configure salt then install it

This commit is contained in:
Josh Patterson
2025-11-12 18:06:55 -05:00
parent 235dfd78f1
commit be11c718f6
2 changed files with 37 additions and 57 deletions


@@ -502,6 +502,7 @@ configure_minion() {
minion_type=desktop minion_type=desktop
fi fi
info "Configuring minion type as $minion_type" info "Configuring minion type as $minion_type"
logCmd "mkdir -p /etc/salt/minion.d"
echo "role: so-$minion_type" > /etc/salt/grains echo "role: so-$minion_type" > /etc/salt/grains
local minion_config=/etc/salt/minion local minion_config=/etc/salt/minion
@@ -541,20 +542,6 @@ configure_minion() {
"log_file: /opt/so/log/salt/minion"\ "log_file: /opt/so/log/salt/minion"\
"#startup_states: highstate" >> "$minion_config" "#startup_states: highstate" >> "$minion_config"
# At the time the so-managerhype node does not yet have the bridge configured.
# The so-hypervisor node doesn't either, but it doesn't cause issues here.
local usebr0=false
if [ "$minion_type" == 'hypervisor' ]; then
usebr0=true
fi
local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
{
logCmd "systemctl enable salt-minion";
logCmd "systemctl restart salt-minion";
} >> "$setup_log" 2>&1
} }
checkin_at_boot() { checkin_at_boot() {
@@ -798,25 +785,18 @@ configure_hyper_bridge() {
} }
copy_salt_master_config() { copy_salt_master_config() {
logCmd "mkdir /etc/salt"
title "Copy the Salt master config template to the proper directory" title "Copy the Salt master config template to the proper directory"
if [ "$setup_type" = 'iso' ]; then if [ "$setup_type" = 'iso' ]; then
logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master" logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master"
#logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
else else
logCmd "cp ../files/salt/master/master /etc/salt/master" logCmd "cp ../files/salt/master/master /etc/salt/master"
#logCmd "cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
fi fi
info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/" logCmd "cp -R $temp_install_dir/pillar/ $local_salt_dir/"
if [ -d "$temp_install_dir"/salt ] ; then if [ -d "$temp_install_dir"/salt ] ; then
logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/" logCmd "cp -R $temp_install_dir/salt/ $local_salt_dir/"
fi fi
# Restart the service so it picks up the changes
logCmd "systemctl daemon-reload"
logCmd "systemctl enable salt-master"
logCmd "systemctl restart salt-master"
} }
create_local_nids_rules() { create_local_nids_rules() {
@@ -1941,11 +1921,12 @@ repo_sync_local() {
} }
saltify() { saltify() {
info "Installing Salt"
SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+") SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
info "Installing Salt $SALTVERSION"
chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
if [[ $is_deb ]]; then if [[ $is_deb ]]; then
DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
local pkg_arr=( local pkg_arr=(
'apache2-utils' 'apache2-utils'
@@ -1958,16 +1939,11 @@ saltify() {
'jq' 'jq'
'gnupg' 'gnupg'
) )
retry 150 20 "apt-get -y install ${pkg_arr[*]}" || fail_setup retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
logCmd "mkdir -vp /etc/apt/keyrings" logCmd "mkdir -vp /etc/apt/keyrings"
logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
# Download public key
logCmd "curl -fsSL -o /etc/apt/keyrings/salt-archive-keyring-2023.pgp https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public"
# Create apt repo target configuration
echo "deb [signed-by=/etc/apt/keyrings/salt-archive-keyring-2023.pgp arch=amd64] https://packages.broadcom.com/artifactory/saltproject-deb/ stable main" | sudo tee /etc/apt/sources.list.d/salt.list
if [[ $is_ubuntu ]]; then if [[ $is_ubuntu ]]; then
# Add Docker Repo # Add Docker Repo
add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
@@ -1978,45 +1954,50 @@ saltify() {
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list
fi fi
logCmd "apt-key add /etc/apt/keyrings/salt-archive-keyring-2023.pgp"
#logCmd "apt-key add /opt/so/gpg/SALTSTACK-GPG-KEY.pub"
logCmd "apt-key add /etc/apt/keyrings/docker.pub" logCmd "apt-key add /etc/apt/keyrings/docker.pub"
# Add SO Saltstack Repo retry 30 10 "apt-get update" "" "Err:" || fail_setup
#echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt3004.2/ focal main" > /etc/apt/sources.list.d/saltstack.list
# Ain't nothing but a GPG
retry 150 20 "apt-get update" "" "Err:" || fail_setup
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1 retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
else else
retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
fi fi
fi fi
if [[ $is_rpm ]]; then if [[ $is_rpm ]]; then
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
# install all for a manager # install all for a manager
logCmd "dnf -y install salt-$SALTVERSION salt-master-$SALTVERSION salt-minion-$SALTVERSION" retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
else else
# We just need the minion # just a minion
if [[ $is_airgap ]]; then retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
logCmd "dnf -y install salt salt-minion"
else
logCmd "dnf -y install salt-$SALTVERSION salt-minion-$SALTVERSION"
fi
fi fi
fi fi
logCmd "mkdir -p /etc/salt/minion.d"
salt_install_module_deps salt_install_module_deps
salt_patch_x509_v2 salt_patch_x509_v2
# At the time the so-managerhype node does not yet have the bridge configured.
# The so-hypervisor node doesn't either, but it doesn't cause issues here.
local usebr0=false
if [ "$minion_type" == 'hypervisor' ]; then
usebr0=true
fi
local pillar_json="{\"host\": {\"mainint\": \"$MNIC\"}, \"usebr0\": $usebr0}"
info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='$pillar_json'"
salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="$pillar_json"
if [[ $waitforstate ]]; then
logCmd "systemctl enable salt-master";
logCmd "systemctl start salt-master";
fi
logCmd "systemctl enable salt-minion";
logCmd "systemctl restart salt-minion";
} }
salt_install_module_deps() { salt_install_module_deps() {
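Review bot: `SALTVERSION` is passed unchecked into the four `bootstrap-salt.sh ... -X stable $SALTVERSION` lines; if the grep over master.defaults.yaml yields nothing, the argument degrades to a bare `stable` and the bootstrap installs whatever that currently resolves to, silently losing the version pin, whereas the old `salt-common=$SALTVERSION` form would have failed the apt call. A guard right after the assignment, `[[ -n "$SALTVERSION" ]] || fail_setup`, keeps the pin enforced. The rpm branch also drops the former `$is_airgap` special case (`dnf -y install salt salt-minion`) and now always runs the bootstrap script; if that script configures a network repository, airgap installs on rpm hosts would fail where they previously did not, which is worth confirming. In the copy_salt_master_config hunk, the new `logCmd "mkdir /etc/salt"` lacks the `-p` that configure_minion uses for `/etc/salt/minion.d`, so it reports an error on any host where `/etc/salt` already exists; `mkdir -p /etc/salt` matches the other call. saltify's body begins in an earlier hunk of this section.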


@@ -745,13 +745,12 @@ if ! [[ -f $install_opt_file ]]; then
securityonion_repo securityonion_repo
# Update existing packages # Update existing packages
update_packages update_packages
# Install salt # Put salt-master config in place
saltify
# Start the master service
copy_salt_master_config copy_salt_master_config
configure_minion "$minion_type" configure_minion "$minion_type"
# Install salt
saltify
check_sos_appliance check_sos_appliance
logCmd "salt-key -yd $MINION_ID" logCmd "salt-key -yd $MINION_ID"
sleep 2 # Debug RSA Key format errors sleep 2 # Debug RSA Key format errors
logCmd "salt-call state.show_top" logCmd "salt-call state.show_top"
@@ -852,8 +851,8 @@ if ! [[ -f $install_opt_file ]]; then
gpg_rpm_import gpg_rpm_import
securityonion_repo securityonion_repo
update_packages update_packages
saltify
configure_minion "$minion_type" configure_minion "$minion_type"
saltify
check_sos_appliance check_sos_appliance
drop_install_options drop_install_options
hypervisor_local_states hypervisor_local_states
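Review bot: Both hunks now run `configure_minion "$minion_type"` before `saltify`, but nothing records that the minion config and grains are written before the Salt packages exist; whether the package install leaves a pre-existing `/etc/salt/minion` untouched is not visible here and should be confirmed. A one-line comment above the call, `# configure_minion writes /etc/salt/minion and grains before install; saltify must not overwrite them`, would document the ordering dependency, and the second hunk could carry the same `# Install salt` comment the first one has. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside both hunks.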