diff --git a/pillar/top.sls b/pillar/top.sls index bf28b6474..53ec8a330 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -2,6 +2,9 @@ base: '*': - global.soc_global - global.adv_global + - docker.soc_docker + - docker.adv_docker + - influxdb.token - logrotate.soc_logrotate - logrotate.adv_logrotate - ntp.soc_ntp @@ -9,21 +12,18 @@ base: - patch.needs_restarting - patch.soc_patch - patch.adv_patch - - '* and not *_desktop': - - docker.soc_docker - - docker.adv_docker - - firewall.soc_firewall - - firewall.adv_firewall - - influxdb.token - - nginx.soc_nginx - - nginx.adv_nginx - - node_data.ips - sensoroni.soc_sensoroni - sensoroni.adv_sensoroni - telegraf.soc_telegraf - telegraf.adv_telegraf + '* and not *_desktop': + - firewall.soc_firewall + - firewall.adv_firewall + - nginx.soc_nginx + - nginx.adv_nginx + - node_data.ips + '*_manager or *_managersearch': - match: compound {% if salt['file.file_exists']('/opt/so/saltstack/local/pillar/elasticsearch/auth.sls') %} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a3c5c75ab..4e3e57f9c 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -188,6 +188,9 @@ 'docker_clean' ], 'so-desktop': [ + 'ssl', + 'docker_clean', + 'telegraf' ], }, grain='role') %} diff --git a/salt/docker_clean/init.sls b/salt/docker_clean/init.sls index c11af4f56..ee60f5591 100644 --- a/salt/docker_clean/init.sls +++ b/salt/docker_clean/init.sls @@ -9,6 +9,7 @@ prune_images: cmd.run: - name: so-docker-prune + - order: last {% else %} diff --git a/salt/firewall/defaults.yaml b/salt/firewall/defaults.yaml index ecb4bad6b..75df49b25 100644 --- a/salt/firewall/defaults.yaml +++ b/salt/firewall/defaults.yaml @@ -289,6 +289,11 @@ firewall: - elastic_agent_control - elastic_agent_data - elastic_agent_update + desktop: + portgroups: + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: 
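Review bot: Moving `influxdb.token` out of `'* and not *_desktop'` into `'*'` delivers that pillar to every minion, desktops included; if it carries the InfluxDB credential (the name suggests it does), the set of hosts able to read it has widened to analyst workstations. Telegraf on desktops presumably needs it, but nothing on the line records that, so a comment such as `# influxdb.token: consumed by telegraf on every role, including desktop` would make the widening deliberate rather than accidental. If some roles under `'*'` run no telegraf, a narrower target that adds `*_desktop` only to the roles that need the token would keep it off the rest. The same hunk moves `docker.soc_docker`/`docker.adv_docker` to all minions, which matches the docker state now being applied under the common target in salt/top.sls.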
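Review bot: The `so-desktop` allow-list gains `'ssl'`, `'docker_clean'` and `'telegraf'`, but the new `'*_desktop and G@saltversion:{{saltversion}}'` target in salt/top.sls also assigns `sensoroni` and `elasticfleet.install_agent_grid` to desktops, and the salt/top.sls `@@ -28` hunk drops the `not *_desktop` guard so desktops presumably now receive `common` and `docker` as well. If this map gates which states a role may run, those states would be refused on desktop; either add `'sensoroni'` and `'elasticfleet.install_agent_grid'` (and `'common'`, `'docker'` if they are gated) here, or remove them from the top file so the two lists agree. The enclosing map literal starts before this hunk.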
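Review bot: The desktop portgroup list is now duplicated across four role sections (this hunk at `@@ -289` and the ones at `@@ -463`, `@@ -651` and `@@ -847`), which invites drift the next time a port is added; a YAML anchor on the first list, or a one-line comment above each copy stating that the desktop lists must stay in sync, would guard against that. Granting the desktop hostgroup `docker_registry`, `influxdb` and `sensoroni` widens what an analyst workstation can reach on the manager-side roles; a comment recording the reason (`# desktop: image pulls, telegraf metrics, sensoroni agent`) would document the intent, which I infer only from the telegraf and docker changes elsewhere in this commit. The `@@ -1205` hunk removes the `desktop` hostgroup from a section whose role header is outside the hunk, so I cannot confirm that removal is intentional rather than a casualty of the copy-paste.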
@@ -463,7 +468,13 @@ firewall: - endgame desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -651,7 +662,13 @@ firewall: - endgame desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -847,7 +864,13 @@ firewall: - strelka_frontend desktop: portgroups: + - docker_registry + - influxdb + - sensoroni - yum + - elastic_agent_control + - elastic_agent_data + - elastic_agent_update customhostgroup0: portgroups: [] customhostgroup1: @@ -1205,9 +1228,6 @@ firewall: analyst: portgroups: - nginx - desktop: - portgroups: - - yum customhostgroup0: portgroups: [] customhostgroup1: diff --git a/salt/manager/tools/sbin/so-minion b/salt/manager/tools/sbin/so-minion index de55c3a5b..075632985 100755 --- a/salt/manager/tools/sbin/so-minion +++ b/salt/manager/tools/sbin/so-minion @@ -552,6 +552,7 @@ function createRECEIVER() { function createDESKTOP() { add_desktop_to_minion + add_telegraf_to_minion } function testConnection() { diff --git a/salt/telegraf/defaults.yaml b/salt/telegraf/defaults.yaml index 36ef679f0..a87fa952b 100644 --- a/salt/telegraf/defaults.yaml +++ b/salt/telegraf/defaults.yaml @@ -87,4 +87,5 @@ telegraf: - sostatus.sh fleet: - sostatus.sh - desktop: [] + desktop: + - sostatus.sh diff --git a/salt/top.sls b/salt/top.sls index 4a605b13c..6db19b361 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -28,11 +28,9 @@ base: - motd - salt.minion-check - salt.lasthighstate - - 'not *_desktop and G@saltversion:{{saltversion}}': - - match: compound - common - docker + - docker_clean '*_sensor and G@saltversion:{{saltversion}}': - match: compound 
@@ -47,7 +45,6 @@ base: - healthcheck - zeek - strelka - - docker_clean - elasticfleet.install_agent_grid '*_eval and G@saltversion:{{saltversion}}': @@ -57,14 +54,14 @@ base: - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -84,7 +81,6 @@ base: - playbook - redis - elasticfleet - - docker_clean '*_manager and G@saltversion:{{saltversion}}': - match: compound @@ -92,14 +88,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -115,7 +111,6 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_standalone and G@saltversion:{{saltversion}}': - match: compound @@ -124,15 +119,15 @@ base: - ca - ssl - registry - - sensoroni - manager - backup.config_backup - nginx - - telegraf - influxdb - soc - kratos - firewall + - sensoroni + - telegraf - idstools - suricata.manager - healthcheck @@ -152,19 +147,17 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_searchnode and G@saltversion:{{saltversion}}': - match: compound - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash - elasticfleet.install_agent_grid - - docker_clean '*_managersearch and G@saltversion:{{saltversion}}': - match: compound @@ -172,14 +165,14 @@ base: - ca - ssl - registry - - sensoroni - nginx - - telegraf - influxdb - soc - kratos - firewall - manager + - sensoroni + - telegraf - backup.config_backup - idstools - suricata.manager @@ -195,15 +188,14 @@ base: - soctopus - playbook - elasticfleet - - docker_clean '*_heavynode and G@saltversion:{{saltversion}}': - match: compound - sensor - ssl - sensoroni - - nginx - telegraf + - nginx - firewall - elasticsearch - logstash 
@@ -215,7 +207,6 @@ base: - zeek - elasticfleet.install_agent_grid - elasticagent - - docker_clean '*_import and G@saltversion:{{saltversion}}': - match: compound @@ -224,13 +215,13 @@ base: - ca - ssl - registry - - sensoroni - manager - nginx - - telegraf - influxdb - soc - kratos + - sensoroni + - telegraf - firewall - idstools - suricata.manager @@ -242,7 +233,6 @@ base: - suricata - zeek - elasticfleet - - docker_clean '*_receiver and G@saltversion:{{saltversion}}': - match: compound @@ -253,7 +243,6 @@ base: - logstash - redis - elasticfleet.install_agent_grid - - docker_clean '*_idh and G@saltversion:{{saltversion}}': - match: compound @@ -262,7 +251,6 @@ base: - telegraf - firewall - elasticfleet.install_agent_grid - - docker_clean - idh '*_fleet and G@saltversion:{{saltversion}}': @@ -275,7 +263,12 @@ base: - elasticfleet - elasticfleet.install_agent_grid - schedule - - docker_clean + + '*_desktop and G@saltversion:{{saltversion}}': + - ssl + - sensoroni + - telegraf + - elasticfleet.install_agent_grid 'J@desktop:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:OEL )': - match: compound diff --git a/setup/so-functions b/setup/so-functions index efa6c800f..5015b4bff 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -94,6 +94,9 @@ desktop_salt_local() { logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python3-dateutil yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" + salt_install_module_deps + salt_patch_x509_v2 + logCmd "salt-call state.apply desktop --local --file-root=../salt/ -l info" read -r -d '' message <<- EOM Finished Security Onion Desktop installation. 
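Review bot: The new `'*_desktop and G@saltversion:{{saltversion}}'` target is missing `- match: compound`, which every other `… and G@saltversion:…` target in this file carries (compare the `'*_receiver …'` entry in the `@@ -242` hunk and the `'J@desktop:gui:enabled…'` entry directly below). Without it the key is matched as a glob against the minion id, which nothing will satisfy, so `ssl`, `sensoroni`, `telegraf` and `elasticfleet.install_agent_grid` would never be applied to desktops. Add `- match: compound` as the first item under the target.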
@@ -2075,21 +2078,27 @@ saltify() { fi logCmd "mkdir -p /etc/salt/minion.d" + salt_install_module_deps + salt_patch_x509_v2 + +} + +# Run a salt command to generate the minion key +salt_firstcheckin() { + salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput +} + +salt_install_module_deps() { logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/" logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/" +} +salt_patch_x509_v2() { # this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved if [ $SALTVERSION == "3006.1" ]; then info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py" \cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py fi - -} - - -# Run a salt command to generate the minion key -salt_firstcheckin() { - salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput } # Create an secrets pillar so that passwords survive re-install
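Review bot: `salt_patch_x509_v2` tests `[ $SALTVERSION == "3006.1" ]` with the variable unquoted; now that `desktop_salt_local` also calls it, an unset or empty `SALTVERSION` turns the test into `[ == "3006.1" ]`, which is a syntax error rather than a clean skip. Quote it: `if [ "$SALTVERSION" == "3006.1" ]; then`. `salt_install_module_deps` keeps the relative `files/salt_module_deps/...` paths, so both new functions assume the caller's working directory is the setup tree; a comment on the function header stating that assumption would help the next caller. The comment on the `salt-call state.show_top` line also has `ouput` for `output`.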