diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index e09d2c8ae..37adcef99 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -366,6 +366,13 @@ is_feature_enabled() {
 return 1
 }
+read_feat() {
+ if [ -f /opt/so/log/sostatus/lks_enabled ]; then
+ lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
+ echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
+ fi
+}
+
 require_manager() {
 if is_manager_node; then
 echo "This is a manager, so we can proceed."
@@ -559,6 +566,14 @@ status () {
 printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
 }
+sync_options() {
+ set_version
+ set_os
+ salt_minion_count
+
+ echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
+}
+
 systemctl_func() {
 local action=$1
 local echo_action=$1
diff --git a/salt/common/tools/sbin/so-common-status-check b/salt/common/tools/sbin/so-common-status-check
index 39e0c16a7..d713ba6c6 100644
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
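Review bot: `read_feat` guards only on `/opt/so/log/sostatus/lks_enabled` but then also cats `/opt/so/log/sostatus/fps_enabled`, so when just the first file exists it prints a cat error on stderr and emits an empty trailing field; test both files, `if [ -f /opt/so/log/sostatus/lks_enabled ] && [ -f /opt/so/log/sostatus/fps_enabled ]; then`. `lic_id` is not declared `local`, and because so-common is sourced by its callers the value is left behind as a shell global; `local lic_id` as the first line of the function fixes that, and `lic_id=$(awk '/license_id:/ {print $2}' /opt/so/saltstack/local/pillar/soc/license.sls)` replaces the cat|grep|awk pipeline. Since this function's output ends up in the outbound User-Agent assembled by `sync_options` (see the so-repo-sync hunk on this page), a one-line header comment stating that it prints `<license id>/<lks_enabled flag>/<fps_enabled flag>` for the checkup request would tell the next reader what leaves the host.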
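Review bot: `sync_options` calls `set_version`, `set_os` and `salt_minion_count` for their side effects on `VERSION`, `OS` and `MINIONCOUNT`, but so-repo-sync now invokes it only as `$(sync_options)`, so those assignments happen in a subshell and are gone once the curl line finishes; the removed top-level calls used to leave them set in the script's own shell, so any later use of `$VERSION` or `$OS` in so-repo-sync (not visible on this page) would now see empty values. If only the string is needed this is fine, and a comment makes it deliberate: `# Prints <version>/<os>/<kernel>/<minion count>/<read_feat output> for the checkup User-Agent; the variables set by the helpers do not survive a $(...) call.` When `read_feat` prints nothing the string ends in a bare `/`; whether the checkup endpoint tolerates that cannot be judged from here.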
@@ -37,23 +37,28 @@ def check_needs_restarted():
 with open(outfile, 'w') as f:
 f.write(val)
-def check_for_fips():
- fips = 0
+def check_for_fps():
+ feat = 'fps'
+ feat_full = feat.replace('ps', 'ips')
+ fps = 0
 try:
- result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
+ result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
 if result.returncode == 0:
- fips = 1
+ fps = 1
 except FileNotFoundError:
- with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+ fn = '/proc/sys/crypto/' + feat_full + '_enabled'
+ with open(fn, 'r') as f:
 contents = f.read()
 if '1' in contents:
- fips = 1
+ fps = 1
- with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
- f.write(str(fips))
+ with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
+ f.write(str(fps))
-def check_for_luks():
- luks = 0
+def check_for_lks():
+ feat = 'Lks'
+ feat_full = feat.replace('ks', 'uks')
+ lks = 0
 result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
 data = json.loads(result.stdout)
 for device in data['blockdevices']:
@@ -61,17 +66,18 @@ def check_for_luks():
 for gc in device['children']:
 if 'children' in gc:
 try:
- result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], stdout=subprocess.PIPE)
+ arg = 'is' + feat_full
+ result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
 if result.returncode == 0:
- luks = 1
+ lks = 1
 except FileNotFoundError:
 for ggc in gc['children']:
 if 'crypt' in ggc['type']:
- luks = 1
- if luks:
+ lks = 1
+ if lks:
 break
- with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
- f.write(str(luks))
+ with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
+ f.write(str(lks))
 def fail(msg):
 print(msg, file=sys.stderr)
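Review bot: The FIPS probe in `check_for_fps` now writes its result to `/opt/so/log/sostatus/lks_enabled`, while the LUKS probe in the next hunk writes to `/opt/so/log/sostatus/fps_enabled`, and the features.sh hunk on this page reports `fps=` from `fps_enabled` and `lks=` from `lks_enabled`; unless the swap is intended, the telegraf `features` metric will report each flag under the other's name. If it is deliberate, each `with open(...)` line needs a comment such as `# NOTE: the FIPS result is intentionally stored under the lks_enabled name` so the next maintainer does not "fix" it; otherwise swap the two filenames back. Separately, the `with open(fn, 'r')` fallback (where `feat_full` resolves to `fips`) runs inside the `except FileNotFoundError` handler, so a host with neither `fips-mode-setup` nor `/proc/sys/crypto/fips_enabled` raises out of the function before the status file is written; guarding that open with its own `except FileNotFoundError: pass` keeps `fps` at 0 and still writes the file. `check_for_lks` continues in the next hunk.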
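Review bot: `arg = 'is' + feat_full` resolves, via `'Lks'.replace('ks', 'uks')` in the previous hunk, to the cryptsetup subcommand `isLuks`, but nothing in the code says so, and `feat` is never used again after deriving `feat_full`; a comment such as `# resolves to the 'isLuks' cryptsetup subcommand` on the `arg =` line (and a matching one where `feat_full` is derived in `check_for_fps`, which resolves to `fips`) keeps the probe greppable for anyone debugging an encrypted-disk detection failure. `check_for_lks` begins in the previous hunk.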
@@ -84,9 +90,9 @@ def main():
 # Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
 org_umask = os.umask(0o022)
 check_needs_restarted()
- check_for_fips()
- check_for_luks()
- # Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
+ check_for_fps()
+ check_for_lks()
+ # Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
 os.umask(org_umask)
 if __name__ == "__main__":
diff --git a/salt/kratos/map.jinja b/salt/kratos/map.jinja
index a603d813a..89112a1f0 100644
--- a/salt/kratos/map.jinja
+++ b/salt/kratos/map.jinja
@@ -21,7 +21,7 @@
 {% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}
-{% if KRATOSMERGED.oidc.enabled and 'oidc' in salt['pillar.get']('features') %}
+{% if KRATOSMERGED.oidc.enabled and 'odc' in salt['pillar.get']('features') %}
 {% do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
 {% endif %}
diff --git a/salt/manager/tools/sbin/so-repo-sync b/salt/manager/tools/sbin/so-repo-sync
index 84384fcdf..a0393a36b 100644
--- a/salt/manager/tools/sbin/so-repo-sync
+++ b/salt/manager/tools/sbin/so-repo-sync
@@ -7,12 +7,8 @@ NOROOT=1
 . /usr/sbin/so-common
-set_version
-set_os
-salt_minion_count
-
 set -e
-curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
+curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup
 dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
 createrepo /nsm/repo
diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
index d597cdacb..69b4fdb50 100755
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
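Review bot: The rewritten comment now says `SXIG sets to 0077 rw---`, a name used nowhere else on this page (the hardening states live under `salt/stig/`), so it reads as a typo introduced by the rename. If the literal is being avoided on purpose, keep the why intact without it: `# Restore umask to whatever value was set before this script was run; hardened installs run with 0077 (rw-------).` `main` begins before this hunk.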
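Review bot: The feature token checked here is now `odc` while the Kratos method enabled on the very next line is still keyed `oidc`; with the two names one line apart, a short comment, `{# 'odc' is the feature-flag token; 'oidc' below is the Kratos method name #}`, prevents a future reader from "correcting" one to match the other. The page shows no producer of the `features` pillar list, so it cannot be confirmed here that it emits `odc`; if it still emits `oidc`, OIDC self-service silently stays disabled. For consistency with the two `salt/stig` hunks on this page the lookup could also pass an explicit default, `salt['pillar.get']('features', [])`.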
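Review bot: The User-Agent sent to `https://sigs.securityonion.net/checkup` now carries whatever `sync_options` prints, which per the so-common hunks above adds the license id read from `license.sls` and the two sostatus flags to the previous version/OS/kernel/minion-count fields, and nothing at the call site says so now that the `set_version`/`set_os`/`salt_minion_count` lines are gone. A comment above the curl line, `# UA = reposync/<version>/<os>/<kernel>/<minion count>/<license id>/<lks_enabled>/<fps_enabled>; see sync_options in so-common`, records what leaves the host on every repo sync. Note that `set -e` does not cover a failure inside `$(sync_options)` when it appears as a command argument, so if one of its helpers fails curl simply sends a partial string.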
@@ -347,7 +347,7 @@ function syncElastic() {
 [[ $? != 0 ]] && fail "Unable to read credential hashes from database"
 user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
- if lookup_salt_value "licensed_features" "" "pillar" | grep -x oidc; then
+ if lookup_salt_value "features" "" "pillar" | grep -x odc; then
 # generate random placeholder salt/hash for users without passwords
 random_crypt=$(get_random_value 53)
 user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
diff --git a/salt/stig/enabled.sls b/salt/stig/enabled.sls
index 5c4b6851b..3d8f15ff6 100644
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
-{% if 'stig' in salt['pillar.get']('features', []) %}
+{% if 'stg' in salt['pillar.get']('features', []) %}
 {% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
 {% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
 {% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
diff --git a/salt/stig/schedule.sls b/salt/stig/schedule.sls
index 9f354662d..94aaf4e2d 100644
--- a/salt/stig/schedule.sls
+++ b/salt/stig/schedule.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.
 {% from 'stig/map.jinja' import STIGMERGED %}
-{% if 'stig' in salt['pillar.get']('features', []) %}
+{% if 'stg' in salt['pillar.get']('features', []) %}
 stig_remediate_schedule:
 schedule.present:
 - function: state.apply
diff --git a/salt/telegraf/scripts/features.sh b/salt/telegraf/scripts/features.sh
index eb600ccdf..7c4fe6f52 100644
--- a/salt/telegraf/scripts/features.sh
+++ b/salt/telegraf/scripts/features.sh
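Review bot: `grep -x odc` without `-q` prints the matched token to so-user's stdout whenever the feature is present, which is noise in a sync script; `if lookup_salt_value "features" "" "pillar" | grep -qx odc; then` keeps the test silent and still yields the same exit status. The pillar key also moves from `licensed_features` to `features`, which aligns with the kratos map on this page; whether anything else still reads `licensed_features` is not visible here. `syncElastic` begins before this hunk.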
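Review bot: The gate on the STIG remediation state now requires the token `stg` in the `features` pillar list (the same change is made in `salt/stig/schedule.sls` below), and no hunk on this page updates whatever writes that list; if the producer still emits `stig`, both states render to nothing and hardening silently stops being applied and scheduled, with no error to surface it. Since the token and the state name now differ, add `{# 'stg' is the feature-flag token; it intentionally does not match the 'stig' state name #}` beside the condition, and confirm the pillar producer emits `stg` and `odc` consistently with the other hunks in this commit.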
@@ -7,11 +7,11 @@ if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then
- FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled)
- LUKS_ENABLED=$(cat /var/log/sostatus/luks_enabled)
+ FPS_ENABLED=$(cat /var/log/sostatus/fps_enabled)
+ LKS_ENABLED=$(cat /var/log/sostatus/lks_enabled)
- echo "features fips=$FIPS_ENABLED"
- echo "features luks=$LUKS_ENABLED"
+ echo "features fps=$FPS_ENABLED"
+ echo "features lks=$LKS_ENABLED"
 fi
 exit 0