CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-22 02:08:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15620 from Security-Onion-Solutions/mreeves/remove-non-oracle9-salt

Browse Source 
Remove non-Oracle Linux 9 support from salt states
This commit is contained in:
Josh Patterson
2026-03-16 17:10:24 -04:00
committed by GitHub
parent 6feb06e623 afc14ec29d
commit 744d8fdd5e
16 changed files with 46 additions and 212 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/_modules/needs_restarting.py
+5 -15
View File
@@ -1,24 +1,14 @@
from os import path
import subprocess import subprocess
def check(): def check():
osfam = __grains__['os_family']
retval = 'False' retval = 'False'
if osfam == 'Debian': cmd = 'needs-restarting -r > /dev/null 2>&1'
if path.exists('/var/run/reboot-required'):
retval = 'True'
elif osfam == 'RedHat': try:
cmd = 'needs-restarting -r > /dev/null 2>&1' needs_restarting = subprocess.check_call(cmd, shell=True)
except subprocess.CalledProcessError:
try: retval = 'True'
needs_restarting = subprocess.check_call(cmd, shell=True)
except subprocess.CalledProcessError:
retval = 'True'
else:
retval = 'Unsupported OS: %s' % os
return retval return retval
salt/ca/trustca.sls
-8
View File
@@ -3,8 +3,6 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
include: include:
- docker - docker
@@ -18,9 +16,3 @@ trusttheca:
- show_changes: False - show_changes: False
- makedirs: True - makedirs: True
{% if GLOBALS.os_family == 'Debian' %}
symlinkca:
file.symlink:
- target: /etc/pki/tls/certs/intca.crt
- name: /etc/ssl/certs/intca.crt
{% endif %}
salt/common/packages.sls
-49
View File
@@ -1,52 +1,5 @@
# we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init # we cannot import GLOBALS from vars/globals.map.jinja in this state since it is called in setup.virt.init
# since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined # since it is early in setup of a new VM, the pillars imported in GLOBALS are not yet defined
{% if grains.os_family == 'Debian' %}
commonpkgs:
pkg.installed:
- skip_suggestions: True
- pkgs:
- apache2-utils
- wget
- ntpdate
- jq
- curl
- ca-certificates
- software-properties-common
- apt-transport-https
- openssl
- netcat-openbsd
- sqlite3
- libssl-dev
- procps
- python3-dateutil
- python3-docker
- python3-packaging
- python3-lxml
- git
- rsync
- vim
- tar
- unzip
- bc
{% if grains.oscodename != 'focal' %}
- python3-rich
{% endif %}
{% if grains.oscodename == 'focal' %}
# since Ubuntu requires and internet connection we can use pip to install modules
python3-pip:
pkg.installed
python-rich:
pip.installed:
- name: rich
- target: /usr/local/lib/python3.8/dist-packages/
- require:
- pkg: python3-pip
{% endif %}
{% endif %}
{% if grains.os_family == 'RedHat' %}
remove_mariadb: remove_mariadb:
pkg.removed: pkg.removed:
@@ -84,5 +37,3 @@ commonpkgs:
- unzip - unzip
- wget - wget
- yum-utils - yum-utils
{% endif %}
salt/docker/init.sls
-34
View File
@@ -15,39 +15,6 @@ dockergroup:
- name: docker - name: docker
- gid: 920 - gid: 920
{% if GLOBALS.os_family == 'Debian' %}
{% if grains.oscodename == 'bookworm' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~debian.12~bookworm
- docker-ce: 5:29.2.1-1~debian.12~bookworm
