Merge pull request #10091 from Security-Onion-Solutions/salt3006rc3

Salt3006rc3
2025-12-06 09:12:45 +01:00 · 2023-04-05 16:42:36 -04:00
parent 1faceddc40 ff7aaa95e1
commit 6aba7b6bcf
17 changed files with 30 additions and 91 deletions
--- a/salt/ca/init.sls
+++ b/salt/ca/init.sls
@@ -18,7 +18,7 @@ include:
 pki_private_key:
  x509.private_key_managed:
    - name: /etc/pki/ca.key
-    - bits: 4096
+    - keysize: 4096
    - passphrase:
    - cipher: aes_256_cbc
    - backup: True
@@ -39,7 +39,7 @@ pki_public_ca_crt:
    - keyUsage: "critical cRLSign, keyCertSign"
    - extendedkeyUsage: "serverAuth, clientAuth"
    - subjectKeyIdentifier: hash
-    - authorityKeyIdentifier: keyid,issuer:always
+    - authorityKeyIdentifier: keyid:always, issuer
    - days_valid: 3650
    - days_remaining: 0
    - backup: True
--- a/salt/common/packages.sls
+++ b/salt/common/packages.sls
@@ -52,5 +52,6 @@ commonpkgs:
      - rsync
      - python3-rich
      - python3-watchdog
      - python3-packaging
      - unzip
 {% endif %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -205,7 +205,7 @@ gpg_rpm_import() {
 	        local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/rocky/keys"
 	    fi
-	    RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALTSTACK-GPG-KEY2.pub' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
+	    RPMKEYS=('RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub')
 	    for RPMKEY in "${RPMKEYS[@]}"; do
    	        rpm --import $RPMKEYSLOC/$RPMKEY
--- a/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub
+++ b/salt/repo/client/files/rocky/keys/SALTSTACK-GPG-KEY2.pub
@@ -1,31 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQENBGLXV/8BCADCuomk2pibSOuLQeKMIwV3Afy60080hykdc4tU4qQS+zBJZZC0
 VBl2TAOmMWyeY5DRF2ibRTx6Ap8qYefuEjWlo2WHWWZH4WhNkJWL3aWiu8Ga+fFo
 ebjoUFLGgpKDGKveO9PF8A41IP1CLvDicpWXTxfqzQKDOvg3g5EmCx+5ksviXHJ1
 lY5CBbhVPmU3ruzGBqN/6B90VyTicbIyIZKZdnElAqaW6OiEaOmj2Oadi3ARJLWA
 8rpVPweZE0/S4B5UIuMh+JVJU3Os1BUXHKN3LAPENZa1NNYX3j53GxGMf+SAKe0g
 QHe+fHiiB7a6iBl09W8cUJh8HINXW+vvU6mZABEBAAG0MlNhbHRTdGFjayBQYWNr
 YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQFSBBMBCAA8FiEE
 9+rekz4krjI0B2hWN6cQR50w17YFAmLXV/8CGwMFCwkIBwIDIgIBBhUKCQgLAgQW
 AgMBAh4HAheAAAoJEDenEEedMNe2d0MH/36khQzCWMc5ezznO7bcOHOS3OWjQveF
 Vv60y54QRnINCEa7w7ckjiap3dUSJxTo5eoAKNbgX5SgrshEY1HDXDoqgumHJLFW
 J+L4f3CXFBhvObUOwB7ApUNHURcoNQYK7kS/vUJrQ3dFyT7uvgysGtv+/WpboY1s
 ScJnVtWyQmLe7qj5pJ0aI5pPjFnP9869zPScNb6o6lbqGp/xhnL5NkZCF0DNgItw
 HXyNsRPyc8JG+P+GP80XWZ37ajEdwkiPbtu3CD5pvBO1w5FPLBwuH5CSgQFEcA4V
 QH8ThU0P1IhKe3xPRNgawcBTAHXqOD0OxilAIsQdfrKkRiTEcZtFZW25AQ0EYtdX
 /wEIANFBzJfSks4ti/JQkECtEAwH7OtqUxu1QhSSRusGsQu/PpjBRZzlaVlKjS4c
 fGTiZ8+25RX063vBQ+XpuTN9T9boEE4EywM11FCx1zRZIc+HlLOIJ10uKWUapmPM
 +7flnQWXMgJzP47rHe0ofEHlP4/av5C1imgWEtEpYyn1B4qgSxvLFDq46rD5m+DP
 2xNZbwWd0uSAG/wZNonVkISYymB0UTnUm8FABH1Ci7lXO9JnuW+IvVt32C5VibGy
 FXdAJGmIiqsvBhJSUl+GJhO6NTXntuevqPLUXD9PuHWo4Vo1Afek8kqZByyiyrTZ
 StDhrbo/8dSAVQMibLEfNS7R0QkAEQEAAYkBNgQYAQgAIBYhBPfq3pM+JK4yNAdo
 VjenEEedMNe2BQJi11f/AhsMAAoJEDenEEedMNe2zhgH/0wxbQpaCho0BRbUbe6L
 jm9r3yTWn6M+yYv+cBeH9sbobIVOqTvZcawzTEPWa+eVbKgkqhZjUTyfFDpjq9s6
 67zLZnCh85hLoyieSQBER59dc1pmqZJP3VrAIT1lGKMIdjZoN8JAF8IbmJHE1j65
 iZZdhbxfFHnDx22gQ+3nfniTNTWsfVAQeoAjeOuakPKdfUEMsXPBhtBBuFY4NcrT
 TIsBevT4J/STCLkEqlMtYC8ldxUCZqQXdtxqltC4k+y0kp4PmNc3/Vmp65oAeuxI
 d8TNwgZdamdinv5mPrTfBqSNiELQAcPQnOwpsqEDYF2pq9L4sdNGavP5ZvPGRLkH
 +uU=
 =383D
 -----END PGP PUBLIC KEY BLOCK-----
--- a/salt/salt/master.defaults.yaml
+++ b/salt/salt/master.defaults.yaml
@@ -2,4 +2,4 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
  master:
-    version: 3006.0+0na.61a7bd9
+    version: 3006.0rc3
--- a/salt/salt/minion.defaults.yaml
+++ b/salt/salt/minion.defaults.yaml
@@ -2,6 +2,6 @@
 # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions
 salt:
  minion:
-    version: 3006.0+0na.61a7bd9
+    version: 3006.0rc3
    check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default
    service_start_delay: 30 # in seconds.
