From ff4077a46f3505a3cfd04ccbfc0ce45ecee41246 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 15 Nov 2019 13:58:32 -0500 Subject: [PATCH 1/6] update all nodes motd with nodes that need restarted from patch updates - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/112 --- salt/_modules/needs_restarting.py | 25 +++++++++++++++++++ .../package_update_reboot_required.jinja | 23 +++++++++++++++++ salt/motd/init.sls | 5 ++++ salt/patch/os/init.sls | 10 ++++++++ salt/top.sls | 1 + salt/yum/packages.sls | 3 +++ 6 files changed, 67 insertions(+) create mode 100644 salt/_modules/needs_restarting.py create mode 100644 salt/motd/files/package_update_reboot_required.jinja create mode 100644 salt/motd/init.sls create mode 100644 salt/yum/packages.sls diff --git a/salt/_modules/needs_restarting.py b/salt/_modules/needs_restarting.py new file mode 100644 index 000000000..51f80670a --- /dev/null +++ b/salt/_modules/needs_restarting.py @@ -0,0 +1,25 @@ +from os import path +import subprocess + +def check(): + + os = __grains__['os'] + cmd = 'needs-restarting -r > /dev/null 2>&1' + + if os == 'Ubuntu': + if path.exists('/var/run/reboot-required'): + retval = 'True' + else: + retval = 'False' + + elif os == 'CentOS': + try: + needs_restarting = subprocess.check_call(cmd.split(), shell=True) + except subprocess.CalledProcessError: + retval = 'True' + retval = 'False' + + else: + retval = 'Unsupported OS: %s' % os + + return retval diff --git a/salt/motd/files/package_update_reboot_required.jinja b/salt/motd/files/package_update_reboot_required.jinja new file mode 100644 index 000000000..3a1fd1e9e --- /dev/null +++ b/salt/motd/files/package_update_reboot_required.jinja 
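Review bot: On CentOS, `check()` in salt/_modules/needs_restarting.py always returns 'False', because the `retval = 'False'` after the try/except overwrites the 'True' set in the handler, so a node with pending kernel or library updates is never reported. The call itself is also off: with `shell=True` and a list argument only the first element is run as the command, so `-r` and the redirection tokens produced by `cmd.split()` never reach `needs-restarting`. I would call it without a shell, `subprocess.check_call(['needs-restarting', '-r'], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)` (assuming the module runs under Python 3), and move the default into `else: retval = 'False'`. Patch 2/6 only moves the `cmd` assignment and keeps both problems.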
@@ -0,0 +1,23 @@ +{% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} + +{%- if needs_restarting_check %} + {%- set minions_need_restarted = [] %} + + {%- for minion, need_restarted in needs_restarting_check | dictsort() %} + {%- if need_restarted == 'True' %} + {% do minions_need_restarted.append(minion) %} + {%- endif %} + {%- endfor -%} + + {%- if minions_need_restarted | length > 0 %} +***************************************************************************************** +* The following nodes in your Security Onion grid need restarted due to package updates * +***************************************************************************************** + + {% for minion in minions_need_restarted -%} + {{ minion }} + {% endfor -%} + + {%- endif -%} + +{%- endif -%} diff --git a/salt/motd/init.sls b/salt/motd/init.sls new file mode 100644 index 000000000..a314ddb80 --- /dev/null +++ b/salt/motd/init.sls @@ -0,0 +1,5 @@ +package_update_reboot_required_motd: + file.append: + - name: /etc/motd + - source: salt://motd/files/package_update_reboot_required.jinja + - template: jinja diff --git a/salt/patch/os/init.sls b/salt/patch/os/init.sls index d3ae6a1ff..97183199b 100644 --- a/salt/patch/os/init.sls +++ b/salt/patch/os/init.sls @@ -1,4 +1,14 @@ +{% if grains.os == "CentOS" %} +include: + - yum.packages +{% endif %} + patch_os: pkg.uptodate: - name: patch_os - refresh: True + +needs_restarting: + module.run: + - mine.send: + - func: needs_restarting.check diff --git a/salt/top.sls b/salt/top.sls index f742a66cf..711cf564c 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -7,6 +7,7 @@ base: '*': - patch.os.schedule + - motd 'G@role:so-sensor': - ca diff --git a/salt/yum/packages.sls b/salt/yum/packages.sls new file mode 100644 index 000000000..4c773d0e9 --- /dev/null +++ b/salt/yum/packages.sls @@ -0,0 +1,3 @@ +install_yum_utils: + pkg.installed: + - name: yum-utils 
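Review bot: The loop in package_update_reboot_required.jinja treats every mine value other than the exact string 'True' as "no restart needed", which silently hides minions that returned `Unsupported OS: ...` or have not reported at all. A banner that omits a node then reads as if that node were fully patched. I would add a template comment such as `{#- values are the strings returned by needs_restarting.check; anything other than 'True' is not listed -#}` and consider listing results that are neither 'True' nor 'False' separately.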
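Review bot: `file.append` in salt/motd/init.sls only ever adds text to /etc/motd, so once the rendered node list changes, the old banner stays in place and a new one is appended after it. An empty render removes nothing either, so the warning persists after the nodes have been rebooted and operators learn to ignore it. A state that owns a delimited block or a dedicated file would keep the banner current, for example `file.blockreplace` with start and end markers around the rendered template.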
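Review bot: The `needs_restarting` state in salt/patch/os/init.sls pushes the value to the mine only when the patch state runs, so a node that has since been rebooted keeps reporting 'True' until its next patch run. Every node's motd then lists machines that no longer need attention. Declaring `needs_restarting.check` under `mine_functions` would let the regular mine refresh update the value; if it stays here, a comment such as `# mine value is refreshed only on patch runs` would document the lag.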
From 8261b6fc6341893eef81e956efb236f0772d2ce4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 15 Nov 2019 14:02:06 -0500 Subject: [PATCH 2/6] move cmd assignment - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/112 --- salt/_modules/needs_restarting.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/_modules/needs_restarting.py b/salt/_modules/needs_restarting.py index 51f80670a..49f82bbf2 100644 --- a/salt/_modules/needs_restarting.py +++ b/salt/_modules/needs_restarting.py @@ -4,7 +4,6 @@ import subprocess def check(): os = __grains__['os'] - cmd = 'needs-restarting -r > /dev/null 2>&1' if os == 'Ubuntu': if path.exists('/var/run/reboot-required'): @@ -13,6 +12,7 @@ def check(): retval = 'False' elif os == 'CentOS': + cmd = 'needs-restarting -r > /dev/null 2>&1' try: needs_restarting = subprocess.check_call(cmd.split(), shell=True) except subprocess.CalledProcessError: From f9b1fc8b1fc22adaf2071684a9b8ae5285ae9a88 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 15 Nov 2019 15:48:21 -0500 Subject: [PATCH 3/6] bug fix for remote distribution so setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/114 --- so-setup-network.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index 422ec8a99..db0a313b3 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -278,7 +278,7 @@ copy_minion_tmp_files() { rsync -a -v $TMP/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 else echo "scp all files in $TMP to master /opt/so/saltstack" >> $SETUPLOG 2>&1 - scp -prv -i /root/.ssh/so.key $TMP socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1 + scp -prv -i /root/.ssh/so.key "${TMP}/*" socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1 fi } From f40f00255f1756663a5cbb5544129ed00baddabe Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Fri, 15 Nov 2019 16:02:21 -0500 Subject: [PATCH 4/6] adding install_pip3 for sensor and node types --- so-setup-network.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/so-setup-network.sh b/so-setup-network.sh index db0a313b3..e1adb38c8 100644 --- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -2056,6 +2056,7 @@ if (whiptail_you_sure); then copy_ssh_key { sleep 0.5 + install_pip3 >> $SETUPLOG 2>&1 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" set_initial_firewall_policy >> $SETUPLOG 2>&1 echo -e "XXX\n3\nCreating Bond Interface... \nXXX" @@ -2321,6 +2322,7 @@ if (whiptail_you_sure); then copy_ssh_key { sleep 0.5 + install_pip3 >> $SETUPLOG 2>&1 echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" set_initial_firewall_policy >> $SETUPLOG 2>&1 echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" From 95a3919df44ff528f01c8c80a7253121e695fae1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 15 Nov 2019 16:08:50 -0500 Subject: [PATCH 5/6] make socore own /opt/so/saltstack recursively - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/113 --- salt/master/init.sls | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/master/init.sls b/salt/master/init.sls index 1a7efe744..c6e11279d 100644 --- a/salt/master/init.sls +++ b/salt/master/init.sls @@ -17,6 +17,15 @@ {% if masterproxy == 1 %} +socore_own_saltstack: + file.directory: + - name: /opt/so/saltstack + - user: socore + - group: socore + - recurse: + - user + - group + # Create the directories for apt-cacher-ng aptcacherconfdir: file.directory: From 6bcadded1452a4d02bdf709718b17e4e17341fea Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 15 Nov 2019 18:16:27 -0500 Subject: [PATCH 6/6] change scp of pillar files, install pip3 for centos --- so-setup-network.sh | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/so-setup-network.sh b/so-setup-network.sh index e1adb38c8..a2871a9f5 100644 
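Review bot: `socore_own_saltstack` in salt/master/init.sls hands the whole of /opt/so/saltstack to `socore` recursively, so the account used for the remote `scp` in so-setup-network.sh can rewrite any state or pillar file under that path. If the master serves states from this tree, write access to it amounts to control over what runs on every minion, so I would limit the ownership change to the subdirectory that actually receives the copied files and leave the rest root-owned. The state also sits directly after the `{% if masterproxy == 1 %}` context line, so it appears to apply only when that option is on; the end of the conditional is outside the hunk, so please confirm this is intended. At minimum, add a comment such as `# socore needs write access here for scp from remote nodes (issue 113)`.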
--- a/so-setup-network.sh +++ b/so-setup-network.sh @@ -278,7 +278,7 @@ copy_minion_tmp_files() { rsync -a -v $TMP/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 else echo "scp all files in $TMP to master /opt/so/saltstack" >> $SETUPLOG 2>&1 - scp -prv -i /root/.ssh/so.key "${TMP}/*" socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1 + scp -prv -i /root/.ssh/so.key $TMP/* socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1 fi } @@ -488,9 +488,12 @@ install_cleanup() { install_pip3() { + echo "Installing pip3" + if [ $OS == 'ubuntu' ]; then - echo -e "XXX\n0\nInstalling pip3... \nXXX" apt-get -y install python3-pip gcc python3-dev + elif [ $OS == 'centos' ]; then + yum -y install python3-pip gcc python3-devel fi } @@ -716,7 +719,7 @@ saltify() { ADDUSER=adduser if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then - yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm + yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-2019.2-2.el7.noarch.rpm cp /etc/yum.repos.d/salt-latest.repo /etc/yum.repos.d/salt-2019-2.repo sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo cat > /etc/yum.repos.d/wazuh.repo <<\EOF @@ -1006,7 +1009,7 @@ salt_master_directories() { salt_install_mysql_deps() { if [ $OS == 'centos' ]; then - yum -y install gcc mariadb-devel python3-devel + yum -y install mariadb-devel echo "Using pip3 to install mysqlclient for salt" pip3 install -t /usr/lib64/python3.6/site-packages/ mysqlclient elif [ $OS == 'ubuntu' ]; then
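Review bot: The new `scp` line in copy_minion_tmp_files leaves `$TMP` and `$MSRV` unquoted, so a value containing whitespace or glob characters is split or expanded before scp sees it. Quoting the variables while keeping the glob outside the quotes handles both: `scp -prv -i /root/.ssh/so.key "$TMP"/* socore@"$MSRV":/opt/so/saltstack >> "$SETUPLOG" 2>&1`. Note that `*` does not match dotfiles, and that scp's exit status is not checked, so a failed copy shows up only in the log.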
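Review bot: In saltify the repo package is now pinned to 2019.2, but the next two context lines still copy `/etc/yum.repos.d/salt-latest.repo` and rewrite `latest` with sed. If the pinned package installs a differently named repo file, the `cp` fails and the pin is not what yum ends up using. Please confirm which file the pinned RPM ships and adjust or drop the `cp`/`sed` pair to match. Separately, as far as I know an RPM installed straight from a URL is signature-checked only when yum's `localpkg_gpgcheck` is enabled, so it is worth verifying the package against the vendor key before installing. The body of saltify continues outside the hunk.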
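Review bot: `salt_install_mysql_deps` no longer installs `gcc` and `python3-devel` itself, so the `pip3 install ... mysqlclient` line below it now depends on `install_pip3` having run earlier on every install path that reaches this function. Only the call sites added in patch 4/6 are visible here, so please confirm that the master and eval paths call it as well, and add a comment such as `# build deps (gcc, python3-devel, pip3) are installed by install_pip3`. The unchanged context line installs an unpinned `mysqlclient` from PyPI as root; pinning a version there would make the build reproducible.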