From 8864428a00da668e27e140d5b736a4a99b37be72 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 24 Nov 2020 15:45:40 -0500 Subject: [PATCH 01/10] Ensure setup output is redirected to logfile --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 0dfbef58a..a8e08b7da 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -692,7 +692,7 @@ fi if [[ "$OSQUERY" = 1 ]]; then set_progress_str 75 "$(print_salt_state_apply 'fleet')" - salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar + salt-call state.apply fleet.event_enable-fleet >> $setup_log 2>&1 # enable fleet in the global pillar salt-call state.apply -l info fleet >> $setup_log 2>&1 set_progress_str 76 "$(print_salt_state_apply 'redis')" From e1147398cc9c59977217551857c9fb3534b04071 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 24 Nov 2020 15:48:46 -0500 Subject: [PATCH 02/10] Ensure /nsm/wazuh is owned by ossec --- salt/wazuh/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index d78d7908a..25f1c0eb8 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls @@ -70,6 +70,13 @@ wazuhagentconf: - template: jinja wazuhdir: + file.directory: + - name: /nsm/wazuh + - user: 945 + - group: 945 + - makedirs: True + +wazuhetcdir: file.directory: - name: /nsm/wazuh/etc - user: 945 From d20560385feb092f8d7e1f24a1033dc0db407516 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 24 Nov 2020 16:50:46 -0500 Subject: [PATCH 03/10] Remove /nsm/wazuh/etc subdir state since confirmed the Wazuh docker container itself --- salt/wazuh/init.sls | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 25f1c0eb8..99f16cb8a 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
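Review bot: In salt/wazuh/init.sls (PATCH 02), the new `wazuhdir` state sets user and group only on /nsm/wazuh itself, so anything already under that directory keeps its existing ownership. If the whole tree should belong to ossec, add `- recurse:` with `- user` and `- group` beneath it. No `- mode:` is given either, so the directory's permissions are left to what already exists or to the umask. Stating it explicitly (for example `- mode: 750`, if the container needs nothing wider) would make access to the Wazuh data deliberate. A one-line comment that 945 is the ossec uid/gid would also help, since the number appears bare.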
@@ -76,13 +76,6 @@ wazuhdir: - group: 945 - makedirs: True -wazuhetcdir: - file.directory: - - name: /nsm/wazuh/etc - - user: 945 - - group: 945 - - makedirs: True - # Wazuh agent registration script wazuhagentregister: file.managed: From 7fb264b4fecacbc1328157f439ecde8833814e2a Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 24 Nov 2020 17:17:50 -0500 Subject: [PATCH 04/10] Use double quotes around agent key to ensure interpolation --- salt/wazuh/files/agent/wazuh-register-agent | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/wazuh/files/agent/wazuh-register-agent b/salt/wazuh/files/agent/wazuh-register-agent index 895fbd5d1..ca130ae90 100755 --- a/salt/wazuh/files/agent/wazuh-register-agent +++ b/salt/wazuh/files/agent/wazuh-register-agent @@ -73,7 +73,7 @@ register_agent() { # Importing key echo "" echo "Importing authentication key:" - echo "y" | /var/ossec/bin/manage_agents -i '$AGENT_KEY' + echo "y" | /var/ossec/bin/manage_agents -i "$AGENT_KEY" # Restarting agent echo "" From 8f9081618ff9d20dee925ee10ea1d7d12170fe26 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 25 Nov 2020 11:11:46 -0500 Subject: [PATCH 05/10] Add role to sensoroni.json file --- salt/sensoroni/files/sensoroni.json | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index ee46b5937..8d10323af 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -6,6 +6,7 @@ "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", "agent": { + "role": "{{ grains.role }}" "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, From 979f171828d234a9c52390ba583a8920e6162f2a Mon Sep 17 00:00:00 2001 
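Review bot: In salt/wazuh/files/agent/wazuh-register-agent (PATCH 04), the result of the `manage_agents -i "$AGENT_KEY"` import is not checked in the visible lines, and the script goes straight on to restarting the agent. A check would have exposed the single-quote bug this commit fixes. Consider `echo "y" | /var/ossec/bin/manage_agents -i "$AGENT_KEY" || { echo "Key import failed" >&2; return 1; }`, assuming manage_agents exits non-zero when it rejects a key. The key is also passed as a command-line argument, so it is readable in the process list while the call runs; a comment saying so would tell maintainers not to widen its exposure, for example by logging the command. register_agent starts and ends outside the hunk.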
From: Jason Ertel Date: Wed, 25 Nov 2020 12:29:45 -0500 Subject: [PATCH 06/10] Add missing comma to sensoroni.json --- salt/sensoroni/files/sensoroni.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index 8d10323af..cc5be34ea 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -6,7 +6,7 @@ "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", "agent": { - "role": "{{ grains.role }}" + "role": "{{ grains.role }}", "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, From 38afd67108c2c0ec7894125e1f13f09a67529a4c Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 25 Nov 2020 14:08:30 -0500 Subject: [PATCH 07/10] Fleet standalone fix --- salt/_modules/so.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/_modules/so.py b/salt/_modules/so.py index e75c90ec8..ff3cf27b2 100644 --- a/salt/_modules/so.py +++ b/salt/_modules/so.py @@ -17,7 +17,7 @@ def mysql_conn(retry): log.error(e) return False - mainint = __salt__['pillar.get']('sensor:mainint', __salt__['pillar.get']('manager:mainint')) + mainint = __salt__['pillar.get']('host:mainint') mainip = __salt__['grains.get']('ip_interfaces').get(mainint)[0] mysql_up = False From 19b36f04680308646c5fb8c1ceee4f5f182d3116 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 27 Nov 2020 11:43:51 -0500 Subject: [PATCH 08/10] Fleet standalone redirect fix --- salt/nginx/etc/nginx.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/nginx/etc/nginx.conf b/salt/nginx/etc/nginx.conf index e65979f92..3ba1576a1 100644 --- a/salt/nginx/etc/nginx.conf +++ b/salt/nginx/etc/nginx.conf 
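Review bot: In salt/_modules/so.py (PATCH 07), `mainint` now comes from the single pillar key `host:mainint` with no fallback, and the next line indexes `.get(mainint)[0]` directly. If the key is unset, or names an interface that is absent from `ip_interfaces`, `.get()` returns None and the subscript raises TypeError instead of the function logging and returning False as its visible error path does. A guard keeps the failure controlled: `ifaces = __salt__['grains.get']('ip_interfaces').get(mainint)` followed by `if not ifaces: log.error('host:mainint unset or interface has no address'); return False`. mysql_conn begins and ends outside the hunk.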
@@ -98,7 +98,7 @@ http { {%- if role == 'fleet' %} server { listen 443 ssl http2; - server_name {{ url_base }}; + server_name {{ main_ip }}; root /opt/socore/html; index index.html; From f52c30bff526b35ac8f2b0353ff12683d2e7966d Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Fri, 27 Nov 2020 13:58:41 -0500 Subject: [PATCH 09/10] Fix Fleet setup errors --- setup/so-setup | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index a8e08b7da..d83411b58 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -692,7 +692,6 @@ fi if [[ "$OSQUERY" = 1 ]]; then set_progress_str 75 "$(print_salt_state_apply 'fleet')" - salt-call state.apply fleet.event_enable-fleet >> $setup_log 2>&1 # enable fleet in the global pillar salt-call state.apply -l info fleet >> $setup_log 2>&1 set_progress_str 76 "$(print_salt_state_apply 'redis')" From 65d8005629ae9001eb1e60b35e8829aa5b486483 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 30 Nov 2020 10:32:39 -0500 Subject: [PATCH 10/10] Fleet standalone - fix event --- salt/common/tools/sbin/so-fleet-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 21aebc966..b481ceb59 100755 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup @@ -28,6 +28,7 @@ docker exec so-fleet fleetctl apply -f /packs/osquery-config.conf # Enable Fleet echo "Enabling Fleet..." +sleep 5 salt-call state.apply fleet.event_enable-fleet queue=True >> /root/fleet-setup.log salt-call state.apply nginx queue=True >> /root/fleet-setup.log
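Review bot: In salt/nginx/etc/nginx.conf (PATCH 08), the fleet server block's `server_name` changes from `{{ url_base }}` to `{{ main_ip }}` with no comment saying why, and the reason is not evident from the template. Requests that carry the hostname in the Host header will no longer match this name and will be handled by whichever 443 server is the default. The certificate on this listener presumably needs to cover the IP as well. I would add a line above it such as `# fleet standalone: match on the node IP because <reason>` and confirm that `main_ip` is defined in this template's context. The server block continues outside the hunk.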
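Review bot: In salt/common/tools/sbin/so-fleet-setup (PATCH 10), the added `sleep 5` has no comment saying what it waits for, and a fixed delay is a guess. On a slow host it can be too short, and the enable event would then fail as before, with only /root/fleet-setup.log to show it. Document the dependency, e.g. `sleep 5  # wait for <component> to be ready before firing the enable-fleet event`, or replace the delay with a bounded poll of that component. The `salt-call` lines that follow append only stdout to the log, so adding `2>&1` there would keep the error text as well.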