merge with dev, resolve conflicts

2026-02-20 14:05:26 +01:00 · 2021-04-28 10:19:01 -04:00
parent 28982e0e0b bd454c7f25
commit d9cb018a7d
49 changed files with 280 additions and 330 deletions
--- a/salt/common/files/soversion
+++ b/salt/common/files/soversion
@@ -0,0 +1,2 @@
+{%- set VERSION = salt['pillar.get']('global:soversion') -%}
+{{ VERSION }}
--- a/salt/common/files/vimrc
+++ b/salt/common/files/vimrc
@@ -0,0 +1,6 @@
+" Activates filetype detection
+filetype plugin indent on
+
+" Sets .sls files to use YAML syntax highlighting
+autocmd BufNewFile,BufRead *.sls set syntax=yaml
+set number
--- a/salt/common/init.sls
+++ b/salt/common/init.sls
@@ -69,6 +69,13 @@ salttmp:
    - group: 939
    - makedirs: True

+# VIM config
+vimconfig:
+  file.managed:
+    - name: /root/.vimrc
+    - source: salt://common/files/vimrc
+    - replace: False
+
 # Install common packages
 {% if grains['os'] != 'CentOS' %}     
 commonpkgs:
@@ -95,6 +102,7 @@ commonpkgs:
      - python3-mysqldb
      - python3-packaging
      - git
+      - vim

 heldpackages:
  pkg.installed:
@@ -134,6 +142,7 @@ commonpkgs:
      - lvm2
      - openssl
      - git
+      - vim-enhanced

 heldpackages:
  pkg.installed:
@@ -269,6 +278,14 @@ backupdir:
    - daymonth: '*'
    - month: '*'
    - dayweek: '*'
+{% else %}
+soversionfile:
+  file.managed:
+    - name: /etc/soversion
+    - source: salt://common/files/soversion
+    - mode: 644
+    - template: jinja
+    
 {% endif %}

 # Manager daemon.json
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -122,6 +122,10 @@ check_elastic_license() {
 	fi  
 }

+disable_fastestmirror() {
+	sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
+}
+
 elastic_license() {

 read -r -d '' message <<- EOM
--- a/salt/common/tools/sbin/so-playbook-sync
+++ b/salt/common/tools/sbin/so-playbook-sync
@@ -19,6 +19,6 @@

 # Check to see if we are already running
 IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)
-[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0
+[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0

 docker exec so-soctopus python3 playbook_play-sync.py
--- a/salt/common/tools/sbin/so-sensor-clean
+++ b/salt/common/tools/sbin/so-sensor-clean
@@ -116,7 +116,7 @@ clean() {

 # Check to see if we are already running
 IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l)
-[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0
+[ "$IS_RUNNING" -gt 3 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0

 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then
 	while [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; do
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -453,18 +453,18 @@ up_2.3.3X_to_2.3.50_repo() {
  if [[ "$OS" == "centos" ]]; then
    # Import GPG Keys
    gpg_rpm_import
+    echo "Disabling fastestmirror."
+    disable_fastestmirror
+    echo "Deleting unneeded repo files."
+    DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')

+    for DELREPO in "${DELREPOS[@]}"; do
+      if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
+        echo "Deleting $DELREPO.repo"
+        rm -f "/etc/yum.repos.d/$DELREPO.repo"
+      fi
+    done
    if [ $is_airgap -eq 1 ]; then
-      echo "Deleting unneeded repo files."
-      DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')
-
-      for DELREPO in "${DELREPOS[@]}"; do
-        if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then
-          echo "Deleting $DELREPO.repo"
-          rm -f "/etc/yum.repos.d/$DELREPO.repo"
-        fi
-      done
-
      # Copy the new repo file if not airgap
      cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/
      yum clean all
@@ -474,6 +474,34 @@ up_2.3.3X_to_2.3.50_repo() {
 }

 up_2.3.3X_to_2.3.50() {
+  
+  cat <<EOF > /tmp/supersed.txt
+/so-zeek:/ {
+  p;
+  n;
+  /shards:/ {
+    p;
+    n;
+    /warm:/ {
+      p;
+      n;
+      /close:/ {
+        s/close: 365/close: 45/;
+        p;
+        n;
+        /delete:/ {
+          s/delete: 45/delete: 365/;
+          p;
+          d;
+        }
+      }
+    }
+  }
+}
+p;
+EOF
+  sed -n -i -f /tmp/supersed.txt /opt/so/saltstack/local/pillar/global.sls
+  rm /tmp/supersed.txt
  INSTALLEDVERSION=2.3.50
 }

