From 534dbf9761ecd7680dfd0ebbe9eb8b77475edccc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 09:07:00 -0400 Subject: [PATCH 01/33] change the upgrade command - https://github.com/Security-Onion-Solutions/securityonion/issues/3501 --- salt/salt/map.jinja | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 7ef63bd68..80646f4ca 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -19,12 +19,12 @@ {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['centos', 'redhat'] %} {% if ISAIRGAP is sameas true %} - {% set UPGRADECOMMAND = 'yum clean all && yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %} + {% set UPGRADECOMMAND = 'yum clean all ; yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' ; yum versionlock add "salt-*"' %} {% else %} - {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && yum versionlock add "salt-*"' %} + {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" ; /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' ; yum versionlock add "salt-*"' %} {% endif %} {% elif grains.os|lower == 'ubuntu' %} - {% set UPGRADECOMMAND = 'apt-mark unhold salt-common && apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' && apt-mark hold salt-common && apt-mark hold salt-minion' %} + {% set UPGRADECOMMAND = 'apt-mark unhold salt-common ; apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' ; apt-mark hold salt-common && apt-mark hold salt-minion' %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} From 1c3a7094bdc8607c74315ace5a8a7e70c83b99f0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 11:05:48 -0400 Subject: [PATCH 02/33] upgrade salt to 3003.1 --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 18 +++++++++--------- setup/so-preflight | 6 +++--- 4 files changed, 14 insertions(+), 14 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 2b50b517b..e97115ec1 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3002.5 \ No newline at end of file + version: 3003.1 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index e6b1303ed..3993c827b 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,5 +2,5 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3002.5 + version: 3003.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 2732a0ee9..75e8951ad 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2029,13 +2029,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3003/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3002.5" + logCmd "yum -y install salt-master-3003.1" fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; @@ -2048,7 +2048,7 @@ saltify() { set_progress_str 8 'Installing salt-minion & python modules' { if [[ ! $is_iso ]]; then - yum -y install salt-minion-3002.5\ + yum -y install salt-minion-3003.1\ python3\ python36-docker\ python36-dateutil\ @@ -2100,8 +2100,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3003/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3003 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2109,7 +2109,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3003/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 @@ -2122,7 +2122,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3003.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2133,14 +2133,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3003/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3002.5+ds-1 salt-common=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3003.1+ds-1 salt-common=3003.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 if [[ $OSVER != 'xenial' ]]; then retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging" >> "$setup_log" 2>&1 || exit 1 diff --git a/setup/so-preflight b/setup/so-preflight index da25e6775..1ef840284 100644 --- a/setup/so-preflight +++ b/setup/so-preflight @@ -46,8 +46,8 @@ check_new_repos() { if [[ $OS == 'centos' ]]; then local repo_arr=( "https://download.docker.com/linux/centos/docker-ce.repo" - "https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub" - "https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3003/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3003/SALTSTACK-GPG-KEY.pub" "https://download.docker.com/linux/ubuntu/gpg" "https://packages.wazuh.com/key/GPG-KEY-WAZUH" "https://packages.wazuh.com/3.x/yum/" @@ -59,7 +59,7 @@ check_new_repos() { local