diff --git a/pillar/top.sls b/pillar/top.sls index 0762f14a7..b8d694e23 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -16,6 +16,8 @@ base: - sensoroni.adv_sensoroni - telegraf.soc_telegraf - telegraf.adv_telegraf + - versionlock.soc_versionlock + - versionlock.adv_versionlock '* and not *_desktop': - firewall.soc_firewall diff --git a/salt/common/init.sls b/salt/common/init.sls index 8dd727f72..f385bd96d 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -182,6 +182,7 @@ sostatus_log: file.managed: - name: /opt/so/log/sostatus/status.log - mode: 644 + - replace: False # Install sostatus check cron. This is used to populate Grid. so-status_check_cron: diff --git a/salt/elasticfleet/config.sls b/salt/elasticfleet/config.sls index 71bc369c6..208fa2306 100644 --- a/salt/elasticfleet/config.sls +++ b/salt/elasticfleet/config.sls @@ -63,6 +63,14 @@ eastatedir: - group: 939 - makedirs: True +custommappingsdir: + file.directory: + - name: /nsm/custom-mappings + - user: 947 + - group: 939 + - makedirs: True + + eapackageupgrade: file.managed: - name: /usr/sbin/so-elastic-fleet-package-upgrade @@ -73,14 +81,7 @@ eapackageupgrade: - template: jinja {% if GLOBALS.role != "so-fleet" %} - -soresourcesrepoconfig: - git.config_set: - - name: safe.directory - - value: /nsm/securityonion-resources - - global: True - - user: socore - + {% if not GLOBALS.airgap %} soresourcesrepoclone: git.latest: diff --git a/salt/elasticfleet/defaults.yaml b/salt/elasticfleet/defaults.yaml index c3ca0f828..e586100da 100644 --- a/salt/elasticfleet/defaults.yaml +++ b/salt/elasticfleet/defaults.yaml @@ -110,6 +110,8 @@ elasticfleet: - ti_otx - ti_recordedfuture - ti_threatq + - trendmicro + - trend_micro_vision_one - udp - vsphere - windows diff --git a/salt/elasticfleet/enabled.sls b/salt/elasticfleet/enabled.sls index 51d2d1430..f91074b39 100644 --- a/salt/elasticfleet/enabled.sls +++ b/salt/elasticfleet/enabled.sls 
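Review bot: `custommappingsdir` in salt/elasticfleet/config.sls sets owner 947:939 on /nsm/custom-mappings but no `dir_mode`, so the directory's permissions depend on the minion's umask at creation time; the CSV placed here is ingested into the so-ip-mappings index with its `@metadata._id` derived from the IP column, so whoever can write to this directory decides which descriptions the grid displays. Consider an explicit `- dir_mode:` matching the intended writers, and a `file.managed` for `/nsm/custom-mappings/ip-descriptions.csv` with `- replace: False` (the pattern this commit applies to status.log) so the file's mode is deliberate as well. The consuming integration is the so-ip-mappings.json added later in this diff; a one-line comment above the state naming it would save the next reader a search.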
@@ -143,7 +143,9 @@ so-elastic-fleet-integrations: so-elastic-agent-grid-upgrade: cmd.run: - name: /usr/sbin/so-elastic-agent-grid-upgrade - - retry: True + - retry: + attempts: 12 + interval: 5 so-elastic-fleet-integration-upgrade: cmd.run: diff --git a/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json new file mode 100644 index 000000000..fdcd36815 --- /dev/null +++ b/salt/elasticfleet/files/integrations/grid-nodes_general/so-ip-mappings.json @@ -0,0 +1,35 @@ +{ + "package": { + "name": "log", + "version": "" + }, + "name": "so-ip-mappings", + "namespace": "so", + "description": "IP Description mappings", + "policy_id": "so-grid-nodes_general", + "vars": {}, + "inputs": { + "logs-logfile": { + "enabled": true, + "streams": { + "log.logs": { + "enabled": true, + "vars": { + "paths": [ + "/nsm/custom-mappings/ip-descriptions.csv" + ], + "data_stream.dataset": "hostnamemappings", + "tags": [ + "so-ip-mappings" + ], + "processors": "- decode_csv_fields:\n fields:\n message: decoded.csv\n separator: \",\"\n ignore_missing: false\n overwrite_keys: true\n trim_leading_space: true\n fail_on_error: true\n\n- extract_array:\n field: decoded.csv\n mappings:\n so.ip_address: '0'\n so.description: '1'\n\n- script:\n lang: javascript\n source: >\n function process(event) {\n var ip = event.Get('so.ip_address');\n var validIpRegex = /^((25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d{2}|[1-9]?\\d)$/\n if (!validIpRegex.test(ip)) {\n event.Cancel();\n }\n }\n- fingerprint:\n fields: [\"so.ip_address\"]\n target_field: \"@metadata._id\"\n", + "custom": "" + } + } + } + } + }, + "force": true +} + + diff --git a/salt/elasticsearch/defaults.yaml b/salt/elasticsearch/defaults.yaml index 823b33f22..5336eb2ed 100644 --- a/salt/elasticsearch/defaults.yaml +++ b/salt/elasticsearch/defaults.yaml 
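Review bot: The `script` processor in so-ip-mappings.json cancels any row whose `so.ip_address` fails an IPv4 dotted-quad regex, while the so-ip-mappings component template maps that field as `ip`, which accepts IPv6 too, so IPv6 rows in ip-descriptions.csv are silently dropped. `event.Cancel()` also leaves no trace of the rejected row; tagging the event before cancelling, for example `event.Tag('so-ip-mappings-invalid');`, or a `drop_fields`-free fallthrough that keeps the raw `message`, would let an operator see malformed lines rather than wonder why a mapping never appeared. Since the processor chain lives inside a JSON string it cannot carry comments, so the IPv4-only decision is worth documenting wherever the CSV format is described to users.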
@@ -599,6 +599,35 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-ip-mappings: + index_sorting: false + index_template: + composed_of: + - so-ip-mappings + ignore_missing_component_templates: [] + index_patterns: + - so-ip* + priority: 500 + template: + mappings: + date_detection: false + dynamic_templates: + - strings_as_keyword: + mapping: + ignore_above: 1024 + type: keyword + match_mapping_type: string + settings: + index: + mapping: + total_fields: + limit: 1500 + number_of_replicas: 0 + number_of_shards: 1 + refresh_interval: 30s + sort: + field: '@timestamp' + order: desc so-items: index_sorting: false index_template: 
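Review bot: `index_patterns: - so-ip*` in the new `so-ip-mappings` entry is wider than the single index the logstash output writes (`so-ip-mappings`), so any future index whose name starts with `so-ip` would inherit this template at priority 500; `- so-ip-mappings*` bounds it to what is intended. The entry also sets `index_sorting: false` while `template.settings.index.sort` is configured explicitly; if `index_sorting` is what the template tooling keys on to emit sort settings, one of the two is redundant and deserves a comment saying which wins. The enclosing `elasticsearch:` map starts before and continues after this hunk.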
@@ -3580,28 +3609,70 @@ elasticsearch: set_priority: priority: 50 min_age: 30d - so-logs-crowdstrike_x_falcon: - index_sorting: false + so-logs-crowdstrike_x_alert: + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.alert-* + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - logs-crowdstrike.alert@package + - logs-crowdstrike.alert@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.alert@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_falcon: + index_sorting: False + index_template: + index_patterns: + - logs-crowdstrike.falcon-* + template: + settings: + index: + number_of_replicas: 0 composed_of: - logs-crowdstrike.falcon@package - logs-crowdstrike.falcon@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.falcon@custom - index_patterns: - - logs-crowdstrike.falcon-* - priority: 501 - template: - settings: - index: - lifecycle: - name: so-logs-crowdstrike.falcon-logs - number_of_replicas: 0 policy: phases: cold: 
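Review bot: The rewritten `so-logs-crowdstrike_x_alert` and `so-logs-crowdstrike_x_falcon` entries use `index_sorting: False` while neighbouring entries in this file (`so-items`, `so-logs-vsphere_x_log`) and the removed lines use `false`; YAML accepts both, but mixed spelling makes the file harder to grep and is the kind of thing a stricter loader trips on later. The same spelling appears in the `_x_fdr`, `_x_host` and trend_micro/trendmicro hunks that follow, and the `_x_alert` trend_micro entry orders `ignore_missing_component_templates` after `composed_of` unlike its three siblings. The falcon and fdr rewrites also drop the explicit `lifecycle.name` under `template.settings.index`; the `policy` key is presumably what attaches ILM now, but that is inferred from the other entries, and a one-line comment at the top of the file stating it would settle the question.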
@@ -3627,27 +3698,69 @@ elasticsearch: priority: 50 min_age: 30d so-logs-crowdstrike_x_fdr: - index_sorting: false + index_sorting: False index_template: + index_patterns: + - logs-crowdstrike.fdr-* + template: + settings: + index: + number_of_replicas: 0 composed_of: - logs-crowdstrike.fdr@package - logs-crowdstrike.fdr@custom - so-fleet_globals-1 - so-fleet_agent_id_verification-1 + priority: 501 data_stream: - allow_custom_routing: false hidden: false + allow_custom_routing: false ignore_missing_component_templates: - logs-crowdstrike.fdr@custom + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-crowdstrike_x_host: + index_sorting: False + index_template: index_patterns: - - logs-crowdstrike.fdr-* - priority: 501 + - logs-crowdstrike.host-* template: settings: index: - lifecycle: - name: so-logs-crowdstrike.fdr-logs number_of_replicas: 0 + composed_of: + - logs-crowdstrike.host@package + - logs-crowdstrike.host@custom + - so-fleet_globals-1 + - so-fleet_agent_id_verification-1 + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + ignore_missing_component_templates: + - logs-crowdstrike.host@custom policy: phases: cold: 
@@ -10408,6 +10521,182 @@ elasticsearch: set_priority: priority: 50 min_age: 30d + so-logs-trend_micro_vision_one_x_alert: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.alert-*" + template: + settings: + index: + number_of_replicas: 0 + composed_of: + - "logs-trend_micro_vision_one.alert@package" + - "logs-trend_micro_vision_one.alert@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.alert@custom" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trend_micro_vision_one_x_audit: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.audit-*" + template: + settings: + index: + number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.audit@custom" + composed_of: + - "logs-trend_micro_vision_one.audit@package" + - "logs-trend_micro_vision_one.audit@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trend_micro_vision_one_x_detection: + index_sorting: False + index_template: + index_patterns: + - "logs-trend_micro_vision_one.detection-*" + template: + settings: + index: + 
number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trend_micro_vision_one.detection@custom" + composed_of: + - "logs-trend_micro_vision_one.detection@package" + - "logs-trend_micro_vision_one.detection@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d + so-logs-trendmicro_x_deep_security: + index_sorting: False + index_template: + index_patterns: + - "logs-trendmicro.deep_security-*" + template: + settings: + index: + number_of_replicas: 0 + ignore_missing_component_templates: + - "logs-trendmicro.deep_security@custom" + composed_of: + - "logs-trendmicro.deep_security@package" + - "logs-trendmicro.deep_security@custom" + - "so-fleet_globals-1" + - "so-fleet_agent_id_verification-1" + priority: 501 + data_stream: + hidden: false + allow_custom_routing: false + policy: + phases: + cold: + actions: + set_priority: + priority: 0 + min_age: 60d + delete: + actions: + delete: {} + min_age: 365d + hot: + actions: + rollover: + max_age: 30d + max_primary_shard_size: 50gb + set_priority: + priority: 100 + min_age: 0ms + warm: + actions: + set_priority: + priority: 50 + min_age: 30d so-logs-vsphere_x_log: index_sorting: false index_template: diff --git a/salt/elasticsearch/soc_elasticsearch.yaml b/salt/elasticsearch/soc_elasticsearch.yaml index 7fd6d08b2..88ea45b89 100644 --- a/salt/elasticsearch/soc_elasticsearch.yaml +++ b/salt/elasticsearch/soc_elasticsearch.yaml 
@@ -396,8 +396,10 @@ elasticsearch: so-logs-citrix_waf_x_log: *indexSettings so-logs-cloudflare_x_audit: *indexSettings so-logs-cloudflare_x_logpull: *indexSettings + so-logs-crowdstrike_x_alert: *indexSettings so-logs-crowdstrike_x_falcon: *indexSettings so-logs-crowdstrike_x_fdr: *indexSettings + so-logs-crowdstrike_x_host: *indexSettings so-logs-darktrace_x_ai_analyst_alert: *indexSettings so-logs-darktrace_x_model_breach_alert: *indexSettings so-logs-darktrace_x_system_status_alert: *indexSettings @@ -494,6 +496,10 @@ elasticsearch: so-logs-ti_recordedfuture_x_latest_ioc-template: *indexSettings so-logs-ti_recordedfuture_x_threat: *indexSettings so-logs-ti_threatq_x_threat: *indexSettings + so-logs-trend_micro_vision_one_x_alert: *indexSettings + so-logs-trend_micro_vision_one_x_audit: *indexSettings + so-logs-trend_micro_vision_one_x_detection: *indexSettings + so-logs-trendmicro_x_deep_security: *indexSettings so-logs-zscaler_zia_x_alerts: *indexSettings so-logs-zscaler_zia_x_dns: *indexSettings so-logs-zscaler_zia_x_firewall: *indexSettings diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json new file mode 100644 index 000000000..17319ab9f --- /dev/null +++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.alert@custom.json @@ -0,0 +1,36 @@ +{ + "template": { + "mappings": { + "properties": { + "host": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "related": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "destination": { + "properties":{ + "ip": { + "type": "ip" + } + } + }, + "source": { + "properties":{ + "ip": { + "type": "ip" + } + } + } + } + } + } +} 
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-crowdstrike.host@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.alert@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.audit@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trend_micro_vision_one.detection@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json
new file mode 100644
index 000000000..17319ab9f
--- /dev/null
+++ b/salt/elasticsearch/templates/component/elastic-agent/logs-trendmicro.deep_security@custom.json
@@ -0,0 +1,36 @@
+{
+ "template": {
+ "mappings": {
+ "properties": {
+ "host": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "related": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "destination": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ },
+ "source": {
+ "properties":{
+ "ip": {
+ "type": "ip"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/salt/elasticsearch/templates/component/so/detection-mappings.json b/salt/elasticsearch/templates/component/so/detection-mappings.json index 5e51b872b..4dd5b45e7 100644 --- a/salt/elasticsearch/templates/component/so/detection-mappings.json +++ b/salt/elasticsearch/templates/component/so/detection-mappings.json @@ -21,10 +21,10 @@ "properties": { "publicId": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "title": { - "ignore_above": 1024, + "ignore_above": 1024, "type": "keyword" }, "severity": { @@ -38,15 +38,15 @@ "description": { "type": "text" }, - "category": { + "category": { "ignore_above": 1024, "type": "keyword" }, - "product": { + "product": { "ignore_above": 1024, "type": "keyword" }, - "service": { + "service": { "ignore_above": 1024, "type": "keyword" }, @@ -64,7 +64,7 @@ }, "tags": { "ignore_above": 1024, - "type": "keyword" + "type": "keyword" }, "ruleset": { "ignore_above": 1024, @@ -82,6 +82,12 @@ "ignore_above": 1024, "type": "keyword" }, + "sourceCreated": { + "type": "date" + }, + "sourceUpdated": { + "type": "date" + }, "overrides": { "properties": { "type": { @@ -97,6 +103,9 @@ "updatedAt": { "type": "date" }, + "note": { + "type": "text" + }, "regex": { "type": "text" }, diff --git a/salt/elasticsearch/templates/component/so/so-ip-mappings.json b/salt/elasticsearch/templates/component/so/so-ip-mappings.json new file mode 100644 index 000000000..a61eae5fd --- /dev/null +++ b/salt/elasticsearch/templates/component/so/so-ip-mappings.json @@ -0,0 +1,25 @@ +{ + "_meta": { + "documentation": "https://www.elastic.co/guide/en/ecs/current/ecs-network.html", + "ecs_version": "1.12.2" + }, + "template": { + "mappings": { + "properties": { + "@timestamp": { + "type": "date" + }, + "so": { + "properties": { + "ip_address": { + "type": "ip" + }, + "description": { + "type": "text" + } + } + } + } + } + } +} \ No newline at end of file 
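Review bot: The `_meta` block of the new so-ip-mappings.json points `documentation` at the ECS network field reference and pins `ecs_version: 1.12.2`, but the template only maps the custom `so.ip_address` and `so.description` fields, which are not ECS; the block reads as carried over from another component template. Either point `documentation` at wherever the ip-descriptions.csv format is described for operators, or drop the ECS metadata so the template does not claim a standard it does not follow. The file also lacks a trailing newline, unlike the other JSON templates added in this commit.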
diff --git a/salt/logstash/map.jinja b/salt/logstash/map.jinja index 8fc3291e5..da2bc341a 100644 --- a/salt/logstash/map.jinja +++ b/salt/logstash/map.jinja @@ -1,5 +1,5 @@ {# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one - or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at + or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at https://securityonion.net/license; you may not use this file except in compliance with the Elastic License 2.0. #} @@ -42,4 +42,4 @@ {% do LOGSTASH_MERGED.update({'enabled': False}) %} {% endif %} {% endif %} -{% endif %} \ No newline at end of file +{% endif %} diff --git a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja index 3a86cd8be..be7ec6898 100644 --- a/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja +++ b/salt/logstash/pipelines/config/so/9805_output_elastic_agent.conf.jinja 
@@ -1,18 +1,45 @@ output { - if "elastic-agent" in [tags] { - if [metadata][pipeline] { - if [metadata][_id] { - elasticsearch { - hosts => "{{ GLOBALS.hostname }}" - ecs_compatibility => v8 - data_stream => true - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" - document_id => "%{[metadata][_id]}" - pipeline => "%{[metadata][pipeline]}" - silence_errors_in_log => ["version_conflict_engine_exception"] - ssl => true - ssl_certificate_verification => false + if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + data_stream => false + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + document_id => "%{[metadata][_id]}" + index => "so-ip-mappings" + silence_errors_in_log => ["version_conflict_engine_exception"] + ssl => true + ssl_certificate_verification => false + } + } + else { + if "elastic-agent" in [tags] { + if [metadata][pipeline] { + if [metadata][_id] { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + ecs_compatibility => v8 + data_stream => true + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + document_id => "%{[metadata][_id]}" + pipeline => "%{[metadata][pipeline]}" + silence_errors_in_log => ["version_conflict_engine_exception"] + ssl => true + ssl_certificate_verification => false + } + } + else { + elasticsearch { + hosts => "{{ GLOBALS.hostname }}" + ecs_compatibility => v8 + data_stream => true + user => "{{ ES_USER }}" + password => "{{ ES_PASS }}" + pipeline => "%{[metadata][pipeline]}" + ssl => true + ssl_certificate_verification => false + } } } else { 
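Review bot: The new `so-ip-mappings` branch sets `document_id => "%{[metadata][_id]}"` without the `if [metadata][_id]` guard that the elastic-agent branch below it keeps, so an event that carries the tag but no id is indexed under the literal string `%{[metadata][_id]}`, and every such event overwrites the same document. Add the guard to the condition, `if "elastic-agent" in [tags] and "so-ip-mappings" in [tags] and [metadata][_id] {`, and let id-less events fall through to the existing branches. Routing on a tag alone also means any agent-forwarded event tagged `so-ip-mappings` lands in that index with no ingest pipeline applied, which looks intended but is worth a comment above the branch, e.g. `# so-ip-mappings rows are upserted by fingerprint id into a plain index, not a data stream`. The enclosing `output {}` block continues past this hunk.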
@@ -22,22 +49,10 @@ output { data_stream => true user => "{{ ES_USER }}" password => "{{ ES_PASS }}" - pipeline => "%{[metadata][pipeline]}" ssl => true ssl_certificate_verification => false } } } - else { - elasticsearch { - hosts => "{{ GLOBALS.hostname }}" - ecs_compatibility => v8 - data_stream => true - user => "{{ ES_USER }}" - password => "{{ ES_PASS }}" - ssl => true - ssl_certificate_verification => false - } - } } } diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 2feda45ae..c4b2ad136 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -6,10 +6,7 @@ {% from 'allowed_states.map.jinja' import allowed_states %} {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} -{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} -{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %} -{% from 'strelka/map.jinja' import STRELKAMERGED %} +{% from 'manager/map.jinja' import MANAGERMERGED %} include: - salt.minion @@ -45,6 +42,12 @@ yara_log_dir: - user - group +{% if GLOBALS.os_family == 'RedHat' %} +install_createrepo: + pkg.installed: + - name: createrepo_c +{% endif %} + repo_conf_dir: file.directory: - name: /opt/so/conf/reposync @@ -135,6 +138,16 @@ rules_dir: - group: socore - makedirs: True +git_config_set_safe_dirs: + git.config_set: + - name: safe.directory + - global: True + - user: socore + - multivar: + - /nsm/rules/custom-local-repos/local-sigma + - /nsm/rules/custom-local-repos/local-yara + - /nsm/securityonion-resources + - /opt/so/conf/soc/ai_summary_repos/securityonion-resources {% else %} {{sls}}_state_not_allowed: diff --git a/salt/manager/map.jinja b/salt/manager/map.jinja index 1ab9c12c3..4ea04a1cf 100644 --- a/salt/manager/map.jinja +++ b/salt/manager/map.jinja 
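Review bot: `git_config_set_safe_dirs` in salt/manager/init.sls sets `safe.directory` as a `multivar`, which, as I read Salt's `git.config_set`, makes socore's global config hold exactly the listed values, so any `safe.directory` entry added for socore outside this state is removed on every highstate. It also replaces the per-state `soresourcesrepoconfig` that the elasticfleet/config.sls hunk earlier in this diff deletes, so `/nsm/securityonion-resources` is now only marked safe once the manager state has run; if elasticfleet.config can execute on a node before, or without, manager, its `git.latest` as socore would hit the dubious-ownership check, and a `require` on this state (or keeping the entry where it was) would make the dependency explicit. A short comment over the list naming which state clones into each of the four paths would help whoever adds the next repo.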
@@ -4,4 +4,8 @@ Elastic License 2.0. #} {% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} -{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %} \ No newline at end of file +{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=True) %} + +{% if grains.os != 'OEL' %} +{% do MANAGERMERGED.reposync.update({'enabled': False}) %} +{% endif %} diff --git a/salt/manager/tools/sbin/soup b/salt/manager/tools/sbin/soup index fe5883294..2c91430e7 100755 --- a/salt/manager/tools/sbin/soup +++ b/salt/manager/tools/sbin/soup @@ -701,11 +701,13 @@ up_to_2.4.90() { INSTALLEDVERSION=2.4.90 } + up_to_2.4.100() { # Elastic Update for this release, so download Elastic Agent files determine_elastic_agent_upgrade INSTALLEDVERSION=2.4.100 } + up_to_2.4.110() { echo "Nothing to do for 2.4.110" @@ -713,10 +715,15 @@ up_to_2.4.110() { } up_to_2.4.120() { - echo "Nothing to do for 2.4.120" - add_hydra_pillars + # this is needed for the new versionlock state + mkdir /opt/so/saltstack/local/pillar/versionlock + touch /opt/so/saltstack/local/pillar/versionlock/adv_versionlock.sls /opt/so/saltstack/local/pillar/versionlock/soc_versionlock.sls + + # New Grid Integration added this release + rm -f /opt/so/state/eaintegrations.txt + INSTALLEDVERSION=2.4.120 } @@ -949,7 +956,7 @@ update_airgap_repo() { echo "Syncing new updates to /nsm/repo" rsync -av $AGREPO/* /nsm/repo/ echo "Creating repo" - dnf -y install yum-utils createrepo + dnf -y install yum-utils createrepo_c createrepo /nsm/repo } diff --git a/salt/soc/config.sls b/salt/soc/config.sls index 5174dd94e..129d669d3 100644 --- a/salt/soc/config.sls +++ b/salt/soc/config.sls 
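Review bot: `up_to_2.4.120` in soup runs `mkdir /opt/so/saltstack/local/pillar/versionlock` without `-p`, so if the directory already exists (a re-run after a partial upgrade, or an operator who pre-created it) mkdir returns non-zero; whether that aborts the upgrade depends on soup's error handling, which is outside the hunk, but `mkdir -p /opt/so/saltstack/local/pillar/versionlock` makes the step idempotent either way, and the `touch` that follows already is. The same function drops the `add_hydra_pillars` call that the old 2.4.120 step made; if that work moved elsewhere, a comment saying where would save the next reader from assuming it was lost.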
@@ -204,6 +204,49 @@ socsensoronirepos: - mode: 775 - makedirs: True + +create_custom_local_yara_repo_template: + git.present: + - name: /nsm/rules/custom-local-repos/local-yara + - bare: False + - force: True + +add_readme_custom_local_yara_repo_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-yara/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "yara" + + +create_custom_local_sigma_repo_template: + git.present: + - name: /nsm/rules/custom-local-repos/local-sigma + - bare: False + - force: True + +add_readme_custom_local_sigma_repo_template: + file.managed: + - name: /nsm/rules/custom-local-repos/local-sigma/README + - source: salt://soc/files/soc/detections_custom_repo_template_readme.jinja + - user: 939 + - group: 939 + - template: jinja + - context: + repo_type: "sigma" + +socore_own_custom_repos: + file.directory: + - name: /nsm/rules/custom-local-repos/ + - user: socore + - group: socore + - recurse: + - user + - group + {% else %} {{sls}}_state_not_allowed: diff --git a/salt/soc/defaults.yaml b/salt/soc/defaults.yaml index ae5f83edd..6147af73b 100644 --- a/salt/soc/defaults.yaml +++ b/salt/soc/defaults.yaml @@ -1351,11 +1351,17 @@ soc: license: Elastic-2.0 folder: sigma/stable community: true + - repo: file:///nsm/rules/custom-local-repos/local-sigma + license: Elastic-2.0 + community: false airgap: - repo: file:///nsm/rules/detect-sigma/repos/securityonion-resources license: Elastic-2.0 folder: sigma/stable community: true + - repo: file:///nsm/rules/custom-local-repos/local-sigma + license: Elastic-2.0 + community: false sigmaRulePackages: - core - emerging_threats_addon 
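Review bot: Both `create_custom_local_*_repo_template` states pass `force: True` to `git.present`, which, as I read that state, lets Salt clear a pre-existing non-repo directory at `/nsm/rules/custom-local-repos/local-yara` or `local-sigma` so it can initialise one; an operator who creates the folder and drops rule files in it before the first highstate would lose them. Unless a non-repo directory there is expected, the default `force: False` fails loudly instead, which is the safer behaviour for a location the README invites users to edit. The `git.present` states also run as root with ownership fixed afterwards by `socore_own_custom_repos`, and nothing `require`s that ordering; a comment such as `# repos are initialised as root, then chowned to socore so the rule engines can read and commit` would record the intent.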
@@ -1422,10 +1428,16 @@ soc: - repo: https://github.com/Security-Onion-Solutions/securityonion-yara license: DRL community: true + - repo: file:///nsm/rules/custom-local-repos/local-yara + license: Elastic-2.0 + community: false airgap: - repo: file:///nsm/rules/detect-yara/repos/securityonion-yara license: DRL community: true + - repo: file:///nsm/rules/custom-local-repos/local-yara + license: Elastic-2.0 + community: false yaraRulesFolder: /opt/sensoroni/yara/rules stateFilePath: /opt/sensoroni/fingerprints/strelkaengine.state integrityCheckFrequencySeconds: 1200 @@ -1445,6 +1457,8 @@ soc: rulesFingerprintFile: /opt/sensoroni/fingerprints/emerging-all.fingerprint stateFilePath: /opt/sensoroni/fingerprints/suricataengine.state integrityCheckFrequencySeconds: 1200 + ignoredSidRanges: + - '1100000-1101000' client: enableReverseLookup: false docsUrl: /docs/ @@ -2254,7 +2268,7 @@ soc: description: Show all custom detections - name: "All Detections - Enabled" query: "so_detection.isEnabled:true | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" - description: Show all enalbed Detections + description: Show all enabled Detections - name: "All Detections - Disabled" query: "so_detection.isEnabled:false | groupby so_detection.language | groupby so_detection.ruleset so_detection.severity" description: Show all disabled Detections 
@@ -2273,6 +2287,16 @@ soc: - name: "Detections with Overrides" query: "_exists_:so_detection.overrides | groupby so_detection.language | groupby so_detection.ruleset so_detection.isEnabled" description: Show Detections that have Overrides + detectionEngineStatusQueries: | + suricata: + default: 'tags:so-soc AND suricata | groupby log.level | groupby event.action | groupby soc.fields.error' + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"suricata" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' + elastalert: + default: 'tags:so-soc AND elastalert | groupby log.level | groupby event.action | groupby soc.fields.error' + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"elastalert" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' + strelka: + default: 'tags:so-soc AND strelka | groupby log.level | groupby event.action | groupby soc.fields.error' + IntegrityFailure: 'event.action: "integrity check failed" AND soc.fields.detectionEngine:"strelka" | table event.dataset soc.fields.deployedButNotEnabledCount soc.fields.enabledButNotDeployedCount soc.fields.syncId' detection: showUnreviewedAiSummaries: false presets: diff --git a/salt/soc/files/soc/detections_custom_repo_template_readme.jinja b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja new file mode 100644 index 000000000..228a467bf --- /dev/null +++ b/salt/soc/files/soc/detections_custom_repo_template_readme.jinja 
@@ -0,0 +1,94 @@ +{% if repo_type == 'yara' %} +# YARA Local Custom Rules Repository + +This folder has already been initialized as a git repo +and your Security Onion grid is configured to import any YARA rule files found here. + +Just add your rule file and commit it. + +For example: + +** Note: If this is your first time making changes to this repo, you may run into the following error: + +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-yara' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-yara + +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yar extension: +`vi my_custom_rule.yar` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yar` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yar"` + +The next time the Strelka / YARA engine syncs, the new rule should be imported +If there are errors, review the sync log to troubleshoot further. + +{% elif repo_type == 'sigma' %} +# Sigma Local Custom Rules Repository + +This folder has already been initialized as a git repo +and your Security Onion grid is configured to import any Sigma rule files found here. + +Just add your rule file and commit it. 
+ +For example: + +** Note: If this is your first time making changes to this repo, you may run into the following error: + +fatal: detected dubious ownership in repository at '/nsm/rules/custom-local-repos/local-sigma' +To add an exception for this directory, call: + git config --global --add safe.directory /nsm/rules/custom-local-repos/local-sigma + +This means that the user you are running commands as does not match the user that is used for this git repo (socore). +You will need to make sure your rule files are accessible to the socore user, so either su to socore +or add the exception and then chown the rule files later. + +Also, you will be asked to set some configuration: +``` +Author identity unknown +*** Please tell me who you are. +Run + git config --global user.email "you@example.com" + git config --global user.name "Your Name" +to set your account's default identity. +Omit --global to set the identity only in this repository. +``` + +Run these commands, ommitting the `--global`. + +With that out of the way: + +First, create the rule file with a .yml or .yaml extension: +`vi my_custom_rule.yml` + +Next, use git to stage the new rule to be committed: +`git add my_custom_rule.yml` + +Finally, commit it: +`git commit -m "Initial commit of my_custom_rule.yml"` + +The next time the Elastalert / Sigma engine syncs, the new rule should be imported +If there are errors, review the sync log to troubleshoot further. +{% endif %} \ No newline at end of file diff --git a/salt/soc/files/soc/sigma_so_pipeline.yaml b/salt/soc/files/soc/sigma_so_pipeline.yaml index 8314361f5..df8b2709a 100644 --- a/salt/soc/files/soc/sigma_so_pipeline.yaml +++ b/salt/soc/files/soc/sigma_so_pipeline.yaml 
@@ -106,3 +106,23 @@ transformations:
 - type: include_fields
 fields:
 - event.code
+ # Maps process_creation rules to endpoint process creation logs
+ # This is an OS-agnostic mapping, to account for logs that don't specify source OS
+ - id: endpoint_process_create_windows_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'process'
+ event.type: 'start'
+ rule_conditions:
+ - type: logsource
+ category: process_creation
+ # Maps file_event rules to endpoint file creation logs
+ # This is an OS-agnostic mapping, to account for logs that don't specify source OS
+ - id: endpoint_file_create_add-fields
+ type: add_condition
+ conditions:
+ event.category: 'file'
+ event.type: 'creation'
+ rule_conditions:
+ - type: logsource
+ category: file_event
\ No newline at end of file
diff --git a/salt/soc/soc_soc.yaml b/salt/soc/soc_soc.yaml
index af4668fc2..c27228ab6 100644
--- a/salt/soc/soc_soc.yaml
+++ b/salt/soc/soc_soc.yaml
@@ -390,6 +390,12 @@ soc:
 advanced: True
 forcedType: "[]{}"
 helpLink: suricata.html
+ ignoredSidRanges:
+ description: 'List of Suricata SID ranges to ignore during the Integrity Check. This is useful for ignoring specific rules not governed by the UI. Each line should contain 1 range in the format "1100000-1200000". The ranges are treated as inclusive.'
+ global: True
+ advanced: True
+ forcedType: "[]string"
+ helpLink: detections.html#rule-engine-status
 client:
 enableReverseLookup:
 description: Set to true to enable reverse DNS lookups for IP addresses in the SOC UI.
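Review bot: The first added transformation's id `endpoint_process_create_windows_add-fields` says "windows" while its own comment describes an OS-agnostic mapping and the sibling id `endpoint_file_create_add-fields` carries no OS; renaming it to `endpoint_process_create_add-fields` keeps the ids consistent with the comments and with each other. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which turns the next append to this list into a spurious one-line diff. The `transformations:` list these entries extend begins outside the hunk.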
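Review bot: The `ignoredSidRanges` description does not say what ignoring a range means for the Integrity Check, and that is the trade-off an operator needs before widening it: a rule whose SID falls in an ignored range is presumably no longer reported when the deployed rule set drifts from what SOC expects. A sentence such as `Rules whose SIDs fall in an ignored range are excluded from integrity verification, so changes to or removal of those rules will not be reported.` would state it. The accepted format is also loose — one example is given, but whether a single SID (`1100000`) or an open-ended range is accepted is not said, and `forcedType: "[]string"` does not constrain it. The enclosing `soc:` settings block starts outside the hunk.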
@@ -461,7 +467,14 @@ soc:
 alerts: *appSettings
 cases: *appSettings
 dashboards: *appSettings
- detections: *appSettings
+ detections:
+ <<: *appSettings
+ detectionEngineStatusQueries:
+ description: Queries mapped to the detection engine statuses. Acceptable statuses are "Migrating", "Importing", "MigrationFailure", "IntegrityFailure", "SyncFailure", "ImportPending", "Syncing", and "Healthy" and will fallback to a "default" entry if specified.
+ global: True
+ syntax: yaml
+ multiline: True
+ forcedType: "string"
 detection:
 showUnreviewedAiSummaries:
 description: Show AI summaries in detections even if they have not yet been reviewed by a human.
diff --git a/salt/strelka/filestream/config.sls b/salt/strelka/filestream/config.sls
index 0f9f38914..2809bd8b1 100644
--- a/salt/strelka/filestream/config.sls
+++ b/salt/strelka/filestream/config.sls
@@ -99,12 +99,14 @@ filecheck.log:
 - name: /opt/so/log/strelka/filecheck.log
 - user: {{ filecheck_runas }}
 - group: {{ filecheck_runas }}
+ - replace: False
 filecheck_stdout.log:
 file.managed:
 - name: /opt/so/log/strelka/filecheck_stdout.log
 - user: {{ filecheck_runas }}
 - group: {{ filecheck_runas }}
+ - replace: False
 {% if GLOBALS.md_engine == 'ZEEK' %}
diff --git a/salt/top.sls b/salt/top.sls
index c4ad5d12f..437c44bf8 100644
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -12,6 +12,7 @@ base:
 '*':
 - cron.running
 - repo.client
+ - versionlock
 - ntp
 - schedule
 - logrotate
diff --git a/salt/versionlock/defaults.yaml b/salt/versionlock/defaults.yaml
new file mode 100644
index 000000000..cacd1d7bb
--- /dev/null
+++ b/salt/versionlock/defaults.yaml
@@ -0,0 +1,2 @@
+versionlock:
+ hold: []
diff --git a/salt/versionlock/init.sls b/salt/versionlock/init.sls
new file mode 100644
index 000000000..a310356b4
--- /dev/null
+++ b/salt/versionlock/init.sls
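Review bot: The `detectionEngineStatusQueries` description lists the accepted status names but not the shape of the value, and the clause `and will fallback to a "default" entry if specified` has no clear subject; since the setting is `syntax: yaml` / `multiline: True`, the operator has to guess whether it is a mapping of status to query string. Rewording it to `A YAML mapping of detection engine status to query. Acceptable statuses are "Migrating", ..., and "Healthy"; a status with no entry uses the "default" entry when one is present.` states the contract. What happens when neither the status nor a default is present is not visible here and would be worth adding. The `<<: *appSettings` merge keeps the prior app settings under `detections`; the `appSettings` anchor itself is defined outside the hunk.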
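Review bot: With `- replace: False` the two `file.managed` states only create the strelka log files when they are absent, but neither state sets `- mode:`, so a file Salt creates gets whatever the minion's umask yields and an already-present file keeps whatever permissions it has. Adding `- mode: 644` (or the mode the project uses for its other logs) under each `- group: {{ filecheck_runas }}` line pins the permissions regardless of how the file came to exist, which is the point of managing a log file that `filecheck_runas` writes into. The `filecheck.log` state header and its `file.managed:` line are outside the hunk.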
@@ -0,0 +1,19 @@
+# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+# https://securityonion.net/license; you may not use this file except in compliance with the
+# Elastic License 2.0.
+
+{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') != "") %}
+{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
+{% for pkg in VERSIONLOCKMERGED.hold %}
+{{pkg}}_held:
+ pkg.held:
+ - name: {{pkg}}
+{% endfor %}
+
+{% for pkg in VERSIONLOCKMERGED.UNHOLD %}
+{{pkg}}_unheld:
+ pkg.unheld:
+ - name: {{pkg}}
+{% endfor %}
+{% endif %}
diff --git a/salt/versionlock/map.jinja b/salt/versionlock/map.jinja
new file mode 100644
index 000000000..1477657bc
--- /dev/null
+++ b/salt/versionlock/map.jinja
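Review bot: On RedHat the entire state body is skipped at render time when `python3-dnf-plugin-versionlock` is not installed (the `pkg.version` test on the `{% if %}` line), so a populated `hold` list silently applies nothing and the highstate still reports success. An `{% else %}` branch that surfaces the skipped condition, or a `pkg.installed` state for the plugin that the `pkg.held` states require, would make the gap visible; the sketch below uses a notification state rather than a failure so airgapped hosts without the plugin package are not failed outright. The two sibling keys `VERSIONLOCKMERGED.hold` and `VERSIONLOCKMERGED.UNHOLD` also differ in case for no visible reason; `unhold` would match the pillar key it mirrors. The state ids `{{pkg}}_held` / `{{pkg}}_unheld` are built from a pillar value that the SOC UI exposes, so an entry containing spaces or YAML-significant characters would render an invalid state file — presumably the UI validates the list, but that is not visible here.
```yaml
# … unchanged: hold / unhold loops …
{% else %}
versionlock_skipped:
  test.show_notification:
    - text: 'versionlock: python3-dnf-plugin-versionlock is not installed; the configured hold list was not applied'
{% endif %}
```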
@@ -0,0 +1,38 @@
+{# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
+ or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
+ https://securityonion.net/license; you may not use this file except in compliance with the
+ Elastic License 2.0. #}
+
+{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
+{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
+
+{% if grains.os_family == 'RedHat' %}
+{% set HELD = salt['pkg.list_holds']() %}
+{% else %}
+{% set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
+{% endif %}
+
+{# these are packages held / versionlock in other states #}
+{% set PACKAGES_HELD_IN_OTHER_STATES = [
+ 'salt',
+ 'salt-master',
+ 'salt-minion',
+ 'containerd.io',
+ 'docker-ce',
+ 'docker-ce-cli',
+ 'docker-ce-rootless-extras'
+] %}
+
+{# remove packages held in other states from hold list #}
+{% do VERSIONLOCKMERGED.update({'hold': VERSIONLOCKMERGED['hold'] | unique | reject('in', PACKAGES_HELD_IN_OTHER_STATES) | list }) %}
+
+{# initiate VERSIONLOCKMERGED.UNHOLD #}
+{% do VERSIONLOCKMERGED.update({'UNHOLD': []}) %}
+
+{# if a package is currently held but not set to be held, unhold it #}
+{% for item in HELD %}
+ {% set base_name = item.rsplit('-', 2)[0] %}
+ {% if base_name not in VERSIONLOCKMERGED['hold'] and base_name not in PACKAGES_HELD_IN_OTHER_STATES and base_name not in VERSIONLOCKMERGED['UNHOLD'] %}
+ {% do VERSIONLOCKMERGED['UNHOLD'].append(base_name) %}
+ {% endif %}
+{% endfor %}
diff --git a/salt/versionlock/soc_versionlock.yaml b/salt/versionlock/soc_versionlock.yaml
new file mode 100644
index 000000000..92fd69875
--- /dev/null
+++ b/salt/versionlock/soc_versionlock.yaml
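Review bot: `item.rsplit('-', 2)[0]` in the `HELD` loop is applied on both OS families, but on Debian `pkg.get_selections(state='hold')['hold']` yields bare package names, so a held package with hyphens in its name (for example `linux-image-generic`) is truncated to `linux`: it never matches `VERSIONLOCKMERGED['hold']`, the wrong name is appended to `UNHOLD`, and the real package is never unheld even after the operator removes it from the list. The split only makes sense for the RedHat `versionlock list` entries, which carry version and release suffixes; there `salt['pkg.list_holds'](full=False)` already returns just the names, so the split can go: `{% set HELD = salt['pkg.list_holds'](full=False) %}` and `{% set base_name = item %}`. If `full=False` is not available on the minion's Salt version, at least confine the split to the RedHat branch. Separately, entries on the hard-coded `PACKAGES_HELD_IN_OTHER_STATES` list are dropped from `hold` with no feedback to the operator, which the SOC-facing description of the setting could mention.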
@@ -0,0 +1,7 @@
+versionlock:
+ hold:
+ description: List of packages to prevent from upgrading. To reduce the frequency of required reboots, add 'kernel' to this list for RedHat based OS families. For Debian, please see the documentation.
+ global: True
+ forcedType: "[]string"
+ multiline: True
+ helpLink: versionlock.html
diff --git a/setup/so-functions b/setup/so-functions
index be57776f7..914e0c2cd 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -44,17 +44,17 @@ logCmd() {
 airgap_rules() {
 # Copy the rules for detections if using Airgap
 mkdir -p /nsm/rules
- rsync -av /root/SecurityOnion/agrules/ /nsm/rules/
+ logCmd "rsync -av /root/SecurityOnion/agrules/ /nsm/rules/"
 # Copy over the securityonion-resources repo
- rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/
+ logCmd "rsync -av /root/SecurityOnion/agrules/securityonion-resources /nsm/"
 }
 airgap_detection_summaries() {
 # Copy summaries over to SOC and checkout the correct branch
- rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos
- git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published
+ logCmd "rsync -av --chown=socore:socore /nsm/securityonion-resources /opt/so/conf/soc/ai_summary_repos"
+ logCmd "git config --global --add safe.directory /opt/so/conf/soc/ai_summary_repos/securityonion-resources"
+ logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published"
 }
 add_admin_user() {
@@ -804,7 +804,7 @@ create_manager_pillars() {
 create_repo() {
 title "Create the repo directory"
- logCmd "dnf -y install yum-utils createrepo"
+ logCmd "dnf -y install yum-utils createrepo_c"
 logCmd "createrepo /nsm/repo"
 }
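Review bot: The `hold` description does not tell the operator which entries are silently dropped: packages that other states already pin (salt, salt-master, salt-minion, docker-ce and its companions, containerd.io, per the accompanying map.jinja) are filtered out without feedback, and on RedHat the whole list is ignored when the dnf versionlock plugin is not installed. A sentence such as `Packages that Security Onion itself pins (salt, docker, containerd) are managed elsewhere and are ignored if listed here.` would set that expectation. It is also worth stating that a package removed from this list is actively unheld on the next highstate, since that is a side effect an operator may not expect from editing a list.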
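Review bot: Wrapping the three `airgap_detection_summaries` commands in `logCmd` makes their effect on control flow depend on how `logCmd` is implemented (its body lies outside this hunk); if `logCmd` only records output and returns the logger's status, a failed `git ... checkout generated-summaries-published` no longer stops setup and the summaries directory is left on whatever branch the rsync copy carried, with the failure only visible in the log. Checking the wrapped command's result, e.g. `logCmd "git -C /opt/so/conf/soc/ai_summary_repos/securityonion-resources checkout generated-summaries-published" || return 1` with the caller handling the non-zero return, preserves the earlier fail-fast behaviour; the two rsync calls in `airgap_rules` have the same exposure. If `logCmd` already propagates the wrapped command's exit status, a one-line comment above the function saying so would save the next reader this question.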
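Review bot: The install line now pulls `createrepo_c` while the following unchanged line still invokes `createrepo /nsm/repo`, so `create_repo` presumably relies on the compatibility `createrepo` command that the `createrepo_c` package ships; calling the binary that was actually installed, `logCmd "createrepo_c /nsm/repo"`, removes that packaging dependency. `create_repo` is fully inside the hunk.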
@@ -1425,7 +1425,7 @@ make_some_dirs() {
 mkdir -p $local_salt_dir/salt/firewall/portgroups
 mkdir -p $local_salt_dir/salt/firewall/ports
- for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka;do
+ for THEDIR in bpf pcap elasticsearch ntp firewall redis backup influxdb strelka sensoroni soc docker zeek suricata nginx telegraf logstash soc manager kratos hydra idstools idh elastalert stig global kafka versionlock; do
 mkdir -p $local_salt_dir/pillar/$THEDIR
 touch $local_salt_dir/pillar/$THEDIR/adv_$THEDIR.sls
 touch $local_salt_dir/pillar/$THEDIR/soc_$THEDIR.sls
@@ -1850,7 +1850,6 @@ repo_sync_local() {
 # After the download is complete run createrepo
 create_repo
 fi
-
 else
 # Add the proper repos for unsupported stuff
 echo "Adding Repos"
@@ -1866,9 +1865,9 @@ repo_sync_local() {
 fi
 dnf install -y yum-utils device-mapper-persistent-data lvm2
 curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo
- rpm --import https://repo.saltproject.io/salt/py3/redhat/9/x86_64/SALT-PROJECT-GPG-PUBKEY-2023.pub
+ rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
 dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
- curl -fsSL "https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/$SALTVERSION.repo" | tee /etc/yum.repos.d/salt.repo
+ curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
 dnf repolist
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
 else
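Review bot: The new `salt.repo` source `https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo` replaces a repo pinned to `$SALTVERSION` with a moving `latest` target, so two installs run weeks apart can configure different Salt repositories and `$SALTVERSION` no longer governs what this branch installs. If pinning is meant to come from the versionlock state added in this diff, a comment on this line saying so would help; otherwise pinning the URL to a specific release tag keeps installs reproducible. The signing key is also trusted purely on the strength of the TLS download (`rpm --import https://...`); comparing the imported key's fingerprint against a value recorded in this repository would catch a substituted key. On the changed `curl -fsSL ... | tee /etc/yum.repos.d/salt.repo` line the pipeline's status is tee's, so a failed download leaves an empty salt.repo and the error surfaces later at `dnf repolist`; the enclosing `else` branch of `repo_sync_local` begins outside the hunk.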
@@ -1901,27 +1900,22 @@ saltify() {
 logCmd "mkdir -vp /etc/apt/keyrings"
 logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
+ # Download public key
+ logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public"
+ # Create apt repo target configuration
+ echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list
+
 if [[ $is_ubuntu ]]; then
-
- # Add Salt Repo
- logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
- echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/ubuntu/$UBVER/amd64/minor/$SALTVERSION/ $OSVER main" | sudo tee /etc/apt/sources.list.d/salt.list
-
 # Add Docker Repo
 add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
 else
- # Add Salt Repo *NOTE* You have to use debian 11 since it isn't out for 12
- logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/SALT-PROJECT-GPG-PUBKEY-2023.gpg"
- echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt/py3/debian/11/amd64/minor/$SALTVERSION/ bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
-
 # Add Docker Repo
 curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
 echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list
-
 fi
- logCmd "apt-key add
/etc/apt/keyrings/salt-archive-keyring-2023.gpg"
+ logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"
 #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
 logCmd "apt-key add /etc/apt/keyrings/docker.pub"
diff --git a/setup/so-setup b/setup/so-setup
index 85b26fa40..b7723da37 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -692,8 +692,10 @@ if ! [[ -f $install_opt_file ]]; then
 logCmd "so-minion -o=setup"
 title "Creating Global SLS"
- # Airgap Rules
- airgap_rules
+ if [[ $is_airgap ]]; then
+ # Airgap Rules
+ airgap_rules
+ fi
 manager_pillar
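Review bot: The new source line `deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main` drops the `$SALTVERSION` and `$OSVER`/`bullseye` pinning the removed lines carried, so apt will follow whatever `stable` currently publishes, and the key is then also added to the global trust store by the surviving `logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"` line, which defeats the `signed-by=` scoping the same line sets up. If the versionlock state added in this diff is meant to pin Salt, a comment here should say so; otherwise an apt preferences entry pinning `salt-*` to `$SALTVERSION` restores the previous behaviour. Dropping the `apt-key add` for the Salt key while keeping the keyring file for `signed-by` limits the key's trust to this one repository. `saltify()` continues on both sides of the hunk, and the hunk's own first line is on the preceding source line.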
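Review bot: Gating `airgap_rules` on `$is_airgap` also gates the `mkdir -p /nsm/rules` inside that function (visible as a context line in the so-functions hunk of this diff), so on a non-airgap install `/nsm/rules` is no longer created at this point; if nothing else creates it before the first rule sync, that sync would fail on the missing directory. Either keep a `mkdir -p /nsm/rules` outside the new conditional or confirm a state creates it. The enclosing `if ! [[ -f $install_opt_file ]]` block starts outside the hunk.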