- docker-ce-cli: 5:29.2.1-1~debian.12~bookworm
- docker-ce-rootless-extras: 5:29.2.1-1~debian.12~bookworm
- hold: True
- update_holds: True
{% elif grains.oscodename == 'jammy' %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 2.2.1-1~ubuntu.22.04~jammy
- docker-ce: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-cli: 5:29.2.1-1~ubuntu.22.04~jammy
- docker-ce-rootless-extras: 5:29.2.1-1~ubuntu.22.04~jammy
- hold: True
- update_holds: True
{% else %}
dockerheldpackages:
pkg.installed:
- pkgs:
- containerd.io: 1.7.21-1
- docker-ce: 5:27.2.0-1~ubuntu.20.04~focal
- docker-ce-cli: 5:27.2.0-1~ubuntu.20.04~focal
- docker-ce-rootless-extras: 5:27.2.0-1~ubuntu.20.04~focal
- hold: True
- update_holds: True
{% endif %}
{% else %}
dockerheldpackages: dockerheldpackages:
pkg.installed: pkg.installed:
- pkgs: - pkgs:
@@ -57,7 +24,6 @@ dockerheldpackages:
- docker-ce-rootless-extras: 29.2.1-1.el9 - docker-ce-rootless-extras: 29.2.1-1.el9
- hold: True - hold: True
- update_holds: True - update_holds: True
{% endif %}
#disable docker from managing iptables #disable docker from managing iptables
iptables_disabled: iptables_disabled:
salt/firewall/init.sls
-4
View File
@@ -27,14 +27,12 @@ iptables_config:
- source: salt://firewall/iptables.jinja - source: salt://firewall/iptables.jinja
- template: jinja - template: jinja
{% if grains.os_family == 'RedHat' %}
disable_firewalld: disable_firewalld:
service.dead: service.dead:
- name: firewalld - name: firewalld
- enable: False - enable: False
- require: - require:
- file: iptables_config - file: iptables_config
{% endif %}
iptables_restore: iptables_restore:
cmd.run: cmd.run:
@@ -44,7 +42,6 @@ iptables_restore:
- onlyif: - onlyif:
- iptables-restore --test {{ iptmap.configfile }} - iptables-restore --test {{ iptmap.configfile }}
{% if grains.os_family == 'RedHat' %}
enable_firewalld: enable_firewalld:
service.running: service.running:
- name: firewalld - name: firewalld
@@ -52,7 +49,6 @@ enable_firewalld:
- onfail: - onfail:
- file: iptables_config - file: iptables_config
- cmd: iptables_restore - cmd: iptables_restore
{% endif %}
{% else %} {% else %}
salt/firewall/ipt.map.jinja
+6 -14
View File
@@ -1,14 +1,6 @@
{% set iptmap = salt['grains.filter_by']({ {% set iptmap = {
'Debian': { 'service': 'iptables',
'service': 'netfilter-persistent', 'iptpkg': 'iptables-nft',
'iptpkg': 'iptables', 'persistpkg': 'iptables-nft-services',
'persistpkg': 'iptables-persistent', 'configfile': '/etc/sysconfig/iptables'
'configfile': '/etc/iptables/rules.v4' } %}
},
'RedHat': {
'service': 'iptables',
'iptpkg': 'iptables-nft',
'persistpkg': 'iptables-nft-services',
'configfile': '/etc/sysconfig/iptables'
},
}) %}
salt/idh/openssh/config.sls
-2
View File
@@ -3,7 +3,6 @@
include: include:
- idh.openssh - idh.openssh
{% if grains.os_family == 'RedHat' %}
idh_sshd_selinux: idh_sshd_selinux:
selinux.port_policy_present: selinux.port_policy_present:
- port: {{ openssh_map.config.port }} - port: {{ openssh_map.config.port }}
@@ -13,7 +12,6 @@ idh_sshd_selinux:
- file: openssh_config - file: openssh_config
- require: - require:
- pkg: python_selinux_mgmt_tools - pkg: python_selinux_mgmt_tools
{% endif %}
openssh_config: openssh_config:
file.replace: file.replace:
salt/idh/openssh/init.sls
