From 146c1a4d757bf1029f4aa18a0d37765934baf7e5 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 19 Nov 2020 15:06:06 -0500
Subject: [PATCH 01/19] fix typos of minon to minion

---
salt/salt/map.jinja | 8 ++++----
salt/soc/files/soc/changes.json | 2 +-
2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja
index e4c395304..4796b16a2 100644
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -12,13 +12,13 @@
 {% if grains.saltversion|string != SALTVERSION|string %}
 {% if grains.os|lower in ['centos', 'redhat'] %}
 {% if ISAIRGAP is sameas true %}
- {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minion' %}
 {% else %}
- {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*" && systemctl restart salt-minion' %}
 {% endif %}
 {% elif grains.os|lower == 'ubuntu' %}
- {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && systemctl restart salt-minon' %}
+ {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion && systemctl restart salt-minion' %}
 {% endif %}
 {% else %}
- {% set UPGRADECOMMAND = 'echo Already running Salt Minon version ' ~ SALTVERSION %}
+ {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
 {% endif %}
\ No newline at end of file
diff --git a/salt/soc/files/soc/changes.json b/salt/soc/files/soc/changes.json
index 44298caf0..8a0fe1f50 100644
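Review bot: The corrected chains still leave the Salt packages unpinned when the upgrade itself fails: in `yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh ... && yum versionlock add "salt-*"` the lock is only re-added if every earlier command succeeded, so a bootstrap that dies on a repo or network error leaves `salt-*` free to drift on the next `yum update` (the apt branch has the same shape around `apt-mark unhold`/`apt-mark hold`). Re-add the lock regardless of the bootstrap result, e.g. `yum versionlock delete "salt-*"; /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ '; rc=$?; yum versionlock add "salt-*"; [ $rc -eq 0 ] && systemctl restart salt-minion`. `SALTVERSION` is interpolated unquoted into a shell string, which is fine while it is a literal set above the hunk but should be validated as a version string if it is ever sourced from pillar. If `UPGRADECOMMAND` is run by the minion being upgraded, the trailing `systemctl restart salt-minion` will also kill the job that is executing it, so the restart may need to be detached (`bg: True` or `nohup`); the enclosing `{% if grains.saltversion ... %}` block opens at the hunk's first line and its surroundings continue outside the hunk.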
--- a/salt/soc/files/soc/changes.json
+++ b/salt/soc/files/soc/changes.json
@@ -37,6 +37,6 @@
 { "summary": "Winlogbeat download package is now available from the SOC Downloads interface." },
 { "summary": "Upgraded Kratos authentication system." },
 { "summary": "Added new Reset Defaults button to the SOC Profile Settings interface which allows users to reset all local browser SOC customizations back to their defaults. This includes things like default sort column, sort order, items per page, etc." },
- { "summary": "Known Issues " }
+ { "summary": "Known Issues " }
 ]
 }

From 8df9e020acef43c78940943d4b8b94804bb1aee7 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 27 Jan 2021 15:35:29 -0500
Subject: [PATCH 02/19] pillarize elastalert https://github.com/Security-Onion-Solutions/securityonion/issues/1191

---
salt/elastalert/defaults.yaml | 48 +++++++++++++++++++
salt/elastalert/elastalert_config.map.jinja | 4 ++
.../files/elastalert_config.yaml.jinja | 3 ++
salt/elastalert/init.sls | 6 ++-
4 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 salt/elastalert/defaults.yaml
create mode 100644 salt/elastalert/elastalert_config.map.jinja
create mode 100644 salt/elastalert/files/elastalert_config.yaml.jinja

diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
new file mode 100644
index 000000000..2bfd03243
--- /dev/null
+++ b/salt/elastalert/defaults.yaml
@@ -0,0 +1,48 @@ +elastalert: + config: + rules_folder: /opt/elastalert/rules/ + scan_subdirectories: true + disable_rules_on_error: false + run_every: + minutes: 3 + buffer_time: + minutes: 10 + old_query_limit: + minutes: 5 + es_host: {{salt['pillar.get']('manager:mainip', '')}} + es_port: {{salt['pillar.get']('manager:es_port', '')}} + es_conn_timeout: 55 + max_query_size: 5000 + #aws_region: us-east-1 + #profile: test + #es_url_prefix: elasticsearch + #use_ssl: True + #verify_certs: True + #es_send_get_body_as: GET + #es_username: someusername + #es_password: somepassword + writeback_index: elastalert_status + alert_time_limit: + days: 2 + index_settings: + shards: 1 + replicas: 0 + logging: + version: 1 + incremental: false + disable_existing_loggers: false + formatters: + logline: + format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' + handlers: + file: + class : logging.FileHandler + formatter: logline + level: INFO + filename: /var/log/elastalert/elastalert.log + loggers: + '': + level: INFO + handlers: + - file + propagate: false diff --git a/salt/elastalert/elastalert_config.map.jinja b/salt/elastalert/elastalert_config.map.jinja new file mode 100644 index 000000000..270872fee --- /dev/null +++ b/salt/elastalert/elastalert_config.map.jinja @@ -0,0 +1,4 @@ +{% import_yaml 'elastalert/defaults.yaml' as elastalert_defaults with context %} +{% set elastalert_pillar = salt['pillar.get']('elastalert:config', {}) %} + +{% do salt['defaults.merge'](elastalert_defaults.elastalert.config, elastalert_pillar, in_place=True) %} \ No newline at end of file diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja new file mode 100644 index 000000000..6bcfbef56 --- /dev/null +++ b/salt/elastalert/files/elastalert_config.yaml.jinja @@ -0,0 +1,3 @@ +%YAML 1.1 +--- +{{ elastalert_config | yaml(False) }} \ No newline at end of file 
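Review bot: The shipped defaults keep `use_ssl`, `verify_certs`, `es_username` and `es_password` commented out, so ElastAlert's writeback connection to `es_host` (`manager:mainip`) on `es_port` is unauthenticated plain HTTP unless an operator overrides those keys under the `elastalert:config` pillar that `elastalert_config.map.jinja` merges in. If that port is reachable beyond the manager's own container network (I can't tell how Elasticsearch is bound from this hunk), `use_ssl: true` and `verify_certs: true` are the safer defaults; if it is intentionally local-only, a comment saying so would stop the next person from "fixing" it. This file also drops every explanatory comment that `files/elastalert_config.yaml` carries, so a header such as `# Base ElastAlert settings; any key here may be overridden under pillar elastalert:config (merged in elastalert_config.map.jinja)` plus a pointer to the upstream option reference would keep it self-describing. Note too that both `pillar.get` calls fall back to `''`, which renders `es_host:`/`es_port:` as empty values instead of failing loudly when the manager pillar is missing.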
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index fcab3f57c..3fa261580 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -15,6 +15,8 @@
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls in allowed_states %}
+{% from 'elastalert/elastalert_config.map.jinja' import elastalert_defaults as elastalert_config with context %}
+
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
@@ -92,7 +94,9 @@ elastasomodulesync:
 elastaconf:
 file.managed:
 - name: /opt/so/conf/elastalert/elastalert_config.yaml
- - source: salt://elastalert/files/elastalert_config.yaml
+ - source: salt://elastalert/files/elastalert_config.yaml.jinja
+ - context:
+ elastalert_config: {{ elastalert_config.elastalert.config }
 - user: 933
 - group: 933
 - template: jinja

From b7aef32eebc5c446e0aa69b330b4ab07d41276b6 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Wed, 27 Jan 2021 15:50:23 -0500
Subject: [PATCH 03/19] fix missing }

---
salt/elastalert/init.sls | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index 3fa261580..c45a4225d 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -96,7 +96,7 @@ elastaconf:
 - name: /opt/so/conf/elastalert/elastalert_config.yaml
 - source: salt://elastalert/files/elastalert_config.yaml.jinja
 - context:
- elastalert_config: {{ elastalert_config.elastalert.config }
+ elastalert_config: {{ elastalert_config.elastalert.config }}
 - user: 933
 - group: 933
 - template: jinja

From 0936dbdb1c174a56f644ae2bbbe4b69126a676cf Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 28 Jan 2021 11:40:31 -0500
Subject: [PATCH 04/19] add timeouts and retries to ca/ssl states

---
salt/ca/init.sls | 3 ++
salt/ssl/init.sls | 72 +++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 75 insertions(+)
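Review bot: `elastalert_config: {{ elastalert_config.elastalert.config }` (the brace is completed in the next commit) injects the Python repr of the merged dict into the SLS YAML; that happens to parse as a flow mapping for the shipped defaults, but a pillar-supplied string containing quotes, a colon or `#` would break the state at render time, and a `None` value arrives as the string `None`. Salt's `json` filter gives a stable serialization that is always valid YAML: `elastalert_config: {{ elastalert_config.elastalert.config | json }}`. Because the merged config can now carry `es_username`/`es_password` from pillar, the rendered `/opt/so/conf/elastalert/elastalert_config.yaml` should also get an explicit `- mode: 640` beside `- user: 933`/`- group: 933` unless one is already set below the hunk. The `elastaconf` state continues past the hunk's last line.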
diff --git a/salt/ca/init.sls b/salt/ca/init.sls index 07cb75f31..ca5223d39 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -42,6 +42,9 @@ pki_private_key: - replace: False - require: - file: /etc/pki + - timeout: 60 + - retry: 5 + - interval: 30 x509_pem_entries: module.run: diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index d6c06d6fd..f12e5ebcb 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -67,6 +67,9 @@ removeesp12dir: - prereq: - x509: /etc/pki/influxdb.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the talking to influxdb /etc/pki/influxdb.crt: @@ -82,6 +85,9 @@ removeesp12dir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 influxkeyperms: file.managed: @@ -104,6 +110,9 @@ influxkeyperms: - prereq: - x509: /etc/pki/redis.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/redis.crt: x509.certificate_managed: @@ -118,6 +127,9 @@ influxkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 rediskeyperms: file.managed: @@ -140,6 +152,9 @@ rediskeyperms: - prereq: - x509: /etc/pki/filebeat.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Request a cert and drop it where it needs to go to be distributed /etc/pki/filebeat.crt: 
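Review bot: `- retry: 5` with sibling `- timeout: 60` and `- interval: 30` keys is not the shape Salt's state compiler reads: `retry` is expected to be a mapping (`attempts`, `interval`, `until`, `splay`), and in the Salt releases I know a scalar makes the compiler log a warning and fall back to its retry defaults, while `timeout` and `interval` are not state keywords at all and are forwarded as kwargs into `x509.private_key_managed`/`x509.certificate_managed` — please confirm against the pinned Salt version before relying on this to tolerate a slow CA server. The documented form is `- retry:` followed by `    attempts: 5` and `    interval: 30`, with any publish timeout for the `ca_server` call handled separately. The same three lines are repeated in every key and cert hunk of salt/ssl/init.sls, so one corrected template applies throughout. The `pki_private_key` state and each `/etc/pki/*.crt` state begin above their hunks.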
@@ -159,6 +174,9 @@ rediskeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt" - onchanges: @@ -213,6 +231,9 @@ fbcrtlink: - prereq: - x509: /etc/pki/registry.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the docker registry /etc/pki/registry.crt: @@ -228,6 +249,9 @@ fbcrtlink: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 regkeyperms: file.managed: @@ -248,6 +272,9 @@ regkeyperms: - prereq: - x509: /etc/pki/minio.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for minio /etc/pki/minio.crt: @@ -263,6 +290,9 @@ regkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 miniokeyperms: file.managed: @@ -284,6 +314,9 @@ miniokeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/elasticsearch.crt: x509.certificate_managed: 
@@ -298,6 +331,9 @@ miniokeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - onchanges: @@ -329,6 +365,9 @@ elasticp12perms: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the reverse proxy /etc/pki/managerssl.crt: @@ -345,6 +384,9 @@ elasticp12perms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 msslkeyperms: file.managed: @@ -366,6 +408,9 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/fleet.crt: x509.certificate_managed: @@ -379,6 +424,9 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 fleetkeyperms: file.managed: @@ -407,6 +455,9 @@ fbcertdir: - prereq: - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Request a cert and drop it where it needs to go to be distributed /opt/so/conf/filebeat/etc/pki/filebeat.crt: 
@@ -426,6 +477,9 @@ fbcertdir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 # Convert the key to pkcs#8 so logstash will work correctly. filebeatpkcs: @@ -465,6 +519,9 @@ chownfilebeatp8: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 # Create a cert for the reverse proxy /etc/pki/managerssl.crt: @@ -481,6 +538,9 @@ chownfilebeatp8: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 msslkeyperms: file.managed: @@ -502,6 +562,9 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/fleet.crt: x509.certificate_managed: @@ -515,6 +578,9 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 fleetkeyperms: file.managed: @@ -539,6 +605,9 @@ fleetkeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} + - timeout: 60 + - retry: 5 + - interval: 30 /etc/pki/elasticsearch.crt: x509.certificate_managed: 
@@ -553,6 +622,9 @@ fleetkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' + - timeout: 60 + - retry: 5 + - interval: 30 cmd.run: - name: "/usr/bin/openssl pkcs12 -inkey /etc/pki/elasticsearch.key -in /etc/pki/elasticsearch.crt -export -out /etc/pki/elasticsearch.p12 -nodes -passout pass:" - onchanges: From e6ecd609ccc009c56278470c484c85014560c1fe Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 Jan 2021 13:44:11 -0500 Subject: [PATCH 05/19] change timeouts to 30s --- salt/ca/init.sls | 2 +- salt/ssl/init.sls | 48 +++++++++++++++++++++++------------------------ 2 files changed, 25 insertions(+), 25 deletions(-) diff --git a/salt/ca/init.sls b/salt/ca/init.sls index ca5223d39..0d35c10c1 100644 --- a/salt/ca/init.sls +++ b/salt/ca/init.sls @@ -42,7 +42,7 @@ pki_private_key: - replace: False - require: - file: /etc/pki - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index f12e5ebcb..8d6c65bea 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -67,7 +67,7 @@ removeesp12dir: - prereq: - x509: /etc/pki/influxdb.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -85,7 +85,7 @@ removeesp12dir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/influxdb.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -110,7 +110,7 @@ influxkeyperms: - prereq: - x509: /etc/pki/redis.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -127,7 +127,7 @@ influxkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -152,7 +152,7 @@ rediskeyperms: - prereq: - x509: /etc/pki/filebeat.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -174,7 +174,7 @@ rediskeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: @@ -231,7 +231,7 @@ fbcrtlink: - prereq: - x509: /etc/pki/registry.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -249,7 +249,7 @@ fbcrtlink: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/registry.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -272,7 +272,7 @@ regkeyperms: - prereq: - x509: /etc/pki/minio.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -290,7 +290,7 @@ regkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/minio.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -314,7 +314,7 @@ miniokeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -331,7 +331,7 @@ miniokeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: @@ -365,7 +365,7 @@ elasticp12perms: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -384,7 +384,7 @@ elasticp12perms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -408,7 +408,7 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -424,7 +424,7 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -455,7 +455,7 @@ fbcertdir: - prereq: - x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 
@@ -477,7 +477,7 @@ fbcertdir: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /opt/so/conf/filebeat/etc/pki/filebeat.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -519,7 +519,7 @@ chownfilebeatp8: - prereq: - x509: /etc/pki/managerssl.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -538,7 +538,7 @@ chownfilebeatp8: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/managerssl.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -562,7 +562,7 @@ msslkeyperms: - prereq: - x509: /etc/pki/fleet.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -578,7 +578,7 @@ msslkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/fleet.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -605,7 +605,7 @@ fleetkeyperms: - prereq: - x509: /etc/pki/elasticsearch.crt {%- endif %} - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 @@ -622,7 +622,7 @@ fleetkeyperms: # https://github.com/saltstack/salt/issues/52167 # Will trigger 5 days (432000 sec) from cert expiration - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/elasticsearch.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]' - - timeout: 60 + - timeout: 30 - retry: 5 - interval: 30 cmd.run: 
From f50a89a0cf7fd422f815d77e7f14a32151d4fed8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 29 Jan 2021 15:28:59 -0500
Subject: [PATCH 06/19] watch elastalert config and restart docker if chagnes

---
salt/elastalert/defaults.yaml | 2 +-
salt/elastalert/files/elastalert_config.yaml | 110 ------------------
.../files/elastalert_config.yaml.jinja | 2 -
salt/elastalert/init.sls | 2 +
4 files changed, 3 insertions(+), 113 deletions(-)
delete mode 100644 salt/elastalert/files/elastalert_config.yaml

diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index 2bfd03243..1b177f58e 100644
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -45,4 +45,4 @@ elastalert:
 level: INFO
 handlers:
 - file
- propagate: false
+ propagate: false
\ No newline at end of file
diff --git a/salt/elastalert/files/elastalert_config.yaml b/salt/elastalert/files/elastalert_config.yaml
deleted file mode 100644
index 28d26bac0..000000000
--- a/salt/elastalert/files/elastalert_config.yaml
+++ /dev/null
@@ -1,110 +0,0 @@ -{% set esip = salt['pillar.get']('manager:mainip', '') %} -{% set esport = salt['pillar.get']('manager:es_port', '') %} -# This is the folder that contains the rule yaml files -# Any .yaml file will be loaded as a rule -rules_folder: /opt/elastalert/rules/ - -# Sets whether or not ElastAlert should recursively descend -# the rules directory - true or false -scan_subdirectories: true - -# Do not disable a rule when an uncaught exception is thrown - -# This setting should be tweaked once the following issue has been fixed -# https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98 -disable_rules_on_error: false - -# How often ElastAlert will query Elasticsearch -# The unit can be anything from weeks to seconds -run_every: - minutes: 3 - -# ElastAlert will buffer results from the most recent -# period of time, in case some log sources are not in real time -buffer_time: - minutes: 10 - -# The maximum time between queries for ElastAlert to start at the most recently -# run query. When ElastAlert starts, for each rule, it will search elastalert_metadata -# for the most recently run query and start from that time, unless it is older than -# old_query_limit, in which case it will start from the present time. The default is one week. -old_query_limit: - minutes: 5 - -# The Elasticsearch hostname for metadata writeback -# Note that every rule can have its own Elasticsearch host -es_host: {{ esip }} - -# The Elasticsearch port -es_port: {{ esport }} - -# Sets timeout for connecting to and reading from es_host -es_conn_timeout: 55 - -# The maximum number of documents that will be downloaded from Elasticsearch in -# a single query. The default is 10,000, and if you expect to get near this number, -# consider using use_count_query for the rule. If this limit is reached, ElastAlert -# will scroll through pages the size of max_query_size until processing all results. -max_query_size: 5000 - -# The AWS region to use. 
Set this when using AWS-managed elasticsearch -#aws_region: us-east-1 - -# The AWS profile to use. Use this if you are using an aws-cli profile. -# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html -# for details -#profile: test - -# Optional URL prefix for Elasticsearch -#es_url_prefix: elasticsearch - -# Connect with TLS to Elasticsearch -#use_ssl: True - -# Verify TLS certificates -#verify_certs: True - -# GET request with body is the default option for Elasticsearch. -# If it fails for some reason, you can pass 'GET', 'POST' or 'source'. -# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport -# for details -#es_send_get_body_as: GET - -# Option basic-auth username and password for Elasticsearch -#es_username: someusername -#es_password: somepassword - -# The index on es_host which is used for metadata storage -# This can be a unmapped index, but it is recommended that you run -# elastalert-create-index to set a mapping -writeback_index: elastalert_status - -# If an alert fails for some reason, ElastAlert will retry -# sending the alert until this time period has elapsed -alert_time_limit: - days: 2 - -index_settings: - shards: 1 - replicas: 0 - -logging: - version: 1 - incremental: false - disable_existing_loggers: false - formatters: - logline: - format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s' - - handlers: - file: - class : logging.FileHandler - formatter: logline - level: INFO - filename: /var/log/elastalert/elastalert.log - - loggers: - '': - level: INFO - handlers: - - file - propagate: false diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja index 6bcfbef56..9394d0fa2 100644 --- a/salt/elastalert/files/elastalert_config.yaml.jinja +++ b/salt/elastalert/files/elastalert_config.yaml.jinja @@ -1,3 +1 @@ -%YAML 1.1 ---- {{ elastalert_config | yaml(False) }} \ No newline at end of file 
diff --git a/salt/elastalert/init.sls b/salt/elastalert/init.sls
index c45a4225d..9008832f1 100644
--- a/salt/elastalert/init.sls
+++ b/salt/elastalert/init.sls
@@ -123,6 +123,8 @@ so-elastalert:
 - {{MANAGER_URL}}:{{MANAGER_IP}}
 - require:
 - module: wait_for_elasticsearch
+ - watch:
+ - file: elastaconf

 append_so-elastalert_so-status.conf:
 file.append:

From 618b94b9b637c92c6f41382f04de95fab67fb39a Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 29 Jan 2021 15:31:05 -0500
Subject: [PATCH 07/19] add newline

---
salt/elastalert/files/elastalert_config.yaml.jinja | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/elastalert/files/elastalert_config.yaml.jinja b/salt/elastalert/files/elastalert_config.yaml.jinja
index 9394d0fa2..4e368ab30 100644
--- a/salt/elastalert/files/elastalert_config.yaml.jinja
+++ b/salt/elastalert/files/elastalert_config.yaml.jinja
@@ -1 +1 @@
-{{ elastalert_config | yaml(False) }}
\ No newline at end of file
+{{ elastalert_config | yaml(False) }}

From 7a3c7322fc653fab331ba316ef845c86b95ad3b4 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 29 Jan 2021 15:36:50 -0500
Subject: [PATCH 08/19] [fix] Only check for ZEEKVERSION on manager installs

---
setup/so-setup | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index ed0afe354..dc2a4a96b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -459,7 +459,12 @@ if [[ $is_sensor && ! $is_eval ]]; then
 collect_homenet_snsr
 whiptail_sensor_config
 if [ $NSMSETUP == 'ADVANCED' ]; then
- [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins
+ if [[ $is_manager ]]; then
+ [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins
+ else
+ whiptail_zeek_pins
+ fi
+
 whiptail_suricata_pins
 collect_mtu
 else
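Review bot: The manager/non-manager split duplicates the `ZEEKVERSION` test here and again around `collect_zeek` in the next hunk, and the `else` branch reads as an unconditional assumption that a non-manager sensor always runs Zeek; if that is because `ZEEKVERSION` is only collected on manager installs (as the commit title suggests), a one-line comment such as `# ZEEKVERSION is only prompted for on manager installs; other nodes always run Zeek` would save the next reader a trip through the setup flow. The four-line conditional collapses to `if [[ ! $is_manager || $ZEEKVERSION == "ZEEK" ]]; then whiptail_zeek_pins; fi`, or better a shared helper `zeek_enabled() { [[ ! $is_manager || $ZEEKVERSION == "ZEEK" ]]; }` used by both hunks. The enclosing `if [[ $is_sensor && ! $is_eval ]]` block begins above the hunk.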
@@ -469,7 +474,13 @@ if [[ $is_sensor && ! $is_eval ]]; then
 else
 PROCS=$lb_procs
 fi
- [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek
+
+ if [[ $is_manager ]]; then
+ [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek
+ else
+ collect_zeek
+ fi
+
 collect_suri
 fi
 fi

From 0ea504c16a6da0ff03b21e7d47faf4310c3600f8 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 29 Jan 2021 17:32:48 -0500
Subject: [PATCH 09/19] remove space

---
salt/elastalert/defaults.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index 1b177f58e..0602e3fe7 100644
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -5,6 +5,7 @@ elastalert:
 disable_rules_on_error: false
 run_every:
 minutes: 3
+ seconds: 0
 buffer_time:
 minutes: 10
 old_query_limit:
@@ -36,7 +37,7 @@ elastalert:
 format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
 handlers:
 file:
- class : logging.FileHandler
+ class: logging.FileHandler
 formatter: logline
 level: INFO
 filename: /var/log/elastalert/elastalert.log

From 36ce38920227e426b0b6a161e847fa3a4c4750c9 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 1 Feb 2021 10:55:14 -0500
Subject: [PATCH 10/19] Remove wait_for_apt, use common retry function to run apt commands

---
salt/common/tools/sbin/so-common | 45 ------------
setup/so-functions | 121 +++++++++++-------------------
setup/so-setup | 2 +-
3 files changed, 45 insertions(+), 123 deletions(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index b1db4c04c..9d42cb797 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -248,51 +248,6 @@ retry() { return 1 } -wait_for_apt() { - local progress_callback=$1 - - local retry_count=30 - local retry_timeout='10s' - local lock_msg="Could not acquire dpkg lock, waiting $retry_timeout for lock to release." - if [[ -z $progress_callback ]]; then - if [[ -z $progress_bar_text ]]; then - local old_text="Installing..." - else - local old_text="$progress_bar_text" - fi - fi - local count=0 - while [[ "$count" -lt "$retry_count" ]]; do - ((count++)) - [[ -z $progress_callback ]] && echo "Attempting to acquire dpkg lock to run apt command... (Attempt $count/$retry_count)" - if __check_apt_lock; then - if [[ -z $progress_callback ]]; then - echo " $lock_msg" | tee -a "$setup_log" - else - $progress_callback "Could not acquire dpkg lock, waiting $retry_timeout ($count/$retry_count)" - fi - else - [[ -z $progress_callback ]] || $progress_callback "$old_text" - return 0 - fi - sleep "$retry_timeout" - done - - if __check_apt_lock; then - [[ -z $progress_callback ]] && echo "Could not acquire lock after $retry_count attempts, aborting." - return 1 - else - return 0 - fi -} - -__check_apt_lock() { - lsof /var/lib/dpkg/lock &> /dev/null - local lock=$? - - return $lock -} - valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 diff --git a/setup/so-functions b/setup/so-functions index 379cb6e30..2d035ae2c 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -965,13 +965,13 @@ installer_prereq_packages() {
 echo "Installing required packages to run installer..."
 # Install network manager so we can do interface stuff
 if ! command -v nmcli > /dev/null 2>&1; then
- if wait_for_apt; then apt-get install -y network-manager >> "$setup_log" 2<&1; else exit 1; fi
+ retry 50 10 "apt-get install -y network-manager" >> "$setup_log" 2>&1 || exit 1
 {
 systemctl enable NetworkManager
 systemctl start NetworkManager
 } >> "$setup_log" 2<&1
 fi
- if wait_for_apt; then apt-get install -y bc curl >> "$setup_log" 2>&1; else exit 1; fi
+ retry 50 10 "apt-get install -y bc curl" >> "$setup_log" 2>&1 || exit 1
 fi
 }
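Review bot: The brace group that enables NetworkManager still ends in `} >> "$setup_log" 2<&1` while the new retry lines on either side of it use `2>&1`; the commit fixed the same `2<&1` on the line it rewrote but left this one. In practice the shell implements both as a dup of fd 1 onto fd 2, so logging still works, but the input-redirection form reads as a typo and should be `} >> "$setup_log" 2>&1` for consistency with the rest of the function. The opening of installer_prereq_packages is outside the hunk.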
@@ -1041,28 +1041,19 @@ docker_install() {
 else
 case "$install_type" in
 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORT')
- if wait_for_apt 'whiptail_prog_new_message'; then apt-get update >> "$setup_log" 2>&1; else kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1; fi
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 ;;
 *)
- if wait_for_apt 'whiptail_prog_new_message'; then
- {
- apt-key add "$temp_install_dir"/gpg/docker.pub;
- add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable";
- apt-get update;
- } >> "$setup_log" 2>&1
- else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- fi
+ retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 \
+ || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 ;;
 esac
- if wait_for_apt 'whiptail_prog_new_message'; then
- if [ $OSVER != "xenial" ]; then
- apt-get -y install docker-ce python3-docker >> "$setup_log" 2>&1
- else
- apt-get -y install docker-ce python-docker >> "$setup_log" 2>&1
- fi
+ if [ $OSVER != "xenial" ]; then
+ retry 50 10 "apt-get -y install docker-ce python3-docker" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install docker-ce python-docker" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
 fi
 docker_registry
@@ -1873,11 +1864,7 @@ remove_package() {
 fi
 else
 if dpkg -l | grep -q "$package_name"; then
- if wait_for_apt 'whiptail_prog_new_message'; then
- apt purge -y "$package_name"
- else
- exit 1
- fi
+ retry 50 10 "apt purge -y \"$package_name\""
 fi
 fi
 }
@@ -1964,9 +1951,7 @@ saltify() {
 } >> "$setup_log" 2>&1
 yum versionlock salt*
 else
- if wait_for_apt 'whiptail_prog_new_message'; then
- DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade >> "$setup_log" 2>&1
- else
+ if ! (DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1); then
 kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
@@ -1974,18 +1959,18 @@ saltify() {
 # Switch to Python 3 as default if this is not xenial
 update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10 >> "$setup_log" 2>&1
 fi
- if wait_for_apt 'whiptail_prog_new_message'; then
- # Add the pre-requisites for installing docker-ce
- apt-get -y install ca-certificates\
- curl\
- software-properties-common\
- apt-transport-https\
- openssl\
- netcat\
- jq >> "$setup_log" 2>&1
- else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- fi
+
+ local pkg_arr=(
+ 'ca-certificates'
+ 'curl'
+ 'software-properties-common'
+ 'apt-transport-https'
+ 'openssl'
+ 'netcat'
+ 'jq'
+ )
+ retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+
 # Grab the version from the os-release file
 local ubuntu_version
 ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
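Review bot: In remove_package the new `retry 50 10 "apt purge -y \"$package_name\""` discards the helper's exit status and sends nothing to `$setup_log`, whereas the code it replaces exited setup when the lock could not be obtained and every other retry call introduced by this commit checks the result. If the dpkg lock never frees, retry gives up after its 50 attempts and setup carries on as if the package were gone; and because retry itself echoes its "Executing command" / "Results" lines, those now land on the installer's stdout instead of the log. Making the line match its siblings, `retry 50 10 "apt purge -y \"$package_name\"" >> "$setup_log" 2>&1 || exit 1`, restores both. remove_package's opening and the saltify hunks' surrounding code are outside the hunk.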
@@ -1993,10 +1978,10 @@ saltify() {
 case "$install_type" in
 'FLEET')
- if wait_for_apt 'whiptail_prog_new_message'; then
- if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi
+ if [[ $OSVER != 'xenial' ]]; then
+ retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
 ;;
 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')
@@ -2007,7 +1992,7 @@ saltify() {
 # Add Docker repo
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
- add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1
+ retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 # Get gpg keys
 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
@@ -2020,17 +2005,12 @@ saltify() {
 # Add repo
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
- if wait_for_apt 'whiptail_prog_new_message'; then
- # Initialize the new repos
- apt-get update >> "$setup_log" 2>&1
- set_progress_str 6 'Installing various dependencies'
- apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1
- set_progress_str 7 'Installing salt-master'
- apt-get -y install salt-master=3002.2+ds-1 >> "$setup_log" 2>&1
- apt-mark hold salt-master >> "$setup_log" 2>&1
- else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- fi
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ set_progress_str 6 'Installing various dependencies'
+ retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ set_progress_str 7 'Installing salt-master'
+ retry 50 10 "apt-get -y install salt-master=3002.2+ds-1" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 ;;
 *)
 # Copy down the gpg keys and install them from the manager
@@ -2044,19 +2024,15 @@ saltify() {
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
 ;;
 esac
- if wait_for_apt 'whiptail_prog_new_message'; then
- apt-get update >> "$setup_log" 2>&1
- set_progress_str 8 'Installing salt-minion & python modules'
- apt-get -y install salt-minion=3002.2+ds-1\
- salt-common=3002.2+ds-1 >> "$setup_log" 2>&1
- apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1
- if [ "$OSVER" != 'xenial' ]; then
- apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1
- else
- apt-get -y install python-pip python-dateutil python-m2crypto python-mysqldb >> "$setup_log" 2>&1
- fi
+
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ set_progress_str 8 'Installing salt-minion & python modules'
+ retry 50 10 "apt-get -y install salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ if [[ $OSVER != 'xenial' ]]; then
+ retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python-pip python-dateutil python-m2crypto python-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
 fi
 }
@@ -2522,12 +2498,8 @@ update_packages() {
 if [ "$OS" = 'centos' ]; then
 yum -y update >> "$setup_log"
 else
- if wait_for_apt 'whiptail_prog_new_message'; then
- apt-get -y update >> "$setup_log"
- apt-get -y upgrade >> "$setup_log"
- else
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- fi
+ retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
 fi
 }
@@ -2572,11 +2544,6 @@ wait_for_file() {
 return 1
 }
-whiptail_prog_new_message() {
- local message=$1
- set_progress_str "$percentage" "$message"
-}
-
 # Enable Zeek Logs
 zeek_logs_enabled() {
 echo "Enabling Zeek Logs" >> "$setup_log" 2>&1
diff --git a/setup/so-setup b/setup/so-setup
index df9d8d851..67f9af65b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -130,7 +130,7 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th
 if [[ ! $is_iso ]]; then
 echo "Installing sshpass for automated testing." >> $setup_log 2>&1
 if [ "$OS" == ubuntu ]; then
- if wait_for_apt; then apt-get -y install sshpass >> $setup_log 2>&1; else exit 1; fi
+ retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1
 else
 yum -y install sshpass >> $setup_log 2>&1
 fi
From 02f0ef989bf751b3203a6f914c52d25c17941115 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 1 Feb 2021 11:11:01 -0500
Subject: [PATCH 11/19] [fix] || ; exit 1 will always exit, fix this
---
 setup/so-functions | 56 +++++++++++++++++++++++-----------------------
 1 file changed, 28 insertions(+), 28 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 2d035ae2c..5a7caf849 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -760,7 +760,7 @@ compare_versions() {
 if [[ $manager_ver == '' ]]; then
 echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log"
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 [[ "$manager_ver" == "$SOVERSION" ]]
@@ -1041,19 +1041,19 @@ docker_install() {
 else
 case "$install_type" in
 'MANAGER' | 'EVAL' | 'STANDALONE' | 'MANAGERSEARCH' | 'IMPORT')
- retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 ;;
 *)
- retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1
 retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 \
- || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ || exit 1
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 ;;
 esac
 if [ $OSVER != "xenial" ]; then
- retry 50 10 "apt-get -y install docker-ce python3-docker" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install docker-ce python3-docker" >> "$setup_log" 2>&1 || exit 1
 else
- retry 50 10 "apt-get -y install docker-ce python-docker" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install docker-ce python-docker" >> "$setup_log" 2>&1 || exit 1
 fi
 fi
 docker_registry
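Review bot: Replacing `kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1` with a bare `exit 1` fixes the `||` precedence problem on the retry lines, but the same substitution is applied here in compare_versions, and in the download_repo_tarball, reinstall_init and salt_checkin hunks that follow, where the two commands were already on their own line and never had that bug. If the parent process relies on SIGUSR1 to tear down the progress dialog or to learn that setup aborted (the original code sent it from every failure path, so presumably it does), those paths now exit without notifying it. The precedence fix alone only needs grouping, e.g. `retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || { kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1; }`, which keeps the signal. Each enclosing function begins outside its hunk.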
@@ -1136,7 +1136,7 @@ download_repo_tarball() {
 rm -rf $install_opt_file
 local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager."
 echo "$message" | tee -a "$setup_log"
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 mkdir -p /root/manager_setup/securityonion
@@ -1812,7 +1812,7 @@ reinstall_init() {
 # Stop the systemctl process trying to kill the service, show user a message, then exit setup
 kill -9 $pid
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 sleep 5
@@ -1952,7 +1952,7 @@ saltify() {
 yum versionlock salt*
 else
 if ! (DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1); then
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 if [ $OSVER != "xenial" ]; then
@@ -1969,7 +1969,7 @@ saltify() {
 'netcat'
 'jq'
 )
- retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install ${pkg_arr[*]}" >> "$setup_log" 2>&1 || exit 1
 # Grab the version from the os-release file
 local ubuntu_version
@@ -1979,9 +1979,9 @@ saltify() {
 case "$install_type" in
 'FLEET')
 if [[ $OSVER != 'xenial' ]]; then
- retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python3-mysqldb" >> "$setup_log" 2>&1 || exit 1
 else
- retry 50 10 "apt-get -y install python-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python-mysqldb" >> "$setup_log" 2>&1 || exit 1
 fi
 ;;
 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')
@@ -1992,7 +1992,7 @@ saltify() {
 # Add Docker repo
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
- retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 || exit 1
 # Get gpg keys
 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
@@ -2005,12 +2005,12 @@ saltify() {
 # Add repo
 echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
- retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 6 'Installing various dependencies'
- retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 7 'Installing salt-master'
- retry 50 10 "apt-get -y install salt-master=3002.2+ds-1" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install salt-master=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+ retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
 ;;
 *)
 # Copy down the gpg keys and install them from the manager
@@ -2025,14 +2025,14 @@ saltify() {
 ;;
 esac
- retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 set_progress_str 8 'Installing salt-minion & python modules'
- retry 50 10 "apt-get -y install salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+ retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
 if [[ $OSVER != 'xenial' ]]; then
- retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb" >> "$setup_log" 2>&1 || exit 1
 else
- retry 50 10 "apt-get -y install python-pip python-dateutil python-m2crypto python-mysqldb" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y install python-pip python-dateutil python-m2crypto python-mysqldb" >> "$setup_log" 2>&1 || exit 1
 fi
 fi
 }
@@ -2073,7 +2073,7 @@ salt_checkin() {
 if [ $count -gt 12 ]; then
 echo "$service could not be restarted in 120 seconds, exiting" >> "$setup_log" 2>&1
 kill -9 "$pid"
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 sleep 10; ((count++))
@@ -2085,7 +2085,7 @@ salt_checkin() {
 echo "salt minion cannot talk to salt master" >> "$setup_log" 2>&1
 if [ $count -gt 30 ]; then
 echo "salt minion could not talk to salt master after 30 attempts, exiting" >> "$setup_log" 2>&1
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 sleep 1; ((count++))
@@ -2096,7 +2096,7 @@ salt_checkin() {
 echo "salt master did not get a job response from salt minion" >> "$setup_log" 2>&1
 if [ $count -gt 30 ]; then
 echo "salt master did not get a job response from salt minion after 30 attempts, exiting" >> "$setup_log" 2>&1
- kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ exit 1
 fi
 systemctl kill salt-minion
 systemctl start salt-minion
@@ -2498,8 +2498,8 @@ update_packages() {
 if [ "$OS" = 'centos' ]; then
 yum -y update >> "$setup_log"
 else
- retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
- retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1
+ retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
+ retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
 fi
 }
From 44617fdddf58ba7e565bf6000d2c1ad28003eb27 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 1 Feb 2021 11:28:28 -0500
Subject: [PATCH 12/19] [fix] Run command being retried within quotes
---
 salt/common/tools/sbin/so-common | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 9d42cb797..aa5e05230 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -229,7 +229,7 @@ retry() {
 while [[ $attempt -lt $maxAttempts ]]; do
 attempt=$((attempt+1))
 echo "Executing command with retry support: $cmd"
- output=$($cmd)
+ output=$("$cmd")
 exitcode=$?
 echo "Results: $output ($exitcode)"
 if [ -n "$expectedOutput" ]; then
From daebe90b6e7434759969fc9a306792685b08165a Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 1 Feb 2021 12:06:19 -0500
Subject: [PATCH 13/19] [fix] fix retry command handling
* use eval "$cmd" to handle strings correctly
* add-apt-repo doesn't need dpkg lock so don't use retry for those lines
---
 salt/common/tools/sbin/so-common | 2 +-
 setup/so-functions | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index aa5e05230..3cf1f5e88 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -229,7 +229,7 @@ retry() {
 while [[ $attempt -lt $maxAttempts ]]; do
 attempt=$((attempt+1))
 echo "Executing command with retry support: $cmd"
- output=$("$cmd")
+ output=$(eval "$cmd")
 exitcode=$?
 echo "Results: $output ($exitcode)"
 if [ -n "$expectedOutput" ]; then
diff --git a/setup/so-functions b/setup/so-functions
index 5a7caf849..e7112163e 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1045,8 +1045,7 @@ docker_install() {
 ;;
 *)
 retry 50 10 "apt-key add $temp_install_dir/gpg/docker.pub" >> "$setup_log" 2>&1 || exit 1
- retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 \
- || exit 1
+ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1
 retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 ;;
 esac
@@ -1992,7 +1991,7 @@ saltify() {
 # Add Docker repo
 curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
- retry 50 10 "add-apt-repository \"deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable\"" >> "$setup_log" 2>&1 || exit 1
+ add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1
 # Get gpg keys
 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
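Review bot: `output=$(eval "$cmd")` re-parses a string that has already been expanded by the caller, so anything interpolated into `$cmd` (for example `$temp_install_dir` in docker_install or `$package_name` in remove_package) goes through a second round of word splitting, globbing and command substitution. That is harmless for the fixed strings passed today, but the helper gives no hint of it; a comment above the line such as `# $cmd is re-parsed by the shell: pass only trusted, caller-built strings` would make the contract explicit. It is also worth noting that the command substitution runs eval in a subshell, so only stdout is captured into `$output` while stderr follows the caller's redirection, and variables the command sets do not survive the call. retry begins and ends outside the hunk.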
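Review bot: The new `add-apt-repository "deb ..." >> "$setup_log" 2>&1` in docker_install runs with no status check, whereas the line it replaces ended in `|| exit 1` and the retry calls around it still do. If adding the Docker repository fails, the following `retry 50 10 "apt-get update"` succeeds without it and the docker-ce install later in the function is what fails, far from the cause. Dropping retry is reasonable per the commit message, but the exit should stay: `add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$setup_log" 2>&1 || exit 1`. The same applies to the saltify hunk below it; both enclosing functions begin and end outside their hunks.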
From 8f476bbbddbd913a32f57da47ce6a3110742ac32 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Mon, 1 Feb 2021 13:11:51 -0500
Subject: [PATCH 14/19] [fix] Add back removed if statement
---
 setup/so-setup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 67f9af65b..8cb985e70 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -397,7 +397,9 @@ if [[ ! $is_import ]]; then
 collect_patch_schedule
 fi
-collect_homenet_mngr
+if [[ $is_helix || $is_manager || $is_import ]]; then
+ collect_homenet_mngr
+fi
 if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
 set_base_heapsizes
From 8cf0a3da98d47275ca12f1664ceebd179d518de3 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Mon, 1 Feb 2021 15:19:47 -0500
Subject: [PATCH 15/19] remove seconds
---
 salt/elastalert/defaults.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/salt/elastalert/defaults.yaml b/salt/elastalert/defaults.yaml
index 0602e3fe7..a22d65b7b 100644
--- a/salt/elastalert/defaults.yaml
+++ b/salt/elastalert/defaults.yaml
@@ -5,7 +5,6 @@ elastalert:
 disable_rules_on_error: false
 run_every:
 minutes: 3
- seconds: 0
 buffer_time:
 minutes: 10
 old_query_limit:
From 2253603544c53580a416d334e05128d64245024a Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 2 Feb 2021 12:11:47 -0500
Subject: [PATCH 16/19] [fix] Don't try to inherit home net on standalone
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 8cb985e70..041084f11 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -458,7 +458,7 @@ if [[ $is_distmanager ]]; then
 fi
 if [[ $is_sensor && ! $is_eval ]]; then
- collect_homenet_snsr
+ [[ $is_manager ]] || collect_homenet_snsr
 whiptail_sensor_config
 if [ $NSMSETUP == 'ADVANCED' ]; then
 if [[ $is_manager ]]; then
From 46581c052881e88a9da2bddd3eef88d46aa6e67f Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 2 Feb 2021 12:45:56 -0500
Subject: [PATCH 17/19] [fix] Don't use ZEEKVERSION var, check pillar value
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 041084f11..beb9b40a3 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -743,7 +743,7 @@ set_redirect >> $setup_log 2>&1
 set_progress_str 66 "$(print_salt_state_apply 'suricata')"
 salt-call state.apply -l info suricata >> $setup_log 2>&1
- if [[ $ZEEKVERSION == 'ZEEK' ]]; then
+ if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then
 set_progress_str 67 "$(print_salt_state_apply 'zeek')"
 salt-call state.apply -l info zeek >> $setup_log 2>&1
 fi
From 55a8f6aa7aea1d2b2925b185b10c4f121e1239d7 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Tue, 2 Feb 2021 16:41:52 -0500
Subject: [PATCH 18/19] Make filebeat retry forever
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 1b902d542..931d38b28 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
@@ -440,7 +440,7 @@ setup.template.enabled: false
 # The number of times a particular Elasticsearch index operation is attempted. If
 # the indexing operation doesn't succeed after this many retries, the events are
 # dropped. The default is 3.
- #max_retries: 3
+ max_retries: -1
 # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
 # The default is 50.
From 58e4205602f4ba23985fbc1e8cd7f6af666fddd9 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 3 Feb 2021 21:46:29 -0500
Subject: [PATCH 19/19] Revert "Make filebeat retry forever"
---
 salt/filebeat/etc/filebeat.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/filebeat/etc/filebeat.yml b/salt/filebeat/etc/filebeat.yml
index 931d38b28..1b902d542 100644
--- a/salt/filebeat/etc/filebeat.yml
+++ b/salt/filebeat/etc/filebeat.yml
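Review bot: `if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then` silently skips the zeek state whenever the lookup yields an empty string, so a pillar that is missing or not yet rendered at this point looks exactly like a deliberate non-Zeek install and leaves no trace in the log. Capturing the value first, `mdengine=$(lookup_pillar "mdengine")` followed by `echo "mdengine=$mdengine" >> $setup_log 2>&1`, and testing `$mdengine` makes that decision traceable when a sensor comes up without Zeek. Separately, the hunk at the top of this series still gates `collect_zeek` on `[[ $ZEEKVERSION == "ZEEK" ]]`, so if the variable is being retired as the subject suggests, the two checks may disagree. The surrounding code of this script section is outside the hunk.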
@@ -440,7 +440,7 @@ setup.template.enabled: false
 # The number of times a particular Elasticsearch index operation is attempted. If
 # the indexing operation doesn't succeed after this many retries, the events are
 # dropped. The default is 3.
- max_retries: -1
+ #max_retries: 3
 # The maximum number of events to bulk in a single Elasticsearch bulk API index request.
 # The default is 50.