@@ -687,6 +715,9 @@ echo ""
 echo "Updating dockers to $NEWVERSION."
 if [ $is_airgap -eq 0 ]; then
  airgap_update_dockers
+  update_centos_repo
+  yum clean all
+  check_os_updates
 else
  update_registry
  update_docker_containers "soup"
@@ -708,10 +739,6 @@ preupgrade_changes_2.3.50_repo
 if [ "$UPGRADESALT" == "1" ]; then
  echo "Upgrading Salt"
  # Update the repo files so it can actually upgrade
-  if [ $is_airgap -eq 0 ]; then
-    update_centos_repo
-    yum clean all
-  fi
  upgrade_salt
 fi

@@ -796,13 +823,12 @@ unmount_update
 thehive_maint

 if [ "$UPGRADESALT" == "1" ]; then
-  echo ""
-  echo "Upgrading Salt on the remaining Security Onion nodes from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
  if [ $is_airgap -eq 0 ]; then
-    salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' cmd.run "yum clean all"
+    echo ""
+    echo "Cleaning repos on remote Security Onion nodes."
+    salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all"
+    echo ""
  fi
-  salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone' -b $BATCHSIZE state.apply salt.minion queue=True
-  echo ""
 fi

 check_sudoers
--- a/salt/grafana/dashboards/manager/manager.json
+++ b/salt/grafana/dashboards/manager/manager.json
@@ -4322,139 +4322,6 @@
        "align": false,
        "alignLevel": null
      }
-    },
-    {
-      "aliasColors": {},
-      "bars": false,
-      "dashLength": 10,
-      "dashes": false,
-      "datasource": "InfluxDB",
-      "fieldConfig": {
-        "defaults": {
-          "custom": {}
-        },
-        "overrides": []
-      },
-      "fill": 1,
-      "fillGradient": 0,
-      "gridPos": {
-        "h": 6,
-        "w": 8,
-        "x": 16,
-        "y": 31
-      },
-      "hiddenSeries": false,
-      "id": 76,
-      "legend": {
-        "avg": false,
-        "current": false,
-        "max": false,
-        "min": false,
-        "show": false,
-        "total": false,
-        "values": false
-      },
-      "lines": true,
-      "linewidth": 1,
-      "nullPointMode": "connected",
-      "options": {
-        "alertThreshold": true
-      },
-      "percentage": false,
-      "pluginVersion": "7.3.4",
-      "pointradius": 2,
-      "points": false,
-      "renderer": "flot",
-      "seriesOverrides": [],
-      "spaceLength": 10,
-      "stack": false,
-      "steppedLine": false,
-      "targets": [
-        {
-          "alias": "EPS",
-          "groupBy": [
-            {
-              "params": [
-                "$__interval"
-              ],
-              "type": "time"
-            },
-            {
-              "params": [
-                "null"
-              ],
-              "type": "fill"
-            }
-          ],
-          "measurement": "esteps",
-          "orderByTime": "ASC",
-          "policy": "default",
-          "queryType": "randomWalk",
-          "refId": "A",
-          "resultFormat": "time_series",
-          "select": [
-            [
-              {
-                "params": [
-                  "eps"
-                ],
-                "type": "field"
-              },
-              {
-                "params": [],
-                "type": "mean"
-              }
-            ]
-          ],
-          "tags": [
-            {
-              "key": "host",
-              "operator": "=",
-              "value": "{{ SERVERNAME }}"
-            }
-          ]
-        }
-      ],
-      "thresholds": [],
-      "timeFrom": null,
-      "timeRegions": [],
-      "timeShift": null,
-      "title": "{{ SERVERNAME }} - Estimated EPS",
-      "tooltip": {
-        "shared": true,
-        "sort": 0,
-        "value_type": "individual"
-      },
-      "type": "graph",
-      "xaxis": {
-        "buckets": null,
-        "mode": "time",
-        "name": null,
-        "show": true,
-        "values": []
-      },
-      "yaxes": [
-        {
-          "format": "short",
-          "label": "EPS",
-          "logBase": 1,
-          "max": null,
-          "min": null,
-          "show": true
-        },
-        {
-          "format": "short",
-          "label": null,
-          "logBase": 1,
-          "max": null,
-          "min": null,
-          "show": false
-        }
-      ],
-      "yaxis": {
-        "align": false,
-        "alignLevel": null
-      }
    }
  ],
  "refresh": false,
--- a/salt/grafana/dashboards/managersearch/managersearch.json
+++ b/salt/grafana/dashboards/managersearch/managersearch.json
@@ -5157,7 +5157,7 @@
              "type": "fill"
            }
          ],
-          "measurement": "esteps",
+          "measurement": "consumptioneps",
          "orderByTime": "ASC",
          "policy": "default",
          "queryType": "randomWalk",
--- a/salt/grafana/dashboards/standalone/standalone.json
+++ b/salt/grafana/dashboards/standalone/standalone.json
@@ -5562,7 +5562,7 @@
              "type": "fill"
            }
          ],
-          "measurement": "esteps",
+          "measurement": "consumptioneps",
          "orderByTime": "ASC",
          "policy": "default",
          "queryType": "randomWalk",
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
+{% set proxy = salt['pillar.get']('manager:proxy') -%}
+{% if proxy -%}
+Proxy: {{ proxy }}
+{% endif -%}
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -18,7 +18,6 @@
 {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
 {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
 {% set MANAGER = salt['grains.get']('master') %}
-{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
 {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}

 socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
    - mode: 750
    - replace: False

-{% if managerproxy == 1 %}
-
 # Create the directories for apt-cacher-ng
 aptcacherconfdir:
  file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
    - makedirs: true

 # Copy the config
-
 acngcopyconf:
  file.managed:
    - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
    - source: salt://manager/files/acng/acng.conf
+    - template: jinja
+    - show_changes: False

 # Install the apt-cacher-ng container
 so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
    - name: /opt/so/conf/so-status/so-status.conf
    - text: so-aptcacherng

-{% endif %}
-
 strelka_yara_update_old_1:
  cron.absent:
    - user: root
--- a/salt/repo/client/files/centos/yum.conf.jinja
+++ b/salt/repo/client/files/centos/yum.conf.jinja
@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
 bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
 distroverpkg=centos-release
 clean_requirements_on_remove=1
-{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%}
+{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import']) and ( salt['pillar.get']('global:managerupdate', '0') or salt['pillar.get']('patch:os:source', 'direct') == 'manager' ) -%}
 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
 {% elif proxy -%}
 proxy={{ proxy }}
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -16,8 +16,9 @@ airgap_repo:
  pkgrepo.managed:
    - humanname: Airgap Repo
    - baseurl: https://{{ MANAGER }}/repo
-    - gpgcheck: 1
+    - gpgcheck: 0
    - sslverify: 0
+
 {% endif %}

 # from airgap and common
@@ -63,6 +64,7 @@ yumconf:
    - source: salt://repo/client/files/centos/yum.conf.jinja
    - mode: 644
    - template: jinja
+    - show_changes: False
 {% endif %}

 cleanyum:
--- a/salt/salt/map.jinja
+++ b/salt/salt/map.jinja
@@ -3,13 +3,15 @@

 {% if grains.os == 'Ubuntu' %}
  {% set SPLITCHAR = '+' %}
-  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep salt-* ; echo $?', python_shell=True) %}
+  {% set SALTNOTHELD = salt['cmd.run']('apt-mark showhold | grep -q salt ; echo $?', python_shell=True) %}
+  {% set SALTPACKAGES = ['salt-common', 'salt-master', 'salt-minion'] %}
  {% set SALT_STATE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/states' %}
  {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3/dist-packages/salt/modules' %}
  {% set PYTHON3INFLUX= 'python3-influxdb' %}
 {% else %}
  {% set SPLITCHAR = '-' %}
-  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep salt-* ; echo $?', python_shell=True) %}
+  {% set SALTNOTHELD = salt['cmd.run']('yum versionlock list | grep -q salt ; echo $?', python_shell=True) %}
+  {% set SALTPACKAGES = ['salt', 'salt-master', 'salt-minion'] %}
  {% set SALT_STATE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/states' %}
  {% set SALT_MODULE_CODE_PATH = '/usr/lib/python3.6/site-packages/salt/modules' %}
  {% set PYTHON3INFLUX= 'securityonion-python3-influxdb' %}
@@ -19,9 +21,9 @@

 {% if grains.saltversion|string != SALTVERSION|string %}
  {% if grains.os|lower in ['centos', 'redhat'] %}
-      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %}
+      {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION %}
  {% elif grains.os|lower == 'ubuntu' %}
-    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %}
+    {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION %}
  {% endif %}
 {% else %}
  {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -2,6 +2,7 @@
 {% from 'salt/map.jinja' import SALTVERSION %}
 {% from 'salt/map.jinja' import INSTALLEDSALTVERSION %}
 {% from 'salt/map.jinja' import SALTNOTHELD %}
+{% from 'salt/map.jinja' import SALTPACKAGES %}
 {% import_yaml 'salt/minion.defaults.yaml' as SALTMINION %}
 {% set service_start_delay = SALTMINION.salt.minion.service_start_delay %}

@@ -12,11 +13,14 @@ include:

