diff --git a/salt/common/init.sls b/salt/common/init.sls
index 8b17cc7f5..b0289ed32 100644
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -267,10 +267,23 @@ dockerreserveports:
- source: salt://common/files/99-reserved-ports.conf
- name: /etc/sysctl.d/99-reserved-ports.conf
+{% if salt['grains.get']('sosmodel', '') %}
+# Install raid check cron
+/usr/sbin/so-raid-status > /dev/null 2>&1:
+ cron.present:
+ - user: root
+ - minute: '*/15'
+ - hour: '*'
+ - daymonth: '*'
+ - month: '*'
+ - dayweek: '*'
+
+{% endif %}
+
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
-{% endif %}
+{% endif %}
\ No newline at end of file
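Review bot: The cron entry sends both stdout and stderr of `so-raid-status` to /dev/null, so if the script cannot run or exits early nothing is recorded and /opt/so/log/raid/status.log simply stops updating. The script is added in this commit with mode 100644, and how it becomes executable is not visible here. A stale status file then reads the same as a healthy array to whatever consumes it. Keeping the output would help, e.g. `/usr/sbin/so-raid-status >> <LOG_PATH> 2>&1:` as the state ID, or the consumer could alert on the age of status.log.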
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index eb3b89e7e..b1db4c04c 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -228,23 +228,23 @@ retry() {
attempt=0
while [[ $attempt -lt $maxAttempts ]]; do
attempt=$((attempt+1))
- info "Executing command with retry support: $cmd"
+ echo "Executing command with retry support: $cmd"
output=$($cmd)
- info "Results: $output"
exitcode=$?
+ echo "Results: $output ($exitcode)"
if [ -n "$expectedOutput" ]; then
if [[ "$output" =~ "$expectedOutput" ]]; then
return $exitCode
else
- info "Expected '$expectedOutput' but got '$output'"
+ echo "Expected '$expectedOutput' but got '$output'"
fi
elif [[ $exitcode -eq 0 ]]; then
return $exitCode
fi
- info "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
+ echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
sleep $sleepDelay
done
- error "Command continues to fail; giving up."
+ echo "Command continues to fail; giving up."
return 1
}
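Review bot: Both success paths in `retry` use `return $exitCode`, but the status is stored in `exitcode` (lower-case c) and `exitCode` is never set in the visible body. The empty expansion turns this into a bare `return`, which passes on the status of the preceding `[[ ]]` test, so callers get 0 only by accident and the line would abort under `set -u`. Writing `return 0` in both places keeps the current result and makes it explicit. Separately, replacing `info`/`error` with `echo` puts the retry diagnostics on stdout, so every caller now has to redirect them, as the so-setup and so-image-common hunks in this diff do. The start of `retry` lies outside the hunk.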
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index c883fb3f1..9702da3f1 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -126,12 +126,19 @@ update_docker_containers() {
container_list
fi
- # Let's make sure we have the public key
- curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
-
rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1
mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
+ # Let's make sure we have the public key
+ retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1
+ result=$?
+ if [[ $result -eq 0 ]]; then
+ cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
+ else
+ echo "Failed to pull signature key file: $result"
+ exit 1
+ fi
+
# Download the containers from the interwebs
for i in "${TRUSTED_CONTAINERS[@]}"
do
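Review bot: `retry` only repeats on a non-zero exit, and `curl -sSL` without `-f` exits 0 on an HTTP error response, so a 404 or 5xx body would be saved as `$SIGNPATH/KEYS` and handed to gpg without any retry; the signature download in the next hunk has the same gap. Adding `-f` to both curl calls closes it. The `gpg --import` status is also unchecked, so a rejected key file lets the function carry on; `gpg --import "$SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1 || exit 1` would stop there. This key is presumably what the image signatures are checked against later, so comparing the imported fingerprint with a value shipped in the installer would avoid trusting whatever the master branch serves at fetch time. update_docker_containers starts and ends outside the hunk.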
@@ -146,7 +153,7 @@ update_docker_containers() {
docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1
# Get signature
- curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig >> "$LOG_FILE" 2>&1
+ retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1
if [[ $? -ne 0 ]]; then
echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1
exit 1
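Review bot: The single quotes around the User-Agent are not parsed as quotes once the command is passed to `retry` as one string, because `retry` runs it as `output=$($cmd)` (so-common hunk above), which only word-splits. curl therefore receives the quote characters as part of the `-A` value, and a space in `$OS` or any other component would split the argument and shift the URL. Keeping the direct call and using curl's own retry options avoids the re-parsing, e.g. `curl -f --retry 50 --retry-delay 10 -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" <SIG_URL> --output "$SIGNPATH/$image.sig"`. The `if` block that checks the status continues outside the hunk.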
diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status
new file mode 100644
index 000000000..d55d158fe
--- /dev/null
+++ b/salt/common/tools/sbin/so-raid-status
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+#check_boss_raid() {
+# BOSSBIN=/opt/boss/mvcli
+# BOSSRC=$($BOSSBIN info -o vd | grep functional)
+#
+# if [[ $BOSSRC ]]; then
+# # Raid is good
+# BOSSRAID=0
+# else
+# BOSSRAID=1
+# fi
+#}
+
+check_lsi_raid() {
+ # For use for LSI on Ubuntu
+ #MEGA=/opt/MegaRAID/MegeCli/MegaCli64
+ #LSIRC=$($MEGA -LDInfo -Lall -aALL | grep Optimal)
+ # Open Source Centos
+ MEGA=/opt/mega/megasasctl
+ LSIRC=$($MEGA | grep optimal)
+
+ if [[ $LSIRC ]]; then
+ # Raid is good
+ LSIRAID=0
+ else
+ LSIRAID=1
+ fi
+
+}
+
+check_software_raid() {
+ SWRC=$(grep "_" /proc/mdstat)
+
+ if [[ $SWRC ]]; then
+ # RAID is failed in some way
+ SWRAID=1
+ else
+ SWRAID=0
+ fi
+}
+
+# This script checks raid status if you use SO appliances
+
+# See if this is an appliance
+
+{%- if salt['grains.get']('sosmodel', '') %}
+mkdir -p /opt/so/log/raid
+ {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
+#check_boss_raid
+check_software_raid
+echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+ {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %}
+#check_boss_raid
+check_lsi_raid
+echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+ {%- else %}
+exit 0
+ {%- endif %}
+{%- else %}
+exit 0
+{%- endif %}
+
+
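Review bot: `BOSSRAID` is never assigned, because `check_boss_raid` is commented out both as a definition and at its two call sites, so both `echo` lines write an empty `osraid=` field into status.log and a reader cannot tell a healthy OS array from an unchecked one. Either drop the field until the check exists or write an explicit marker, e.g. `echo "osraid=${BOSSRAID:-unknown} nsmraid=$SWRAID"`. `check_software_raid` also reports healthy when `grep` cannot read /proc/mdstat, since an empty `SWRC` maps to `SWRAID=0`. A guard such as `[[ -r /proc/mdstat ]] || { SWRAID=1; return; }` at the top of that function would make the case fail closed.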
diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user
index 3ab9ae6a2..b918ff173 100755
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -1,12 +1,20 @@
#!/bin/bash
-# Copyright 2020 Security Onion Solutions. All rights reserved.
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
#
-# This program is distributed under the terms of version 2 of the
-# GNU General Public License. See LICENSE for further details.
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
source $(dirname $0)/so-common
diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-centos-search
index d95d7ff44..5f61edd52 100644
--- a/setup/automation/distributed-net-centos-search
+++ b/setup/automation/distributed-net-centos-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.72
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-centos-sensor
index f932c80b4..23f32b319 100644
--- a/setup/automation/distributed-net-centos-sensor
+++ b/setup/automation/distributed-net-centos-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
MNIC=eth0
# MSEARCH=
MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.72
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search
index 454c23b16..62621208a 100644
--- a/setup/automation/distributed-net-ubuntu-search
+++ b/setup/automation/distributed-net-ubuntu-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
MNIC=ens18
# MSEARCH=
MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor
index 269545a0b..475481071 100644
--- a/setup/automation/distributed-net-ubuntu-sensor
+++ b/setup/automation/distributed-net-ubuntu-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
MNIC=ens18
# MSEARCH=
MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
# MTU=
# NIDS=Suricata
# NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index 8844d19d1..6873cf120 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -63,8 +63,8 @@ OSQUERY=1
# PATCHSCHEDULEHOURS=
PATCHSCHEDULENAME=auto
# PLAYBOOK=1
-REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)
-REDIRECTINFO=OTHER
+# REDIRECTHOST=
+REDIRECTINFO=IP
RULESETUP=ETOPEN
# SHARDCOUNT=
# SKIP_REBOOT=
diff --git a/setup/so-setup b/setup/so-setup
index 8a2cb714c..ea67ef5f4 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -567,7 +567,7 @@ set_redirect >> $setup_log 2>&1
set_updates >> $setup_log 2>&1
fi
- if [[ $is_manager && $is_airgap ]]; then
+ if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then
info "Creating airgap repo"
create_repo >> $setup_log 2>&1
airgap_rules >> $setup_log 2>&1
@@ -652,12 +652,12 @@ set_redirect >> $setup_log 2>&1
if [[ $is_minion ]]; then
set_progress_str 20 'Accepting Salt key on manager'
- retry 20 10 accept_salt_key_remote "going to be accepted"
+ retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1
fi
if [[ $is_manager || $is_import || $is_helix ]]; then
set_progress_str 20 'Accepting Salt key'
- retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted"
+ retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1
fi
set_progress_str 21 'Copying minion pillars to manager'
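Review bot: Neither `retry` call has its return status checked, so when the key is still not accepted after 20 attempts `retry` returns 1 and setup moves on to 'Copying minion pillars to manager' with an unaccepted minion key, unless an error trap outside this hunk catches it. With the output now redirected to `$setup_log`, the failure is also no longer visible on the console. Checking the status at both call sites would stop the install at the point of failure, e.g. `retry 20 10 accept_salt_key_remote "going to be accepted" >> "$setup_log" 2>&1 || exit 1`, or the failure handler so-setup already uses in place of `exit 1`. The enclosing block starts and ends outside the hunk.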