repo_arr=( "https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu" - "https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3003/SALTSTACK-GPG-KEY.pub" "https://packages.wazuh.com/key/GPG-KEY-WAZUH" "https://packages.wazuh.com" ) From 9b8b5e6173b8b3b105dd570edc6c956c0bf08113 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 14:12:24 -0400 Subject: [PATCH 03/33] use -r by default to disable salt bootstrap from doing repo things --- salt/salt/map.jinja | 4 ---- 1 file changed, 4 deletions(-) diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index 80646f4ca..6b5273b84 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -18,11 +18,7 @@ {% if grains.saltversion|string != SALTVERSION|string %} {% if grains.os|lower in ['centos', 'redhat'] %} - {% if ISAIRGAP is sameas true %} {% set UPGRADECOMMAND = 'yum clean all ; yum versionlock delete "salt-*" && /usr/sbin/bootstrap-salt.sh -X -s 120 -r -F -x python3 stable ' ~ SALTVERSION ~ ' ; yum versionlock add "salt-*"' %} - {% else %} - {% set UPGRADECOMMAND = 'yum versionlock delete "salt-*" ; /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' ; yum versionlock add "salt-*"' %} - {% endif %} {% elif grains.os|lower == 'ubuntu' %} {% set UPGRADECOMMAND = 'apt-mark unhold salt-common ; apt-mark unhold salt-minion && /usr/sbin/bootstrap-salt.sh -X -s 120 -F -x python3 stable ' ~ SALTVERSION ~ ' ; apt-mark hold salt-common && apt-mark hold salt-minion' %} {% endif %} From 83bf709290e14a845e68fc90234374356c22acdc Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 15:12:53 -0400 Subject: [PATCH 04/33] use -r for salt boostrap in soup as well --- salt/common/tools/sbin/soup | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb2d19aed..d06002b7d 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,11 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - if [ $is_airgap -eq 0 ]; then - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" - else - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" - fi + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 89f72bb6edfc8437c3681e95b6c7b91e62c2da70 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 16:44:51 -0400 Subject: [PATCH 05/33] check if . in new version, append .1 if not --- salt/common/tools/sbin/soup | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d06002b7d..eda93fc1f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -649,6 +649,12 @@ fi echo "Checking if Salt was upgraded." echo "" # Check that Salt was upgraded +SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'}) +if [[ "." =~ .*"$SALTVERSIONPOSTUPGRADE".* ]]; then + SALTVERSIONPOSTUPGRADE=$SALTVERSIONPOSTUPGRADE +else + SALTVERSIONPOSTUPGRADE="${SALTVERSIONPOSTUPGRADE}.1" +fi if [[ $(salt --versions-report | grep Salt: | awk {'print $2'}) != "$NEWSALTVERSION" ]]; then echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." echo "Once the issue is resolved, run soup again." From 3a1c478d9a3e9f0415eeae9f5e8fe5fbb1c94f11 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 5 Apr 2021 16:56:34 -0400 Subject: [PATCH 06/33] compare the new var --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index eda93fc1f..9036d83bb 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -655,7 +655,7 @@ if [[ "." =~ .*"$SALTVERSIONPOSTUPGRADE".* ]]; then else SALTVERSIONPOSTUPGRADE="${SALTVERSIONPOSTUPGRADE}.1" fi -if [[ $(salt --versions-report | grep Salt: | awk {'print $2'}) != "$NEWSALTVERSION" ]]; then +if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." echo "Once the issue is resolved, run soup again." echo "Exiting." From 5525b9e97d17c472b58a23b42b6aecb8b2732d66 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 08:30:57 -0400 Subject: [PATCH 07/33] point to new salt repo --- salt/common/yum_repos/securityonion.repo | 2 +- salt/common/yum_repos/securityonioncache.repo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index e61829380..2fb35e579 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -42,7 +42,7 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..56ada1413 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -42,7 +42,7 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 1ea0be00976a8f298b5e7c43b8c5cd54f270847c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 09:15:22 -0400 Subject: [PATCH 08/33] remove references to 3003.1 change to 3003 --- salt/common/tools/sbin/soup | 5 ----- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- salt/top.sls | 1 + setup/so-functions | 8 ++++---- 5 files changed, 7 insertions(+), 11 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9036d83bb..0a68fae2d 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -650,11 +650,6 @@ echo "Checking if Salt was upgraded." echo "" # Check that Salt was upgraded SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'}) -if [[ "." =~ .