Better state management

When salt-cp runs it's course and finds it can't send a file, it outputs a report saying as much but the exit code will be zero. Now we remove the filename and node from the response and look for `True` to know if it succeeded. Also, respect the cleanup flag on success or failure. Check the status of the decryption process before importing. No longer decrypt locally, issue salt command for the remote client to do the decrypting.
2025-12-06 09:12:45 +01:00 · 2023-06-14 12:10:34 -06:00
parent 41951659ec
commit ad28ea275f
1 changed files with 33 additions and 21 deletions
--- a/salt/soc/files/bin/salt-relay.sh
+++ b/salt/soc/files/bin/salt-relay.sh
@@ -188,9 +188,14 @@ function send_file() {
  gpg --passphrase "infected" --batch --symmetric --cipher-algo AES256 "$from"

  fromgpg="$from.gpg"
+  filename=$(basename "$fromgpg")

  log "sending..."
  response=$($CMD_PREFIX salt-cp -C "$node" "$fromgpg" "$to")
+  # salt-cp returns 0 even if the file transfer fails, so we need to check the response.
+  # Remove the node and filename from the response on the off-chance they contain
+  # the word "True" in them
+  echo $response | sed "s/$node//" | sed "s/$filename//" | grep True
  exit_code=$?

  rm -f "$fromgpg"
@@ -198,11 +203,12 @@ function send_file() {
  log Response:$'\n'"$response"
  log "Exit Code: $exit_code"

+  if [[ $cleanup -eq 1 ]]; then
+    log "Cleaning up file $from"
+    rm -f "$from"
+  fi
+
  if [[ exit_code -eq 0 ]]; then
-    if [[ $cleanup -eq 1 ]]; then
-      log "Cleaning up file $from"
-      rm -f "$from"
-    fi
    $(echo "true" > "${SOC_PIPE}")
  else
    $(echo "false" > "${SOC_PIPE}")
@@ -222,25 +228,31 @@ function import_file() {
  filegpg="$file.gpg"

  log "decrypting..."
-  gpg --passphrase "infected" --batch --decrypt "$filegpg" > "$file"
+  $CMD_PREFIX "salt '$node' cmd.run 'gpg --passphrase \"infected\" --batch --decrypt \"$filegpg\" > \"$file\"'"
+  decrypt_code=$?

-  log "importing..."
-  case $importer in
-    pcap)
-      response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
-      exit_code=$?
-      ;;
-    evtx)
-      response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
-      exit_code=$?
-      ;;
-    *)
-      response="Unsupported importer: $importer"
-      exit_code=1
-      ;;
-  esac
+  if [[ $decrypt_code -eq 0 ]]; then
+    log "importing..."
+    case $importer in
+      pcap)
+        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-pcap $file --json'")
+        exit_code=$?
+        ;;
+      evtx)
+        response=$($CMD_PREFIX "salt '$node' cmd.run 'so-import-evtx $file --json'")
+        exit_code=$?
+        ;;
+      *)
+        response="Unsupported importer: $importer"
+        exit_code=1
+        ;;
+    esac
+  else
+    response="Failed to decrypt file: $file"
+    exit_code=$decrypt_code
+  fi

-  rm "$file" "$filegpg"
+  rm -f "$file" "$filegpg"

  log Response:$'\n'"$response"
  log "Exit Code: $exit_code"