From 188b4424e4268a0650c00ec4a1e1b107c3b19bc9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 17 Jun 2021 21:00:56 -0400 Subject: [PATCH 01/18] Fix wrong grep file --- salt/common/tools/sbin/so-elastic-auth | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-elastic-auth b/salt/common/tools/sbin/so-elastic-auth index 663dbb9f6..6631badf2 100755 --- a/salt/common/tools/sbin/so-elastic-auth +++ b/salt/common/tools/sbin/so-elastic-auth @@ -45,7 +45,7 @@ if [[ "$authEnable" == "true" ]]; then if grep -q "argon" "$ES_USERS_FILE"; then echo "" echo "IMPORTANT: The following users will need to change their password, after logging into SOC, in order to access Kibana:" - grep argon "$ES_USERS" | cut -d ":" -f 1 + grep argon "$ES_USERS_FILE" | cut -d ":" -f 1 fi else echo "Auth is already enabled." From 1d4161ba3184ffbfeba71fb2296e0138d22dd0c2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 18 Jun 2021 08:36:36 -0400 Subject: [PATCH 02/18] Disable HaveIBeenPwned API (pwnedpasswords.com) --- salt/soc/files/kratos/kratos.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index a0a72b3ab..80340af4f 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -5,6 +5,8 @@ selfservice: methods: password: enabled: true + config: + haveibeenpwned_enabled: false flows: settings: From 101b835cf69e8e05b8374768985400320db186eb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 18 Jun 2021 14:34:42 -0400 Subject: [PATCH 03/18] Remove unused mode --- salt/soctopus/init.sls | 1 - 1 file changed, 1 deletion(-) diff --git a/salt/soctopus/init.sls b/salt/soctopus/init.sls index 1c7c92434..c2c8dc1ac 100644 --- a/salt/soctopus/init.sls +++ b/salt/soctopus/init.sls @@ -43,7 +43,6 @@ playbookrulesdir: - name: /opt/so/rules/elastalert/playbook - user: 939 - group: 939 - - mode: 660 - makedirs: True playbookrulessync: 
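Review bot: The corrected `grep argon "$ES_USERS_FILE"` (like the `grep -q "argon"` guard two lines above it) matches the substring anywhere on the line, so a username that happens to contain `argon` is reported as needing a password change even when its hash is not argon-based. Since the file holds one `user:hash` entry per line, anchoring on the hash field narrows the report to argon-hashed entries, e.g. `grep ':\$argon' "$ES_USERS_FILE" | cut -d ":" -f 1`, assuming the hashes carry the usual `$argon2…` prefix. The enclosing `if [[ "$authEnable" == "true" ]]` block starts outside the hunk.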
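Review bot: The new `haveibeenpwned_enabled: false` switches off Kratos's breached-password screening with no comment recording why, so a later maintainer cannot tell whether this was a deliberate offline/privacy decision or a workaround for an unreachable API. Add a comment above `config:` such as `# Disabled so SOC never calls the pwnedpasswords.com API (offline installs); new passwords are no longer screened against known-breach lists.` If the only motive was transient lookup failures, Kratos's `ignore_network_errors` option keeps the check while tolerating an unreachable API and may be the narrower change.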
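Review bot: Whether `mode: 660` was really unused depends on the state function behind `playbookrulesdir`, which sits above the hunk: `file.directory` honours `mode` as an alias of `dir_mode`, in which case dropping the line changes `/opt/so/rules/elastalert/playbook` from an explicit 660 to whatever the umask yields at creation. If the actual problem was that 660 has no execute bit and so blocks traversal of the directory, the clearer fix is an explicit `- dir_mode: 770` (or whatever uid 939 and its consumers need) with a comment saying who must read the rules. If the function is `file.recurse`, the removal is fine as written.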
From 48c3cb4816306d1c022995f09a8fe8622a65c2cd Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 18 Jun 2021 14:56:01 -0400 Subject: [PATCH 04/18] if the salt-minion service isnt running when the state is rendered, dont try to apply schedule - https://github.com/Security-Onion-Solutions/securityonion/issues/1333 --- salt/patch/os/schedule.sls | 2 +- salt/salt/minion-check.sls | 6 ++++-- salt/schedule.sls | 2 ++ 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/patch/os/schedule.sls b/salt/patch/os/schedule.sls index a91e61dfe..a5445f3a9 100644 --- a/salt/patch/os/schedule.sls +++ b/salt/patch/os/schedule.sls @@ -1,4 +1,4 @@ -{% if salt['pillar.get']('patch:os:schedule_name') %} +{% if salt['pillar.get']('patch:os:schedule_name') and salt['service.status']('salt-minion', True) %} {% set patch_os_pillar = salt['pillar.get']('patch:os') %} {% set schedule_name = patch_os_pillar.schedule_name %} {% set splay = patch_os_pillar.get('splay', 300) %} diff --git a/salt/salt/minion-check.sls b/salt/salt/minion-check.sls index e8a0c2639..a9d2e8d8d 100644 --- a/salt/salt/minion-check.sls +++ b/salt/salt/minion-check.sls @@ -1,6 +1,7 @@ include: - salt.minion-state-apply-test - + +{% if salt['service.status']('salt-minion', True) %} state-apply-test: schedule.present: - name: salt-minion-state-apply-test @@ -16,4 +17,5 @@ state-apply-test: cron.present: - identifier: so-salt-minion-check - user: root - - minute: '*/5' \ No newline at end of file + - minute: '*/5' +{% endif %} diff --git a/salt/schedule.sls b/salt/schedule.sls index 12e1cd081..30b5f8608 100644 --- a/salt/schedule.sls +++ b/salt/schedule.sls @@ -1,5 +1,7 @@ +{% if salt['service.status']('salt-minion', True) %} schedule: schedule.present: - function: state.highstate - minutes: 15 - maxrunning: 1 +{% endif %} From c7a58816b68a940035c69a4d5bf84dcb62c34061 Mon Sep 17 00:00:00 2001 
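Review bot: `salt['service.status']('salt-minion', True)` passes `True` as the second positional argument of `service.status`, which is `sig`, a process-signature string used to find the service via `ps`, not a boolean flag; on systemd hosts a truthy `sig` routes the call to `status.pid(sig)` instead of asking the service manager, so the guard may not evaluate the way the commit message intends (worth confirming against the Salt release in use). The same call is added in `salt/salt/minion-check.sls` and `salt/schedule.sls` in this patch; if the guard is kept, `salt['service.status']('salt-minion')` is the form that queries the service itself. All three guards are removed again in PATCH 09, so this only affects the intermediate commits.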
From: m0duspwnens Date: Fri, 18 Jun 2021 15:30:51 -0400 Subject: [PATCH 05/18] move condition to avoid wrong notic about schedule not set in pillar --- salt/patch/os/schedule.sls | 40 ++++++++++++++++++++------------------ 1 file changed, 21 insertions(+), 19 deletions(-) diff --git a/salt/patch/os/schedule.sls b/salt/patch/os/schedule.sls index a5445f3a9..4e7820de1 100644 --- a/salt/patch/os/schedule.sls +++ b/salt/patch/os/schedule.sls @@ -1,12 +1,13 @@ -{% if salt['pillar.get']('patch:os:schedule_name') and salt['service.status']('salt-minion', True) %} - {% set patch_os_pillar = salt['pillar.get']('patch:os') %} - {% set schedule_name = patch_os_pillar.schedule_name %} - {% set splay = patch_os_pillar.get('splay', 300) %} +{% if salt['pillar.get']('patch:os:schedule_name') %} + {% if salt['service.status']('salt-minion', True) %} + {% set patch_os_pillar = salt['pillar.get']('patch:os') %} + {% set schedule_name = patch_os_pillar.schedule_name %} + {% set splay = patch_os_pillar.get('splay', 300) %} - {% if schedule_name != 'manual' and schedule_name != 'auto' %} - {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %} + {% if schedule_name != 'manual' and schedule_name != 'auto' %} + {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %} - {% if patch_os_pillar.enabled %} + {% if patch_os_pillar.enabled %} patch_os_schedule: schedule.present: 
@@ -14,28 +15,28 @@ patch_os_schedule: - job_args: - patch.os - when: - {% for days in os_schedule.patch.os.schedule %} - {% for day, times in days.items() %} - {% for time in times %} + {% for days in os_schedule.patch.os.schedule %} + {% for day, times in days.items() %} + {% for time in times %} - {{day}} {{time}} + {% endfor %} {% endfor %} {% endfor %} - {% endfor %} - splay: {{splay}} - return_job: True - {% else %} + {% else %} disable_patch_os_schedule: schedule.disabled: - name: patch_os_schedule - {% endif %} + {% endif %} - {% elif schedule_name == 'auto' %} + {% elif schedule_name == 'auto' %} - {% if patch_os_pillar.enabled %} + {% if patch_os_pillar.enabled %} patch_os_schedule: schedule.present: @@ -46,22 +47,23 @@ patch_os_schedule: - splay: {{splay}} - return_job: True - {% else %} + {% else %} disable_patch_os_schedule: schedule.disabled: - name: patch_os_schedule - {% endif %} + {% endif %} - {% elif schedule_name == 'manual' %} + {% elif schedule_name == 'manual' %} remove_patch_os_schedule: schedule.absent: - name: patch_os_schedule - {% endif %} + {% endif %} + {% endif %} {% else %} no_patch_os_schedule_name_set: From 60fd3c6bd3ad42fb28536067f6efe372cf120c22 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 18 Jun 2021 20:01:32 -0400 Subject: [PATCH 06/18] Ensure htpasswd exists earlier in the install process --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 13438b1ba..ff019953e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2107,6 +2107,7 @@ saltify() { { if [[ ! $is_iso ]]; then yum -y install salt-minion-3003\ + httpd-tools\ python3\ python36-docker\ python36-dateutil\ @@ -2132,6 +2133,7 @@ saltify() { fi local pkg_arr=( + 'apache2-utils' 'ca-certificates' 'curl' 'software-properties-common' From 777bece2eb9648c47c2a57a28bc3b7c2bdce8789 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Sun, 20 Jun 2021 22:14:13 -0400 Subject: [PATCH 07/18] Fix intermittent 'like' failures; Ensure bash is on first line of load templates script --- salt/common/tools/sbin/so-elasticsearch-templates-load | 6 +++--- salt/common/tools/sbin/so-user | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-load b/salt/common/tools/sbin/so-elasticsearch-templates-load index 30ab66b48..fbb9e4e3a 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-load +++ b/salt/common/tools/sbin/so-elasticsearch-templates-load @@ -1,6 +1,3 @@ -{%- set mainint = salt['pillar.get']('host:mainint') %} -{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} - #!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC # @@ -17,6 +14,9 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{%- set mainint = salt['pillar.get']('host:mainint') %} +{%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} + default_conf_dir=/opt/so/conf ELASTICSEARCH_HOST="{{ MYIP }}" ELASTICSEARCH_PORT=9200 diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 0f44a3227..fe0118438 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -201,7 +201,7 @@ function syncElastic() { # Generate the new users file echo "select '{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'" \ "from identity_credential_identifiers ici, identity_credentials ic " \ - "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \ "order by ici.identifier;" | \ sqlite3 "$databasePath" | \ jq -r '.user + ":" + .data.hashed_password' \ 
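Review bot: `#!/bin/bash` is still not the first line of `salt/common/tools/sbin/so-filebeat-module-setup`, which has the same `{%- set … %}`-before-shebang layout that this hunk fixes for so-elasticsearch-templates-load (its hunk context in PATCH 08 shows `{%- set MYIP … %}` immediately ahead of `#!/bin/bash`). Jinja's `{%-` strips whitespace only before the tag, so the rendered script most likely begins with a blank line and the kernel never sees the interpreter line; moving the two `{%- set` lines below the licence header there, as done here, resolves it.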
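Review bot: The query still assembles the JSON record by string concatenation, `'{\"user\":\"' || ici.identifier || '\", \"data\":' || ic.config || '}'`, so an identifier containing `"` or `\` yields invalid JSON and the `jq` on the last line fails for the whole users file rather than for that one entry; the `like`-to-`instr` change does not touch this. If the sqlite3 build in use includes JSON1, `json_object('user', ici.identifier, 'data', json(ic.config))` produces correctly escaped output; otherwise identifiers should be validated before they reach this query. `syncElastic()` starts outside the hunk.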
@@ -212,7 +212,7 @@ function syncElastic() { echo "select 'superuser:' || ici.identifier " \ "from identity_credential_identifiers ici, identity_credentials ic " \ - "where ici.identity_credential_id=ic.id and ic.config like '%hashed_password%' " \ + "where ici.identity_credential_id=ic.id and instr(ic.config, 'hashed_password') " \ "order by ici.identifier;" | \ sqlite3 "$databasePath" \ >> "$rolesTmpFile" From 5298cb8cfb2fb3c87e4ac30e4e4f77adee1e032f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 21 Jun 2021 07:06:49 -0400 Subject: [PATCH 08/18] Update copyrights --- salt/common/tools/sbin/so-elasticsearch-templates-load | 2 +- salt/common/tools/sbin/so-filebeat-module-setup | 2 +- salt/elasticsearch/files/scripts/so-catrust | 2 +- salt/elasticsearch/files/so-elasticsearch-pipelines | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-elasticsearch-templates-load b/salt/common/tools/sbin/so-elasticsearch-templates-load index fbb9e4e3a..c416a3ce2 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates-load +++ b/salt/common/tools/sbin/so-elasticsearch-templates-load @@ -1,5 +1,5 @@ #!/bin/bash -# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/salt/common/tools/sbin/so-filebeat-module-setup b/salt/common/tools/sbin/so-filebeat-module-setup index 4f9811ca7..ef35a9b17 100755 --- a/salt/common/tools/sbin/so-filebeat-module-setup +++ b/salt/common/tools/sbin/so-filebeat-module-setup 
@@ -2,7 +2,7 @@ {%- set MYIP = salt['grains.get']('ip_interfaces:' ~ mainint)[0] %} #!/bin/bash -# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/salt/elasticsearch/files/scripts/so-catrust b/salt/elasticsearch/files/scripts/so-catrust index d49a29ce4..c157d9691 100644 --- a/salt/elasticsearch/files/scripts/so-catrust +++ b/salt/elasticsearch/files/scripts/so-catrust @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by diff --git a/salt/elasticsearch/files/so-elasticsearch-pipelines b/salt/elasticsearch/files/so-elasticsearch-pipelines index 5d103963e..c1ff88397 100755 --- a/salt/elasticsearch/files/so-elasticsearch-pipelines +++ b/salt/elasticsearch/files/so-elasticsearch-pipelines @@ -1,6 +1,6 @@ #!/bin/bash # -# Copyright 2014,2015,2016,2017,2018,2019 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by From ba5b5db2c4e8bb10b60cf8f08a4b54a3262edb93 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 21 Jun 2021 08:56:24 -0400 Subject: [PATCH 09/18] remove the salt-minion check for schedules --- salt/patch/os/schedule.sls | 2 -- salt/salt/minion-check.sls | 2 -- salt/schedule.sls | 2 -- 3 files changed, 6 deletions(-) diff --git a/salt/patch/os/schedule.sls b/salt/patch/os/schedule.sls index 4e7820de1..4ad9a454e 100644 
--- a/salt/patch/os/schedule.sls +++ b/salt/patch/os/schedule.sls @@ -1,5 +1,4 @@ {% if salt['pillar.get']('patch:os:schedule_name') %} - {% if salt['service.status']('salt-minion', True) %} {% set patch_os_pillar = salt['pillar.get']('patch:os') %} {% set schedule_name = patch_os_pillar.schedule_name %} {% set splay = patch_os_pillar.get('splay', 300) %} @@ -63,7 +62,6 @@ remove_patch_os_schedule: {% endif %} - {% endif %} {% else %} no_patch_os_schedule_name_set: diff --git a/salt/salt/minion-check.sls b/salt/salt/minion-check.sls index a9d2e8d8d..66ab732e2 100644 --- a/salt/salt/minion-check.sls +++ b/salt/salt/minion-check.sls @@ -1,7 +1,6 @@ include: - salt.minion-state-apply-test -{% if salt['service.status']('salt-minion', True) %} state-apply-test: schedule.present: - name: salt-minion-state-apply-test @@ -18,4 +17,3 @@ state-apply-test: - identifier: so-salt-minion-check - user: root - minute: '*/5' -{% endif %} diff --git a/salt/schedule.sls b/salt/schedule.sls index 30b5f8608..12e1cd081 100644 --- a/salt/schedule.sls +++ b/salt/schedule.sls @@ -1,7 +1,5 @@ -{% if salt['service.status']('salt-minion', True) %} schedule: schedule.present: - function: state.highstate - minutes: 15 - maxrunning: 1 -{% endif %} From 591ef540a6dfcc175285f747c34466980feb2742 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 21 Jun 2021 10:50:09 -0400 Subject: [PATCH 10/18] esalerter ES creds fix --- salt/elastalert/files/modules/so/playbook-es.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index 5b1835bac..bae967001 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py 
@@ -12,7 +12,7 @@ class PlaybookESAlerter(Alerter): Use matched data to create alerts in elasticsearch """ - required_options = set(['play_title','play_url','sigma_level','elasticsearch_host']) + required_options = set(['play_title','play_url','sigma_level']) def alert(self, matches): for match in matches: @@ -21,11 +21,11 @@ class PlaybookESAlerter(Alerter): headers = {"Content-Type": "application/json"} creds = None - if 'elasticsearch_user' in self.rule and 'elasticsearch_pass' in self.rule: - creds = (self.rule['elasticsearch_user'], self.rule['elasticsearch_pass']) + if 'es_username' in self.rule and 'es_password' in self.rule: + creds = (self.rule['es_username'], self.rule['es_password']) payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp} - url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/" + url = f"https://{self.rule['es_host']}:{self.rule['es_port']}/so-playbook-alerts-{today}/_doc/" requests.post(url, data=json.dumps(payload), headers=headers, verify=False, auth=creds) def get_info(self): From 5e042bf4b8e4d19e2127a2f800638b78d0039770 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 21 Jun 2021 12:16:47 -0400 Subject: [PATCH 11/18] Improve algorithm for determining if a user sync is necessary; Apply salt state in foreground to avoid collisions with setup salt states. --- salt/common/tools/sbin/so-user | 9 +++++---- salt/soc/init.sls | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) 
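Review bot: `required_options` drops `elasticsearch_host` but does not add `es_host` and `es_port`, which the second hunk reads unconditionally when building the URL, so a rule missing either now fails with a `KeyError` inside `alert()` at alert time instead of being rejected when the rule is loaded. Change it to `required_options = set(['play_title','play_url','sigma_level','es_host','es_port'])`. Class `PlaybookESAlerter` starts outside the hunk.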
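Review bot: The new `creds = (self.rule['es_username'], self.rule['es_password'])` is sent as HTTP basic auth on a request that still runs with `verify=False` (the unchanged `requests.post` line right after the URL change), so the Elasticsearch credentials go to whatever answers at `es_host`:`es_port` with no certificate validation, and each alert also triggers an InsecureRequestWarning. Pass the deployment's CA bundle path via `verify=` instead of `False`; if the rule already carries a CA path option, read it here. `alert()` starts outside the hunk.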
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index fe0118438..9c2e1be50 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -226,9 +226,9 @@ function syncElastic() { mv "${rolesTmpFile}" "${elasticRolesFile}" if [[ -z "$SKIP_STATE_APPLY" ]]; then - echo "Elastic state will be re-applied to affected minions in the background." + echo "Elastic state will be re-applied to affected minions. This may take several minutes..." echo "Applying elastic state to elastic minions at $(date)" >> /opt/so/log/soc/sync.log 2>&1 - salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 & + salt -C 'G@role:so-standalone or G@role:so-eval or G@role:so-import or G@role:so-manager or G@role:so-managersearch or G@role:so-node or G@role:so-heavynode' state.apply elasticsearch queue=True >> /opt/so/log/soc/sync.log 2>&1 fi else echo "Newly generated users/roles files are incomplete; aborting." @@ -236,8 +236,9 @@ function syncElastic() { } function syncAll() { - if [[ -n "$STALE_MIN" && -f "$databasePath" ]]; then - staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${STALE_MIN} minutes');" \ + if [[ -f "$databasePath" && -f "$elasticUsersFile" ]]; then + usersFileAgeSecs=$((echo $(date +%s) - $(date +%s -r "$elasticUsersFile"))) + staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \ | sqlite3 "$databasePath") if [[ "$staleCount" == "0" ]]; then return 1 diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 01b57c8ce..8e1943cb8 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls 
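Review bot: Overlapping runs of `so-user sync` become likely once the `state.apply elasticsearch` on the changed line runs in the foreground: the message says it can take several minutes, while the `sosyncusers` cron in `salt/soc/init.sls` (this patch's other file) sets only `user` and `name`, so `cron.present` schedules it every minute. Unless so-user takes a lock somewhere outside the hunk, two runs can regenerate `$rolesTmpFile` and `mv` over the users and roles files concurrently. Serialising the cron command, e.g. `flock -n <lockfile> /usr/sbin/so-user sync` with a lockfile path of your choosing, prevents that. `syncElastic()` starts outside the hunk.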
@@ -65,7 +65,7 @@ soccustom: sosyncusers: cron.present: - user: root - - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin STALE_MIN=1 /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' + - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' so-soc: docker_container.running: From f36ef86ccc95eeada67270770ce496f6ae556aa7 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 21 Jun 2021 12:38:02 -0400 Subject: [PATCH 12/18] Improve algorithm for determining if a user sync is necessary; Apply salt state in foreground to avoid collisions with setup salt states. --- salt/common/tools/sbin/so-user | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 9c2e1be50..62ba737b1 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -236,12 +236,12 @@ function syncElastic() { } function syncAll() { - if [[ -f "$databasePath" && -f "$elasticUsersFile" ]]; then - usersFileAgeSecs=$((echo $(date +%s) - $(date +%s -r "$elasticUsersFile"))) + if [[ -z "$FORCE_SYNC" && -f "$databasePath" && -f "$elasticUsersFile" ]]; then + usersFileAgeSecs=$(echo $(($(date +%s) - $(date +%s -r "$elasticUsersFile")))) staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \ | sqlite3 "$databasePath") if [[ "$staleCount" == "0" ]]; then - return 1 + fail "Users are already in sync. Run 'FORCE_SYNC=1 $0 sync' to force a full sync anyway." fi fi syncElastic From c9ee28ce0139a12124dff31bad8fb0e1888f85ea Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 21 Jun 2021 14:47:24 -0400 Subject: [PATCH 13/18] adding elasticsearch.auth to heavynode and searchnode --- pillar/top.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pillar/top.sls b/pillar/top.sls index ff4cb5787..cb170c0af 100644 
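Review bot: The staleness window is anchored on the mtime of `$elasticUsersFile`, which is presumably written at the end of `syncElastic` after the database has already been queried, so a credential updated between that query and the final write has an `updated_at` older than the file and is skipped by every later run until some other credential changes. Capturing the reference time before the query (for example `touch` a marker file at the start of `syncElastic` and compare against that file's mtime here) closes the gap. Separately, the `$(echo $((…)))` wrapper is redundant; `usersFileAgeSecs=$(( $(date +%s) - $(date +%s -r "$elasticUsersFile") ))` is the plain form.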
--- a/pillar/top.sls +++ b/pillar/top.sls @@ -68,6 +68,7 @@ base: '*_heavynode': - zeeklogs + - elasticsearch.auth - global - minions.{{ grains.id }} @@ -89,6 +90,7 @@ base: - logstash - logstash.search - elasticsearch.search + - elasticsearch.auth - global - minions.{{ grains.id }} - data.nodestab From e4e3b199fc97a0ea11aa02e6caf616e1ee8dd93d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 22 Jun 2021 08:05:08 -0400 Subject: [PATCH 14/18] retry on so-dockerregistry --- salt/registry/init.sls | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/registry/init.sls b/salt/registry/init.sls index 1cec55fd2..b59465fb7 100644 --- a/salt/registry/init.sls +++ b/salt/registry/init.sls @@ -43,6 +43,10 @@ so-dockerregistry: - /nsm/docker-registry/docker:/var/lib/registry/docker:rw - /etc/pki/registry.crt:/etc/pki/registry.crt:ro - /etc/pki/registry.key:/etc/pki/registry.key:ro + - timeout: 180 + - retry: + attempts: 5 + interval: 30 append_so-dockerregistry_so-status.conf: file.append: @@ -55,4 +59,4 @@ append_so-dockerregistry_so-status.conf: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From dcc9af946ad09b6c583ac8c929e68cd46d0beee2 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 21 Jun 2021 21:52:02 -0400 Subject: [PATCH 15/18] Avoid logging when sync is unnecessary due to cronjob log output spam --- salt/common/tools/sbin/so-user | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 62ba737b1..f0c064d03 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user 
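Review bot: The `elasticsearch.auth` pillar is now delivered to every minion matching `*_heavynode` and the search-node target, which widens the set of hosts holding whatever it contains; its content is not on the page, but the name suggests Elasticsearch credentials, and remote heavy nodes would then carry them too. Worth confirming that those roles actually need the credentials rather than only the manager-side sync, and that minion-side pillar caching is not enabled on those nodes so the values are not persisted to disk. A short comment next to the new entries stating which component on the node consumes the pillar would make the intent auditable.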
@@ -241,7 +241,7 @@ function syncAll() { staleCount=$(echo "select count(*) from identity_credentials where updated_at >= Datetime('now', '-${usersFileAgeSecs} seconds');" \ | sqlite3 "$databasePath") if [[ "$staleCount" == "0" ]]; then - fail "Users are already in sync. Run 'FORCE_SYNC=1 $0 sync' to force a full sync anyway." + return 1 fi fi syncElastic From 8ddc99e91f7f5f53e3147865ecff0a733c032e94 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 22 Jun 2021 08:07:41 -0400 Subject: [PATCH 16/18] Allow for adjusting SOC session timeout --- salt/soc/files/kratos/kratos.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/soc/files/kratos/kratos.yaml b/salt/soc/files/kratos/kratos.yaml index 80340af4f..b1174af58 100644 --- a/salt/soc/files/kratos/kratos.yaml +++ b/salt/soc/files/kratos/kratos.yaml @@ -1,5 +1,9 @@ {%- set WEBACCESS = salt['pillar.get']('global:url_base', '') -%} {%- set KRATOSKEY = salt['pillar.get']('kratos:kratoskey', '') -%} +{%- set SESSIONTIMEOUT = salt['pillar.get']('kratos:sessiontimeout', '24h') -%} + +session: + lifespan: {{ SESSIONTIMEOUT }} selfservice: methods: From bc8659041166185d55f958fa808e63f1addf508b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 22 Jun 2021 08:23:16 -0400 Subject: [PATCH 17/18] only add sosyncuser cron if startup_states: highstate is set in minion config --- salt/soc/init.sls | 3 +++ 1 file changed, 3 insertions(+) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 8e1943cb8..51751e9a6 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls 
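Review bot: `lifespan: {{ SESSIONTIMEOUT }}` renders the pillar value as a plain scalar, so a value such as `3600` reaches Kratos as a YAML integer rather than the duration string it expects, and a malformed value stops Kratos from starting at all. Quote it, `lifespan: "{{ SESSIONTIMEOUT }}"`, and document the expected format on the lookup line, e.g. `{# kratos:sessiontimeout is a Go duration string such as 24h or 30m #}`. A note that a longer lifespan extends how long a stolen SOC session cookie remains usable would help whoever tunes this value.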
@@ -62,10 +62,13 @@ soccustom: - mode: 600 - template: jinja +# we dont want this added to early in setup, so we add the onlyif to verify 'startup_states: highstate' +# is in the minion config. that is added before the final highstate during setup sosyncusers: cron.present: - user: root - name: 'PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin /usr/sbin/so-user sync &>> /opt/so/log/soc/sync.log' + - onlyif: "grep 'startup_states: highstate' /etc/salt/minion" so-soc: docker_container.running: From c3deabae36fe509ee306d0a45ba8bf219a48b0ec Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 22 Jun 2021 08:30:54 -0400 Subject: [PATCH 18/18] Update init.sls --- salt/soc/init.sls | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/init.sls b/salt/soc/init.sls index 51751e9a6..b8cdb09ba 100644 --- a/salt/soc/init.sls +++ b/salt/soc/init.sls @@ -62,8 +62,8 @@ soccustom: - mode: 600 - template: jinja -# we dont want this added to early in setup, so we add the onlyif to verify 'startup_states: highstate' -# is in the minion config. that is added before the final highstate during setup +# we dont want this added too early in setup, so we add the onlyif to verify 'startup_states: highstate' +# is in the minion config. That line is added before the final highstate during setup sosyncusers: cron.present: - user: root
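Review bot: The new `onlyif: "grep 'startup_states: highstate' /etc/salt/minion"` also matches a commented-out `#startup_states: highstate` line, prints the match into the state output, and only looks at the main file, ignoring drop-ins under `/etc/salt/minion.d/` where the option may equally be placed. Anchoring and silencing the check, `- onlyif: "grep -q '^startup_states: highstate' /etc/salt/minion"`, fixes the first two; if setup writes the option to a drop-in, include that path in the grep as well.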