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -51,17 +51,13 @@ m2cryptopkgs:
 influxdb_key:
  x509.private_key_managed:
    - name: /etc/pki/influxdb.key
-    - CN: {{ GLOBALS.hostname }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/influxdb.key') -%}
    - prereq:
      - x509: /etc/pki/influxdb.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -72,7 +68,7 @@ influxdb_crt:
    - name: /etc/pki/influxdb.crt
    - ca_server: {{ ca_server }}
    - signing_policy: influxdb
-    - public_key: /etc/pki/influxdb.key
+    - private_key: /etc/pki/influxdb.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }} 
    - days_remaining: 0
@@ -101,17 +97,13 @@ influxkeyperms:
 redis_key:
  x509.private_key_managed:
    - name: /etc/pki/redis.key
-    - CN: {{ GLOBALS.hostname }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/redis.key') -%}
    - prereq:
      - x509: /etc/pki/redis.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -122,7 +114,7 @@ redis_crt:
    - ca_server: {{ ca_server }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - signing_policy: registry
-    - public_key: /etc/pki/redis.key
+    - private_key: /etc/pki/redis.key
    - CN: {{ GLOBALS.hostname }}
    - days_remaining: 0
    - days_valid: 820
@@ -150,17 +142,13 @@ rediskeyperms:
 etc_elasticfleet_key:
  x509.private_key_managed:
    - name: /etc/pki/elasticfleet.key
-    - CN: {{ COMMONNAME }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/elasticfleet.key') -%}
    - prereq:
      - x509: etc_elasticfleet_crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -171,7 +159,7 @@ etc_elasticfleet_crt:
    - name: /etc/pki/elasticfleet.crt
    - ca_server: {{ ca_server }}
    - signing_policy: elasticfleet
-    - public_key: /etc/pki/elasticfleet.key
+    - private_key: /etc/pki/elasticfleet.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
@@ -232,17 +220,13 @@ efcrtlink:
 etc_filebeat_key:
  x509.private_key_managed:
    - name: /etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/filebeat.key') -%}
    - prereq:
      - x509: etc_filebeat_crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -253,7 +237,7 @@ etc_filebeat_crt:
    - name: /etc/pki/filebeat.crt
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
-    - public_key: /etc/pki/filebeat.key
+    - private_key: /etc/pki/filebeat.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
@@ -313,17 +297,13 @@ fbcrtlink:
 registry_key:
  x509.private_key_managed:
    - name: /etc/pki/registry.key
-    - CN: {{ GLOBALS.manager }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/registry.key') -%}
    - prereq:
      - x509: /etc/pki/registry.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -335,7 +315,7 @@ registry_crt:
    - ca_server: {{ ca_server }}
    - subjectAltName: DNS:{{ GLOBALS.manager }}, IP:{{ GLOBALS.manager_ip }} 
    - signing_policy: registry
-    - public_key: /etc/pki/registry.key
+    - private_key: /etc/pki/registry.key
    - CN: {{ GLOBALS.manager }}
    - days_remaining: 0
    - days_valid: 820
@@ -361,17 +341,13 @@ regkeyperms:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
  x509.private_key_managed:
-    - CN: {{ COMMONNAME }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
    - prereq:
      - x509: /etc/pki/elasticsearch.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -380,7 +356,7 @@ regkeyperms:
  x509.certificate_managed:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
-    - public_key: /etc/pki/elasticsearch.key
+    - private_key: /etc/pki/elasticsearch.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
@@ -418,17 +394,13 @@ elasticp12perms:
 managerssl_key:
  x509.private_key_managed:
    - name: /etc/pki/managerssl.key
-    - CN: {{ GLOBALS.manager }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/managerssl.key') -%}
    - prereq:
      - x509: /etc/pki/managerssl.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -439,7 +411,7 @@ managerssl_crt:
    - name: /etc/pki/managerssl.crt
    - ca_server: {{ ca_server }}
    - signing_policy: managerssl
