From 5f6770925d0ede70182da4c510f244d3793e3b14 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 5 Apr 2021 16:52:12 -0400 Subject: [PATCH 01/14] speculative commit --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 018bdfac7..e889c64d0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1008,7 +1008,7 @@ create_repo() { detect_cloud() { echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log" - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi } detect_os() { From 5cd7d65b3f9c3d00115d4a181f86a4901abd1eff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 10:03:33 -0400 Subject: [PATCH 02/14] Fix Logic for Airgap distributed --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 214896572..9fef19875 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2285,7 +2285,7 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then + if [[ "$OS" == "centos" && ! $is_airgap ]]; then mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ rm -f /etc/yum.repos.d/* From ed0cd97de5af75600c3a4a2b2d95539de6378bca Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 12:34:23 -0400 Subject: [PATCH 03/14] Fix Logic for Airgap distributed --- setup/so-functions | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9fef19875..2e7a21797 100755 --- a/setup/so-functions 
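Review bot: The new `[ -f /var/log/waagent.log ]` test decides cloud placement from the presence of a log file, a weaker signal than the two existing probes, and nothing on the line says which provider it stands for (presumably the Azure Linux agent). A one-line comment above the `if` would keep the three heuristics readable, e.g. `# cloud heuristics: EC2-style metadata endpoint, GCE BIOS vendor string, Azure waagent log`. Note also that the line only ever sets `is_cloud` to `"true"`; a value inherited from the environment is never cleared, so if callers rely on it being unset on bare metal, `export is_cloud="false"` before the test would make that explicit.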
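Review bot: `! $is_airgap` inside `[[ ]]` only tests whether the variable is non-empty, so a value such as `false` or `0` still counts as air-gapped and skips the repo swap; if `is_airgap` can hold such strings the comparison should be against its literal, e.g. `[[ "$OS" == "centos" && "$is_airgap" != "true" ]]`. Patches 03 and 04 in this series keep the same unquoted truthiness test (04 also inverts its sense), before patch 09 replaces it with `"$INTERWEBS" == "AIRGAP"`; that explicit string comparison is the form to keep. The body of securityonion_repo continues past the end of the hunk.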
+++ b/setup/so-functions @@ -2285,15 +2285,17 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" && ! $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ - else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ - fi + if [[ "$OS" == "centos" ]]; then + if [[ ! $is_airgap ]]; then + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi + fi else echo "This is Ubuntu" fi From c8c1553247d6c07e441e5c62c6c8bced81f021dd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 12:36:50 -0400 Subject: [PATCH 04/14] Fix Logic for Airgap distributed --- setup/so-functions | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2e7a21797..9aca9ca54 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2285,17 +2285,15 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then - if [[ ! $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ - else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ - fi - fi + if [[ "$OS" == "centos" && $is_airgap ]]; then + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi else echo "This is Ubuntu" fi From 9baa9767cafb722fb864bfd90e27e2622f6b497d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 16:12:51 -0400 Subject: [PATCH 05/14] Add raid bind --- salt/telegraf/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 2814eb159..c4871a0b3 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -72,6 +72,7 @@ so-telegraf: - /opt/so/conf/telegraf/scripts:/scripts:ro - /opt/so/log/stenographer:/var/log/stenographer:ro - /opt/so/log/suricata:/var/log/suricata:ro + - /opt/so/log/raid:/var/log/raid:ro - watch: - file: tgrafconf - file: tgrafsyncscripts From 8ab4dd10d42ac97b522abb2345d45e00ba36f43c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 16:29:44 -0400 Subject: [PATCH 06/14] Add sostatus for telegraf --- salt/common/init.sls | 19 +++++++++++++++++++ salt/telegraf/init.sls | 1 + 2 files changed, 20 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ada77e1a..9ee126ac1 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls 
@@ -297,6 +297,25 @@ commonlogrotateconf: - month: '*' - dayweek: '*' +# Create the status directory +sostatusdir: + file.directory: + - name: /opt/so/log/sostatus + - user: 0 + - group: 0 + - makedirs: True + +# Install sostatus check cron +/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: + cron.present: + - user: root + - minute: '*/15' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + + {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %} # Lock permissions on the backup directory backupdir: diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index c4871a0b3..cea4d3f45 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -73,6 +73,7 @@ so-telegraf: - /opt/so/log/stenographer:/var/log/stenographer:ro - /opt/so/log/suricata:/var/log/suricata:ro - /opt/so/log/raid:/var/log/raid:ro + - /opt/so/log/sostatus:/var/log/sostatus:ro - watch: - file: tgrafconf - file: tgrafsyncscripts From 3caaf0682043074b1576d175f3ec1ba94f95b6bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 16:30:16 -0400 Subject: [PATCH 07/14] Add sostatus for telegraf --- salt/telegraf/scripts/sostatus.sh | 33 +++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 salt/telegraf/scripts/sostatus.sh diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh new file mode 100644 index 000000000..23096d903 --- /dev/null +++ b/salt/telegraf/scripts/sostatus.sh 
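Review bot: The cron command `/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1` only runs the `echo` when so-status exits 0, so the file can only ever contain `0`; when a check fails nothing is written and the telegraf metric keeps reporting the stale healthy value exactly when it matters. Use `;` instead of `&&` so the exit code is recorded either way: `/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log` (the trailing `2>&1` only redirects echo's stderr and can go). Because the command string doubles as the state ID, any future edit to it creates a second cron entry alongside the old one unless `- identifier: sostatus` is added to the `cron.present` block. Patch 09 changes the interval to `*/5` but keeps the `&&`, so the same fix applies there.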
@@ -0,0 +1,33 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +APP=sostatus +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf +SOSTATUSLOG=/var/log/sostatus/status.log +SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log) + +if [ -f "$SOSTATUSLOG" ]; then + echo "sostatus status=$SOSTATUSSTATUS" +else + exit 0 +fi From d4a3bc455071b90b36b9233fb7392b8fdbd4cfa9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 08:43:20 -0400 Subject: [PATCH 08/14] Fix so repo for salt --- salt/common/yum_repos/securityonion.repo | 7 +++++++ salt/common/yum_repos/securityonioncache.repo | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index e61829380..0f39d5a3f 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo 
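Review bot: `SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log)` runs before the `-f` test on `$SOSTATUSLOG`, so a missing file produces a cat error on every run and the `if` that follows guards nothing; the read should happen inside the guard and use the variable instead of repeating the literal path. The value is then interpolated straight into a line-protocol record, so anything other than the integer so-status wrote (an error message, an empty file) yields a malformed metric — a `^[0-9]+$` check before the echo keeps the output well-formed. Separately, the lock file is a fixed, world-predictable path under /tmp whose content (`lastPID`) is trusted unvalidated; if /tmp is shared with other users on the host where this runs, a pre-placed file can make the script exit forever, and `flock` on a descriptor under a directory the script owns is the usual replacement — I cannot see from here whether the sibling telegraf scripts share this pattern.
```shell
APP=sostatus
lf=/tmp/$APP-pidLockFile
# … unchanged: pid lock handling …
SOSTATUSLOG=/var/log/sostatus/status.log

# Read the file only once it is known to exist, and emit a metric only when
# the content is the integer exit code so-status wrote; anything else would
# produce a malformed line-protocol record.
if [ -f "$SOSTATUSLOG" ]; then
    read -r SOSTATUSSTATUS < "$SOSTATUSLOG"
    if [[ "$SOSTATUSSTATUS" =~ ^[0-9]+$ ]]; then
        echo "sostatus status=$SOSTATUSSTATUS"
    fi
fi
exit 0
```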
@@ -47,6 +47,13 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +[saltstack3003] +name=SaltStack repo for RHEL/CentOS $releasever PY3 +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ +enabled=1 +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub + [wazuh_repo] gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..def6f8a40 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -47,6 +47,13 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +[saltstack3003] +name=SaltStack repo for RHEL/CentOS $releasever PY3 +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ +enabled=1 +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub + [wazuh_repo] gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH From 725320ebc8880629f3c2550a21e55b1ba3785e52 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:02:11 -0400 Subject: [PATCH 09/14] Fix Repo Logic --- salt/common/init.sls | 2 +- setup/so-functions | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 9ee126ac1..93f76c3b3 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -309,7 +309,7 @@ sostatusdir: /usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: cron.present: - user: root - - minute: '*/15' + - minute: '*/5' - hour: '*' - daymonth: '*' - month: '*' diff --git a/setup/so-functions b/setup/so-functions index 9aca9ca54..54f8d2abf 100755 
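Review bot: The cache variant of the new `[saltstack3003]` section fetches over `baseurl=http://repocache.securityonion.net/...` with `gpgcheck=1` but no `repo_gpgcheck`; package signatures are verified, but repository metadata fetched over plain HTTP is not, so an on-path party could serve stale metadata and hold clients on an older salt build. If repocache is reachable over HTTPS, prefer that URL as the primary file already does; otherwise `repo_gpgcheck=1` (with signed repomd on the cache) closes the gap. Both files also leave the existing saltstack section and this new one `enabled=1` at the same time, so yum will pick whichever repo offers the newest salt package rather than pinning to 3003 — if pinning is the intent, disable the older section or add an `exclude=`/priority; I cannot see the older section's header from the hunk, so this is inferred from the trailing `enabled=1` lines above the insertion.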
--- a/setup/so-functions +++ b/setup/so-functions @@ -2285,14 +2285,18 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" && $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + if [[ "$OS" == "centos" ]]; then + if [[ "$INTERWEBS" == "AIRGAP" ]]; then + echo "This is airgap I don't need to add this repo" else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi fi else echo "This is Ubuntu" From ce9f781d81ea51ad265b630e5f79f1959db161ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:24:04 -0400 Subject: [PATCH 10/14] Fix Repo Logic --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 54f8d2abf..1633d0901 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2291,7 +2291,7 @@ securityonion_repo() { else mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* + rm -rf /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else From 951369c2d698cbd9a7a738c839c099ffae55d430 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:25:36 -0400 Subject: [PATCH 11/14] Fix Repo Logic --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 1633d0901..0771567b2 100755 --- a/setup/so-functions 
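Review bot: On the new side, `mv /etc/yum.repos.d/* /root/oldrepos/`, `rm -f /etc/yum.repos.d/*` and the `cp -f ../salt/common/yum_repos/...` copies are all unchecked, and the copy resolves `../salt` against the caller's current directory; if the copy fails for any reason the host is left with an empty repos directory and setup carries on. Check the copy and surface it in the log the function already uses, e.g. `cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ || { echo "Failed to install Security Onion repo" | tee -a "$setup_log"; return 1; }` (and the same for the cache variant). The `"$INTERWEBS" == "AIRGAP"` branch's message `This is airgap I don't need to add this repo` would also be worth sending through `tee -a "$setup_log"` so the decision is visible in the setup log. The function body continues past the end of the hunk.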
+++ b/setup/so-functions @@ -2290,7 +2290,7 @@ securityonion_repo() { echo "This is airgap I don't need to add this repo" else mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ + mv -v /etc/yum.repos.d/* /root/oldrepos/ rm -rf /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ From fdaf251ba02111b21244524018d7dd6a1b13c6a4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:36:52 -0400 Subject: [PATCH 12/14] Fix Repo Logic --- setup/so-functions | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 0771567b2..b8cd2cae2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2291,7 +2291,9 @@ securityonion_repo() { else mkdir -p /root/oldrepos mv -v /etc/yum.repos.d/* /root/oldrepos/ - rm -rf /etc/yum.repos.d/* + ls -la /etc/yum.repos.d/ + rm -rf /etc/yum.repos.d + mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else From 4c5f373ffa2c3e5f3532d32e42c1d50c1e88e6a7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:37:44 -0400 Subject: [PATCH 13/14] Fix Repo Logic --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index b8cd2cae2..f2face572 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2293,6 +2293,7 @@ securityonion_repo() { mv -v /etc/yum.repos.d/* /root/oldrepos/ ls -la /etc/yum.repos.d/ rm -rf /etc/yum.repos.d + yum clean all mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ From 09b14e6a863ede8568d0b0622f3a18dd41af9eb1 Mon Sep 17 00:00:00 2001 
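Review bot: The added `ls -la /etc/yum.repos.d/` line, and the `yum repolist all` added by patch 14, read like diagnostics left in from debugging rather than part of the repo swap; both print to the console only, are unchecked, and `yum repolist all` runs at a point where `/etc/yum.repos.d` has just been removed, so it can only report an empty list. If the listing is wanted as evidence, route it to the setup log (`ls -la /etc/yum.repos.d/ >> "$setup_log" 2>&1`) and drop the repolist; otherwise remove both. Switching `rm -rf /etc/yum.repos.d/*` to `rm -rf /etc/yum.repos.d` followed by `mkdir -p` also recreates the directory with the running umask rather than the package's mode — probably harmless, but worth a comment stating the intent. The function body continues past the end of the hunk.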
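Review bot: `yum clean all` is inserted after `rm -rf /etc/yum.repos.d`, but as far as I recall yum only cleans the cache of repos it can currently see, so at this point it finds none and the cached metadata of the repos just moved away likely stays in `/var/cache/yum`. Move the call above the `mv -v /etc/yum.repos.d/* /root/oldrepos/` line, while the old repo files are still in place, or pass `--enablerepo='*'` so the cleanup covers them; the later `mkdir -p` and copies are unaffected by either change.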
From: Mike Reeves Date: Thu, 8 Apr 2021 10:38:50 -0400 Subject: [PATCH 14/14] Fix Repo Logic --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index f2face572..9cbad1cfb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2294,6 +2294,7 @@ securityonion_repo() { ls -la /etc/yum.repos.d/ rm -rf /etc/yum.repos.d yum clean all + yum repolist all mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/