From 16249cc80d7e4c53b7ec28b5f260ea4dfbcb1d2f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 10 Apr 2023 09:06:55 -0400
Subject: [PATCH 01/10] salt install for ubuntu

---
 setup/so-functions | 29 ++++++++++++++++++-----------
 setup/so-setup | 20 ++++++++++----------
 2 files changed, 28 insertions(+), 21 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 9dbc95173..b2ecc7130 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2008,14 +2008,19 @@ saltify() { ) retry 150 20 "apt-get -y install ${pkg_arr[*]}" || exit 1 - logCmd "mkdir -vp /opt/so/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" - logCmd "apt-key add /opt/so/gpg/docker.pub" + logCmd "mkdir -vp /etc/apt/keyrings" + #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" + + logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.gpg https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/SALT-PROJECT-GPG-PUBKEY-2023.gpg" + echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.gpg] https://repo.saltproject.io/salt_rc/salt/py3/ubuntu/20.04/amd64/minor/3006.0rc3/ focal main" | sudo tee /etc/apt/sources.list.d/salt.list + logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg" + + #logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub" + logCmd "apt-key add /etc/apt/keyrings/docker.pub" # Add SO Saltstack Repo - echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list + #echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list # Add Docker Repo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" 
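Review bot: `apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.gpg` puts the Salt key into apt's global trusted keyring, which undoes the scoping that `signed-by=` in the new salt.list line provides (a key in the global keyring is trusted for every configured repository), and apt-key is deprecated in current apt releases; drop the apt-key line and rely on `signed-by` alone. The `echo ... | sudo tee /etc/apt/sources.list.d/salt.list` line is the only step here that invokes sudo and bypasses logCmd, while the neighbouring steps write the same directory directly; write it with a plain redirect as the commented-out saltstack.list line did, so it is recorded like the rest. The key is fetched with `curl -fsSL` and no fingerprint check, and the repository path is a release candidate (`salt_rc/.../3006.0rc3`), which deserves a `# TODO: switch to the GA 3006 repo before release` comment so it is not forgotten. saltify() continues outside the hunk.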
@@ -2023,9 +2028,9 @@ saltify() { # Ain't nothing but a GPG retry 150 20 "apt-get update" "" "Err:" || exit 1 - retry 150 20 "apt-get -y install salt-minion=3004.2+ds-1 salt-common=3004.2+ds-1" || exit 1 + retry 150 20 "apt-get -y install salt-common salt-minion" || exit 1 retry 150 20 "apt-mark hold salt-minion salt-common" || exit 1 - retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 + #retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 fi @@ -2033,9 +2038,7 @@ saltify() { # THIS IS A TEMP HACK #logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker" logCmd "dnf -y install salt salt-master salt-minion" - logCmd "mkdir -p /etc/salt/minion.d" - logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" - logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" + #if [[ $waitforstate ]]; then # # Since this is a salt master so let's install it # logCmd "" @@ -2045,6 +2048,10 @@ saltify() { #fi fi + logCmd "mkdir -p /etc/salt/minion.d" + logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" + logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" + } diff --git a/setup/so-setup b/setup/so-setup index f10ff8c48..96e39b546 100755 --- a/setup/so-setup +++ b/setup/so-setup 
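Review bot: `apt-get -y install salt-common salt-minion` no longer pins a version, so the following `apt-mark hold` freezes whatever the RC repository happened to serve at install time and two nodes built on different days can end up on different Salt versions. The removed line pinned `=3004.2+ds-1`; pin again against the 3006 packages, e.g. `retry 150 20 "apt-get -y install salt-common=<version> salt-minion=<version>" || exit 1` with the exact version string from the repository. The commented-out python3-* install line below is dead code; delete it rather than keep it commented, and the same applies to the commented lines in the previous hunk.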
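Review bot: The two `salt-pip install ... --find-links files/salt_module_deps/...` lines now run for both Rocky and Ubuntu but use a relative path, so they only work when the installer is launched from the directory that contains `files/`; that was already true before the move, but the move widens where it matters. If the setup scripts define a variable for their own directory, use it (`--find-links "$<setup_dir>/files/salt_module_deps/docker/"`), otherwise derive one from `$(dirname "$0")`. Whether logCmd aborts on a non-zero exit is not visible here; if it does not, these lines deserve an explicit `|| exit 1` like the retry calls above.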
@@ -337,7 +337,7 @@ if ! [[ -f $install_opt_file ]]; then # If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles. if [[ $is_eval ]]; then waitforstate=true - ubuntu_check + #ubuntu_check monints=true check_elastic_license check_requirements "manager" @@ -361,7 +361,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_standalone ]]; then waitforstate=true - ubuntu_check + #ubuntu_check monints=true check_elastic_license check_requirements "manager" @@ -386,7 +386,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_manager ]]; then check_elastic_license waitforstate=true - ubuntu_check + #ubuntu_check check_requirements "manager" networking_needful collect_net_method @@ -408,7 +408,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_managersearch ]]; then check_elastic_license waitforstate=true - ubuntu_check + #ubuntu_check check_requirements "manager" networking_needful collect_net_method @@ -428,7 +428,7 @@ if ! [[ -f $install_opt_file ]]; then collect_so_allow whiptail_end_settings elif [[ $is_sensor ]]; then - ubuntu_check + #ubuntu_check monints=true check_requirements "sensor" calculate_useable_cores @@ -444,7 +444,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_searchnode ]]; then - ubuntu_check + #ubuntu_check check_requirements "elasticsearch" networking_needful check_network_manager_conf @@ -457,7 +457,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_heavynode ]]; then - ubuntu_check + #ubuntu_check monints=true check_requirements "heavynode" calculate_useable_cores @@ -469,7 +469,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_idh ]]; then - ubuntu_check + #ubuntu_check check_requirements "idh" networking_needful collect_mngr_hostname 
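Review bot: Commenting out `ubuntu_check` as `#ubuntu_check` leaves dead code in every role branch rather than removing the call, and the same edit is repeated in the hunks at -361, -386, -408, -428, -444, -457, -469, -481 and -503. Whatever ubuntu_check enforced (its body is not on this page) is now skipped silently for Ubuntu installs; if the intent is to allow Ubuntu, delete the lines, and if some of its checks should survive, keep the call and make the function return early for supported releases instead. Either way a one-line comment at the first branch such as `# ubuntu_check removed: Ubuntu is a supported install target from this release` would explain the change to the next reader.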
@@ -481,7 +481,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_import ]]; then - ubuntu_check + #ubuntu_check waitforstate=true monints=true check_elastic_license @@ -503,7 +503,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_receiver ]]; then - ubuntu_check + #ubuntu_check check_requirements "receiver" networking_needful collect_mngr_hostname From ad64b873c0316106bc915df606405294c1487892 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 11 Apr 2023 12:58:40 -0400 Subject: [PATCH 02/10] ubuntu changes --- salt/common/init.sls | 7 ------- salt/common/packages.sls | 16 ++++++++++++---- salt/ntp/init.sls | 7 ++++++- salt/repo/client/ubuntu.sls | 20 -------------------- salt/salt/init.sls | 10 +--------- setup/so-functions | 29 ++++++++++++++++++----------- setup/so-setup | 1 + 7 files changed, 38 insertions(+), 52 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 21c4ce369..b6495a84b 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -200,13 +200,6 @@ sostatus_log: - name: /opt/so/log/sostatus/status.log - mode: 644 -common_pip_dependencies: - pip.installed: - - user: root - - pkgs: - - rich - - target: /usr/lib64/python3.6/site-packages - # Install sostatus check cron sostatus_check_cron: cron.present: diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 9e118f4da..7870eddf8 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls 
@@ -10,23 +10,31 @@ commonpkgs: - wget - ntpdate - jq - - python3-docker - curl - ca-certificates - software-properties-common - apt-transport-https - openssl - netcat - - python3-mysqldb - sqlite3 - libssl-dev - python3-dateutil - - python3-m2crypto - - python3-mysqldb - python3-packaging - python3-lxml - git - vim + +# since Ubuntu requires and internet connection we can use pip to install modules +python3-pip: + pkg.installed + +python-rich: + pip.installed: + - name: rich + - require: + - pkg: python3-pip + + {% elif GLOBALS.os == 'Rocky' %} commonpkgs: pkg.installed: diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls index 42840d6ec..aeb878594 100644 --- a/salt/ntp/init.sls +++ b/salt/ntp/init.sls @@ -2,6 +2,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. +{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'ntp/config.map.jinja' import NTPCONFIG %} chronyconf: @@ -12,8 +13,12 @@ chronyconf: - defaults: NTPCONFIG: {{ NTPCONFIG }} +{% if GLOBALS.os == 'Rocky' %} chronyd: +{% else %} +chrony: +{% endif %} service.running: - enable: True - watch: - - file: chronyconf \ No newline at end of file + - file: chronyconf diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index a5d55fa5e..e69de29bb 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls 
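Review bot: `python-rich` installs `rich` from PyPI at highstate time with no version pin and no hash, so every Ubuntu node fetches whatever version is current when it runs, which makes builds non-reproducible and pulls an unverified dependency onto each node; pin it, e.g. `- name: rich==<pinned version>`, or ship it as a local wheel the way the docker/pymysql modules are installed in so-functions. The new comment reads `since Ubuntu requires and internet connection`, which should be `an internet connection`. Note also that `python3-docker` is dropped from this list but is still installed for focal from salt/salt/init.sls, so the two lists are worth reconciling.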
@@ -1,20 +0,0 @@ -# this removes the repo file left by bootstrap-salt.sh without -r -remove_salt.list: - file.absent: - - name: /etc/apt/sources.list.d/salt.list - -saltstack.list: - file.managed: - - name: /etc/apt/sources.list.d/saltstack.list - - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt3004.2/ {{grains.oscodename}} main - -apt_update: - cmd.run: - - name: apt-get update - - onchanges: - - file: saltstack.list - - timeout: 30 - - retry: - attempts: 5 - interval: 30 \ No newline at end of file diff --git a/salt/salt/init.sls b/salt/salt/init.sls index da66e100e..a190a84eb 100644 --- a/salt/salt/init.sls +++ b/salt/salt/init.sls @@ -1,16 +1,8 @@ -{% from 'vars/globals.map.jinja' import GLOBALS %} - -{% if GLOBALS.os != 'Rocky' %} +{% if grains.oscodename == 'focal' %} saltpymodules: pkg.installed: - pkgs: - {% if grains['oscodename'] == 'bionic' %} - - python-m2crypto - - python-docker - {% elif grains['oscodename'] == 'focal' %} - - python3-m2crypto - python3-docker - {% endif %} {% endif %} salt_bootstrap: diff --git a/setup/so-functions b/setup/so-functions index d4ec97a69..aa7cf98d4 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -674,8 +674,13 @@ configure_ntp() { 'rtcsync' \ 'logdir /var/log/chrony' >> $chrony_conf - systemctl enable chronyd - systemctl restart chronyd + if [ "$OS" == 'rocky' ]; then + systemctl enable chronyd + systemctl restart chronyd + elif [ "$OS" == 'ubuntu' ]; then + systemctl enable chrony + systemctl restart chrony + fi # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made 
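Review bot: The `{% from 'vars/globals.map.jinja' import GLOBALS %}` line is removed from the top of salt/salt/init.sls, but only the first eight lines are in the hunk; if anything after `salt_bootstrap:` still references GLOBALS the render will fail, so confirm with a grep of the file before merging. Replacing the `GLOBALS.os != 'Rocky'` test with `grains.oscodename == 'focal'` also means any Ubuntu release other than focal gets no `python3-docker`; a short comment stating why focal alone is targeted would make that narrowing read as intentional.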
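Review bot: The new `if [ "$OS" == 'rocky' ] ... elif [ "$OS" == 'ubuntu' ]` has no else branch, so for any other value of `$OS` chrony is silently neither enabled nor restarted and the sync commands that follow run against whatever daemon state was there before. Add `else printf 'configure_ntp: unsupported OS %s\n' "$OS" >&2; exit 1` (or the file's own error helper, if it has one) so the failure is visible. While here, the `>> $chrony_conf` in the context line is unquoted; `>> "$chrony_conf"` is the safe form. configure_ntp() starts before and continues after this hunk.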
@@ -959,15 +964,17 @@ installer_progress_loop() { } installer_prereq_packages() { - if [ "$OS" == rocky ]; then - if [[ ! $is_iso ]]; then - if ! command -v nmcli > /dev/null 2>&1; then - logCmd "dnf -y install NetworkManager" - fi - fi - logCmd "systemctl enable NetworkManager" - logCmd "systemctl start NetworkManager" - elif [ "$OS" == ubuntu ]; then +# if [ "$OS" == rocky ]; then +# if [[ ! $is_iso ]]; then +# if ! command -v nmcli > /dev/null 2>&1; then +# logCmd "dnf -y install NetworkManager" +# fi +# fi +# logCmd "systemctl enable NetworkManager" +# logCmd "systemctl start NetworkManager" +# el + + if [ "$OS" == ubuntu ]; then # Print message to stdout so the user knows setup is doing something retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 # Install network manager so we can do interface stuff diff --git a/setup/so-setup b/setup/so-setup index 96e39b546..76bc79e5b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -641,6 +641,7 @@ if ! [[ -f $install_opt_file ]]; then mkdir -p /opt/so es_heapsize ls_heapsize + installer_prereq_packages generate_interface_vars if [[ $monints ]]; then configure_network_sensor From c66f59566601200f9983b8b73e9262be1ed708f4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 11 Apr 2023 13:48:59 -0400 Subject: [PATCH 03/10] unsure prereqs for sensor --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 76bc79e5b..68d32b0f5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -429,6 +429,7 @@ if ! [[ -f $install_opt_file ]]; then whiptail_end_settings elif [[ $is_sensor ]]; then #ubuntu_check + installer_prereq_packages monints=true check_requirements "sensor" calculate_useable_cores @@ -641,7 +642,6 @@ if ! [[ -f $install_opt_file ]]; then mkdir -p /opt/so es_heapsize ls_heapsize - installer_prereq_packages generate_interface_vars if [[ $monints ]]; then configure_network_sensor 
From 26a12477acb6f6ddc680a3e6cc29411a2628725a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 11 Apr 2023 15:36:57 -0400 Subject: [PATCH 04/10] python3-rich for ubuntu and chrony pkg for all --- salt/common/packages.sls | 1 + salt/ntp/init.sls | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 7870eddf8..0272a971d 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -31,6 +31,7 @@ python3-pip: python-rich: pip.installed: - name: rich + - target: /usr/local/lib/python3.8/dist-packages/ - require: - pkg: python3-pip diff --git a/salt/ntp/init.sls b/salt/ntp/init.sls index aeb878594..08f5e28b5 100644 --- a/salt/ntp/init.sls +++ b/salt/ntp/init.sls @@ -5,6 +5,10 @@ {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'ntp/config.map.jinja' import NTPCONFIG %} +chrony_pkg: + pkg.installed: + - name: chrony + chronyconf: file.managed: - name: /etc/chrony.conf @@ -22,3 +26,5 @@ chrony: - enable: True - watch: - file: chronyconf + - require: + - pkg: chrony_pkg From de082f6100ba2d772351eac4b10a748872e5b6e3 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 12 Apr 2023 09:26:04 -0400 Subject: [PATCH 05/10] install chrony in ntp state --- salt/common/packages.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index 0272a971d..dc6d72b8d 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -5,7 +5,6 @@ commonpkgs: pkg.installed: - skip_suggestions: True - pkgs: - - chrony - apache2-utils - wget - ntpdate From c90c72dbba20f77bfef112d149e9093180c8b444 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 12 Apr 2023 10:17:13 -0400 Subject: [PATCH 06/10] provide info when running apt-get update and upgrade --- setup/so-functions | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index aa7cf98d4..a2d45e3b6 100755 --- a/setup/so-functions 
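Review bot: `- target: /usr/local/lib/python3.8/dist-packages/` hard-codes the interpreter version, so the state breaks as soon as a node runs any Python other than 3.8 (every Ubuntu release other than focal), and `target` also makes pip drop the files outside its normal metadata tracking. If the aim is only to make `rich` importable by the system python3, the system pip on Debian-derived systems already installs to `/usr/local/lib/python3.X/dist-packages` when run as root, so the line is probably unnecessary; if it is needed, derive the path at render time from the interpreter (`python3 -c 'import sysconfig; print(sysconfig.get_path("purelib"))'`) instead of spelling out 3.8, and add a comment saying why a target is required.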
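Review bot: `chronyconf` still manages `/etc/chrony.conf` (context line), but on Ubuntu the chrony package reads `/etc/chrony/chrony.conf` by default (confirm on a focal host), so the new `chrony_pkg` plus the `chrony` service would run on Ubuntu with the distribution default config while the managed file sits unused. Make the path conditional the same way the service name already is, e.g. `- name: {% if GLOBALS.os == 'Rocky' %}/etc/chrony.conf{% else %}/etc/chrony/chrony.conf{% endif %}`, and point the `watch` at the same state so a config change still restarts the service.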
+++ b/setup/so-functions @@ -976,9 +976,11 @@ installer_prereq_packages() { if [ "$OS" == ubuntu ]; then # Print message to stdout so the user knows setup is doing something + info "Running apt-get update" retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 # Install network manager so we can do interface stuff if ! command -v nmcli > /dev/null 2>&1; then + info "Installing network-manager" retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1 { systemctl enable NetworkManager @@ -2393,7 +2395,9 @@ update_packages() { logCmd "dnf repolist" logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" else - retry 150 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 + info "Running apt-get update" + retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 + info "Running apt-get upgrade" retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 fi } From 0d17f4f486f50b14131e3b3bed4c3197ef7cc63b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 12 Apr 2023 14:38:21 -0400 Subject: [PATCH 07/10] python modules for filecheck --- salt/common/packages.sls | 2 ++ setup/so-setup | 4 ++++ 2 files changed, 6 insertions(+) diff --git a/salt/common/packages.sls b/salt/common/packages.sls index dc6d72b8d..dff2e95c9 100644 --- a/salt/common/packages.sls +++ b/salt/common/packages.sls @@ -19,6 +19,7 @@ commonpkgs: - libssl-dev - python3-dateutil - python3-packaging + - python3-watchdog - python3-lxml - git - vim @@ -59,6 +60,7 @@ commonpkgs: - python3-m2crypto - rsync - python3-rich + - python3-pyyaml - python3-watchdog - python3-packaging - unzip diff --git a/setup/so-setup b/setup/so-setup index 68d32b0f5..e4200086e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -446,6 +446,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_searchnode ]]; then #ubuntu_check + installer_prereq_packages check_requirements "elasticsearch" networking_needful check_network_manager_conf 
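Review bot: `apt-get -y upgrade` can still block on a debconf or conffile prompt in an unattended installer unless `DEBIAN_FRONTEND=noninteractive` is exported somewhere not visible on this page; if it is not, prefix the command (`retry 150 10 "DEBIAN_FRONTEND=noninteractive apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1`), which works as long as retry evaluates its command string through the shell. The `-y` on `apt-get -y update` has no effect on update and can be dropped. update_packages() starts outside the hunk.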
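Review bot: `installer_prereq_packages` is now called by hand at the top of the sensor, searchnode, heavynode, idh and receiver branches (this hunk and the hunks at -459, -471 and -505), which is easy to miss when a new role is added and is exactly the duplication the earlier commit in this series avoided by calling it once after `ls_heapsize`. Since the function already branches on `$OS` internally, call it once before the `if [[ $is_eval ]]` chain and delete the per-branch calls. If the intent is that only non-manager roles run it, a comment saying so at the first call site (`# prereq packages: only roles that can run on Ubuntu`) would help.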
@@ -459,6 +460,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_heavynode ]]; then #ubuntu_check + installer_prereq_packages monints=true check_requirements "heavynode" calculate_useable_cores @@ -471,6 +473,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_idh ]]; then #ubuntu_check + installer_prereq_packages check_requirements "idh" networking_needful collect_mngr_hostname @@ -505,6 +508,7 @@ if ! [[ -f $install_opt_file ]]; then elif [[ $is_receiver ]]; then #ubuntu_check + installer_prereq_packages check_requirements "receiver" networking_needful collect_mngr_hostname From e4e326cd0604d8255dd1c8d1efea7136337009cd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 12 Apr 2023 15:44:42 -0400 Subject: [PATCH 08/10] limit whiptail install options for ubuntu --- setup/so-whiptail | 35 ++++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index f58f65fa2..ea7740ab1 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -523,15 +523,24 @@ whiptail_install_type() { [ -n "$TESTING" ] && return # What kind of install are we doing? - install_type=$(whiptail --title "$whiptail_title" --menu \ - "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \ - "IMPORT" "Import PCAP or log files " \ - "EVAL" "Evaluation mode (not for production) " \ - "STANDALONE" "Standalone production install " \ - "DISTRIBUTED" "Distributed install submenu " \ - "OTHER" "Other install types" \ - 3>&1 1>&2 2>&3 - ) + if [[ $OS = 'rocky' ]]; then + install_type=$(whiptail --title "$whiptail_title" --menu \ + "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \ + "IMPORT" "Import PCAP or log files " \ + "EVAL" "Evaluation mode (not for production) " \ + "STANDALONE" "Standalone production install " \ + "DISTRIBUTED" "Distributed install submenu " \ + "OTHER" "Other install types" \ + 3>&1 1>&2 2>&3 + ) + elif [[ $OS = 'ubuntu' ]]; then + install_type=$(whiptail --title "$whiptail_title" --menu \ + "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \ + "DISTRIBUTED" "Distributed install submenu " \ + "OTHER" "Other install types" \ + 3>&1 1>&2 2>&3 + ) + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus 
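Review bot: `whiptail_install_type` now has an `if rocky / elif ubuntu` with no else, so for any other `$OS` value `install_type` stays empty and `local exitstatus=$?` picks up the status of the failed `[[ ]]` test (1) instead of a whiptail result, which `whiptail_check_exitstatus` presumably reads as a cancel. The two whiptail calls also duplicate the title, prompt and the trailing DISTRIBUTED/OTHER entries, so a change to the prompt must be made twice. Building the menu entries in an array and issuing a single whiptail call removes both problems; the rewrite below keeps the Rocky-only entries behind the OS check and shows the reduced menu to everything else, which should be confirmed as the desired fallback.
```bash
  # What kind of install are we doing?
  # Single-node install types are only offered on Rocky; an Ubuntu box can
  # only join an existing deployment, so it gets the reduced menu.
  local -a menu_items=()
  if [[ $OS = 'rocky' ]]; then
    menu_items+=(
      "IMPORT" "Import PCAP or log files "
      "EVAL" "Evaluation mode (not for production) "
      "STANDALONE" "Standalone production install "
    )
  fi
  menu_items+=(
    "DISTRIBUTED" "Distributed install submenu "
    "OTHER" "Other install types"
  )
  install_type=$(whiptail --title "$whiptail_title" --menu \
    "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture.html" 18 65 5 \
    "${menu_items[@]}" \
    3>&1 1>&2 2>&3
  )
  local exitstatus=$?
  # … unchanged: whiptail_check_exitstatus and the rest of the function …
```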
@@ -554,11 +563,19 @@ whiptail_install_type_dist() { [ -n "$TESTING" ] && return + if [[ $OS = 'rocky' ]]; then dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ "New Deployment " "Create a new Security Onion deployment" \ "Existing Deployment " "Join to an existing Security Onion deployment " \ 3>&1 1>&2 2>&3 ) + elif [[ $OS = 'ubuntu' ]]; then + dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \ + "Existing Deployment " "Join to an existing Security Onion deployment " \ + 3>&1 1>&2 2>&3 + ) + fi + local exitstatus=$? whiptail_check_exitstatus $exitstatus From 76ba89c3562c45dfe62a91907b1acbfbe4e07cd1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 13 Apr 2023 16:01:43 -0400 Subject: [PATCH 09/10] fix so-status cron to work with ubuntu --- salt/common/init.sls | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index b6495a84b..2248c80bc 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -200,10 +200,11 @@ sostatus_log: - name: /opt/so/log/sostatus/status.log - mode: 644 -# Install sostatus check cron +# Install sostatus check cron. This is used to populate Grid. sostatus_check_cron: cron.present: - - name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1' + - name: 'USER=root /usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1' + - identifier: sostatus_check_cron - user: root - minute: '*/1' - hour: '*' From 104746289868bec4ade8e2b7a06e5ece5d6c207a Mon Sep 17 00:00:00 2001 
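Review bot: The Rocky branch of `whiptail_install_type_dist` keeps its old indentation inside the new `if`, so the structure is hard to read at a glance; re-indent it two spaces like the Ubuntu branch. As in `whiptail_install_type`, there is no else, so a third `$OS` value leaves `dist_option` empty with `$?` reflecting the failed test rather than a menu result; an `else` that reports the unsupported OS and returns non-zero would make that visible.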
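Review bot: Changing `- name:` to `USER=root /usr/sbin/so-status ...` while introducing `- identifier:` in the same step means a node whose crontab already holds the old line (installed without an identifier) most likely gets a second entry rather than an update, since cron.present matches on the identifier and the old command no longer equals the new name; the result is so-status running twice a minute until root's crontab is cleaned by hand. Add a `cron.absent` for the old command (`- name: '/usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1'` with `- user: root`) ordered before this state, or verify on an upgraded node that the old line is replaced. The `USER=root` prefix is presumably a workaround for something downstream that reads `$USER`; a comment naming what needs it would save the next reader the same investigation.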
From: m0duspwnens Date: Thu, 13 Apr 2023 16:25:47 -0400 Subject: [PATCH 10/10] add identifiers for all cron.present --- salt/backup/config_backup.sls | 1 + salt/common/init.sls | 21 ++++++++++++++------- salt/curator/init.sls | 6 ++++-- salt/idstools/init.sls | 3 ++- salt/influxdb/init.sls | 1 + salt/manager/init.sls | 6 ++++-- salt/manager/sync_es_users.sls | 3 ++- salt/playbook/init.sls | 6 ++++-- salt/salt/minion-check.sls | 5 +++-- salt/setup/highstate_cron.sls | 1 + salt/soc/init.sls | 1 + salt/strelka/init.sls | 2 ++ salt/suricata/init.sls | 15 ++++----------- 13 files changed, 43 insertions(+), 28 deletions(-) diff --git a/salt/backup/config_backup.sls b/salt/backup/config_backup.sls index 20616f780..a09c67b1b 100644 --- a/salt/backup/config_backup.sls +++ b/salt/backup/config_backup.sls @@ -25,6 +25,7 @@ config_backup_script: so_config_backup: cron.present: - name: /usr/sbin/so-config-backup > /dev/null 2>&1 + - identifier: so_config_backup - user: root - minute: '1' - hour: '0' diff --git a/salt/common/init.sls b/salt/common/init.sls index 2248c80bc..387d4e82a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -133,8 +133,10 @@ so-status_script: {% if GLOBALS.role in GLOBALS.sensor_roles %} # Add sensor cleanup -/usr/sbin/so-sensor-clean: +so-sensor-clean: cron.present: + - name: /usr/sbin/so-sensor-clean + - identifier: so-sensor-clean - user: root - minute: '*' - hour: '*' @@ -154,8 +156,10 @@ sensorrotateconf: - source: salt://common/files/sensor-rotate.conf - mode: 644 -/usr/local/bin/sensor-rotate: +sensor-rotate: cron.present: + - name: /usr/local/bin/sensor-rotate + - identifier: sensor-rotate - user: root - minute: '1' - hour: '0' @@ -178,8 +182,10 @@ commonlogrotateconf: - template: jinja - mode: 644 -/usr/local/bin/common-rotate: +common-rotate: cron.present: + - name: /usr/local/bin/common-rotate + - identifier: common-rotate - user: root - minute: '1' - hour: '0' 
@@ -201,10 +207,10 @@ sostatus_log: - mode: 644 # Install sostatus check cron. This is used to populate Grid. -sostatus_check_cron: +so-status_check_cron: cron.present: - name: 'USER=root /usr/sbin/so-status -j > /opt/so/log/sostatus/status.log 2>&1' - - identifier: sostatus_check_cron + - identifier: so-status_check_cron - user: root - minute: '*/1' - hour: '*' @@ -214,7 +220,7 @@ sostatus_check_cron: remove_post_setup_cron: cron.absent: - - name: 'salt-call state.highstate' + - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate' - identifier: post_setup_cron {% if GLOBALS.role not in ['eval', 'manager', 'managersearch', 'standalone'] %} @@ -240,9 +246,10 @@ raidpkgs: {% endif %} # Install raid check cron -so_raid_status: +so-raid-status: cron.present: - name: '/usr/sbin/so-raid-status > /dev/null 2>&1' + - identifier: so-raid-status - user: root - minute: '*/15' - hour: '*' diff --git a/salt/curator/init.sls b/salt/curator/init.sls index 36f1261fe..d1e4276e1 100644 --- a/salt/curator/init.sls +++ b/salt/curator/init.sls @@ -126,9 +126,10 @@ delete_so-curator_so-status.disabled: - regex: ^so-curator$ {% endif %} -so-curatorclusterclose: +so-curator-cluster-close: cron.present: - name: /usr/sbin/so-curator-cluster-close > /opt/so/log/curator/cron-close.log 2>&1 + - identifier: so-curator-cluster-close - user: root - minute: '2' - hour: '*/1' @@ -136,9 +137,10 @@ so-curatorclusterclose: - month: '*' - dayweek: '*' -so-curatorclusterdeletecron: +so-curator-cluster-delete: cron.present: - name: /usr/sbin/so-curator-cluster-delete > /opt/so/log/curator/cron-cluster-delete.log 2>&1 + - identifier: so-curator-cluster-delete - user: root - minute: '*/5' - hour: '*' diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 78f6c2735..5ec9464cc 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
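Review bot: Renaming the identifier from `sostatus_check_cron` to `so-status_check_cron` repeats the previous commit's problem: a crontab line tagged `SALT_CRON_IDENTIFIER:sostatus_check_cron` is not matched by the new identifier, so any node that applied the intermediate state ends up with two so-status entries. Since both commits are in the same series, the simplest fix is to squash them so only one identifier ever reaches a node; otherwise add a `cron.absent` with `- identifier: sostatus_check_cron`. The same identifier-rename concern applies to salt/salt/minion-check.sls later in this patch.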
@@ -20,9 +20,10 @@ idstoolslogdir: - group: 939 - makedirs: True -so-ruleupdatecron: +so-rule-update: cron.present: - name: /usr/sbin/so-rule-update > /opt/so/log/idstools/download.log 2>&1 + - identifier: so-rule-update - user: root - minute: '1' - hour: '7' diff --git a/salt/influxdb/init.sls b/salt/influxdb/init.sls index b6190fdfd..b4824825b 100644 --- a/salt/influxdb/init.sls +++ b/salt/influxdb/init.sls @@ -127,6 +127,7 @@ metrics_link_file: get_influxdb_size: cron.present: - name: 'du -s -k /nsm/influxdb | cut -f1 > /opt/so/log/telegraf/influxdb_size.log 2>&1' + - identifier: get_influxdb_size - user: root - minute: '*/1' - hour: '*' diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 4db979266..9973dcb41 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -51,7 +51,7 @@ repo_sync_script: - group: root - mode: 755 -reposync_cron: +so-repo-sync: {% if MANAGERMERGED.reposync.enabled %} cron.present: {% else %} @@ -59,6 +59,7 @@ reposync_cron: {% endif %} - user: socore - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1' + - identifier: so-repo-sync - hour: '{{ MANAGERMERGED.reposync.hour }}' - minute: '{{ MANAGERMERGED.reposync.minute }}' @@ -83,10 +84,11 @@ yara_update_script: ISAIRGAP: {{ GLOBALS.airgap }} EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }} -strelka_yara_update: +strelka-yara-update: cron.present: - user: root - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1' + - identifier: strelka-yara-update - hour: '7' - minute: '1' diff --git a/salt/manager/sync_es_users.sls b/salt/manager/sync_es_users.sls index 4546fc52f..79ab14669 100644 --- a/salt/manager/sync_es_users.sls +++ b/salt/manager/sync_es_users.sls 
@@ -24,8 +24,9 @@ sync_es_users: # we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate' # is in the minion config. That line is added before the final highstate during setup -sosyncusers: +so-user_sync: cron.present: - user: root - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' + - identifier: so-user_sync - onlyif: "grep 'startup_states: highstate' /etc/salt/minion" diff --git a/salt/playbook/init.sls b/salt/playbook/init.sls index fd31aeba8..f76292333 100644 --- a/salt/playbook/init.sls +++ b/salt/playbook/init.sls @@ -113,15 +113,17 @@ append_so-playbook_so-status.conf: {% endif %} -so-playbooksynccron: +so-playbook-sync_cron: cron.present: - name: /usr/sbin/so-playbook-sync > /opt/so/log/playbook/sync.log 2>&1 + - identifier: so-playbook-sync_cron - user: root - minute: '*/5' -so-playbookruleupdatecron: +so-playbook-ruleupdate_cron: cron.present: - name: /usr/sbin/so-playbook-ruleupdate > /opt/so/log/playbook/update.log 2>&1 + - identifier: so-playbook-ruleupdate_cron - user: root - minute: '1' - hour: '6' diff --git a/salt/salt/minion-check.sls b/salt/salt/minion-check.sls index 66ab732e2..22f87ca8a 100644 --- a/salt/salt/minion-check.sls +++ b/salt/salt/minion-check.sls @@ -12,8 +12,9 @@ state-apply-test: start: 0 end: 180 -/usr/sbin/so-salt-minion-check -q: +so-salt-minion-check_cron: cron.present: - - identifier: so-salt-minion-check + - name: /usr/sbin/so-salt-minion-check -q + - identifier: so-salt-minion-check_cron - user: root - minute: '*/5' diff --git a/salt/setup/highstate_cron.sls b/salt/setup/highstate_cron.sls index c14f4e1f4..862968d97 100644 --- a/salt/setup/highstate_cron.sls +++ b/salt/setup/highstate_cron.sls @@ -1,6 +1,7 @@ post_setup_cron: cron.present: - name: 'PATH=$PATH:/usr/sbin salt-call state.highstate' + - identifier: post_setup_cron - user: root - minute: '*/1' - identifier: post_setup_cron 
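Review bot: The cron's identifier changes from `so-salt-minion-check` to `so-salt-minion-check_cron`, so an existing crontab entry tagged with the old identifier is not matched and cron.present adds a second `so-salt-minion-check -q` line on every already-deployed node. Keep `- identifier: so-salt-minion-check` (only the state ID needs renaming to fit the new convention) or add a `cron.absent` for the old identifier alongside this state.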
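Review bot: The added `- identifier: post_setup_cron` duplicates the `- identifier: post_setup_cron` that is already the last argument of the same state (visible as the hunk's final context line), so the state now carries the key twice. Drop the new line, or move the existing one up if the goal is to match the argument order used in the other files.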
diff --git a/salt/soc/init.sls b/salt/soc/init.sls index e2ec511ed..9460eeac2 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -91,6 +91,7 @@ socusersroles: salt-relay: cron.present: - name: 'ps -ef | grep salt-relay.sh | grep -v grep > /dev/null 2>&1 || /opt/so/saltstack/default/salt/soc/files/bin/salt-relay.sh >> /opt/so/log/soc/salt-relay.log 2>&1 &' + - identifier: salt-relay so-soc: docker_container.running: diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index bbb2bcaf6..081f2ebd1 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -205,11 +205,13 @@ filecheck_restart: filecheck_run: cron.present: - name: 'ps -ef | grep filecheck | grep -v grep > /dev/null 2>&1 || python3 /opt/so/conf/strelka/filecheck >> /opt/so/log/strelka/filecheck_stdout.log 2>&1 &' + - identifier: filecheck_run - user: {{ filecheck_runas }} filcheck_history_clean: cron.present: - name: '/usr/bin/find /nsm/strelka/history/ -type f -mtime +2 -exec rm {} + > /dev/null 2>&1' + - identifier: filecheck_history_clean - minute: '33' # End Filecheck Section diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 07350d8e1..159e59f4f 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -79,8 +79,10 @@ surilogscript: - source: salt://suricata/cron/surilogcompress - mode: 755 -/usr/local/bin/surilogcompress: +surilogcompress: cron.present: + - name: /usr/local/bin/surilogcompress + - identifier: surilogcompress - user: suricata - minute: '17' - hour: '*' @@ -181,16 +183,6 @@ delete_so-suricata_so-status.disabled: - regex: ^so-suricata$ {% endif %} -surirotate: - cron.absent: - - name: /usr/local/bin/surirotate - - user: root - - minute: '11' - - hour: '*' - - daymonth: '*' - - month: '*' - - dayweek: '*' - so-suricata-eve-clean: file.managed: - name: /usr/sbin/so-suricata-eve-clean 
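Review bot: The new identifier `filecheck_history_clean` does not match its state ID `filcheck_history_clean` (context line, missing an `e`), which is the kind of mismatch the rest of this patch is eliminating; rename the state ID to `filecheck_history_clean` as well. That state also has no `- user:` line, unlike `filecheck_run` just above, so the entry lands in whichever user's crontab the minion defaults to; if root is intended, say so with `- user: root`.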
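Review bot: Deleting the `surirotate: cron.absent` state stops removing the legacy `/usr/local/bin/surirotate` entry, so any node that still carries it and has not applied this state since the cleanup was introduced keeps running it hourly; that may be fine if every supported node has already been cleaned, but the commit message does not say so. If the removal is safe, a one-line comment near `surilogcompress` such as `# legacy surirotate cron is no longer cleaned up here; removed from all supported nodes` would document it; otherwise keep the cron.absent.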
@@ -204,6 +196,7 @@ so-suricata-eve-clean: clean_suricata_eve_files: cron.present: - name: /usr/sbin/so-suricata-eve-clean > /dev/null 2>&1 + - identifier: clean_suricata_eve_files - user: root - minute: '*/5' - hour: '*'