-    - public_key: /etc/pki/managerssl.key
+    - private_key: /etc/pki/managerssl.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
@@ -476,17 +448,13 @@ fbcertdir:
 conf_filebeat_key:
  x509.private_key_managed:
    - name: /opt/so/conf/filebeat/etc/pki/filebeat.key
-    - CN: {{ COMMONNAME }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
    - prereq:
      - x509: conf_filebeat_crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -497,7 +465,7 @@ conf_filebeat_crt:
    - name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
    - ca_server: {{ ca_server }}
    - signing_policy: filebeat
-    - public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
+    - private_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
@@ -542,17 +510,13 @@ chownfilebeatp8:
 # Create a cert for elasticsearch
 /etc/pki/elasticsearch.key:
  x509.private_key_managed:
-    - CN: {{ GLOBALS.manager }}
+    - keysize: 4096
    - bits: 4096
    - days_remaining: 0
    - days_valid: 820
    - backup: True
    - new: True
    {% if salt['file.file_exists']('/etc/pki/elasticsearch.key') -%}
    - prereq:
      - x509: /etc/pki/elasticsearch.crt
    {%- endif %}
    - timeout: 30
    - retry:
        attempts: 5
        interval: 30
@@ -561,7 +525,7 @@ chownfilebeatp8:
  x509.certificate_managed:
    - ca_server: {{ ca_server }}
    - signing_policy: registry
-    - public_key: /etc/pki/elasticsearch.key
+    - private_key: /etc/pki/elasticsearch.key
    - CN: {{ GLOBALS.hostname }}
    - subjectAltName: DNS:{{ GLOBALS.hostname }}, IP:{{ GLOBALS.node_ip }}
    - days_remaining: 0
--- a/setup/files/salt_module_deps/docker/certifi-2022.12.7-py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/certifi-2022.12.7-py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/chardet-4.0.0-py2.py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/chardet-4.0.0-py2.py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
+++ b/setup/files/salt_module_deps/docker/charset_normalizer-3.1.0-cp310-cp310-manylinux_2_17_x86_64.manylinux2014_x86_64.whl
--- a/setup/files/salt_module_deps/docker/docker-5.0.2-py2.py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/docker-5.0.2-py2.py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/idna-2.10-py2.py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/idna-2.10-py2.py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/requests-2.25.1-py2.py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/requests-2.25.1-py2.py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/urllib3-1.26.15-py2.py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/urllib3-1.26.15-py2.py3-none-any.whl
--- a/setup/files/salt_module_deps/docker/websocket_client-1.5.1-py3-none-any.whl
+++ b/setup/files/salt_module_deps/docker/websocket_client-1.5.1-py3-none-any.whl
--- a/setup/files/salt_module_deps/pymysql/PyMySQL-1.0.3-py3-none-any.whl
+++ b/setup/files/salt_module_deps/pymysql/PyMySQL-1.0.3-py3-none-any.whl
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -634,6 +634,8 @@ configure_minion() {
 	printf '%s\n'\
 		"use_superseded:"\
 		"  - module.run"\
 		"features:"\
 		"  x509_v2: true"\
 		"log_level: info"\
 		"log_level_logfile: info"\
 		"log_file: /opt/so/log/salt/minion" >> "$minion_config"
@@ -2029,8 +2031,11 @@ saltify() {
 	if [[ $is_rocky ]]; then
 		# THIS IS A TEMP HACK
-		logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
+		#logCmd "dnf -y install securityonion-salt python3-audit python3-libsemanage python3-policycoreutils python3-setools python3-setuptools python3-chardet python3-idna python3-pysocks python3-requests python3-urllib3 python3-websocket-client python3-docker"
 		logCmd "dnf -y install salt salt-master salt-minion"
 		logCmd "mkdir -p /etc/salt/minion.d"
        logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
        logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/"
 		#if [[ $waitforstate ]]; then 
 		#	# Since this is a salt master so let's install it
 		#	logCmd ""