*"$SALTVERSIONPOSTUPGRADE".* ]]; then - SALTVERSIONPOSTUPGRADE=$SALTVERSIONPOSTUPGRADE -else - SALTVERSIONPOSTUPGRADE="${SALTVERSIONPOSTUPGRADE}.1" -fi if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." echo "Once the issue is resolved, run soup again." diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index e97115ec1..8588af65c 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3003.1 \ No newline at end of file + version: 3003 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index 3993c827b..9d888f106 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,5 +2,5 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3003.1 + version: 3003 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index 68c392c25..6b522d03b 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -17,6 +17,7 @@ {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} {% set saltversion = saltversion.salt.minion.version %} +{% set INSTALLEDSALTVERSION = grains.saltversion %} base: diff --git a/setup/so-functions b/setup/so-functions index 8dd5d2f75..bc2908a41 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2033,7 +2033,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3003.1" + logCmd "yum -y install salt-master-3003" fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; @@ -2046,7 +2046,7 @@ saltify() { set_progress_str 8 'Installing salt-minion & python modules' { if [[ ! $is_iso ]]; then - yum -y install salt-minion-3003.1\ + yum -y install salt-minion-3003\ python3\ python36-docker\ python36-dateutil\ @@ -2120,7 +2120,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3003.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3003+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2138,7 +2138,7 @@ saltify() { retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3003.1+ds-1 salt-common=3003.1+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3003+ds-1 salt-common=3003+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 if [[ $OSVER != 'xenial' ]]; then retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging" >> "$setup_log" 2>&1 || exit 1 From 049001d572fd0ad5f5801c32a448782dd9d04ea0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 09:48:21 -0400 Subject: [PATCH 09/33] set repo url for salt upgrade for centos --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 0a68fae2d..d8007012e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,7 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 01f95c846c6a9403f4b704646e6effaf8b3156c1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 11:41:06 -0400 Subject: [PATCH 10/33] remove trailing / --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d8007012e..f36cdac68 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,7 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ -F -M -x python3 stable "$NEWSALTVERSION" + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003 -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 521dbbd90a1f7441c39deb4191013dbb0e569005 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 11:45:59 -0400 Subject: [PATCH 11/33] change repo path --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index f36cdac68..e14c9a0aa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,7 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003 -F -M -x python3 stable "$NEWSALTVERSION" + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/py3/redhat/7/x86_64/archive/3003/ -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 6da84c7c87fb2b1b2519b06100fa026d2bbbbbf5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 12:00:36 -0400 Subject: [PATCH 12/33] strip trailing / --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e14c9a0aa..74a1c26c0 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,7 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/py3/redhat/7/x86_64/archive/3003/ -F -M -x python3 stable "$NEWSALTVERSION" + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/py3/redhat/7/x86_64/archive/3003 -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 80509fbbc61987eecf7b0bccd17d7c59b454a1e4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 12:23:11 -0400 Subject: [PATCH 13/33] fix -R repo option --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 74a1c26c0..5108e73d3 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -509,7 +509,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R https://repo.securityonion.net/file/securityonion-repo/saltstack3003/py3/redhat/7/x86_64/archive/3003 -F -M -x python3 stable "$NEWSALTVERSION" + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R repo.securityonion.net/file/securityonion-repo/saltstack3003 -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From af6403f8746180fdd3c94e1223dff3760a4acadd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 15:45:05 -0400 Subject: [PATCH 14/33] soup salt and repos ohh my --- salt/common/init.sls | 6 ++++ salt/common/tools/sbin/soup | 28 +++++++++++++++++-- salt/common/yum_repos/securityonion.repo | 14 +++++----- salt/common/yum_repos/securityonioncache.repo | 4 +-- 4 files changed, 41 insertions(+), 11 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ada77e1a..adf34a43a 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -74,6 +74,12 @@ repair_yumdb: - onlyif: - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://common/keys/ + + crbase: file.absent: - name: /etc/yum.repos.d/CentOS-Base.repo diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index cb2d19aed..a24af62f9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -409,6 +409,30 @@ up_2.3.2X_to_2.3.30() { sed -i "/^strelka:/a \\ repos: \n - https://github.com/Neo23x0/signature-base" /opt/so/saltstack/local/pillar/global.sls; fi check_log_size_limit + INSTALLEDVERSION=2.3.30 +} + +up_2.3.3X_to_2.3.50() { + if [[ $OS == 'centos' ]]; then + # Import GPG Keys + gpg_rpm_import + + if [[ ! $is_airgap ]]; then + + DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') + + for DELREPO in "${DELREPOS[@]}"; + rm /etc/yum.repos.d/$DELREPO + done + + # Copy the new repo file if not airgap + cp $UPDATE_DIR/salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + yum clean all + yum repolist + fi + fi + INSTALLEDVERSION=2.3.50 + } verify_upgradespace() { @@ -503,7 +527,7 @@ upgrade_salt() { echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "" # If CentOS - if [ "$OS" == "centos" ]; then + if [[ $OS == 'centos' ]]; then echo "Removing yum versionlock for Salt." echo "" yum versionlock delete "salt-*" @@ -518,7 +542,7 @@ upgrade_salt() { echo "" yum versionlock add "salt-*" # Else do Ubuntu things - elif [ "$OS" == "ubuntu" ]; then + elif [[ $OS == 'ubuntu' ]]; then echo "Removing apt hold for Salt." echo "" apt-mark unhold "salt-common" diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index e61829380..0cd96bd91 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -31,25 +31,25 @@ name=Extra Packages for Enterprise Linux 7 - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/epel/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/RPM-GPG-KEY-EPEL-7 +gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7 [docker-ce-stable] name=Docker CE Stable - $basearch baseurl=https://repo.securityonion.net/file/securityonion-repo/docker-ce-stable enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub +gpgkey=file:///etc/pki/rpm-gpg/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub [wazuh_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh_repo/ @@ -57,7 +57,7 @@ protect=1 [wazuh4_repo] gpgcheck=1 -gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH +gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://repo.securityonion.net/file/securityonion-repo/wazuh4_repo/ diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..bc0454ae7 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -40,9 +40,9 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub -[saltstack] +[saltstack3003] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 92768ecd08e51d006064faf0beaf5081c3c0ad74 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 15:47:50 -0400 Subject: [PATCH 15/33] Add upgrade function --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a24af62f9..6578432fa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -239,6 +239,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0 [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20 [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30 + [[ "$INSTALLEDVERSION" == 2.3.30 ]] && up_2.3.3X_to_2.3.50 } postupgrade_changes() { From b50700114c4ee6a1ff0edbbd04419b6a447d91c1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 15:58:08 -0400 Subject: [PATCH 16/33] Add the do --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6578432fa..412f10e04 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -422,8 +422,8 @@ up_2.3.3X_to_2.3.50() { DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') - for DELREPO in "${DELREPOS[@]}"; - rm /etc/yum.repos.d/$DELREPO + for DELREPO in "${DELREPOS[@]}"; do + rm /etc/yum.repos.d/"$DELREPO" done # Copy the new repo file if not airgap From 73e00dbe30dceeb5418932f49576643fbccdc2c9 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 6 Apr 2021 16:07:08 -0400 Subject: [PATCH 17/33] change salt upgrade in soup --- salt/common/tools/sbin/soup | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index c95f71499..a3fa70397 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -534,7 +534,11 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -R repo.securityonion.net/file/securityonion-repo/saltstack3003 -F -M -x python3 stable "$NEWSALTVERSION" + if [ $is_airgap -eq 0 ]; then + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" + else + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + fi echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 51bf988d31e00fa61f8228460b3e087e28d93088 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 16:21:19 -0400 Subject: [PATCH 18/33] Add .repo extension --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 412f10e04..b4cbc43ec 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -423,7 +423,7 @@ up_2.3.3X_to_2.3.50() { DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') for DELREPO in "${DELREPOS[@]}"; do - rm /etc/yum.repos.d/"$DELREPO" + rm /etc/yum.repos.d/"$DELREPO".repo done # Copy the new repo file if not airgap From 6f7e6cee80bae73ef6c7f4d68124f6a2f0828eab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 6 Apr 2021 16:43:42 -0400 Subject: [PATCH 19/33] Force it --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b4cbc43ec..46aa0c650 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -423,7 +423,7 @@ up_2.3.3X_to_2.3.50() { DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') for DELREPO in "${DELREPOS[@]}"; do - rm /etc/yum.repos.d/"$DELREPO".repo + rm -f /etc/yum.repos.d/"$DELREPO".repo done # Copy the new repo file if not airgap From 8f208728dde9fe1a4ef795da31c81357a60d41ef Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 09:10:16 -0400 Subject: [PATCH 20/33] change delete repos --- salt/common/tools/sbin/soup | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5ce8d78c1..ffad5ad67 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -418,11 +418,11 @@ up_2.3.3X_to_2.3.50() { # Import GPG Keys gpg_rpm_import - if [[ ! $is_airgap ]]; then + if [ $is_airgap -eq 1 ]; then - DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') + DELREPOS=('CentOS-Base.repo' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') - for DELREPO in "${DELREPOS[@]}"; do + for DELREPO in ${DELREPOS[@]}; do rm -f /etc/yum.repos.d/"$DELREPO".repo done From 080ecba8e6e87700017f4ca365ff43db4bd62149 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 10:54:46 -0400 Subject: [PATCH 21/33] change delrepos --- salt/common/tools/sbin/soup | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index ffad5ad67..0fc1017f6 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -414,16 +414,18 @@ up_2.3.2X_to_2.3.30() { } up_2.3.3X_to_2.3.50() { - if [[ $OS == 'centos' ]]; then + if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import if [ $is_airgap -eq 1 ]; then - DELREPOS=('CentOS-Base.repo' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') - + DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') + for DELREPO in ${DELREPOS[@]}; do - rm -f /etc/yum.repos.d/"$DELREPO".repo + if [[ -f "$DELREPO" ]]; then + rm -f /etc/yum.repos.d/"$DELREPO".repo + fi done # Copy the new repo file if not airgap @@ -433,7 +435,6 @@ up_2.3.3X_to_2.3.50() { fi fi INSTALLEDVERSION=2.3.50 - } verify_upgradespace() { From 54e039477623668ee5dc7a7858d13db191f6aca6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 10:57:09 -0400 