-2
View File
@@ -16,8 +16,6 @@ openssh:
- name: {{ openssh_map.service }} - name: {{ openssh_map.service }}
{% endif %} {% endif %}
{% if grains.os_family == 'RedHat' %}
python_selinux_mgmt_tools: python_selinux_mgmt_tools:
pkg.installed: pkg.installed:
- name: policycoreutils-python-utils - name: policycoreutils-python-utils
{% endif %}
salt/manager/init.sls
-2
View File
@@ -63,11 +63,9 @@ yara_log_dir:
- user - user
- group - group
{% if GLOBALS.os_family == 'RedHat' %}
install_createrepo: install_createrepo:
pkg.installed: pkg.installed:
- name: createrepo_c - name: createrepo_c
{% endif %}
repo_conf_dir: repo_conf_dir:
file.directory: file.directory:
salt/ntp/init.sls
-5
View File
@@ -2,7 +2,6 @@
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'ntp/config.map.jinja' import NTPCONFIG %} {% from 'ntp/config.map.jinja' import NTPCONFIG %}
chrony_pkg: chrony_pkg:
@@ -17,11 +16,7 @@ chronyconf:
- defaults: - defaults:
NTPCONFIG: {{ NTPCONFIG }} NTPCONFIG: {{ NTPCONFIG }}
{% if GLOBALS.os_family == 'RedHat' %}
chronyd: chronyd:
{% else %}
chrony:
{% endif %}
service.running: service.running:
- enable: True - enable: True
- watch: - watch:
salt/repo/client/map.jinja
+29 -43
View File
@@ -1,43 +1,29 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% set REPOPATH = '/etc/yum.repos.d/' %}
{% set ABSENTFILES = [
{% if GLOBALS.os_family == 'RedHat' %} 'centos-addons.repo',
{% set REPOPATH = '/etc/yum.repos.d/' %} 'centos-devel.repo',
{% if GLOBALS.os == 'OEL' %} 'centos-extras.repo',
{% set ABSENTFILES = [ 'centos.repo',
'centos-addons.repo', 'docker-ce.repo',
'centos-devel.repo', 'epel.repo',
'centos-extras.repo', 'epel-testing.repo',
'centos.repo', 'saltstack.repo',
'docker-ce.repo', 'salt-latest.repo',
'epel.repo', 'wazuh.repo'
'epel-testing.repo', 'Rocky-Base.repo',
'saltstack.repo', 'Rocky-CR.repo',
'salt-latest.repo', 'Rocky-Debuginfo.repo',
'wazuh.repo' 'Rocky-fasttrack.repo',
'Rocky-Base.repo', 'Rocky-Media.repo',
'Rocky-CR.repo', 'Rocky-Sources.repo',
'Rocky-Debuginfo.repo', 'Rocky-Vault.repo',
'Rocky-fasttrack.repo', 'Rocky-x86_64-kernel.repo',
'Rocky-Media.repo', 'rocky-addons.repo',
'Rocky-Sources.repo', 'rocky-devel.repo',
'Rocky-Vault.repo', 'rocky-extras.repo',
'Rocky-x86_64-kernel.repo', 'rocky.repo',
'rocky-addons.repo', 'oracle-linux-ol9.repo',
'rocky-devel.repo', 'uek-ol9.repo',
'rocky-extras.repo', 'virt-ol9.repo'
'rocky.repo', ]
'oracle-linux-ol9.repo', %}
'uek-ol9.repo',
'virt-ol9.repo'
]
%}
{% else %}
{% set ABSENTFILES = [] %}
{% endif %}
{% else %}
{% set REPOPATH = '/etc/apt/sources.list.d/' %}
{% set ABSENTFILES = [] %}
{% endif %}
salt/salt/init.sls
-7
View File
@@ -1,10 +1,3 @@
{% if grains.oscodename == 'focal' %}
saltpymodules:
pkg.installed:
- pkgs:
- python3-docker
{% endif %}
# distribute to minions for salt upgrades # distribute to minions for salt upgrades
salt_bootstrap: salt_bootstrap:
file.managed: file.managed:
salt/salt/map.jinja
+4 -14
View File
@@ -17,22 +17,12 @@
{% set SALTVERSION = saltminion.salt.minion.version | string %} {% set SALTVERSION = saltminion.salt.minion.version | string %}
{% set INSTALLEDSALTVERSION = grains.saltversion | string %} {% set INSTALLEDSALTVERSION = grains.saltversion | string %}