 {% if INSTALLEDSALTVERSION|string != SALTVERSION|string %}

-{% if SALTNOTHELD == 0 %}
+{% if SALTNOTHELD | int == 0 %}
 unhold_salt_packages:
  module.run:
    - pkg.unhold:
-      - name: 'salt-*'
+      - pkgs:
+{% for package in SALTPACKAGES %}
+        - {{ package }}
+{% endfor %}
 {% endif %}

 install_salt_minion:
@@ -30,11 +34,14 @@ install_salt_minion:

 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}

-{% if SALTNOTHELD == 1 %}
+{% if SALTNOTHELD | int == 1 %}
 hold_salt_packages:
  module.run:
    - pkg.hold:
-      - name: 'salt-*'
+      - pkgs:
+{% for package in SALTPACKAGES %}
+        - {{ package }}
+{% endfor %}
 {% endif %}

 set_log_levels:
--- a/salt/soc/files/soc/motd.md
+++ b/salt/soc/files/soc/motd.md
@@ -1,6 +1,6 @@
 ## Getting Started

-New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu.
+New to Security Onion 2? Check out the [Online Help](/docs/) and [Cheatsheet](/docs/cheatsheet.pdf) to learn how to best utilize Security Onion to hunt for evil! Find them in the upper-right menu. Also, watch our free Security Onion 2 Essentials online course, available on our [Training](https://securityonionsolutions.com/training) website.

 If you're ready to dive-in, take a look at the [Alerts](/#/alerts) interface to see what Security Onion has detected so far. Or navigate to the [Hunt](/#/hunt) interface to hunt for evil that the alerts might have missed!

@@ -10,16 +10,18 @@ The release notes have moved to the upper-right menu. Click on the [What's New](

 ## Customize This Space

-Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [mardownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.
+Make this area your own by customizing the content. The content is stored in the `motd.md` file, which uses the common Markdown (.md) format. Visit [markdownguide.org](https://www.markdownguide.org/) to learn more about the simple Markdown format.

 To customize this content, login to the manager via SSH and execute the following command:

 ```bash
-cp -f /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/motd.md
+sudo cp /opt/so/saltstack/default/salt/soc/files/soc/motd.md /opt/so/saltstack/local/salt/soc/files/soc/
 ```

-Now, edit the new file as desired. Finally, run this command:
+and edit the new file as desired. 
+
+Finally, run this command:

 ```bash
-salt-call state.apply soc queue=True
+sudo so-soc-restart
 ```
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -132,8 +132,9 @@ influxkeyperms:
      # Will trigger 5 days (432000 sec) from cert expiration
      - 'enddate=$(date -d "$(openssl x509 -in /etc/pki/redis.crt -enddate -noout | cut -d= -f2)" +%s) ; now=$(date +%s) ; expire_date=$(( now + 432000)); [ $enddate -gt $expire_date ]'
    - timeout: 30
-    - retry: 5
-    - interval: 30
+    - retry:
+        attempts: 5
+        interval: 30

 rediskeyperms:
  file.managed:
@@ -325,8 +326,9 @@ miniokeyperms:
      - x509: /etc/pki/elasticsearch.crt
    {%- endif %}
    - timeout: 30
-    - retry: 5
-    - interval: 30
+    - retry:
+        attempts: 5
+        interval: 30

 /etc/pki/elasticsearch.crt:
  x509.certificate_managed:
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -615,29 +615,18 @@
 #   ## Use TLS but skip chain & host verification
 #   # insecure_skip_verify = false

-{% if TRUE_CLUSTER %}
-  {% if grains.role == 'so-manager' %}
-[[inputs.elasticsearch]]
-   servers = ["https://{{ MANAGER }}:9200"]
-   insecure_skip_verify = true
-   local = false
-   cluster_health = true
-   cluster_stats = true
-  {% endif %}
-  
-{% else %}

 # # Read stats from one or more Elasticsearch servers or clusters
-  {% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone']   %}
+{% if grains['role'] in ['so-manager', 'so-eval', 'so-managersearch', 'so-standalone']   %}
 [[inputs.elasticsearch]]
   servers = ["https://{{ MANAGER }}:9200"]
   insecure_skip_verify = true
-  {% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']  %}
+{% elif grains['role'] in ['so-node', 'so-hotnode', 'so-warmnode', 'so-heavynode']  %}
 [[inputs.elasticsearch]]
   servers = ["https://{{ NODEIP }}:9200"]
   insecure_skip_verify = true
-  {% endif %}
 {% endif %}
+
 #
 #   ## Timeout for HTTP requests to the elastic search server(s)
 #   http_timeout = "5s"