Merge pull request #1298 from Security-Onion-Solutions/issue/1291

Issue/1291
2025-12-06 09:12:45 +01:00 · 2020-09-08 17:40:33 -04:00
parent 710a2be422 da34222931
commit d7016b4557
4 changed files with 60 additions and 2 deletions
--- a/salt/salt/engines/checkmine.py
+++ b/salt/salt/engines/checkmine.py
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+
+import logging
+from time import sleep
+from os import remove
+
+log = logging.getLogger(__name__)
+
+def start(interval=30):
+  log.info("checkmine engine started")
+  minionid = __grains__['id']
+  while True:
+    try:
+      ca_crt = __salt__['saltutil.runner']('mine.get', tgt=minionid, fun='x509.get_pem_entries')[minionid]['/etc/pki/ca.crt']
+      log.info('Successfully queried Salt mine for the CA.')
+    except:
+      log.error('Could not pull CA from the Salt mine.')
+      log.info('Removing /var/cache/salt/master/minions/%s/mine.p to force Salt mine to be repopulated.' % minionid)
+      try:
+        remove('/var/cache/salt/master/minions/%s/mine.p' % minionid)
+        log.info('Removed /var/cache/salt/master/minions/%s/mine.p' % minionid)
+      except FileNotFoundError:
+        log.error('/var/cache/salt/master/minions/%s/mine.p does not exist' % minionid)
+
+      __salt__['mine.send'](name='x509.get_pem_entries', glob_path='/etc/pki/ca.crt')
+      log.warning('Salt mine repopulated with /etc/pki/ca.crt')
+
+    sleep(interval)
--- a/salt/salt/files/engines.conf
+++ b/salt/salt/files/engines.conf
@@ -0,0 +1,6 @@
+engines_dirs:
+  - /etc/salt/engines
+
+engines:
+  - checkmine:
+      interval: 30
--- a/salt/salt/master.sls
+++ b/salt/salt/master.sls
@@ -1,3 +1,6 @@
+include:
+  - salt.minion
+
 salt_master_package:
  pkg.installed:
    - pkgs:
@@ -8,4 +11,19 @@ salt_master_package:
 salt_master_service:
  service.running:
    - name: salt-master
-    - enable: True
+    - enable: True
+
+checkmine_engine:
+  file.managed:
+    - name: /etc/salt/engines/checkmine.py
+    - source: salt://salt/engines/checkmine.py
+    - makedirs: True
+    - watch_in:
+        - service: salt_minion_service
+
+engines_config:
+  file.managed:
+    - name: /etc/salt/minion.d/engines.conf
+    - source: salt://salt/files/engines.conf
+    - watch_in:
+        - service: salt_minion_service
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -35,9 +35,10 @@ base:
    - common
    - patch.os.schedule
    - motd
-
+  
  '*_helix and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -79,6 +80,7 @@ base:

  '*_eval and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -136,6 +138,7 @@ base:

  '*_manager and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -182,6 +185,7 @@ base:

  '*_standalone and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -306,6 +310,7 @@ base:

  '*_managersearch and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common
@@ -396,6 +401,7 @@ base:

  '*_import and G@saltversion:{{saltversion}}':
    - match: compound
+    - salt.master
    - ca
    - ssl
    - common