{% if grains.os_family == 'Debian' %} {% set SPLITCHAR = '-' %}
{% set SPLITCHAR = '+' %} {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
{% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion', 'salt-cloud'] %} {% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% set SYSTEMD_UNIT_FILE = '/lib/systemd/system/salt-minion.service' %}
{% else %}
{% set SPLITCHAR = '-' %}
{% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion', 'salt-cloud'] %}
{% set SYSTEMD_UNIT_FILE = '/usr/lib/systemd/system/salt-minion.service' %}
{% endif %}
{% if INSTALLEDSALTVERSION != SALTVERSION %} {% if INSTALLEDSALTVERSION != SALTVERSION %}
{% if grains.os_family|lower == 'redhat' %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
{% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -r -F stable ' ~ SALTVERSION %}
{% elif grains.os_family|lower == 'debian' %}
{% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -F stable ' ~ SALTVERSION %}
{% endif %}
{% else %} {% else %}
{% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
{% endif %} {% endif %}
salt/strelka/filestream/config.sls
-7
View File
@@ -47,12 +47,6 @@ filestream_config:
FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }} FILESTREAMCONFIG: {{ STRELKAMERGED.filestream.config }}
# Filecheck Section # Filecheck Section
{% if GLOBALS.os_family == 'Debian' %}
install_watchdog:
pkg.installed:
- name: python3-watchdog
{% elif GLOBALS.os_family == 'RedHat' %}
remove_old_watchdog: remove_old_watchdog:
pkg.removed: pkg.removed:
- name: python3-watchdog - name: python3-watchdog
@@ -60,7 +54,6 @@ remove_old_watchdog:
install_watchdog: install_watchdog:
pkg.installed: pkg.installed:
- name: securityonion-python39-watchdog - name: securityonion-python39-watchdog
{% endif %}
filecheck_logdir: filecheck_logdir:
file.directory: file.directory:
salt/versionlock/init.sls
+1 -1
View File
@@ -3,7 +3,7 @@
# https://securityonion.net/license; you may not use this file except in compliance with the # https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0. # Elastic License 2.0.
{% if grains.os_family == 'Debian' or (grains.os_family == 'RedHat' and salt['pkg.version']('python3-dnf-plugin-versionlock') != "") %} {% if salt['pkg.version']('python3-dnf-plugin-versionlock') != "" %}
{% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %} {% from 'versionlock/map.jinja' import VERSIONLOCKMERGED %}
{% for pkg in VERSIONLOCKMERGED.hold %} {% for pkg in VERSIONLOCKMERGED.hold %}
{{pkg}}_held: {{pkg}}_held:
salt/versionlock/map.jinja
+1 -5
View File
@@ -6,11 +6,7 @@
{% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %} {% import_yaml 'versionlock/defaults.yaml' as VERSIONLOCKDEFAULTS %}
{% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %} {% set VERSIONLOCKMERGED = salt['pillar.get']('versionlock', VERSIONLOCKDEFAULTS.versionlock, merge=True) %}
{% if grains.os_family == 'RedHat' %} {% set HELD = salt['pkg.list_holds']() %}
{% set HELD = salt['pkg.list_holds']() %}
{% else %}
{% set HELD = salt['pkg.get_selections'](state='hold')['hold'] %}
{% endif %}
{# these are packages held / versionlock in other states #} {# these are packages held / versionlock in other states #}
{% set PACKAGES_HELD_IN_OTHER_STATES = [ {% set PACKAGES_HELD_IN_OTHER_STATES = [