diff --git a/salt/ca/init.sls b/salt/ca/init.sls
index c857b331e..4c7973cd0 100644
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -18,7 +18,7 @@ include:
 pki_private_key:
 x509.private_key_managed:
 - name: /etc/pki/ca.key
- - bits: 4096
+ - keysize: 4096
 - passphrase:
 - cipher: aes_256_cbc
 - backup: True
@@ -39,7 +39,7 @@ pki_public_ca_crt:
 - keyUsage: "critical cRLSign, keyCertSign"
 - extendedkeyUsage: "serverAuth, clientAuth"
 - subjectKeyIdentifier: hash
- - authorityKeyIdentifier: keyid,issuer:always
+ - authorityKeyIdentifier: keyid:always, issuer
 - days_valid: 3650
 - days_remaining: 0
 - backup: True
diff --git a/salt/common/packages.sls b/salt/common/packages.sls
index 2ed82c895..9e118f4da 100644
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -52,5 +52,6 @@ commonpkgs:
 - rsync
 - python3-rich
 - python3-watchdog
+ - python3-packaging
 - unzip
 {% endif %}
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 48010da77..ea5cc703e 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -205,7 +205,7 @@ gpg_rpm_import() {
 local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
 fi
- RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALTSTACK-GPG-KEY2.pub' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+ RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 for RPMKEY in "${RPMKEYS[@]}"; do
 rpm --import $RPMKEYSLOC/$RPMKEY
diff --git a/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub b/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub
deleted file mode 100644
index bfc7fc267..000000000
--- a/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub
+++ /dev/null
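Review bot: The new `authorityKeyIdentifier: keyid:always, issuer` value in the pki_public_ca_crt hunk changes the extension content of the root certificate (key identifier unconditional, issuer/serial only as a fallback) rather than only renaming an argument, so on an already-deployed manager the x509 state may treat the existing /etc/pki/ca.crt as drifted and re-issue it; with the same ca.key the leaf certificates keep validating, but any copy of ca.crt distributed to other nodes or truststores would then need refreshing, which is worth confirming before this reaches existing installs. For a self-signed root the AKI is optional under RFC 5280 §4.2.1.1, so either form is acceptable on the wire. A short comment above the line, e.g. `# keyid:always embeds the CA's own SKI; issuer/serial only as fallback`, would record the intent for the next migration. The pki_public_ca_crt state starts before the hunk.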
@@ -1,31 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBGLXV/8BCADCuomk2pibSOuLQeKMIwV3Afy60080hykdc4tU4qQS+zBJZZC0
-VBl2TAOmMWyeY5DRF2ibRTx6Ap8qYefuEjWlo2WHWWZH4WhNkJWL3aWiu8Ga+fFo
-ebjoUFLGgpKDGKveO9PF8A41IP1CLvDicpWXTxfqzQKDOvg3g5EmCx+5ksviXHJ1
-lY5CBbhVPmU3ruzGBqN/6B90VyTicbIyIZKZdnElAqaW6OiEaOmj2Oadi3ARJLWA
-8rpVPweZE0/S4B5UIuMh+JVJU3Os1BUXHKN3LAPENZa1NNYX3j53GxGMf+SAKe0g
-QHe+fHiiB7a6iBl09W8cUJh8HINXW+vvU6mZABEBAAG0MlNhbHRTdGFjayBQYWNr
-YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQFSBBMBCAA8FiEE
-9+rekz4krjI0B2hWN6cQR50w17YFAmLXV/8CGwMFCwkIBwIDIgIBBhUKCQgLAgQW
-AgMBAh4HAheAAAoJEDenEEedMNe2d0MH/36khQzCWMc5ezznO7bcOHOS3OWjQveF
-Vv60y54QRnINCEa7w7ckjiap3dUSJxTo5eoAKNbgX5SgrshEY1HDXDoqgumHJLFW
-J+L4f3CXFBhvObUOwB7ApUNHURcoNQYK7kS/vUJrQ3dFyT7uvgysGtv+/WpboY1s
-ScJnVtWyQmLe7qj5pJ0aI5pPjFnP9869zPScNb6o6lbqGp/xhnL5NkZCF0DNgItw
-HXyNsRPyc8JG+P+GP80XWZ37ajEdwkiPbtu3CD5pvBO1w5FPLBwuH5CSgQFEcA4V
-QH8ThU0P1IhKe3xPRNgawcBTAHXqOD0OxilAIsQdfrKkRiTEcZtFZW25AQ0EYtdX
-/wEIANFBzJfSks4ti/JQkECtEAwH7OtqUxu1QhSSRusGsQu/PpjBRZzlaVlKjS4c
-fGTiZ8+25RX063vBQ+XpuTN9T9boEE4EywM11FCx1zRZIc+HlLOIJ10uKWUapmPM
-+7flnQWXMgJzP47rHe0ofEHlP4/av5C1imgWEtEpYyn1B4qgSxvLFDq46rD5m+DP
-2xNZbwWd0uSAG/wZNonVkISYymB0UTnUm8FABH1Ci7lXO9JnuW+IvVt32C5VibGy
-FXdAJGmIiqsvBhJSUl+GJhO6NTXntuevqPLUXD9PuHWo4Vo1Afek8kqZByyiyrTZ
-StDhrbo/8dSAVQMibLEfNS7R0QkAEQEAAYkBNgQYAQgAIBYhBPfq3pM+JK4yNAdo
-VjenEEedMNe2BQJi11f/AhsMAAoJEDenEEedMNe2zhgH/0wxbQpaCho0BRbUbe6L
-jm9r3yTWn6M+yYv+cBeH9sbobIVOqTvZcawzTEPWa+eVbKgkqhZjUTyfFDpjq9s6
-67zLZnCh85hLoyieSQBER59dc1pmqZJP3VrAIT1lGKMIdjZoN8JAF8IbmJHE1j65
-iZZdhbxfFHnDx22gQ+3nfniTNTWsfVAQeoAjeOuakPKdfUEMsXPBhtBBuFY4NcrT
-TIsBevT4J/STCLkEqlMtYC8ldxUCZqQXdtxqltC4k+y0kp4PmNc3/Vmp65oAeuxI
-d8TNwgZdamdinv5mPrTfBqSNiELQAcPQnOwpsqEDYF2pq9L4sdNGavP5ZvPGRLkH
-+uU=
-=383D
------END PGP PUBLIC KEY BLOCK-----
diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml
index b4d80c476..dac0e6e5c 100644
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -2,4 +2,4 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
 master:
- version: 3006.0+0na.61a7bd9
+ version: 3006.0rc3
diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml
index 7bbd569c6..88a2435ca 100644
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -2,6 +2,6 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
 minion:
- version: 3006.0+0na.61a7bd9
+ version: 3006.0rc3
 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
 service_start_delay: 30 # in seconds.
diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 4a521f12c..9d280ff36 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -51,17 +51,13 @@ m2cryptopkgs:
 influxdb_key:
 x509.private_key_managed:
 - name: /etc/pki/influxdb.key
- - CN: {{ GLOBALS.hostname }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
 - prereq:
 - x509: /etc/pki/influxdb.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -72,7 +68,7 @@ influxdb_crt:
 - name: /etc/pki/influxdb.crt
 - ca_server: {{ ca_server }}
 - signing_policy: influxdb
- - public_key: /etc/pki/influxdb.key
+ - private_key: /etc/pki/influxdb.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
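Review bot: The rewritten influxdb_key state still leaves ownership and mode of the generated private key to the separate influxkeyperms state that follows it (only its header is visible here), so between key generation and that state the fresh key has whatever mode the module applies by default, and a failure in between leaves it that way. x509_v2's private_key_managed accepts file.managed attributes, so the same owner and mode that influxkeyperms applies could be declared on the key state itself, e.g. `- mode: '0640'` plus the matching `user`/`group` (values taken from influxkeyperms, not from this hunk), removing the window. The same applies to the redis_key, etc_elasticfleet_key, etc_filebeat_key, registry_key, managerssl_key, conf_filebeat_key and both /etc/pki/elasticsearch.key hunks. The unchanged `backup: True` next to `new: True` appears to keep each superseded private key in the minion's file backup cache; a comment such as `# backup: superseded keys land in the minion file_backup cache - prune if rollback is not needed` would make that retention explicit.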
@@ -101,17 +97,13 @@ influxkeyperms:
 redis_key:
 x509.private_key_managed:
 - name: /etc/pki/redis.key
- - CN: {{ GLOBALS.hostname }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
 - prereq:
 - x509: /etc/pki/redis.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -122,7 +114,7 @@ redis_crt:
 - ca_server: {{ ca_server }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - signing_policy: registry
- - public_key: /etc/pki/redis.key
+ - private_key: /etc/pki/redis.key
 - CN: {{ GLOBALS.hostname }}
 - days_remaining: 0
 - days_valid: 820
@@ -150,17 +142,13 @@ rediskeyperms:
 etc_elasticfleet_key:
 x509.private_key_managed:
 - name: /etc/pki/elasticfleet.key
- - CN: {{ COMMONNAME }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%}
 - prereq:
 - x509: etc_elasticfleet_crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -171,7 +159,7 @@ etc_elasticfleet_crt:
 - name: /etc/pki/elasticfleet.crt
 - ca_server: {{ ca_server }}
 - signing_policy: elasticfleet
- - public_key: /etc/pki/elasticfleet.key
+ - private_key: /etc/pki/elasticfleet.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -232,17 +220,13 @@ efcrtlink:
 etc_filebeat_key:
 x509.private_key_managed:
 - name: /etc/pki/filebeat.key
- - CN: {{ COMMONNAME }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
 - prereq:
 - x509: etc_filebeat_crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -253,7 +237,7 @@ etc_filebeat_crt:
 - name: /etc/pki/filebeat.crt
 - ca_server: {{ ca_server }}
 - signing_policy: filebeat
- - public_key: /etc/pki/filebeat.key
+ - private_key: /etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -313,17 +297,13 @@ fbcrtlink:
 registry_key:
 x509.private_key_managed:
 - name: /etc/pki/registry.key
- - CN: {{ GLOBALS.manager }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
 - prereq:
 - x509: /etc/pki/registry.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -335,7 +315,7 @@ registry_crt:
 - ca_server: {{ ca_server }}
 - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }}
 - signing_policy: registry
- - public_key: /etc/pki/registry.key
+ - private_key: /etc/pki/registry.key
 - CN: {{ GLOBALS.manager }}
 - days_remaining: 0
 - days_valid: 820
@@ -361,17 +341,13 @@ regkeyperms:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
 x509.private_key_managed:
- - CN: {{ COMMONNAME }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
 - prereq:
 - x509: /etc/pki/elasticsearch.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -380,7 +356,7 @@ regkeyperms:
 x509.certificate_managed:
 - ca_server: {{ ca_server }}
 - signing_policy: registry
- - public_key: /etc/pki/elasticsearch.key
+ - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -418,17 +394,13 @@ elasticp12perms:
 managerssl_key:
 x509.private_key_managed:
 - name: /etc/pki/managerssl.key
- - CN: {{ GLOBALS.manager }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
 - prereq:
 - x509: /etc/pki/managerssl.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -439,7 +411,7 @@ managerssl_crt:
 - name: /etc/pki/managerssl.crt
 - ca_server: {{ ca_server }}
 - signing_policy: managerssl
- - public_key: /etc/pki/managerssl.key
+ - private_key: /etc/pki/managerssl.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -476,17 +448,13 @@ fbcertdir:
 conf_filebeat_key:
 x509.private_key_managed:
 - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
- - CN: {{ COMMONNAME }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
 - prereq:
 - x509: conf_filebeat_crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -497,7 +465,7 @@ conf_filebeat_crt:
 - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
 - ca_server: {{ ca_server }}
 - signing_policy: filebeat
- - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+ - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
@@ -542,17 +510,13 @@ chownfilebeatp8:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
 x509.private_key_managed:
- - CN: {{ GLOBALS.manager }}
- - bits: 4096
- - days_remaining: 0
- - days_valid: 820
+ - keysize: 4096
 - backup: True
 - new: True
 {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
 - prereq:
 - x509: /etc/pki/elasticsearch.crt
 {%- endif %}
- - timeout: 30
 - retry:
 attempts: 5
 interval: 30
@@ -561,7 +525,7 @@ chownfilebeatp8:
 x509.certificate_managed:
 - ca_server: {{ ca_server }}
 - signing_policy: registry
- - public_key: /etc/pki/elasticsearch.key
+ - private_key: /etc/pki/elasticsearch.key
 - CN: {{ GLOBALS.hostname }}
 - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
 - days_remaining: 0
diff --git a/setup/files/salt_module_deps/docker/certifi-2022.12.7-py3-none-any.whl b/setup/files/salt_module_deps/docker/certifi-2022.12.7-py3-none-any.whl
new file mode 100644
index 000000000..a08305611
Binary files /dev/null and b/setup/files/salt_module_deps/docker/certifi-2022.12.7-py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/chardet-4.0.0-py2.py3-none-any.whl b/setup/files/salt_module_deps/docker/chardet-4.0.0-py2.py3-none-any.whl
new file mode 100644
index 000000000..b83344e8e
Binary files /dev/null and b/setup/files/salt_module_deps/docker/chardet-4.0.0-py2.py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl b/setup/files/salt_module_deps/docker/charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
new file mode 100644
index 000000000..7b57bc716
Binary files /dev/null and b/setup/files/salt_module_deps/docker/charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl differ
diff --git a/setup/files/salt_module_deps/docker/docker-5.0.2-py2.py3-none-any.whl b/setup/files/salt_module_deps/docker/docker-5.0.2-py2.py3-none-any.whl
new file mode 100644
index 000000000..f1ed95ee1
Binary files /dev/null and b/setup/files/salt_module_deps/docker/docker-5.0.2-py2.py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/idna-2.10-py2.py3-none-any.whl b/setup/files/salt_module_deps/docker/idna-2.10-py2.py3-none-any.whl
new file mode 100644
index 000000000..41225cb05
Binary files /dev/null and b/setup/files/salt_module_deps/docker/idna-2.10-py2.py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/requests-2.25.1-py2.py3-none-any.whl b/setup/files/salt_module_deps/docker/requests-2.25.1-py2.py3-none-any.whl
new file mode 100644
index 000000000..8d70e9716
Binary files /dev/null and b/setup/files/salt_module_deps/docker/requests-2.25.1-py2.py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/urllib3-1.26.15-py2.py3-none-any.whl b/setup/files/salt_module_deps/docker/urllib3-1.26.15-py2.py3-none-any.whl
new file mode 100644
index 000000000..ad723d5e1
Binary files /dev/null and b/setup/files/salt_module_deps/docker/urllib3-1.26.15-py2.py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/docker/websocket_client-1.5.1-py3-none-any.whl b/setup/files/salt_module_deps/docker/websocket_client-1.5.1-py3-none-any.whl
new file mode 100644
index 000000000..bd8152d2c
Binary files /dev/null and b/setup/files/salt_module_deps/docker/websocket_client-1.5.1-py3-none-any.whl differ
diff --git a/setup/files/salt_module_deps/pymysql/PyMySQL-1.0.3-py3-none-any.whl b/setup/files/salt_module_deps/pymysql/PyMySQL-1.0.3-py3-none-any.whl
new file mode 100644
index 000000000..0bbd29da0
Binary files /dev/null and b/setup/files/salt_module_deps/pymysql/PyMySQL-1.0.3-py3-none-any.whl differ
diff --git a/setup/so-functions b/setup/so-functions
index e01d9af35..9dbc95173 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -634,6 +634,8 @@ configure_minion() {
 printf '%s\n'\
 "use_superseded:"\
 " - module.run"\
+ "features:"\
+ " x509_v2: true"\
 "log_level: info"\
 "log_level_logfile: info"\
 "log_file: /opt/so/log/salt/minion" >> "$minion_config"
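Review bot: The `features:` / `x509_v2: true` lines are only emitted when configure_minion writes a new minion config (the printf appends to `$minion_config`), so minions that were set up before this change presumably keep loading the legacy x509 state unless an upgrade path rewrites their config - worth confirming, because the ssl/init.sls hunks in this same commit now use v2-only arguments (`keysize`, `private_key`) that the v1 state would reject. A comment next to the new lines would record the coupling, e.g. `# x509_v2 must be enabled on every minion: salt/ssl/init.sls and salt/ca/init.sls use the v2 state arguments`. configure_minion begins and ends outside the hunk.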
@@ -2029,8 +2031,11 @@ saltify() {
 if [[ $is_rocky ]]; then
 # THIS IS A TEMP HACK
- logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
+ #logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
+ logCmd "dnf -y install salt salt-master salt-minion"
 logCmd "mkdir -p /etc/salt/minion.d"
+ logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
+ logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/"
 #if [[ $waitforstate ]]; then
 # # Since this is a salt master so let's install it
 # logCmd ""