Subject: [PATCH 22/33] change from saltstack3003 to just saltstack for repo --- salt/common/yum_repos/securityonion.repo | 4 ++-- salt/common/yum_repos/securityonioncache.repo | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index 0cd96bd91..9bb42552d 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -40,9 +40,9 @@ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/docker.pub -[saltstack3003] +[saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index bc0454ae7..6d5058337 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -40,9 +40,9 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub -[saltstack3003] +[saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From b7aa9ddaa3542c1c1d3724beac3444b7aebb0427 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 11:37:55 -0400 Subject: [PATCH 23/33] run preupgrade changes if 2.3.40 --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 0fc1017f6..679c52a17 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -239,7 +239,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" =~ rc.3 ]] && rc3_to_2.3.0 [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20 [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30 - [[ "$INSTALLEDVERSION" == 2.3.30 ]] && up_2.3.3X_to_2.3.50 + [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50 } postupgrade_changes() { From 5578206bf119311a7b2ea7b99f8a0974b0054f81 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 12:41:01 -0400 Subject: [PATCH 24/33] need to make the repo changes before we try to upgrade sa;t --- salt/common/tools/sbin/soup | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 679c52a17..e9f337f65 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -230,6 +230,13 @@ masterunlock() { fi } +preupgrade_changes_2.3.50_repo() { + # We made repo changes in 2.3.50 and this prepares for that on upgrade + echo "Checking to see if 2.3.50 repo changes are needed." + + [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo +} + preupgrade_changes() { # This function is to add any new pillar items if needed. echo "Checking to see if changes are needed." @@ -413,7 +420,7 @@ up_2.3.2X_to_2.3.30() { INSTALLEDVERSION=2.3.30 } -up_2.3.3X_to_2.3.50() { +up_2.3.3X_to_2.3.50_repo() { if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import @@ -434,6 +441,9 @@ up_2.3.3X_to_2.3.50() { yum repolist fi fi +} + +up_2.3.3X_to_2.3.50() { INSTALLEDVERSION=2.3.50 } @@ -655,6 +665,7 @@ else update_registry update_docker_containers "soup" fi + echo "" echo "Stopping Salt Minion service." systemctl stop salt-minion @@ -665,6 +676,8 @@ echo "Stopping Salt Master service." systemctl stop salt-master echo "" +preupgrade_changes_2.3.50_repo + # Does salt need upgraded. If so update it. if [ "$UPGRADESALT" == "1" ]; then echo "Upgrading Salt" From 249fa06fc7f1c51475c7419dc86386d43d1e3639 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 13:03:27 -0400 Subject: [PATCH 25/33] echo when performing the repo actions for 2.3.50 --- salt/common/tools/sbin/soup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e9f337f65..4584c207a 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -421,12 +421,13 @@ up_2.3.2X_to_2.3.30() { } up_2.3.3X_to_2.3.50_repo() { + echo 'Performing 2.3.50 repo actions.' if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import if [ $is_airgap -eq 1 ]; then - + echo 'Deleting unneeded repo files.' DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') for DELREPO in ${DELREPOS[@]}; do From 425e5bc4c30dda35c27d730a1c465120bc05821b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 13:31:43 -0400 Subject: [PATCH 26/33] add some quotes --- salt/common/tools/sbin/soup | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 4584c207a..6824ac8a2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -421,18 +421,19 @@ up_2.3.2X_to_2.3.30() { } up_2.3.3X_to_2.3.50_repo() { - echo 'Performing 2.3.50 repo actions.' + echo "Performing 2.3.50 repo actions." if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import if [ $is_airgap -eq 1 ]; then - echo 'Deleting unneeded repo files.' + echo "Deleting unneeded repo files." DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') - for DELREPO in ${DELREPOS[@]}; do + for DELREPO in "${DELREPOS[@]}"; do if [[ -f "$DELREPO" ]]; then - rm -f /etc/yum.repos.d/"$DELREPO".repo + echo "Deleting $DELREPO.repo" + rm -f "/etc/yum.repos.d/$DELREPO.repo" fi done From c4f01192763e4f661eee745777a25f6802b1ed9a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 7 Apr 2021 13:51:40 -0400 Subject: [PATCH 27/33] fix check if repo file exists --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6824ac8a2..6448c432f 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -431,7 +431,7 @@ up_2.3.3X_to_2.3.50_repo() { DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') for DELREPO in "${DELREPOS[@]}"; do - if [[ -f "$DELREPO" ]]; then + if [[ -f "/etc/yum.repos.d/$DELREPO.repo" ]]; then echo "Deleting $DELREPO.repo" rm -f "/etc/yum.repos.d/$DELREPO.repo" fi From dce476b604e30923ff79e566eea3593bbbdc6a30 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 8 Apr 2021 09:54:41 -0400 Subject: [PATCH 28/33] change back to saltstack3003 repo --- salt/common/yum_repos/securityonion.repo | 2 +- salt/common/yum_repos/securityonioncache.repo | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index 9bb42552d..5fd9b5fc4 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -42,7 +42,7 @@ gpgkey=file:///etc/pki/rpm-gpg/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/SALTSTACK-GPG-KEY.pub diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..56ada1413 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo @@ -42,7 +42,7 @@ gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/docker.pub [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack/ +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub From 6650ad5cdd545e8378a945edf7abfd94b92f85d5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 8 Apr 2021 14:04:30 -0400 Subject: [PATCH 29/33] make the -r for all --- salt/common/tools/sbin/soup | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6448c432f..70d453334 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -547,11 +547,7 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - if [ $is_airgap -eq 0 ]; then - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" - else - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" - fi + sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" From 9240d376f3588d4029b14ff93400c2031bde9cf7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 12 Apr 2021 14:31:41 -0400 Subject: [PATCH 30/33] combine client repo management into 1 state --- salt/airgap/init.sls | 71 ---------------- salt/common/init.sls | 83 ------------------- .../client/files/centos/airgap}/yum.conf | 0 .../client/files/centos}/keys/GPG-KEY-WAZUH | 0 .../files/centos}/keys/RPM-GPG-KEY-EPEL-7 | 0 .../files/centos}/keys/SALTSTACK-GPG-KEY.pub | 0 .../client/files/centos}/keys/docker.pub | 0 .../files/centos}/keys/securityonion.pub | 0 .../client/files/centos}/securityonion.repo | 0 .../files/centos}/securityonioncache.repo | 0 .../client/files/centos}/yum.conf.jinja | 0 salt/repo/client/init.sls | 77 +++++++++++++++++ salt/repo/client/map.jinja | 25 ++++++ salt/top.sls | 11 +-- salt/yum/init.sls | 17 ---- 15 files changed, 104 insertions(+), 180 deletions(-) delete mode 100644 salt/airgap/init.sls rename salt/{airgap/files => repo/client/files/centos/airgap}/yum.conf (100%) rename salt/{common => repo/client/files/centos}/keys/GPG-KEY-WAZUH (100%) rename salt/{common => repo/client/files/centos}/keys/RPM-GPG-KEY-EPEL-7 (100%) rename salt/{common => repo/client/files/centos}/keys/SALTSTACK-GPG-KEY.pub (100%) rename salt/{common => repo/client/files/centos}/keys/docker.pub (100%) rename salt/{common => repo/client/files/centos}/keys/securityonion.pub (100%) rename salt/{common/yum_repos => repo/client/files/centos}/securityonion.repo (100%) rename salt/{common/yum_repos => repo/client/files/centos}/securityonioncache.repo (100%) rename salt/{yum/etc => repo/client/files/centos}/yum.conf.jinja (100%) create mode 100644 salt/repo/client/init.sls create mode 100644 salt/repo/client/map.jinja delete mode 100644 salt/yum/init.sls diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls deleted file mode 100644 index 4ff401099..000000000 --- a/salt/airgap/init.sls +++ /dev/null @@ -1,71 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -{% set MANAGER = salt['grains.get']('master') %} -airgapyum: - file.managed: - - name: /etc/yum/yum.conf - - source: salt://airgap/files/yum.conf - -airgap_repo: - pkgrepo.managed: - - humanname: Airgap Repo - - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 