Merge pull request #9016 from Security-Onion-Solutions/patch2.4

Patch2.4
2025-12-06 17:22:49 +01:00 · 2022-10-27 13:07:54 -04:00
parent 8b0ea7104f 8af0334c3c
commit c6ebe5c8dd
4 changed files with 100 additions and 71 deletions
--- a/salt/common/tools/sbin/so-minion
+++ b/salt/common/tools/sbin/so-minion
@@ -148,20 +148,6 @@ function add_sensoroni_to_minion() {
        "  " >> $PILLARFILE
 }	

-# Patch pillar settings.
-function add_patch_pillar_to_minion() {
-
-	printf '%s\n'\
-		"patch:"\
-		"  os:"\
-		"    source: '$source'"\
-		"    schedule_name: '$PATCHSCHEDULENAME'"\
-		"    enabled: True"\
-		"    splay: 300"\
-		"" >> $PILLARFILE
-
-}
-
 # Sensor settings for the minion pillar
 function add_sensor_to_minion() {
 	echo "sensor:" >> $PILLARFILE
@@ -253,7 +239,6 @@ if [[ "$OPERATION" = 'add' || "$OPERATION" = 'setup' ]]; then
 	fi
 	create_minion_files
 	add_host_to_minion
-	add_patch_pillar_to_minion
 	add_sensoroni_to_minion
 	create$NODETYPE
 	echo "Minion file created for $MINION_ID"	
--- a/salt/patch/defaults.yaml
+++ b/salt/patch/defaults.yaml
@@ -0,0 +1,82 @@
+patch:
+  os:
+    enabled: true
+    schedule_to_run: auto
+    schedules:
+      auto:
+        splay: 900
+        schedule:
+          hours: 8
+      monday:
+        splay: 900
+        schedule:
+          Monday:
+            - '08:00'
+      tuesday:
+        splay: 900
+        schedule:
+          Tuesday:
+            - '08:00'
+      wednesday:
+        splay: 900
+        schedule:
+          Wednesday:
+            - '08:00'
+      thursday:
+        splay: 900
+        schedule:
+          Thursday:
+            - '08:00'
+      friday:
+        splay: 900
+        schedule:
+          Friday:
+            - '08:00'
+      saturday:
+        splay: 900
+        schedule:
+          Saturday:
+            - '08:00'
+      sunday:
+        splay: 900
+        schedule:
+          Sunday:
+            - '08:00'
+      daily:
+        splay: 900
+        schedule:
+          Monday:
+            - '08:00'
+          Tuesday:
+            - '08:00'
+          Wednesday:
+            - '08:00'
+          Thursday:
+            - '08:00'
+          Friday:
+            - '08:00'
+          Saturday:
+            - '08:00'
+          Sunday:
+            - '08:00'
+      weekdays:
+        splay: 900
+        schedule:
+          Monday:
+            - '08:00'
+          Tuesday:
+            - '08:00'
+          Wednesday:
+            - '08:00'
+          Thursday:
+            - '08:00'
+          Friday:
+            - '08:00'
+      weekends:
+        splay: 900
+        schedule:
+          Saturday:
+            - '08:00'
+          Sunday:
+            - '08:00'
+
--- a/salt/patch/os/schedule.sls
+++ b/salt/patch/os/schedule.sls
@@ -1,76 +1,36 @@
-{% if salt['pillar.get']('patch:os:schedule_name') %}
-    {% set patch_os_pillar = salt['pillar.get']('patch:os') %}
-    {% set schedule_name = patch_os_pillar.schedule_name %}
-    {% set splay = patch_os_pillar.get('splay', 300) %}
+{% from 'patch/os/schedules/map.jinja' import PATCHMERGED %}

-    {% if schedule_name != 'manual' and schedule_name != 'auto' %}
-      {% import_yaml "patch/os/schedules/"~schedule_name~".yml" as os_schedule %}
-
-      {% if patch_os_pillar.enabled %}
+{% if PATCHMERGED.os.enabled %}
+  {% set SCHEDULE_TO_RUN = PATCHMERGED.os.schedule_to_run %}

 patch_os_schedule:
  schedule.present:
    - function: state.sls
    - job_args:
      - patch.os
+    - splay: {{PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].splay}}
+    - return_job: True
+  {# check if *day is in the schedule #}
+  {% if PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].schedule.keys() | select("match", ".*day") | list | length  > 0 %}
+
    - when:
-        {% for days in os_schedule.patch.os.schedule %}
-          {% for day, times in days.items() %}
-            {% for time in times %}
+        {% for day, times in PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].schedule.items() %}
+          {% for time in times %}
        - {{day}} {{time}}
            {% endfor %}
-          {% endfor %}
        {% endfor %}
-    - splay: {{splay}}
-    - return_job: True
+  {# check if days, hours, minutes is in the schedule #}
+  {% elif PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].schedule.keys() | select("match", "days|hours|minutes") | list | length > 0 %}
+    {% set DHM = PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].schedule.keys() | first %}

-      {% else %}
+    - {{DHM}}: {{ PATCHMERGED.os.schedules[SCHEDULE_TO_RUN].schedule[DHM] }}

-disable_patch_os_schedule:
-  schedule.disabled:
-    - name: patch_os_schedule
+  {% endif %}

-      {% endif %}
-
-
-    {% elif schedule_name == 'auto' %}
-
-      {% if patch_os_pillar.enabled %}
-
-patch_os_schedule:
-  schedule.present:
-    - function: state.sls
-    - job_args:
-      - patch.os
-    - hours: {{ patch_os_pillar.get('hours', 8) }} 
-    - splay: {{splay}}
-    - return_job: True
-
-      {% else %}
-
-disable_patch_os_schedule:
-  schedule.disabled:
-    - name: patch_os_schedule
-
-      {% endif %}
-
-    {% elif schedule_name == 'manual' %}
+{% else %}

 remove_patch_os_schedule:
  schedule.absent:
    - name: patch_os_schedule

-    {% endif %}
-
-{% else %}
-
-no_patch_os_schedule_name_set:
-  test.fail_without_changes:
-    - name: "Set a pillar value for patch:os:schedule_name in this minion's .sls file. If an OS patch schedule is not listed as enabled in show_schedule output below, then OS patches will need to be applied manually until this is corrected."
-
-show_patch_os_schedule:
-  module.run:
-    - schedule.is_enabled:
-      - name: patch_os_schedule
-
 {% endif %}
--- a/salt/patch/os/schedules/map.jinja
+++ b/salt/patch/os/schedules/map.jinja
@@ -0,0 +1,2 @@
+{% import_yaml 'patch/defaults.yaml' as PATCHDEFAULTS %}
+{% set PATCHMERGED = salt['pillar.get']('patch', PATCHDEFAULTS.patch, merge=true) %}