From d0242c1da64ba438f887c3cc7b0d9f2d1a6fdc3f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 21 May 2020 10:54:47 -0400 Subject: [PATCH 01/27] update references of /opt/so/saltstack to /opt/so/saltstack/default. use var default_salt_dir where appropriate - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- files/master | 4 +- pillar/data/addtotab.sh | 30 +++---- pillar/firewall/addfirewall.sh | 6 +- salt/common/tools/sbin/so-allow | 5 +- salt/common/tools/sbin/so-bro-logs | 7 +- .../tools/sbin/so-elasticsearch-templates | 3 +- salt/common/tools/sbin/so-features-enable | 5 +- salt/common/tools/sbin/so-helix-apikey | 7 +- salt/deprecated-bro/files/local.bro | 4 +- salt/fleet/files/scripts/so-fleet-packages | 5 +- salt/hive/thehive/scripts/cortex_init | 4 +- salt/hive/thehive/scripts/hive_init | 4 +- salt/idstools/init.sls | 2 +- salt/master/files/add_minion.sh | 6 +- salt/nodered/files/nodered_load_flows | 3 +- salt/nodered/init.sls | 2 +- salt/playbook/files/playbook_db_init.sh | 4 +- salt/reactor/fleet.sls | 9 +- salt/ssl/init.sls | 6 +- salt/wazuh/files/wazuh-manager-whitelist | 3 +- setup/so-functions | 90 ++++++++++--------- setup/so-variables | 3 + upgrade/so-update-functions | 6 +- 23 files changed, 120 insertions(+), 98 deletions(-) diff --git a/files/master b/files/master index fea77c2f7..8739a043a 100644 --- a/files/master +++ b/files/master @@ -37,7 +37,7 @@ log_file: /opt/so/log/salt/master # file_roots: base: - - /opt/so/saltstack/salt + - /opt/so/saltstack/default/salt # The master_roots setting configures a master-only copy of the file_roots dictionary, # used by the state compiler. @@ -53,7 +53,7 @@ file_roots: pillar_roots: base: - - /opt/so/saltstack/pillar + - /opt/so/saltstack/default/pillar peer: .*: diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index ad302607c..33c73c21e 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh 
@@ -1,7 +1,7 @@ #!/usr/bin/env bash # This script adds sensors/nodes/etc to the nodes tab - +default_salt_dir=/opt/so/saltstack/default TYPE=$1 NAME=$2 IPADDRESS=$3 @@ -15,7 +15,7 @@ MONINT=$9 #HOTNAME=$11 echo "Seeing if this host is already in here. If so delete it" -if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then +if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then echo "Node Already Present - Let's re-add it" awk -v blah=" $NAME:" 'BEGIN{ print_flag=1 } { 
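Review bot: `default_salt_dir=/opt/so/saltstack/default` is a private copy of the constant rather than a shared definition, and the same literal is repeated in addfirewall.sh, so-allow, so-bro-logs, so-elasticsearch-templates, so-features-enable, so-helix-apikey, so-fleet-packages, cortex_init, hive_init, add_minion.sh, nodered_load_flows, playbook_db_init.sh and wazuh-manager-whitelist, while setup/so-functions takes it from the value exported in setup/so-variables. The later patches in this series already show the drift this causes: PATCH 02 renames the sibling variable in so-variables alone, and PATCH 03 switches this script to `local_salt_dir` file by file. so-allow and so-features-enable already source `/usr/sbin/so-common`, which is a natural single home for the constant; the Jinja-rendered scripts could take it from pillar instead. Marking it `readonly default_salt_dir=/opt/so/saltstack/default` would also stop a later assignment from redirecting every path built from it.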
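Review bot: The rewritten `grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"` still takes `$TYPE` and `$NAME` straight from the positional parameters: `$TYPE` becomes a path component of every file this script reads, rewrites and appends to, and `$NAME` is used unquoted as a grep regular expression. Because update_sudoers in this same commit grants soremote passwordless root for this script with no argument restriction, an allowlist at the top is the missing check: `case "$TYPE" in mastertab|evaltab|mastersearchtab|sensorstab|nodestab) ;; *) echo "unknown tab type: $TYPE" >&2; exit 1;; esac` (those are the values set_initial_firewall_policy in setup/so-functions passes), and `grep -qF -- " $NAME:"` so the name is matched literally. The awk body that starts on the last line of this hunk continues outside it.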
@@ -31,27 +31,27 @@ if grep -q $NAME "/opt/so/saltstack/pillar/data/$TYPE.sls"; then if ( print_flag == 1 ) print $0 -} ' /opt/so/saltstack/pillar/data/$TYPE.sls > /opt/so/saltstack/pillar/data/tmp.$TYPE.sls -mv /opt/so/saltstack/pillar/data/tmp.$TYPE.sls /opt/so/saltstack/pillar/data/$TYPE.sls +} ' $default_salt_dir/pillar/data/$TYPE.sls > $default_salt_dir/pillar/data/tmp.$TYPE.sls +mv $default_salt_dir/pillar/data/tmp.$TYPE.sls $default_salt_dir/pillar/data/$TYPE.sls echo "Deleted $NAME from the tab. Now adding it in again with updated info" fi -echo " $NAME:" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " ip: $IPADDRESS" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " manint: $MANINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " totalcpus: $CPUS" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " guid: $GUID" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " rootfs: $ROOTFS" >> /opt/so/saltstack/pillar/data/$TYPE.sls -echo " nsmfs: $NSM" >> /opt/so/saltstack/pillar/data/$TYPE.sls +echo " $NAME:" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " ip: $IPADDRESS" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " manint: $MANINT" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " totalcpus: $CPUS" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " guid: $GUID" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " rootfs: $ROOTFS" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " nsmfs: $NSM" >> $default_salt_dir/pillar/data/$TYPE.sls if [ $TYPE == 'sensorstab' ]; then - echo " monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls + echo " monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls salt-call state.apply common queue=True fi if [ $TYPE == 'evaltab' ]; then - echo " monint: $MONINT" >> /opt/so/saltstack/pillar/data/$TYPE.sls + echo " monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls salt-call state.apply common queue=True salt-call state.apply utility queue=True fi #if [ $TYPE == 'nodestab' ]; then -# echo " nodetype: 
$NODETYPE" >> /opt/so/saltstack/pillar/data/$TYPE.sls -# echo " hotname: $HOTNAME" >> /opt/so/saltstack/pillar/data/$TYPE.sls +# echo " nodetype: $NODETYPE" >> $default_salt_dir/pillar/data/$TYPE.sls +# echo " hotname: $HOTNAME" >> $default_salt_dir/pillar/data/$TYPE.sls #fi diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh index fa1f1c617..856fda869 100644 --- a/pillar/firewall/addfirewall.sh +++ b/pillar/firewall/addfirewall.sh @@ -1,13 +1,13 @@ #!/usr/bin/env bash # This script adds ip addresses to specific rule sets defined by the user - +default_salt_dir=/opt/so/saltstack/default POLICY=$1 IPADDRESS=$2 -if grep -q $2 "/opt/so/saltstack/pillar/firewall/$1.sls"; then +if grep -q $2 "$default_salt_dir/pillar/firewall/$1.sls"; then echo "Firewall Rule Already There" else - echo " - $2" >> /opt/so/saltstack/pillar/firewall/$1.sls + echo " - $2" >> $default_salt_dir/pillar/firewall/$1.sls salt-call state.apply firewall queue=True fi diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index bede282b3..d3906e67c 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -17,6 +17,7 @@ . /usr/sbin/so-common +default_salt_dir=/opt/so/saltstack/default SKIP=0 while getopts "abowi:" OPTION @@ -80,10 +81,10 @@ if [ "$SKIP" -eq 0 ]; then fi echo "Adding $IP to the $FULLROLE role. This can take a few seconds" -/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP +$default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP # Check if Wazuh enabled -if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then +if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs index 1593ead81..ac70ea857 100755 --- a/salt/common/tools/sbin/so-bro-logs +++ b/salt/common/tools/sbin/so-bro-logs 
@@ -1,11 +1,12 @@ #!/bin/bash +default_salt_dir=/opt/so/saltstack/default bro_logs_enabled() { - echo "brologs:" > /opt/so/saltstack/pillar/brologs.sls - echo " enabled:" >> /opt/so/saltstack/pillar/brologs.sls + echo "brologs:" > $default_salt_dir/pillar/brologs.sls + echo " enabled:" >> $default_salt_dir/pillar/brologs.sls for BLOG in ${BLOGS[@]}; do - echo " - $BLOG" | tr -d '"' >> /opt/so/saltstack/pillar/brologs.sls + echo " - $BLOG" | tr -d '"' >> $default_salt_dir/pillar/brologs.sls done } diff --git a/salt/common/tools/sbin/so-elasticsearch-templates b/salt/common/tools/sbin/so-elasticsearch-templates index efe5f8345..829e2a68d 100755 --- a/salt/common/tools/sbin/so-elasticsearch-templates +++ b/salt/common/tools/sbin/so-elasticsearch-templates @@ -15,12 +15,13 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +default_salt_dir=/opt/so/saltstack/default ELASTICSEARCH_HOST="{{ MASTERIP}}" ELASTICSEARCH_PORT=9200 #ELASTICSEARCH_AUTH="" # Define a default directory to load pipelines from -ELASTICSEARCH_TEMPLATES="/opt/so/saltstack/salt/logstash/pipelines/templates/so/" +ELASTICSEARCH_TEMPLATES="$default_salt_dir/salt/logstash/pipelines/templates/so/" # Wait for ElasticSearch to initialize echo -n "Waiting for ElasticSearch..." diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index a37743960..3f7034e2a 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable 
@@ -15,10 +15,11 @@ # along with this program. If not, see . . /usr/sbin/so-common +default_salt_dir=/opt/so/saltstack/default -VERSION=$(grep soversion /opt/so/saltstack/pillar/static.sls | cut -d':' -f2|sed 's/ //g') +VERSION=$(grep soversion $default_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') # Modify static.sls to enable Features -sed -i 's/features: False/features: True/' /opt/so/saltstack/pillar/static.sls +sed -i 's/features: False/features: True/' $default_salt_dir/pillar/static.sls SUFFIX="-features" TRUSTED_CONTAINERS=( \ "so-elasticsearch:$VERSION$SUFFIX" \ diff --git a/salt/common/tools/sbin/so-helix-apikey b/salt/common/tools/sbin/so-helix-apikey index 529ab93e4..6f93d9f55 100755 --- a/salt/common/tools/sbin/so-helix-apikey +++ b/salt/common/tools/sbin/so-helix-apikey @@ -1,4 +1,7 @@ #!/bin/bash + +default_salt_dir=/opt/so/saltstack/default + got_root() { # Make sure you are root @@ -10,13 +13,13 @@ got_root() { } got_root -if [ ! -f /opt/so/saltstack/pillar/fireeye/init.sls ]; then +if [ ! -f $default_salt_dir/pillar/fireeye/init.sls ]; then echo "This is nto configured for Helix Mode. Please re-install." exit else echo "Enter your Helix API Key: " read APIKEY - sed -i "s/^ api_key.*/ api_key: $APIKEY/g" /opt/so/saltstack/pillar/fireeye/init.sls + sed -i "s/^ api_key.*/ api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls docker stop so-logstash docker rm so-logstash echo "Restarting Logstash for updated key" diff --git a/salt/deprecated-bro/files/local.bro b/salt/deprecated-bro/files/local.bro index afe4b94ca..131db7491 100644 --- a/salt/deprecated-bro/files/local.bro +++ b/salt/deprecated-bro/files/local.bro 
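Review bot: `sed -i "s/^ api_key.*/ api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls` interpolates the key the user just typed into the sed replacement, so a key containing `/`, `&` or `\` either aborts sed or writes something other than the key into the pillar; `read APIKEY` on the line above also echoes the secret to the terminal and interprets backslashes. Use `read -r -s APIKEY` and write the value without passing it through a sed expression, e.g. `key="$APIKEY" awk '/^ api_key/ {$0 = " api_key: " ENVIRON["key"]} {print}' "$default_salt_dir/pillar/fireeye/init.sls" > "$tmp" && mv "$tmp" "$default_salt_dir/pillar/fireeye/init.sls"` with `$tmp` from `mktemp`, or at least escape `&`, `\` and the delimiter before substituting. The message `This is nto configured for Helix Mode` has a typo (`not`). The `else` branch continues past the end of this hunk.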
@@ -127,11 +127,11 @@ @load policy/hassh # You can load your own intel into: -# /opt/so/saltstack/bro/policy/intel/ on the master +# $default_salt_dir/bro/policy/intel/ on the master @load intel # Load a custom Bro policy -# /opt/so/saltstack/bro/policy/custom/ on the master +# $default_salt_dir/bro/policy/custom/ on the master #@load custom/somebropolicy.bro # Write logs in JSON diff --git a/salt/fleet/files/scripts/so-fleet-packages b/salt/fleet/files/scripts/so-fleet-packages index 49f3eebcd..3b804e472 100644 --- a/salt/fleet/files/scripts/so-fleet-packages +++ b/salt/fleet/files/scripts/so-fleet-packages @@ -2,6 +2,7 @@ {% set MAIN_HOSTNAME = salt['grains.get']('host') %} {% set MAIN_IP = salt['pillar.get']('node:mainip') %} +default_salt_dir=/opt/so/saltstack/default #so-fleet-packages $FleetHostname/IP @@ -26,8 +27,8 @@ docker run \ --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \ docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090 -cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ +cp /opt/so/conf/fleet/packages/launcher.* $default_salt_dir/salt/launcher/packages/ #Update timestamp on packages webpage sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html -sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/saltstack/salt/fleet/files/dedicated-index.html \ No newline at end of file +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $default_salt_dir/salt/fleet/files/dedicated-index.html \ No newline at end of file diff --git a/salt/hive/thehive/scripts/cortex_init b/salt/hive/thehive/scripts/cortex_init index 786039bf1..063ae498d 100644 --- a/salt/hive/thehive/scripts/cortex_init +++ b/salt/hive/thehive/scripts/cortex_init 
@@ -7,6 +7,8 @@ {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} +default_salt_dir=/opt/so/saltstack/default + cortex_init(){ sleep 60 CORTEX_IP="{{MASTERIP}}" @@ -17,7 +19,7 @@ cortex_init(){ CORTEX_ORG_DESC="{{CORTEXORGNAME}} organization created by Security Onion setup" CORTEX_ORG_USER="{{CORTEXORGUSER}}" CORTEX_ORG_USER_KEY="{{CORTEXORGUSERKEY}}" - SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf" + SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf" # Migrate DB diff --git a/salt/hive/thehive/scripts/hive_init b/salt/hive/thehive/scripts/hive_init index b1ef62d68..0db2c75f9 100755 --- a/salt/hive/thehive/scripts/hive_init +++ b/salt/hive/thehive/scripts/hive_init @@ -4,13 +4,15 @@ {%- set HIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} {%- set HIVEKEY = salt['pillar.get']('static:hivekey', '') %} +default_salt_dir=/opt/so/saltstack/default + hive_init(){ sleep 120 HIVE_IP="{{MASTERIP}}" HIVE_USER="{{HIVEUSER}}" HIVE_PASSWORD="{{HIVEPASSWORD}}" HIVE_KEY="{{HIVEKEY}}" - SOCTOPUS_CONFIG="/opt/so/saltstack/salt/soctopus/files/SOCtopus.conf" + SOCTOPUS_CONFIG="$default_salt_dir/salt/soctopus/files/SOCtopus.conf" echo -n "Waiting for TheHive..." COUNT=0 diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index eba5cfd26..0b641c83d 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -60,7 +60,7 @@ synclocalnidsrules: ruleslink: file.symlink: - - name: /opt/so/saltstack/salt/suricata/rules + - name: /opt/so/saltstack/default/salt/suricata/rules - target: /opt/so/rules/nids so-idstools: diff --git a/salt/master/files/add_minion.sh b/salt/master/files/add_minion.sh index 220317193..043a09ead 100755 --- a/salt/master/files/add_minion.sh +++ b/salt/master/files/add_minion.sh 
@@ -1,10 +1,10 @@ #!/usr/bin/env bash # This script adds pillar and schedule files securely - +default_salt_dir=/opt/so/saltstack/default MINION=$1 echo "Adding $1" - cp /tmp/$MINION/pillar/$MINION.sls /opt/so/saltstack/pillar/minions/ - cp /tmp/$MINION/schedules/* /opt/so/saltstack/salt/patch/os/schedules/ + cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/ + cp /tmp/$MINION/schedules/* $default_salt_dir/salt/patch/os/schedules/ rm -rf /tmp/$MINION \ No newline at end of file diff --git a/salt/nodered/files/nodered_load_flows b/salt/nodered/files/nodered_load_flows index c48fcd692..5617b1022 100644 --- a/salt/nodered/files/nodered_load_flows +++ b/salt/nodered/files/nodered_load_flows @@ -1,5 +1,6 @@ {%- set ip = salt['pillar.get']('static:masterip', '') -%} #!/bin/bash +default_salt_dir=/opt/so/saltstack/default echo "Waiting for connection" until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do @@ -7,5 +8,5 @@ until $(curl --output /dev/null --silent --head http://{{ ip }}:1880); do sleep 1 done echo "Loading flows..." -curl -XPOST -v -H "Content-Type: application/json" -d @/opt/so/saltstack/salt/nodered/so_flows.json {{ ip }}:1880/flows +curl -XPOST -v -H "Content-Type: application/json" -d @$default_salt_dir/salt/nodered/so_flows.json {{ ip }}:1880/flows echo "Done loading..." diff --git a/salt/nodered/init.sls b/salt/nodered/init.sls index cb1068d30..c501445a2 100644 --- a/salt/nodered/init.sls +++ b/salt/nodered/init.sls @@ -36,7 +36,7 @@ nodered: noderedflows: file.recurse: - - name: /opt/so/saltstack/salt/nodered/ + - name: /opt/so/saltstack/default/salt/nodered/ - source: salt://nodered/files - user: 947 - group: 939 diff --git a/salt/playbook/files/playbook_db_init.sh b/salt/playbook/files/playbook_db_init.sh index c77b93df1..713575f97 100644 --- a/salt/playbook/files/playbook_db_init.sh +++ b/salt/playbook/files/playbook_db_init.sh 
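Review bot: `cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/` and the `rm -rf /tmp/$MINION` after it still use `$1` as an unchecked path component, although the header comment promises the files are added "securely" and update_sudoers in this commit lets soremote run this script as root with any argument. Add a shape check before the first use, `[[ $MINION =~ ^[A-Za-z0-9_-][A-Za-z0-9._-]*$ ]] || { echo "invalid minion id: $MINION" >&2; exit 1; }`, and quote every expansion (`"/tmp/$MINION/pillar/$MINION.sls"`, `"$default_salt_dir/pillar/minions/"`). Since `/tmp/$MINION` is only `mkdir -p`'d by soremote over ssh (see copy_minion_tmp_files) and lives in a world-writable directory, it is also worth confirming the staging directory is owned by soremote before copying from it, e.g. `[[ $(stat -c %U "/tmp/$MINION") == soremote ]] || exit 1`.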
@@ -1,5 +1,7 @@ {%- set MYSQLPASS = salt['pillar.get']('secrets:mysql', None) -%} #!/bin/sh -docker cp /opt/so/saltstack/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql +default_salt_dir=/opt/so/saltstack/default + +docker cp $default_salt_dir/salt/playbook/files/playbook_db_init.sql so-mysql:/tmp/playbook_db_init.sql docker exec so-mysql /bin/bash -c "/usr/bin/mysql -b -uroot -p{{MYSQLPASS}} < /tmp/playbook_db_init.sql" \ No newline at end of file diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index d841d54d6..e93ab73f5 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,11 +13,12 @@ def run(): ROLE = data['data']['role'] ESECRET = data['data']['enroll-secret'] MAINIP = data['data']['mainip'] - - STATICFILE = '/opt/so/saltstack/pillar/static.sls' - SECRETSFILE = '/opt/so/saltstack/pillar/secrets.sls' + default_salt_dir = /opt/so/saltstack/default + STATICFILE = default_salt_dir + '/pillar/static.sls' + SECRETSFILE = default_salt_dir + '/pillar/secrets.sls' if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']: + if ACTION == 'enablefleet': logging.info('so/fleet enablefleet reactor') @@ -54,7 +55,7 @@ def run(): PACKAGEVERSION += 1 # Run Docker container that will build the packages - gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=/opt/so/saltstack/salt/fleet/packages,target=/output", \ + gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + default_salt_dir + "/salt/fleet/packages,target=/output", \ "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \ f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 384c5bd5f..ed967c6f9 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls 
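Review bot: `default_salt_dir = /opt/so/saltstack/default` is not valid Python — this reactor is a `def run():` module, so the bare path is a syntax error and the whole reactor fails to render, taking the `STATICFILE`/`SECRETSFILE` lines and the `"type=bind,source=" + default_salt_dir + ...` mount in the second hunk down with it. It needs to be a string literal: `default_salt_dir = '/opt/so/saltstack/default'`. The blank line added before `if ACTION == 'enablefleet':` is unrelated whitespace and could be dropped. `run()` starts before this hunk.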
@@ -84,17 +84,17 @@ chownilogstashfilebeatp8: # Create Symlinks to the keys so I can distribute it to all the things filebeatdir: file.directory: - - name: /opt/so/saltstack/salt/filebeat/files + - name: /opt/so/saltstack/default/salt/filebeat/files - mkdirs: True fbkeylink: file.symlink: - - name: /opt/so/saltstack/salt/filebeat/files/filebeat.p8 + - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.p8 - target: /etc/pki/filebeat.p8 fbcrtlink: file.symlink: - - name: /opt/so/saltstack/salt/filebeat/files/filebeat.crt + - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.crt - target: /etc/pki/filebeat.crt # Create a cert for the docker registry diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index ab4b15fd0..af4761950 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -1,5 +1,6 @@ {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} #!/bin/bash +default_salt_dir=/opt/so/saltstack/default # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # @@ -17,7 +18,7 @@ # along with this program. If not, see . # Check if Wazuh enabled -if grep -q -R "wazuh: 1" /opt/so/saltstack/pillar/*; then +if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" if ! grep -q "{{ MASTERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` diff --git a/setup/so-functions b/setup/so-functions index a20953035..72d252e6d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -116,16 +116,16 @@ add_web_user() { # Create an secrets pillar so that passwords survive re-install secrets_pillar(){ - if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then + if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then echo "Creating Secrets Pillar" >> "$setup_log" 2>&1 - mkdir -p /opt/so/saltstack/pillar + mkdir -p $default_salt_dir/pillar printf '%s\n'\ "secrets:"\ " mysql: $MYSQLPASS"\ " playbook: $PLAYBOOKPASS"\ " fleet: $FLEETPASS"\ " fleet_jwt: $FLEETJWT"\ - " fleet_enroll-secret: False" > /opt/so/saltstack/pillar/secrets.sls + " fleet_enroll-secret: False" > $default_salt_dir/pillar/secrets.sls fi } @@ -327,10 +327,10 @@ configure_minion() { "mysql.host: '$MAINIP'"\ "mysql.port: 3306"\ "mysql.user: 'root'" >> "$minion_config" - if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then + if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config" else - OLDPASS=$(grep "mysql" /opt/so/saltstack/pillar/secrets.sls | awk '{print $2}') + OLDPASS=$(grep "mysql" $default_salt_dir/pillar/secrets.sls | awk '{print $2}') echo "mysql.pass: '$OLDPASS'" >> "$minion_config" fi ;; 
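Review bot: `" fleet_enroll-secret: False" > $default_salt_dir/pillar/secrets.sls` writes the MySQL, Playbook and Fleet passwords with whatever umask the installer inherited, and nothing in secrets_pillar tightens the mode afterwards. Create the file closed from the start, e.g. wrap the write as `( umask 077; printf '%s\n' ... > "$default_salt_dir/pillar/secrets.sls" )`, or follow it with `chmod 600 "$default_salt_dir/pillar/secrets.sls"`; ownership for the salt master appears to be handled later by the chown in setup_salt_master_dirs, so only the mode needs fixing here. Quoting `"$default_salt_dir"` would also match the `"$setup_log"` style on the adjacent lines.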
@@ -409,20 +409,20 @@ copy_master_config() { copy_minion_tmp_files() { case "$install_type" in 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') - echo "Copying pillar and salt files in $temp_install_dir to /opt/so/saltstack" - cp -Rv "$temp_install_dir"/pillar/ /opt/so/saltstack/ >> "$setup_log" 2>&1 + echo "Copying pillar and salt files in $temp_install_dir to $default_salt_dir" + cp -Rv "$temp_install_dir"/pillar/ $default_salt_dir/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then - cp -Rv "$temp_install_dir"/salt/ /opt/so/saltstack/ >> "$setup_log" 2>&1 + cp -Rv "$temp_install_dir"/salt/ $default_salt_dir/ >> "$setup_log" 2>&1 fi ;; *) { - echo "scp pillar and salt files in $temp_install_dir to master /opt/so/saltstack"; + echo "scp pillar and salt files in $temp_install_dir to master $default_salt_dir"; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/salt/master/files/add_minion.sh "$MINION_ID"; + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/master/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 ;; esac @@ -695,7 +695,7 @@ docker_seed_registry() { fireeye_pillar() { - local fireeye_pillar_path=/opt/so/saltstack/pillar/fireeye + local fireeye_pillar_path=$default_salt_dir/pillar/fireeye mkdir -p "$fireeye_pillar_path" printf '%s\n'\ 
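Review bot: `cp -Rv "$temp_install_dir"/pillar/ $default_salt_dir/ >> "$setup_log" 2>&1` quotes one variable and not the other on the same line, and the same mix recurs in every so-functions hunk of this commit (configure_minion, fireeye_pillar, firewall_generate_templates, master_static, setup_salt_master_dirs, set_initial_firewall_policy, update_sudoers). The value is a fixed path today, but ShellCheck flags each of these (SC2086) and the inconsistency makes the quoted lines look deliberate; write `"$default_salt_dir"/` throughout, matching `"$temp_install_dir"/`. In the ssh branch the variable is expanded locally before the remote command string is built, which is the intended behaviour since the master's sudoers entry is generated from the same variable; a comment saying so, `# expanded locally: must match the NOPASSWD path written by update_sudoers`, would save the next reader the check.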
@@ -709,7 +709,7 @@ fireeye_pillar() { # Generate Firewall Templates firewall_generate_templates() { - local firewall_pillar_path=/opt/so/saltstack/pillar/firewall + local firewall_pillar_path=$default_salt_dir/pillar/firewall mkdir -p "$firewall_pillar_path" for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint @@ -851,7 +851,7 @@ master_pillar() { } master_static() { - local static_pillar="/opt/so/saltstack/pillar/static.sls" + local static_pillar="$default_salt_dir/pillar/static.sls" # Create a static file for global values printf '%s\n'\ @@ -1195,16 +1195,18 @@ set_main_ip() { setup_salt_master_dirs() { # Create salt paster directories - mkdir -p /opt/so/saltstack/salt - mkdir -p /opt/so/saltstack/pillar + mkdir -p $default_salt_dir/pillar + mkdir -p $default_salt_dir/salt + mkdir -p $custom_salt_dir/pillar + mkdir -p $custom_salt_dir/salt # Copy over the salt code and templates if [ "$setup_type" = 'iso' ]; then - rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1 - rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1 + rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 + rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 else - cp -R ../pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1 - cp -R ../salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1 + cp -R ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1 + cp -R ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1 fi echo "Chown the salt dirs on the master for socore" >> "$setup_log" 2>&1 
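Review bot: `mkdir -p $custom_salt_dir/pillar` and `mkdir -p $custom_salt_dir/salt` depend on `custom_salt_dir`, which PATCH 02 of this series renames to `local_salt_dir` in setup/so-variables without touching setup/so-functions; from that commit on the unset variable expands to nothing and these lines create `/pillar` and `/salt` at the filesystem root (unless the shell runs with `set -u`). PATCH 03 lists setup/so-functions in its diffstat, so it may repair this, but those hunks are not visible here. Either way a guard at the top of the function, `: "${default_salt_dir:?}" "${custom_salt_dir:?}"`, turns a silent mkdir in `/` into a clear failure. The rsync/cp lines that follow populate only the default tree; if the local tree is meant to start empty, a one-line comment saying so would help.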
@@ -1306,49 +1308,49 @@ set_initial_firewall_policy() { set_main_ip - if [ -f /opt/so/saltstack/pillar/data/addtotab.sh ]; then chmod +x /opt/so/saltstack/pillar/data/addtotab.sh; fi - if [ -f /opt/so/saltstack/pillar/firewall/addfirewall.sh ]; then chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh; fi + if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi + if [ -f $default_salt_dir/pillar/firewall/addfirewall.sh ]; then chmod +x $default_salt_dir/pillar/firewall/addfirewall.sh; fi case "$install_type" in 'MASTER') - printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls - /opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls $default_salt_dir/pillar/firewall/masterfw.sls + $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH') - printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\ - /opt/so/saltstack/pillar/firewall/masterfw.sls\ - /opt/so/saltstack/pillar/firewall/forward_nodes.sls\ - /opt/so/saltstack/pillar/firewall/search_nodes.sls + printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\ + $default_salt_dir/pillar/firewall/masterfw.sls\ + $default_salt_dir/pillar/firewall/forward_nodes.sls\ + $default_salt_dir/pillar/firewall/search_nodes.sls case "$install_type" in 'EVAL') - /opt/so/saltstack/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" 
"$filesystem_nsm" bond0 ;; 'MASTERSEARCH') - /opt/so/saltstack/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; esac ;; 'HELIXSENSOR') - printf " - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\ - /opt/so/saltstack/pillar/firewall/masterfw.sls\ - /opt/so/saltstack/pillar/firewall/forward_nodes.sls + printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\ + $default_salt_dir/pillar/firewall/masterfw.sls\ + $default_salt_dir/pillar/firewall/forward_nodes.sls ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP" case "$install_type" in 'SENSOR') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ;; 'SEARCHNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" 
"$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; esac ;; 
@@ -1426,9 +1428,9 @@ update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then # Update Sudoers so that soremote can accept keys without a password echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers - echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/salt/master/files/add_minion.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers + echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers else echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1 fi diff --git a/setup/so-variables b/setup/so-variables index 786a4ca9b..ac0eba836 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -34,3 +34,6 @@ export temp_install_dir=/root/installtmp export percentage_str='Getting started' export DEBIAN_FRONTEND=noninteractive + +export default_salt_dir=/opt/so/saltstack/default +export custom_salt_dir=/opt/so/saltstack/custom diff --git a/upgrade/so-update-functions b/upgrade/so-update-functions index 5666fc2d6..dd4235902 100644 --- a/upgrade/so-update-functions +++ b/upgrade/so-update-functions 
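Review bot: `echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/master/files/add_minion.sh" | tee -a /etc/sudoers` grants soremote root for a script that lives in a tree this setup chowns to socore (`Chown the salt dirs on the master for socore` in setup_salt_master_dirs, and `chown -R socore:socore $default_salt_dir/salt` in upgrade/so-update-functions), so the NOPASSWD targets are writable by a non-root service account; the two pillar scripts on the lines above are in the same position. Sudo targets should be root-owned and not group- or world-writable: install the three scripts under a root-owned path (e.g. copy them to `/usr/sbin/` with mode 0755) and point the sudoers lines there, or at least exclude them from the recursive chown. Separately, the `grep -qE '^soremote ... (\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)'` idempotency check also matches the old `/opt/so/saltstack/pillar/...` entries, so an upgraded master keeps the stale rules and never receives these new ones, and appending with `tee -a /etc/sudoers` skips syntax checking; writing a dedicated `/etc/sudoers.d/soremote` file and validating it with `visudo -cf` before installing addresses both. update_sudoers starts before this hunk.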
@@ -95,9 +95,9 @@ copy_new_files() {
 # Copy new files over to the salt dir
 cd /tmp/sogh/securityonion-saltstack
- rsync -a --exclude-from 'exclude-list.txt' salt /opt/so/saltstack/
- chown -R socore:socore /opt/so/saltstack/salt
- chmod 755 /opt/so/saltstack/pillar/firewall/addfirewall.sh
+ rsync -a --exclude-from 'exclude-list.txt' salt $default_salt_dir/
+ chown -R socore:socore $default_salt_dir/salt
+ chmod 755 $default_salt_dir/pillar/firewall/addfirewall.sh
 cd /tmp
 }
From b24654002bb6adb7c062a6cc130da248871fd522 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 21 May 2020 14:53:25 -0400
Subject: [PATCH 02/27] rename salt custom directory to local

---
 salt/deprecated-bro/files/local.bro | 4 ++--
 setup/so-variables | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/deprecated-bro/files/local.bro b/salt/deprecated-bro/files/local.bro
index 131db7491..afe4b94ca 100644
--- a/salt/deprecated-bro/files/local.bro
+++ b/salt/deprecated-bro/files/local.bro
@@ -127,11 +127,11 @@
 @load policy/hassh
 # You can load your own intel into:
-# $default_salt_dir/bro/policy/intel/ on the master
+# /opt/so/saltstack/bro/policy/intel/ on the master
 @load intel
 # Load a custom Bro policy
-# $default_salt_dir/bro/policy/custom/ on the master
+# /opt/so/saltstack/bro/policy/custom/ on the master
 #@load custom/somebropolicy.bro
 # Write logs in JSON
diff --git a/setup/so-variables b/setup/so-variables
index ac0eba836..7e0f71c8a 100644
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -36,4 +36,4 @@ export percentage_str='Getting started'
 export DEBIAN_FRONTEND=noninteractive
 
 export default_salt_dir=/opt/so/saltstack/default
-export custom_salt_dir=/opt/so/saltstack/custom
+export local_salt_dir=/opt/so/saltstack/local
From fafb469b5cd5b7e12f662fc53b572ca001579d3b Mon Sep 17 00:00:00 2001
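Review bot: `$default_salt_dir` is only known to be exported by `setup/so-variables`, and nothing visible shows `upgrade/so-update-functions` sourcing it; if it is unset here, `rsync -a ... salt $default_salt_dir/` copies the tree to `/salt` and the following `chown -R socore:socore $default_salt_dir/salt` recurses over `/salt` as root. Guard the value at the top of `copy_new_files` with `: "${default_salt_dir:?default_salt_dir must be set}"`, or give it a fallback, `default_salt_dir=${default_salt_dir:-/opt/so/saltstack/default}`. The `rsync` and `chown` exit statuses are also unchecked, so a partially synced `default` tree is not reported; `rsync ... || return 1` would surface it.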
From: m0duspwnens Date: Tue, 26 May 2020 11:59:00 -0400 Subject: [PATCH 03/27] change from default to local - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- files/master | 2 + pillar/data/addtotab.sh | 30 +++++++-------- pillar/firewall/addfirewall.sh | 6 +-- salt/common/tools/sbin/so-allow | 4 +- salt/common/tools/sbin/so-bro-logs | 8 ++-- salt/common/tools/sbin/so-features-enable | 6 +-- salt/common/tools/sbin/so-helix-apikey | 6 +-- salt/fleet/files/scripts/so-fleet-packages | 6 +-- salt/idstools/init.sls | 2 +- salt/master/files/add_minion.sh | 6 +-- salt/reactor/fleet.sls | 8 ++-- salt/ssl/init.sls | 6 +-- salt/wazuh/files/wazuh-manager-whitelist | 4 +- setup/so-functions | 44 +++++++++++----------- 14 files changed, 71 insertions(+), 67 deletions(-) diff --git a/files/master b/files/master index 8739a043a..aa9a7a986 100644 --- a/files/master +++ b/files/master @@ -38,6 +38,7 @@ log_file: /opt/so/log/salt/master file_roots: base: - /opt/so/saltstack/default/salt + - /opt/so/saltstack/local/salt # The master_roots setting configures a master-only copy of the file_roots dictionary, # used by the state compiler. @@ -54,6 +55,7 @@ file_roots: pillar_roots: base: - /opt/so/saltstack/default/pillar + - /opt/so/saltstack/local/pillar peer: .*: diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 33c73c21e..b20bf22d9 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -1,7 +1,7 @@ #!/usr/bin/env bash # This script adds sensors/nodes/etc to the nodes tab -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local TYPE=$1 NAME=$2 IPADDRESS=$3 @@ -15,7 +15,7 @@ MONINT=$9 #HOTNAME=$11 echo "Seeing if this host is already in here. If so delete it" -if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then +if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then echo "Node Already Present - Let's re-add it" awk -v blah=" $NAME:" 'BEGIN{ print_flag=1 } { 
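Review bot: With `/opt/so/saltstack/default/salt` listed before the new `/opt/so/saltstack/local/salt` in `file_roots`, the Salt `roots` fileserver serves the first root in which a requested path exists, so a file placed under `local` cannot override a same-named file shipped in `default` — which appears to be the purpose of the local tree. If local is meant to win, list it first: `- /opt/so/saltstack/local/salt` then `- /opt/so/saltstack/default/salt`. For `pillar_roots` both roots' `top.sls` files are evaluated and the data merged under Salt's pillar merge rules, so the precedence question is different there; a short comment in this file stating which root is meant to win, and why, would save the next maintainer the experiment.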
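Review bot: `$TYPE` is used unvalidated as a path component in `"$local_salt_dir/pillar/data/$TYPE.sls"` although this script is one of the commands `update_sudoers` grants to `soremote` via `NOPASSWD` with no argument restriction, so a caller can point the appends that follow at any `*.sls` under the pillar tree (or, via `..`, outside it) as root. Reject anything outside the known set before touching the filesystem: `case "$TYPE" in evaltab|mastersearchtab|mastertab|nodestab|sensorstab) ;; *) echo "unknown tab type: $TYPE" >&2; exit 1 ;; esac`. The unquoted `grep -q $NAME` treats the hostname as a regex and matches substrings, so `node1` is reported present when only `node10` is listed; `grep -qF -- " $NAME:"` matches the exact key the script writes.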
@@ -31,27 +31,27 @@ if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then if ( print_flag == 1 ) print $0 -} ' $default_salt_dir/pillar/data/$TYPE.sls > $default_salt_dir/pillar/data/tmp.$TYPE.sls -mv $default_salt_dir/pillar/data/tmp.$TYPE.sls $default_salt_dir/pillar/data/$TYPE.sls +} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls +mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls echo "Deleted $NAME from the tab. Now adding it in again with updated info" fi -echo " $NAME:" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " ip: $IPADDRESS" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " manint: $MANINT" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " totalcpus: $CPUS" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " guid: $GUID" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " rootfs: $ROOTFS" >> $default_salt_dir/pillar/data/$TYPE.sls -echo " nsmfs: $NSM" >> $default_salt_dir/pillar/data/$TYPE.sls +echo " $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls +echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls if [ $TYPE == 'sensorstab' ]; then - echo " monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls + echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls salt-call state.apply common queue=True fi if [ $TYPE == 'evaltab' ]; then - echo " monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls + echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls salt-call state.apply common queue=True salt-call state.apply utility queue=True fi #if [ $TYPE == 'nodestab' ]; then -# echo " nodetype: $NODETYPE" >> 
$default_salt_dir/pillar/data/$TYPE.sls -# echo " hotname: $HOTNAME" >> $default_salt_dir/pillar/data/$TYPE.sls +# echo " nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls +# echo " hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls #fi diff --git a/pillar/firewall/addfirewall.sh b/pillar/firewall/addfirewall.sh index 856fda869..c30451aa5 100644 --- a/pillar/firewall/addfirewall.sh +++ b/pillar/firewall/addfirewall.sh @@ -1,13 +1,13 @@ #!/usr/bin/env bash # This script adds ip addresses to specific rule sets defined by the user -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local POLICY=$1 IPADDRESS=$2 -if grep -q $2 "$default_salt_dir/pillar/firewall/$1.sls"; then +if grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"; then echo "Firewall Rule Already There" else - echo " - $2" >> $default_salt_dir/pillar/firewall/$1.sls + echo " - $2" >> $local_salt_dir/pillar/firewall/$1.sls salt-call state.apply firewall queue=True fi diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index d3906e67c..9be770bed 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -18,6 +18,8 @@ . /usr/sbin/so-common default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local + SKIP=0 while getopts "abowi:" OPTION @@ -84,7 +86,7 @@ echo "Adding $IP to the $FULLROLE role. This can take a few seconds" $default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP # Check if Wazuh enabled -if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then +if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" diff --git a/salt/common/tools/sbin/so-bro-logs b/salt/common/tools/sbin/so-bro-logs index ac70ea857..173d23029 100755 --- a/salt/common/tools/sbin/so-bro-logs +++ b/salt/common/tools/sbin/so-bro-logs 
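Review bot: The `awk ... > $local_salt_dir/pillar/data/tmp.$TYPE.sls` / `mv` pair at the top of the hunk replaces the pillar file unconditionally, so if awk fails (missing file, full disk) the truncated temp file still overwrites the real tab; chain them, `awk ... > "$tmp" && mv "$tmp" "$file"`, and hold the repeated `$local_salt_dir/pillar/data/$TYPE.sls` path in one variable. The `[ $TYPE == 'sensorstab' ]` tests are unquoted, which is a syntax error rather than a false branch when `$TYPE` is empty; prefer `[[ "$TYPE" == 'sensorstab' ]]`. Neither `salt-call state.apply` exit status is checked, so a failed apply is invisible to the `so-functions` caller.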
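Review bot: `grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"` uses the IP as an unanchored regex, so `.` matches any character and a substring counts: adding `10.0.0.1` is reported as "Firewall Rule Already There" when `10.0.0.100` is already listed, and the rule is silently never written. Match the exact line the script appends: `grep -qxF -- " - $2" "$local_salt_dir/pillar/firewall/$1.sls"`. Because this script is granted to `soremote` through `NOPASSWD` sudo with no argument restriction, `$1` should also be checked against the policy names that `firewall_generate_templates` creates (analyst, beats_endpoint, forward_nodes, masterfw, minions, osquery_endpoint, search_nodes, wazuh_endpoint) before it is used as a path component.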
@@ -1,12 +1,12 @@ #!/bin/bash -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local bro_logs_enabled() { - echo "brologs:" > $default_salt_dir/pillar/brologs.sls - echo " enabled:" >> $default_salt_dir/pillar/brologs.sls + echo "brologs:" > $local_salt_dir/pillar/brologs.sls + echo " enabled:" >> $local_salt_dir/pillar/brologs.sls for BLOG in ${BLOGS[@]}; do - echo " - $BLOG" | tr -d '"' >> $default_salt_dir/pillar/brologs.sls + echo " - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls done } diff --git a/salt/common/tools/sbin/so-features-enable b/salt/common/tools/sbin/so-features-enable index 3f7034e2a..6ba9252a9 100755 --- a/salt/common/tools/sbin/so-features-enable +++ b/salt/common/tools/sbin/so-features-enable @@ -15,11 +15,11 @@ # along with this program. If not, see . . /usr/sbin/so-common -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local -VERSION=$(grep soversion $default_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') +VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g') # Modify static.sls to enable Features -sed -i 's/features: False/features: True/' $default_salt_dir/pillar/static.sls +sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls SUFFIX="-features" TRUSTED_CONTAINERS=( \ "so-elasticsearch:$VERSION$SUFFIX" \ diff --git a/salt/common/tools/sbin/so-helix-apikey b/salt/common/tools/sbin/so-helix-apikey index 6f93d9f55..c58d2ad89 100755 --- a/salt/common/tools/sbin/so-helix-apikey +++ b/salt/common/tools/sbin/so-helix-apikey @@ -1,6 +1,6 @@ #!/bin/bash -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local got_root() { 
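Review bot: `VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')` yields an empty string if `static.sls` is absent from the new `local` tree, and the script then goes on to build image tags such as `so-elasticsearch:-features` (the `TRUSTED_CONTAINERS` array continues past the end of the hunk). Fail early instead: `[[ -n "$VERSION" ]] || { echo "soversion not found in $local_salt_dir/pillar/static.sls" >&2; exit 1; }`. Anchoring the lookup, `grep '^soversion:'`, avoids picking up another key that merely contains the word.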
@@ -13,13 +13,13 @@ got_root() { } got_root -if [ ! -f $default_salt_dir/pillar/fireeye/init.sls ]; then +if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then echo "This is nto configured for Helix Mode. Please re-install." exit else echo "Enter your Helix API Key: " read APIKEY - sed -i "s/^ api_key.*/ api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls + sed -i "s/^ api_key.*/ api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls docker stop so-logstash docker rm so-logstash echo "Restarting Logstash for updated key" diff --git a/salt/fleet/files/scripts/so-fleet-packages b/salt/fleet/files/scripts/so-fleet-packages index 3b804e472..e68517bde 100644 --- a/salt/fleet/files/scripts/so-fleet-packages +++ b/salt/fleet/files/scripts/so-fleet-packages @@ -2,7 +2,7 @@ {% set MAIN_HOSTNAME = salt['grains.get']('host') %} {% set MAIN_IP = salt['pillar.get']('node:mainip') %} -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local #so-fleet-packages $FleetHostname/IP @@ -27,8 +27,8 @@ docker run \ --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \ docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090 -cp /opt/so/conf/fleet/packages/launcher.* $default_salt_dir/salt/launcher/packages/ +cp /opt/so/conf/fleet/packages/launcher.* $local_salt_dir/salt/launcher/packages/ #Update timestamp on packages webpage sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html -sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $default_salt_dir/salt/fleet/files/dedicated-index.html \ No newline at end of file +sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $local_salt_dir/salt/fleet/files/dedicated-index.html \ No newline at end of file diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 0b641c83d..c42d4ef5b 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls 
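Review bot: `read APIKEY` followed by `sed -i "s/^ api_key.*/ api_key: $APIKEY/g"` interpolates the secret into a sed expression, so a key containing `/`, `&` or `\` breaks the substitution or injects sed syntax, and the key is echoed to the terminal as it is typed. Read it with `read -r -s APIKEY; echo` and escape it before substitution, `esc=$(printf '%s' "$APIKEY" | sed 's/[&/\]/\\&/g')`, or rewrite the line with `awk -v key="$APIKEY"` so the value is never parsed as a pattern. The `exit` on the not-configured branch returns 0, so a calling script cannot tell that nothing was done; `exit 1` is more honest (and "nto" in that message is a typo).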
@@ -60,7 +60,7 @@ synclocalnidsrules: ruleslink: file.symlink: - - name: /opt/so/saltstack/default/salt/suricata/rules + - name: /opt/so/saltstack/local/salt/suricata/rules - target: /opt/so/rules/nids so-idstools: diff --git a/salt/master/files/add_minion.sh b/salt/master/files/add_minion.sh index 043a09ead..40d1c6adf 100755 --- a/salt/master/files/add_minion.sh +++ b/salt/master/files/add_minion.sh @@ -1,10 +1,10 @@ #!/usr/bin/env bash # This script adds pillar and schedule files securely -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local MINION=$1 echo "Adding $1" - cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/ - cp /tmp/$MINION/schedules/* $default_salt_dir/salt/patch/os/schedules/ + cp /tmp/$MINION/pillar/$MINION.sls $local_salt_dir/pillar/minions/ + cp --parents /tmp/$MINION/schedules/* $local_salt_dir/salt/patch/os/schedules/ rm -rf /tmp/$MINION \ No newline at end of file diff --git a/salt/reactor/fleet.sls b/salt/reactor/fleet.sls index e93ab73f5..759cfaf58 100644 --- a/salt/reactor/fleet.sls +++ b/salt/reactor/fleet.sls @@ -13,9 +13,9 @@ def run(): ROLE = data['data']['role'] ESECRET = data['data']['enroll-secret'] MAINIP = data['data']['mainip'] - default_salt_dir = /opt/so/saltstack/default - STATICFILE = default_salt_dir + '/pillar/static.sls' - SECRETSFILE = default_salt_dir + '/pillar/secrets.sls' + local_salt_dir = /opt/so/saltstack/local + STATICFILE = local_salt_dir + '/pillar/static.sls' + SECRETSFILE = local_salt_dir + '/pillar/secrets.sls' if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']: 
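Review bot: `rm -rf /tmp/$MINION` on the last line runs `rm -rf /tmp/` as root when the script is invoked without an argument, and `$MINION` is otherwise used unvalidated in `/tmp/$MINION/pillar/$MINION.sls` although `update_sudoers` grants this script to `soremote` via `NOPASSWD` with no argument restriction. Validate it at the top, `[[ "$1" =~ ^[A-Za-z0-9_.-]+$ ]] || { echo "bad minion id" >&2; exit 1; }`, and use `rm -rf -- "/tmp/${MINION:?}"` so an empty value aborts. The new `cp --parents /tmp/$MINION/schedules/* ...` also changes the layout: `--parents` recreates the full source path, so the files land under `.../schedules/tmp/<minion>/schedules/` instead of directly in `.../schedules/` as the removed line put them; if the intent was to create a missing destination, `mkdir -p "$local_salt_dir/salt/patch/os/schedules"` before a plain `cp` does that.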
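Review bot: `local_salt_dir = /opt/so/saltstack/local` is a Python assignment without quotes inside what appears to be a py-renderer `def run():` body, so the renderer raises a SyntaxError and the reactor never runs; the removed `default_salt_dir = /opt/so/saltstack/default` line had the same defect, so this commit carries it forward rather than fixing it. Write `local_salt_dir = '/opt/so/saltstack/local'`, after which the `STATICFILE` / `SECRETSFILE` concatenations and the bind-mount source in the later hunk work as intended. `run()` continues outside the hunk.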
@@ -55,7 +55,7 @@ def run(): PACKAGEVERSION += 1 # Run Docker container that will build the packages - gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + default_salt_dir + "/salt/fleet/packages,target=/output", \ + gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + local_salt_dir + "/salt/fleet/packages,target=/output", \ "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \ f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii') diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index ed967c6f9..9ecf65941 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -84,17 +84,17 @@ chownilogstashfilebeatp8: # Create Symlinks to the keys so I can distribute it to all the things filebeatdir: file.directory: - - name: /opt/so/saltstack/default/salt/filebeat/files + - name: /opt/so/saltstack/local/salt/filebeat/files - mkdirs: True fbkeylink: file.symlink: - - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.p8 + - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8 - target: /etc/pki/filebeat.p8 fbcrtlink: file.symlink: - - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.crt + - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt - target: /etc/pki/filebeat.crt # Create a cert for the docker registry diff --git a/salt/wazuh/files/wazuh-manager-whitelist b/salt/wazuh/files/wazuh-manager-whitelist index af4761950..19ad63415 100755 --- a/salt/wazuh/files/wazuh-manager-whitelist +++ b/salt/wazuh/files/wazuh-manager-whitelist @@ -1,6 +1,6 @@ {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} #!/bin/bash -default_salt_dir=/opt/so/saltstack/default +local_salt_dir=/opt/so/saltstack/local # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # 
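Review bot: `fbkeylink` symlinks the Filebeat private key `/etc/pki/filebeat.p8` into `/opt/so/saltstack/local/salt/filebeat/files/`, which the `files/master` hunk in this series adds to `file_roots`; the Salt fileserver serves everything under `file_roots` to every accepted minion, so any minion, not only the ones that run Filebeat, can fetch the key with `cp.get_file salt://filebeat/files/filebeat.p8`. The header comment says the sharing is intentional, but the state should say so explicitly, e.g. `# NOTE: one cluster-wide key; every accepted minion can read salt://filebeat/files/filebeat.p8`. If per-node keys are ever wanted, delivering them through pillar (which is targeted per minion) instead of `file_roots` is the usual route.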
@@ -18,7 +18,7 @@ default_salt_dir=/opt/so/saltstack/default # along with this program. If not, see . # Check if Wazuh enabled -if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then +if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" if ! grep -q "{{ MASTERIP }}" $WAZUH_MGR_CFG ; then DATE=`date` diff --git a/setup/so-functions b/setup/so-functions index 72d252e6d..922046d5e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -116,16 +116,16 @@ add_web_user() { # Create an secrets pillar so that passwords survive re-install secrets_pillar(){ - if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then + if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then echo "Creating Secrets Pillar" >> "$setup_log" 2>&1 - mkdir -p $default_salt_dir/pillar + mkdir -p $local_salt_dir/pillar printf '%s\n'\ "secrets:"\ " mysql: $MYSQLPASS"\ " playbook: $PLAYBOOKPASS"\ " fleet: $FLEETPASS"\ " fleet_jwt: $FLEETJWT"\ - " fleet_enroll-secret: False" > $default_salt_dir/pillar/secrets.sls + " fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls fi } @@ -327,10 +327,10 @@ configure_minion() { "mysql.host: '$MAINIP'"\ "mysql.port: 3306"\ "mysql.user: 'root'" >> "$minion_config" - if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then + if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config" else - OLDPASS=$(grep "mysql" $default_salt_dir/pillar/secrets.sls | awk '{print $2}') + OLDPASS=$(grep "mysql" $local_salt_dir/pillar/secrets.sls | awk '{print $2}') echo "mysql.pass: '$OLDPASS'" >> "$minion_config" fi ;; 
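Review bot: `secrets_pillar` writes the MySQL, Playbook and Fleet passwords and the Fleet JWT to `$local_salt_dir/pillar/secrets.sls` with a plain `>` redirect, so the file is created under the process umask (typically 0644) and is readable by every local user on the master. Create it restrictively, `( umask 077; printf '%s\n' ... > "$local_salt_dir/pillar/secrets.sls" )`, or follow the write with `chmod 600 "$local_salt_dir/pillar/secrets.sls"`. The `configure_minion` hunk reads it back with `grep "mysql"`, which matches any line containing the word; `grep '^ *mysql:'` keeps working if more keys are ever added.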
@@ -409,15 +409,15 @@ copy_master_config() { copy_minion_tmp_files() { case "$install_type" in 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE') - echo "Copying pillar and salt files in $temp_install_dir to $default_salt_dir" - cp -Rv "$temp_install_dir"/pillar/ $default_salt_dir/ >> "$setup_log" 2>&1 + echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" + cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then - cp -Rv "$temp_install_dir"/salt/ $default_salt_dir/ >> "$setup_log" 2>&1 + cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 fi ;; *) { - echo "scp pillar and salt files in $temp_install_dir to master $default_salt_dir"; + echo "scp pillar and salt files in $temp_install_dir to master $local_salt_dir"; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; @@ -695,7 +695,7 @@ docker_seed_registry() { fireeye_pillar() { - local fireeye_pillar_path=$default_salt_dir/pillar/fireeye + local fireeye_pillar_path=$local_salt_dir/pillar/fireeye mkdir -p "$fireeye_pillar_path" printf '%s\n'\ @@ -709,7 +709,7 @@ fireeye_pillar() { # Generate Firewall Templates firewall_generate_templates() { - local firewall_pillar_path=$default_salt_dir/pillar/firewall + local firewall_pillar_path=$local_salt_dir/pillar/firewall mkdir -p "$firewall_pillar_path" for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint @@ -851,7 +851,7 @@ master_pillar() { } master_static() { - local static_pillar="$default_salt_dir/pillar/static.sls" + local static_pillar="$local_salt_dir/pillar/static.sls" # Create a static file for global values printf '%s\n'\ 
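Review bot: Non-master installs stage their pillar and schedule files on the master under `/tmp/"$MINION_ID"`, a world-writable directory, and `add_minion.sh` later copies from there as root via sudo; any local user on the master who can guess a minion id can pre-create `/tmp/<id>/pillar/<id>.sls` (or plant a symlink) and have it installed into the pillar tree. Stage under a location only `soremote` can write, for example `ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -m 700 -p "/home/soremote/staging/$MINION_ID"`, and have the receiving script refuse a directory not owned by `soremote`. The `{ ... }` group also joins its `mkdir`, `scp` and `ssh` steps with `;`, so a failed `mkdir` does not stop the copies that follow; `&&` chaining would. The group continues past the end of the hunk.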
@@ -1197,8 +1197,8 @@ setup_salt_master_dirs() { # Create salt paster directories mkdir -p $default_salt_dir/pillar mkdir -p $default_salt_dir/salt - mkdir -p $custom_salt_dir/pillar - mkdir -p $custom_salt_dir/salt + mkdir -p $local_salt_dir/pillar + mkdir -p $local_salt_dir/salt # Copy over the salt code and templates if [ "$setup_type" = 'iso' ]; then @@ -1313,14 +1313,14 @@ set_initial_firewall_policy() { case "$install_type" in 'MASTER') - printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls $default_salt_dir/pillar/firewall/masterfw.sls + printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH') - printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\ - $default_salt_dir/pillar/firewall/masterfw.sls\ - $default_salt_dir/pillar/firewall/forward_nodes.sls\ - $default_salt_dir/pillar/firewall/search_nodes.sls + printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ + $local_salt_dir/pillar/firewall/masterfw.sls\ + $local_salt_dir/pillar/firewall/forward_nodes.sls\ + $local_salt_dir/pillar/firewall/search_nodes.sls case "$install_type" in 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 
@@ -1331,9 +1331,9 @@ set_initial_firewall_policy() { esac ;; 'HELIXSENSOR') - printf " - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\ - $default_salt_dir/pillar/firewall/masterfw.sls\ - $default_salt_dir/pillar/firewall/forward_nodes.sls + printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\ + $local_salt_dir/pillar/firewall/masterfw.sls\ + $local_salt_dir/pillar/firewall/forward_nodes.sls ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP" From 413f08f1b9e0973057d53921086e5c0313e176ba Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 26 May 2020 14:43:15 -0400 Subject: [PATCH 04/27] change mkdirs to makedirs in ssl state --- salt/ssl/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls index 9ecf65941..064207990 100644 --- a/salt/ssl/init.sls +++ b/salt/ssl/init.sls @@ -85,7 +85,7 @@ chownilogstashfilebeatp8: filebeatdir: file.directory: - name: /opt/so/saltstack/local/salt/filebeat/files - - mkdirs: True + - makedirs: True fbkeylink: file.symlink: From e27facc843e6d132d294d993283ef60136cbd91f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 26 May 2020 14:47:16 -0400 Subject: [PATCH 05/27] ensure /opt/so/saltstack/local/salt/suricata/rules is created --- salt/idstools/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index c42d4ef5b..7254208a1 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -58,6 +58,13 @@ synclocalnidsrules: - user: 939 - group: 939 +suricatarulesdir: + file.directory: + - name: /opt/so/saltstack/local/salt/suricata/rules + - user: 939 + - group: 939 + - makedirs: True + ruleslink: file.symlink: - name: /opt/so/saltstack/local/salt/suricata/rules From 13c2c4fa4c062e0b0fe7c6e1cf7ae27b07898af7 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Tue, 26 May 2020 15:20:12 -0400 Subject: [PATCH 06/27] create and move files if they dont exist for addtotab.sh - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- pillar/data/addtotab.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index b20bf22d9..1aa3d6780 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -1,6 +1,7 @@ #!/usr/bin/env bash # This script adds sensors/nodes/etc to the nodes tab +default_salt_dir=/opt/so/saltstack/default local_salt_dir=/opt/so/saltstack/local TYPE=$1 NAME=$2 @@ -14,6 +15,14 @@ MONINT=$9 #NODETYPE=$10 #HOTNAME=$11 +if [ ! -d $local_salt_dir/pillar/data/ ]; then + mkdir -p $local_salt_dir/pillar/data/ +fi + +if [ ! -f $local_salt_dir/pillar/data/$TYPE.sls ]; then + cp $default_salt_dir/pillar/data/$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls +fi + echo "Seeing if this host is already in here. If so delete it" if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then echo "Node Already Present - Let's re-add it" From 3d3d63173e50b2f59c4d11794931db21ae26ff0f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 26 May 2020 15:24:39 -0400 Subject: [PATCH 07/27] addtotab should apply grafana instead of common state --- pillar/data/addtotab.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 1aa3d6780..0ad2fa041 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh 
@@ -53,11 +53,11 @@ echo " rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls echo " nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls if [ $TYPE == 'sensorstab' ]; then echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls - salt-call state.apply common queue=True + salt-call state.apply grafana queue=True fi if [ $TYPE == 'evaltab' ]; then echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls - salt-call state.apply common queue=True + salt-call state.apply grafana queue=True salt-call state.apply utility queue=True fi #if [ $TYPE == 'nodestab' ]; then From 1eb6142f11b6a51e94c5e35fcb871d525a40fdb0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 26 May 2020 17:00:29 -0400 Subject: [PATCH 08/27] remove dir creation - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- salt/idstools/init.sls | 7 ------- 1 file changed, 7 deletions(-) diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index 7254208a1..c42d4ef5b 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -58,13 +58,6 @@ synclocalnidsrules: - user: 939 - group: 939 -suricatarulesdir: - file.directory: - - name: /opt/so/saltstack/local/salt/suricata/rules - - user: 939 - - group: 939 - - makedirs: True - ruleslink: file.symlink: - name: /opt/so/saltstack/local/salt/suricata/rules From 2467f5636b3fe5cf1ab8a0fadc9ac9c85985dc00 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 26 May 2020 17:12:47 -0400 Subject: [PATCH 09/27] only have addtotab.sh run grafana or utility state if masterfw.sls exists --- pillar/data/addtotab.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 0ad2fa041..8e5a166cc 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh 
@@ -57,8 +57,10 @@ if [ $TYPE == 'sensorstab' ]; then fi if [ $TYPE == 'evaltab' ]; then echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls - salt-call state.apply grafana queue=True - salt-call state.apply utility queue=True + if [ -f $local_salt_dir/pillar/firewall/masterfw.sls ] ; then + salt-call state.apply grafana queue=True + salt-call state.apply utility queue=True + fi fi #if [ $TYPE == 'nodestab' ]; then # echo " nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls From 7eb02d2af33343f09d65025978c21b852fb6d018 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 10:09:23 -0400 Subject: [PATCH 10/27] move suri rule symlink --- salt/idstools/init.sls | 5 ----- 1 file changed, 5 deletions(-) diff --git a/salt/idstools/init.sls b/salt/idstools/init.sls index c42d4ef5b..9bda4dd58 100644 --- a/salt/idstools/init.sls +++ b/salt/idstools/init.sls @@ -58,11 +58,6 @@ synclocalnidsrules: - user: 939 - group: 939 -ruleslink: - file.symlink: - - name: /opt/so/saltstack/local/salt/suricata/rules - - target: /opt/so/rules/nids - so-idstools: docker_container.running: - image: {{ MASTER }}:5000/soshybridhunter/so-idstools:{{ VERSION }} From f35c59e6ced5e6ec54f0c26952f45aedb3ff0f91 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 12:22:21 -0400 Subject: [PATCH 11/27] apply firewall state before we addtotab --- setup/so-functions | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 7a1e7ec80..90c72d388 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1366,6 +1366,7 @@ set_initial_firewall_policy() { case "$install_type" in 'MASTER') printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls + salt-call state.apply firewall queue=True $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH') @@ -1373,8 +1374,10 @@ set_initial_firewall_policy() { $local_salt_dir/pillar/firewall/masterfw.sls\ $local_salt_dir/pillar/firewall/forward_nodes.sls\ $local_salt_dir/pillar/firewall/search_nodes.sls + salt-call state.apply firewall queue=True case "$install_type" in 'EVAL') + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 ;; 'MASTERSEARCH') From 693000afa82b2f29ffec9199ba5a76a697abf28d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 12:30:12 -0400 Subject: [PATCH 12/27] remove addtotab templates and move surirulelink - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- pillar/data/addtotab.sh | 6 +++++- pillar/data/evaltab.sls | 1 - pillar/data/mastersearchtab.sls | 1 - pillar/data/mastertab.sls | 1 - pillar/data/nodestab.sls | 1 - pillar/data/sensorstab.sls | 1 - salt/suricata/init.sls | 5 +++++ 7 files changed, 10 insertions(+), 6 deletions(-) delete mode 100644 pillar/data/evaltab.sls delete mode 100644 pillar/data/mastersearchtab.sls delete mode 100644 pillar/data/mastertab.sls delete mode 100644 pillar/data/nodestab.sls delete mode 100644 pillar/data/sensorstab.sls diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 8e5a166cc..619f1722f 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh 
@@ -19,8 +19,12 @@ if [ ! -d $local_salt_dir/pillar/data/ ]; then mkdir -p $local_salt_dir/pillar/data/ fi +# Create the template if [ ! -f $local_salt_dir/pillar/data/$TYPE.sls ]; then - cp $default_salt_dir/pillar/data/$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls + printf '%s\n'\ + "$TYPE:"\ + "" > "$local_salt_dir/pillar/data"/$TYPE.sls + echo "Added $TYPE Template" fi echo "Seeing if this host is already in here. If so delete it" diff --git a/pillar/data/evaltab.sls b/pillar/data/evaltab.sls deleted file mode 100644 index 496542c18..000000000 --- a/pillar/data/evaltab.sls +++ /dev/null @@ -1 +0,0 @@ -evaltab: diff --git a/pillar/data/mastersearchtab.sls b/pillar/data/mastersearchtab.sls deleted file mode 100644 index 7e48930ab..000000000 --- a/pillar/data/mastersearchtab.sls +++ /dev/null @@ -1 +0,0 @@ -mastersearchtab: diff --git a/pillar/data/mastertab.sls b/pillar/data/mastertab.sls deleted file mode 100644 index daf832a5f..000000000 --- a/pillar/data/mastertab.sls +++ /dev/null @@ -1 +0,0 @@ -mastertab: diff --git a/pillar/data/nodestab.sls b/pillar/data/nodestab.sls deleted file mode 100644 index b30173cca..000000000 --- a/pillar/data/nodestab.sls +++ /dev/null @@ -1 +0,0 @@ -nodestab: diff --git a/pillar/data/sensorstab.sls b/pillar/data/sensorstab.sls deleted file mode 100644 index 60032a938..000000000 --- a/pillar/data/sensorstab.sls +++ /dev/null @@ -1 +0,0 @@ -sensorstab: diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index 39f419ad0..cc6c6f8a3 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -55,6 +55,11 @@ surilogdir: - user: 940 - group: 939 +ruleslink: + file.symlink: + - name: /opt/so/saltstack/local/salt/suricata/rules + - target: /opt/so/rules/nids + surirulesync: file.recurse: - name: /opt/so/conf/suricata/rules/ From 21f1b423f3c178723c024384759fb39b349ba45a Mon Sep 17 00:00:00 2001 
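Review bot: `$TYPE` is the script's first positional argument and is used unquoted to build the file written by `printf '%s\n' "$TYPE:" "" > "$local_salt_dir/pillar/data"/$TYPE.sls`, so an unexpected value (a space, `../`) would land outside pillar/data. The valid names are exactly the five template files this commit deletes, so a `case "$TYPE" in evaltab|mastersearchtab|mastertab|nodestab|sensorstab) ;; *) echo "unknown tab type: $TYPE" >&2; exit 1 ;; esac` at the top of the script, plus quoting the whole path, closes that gap. The argument assignments sit above the hunk, outside it.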
From: m0duspwnens Date: Wed, 27 May 2020 13:43:55 -0400 Subject: [PATCH 13/27] move where in the process addtotab template and data directory are created - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- pillar/data/addtotab.sh | 12 ------------ setup/so-functions | 15 +++++++++++++++ setup/so-setup | 1 + 3 files changed, 16 insertions(+), 12 deletions(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 619f1722f..a07dac0ea 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -15,18 +15,6 @@ MONINT=$9 #NODETYPE=$10 #HOTNAME=$11 -if [ ! -d $local_salt_dir/pillar/data/ ]; then - mkdir -p $local_salt_dir/pillar/data/ -fi - -# Create the template -if [ ! -f $local_salt_dir/pillar/data/$TYPE.sls ]; then - printf '%s\n'\ - "$TYPE:"\ - "" > "$local_salt_dir/pillar/data"/$TYPE.sls - echo "Added $TYPE Template" -fi - echo "Seeing if this host is already in here. If so delete it" if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then echo "Node Already Present - Let's re-add it" diff --git a/setup/so-functions b/setup/so-functions index f6970d791..0923fb137 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -56,6 +56,21 @@ add_master_hostfile() { whiptail_check_exitstatus $exitstatus } +addtotab_generate_templates() { + + local addtotab_path=$local_salt_dir/pillar/data + mkdir -p "$addtotab_path" + + for i in evaltab mastersearchtab mastertab nodestab sensorstab + do + printf '%s\n'\ + "$i:"\ + "" > "$addtotab_path"/$i.sls + echo "Added $i Template" + done + +} + # $5 => (optional) password variable so_add_user() { local username=$1 diff --git a/setup/so-setup b/setup/so-setup index 9ddb35a0a..919283237 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -405,6 +405,7 @@ fi salt_checkin >> $setup_log 2>&1 if [[ $is_master || $is_helix ]]; then + addtotab_generate_templates >> $setup_log 2>&1 set_progress_str 25 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 
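Review bot: `addtotab_generate_templates` truncates each template with `> "$addtotab_path"/$i.sls` on every run, whereas the addtotab.sh code it replaces only created the file when it was missing, so running setup again over an existing `$local_salt_dir/pillar/data` would discard previously added nodes. If regeneration is intended, say so with `# (re)creates the tab templates; any existing entries are discarded` above the loop; otherwise skip existing files with `[[ -f "$addtotab_path/$i.sls" ]] && continue`. `$i.sls` should also be inside the quotes, `"$addtotab_path/$i.sls"`, even though the loop values are literals.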
From b197869a23b981b0c4346f2eb230c82b638626ff Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 13:46:30 -0400 Subject: [PATCH 14/27] remove logic for if states should run or not - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- pillar/data/addtotab.sh | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index a07dac0ea..9737111c6 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -49,10 +49,8 @@ if [ $TYPE == 'sensorstab' ]; then fi if [ $TYPE == 'evaltab' ]; then echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls - if [ -f $local_salt_dir/pillar/firewall/masterfw.sls ] ; then - salt-call state.apply grafana queue=True - salt-call state.apply utility queue=True - fi + salt-call state.apply grafana queue=True + salt-call state.apply utility queue=True fi #if [ $TYPE == 'nodestab' ]; then # echo " nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls From d018648bc074ecbf33b5cb3c1870f6b4459e17c8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 14:53:40 -0400 Subject: [PATCH 15/27] create addtotab templates sooner in setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- setup/so-setup | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index d059376b9..be5421895 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -401,11 +401,14 @@ fi set_progress_str 21 'Copying minion pillars to master' copy_minion_tmp_files >> $setup_log 2>&1 + if [[ $is_master ]]; then + addtotab_generate_templates >> $setup_log 2>&1 + fi + set_progress_str 22 'Generating CA and checking in' salt_checkin >> $setup_log 2>&1 if [[ $is_master || $is_helix ]]; then - addtotab_generate_templates >> $setup_log 2>&1 set_progress_str 25 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 
From 12a6da928fccc1a35bbfb63e701c031394a155d1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 15:00:11 -0400 Subject: [PATCH 16/27] create /opt/so/saltstack/local/salt/suricata - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- salt/suricata/init.sls | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index a5e575af1..ddd127f54 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -55,11 +55,18 @@ surilogdir: - user: 940 - group: 939 +surilocaldir: + file.directory: + - name: /opt/so/saltstack/local/salt/suricata + - user: 940 + - group: 940 + - makedirs: True + ruleslink: file.symlink: - name: /opt/so/saltstack/local/salt/suricata/rules - target: /opt/so/rules/nids - + suridatadir: file.directory: - name: /nsm/suricata From 16c6b2b2020a2084002d2a226644655fae518bf9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 15:07:49 -0400 Subject: [PATCH 17/27] dont allow addtotab to run grafana and utility states if it is initial setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- pillar/data/addtotab.sh | 7 +++++-- setup/so-functions | 5 +---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index 9737111c6..a3aaa2c24 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -12,6 +12,7 @@ MANINT=$6 ROOTFS=$7 NSM=$8 MONINT=$9 +INITIALSETUP=$10 #NODETYPE=$10 #HOTNAME=$11 
@@ -49,8 +50,10 @@ if [ $TYPE == 'sensorstab' ]; then fi if [ $TYPE == 'evaltab' ]; then echo " monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls - salt-call state.apply grafana queue=True - salt-call state.apply utility queue=True + if [ ! $10 ]; then + salt-call state.apply grafana queue=True + salt-call state.apply utility queue=True + fi fi #if [ $TYPE == 'nodestab' ]; then # echo " nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls diff --git a/setup/so-functions b/setup/so-functions index 53abe311e..5550b94a6 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1386,7 +1386,6 @@ set_initial_firewall_policy() { case "$install_type" in 'MASTER') printf " - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls - salt-call state.apply firewall queue=True $default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'EVAL' | 'MASTERSEARCH') @@ -1394,11 +1393,9 @@ set_initial_firewall_policy() { $local_salt_dir/pillar/firewall/masterfw.sls\ $local_salt_dir/pillar/firewall/forward_nodes.sls\ $local_salt_dir/pillar/firewall/search_nodes.sls - salt-call state.apply firewall queue=True case "$install_type" in 'EVAL') - - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True ;; 'MASTERSEARCH') $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" From 63e0a1e8a23d87ffe6dfc1a07799f6b7abeced14 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 27 May 2020 17:18:17 -0400 Subject: [PATCH 18/27] create local salt and pillar dirs - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- setup/so-functions | 23 ++++++++++++++++------- setup/so-setup | 6 ++---- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9bb756534..0d0e09d01 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -59,14 +59,12 @@ add_master_hostfile() { addtotab_generate_templates() { local addtotab_path=$local_salt_dir/pillar/data - mkdir -p "$addtotab_path" - for i in evaltab mastersearchtab mastertab nodestab sensorstab - do - printf '%s\n'\ - "$i:"\ - "" > "$addtotab_path"/$i.sls - echo "Added $i Template" + for i in evaltab mastersearchtab mastertab nodestab sensorstab; do + printf '%s\n'\ + "$i:"\ + "" > "$addtotab_path"/$i.sls + echo "Added $i Template" done } @@ -455,6 +453,17 @@ copy_ssh_key() { ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" } +create_local_directories() { + echo "Creating local pillar and salt directories" + + for i in "pillar" "salt"; do + for d in `find ./$i/ -type d`; do + mkdir -p $local_salt_dir/$d + done + chown -R socore:socore $local_salt_dir/$i + done + +} create_sensor_bond() { echo "Setting up sensor bond" >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index 28e4be6c2..5b48c35cb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -365,6 +365,8 @@ fi copy_master_config >> $setup_log 2>&1 setup_salt_master_dirs >> $setup_log 2>&1 firewall_generate_templates >> $setup_log 2>&1 + create_local_directories >> $setup_log 2>&1 + addtotab_generate_templates >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 
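Review bot: The backtick `find ./$i/ -type d` loop in `create_local_directories` word-splits find's output and resolves `./pillar` and `./salt` against whatever directory so-setup was launched from, so with a different cwd the loop creates nothing and only `chown -R socore:socore $local_salt_dir/$i` runs; `$local_salt_dir/$d` is also unquoted. Anchoring the search on the location of so-functions and reading NUL-delimited paths fixes both, as below. The first hunk's reformatting of addtotab_generate_templates is unaffected.
```shell
create_local_directories() {
  echo "Creating local pillar and salt directories"
  local src_root i d
  # repository root: so-functions lives in <repo>/setup, pillar/ and salt/ beside it
  src_root=$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd) || return 1
  for i in pillar salt; do
    while IFS= read -r -d '' d; do
      mkdir -p -- "$local_salt_dir/${d#"$src_root"/}"
    done < <(find "$src_root/$i" -type d -print0)
    chown -R socore:socore -- "$local_salt_dir/$i"
  done
}
```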
@@ -406,10 +408,6 @@ fi set_progress_str 21 'Copying minion pillars to master' copy_minion_tmp_files >> $setup_log 2>&1 - if [[ $is_master ]]; then - addtotab_generate_templates >> $setup_log 2>&1 - fi - set_progress_str 22 'Generating CA and checking in' salt_checkin >> $setup_log 2>&1 From 8b8379925385bf4dacd00e29decb0ddf7b8e01bc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 27 May 2020 18:16:02 -0400 Subject: [PATCH 19/27] create local dirs sooner - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- setup/so-functions | 2 +- setup/so-setup | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 0d0e09d01..8606de688 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -457,7 +457,7 @@ create_local_directories() { echo "Creating local pillar and salt directories" for i in "pillar" "salt"; do - for d in `find ./$i/ -type d`; do + for d in `find ../$i/ -type d`; do mkdir -p $local_salt_dir/$d done chown -R socore:socore $local_salt_dir/$i diff --git a/setup/so-setup b/setup/so-setup index 5b48c35cb..817887c84 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -362,11 +362,11 @@ fi if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' + create_local_directories >> $setup_log 2>&1 + addtotab_generate_templates >> $setup_log 2>&1 copy_master_config >> $setup_log 2>&1 setup_salt_master_dirs >> $setup_log 2>&1 firewall_generate_templates >> $setup_log 2>&1 - create_local_directories >> $setup_log 2>&1 - addtotab_generate_templates >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 From 091cc8b789e496c9938175aa87ad2f74168d48e9 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Thu, 28 May 2020 08:57:07 -0400 Subject: [PATCH 20/27] fix how local salt and pillar dirs are created - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- setup/so-functions | 21 ++++++++++++--------- setup/so-variables | 2 ++ 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8606de688..c9397b94d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -270,7 +270,7 @@ clear_master() { { echo "Clearing old master key"; rm -f /etc/salt/pki/minion/minion_master.pub; - sytemctl -q restart salt-minion; + systemctl -q restart salt-minion; } >> "$setup_log" 2>&1 fi @@ -454,14 +454,17 @@ copy_ssh_key() { } create_local_directories() { - echo "Creating local pillar and salt directories" - - for i in "pillar" "salt"; do - for d in `find ../$i/ -type d`; do - mkdir -p $local_salt_dir/$d - done - chown -R socore:socore $local_salt_dir/$i - done + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in `find $PILLARSALTDIR/$i -type d`; do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done } diff --git a/setup/so-variables b/setup/so-variables index 7e0f71c8a..e14a955ab 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -37,3 +37,5 @@ export DEBIAN_FRONTEND=noninteractive export default_salt_dir=/opt/so/saltstack/default export local_salt_dir=/opt/so/saltstack/local + +export SCRIPTDIR=$(cd `dirname $0` && pwd) From 4f15de8b77415024e5b3061ded9b73ba41d7e6ca Mon Sep 17 00:00:00 2001 
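Review bot: `PILLARSALTDIR=${SCRIPTDIR::-5}` derives the repository root by chopping exactly five characters (`setup`) off `$SCRIPTDIR`, so any other directory name or a trailing slash silently yields a wrong root, and the variable is not `local`; `local pillarsaltdir; pillarsaltdir=$(dirname "$SCRIPTDIR")` expresses the intent. The loop still word-splits the backtick `find` output, and it tests `"$local_salt_dir/$suffixdir"` but creates `"$local_salt_dir$suffixdir"`, two spellings of the same path; `while IFS= read -r -d '' d; do ...; done < <(find "$pillarsaltdir/$i" -type d -print0)` with one path form removes both. `${d//$PILLARSALTDIR/}` also treats the directory name as a glob pattern, where `${d#"$PILLARSALTDIR"}` is the literal prefix strip.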
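Review bot: The new `SCRIPTDIR` export runs `cd` over an unquoted `dirname $0` in nested backticks; `export SCRIPTDIR=$(cd "$(dirname "$0")" && pwd)` is the equivalent safe form. `$0` is the script that sourced so-variables, so the value only points at the setup directory when that script lives there; a comment such as `# directory of the sourcing script (expected: <repo>/setup)` would record the assumption create_local_directories now relies on.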
From: m0duspwnens Date: Thu, 28 May 2020 12:00:22 -0400 Subject: [PATCH 21/27] refresh salt fileserver if suricata rule symlink is created --- salt/salt/master/refresh_fileserver.sls | 3 +++ salt/suricata/init.sls | 12 ------------ salt/suricata/master.sls | 17 +++++++++++++++++ salt/top.sls | 4 ++++ 4 files changed, 24 insertions(+), 12 deletions(-) create mode 100644 salt/salt/master/refresh_fileserver.sls create mode 100644 salt/suricata/master.sls diff --git a/salt/salt/master/refresh_fileserver.sls b/salt/salt/master/refresh_fileserver.sls new file mode 100644 index 000000000..6b5640796 --- /dev/null +++ b/salt/salt/master/refresh_fileserver.sls @@ -0,0 +1,3 @@ +refresh_salt_master_fileserver: + saltmod.runner: + - name: fileserver.update \ No newline at end of file diff --git a/salt/suricata/init.sls b/salt/suricata/init.sls index ddd127f54..0f3d49bc3 100644 --- a/salt/suricata/init.sls +++ b/salt/suricata/init.sls @@ -55,18 +55,6 @@ surilogdir: - user: 940 - group: 939 -surilocaldir: - file.directory: - - name: /opt/so/saltstack/local/salt/suricata - - user: 940 - - group: 940 - - makedirs: True - -ruleslink: - file.symlink: - - name: /opt/so/saltstack/local/salt/suricata/rules - - target: /opt/so/rules/nids - suridatadir: file.directory: - name: /nsm/suricata diff --git a/salt/suricata/master.sls b/salt/suricata/master.sls new file mode 100644 index 000000000..6ad1e7c94 --- /dev/null +++ b/salt/suricata/master.sls @@ -0,0 +1,17 @@ +include: + - salt.master.refresh_fileserver + +surilocaldir: + file.directory: + - name: /opt/so/saltstack/local/salt/suricata + - user: 940 + - group: 940 + - makedirs: True + +ruleslink: + file.symlink: + - name: /opt/so/saltstack/local/salt/suricata/rules + - target: /opt/so/rules/nids + - watch_in: + - saltmod: refresh_salt_master_fileserver + \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index 4d60b01c0..5c070a5da 100644 --- a/salt/top.sls +++ b/salt/top.sls 
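Review bot: `saltmod.runner:` in refresh_fileserver.sls, and the matching `- saltmod: refresh_salt_master_fileserver` under `watch_in` in suricata/master.sls, use the Python module name rather than the name the state module is loaded under, which is `salt`; `salt.runner:` and `- salt: refresh_salt_master_fileserver` are the documented forms. `fileserver.update` is a master-side runner, so a comment in master.sls stating that the file is meant for the master minion only would help readers of top.sls. Both new files also end without a trailing newline.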
@@ -30,6 +30,7 @@ base: - telegraf - firewall - idstools + - suricata.master - pcap - suricata - zeek @@ -73,6 +74,7 @@ base: - soc - firewall - idstools + - suricata.master - healthcheck {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} - mysql @@ -129,6 +131,7 @@ base: - firewall - master - idstools + - suricata.master - redis {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} - mysql @@ -174,6 +177,7 @@ base: - soc - firewall - idstools + - suricata.master - healthcheck - redis {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} From 71d381aeae8fa4bda2e0c70f2f01b8902a075705 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 28 May 2020 13:19:38 -0400 Subject: [PATCH 22/27] apply suricata.master state during setup - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- setup/so-setup | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 817887c84..60fd6631b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -424,12 +424,15 @@ fi salt-call state.apply -l info registry >> $setup_log 2>&1 docker_seed_registry 2>> "$setup_log" # ~ 60% when finished - set_progress_str 61 "$(print_salt_state_apply 'master')" + set_progress_str 60 "$(print_salt_state_apply 'master')" salt-call state.apply -l info master >> $setup_log 2>&1 - set_progress_str 62 "$(print_salt_state_apply 'idstools')" + set_progress_str 61 "$(print_salt_state_apply 'idstools')" salt-call state.apply -l info idstools >> $setup_log 2>&1 + set_progress_str 61 "$(print_salt_state_apply 'suricata.master')" + salt-call state.apply -l info suricata.master >> $setup_log 2>&1 + fi set_progress_str 62 "$(print_salt_state_apply 'firewall')" From 40fa5293bf2d1f087807d8fae929002a54dc5095 Mon Sep 17 00:00:00 2001 
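Review bot: `set_progress_str 61` is emitted twice in a row after the renumbering (idstools, then suricata.master), so the progress bar does not advance for the new step; giving suricata.master its own value keeps the 60/61/62 sequence monotonic. As with the neighbouring `salt-call state.apply -l info` calls, the new apply's exit status is not examined and a failed state is only visible in `$setup_log`. The `fi` that follows closes an `if` that begins outside the hunk.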
From: m0duspwnens Date: Thu, 28 May 2020 15:54:11 -0400 Subject: [PATCH 23/27] move fileserve update to suricata.master --- salt/salt/master/refresh_fileserver.sls | 3 --- salt/suricata/master.sls | 18 ++++++++++-------- 2 files changed, 10 insertions(+), 11 deletions(-) delete mode 100644 salt/salt/master/refresh_fileserver.sls diff --git a/salt/salt/master/refresh_fileserver.sls b/salt/salt/master/refresh_fileserver.sls deleted file mode 100644 index 6b5640796..000000000 --- a/salt/salt/master/refresh_fileserver.sls +++ /dev/null @@ -1,3 +0,0 @@ -refresh_salt_master_fileserver: - saltmod.runner: - - name: fileserver.update \ No newline at end of file diff --git a/salt/suricata/master.sls b/salt/suricata/master.sls index 6ad1e7c94..5998a484b 100644 --- a/salt/suricata/master.sls +++ b/salt/suricata/master.sls @@ -1,17 +1,19 @@ -include: - - salt.master.refresh_fileserver - surilocaldir: file.directory: - name: /opt/so/saltstack/local/salt/suricata - - user: 940 - - group: 940 + - user: socore + - group: socore - makedirs: True ruleslink: file.symlink: - name: /opt/so/saltstack/local/salt/suricata/rules + - user: socore + - group: socore - target: /opt/so/rules/nids - - watch_in: - - saltmod: refresh_salt_master_fileserver - \ No newline at end of file + +refresh_salt_master_fileserver_suricata_ruleslink: + salt.runner: + - name: fileserver.update + - onchanges: + - file: ruleslink \ No newline at end of file From 7957b514096eaf8bc3091db55c07b441f1737036 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 May 2020 10:57:43 -0400 Subject: [PATCH 24/27] change master roots priority to local --- files/master | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/files/master b/files/master index aa9a7a986..42e7866d9 100644 --- a/files/master +++ b/files/master 
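Review bot: `refresh_salt_master_fileserver_suricata_ruleslink` runs the `fileserver.update` runner, which executes on the master, yet nothing in the file says this state is only meaningful on the master minion (top.sls assigns `suricata.master` to master roles); a one-line comment at the top, `# master-only: refresh the fileserver so the local suricata rules symlink is served`, would record that. The `onchanges` requisite on `file: ruleslink` means the refresh happens only when the symlink itself changes, not when files under `/opt/so/rules/nids` do, which appears intended. The file still lacks a trailing newline.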
@@ -37,8 +37,9 @@ log_file: /opt/so/log/salt/master # file_roots: base: - - /opt/so/saltstack/default/salt - /opt/so/saltstack/local/salt + - /opt/so/saltstack/default/salt + # The master_roots setting configures a master-only copy of the file_roots dictionary, # used by the state compiler. @@ -54,8 +55,8 @@ file_roots: pillar_roots: base: - - /opt/so/saltstack/default/pillar - /opt/so/saltstack/local/pillar + - /opt/so/saltstack/default/pillar peer: .*: From 2db2054cce0ee92eab014f4fa16004a356a46c3c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 May 2020 10:58:53 -0400 Subject: [PATCH 25/27] update instructions in logstash customer pipelines and templates - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- .../pipelines/config/custom/place_custom_config_in_local | 1 + .../templates/custom/Drop.Your.Custom.Templates.Here.conf | 2 -- .../pipelines/templates/custom/place_custom_template_in_local | 2 ++ 3 files changed, 3 insertions(+), 2 deletions(-) create mode 100644 salt/logstash/pipelines/config/custom/place_custom_config_in_local delete mode 100644 salt/logstash/pipelines/templates/custom/Drop.Your.Custom.Templates.Here.conf create mode 100644 salt/logstash/pipelines/templates/custom/place_custom_template_in_local diff --git a/salt/logstash/pipelines/config/custom/place_custom_config_in_local b/salt/logstash/pipelines/config/custom/place_custom_config_in_local new file mode 100644 index 000000000..55c386a67 --- /dev/null +++ b/salt/logstash/pipelines/config/custom/place_custom_config_in_local @@ -0,0 +1 @@ +# For custom logstash configs, they should be placed in /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/ diff --git a/salt/logstash/pipelines/templates/custom/Drop.Your.Custom.Templates.Here.conf b/salt/logstash/pipelines/templates/custom/Drop.Your.Custom.Templates.Here.conf deleted file mode 100644 index 9ee9e27b5..000000000 
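Review bot: After the reordering, anything under the socore-owned `/opt/so/saltstack/local/salt` shadows the same path in `default` for every minion, and nothing in files/master says so. Earlier patches in this series hand that tree to `socore` (`chown -R socore:socore`, `user: socore` on surilocaldir), so write access to the local tree now amounts to control over states that are typically applied with root privileges on minions; if socore is the intended administrative boundary, a comment above `file_roots:` such as `# local is searched first and overrides default; treat /opt/so/saltstack/local as trusted` records it. The same applies to `pillar_roots` in the second hunk.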
--- a/salt/logstash/pipelines/templates/custom/Drop.Your.Custom.Templates.Here.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Reference /usr/share/logstash/pipeline.custom/templates/YOURTEMPLATE.json -# diff --git a/salt/logstash/pipelines/templates/custom/place_custom_template_in_local b/salt/logstash/pipelines/templates/custom/place_custom_template_in_local new file mode 100644 index 000000000..af38c6107 --- /dev/null +++ b/salt/logstash/pipelines/templates/custom/place_custom_template_in_local @@ -0,0 +1,2 @@ +# Reference /usr/share/logstash/pipeline.custom/templates/YOURTEMPLATE.json +# For custom logstash templates, they should be placed in /opt/so/saltstack/local/salt/logstash/pipelines/templates/custom/ From 15fc97e51602f4f7bbd100fa92519be00cb4d187 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 29 May 2020 13:11:55 -0400 Subject: [PATCH 26/27] adding suricata.master state to mastersearch - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749 --- salt/top.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/top.sls b/salt/top.sls index 88aa30daa..42b88c170 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -304,6 +304,7 @@ base: - firewall - master - idstools + - suricata.master - redis {%- if FLEETMASTER or FLEETNODE or PLAYBOOK != 0 %} - mysql From f5c8091fd643b78a4b9c53b1127067d98f5a55be Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 1 Jun 2020 12:17:52 -0400 Subject: [PATCH 27/27] remove unneeded INITIALSETUP var from addtotab --- pillar/data/addtotab.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/pillar/data/addtotab.sh b/pillar/data/addtotab.sh index a3aaa2c24..33a42a1b1 100644 --- a/pillar/data/addtotab.sh +++ b/pillar/data/addtotab.sh @@ -12,7 +12,6 @@ MANINT=$6 ROOTFS=$7 NSM=$8 MONINT=$9 -INITIALSETUP=$10 #NODETYPE=$10 #HOTNAME=$11