From b3ea4194dd8e700edf41f978e9d56bb19cb06ae4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 09:49:02 -0400 Subject: [PATCH 01/10] Only allow reposync to run on managers --- salt/common/tools/sbin/so-repo-sync | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index c69aa44ad..1c09ae60d 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync @@ -7,6 +7,11 @@ . /usr/sbin/so-common +if [ ! -f /root/repodownload.conf ]; then + echo "This script should only run on the manager." + exit 1 +fi + set_version set_os salt_minion_count From f8d5acd37de435843b29767a66cab7b280462a8e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 10:43:47 -0400 Subject: [PATCH 02/10] Saltify it up --- salt/common/tools/sbin/so-common | 10 ++++++---- salt/common/tools/sbin/so-repo-sync | 2 +- salt/manager/defaults.yaml | 5 +++++ salt/manager/init.sls | 31 +++++++++++++++++++++++++++++ salt/manager/soc_manager.yaml | 13 ++++++++++++ 5 files changed, 56 insertions(+), 5 deletions(-) create mode 100644 salt/manager/defaults.yaml diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index dc5ae2123..091529c4d 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -8,10 +8,12 @@ DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" -# Check for prerequisites -if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 +if [ ! -z $NOROOT ]; then + # Check for prerequisites + if [ "$(id -u)" -ne 0 ]; then + echo "This script must be run using sudo!" + exit 1 + fi fi # Define a banner to separate sections diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/common/tools/sbin/so-repo-sync index 1c09ae60d..3d98ecc89 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/common/tools/sbin/so-repo-sync 
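Review bot: In the so-common hunk of patch 02/10 the new guard `if [ ! -z $NOROOT ]; then` is both inverted and unquoted. With NOROOT unset the test is false, so every script that sources so-common without setting the variable skips the sudo check; a value containing whitespace makes `[` report an error instead of a result. Patch 04/10 in this series flips the operator to `-z` but keeps the unquoted expansion; `if [ -z "${NOROOT:-}" ]; then` covers both. NOROOT is read from whatever environment the caller has, so a short comment above the test saying it is a usability guard and not an access control would keep later readers from relying on it.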
@@ -4,7 +4,7 @@ # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. - +NOROOT=1 . /usr/sbin/so-common if [ ! -f /root/repodownload.conf ]; then diff --git a/salt/manager/defaults.yaml b/salt/manager/defaults.yaml new file mode 100644 index 000000000..8bb34690e --- /dev/null +++ b/salt/manager/defaults.yaml @@ -0,0 +1,5 @@ +manager: + reposync: + enabled: True + hour: 3 + minute: 0 \ No newline at end of file diff --git a/salt/manager/init.sls b/salt/manager/init.sls index a360fb2c5..69911651a 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -7,6 +7,8 @@ {% if sls in allowed_states %} {% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'strelka/map.jinja' import STRELKAMERGED %} +{% import_yaml 'manager/defaults.yaml' as MANAGERDEFAULTS %} +{% set MANAGERMERGED = salt['pillar.get']('manager', MANAGERDEFAULTS.manager, merge=true) %} include: - salt.minion @@ -14,6 +16,35 @@ include: - manager.sync_es_users - manager.elasticsearch +repo_log_dir: + file.directory: + - name: /opt/so/log/reposync + - user: socore + - group: socore + - recurse: + - user + - group + +repo_dir: + file.directory: + - name: /nsm/repo + - user: socore + - group: socore + - recurse: + - user + - group + +reposync_cron: + {% if MANAGERMERGED.reposync.enabled %} + cron.present: + {% else %} + cron.absent: + {% endif %} + - user: socore + - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1' + - hour: '{{ MANAGERMERGED.reposync.hour }}' + - minute: '{{ MANAGERMERGED.reposync.minute }}' + socore_own_saltstack: file.directory: - name: /opt/so/saltstack diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index e6e58e524..abcc9d078 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml 
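Review bot: The second init.sls hunk hands `/nsm/repo` to `socore` recursively and runs the sync from socore's crontab, so the integrity of the package tree now rests on that service account rather than on root. Moving the job off root is a reasonable least-privilege step, but any process running as socore can then add or replace files under /nsm/repo and have the metadata regenerated by the `createrepo` call in so-repo-sync. If other nodes install from this directory (not visible in this patch), it is worth confirming that their repo definition enforces `gpgcheck=1` against a pinned key, and recording that dependency in a comment on `repo_dir`.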
@@ -1,4 +1,17 @@ manager: + reposync: + enabled: + description: This is the daily task of syncing the Security Onion OS packages. It is recommended that you leave this enabled. + global: True + helpLink: manager.html + hour: + description: The hour of the day in which the repo sync takes place. + global: True + helpLink: manager.html + minute: + description: The minute within the hour specified in hour to run the repo sync. + global: True + helpLink: manager.html elastalert: description: Enable elastalert 1=enabled 0=disabled. global: True From 02aa8662f7bd6074450cf68a6bb78e58f24a0ea0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 10:52:05 -0400 Subject: [PATCH 03/10] Saltify it up --- salt/{common/tools/sbin => manager/files}/so-repo-sync | 5 ----- salt/manager/init.sls | 8 ++++++++ 2 files changed, 8 insertions(+), 5 deletions(-) rename salt/{common/tools/sbin => manager/files}/so-repo-sync (83%) diff --git a/salt/common/tools/sbin/so-repo-sync b/salt/manager/files/so-repo-sync similarity index 83% rename from salt/common/tools/sbin/so-repo-sync rename to salt/manager/files/so-repo-sync index 3d98ecc89..e9e110446 100644 --- a/salt/common/tools/sbin/so-repo-sync +++ b/salt/manager/files/so-repo-sync @@ -7,11 +7,6 @@ NOROOT=1 . /usr/sbin/so-common -if [ ! -f /root/repodownload.conf ]; then - echo "This script should only run on the manager." - exit 1 -fi - set_version set_os salt_minion_count diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 69911651a..fe26ddebc 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -34,6 +34,14 @@ repo_dir: - user - group +repo_sync_script: + file.managed: + - name: /usr/sbin/so-repo-sync + - source: salt://manager/files/so-repo-sync + - user: root + - group: root + - mode: 755 + reposync_cron: {% if MANAGERMERGED.reposync.enabled %} cron.present: From e52087b7424c6f19becf1543c307a923ec75e863 Mon Sep 17 00:00:00 2001 
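Review bot: The `hour` and `minute` annotations added to soc_manager.yaml carry no stated range or validation, and init.sls passes whatever is stored straight into the `cron.present` state. A value such as `*` in `minute` is valid cron syntax and would start a sync every minute of the chosen hour. Stating the accepted range in each description, for example `description: The hour of the day (0-23) in which the repo sync takes place.`, would help; if the settings schema supports a validation pattern (not visible here), constraining both fields to integers is the stronger fix.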
From: Mike Reeves Date: Thu, 23 Mar 2023 10:54:01 -0400 Subject: [PATCH 04/10] Saltify it up --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 091529c4d..5cdb9e57a 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -8,7 +8,7 @@ DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" -if [ ! -z $NOROOT ]; then +if [ -z $NOROOT ]; then # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" From b68cf85392cf0aa95739b1d6ba026edcca7b3561 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:04:26 -0400 Subject: [PATCH 05/10] Change repo download script location --- setup/so-functions | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 96c357c74..74a2f8b28 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1967,25 +1967,25 @@ repo_sync_local() { # Check for reposync info "Backing up old repos" mkdir -p /nsm/repo - mkdir -p /root/reposync_cache - echo "[main]" > /root/repodownload.conf - echo "gpgcheck=1" >> /root/repodownload.conf - echo "installonly_limit=3" >> /root/repodownload.conf - echo "clean_requirements_on_remove=True" >> /root/repodownload.conf - echo "best=True" >> /root/repodownload.conf - echo "skip_if_unavailable=False" >> /root/repodownload.conf - echo "cachedir=/root/reposync_cache" >> /root/repodownload.conf - echo "keepcache=0" >> /root/repodownload.conf - echo "[securityonionsync]" >> /root/repodownload.conf - echo "name=Security Onion Repo repo" >> /root/repodownload.conf - echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /root/repodownload.conf - echo "enabled=1" >> /root/repodownload.conf - echo "gpgcheck=1" >> /root/repodownload.conf - echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /root/repodownload.conf + mkdir -p /opt/so/conf/reposync/cache + echo "[main]" > /opt/so/conf/reposync/repodownload.conf + echo "gpgcheck=1" >> /opt/so/conf/reposync/repodownload.conf + echo "installonly_limit=3" >> /opt/so/conf/reposync/repodownload.conf + echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf + echo "best=True" >> /opt/so/conf/reposync/repodownload.conf + echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf + echo "cachedir=/opt/so/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf + echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf + echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf + echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf + echo "baseurl=https://repo.securityonion.net/file/securityonion-repo/2.4/" >> /opt/so/conf/reposync/repodownload.conf + echo "enabled=1" >> /opt/so/conf/reposync/repodownload.conf + echo "gpgcheck=1" >> 
/opt/so/conf/reposync/repodownload.conf + echo "gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/securityonion.pub" >> /opt/so/conf/reposync/repodownload.conf logCmd "dnf repolist" # Make sure we can get to the sig repo - logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/checkup" + logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install" logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" From 3756c935180e2f5fe59e1783482e0e1943c6ee2d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:05:48 -0400 Subject: [PATCH 06/10] Change repo download script location --- salt/manager/files/so-repo-sync | 2 +- setup/so-functions | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/manager/files/so-repo-sync b/salt/manager/files/so-repo-sync index e9e110446..051a1fff7 100644 --- a/salt/manager/files/so-repo-sync +++ b/salt/manager/files/so-repo-sync @@ -12,5 +12,5 @@ set_os salt_minion_count curl --retry 5 --retry-delay 60 -A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT' https://sigs.securityonion.net/checkup --output /tmp/checkup -dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ +dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/ createrepo /nsm/repo \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 74a2f8b28..6552020c4 100755 --- a/setup/so-functions 
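Review bot: In the repo_sync_local hunk of patch 05/10 the connectivity check now writes to `--output /tmp/install`, a fixed name in a world-writable directory, and setup presumably runs as root; curl will write through whatever already exists at that path. The response body does not appear to be used in the visible lines, so `--output /dev/null` would serve unless something outside this hunk reads the file; otherwise take the path from `mktemp`. Two leftovers in this commit are corrected later in the series: the `dnf reposync` lines still pass `-c /root/repodownload.conf` (fixed in 06/10), and `cachedir=/opt/so/reposync/cache` does not match the `mkdir -p /opt/so/conf/reposync/cache` above it (fixed in 09/10). The function body starts and ends outside the hunk.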
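Review bot: On the curl context line of the so-repo-sync hunk in patch 06/10 the user agent is single-quoted, `-A 'checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT'`, so the literal text is sent instead of the values presumably set by `set_version`, `set_os` and `salt_minion_count`; so-functions wraps its equivalent string in double quotes. `-A "checkin/$VERSION/$OS/$(uname -r)/$MINIONCOUNT"` fixes that. The same line writes to the fixed path `/tmp/checkup`, and since patch 02/10 the job runs from socore's crontab, so `--output /dev/null` (or a `mktemp` path) avoids depending on what another local user has placed there. Neither curl nor `dnf reposync` has its exit status checked before `createrepo /nsm/repo` runs; the top of the script and so-common are outside the hunk, so a `set -e` there cannot be ruled out.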
+++ b/setup/so-functions @@ -1986,9 +1986,9 @@ repo_sync_local() { logCmd "dnf repolist" # Make sure we can get to the sig repo logCmd "curl --retry 5 --retry-delay 60 -A 'gridinstall/$SOVERSION/$OS/$(uname -r)/1' https://sigs.securityonion.net/checkup --output /tmp/install" - logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # Run it again and make sure we got allt he things - logCmd "dnf reposync --norepopath -g --delete -m -c /root/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" + logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/" # After the download is complete run createrepo create_repo From 8f4076ccd6f41b893be888ab0610cd42a7c0afc7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:46:32 -0400 Subject: [PATCH 07/10] Change repo conf permissions --- salt/manager/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index fe26ddebc..4db979266 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -25,6 +25,15 @@ repo_log_dir: - user - group +repo_conf_dir: + file.directory: + - name: /opt/so/conf/reposync + - user: socore + - group: socore + - recurse: + - user + - group + repo_dir: file.directory: - name: /nsm/repo From c977f38a5867e111be47ea3ba7ddcb9d74b3747c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 11:56:40 -0400 Subject: [PATCH 08/10] Change repo conf permissions --- salt/manager/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 4db979266..2cddf130c 100644 --- a/salt/manager/init.sls 
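Review bot: `repo_conf_dir` in the patch 07/10 init.sls hunk makes `/opt/so/conf/reposync` and everything under it owned by `socore`, which includes `repodownload.conf`, the file so-functions writes with `gpgcheck=1`, `baseurl` and `gpgkey`. The account that runs the sync can therefore rewrite the settings that decide where packages come from and whether their signatures are checked. Of the paths under this directory only the cache appears to need write access; keeping the directory and `repodownload.conf` root-owned and readable by socore, with the cache directory as the one socore-owned path, would separate the two. Patch 09/10 later places the cache inside this directory, so that split would need the cache kept as its own `file.directory` state.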
+++ b/salt/manager/init.sls @@ -34,6 +34,15 @@ repo_conf_dir: - user - group +repo_cache_dir: + file.directory: + - name: /opt/so/reposync/cache + - user: socore + - group: socore + - recurse: + - user + - group + repo_dir: file.directory: - name: /nsm/repo From 0a096712cb74a2500e07b36e053df48a7d1b3d73 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 12:39:31 -0400 Subject: [PATCH 09/10] Fix cache location --- salt/manager/init.sls | 9 --------- setup/so-functions | 2 +- 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 2cddf130c..4db979266 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -34,15 +34,6 @@ repo_conf_dir: - user - group -repo_cache_dir: - file.directory: - - name: /opt/so/reposync/cache - - user: socore - - group: socore - - recurse: - - user - - group - repo_dir: file.directory: - name: /nsm/repo diff --git a/setup/so-functions b/setup/so-functions index 6552020c4..807d29575 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1974,7 +1974,7 @@ repo_sync_local() { echo "clean_requirements_on_remove=True" >> /opt/so/conf/reposync/repodownload.conf echo "best=True" >> /opt/so/conf/reposync/repodownload.conf echo "skip_if_unavailable=False" >> /opt/so/conf/reposync/repodownload.conf - echo "cachedir=/opt/so/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf + echo "cachedir=/opt/so/conf/reposync/cache" >> /opt/so/conf/reposync/repodownload.conf echo "keepcache=0" >> /opt/so/conf/reposync/repodownload.conf echo "[securityonionsync]" >> /opt/so/conf/reposync/repodownload.conf echo "name=Security Onion Repo repo" >> /opt/so/conf/reposync/repodownload.conf From 3b671efa8eec9ef31bff80d99aed45c28326a66f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 23 Mar 2023 12:47:48 -0400 Subject: [PATCH 10/10] Fix cache location --- salt/manager/soc_manager.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/salt/manager/soc_manager.yaml b/salt/manager/soc_manager.yaml index abcc9d078..437c14ad9 100644 --- a/salt/manager/soc_manager.yaml +++ b/salt/manager/soc_manager.yaml @@ -9,7 +9,7 @@ manager: global: True helpLink: manager.html minute: - description: The minute within the hour specified in hour to run the repo sync. + description: The minute within the hour to run the repo sync. global: True helpLink: manager.html elastalert: