From ad01be66ea34cc039fd214c1f8f749942e6545aa Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Sep 2023 14:09:04 -0400 Subject: [PATCH 1/7] remove checkmine engine. add x509.get_pem_entries to managers mine_functions. simplify mine update during soup --- salt/manager/tools/sbin/soup | 2 +- salt/salt/etc/minion.d/mine_functions.conf.jinja | 4 ++++ salt/salt/master.sls | 9 +++------ 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 960c50f31..333be836b 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -580,7 +580,7 @@ update_centos_repo() { update_salt_mine() { echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host." set +e - salt \* cmd.run cmd='MAININT=$(salt-call pillar.get host:mainint --out=newline_values_only) && salt-call mine.send name=network.ip_addrs interface="$MAININT"' + salt \* mine.update set -e } diff --git a/salt/salt/etc/minion.d/mine_functions.conf.jinja b/salt/salt/etc/minion.d/mine_functions.conf.jinja index 378d2c435..2ae345cdf 100644 --- a/salt/salt/etc/minion.d/mine_functions.conf.jinja +++ b/salt/salt/etc/minion.d/mine_functions.conf.jinja @@ -2,3 +2,7 @@ mine_interval: 35 mine_functions: network.ip_addrs: - interface: {{ GLOBALS.main_interface }} +{% if GLOBALS.is_manager -%} + x509.get_pem_entries: + - glob_path: '/etc/pki/ca.crt' +{% endif -%} diff --git a/salt/salt/master.sls b/salt/salt/master.sls index 8b2b6c7d0..b10a4df0f 100644 --- a/salt/salt/master.sls +++ b/salt/salt/master.sls 
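Review bot: The trailing `-` in the added `{% if GLOBALS.is_manager -%}` strips the newline and the leading spaces of the next line, so under default Jinja whitespace handling the `x509.get_pem_entries:` key is likely rendered at column 0, outside the `mine_functions` mapping; the result is still valid YAML, so nothing fails, but the manager's CA entry would then never be sent to the mine — please confirm against the rendered /etc/salt/minion.d/mine_functions.conf. Moving the dash to the leading side keeps the indentation intact: `{%- if GLOBALS.is_manager %}` and `{%- endif %}`. The same `-%}` pattern is carried into this file's hunk in 2/7 (`grains.role in [...] -%}`) and survives as context in 7/7, so fix it there as well.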
@@ -18,17 +18,14 @@ salt_master_service: - enable: True checkmine_engine: - file.managed: + file.absent: - name: /etc/salt/engines/checkmine.py - - source: salt://salt/engines/checkmine.py - - makedirs: True - watch_in: - service: salt_minion_service engines_config: - file.managed: + file.absent: - name: /etc/salt/minion.d/engines.conf - - source: salt://salt/files/engines.conf - watch_in: - service: salt_minion_service @@ -38,4 +35,4 @@ engines_config: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 8690304dffce6fc1ef2a923edf8ec2b80d90079d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Sep 2023 16:17:19 -0400 Subject: [PATCH 2/7] change how mine_functions.conf is managed during setup --- salt/salt/etc/minion.d/mine_functions.conf.jinja | 4 ++-- salt/salt/mine_functions.sls | 5 +++++ salt/salt/minion.sls | 9 +-------- setup/so-functions | 3 +-- 4 files changed, 9 insertions(+), 12 deletions(-) create mode 100644 salt/salt/mine_functions.sls diff --git a/salt/salt/etc/minion.d/mine_functions.conf.jinja b/salt/salt/etc/minion.d/mine_functions.conf.jinja index 2ae345cdf..e3c62e75c 100644 --- a/salt/salt/etc/minion.d/mine_functions.conf.jinja +++ b/salt/salt/etc/minion.d/mine_functions.conf.jinja @@ -1,8 +1,8 @@ mine_interval: 35 mine_functions: network.ip_addrs: - - interface: {{ GLOBALS.main_interface }} -{% if GLOBALS.is_manager -%} + - interface: {{ pillar.host.mainint }} +{% if grains.role in ['so-eval','so-import','so-manager','so-managersearch','so-standalone'] -%} x509.get_pem_entries: - glob_path: '/etc/pki/ca.crt' {% endif -%} diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls new file mode 100644 index 000000000..27a905847 --- /dev/null +++ b/salt/salt/mine_functions.sls @@ -0,0 +1,5 @@ +mine_functions: + file.managed: + - name: /etc/salt/minion.d/mine_functions.conf + - source: salt://salt/etc/minion.d/mine_functions.conf.jinja + - template: jinja 
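Review bot: Switching `checkmine_engine` and `engines_config` to `file.absent` removes the component that re-sent `x509.get_pem_entries` whenever the CA was missing from the mine (the engine deleted in 5/7 called `mine.send` after a failed `mine.get`); as far as this series shows, the manager's CA entry is afterwards refreshed only on `mine_interval` and by soup's `mine.update`, so a missing entry stays missing until then. A short comment on the `checkmine_engine` state would record why it exists in this form and when it can go, e.g. `# checkmine engine replaced by x509.get_pem_entries in mine_functions; drop these cleanup states once all nodes are past this release`. The `/etc/salt/engines` directory created by the old `makedirs: True` is left behind by these two states.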
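Review bot: The role list in the new `{% if grains.role in ['so-eval','so-import','so-manager','so-managersearch','so-standalone'] -%}` re-encodes what `GLOBALS.is_manager` expressed before, so the two definitions can now drift apart silently; a Jinja comment naming the source of truth would help, e.g. `{# keep this list in sync with is_manager in the GLOBALS map #}`. The switch to `{{ pillar.host.mainint }}` is fine as long as the pillar key is always present, since Salt's default Jinja environment fails the render on an undefined value rather than emitting an empty `interface:`; that is the desired loud failure, but worth a comment so nobody "fixes" it with a default.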
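Review bot: The new `mine_functions` state writes /etc/salt/minion.d/mine_functions.conf but nothing in this file restarts the minion when the content changes, and minion.d is only re-read on restart; unless `salt_minion_service` in minion.sls already watches this file, a changed `mine_interval` or function list (as in 7/7) takes effect only after some unrelated restart. A `watch_in: - service: salt_minion_service` cannot go here, because 3/7 applies this sls with `--local` during setup where that service state does not exist and the unresolved requisite would fail the run; the safer place is `- watch: - file: mine_functions` on `salt_minion_service` in minion.sls, which now includes this state.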
diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index 43f7539f9..865bd367f 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -12,6 +12,7 @@ include: - salt - systemd.reload - repo.client + - salt.mine_functions {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %} @@ -78,14 +79,6 @@ salt_minion_service_unit_file: {% endif %} -mine_functions: - file.managed: - - name: /etc/salt/minion.d/mine_functions.conf - - source: salt://salt/etc/minion.d/mine_functions.conf.jinja - - template: jinja - - defaults: - GLOBALS: {{ GLOBALS }} - # this has to be outside the if statement above since there are _in calls to this state salt_minion_service: service.running: diff --git a/setup/so-functions b/setup/so-functions index 679142e2a..eab7a4add 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -649,8 +649,7 @@ configure_minion() { "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" - cp -f ../salt/salt/etc/minion.d/mine_functions.conf.jinja /etc/salt/minion.d/mine_functions.conf - sed -i "s/{{ GLOBALS.main_interface }}/$MNIC/" /etc/salt/minion.d/mine_functions.conf + logCmd "salt-call state.apply salt.mine_functions -l info" { logCmd "systemctl enable salt-minion"; From 827ed7b273cf2a9180fa94e7cd398a2e178dbfcb Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Sep 2023 17:08:42 -0400 Subject: [PATCH 3/7] run salt.mine_function state locally and provide pillar info to it --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index eab7a4add..b55ae0def 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -649,7 +649,8 @@ configure_minion() { "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" - logCmd "salt-call state.apply salt.mine_functions -l info" + info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'" + salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}" { logCmd "systemctl enable salt-minion"; From 39ea1d317df32c17e96f3566fea64ddfbd33b297 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Sep 2023 17:12:14 -0400 Subject: [PATCH 4/7] add comment --- salt/salt/mine_functions.sls | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/salt/salt/mine_functions.sls b/salt/salt/mine_functions.sls index 27a905847..49a47e524 100644 --- a/salt/salt/mine_functions.sls +++ b/salt/salt/mine_functions.sls @@ -1,3 +1,11 @@ +# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one +# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at +# https://securityonion.net/license; you may not use this file except in compliance with the +# Elastic License 2.0. + +# this state was seperated from salt.minion state since it is called during setup +# GLOBALS are imported in the salt.minion state and that is not available at that point in setup +# this state is included in the salt.minion state mine_functions: file.managed: - name: /etc/salt/minion.d/mine_functions.conf From a283e7ea0bea9928ff27ba42f022a5d07934520e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 10 Oct 2023 13:00:54 -0400 Subject: [PATCH 5/7] remove checkmine salt engine --- salt/salt/engines/checkmine.py | 28 ---------------------------- salt/salt/files/engines.conf | 6 ------ 2 files changed, 34 deletions(-) delete mode 100644 salt/salt/engines/checkmine.py delete mode 100644 salt/salt/files/engines.conf 
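Review bot: The two added lines log one command and run another: `info` prints `pillar='{"host": {"mainint": "$MNIC"}}'` while the call passes `pillar="{'host': {'mainint': $MNIC}}"`, where `$MNIC` is unquoted inside the dict literal, so an interface name YAML does not read as a plain string (e.g. one made only of digits) would be mistyped and the setup log would not show what actually ran. Quote the value and log the identical string, e.g. `salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': '$MNIC'}}"`. Dropping `logCmd` (used on the removed line, defined outside this hunk) presumably also means the command's output is no longer captured in the setup log, and `--file-root=../salt/` is relative to a working directory this hunk does not establish — worth a comment on the line stating the expected cwd.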
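Review bot: `seperated` in the added comment should be `separated`, and the comment says why GLOBALS is unavailable during setup but not what the template relies on instead; since setup applies this state with `--local` and passes `pillar.host.mainint` on the salt-call command line (3/7) while `grains.role` comes from the minion itself, state that, e.g. `# the template uses only pillar.host.mainint and grains.role; during setup the pillar value is supplied on the salt-call command line (see configure_minion in setup/so-functions)`. That keeps a later edit from reintroducing GLOBALS or a pillar key the setup path does not provide.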
diff --git a/salt/salt/engines/checkmine.py b/salt/salt/engines/checkmine.py deleted file mode 100644 index 5cc0a5ad3..000000000 --- a/salt/salt/engines/checkmine.py +++ /dev/null @@ -1,28 +0,0 @@ -# -*- coding: utf-8 -*- - -import logging -from time import sleep -from os import remove - -log = logging.getLogger(__name__) - -def start(interval=30): - log.info("checkmine engine started") - minionid = __grains__['id'] - while True: - try: - ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt'] - log.info('Successfully queried Salt mine for the CA.') - except: - log.error('Could not pull CA from the Salt mine.') - log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid) - try: - remove('/var/cache/salt/master/minions/%s/mine.p' % minionid) - log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid) - except FileNotFoundError: - log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid) - - __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt') - log.warning('Salt mine repopulated with /etc/pki/ca.crt') - - sleep(interval) \ No newline at end of file diff --git a/salt/salt/files/engines.conf b/salt/salt/files/engines.conf deleted file mode 100644 index c9e20adf3..000000000 --- a/salt/salt/files/engines.conf +++ /dev/null @@ -1,6 +0,0 @@ -engines_dirs: - - /etc/salt/engines - -engines: - - checkmine: - interval: 30 \ No newline at end of file From 89467adf9c3ba493c397836a942b9f75b9eb183e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 10 Oct 2023 13:05:43 -0400 Subject: [PATCH 6/7] batch the salt mine update --- salt/manager/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index 333be836b..e4b388e22 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup 
@@ -580,7 +580,7 @@ update_centos_repo() { update_salt_mine() { echo "Populating the mine with network.ip_addrs pillar.host.mainint for each host." set +e - salt \* mine.update + salt \* mine.update -b 50 set -e } From 4193130ed05fc6cd6e34e1432161737c23996a74 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 10 Oct 2023 13:07:12 -0400 Subject: [PATCH 7/7] reduce salt mine interval to 25 minutes --- salt/salt/etc/minion.d/mine_functions.conf.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/etc/minion.d/mine_functions.conf.jinja b/salt/salt/etc/minion.d/mine_functions.conf.jinja index e3c62e75c..3851238fd 100644 --- a/salt/salt/etc/minion.d/mine_functions.conf.jinja +++ b/salt/salt/etc/minion.d/mine_functions.conf.jinja @@ -1,4 +1,4 @@ -mine_interval: 35 +mine_interval: 25 mine_functions: network.ip_addrs: - interface: {{ pillar.host.mainint }}
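Review bot: The `echo` two lines above the changed `salt \* mine.update -b 50` still describes the mine as holding only `network.ip_addrs`, but since 1/7 `mine.update` publishes every function in each minion's mine_functions, including `x509.get_pem_entries` on manager roles; update it, e.g. `echo "Updating the Salt mine (all configured mine_functions) for each host in batches of 50."`. The surrounding `set +e` / `set -e` also means a batch that times out or minions that do not return are never surfaced by soup; if that matters, check the command's exit status and print a warning instead of continuing silently.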