Merge remote-tracking branch 'remotes/origin/dev' into issue/1191

2025-12-06 17:22:49 +01:00 · 2021-01-29 16:54:26 -05:00
parent 618b94b9b6 929896c191
commit 8ca15a6679
11 changed files with 134 additions and 25 deletions
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -267,6 +267,19 @@ dockerreserveports:
    - source: salt://common/files/99-reserved-ports.conf
    - name: /etc/sysctl.d/99-reserved-ports.conf

+{% if salt['grains.get']('sosmodel', '') %}
+# Install raid check cron
+/usr/sbin/so-raid-status > /dev/null 2>&1:
+  cron.present:
+    - user: root
+    - minute: '*/15'
+    - hour: '*'
+    - daymonth: '*'
+    - month: '*'
+    - dayweek: '*'
+
+{% endif %}
+
 {% else %}

 {{sls}}_state_not_allowed:
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -228,23 +228,23 @@ retry() {
 	attempt=0
 	while [[ $attempt -lt $maxAttempts ]]; do			
 		attempt=$((attempt+1))
-		info "Executing command with retry support: $cmd"
+		echo "Executing command with retry support: $cmd"
 		output=$($cmd)
-		info "Results: $output"
 		exitcode=$?
+		echo "Results: $output ($exitcode)"
 		if [ -n "$expectedOutput" ]; then
 			if [[ "$output" =~ "$expectedOutput" ]]; then
 				return $exitCode
 			else
-				info "Expected '$expectedOutput' but got '$output'"
+				echo "Expected '$expectedOutput' but got '$output'"
 			fi
 		elif [[ $exitcode -eq 0 ]]; then
 			return $exitCode
 		fi
-		info "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
+		echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
 		sleep $sleepDelay
 	done
-	error "Command continues to fail; giving up."
+	echo "Command continues to fail; giving up."
 	return 1
 }

--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -126,12 +126,19 @@ update_docker_containers() {
    container_list
  fi

-  # Let's make sure we have the public key
-  curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import -  >> "$LOG_FILE" 2>&1
-  
  rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 
  mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 

+  # Let's make sure we have the public key
+  retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1
+  result=$?
+  if [[ $result -eq 0 ]]; then
+    cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
+  else
+    echo "Failed to pull signature key file: $result"
+    exit 1
+  fi
+  
  # Download the containers from the interwebs
  for i in "${TRUSTED_CONTAINERS[@]}"
  do
@@ -146,7 +153,7 @@ update_docker_containers() {
    docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 
    
    # Get signature
-    curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig >> "$LOG_FILE" 2>&1 
+    retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1
    if [[ $? -ne 0 ]]; then
      echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 
      exit 1
--- a/salt/common/tools/sbin/so-raid-status
+++ b/salt/common/tools/sbin/so-raid-status
@@ -0,0 +1,81 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /usr/sbin/so-common
+
+#check_boss_raid() {
+#    BOSSBIN=/opt/boss/mvcli
+#    BOSSRC=$($BOSSBIN info -o vd | grep functional)
+#
+#    if [[ $BOSSRC ]]; then
+#        # Raid is good
+#        BOSSRAID=0
+#    else
+#        BOSSRAID=1
+#    fi
+#}
+
+check_lsi_raid() {
+    # For use for LSI on Ubuntu
+    #MEGA=/opt/MegaRAID/MegeCli/MegaCli64
+    #LSIRC=$($MEGA -LDInfo -Lall -aALL | grep Optimal)
+    # Open Source Centos
+    MEGA=/opt/mega/megasasctl
+    LSIRC=$($MEGA | grep optimal)
+
+    if [[ $LSIRC ]]; then
+        # Raid is good
+        LSIRAID=0
+    else
+        LSIRAID=1
+    fi
+
+}
+
+check_software_raid() {
+    SWRC=$(grep "_" /proc/mdstat)
+
+    if [[ $SWRC ]]; then
+        # RAID is failed in some way
+        SWRAID=1
+    else
+        SWRAID=0
+    fi
+}
+
+# This script checks raid status if you use SO appliances
+
+# See if this is an appliance
+
+{%- if salt['grains.get']('sosmodel', '') %}
+mkdir -p /opt/so/log/raid
+  {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %}
+#check_boss_raid
+check_software_raid
+echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log
+  {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %}
+#check_boss_raid
+check_lsi_raid
+echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log
+  {%- else %}
+exit 0
+  {%- endif %}
+{%- else %}
+exit 0
+{%- endif %}
+
+
--- a/salt/common/tools/sbin/so-user
+++ b/salt/common/tools/sbin/so-user
@@ -1,12 +1,20 @@
 #!/bin/bash
-# Copyright 2020 Security Onion Solutions. All rights reserved.
-#
-# This program is distributed under the terms of version 2 of the
-# GNU General Public License.  See LICENSE for further details.
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+
+#    This program is free software: you can redistribute it and/or modify
+#    it under the terms of the GNU General Public License as published by
+#    the Free Software Foundation, either version 3 of the License, or
+#    (at your option) any later version.
 #
 #    This program is distributed in the hope that it will be useful,
 #    but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#    GNU General Public License for more details.
+#
+#    You should have received a copy of the GNU General Public License
+#    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+

 source $(dirname $0)/so-common

--- a/setup/automation/distributed-net-centos-search
+++ b/setup/automation/distributed-net-centos-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.72
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/automation/distributed-net-centos-sensor
+++ b/setup/automation/distributed-net-centos-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.72
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/automation/distributed-net-ubuntu-search
+++ b/setup/automation/distributed-net-ubuntu-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/automation/distributed-net-ubuntu-sensor
+++ b/setup/automation/distributed-net-ubuntu-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -63,8 +63,8 @@ OSQUERY=1
 # PATCHSCHEDULEHOURS=
 PATCHSCHEDULENAME=auto
 # PLAYBOOK=1
-REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)
-REDIRECTINFO=OTHER
+# REDIRECTHOST=
+REDIRECTINFO=IP
 RULESETUP=ETOPEN
 # SHARDCOUNT=
 # SKIP_REBOOT=
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -567,7 +567,7 @@ set_redirect >> $setup_log 2>&1
 		set_updates >> $setup_log 2>&1
 	fi

-	if [[ $is_manager && $is_airgap ]]; then
+	if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then
 		info "Creating airgap repo"
 		create_repo >> $setup_log 2>&1
 		airgap_rules >> $setup_log 2>&1
@@ -652,12 +652,12 @@ set_redirect >> $setup_log 2>&1

 	if [[ $is_minion ]]; then
 		set_progress_str 20 'Accepting Salt key on manager'
-		retry 20 10	accept_salt_key_remote "going to be accepted"
+		retry 20 10	accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1
 	fi

 	if [[ $is_manager || $is_import || $is_helix ]]; then
 		set_progress_str 20 'Accepting Salt key'
-		retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted"
+		retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1
 	fi

 	set_progress_str 21 'Copying minion pillars to manager'