1 - - sslverify: 0 - -agbase: - file.absent: - - name: /etc/yum.repos.d/CentOS-Base.repo - -agcr: - file.absent: - - name: /etc/yum.repos.d/CentOS-CR.repo - -agdebug: - file.absent: - - name: /etc/yum.repos.d/CentOS-Debuginfo.repo - -agfasttrack: - file.absent: - - name: /etc/yum.repos.d/CentOS-fasttrack.repo - -agmedia: - file.absent: - - name: /etc/yum.repos.d/CentOS-Media.repo - -agsources: - file.absent: - - name: /etc/yum.repos.d/CentOS-Sources.repo - -agvault: - file.absent: - - name: /etc/yum.repos.d/CentOS-Vault.repo - -agkernel: - file.absent: - - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo - -agepel: - file.absent: - - name: /etc/yum.repos.d/epel.repo - -agtesting: - file.absent: - - name: /etc/yum.repos.d/epel-testing.repo - -agssrepo: - file.absent: - - name: /etc/yum.repos.d/saltstack.repo - -agwazrepo: - file.absent: - - name: /etc/yum.repos.d/wazuh.repo - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index b630891f5..0492b6535 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -2,8 +2,6 @@ {% if sls in allowed_states %} {% set role = grains.id.split('_') | last %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} # Remove variables.txt from /tmp - This is temp rmvariablesfile: @@ -66,87 +64,6 @@ salttmp: - group: 939 - makedirs: True -# Remove default Repos -{% if grains['os'] == 'CentOS' %} -repair_yumdb: - cmd.run: - - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' - - onlyif: - - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' - -crsynckeys: - file.recurse: - - name: /etc/pki/rpm_gpg - - source: salt://common/keys/ - - -crbase: - file.absent: - - name: /etc/yum.repos.d/CentOS-Base.repo - -crcr: - file.absent: - - name: /etc/yum.repos.d/CentOS-CR.repo - -crdebug: - file.absent: - - name: /etc/yum.repos.d/CentOS-Debuginfo.repo - -crdockerce: - file.absent: - - name: /etc/yum.repos.d/docker-ce.repo - -crfasttrack: - file.absent: - - name: /etc/yum.repos.d/CentOS-fasttrack.repo - -crmedia: - file.absent: - - name: /etc/yum.repos.d/CentOS-Media.repo - -crsources: - file.absent: - - name: /etc/yum.repos.d/CentOS-Sources.repo - -crvault: - file.absent: - - name: /etc/yum.repos.d/CentOS-Vault.repo - -crkernel: - file.absent: - - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo - -crepel: - file.absent: - - name: /etc/yum.repos.d/epel.repo - -crtesting: - file.absent: - - name: /etc/yum.repos.d/epel-testing.repo - -crssrepo: - file.absent: - - name: /etc/yum.repos.d/saltstack.repo - -crwazrepo: - file.absent: - - name: /etc/yum.repos.d/wazuh.repo - -{% if not ISAIRGAP %} -crsecurityonionrepo: - file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo - - source: salt://common/yum_repos/securityonion.repo - {% else %} - - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://common/yum_repos/securityonioncache.repo - {% endif %} - - mode: 644 - -{% endif %} -{% endif %} - # Install common packages {% if grains['os'] != 'CentOS' %} commonpkgs: diff --git a/salt/airgap/files/yum.conf b/salt/repo/client/files/centos/airgap/yum.conf similarity index 100% rename from salt/airgap/files/yum.conf rename to salt/repo/client/files/centos/airgap/yum.conf diff --git a/salt/common/keys/GPG-KEY-WAZUH b/salt/repo/client/files/centos/keys/GPG-KEY-WAZUH similarity index 100% rename from salt/common/keys/GPG-KEY-WAZUH rename to salt/repo/client/files/centos/keys/GPG-KEY-WAZUH diff --git a/salt/common/keys/RPM-GPG-KEY-EPEL-7 b/salt/repo/client/files/centos/keys/RPM-GPG-KEY-EPEL-7 similarity index 100% rename from salt/common/keys/RPM-GPG-KEY-EPEL-7 rename to salt/repo/client/files/centos/keys/RPM-GPG-KEY-EPEL-7 diff --git a/salt/common/keys/SALTSTACK-GPG-KEY.pub b/salt/repo/client/files/centos/keys/SALTSTACK-GPG-KEY.pub similarity index 100% rename from salt/common/keys/SALTSTACK-GPG-KEY.pub rename to salt/repo/client/files/centos/keys/SALTSTACK-GPG-KEY.pub diff --git a/salt/common/keys/docker.pub b/salt/repo/client/files/centos/keys/docker.pub similarity index 100% rename from salt/common/keys/docker.pub rename to salt/repo/client/files/centos/keys/docker.pub diff --git a/salt/common/keys/securityonion.pub b/salt/repo/client/files/centos/keys/securityonion.pub similarity index 100% rename from salt/common/keys/securityonion.pub rename to salt/repo/client/files/centos/keys/securityonion.pub diff --git a/salt/common/yum_repos/securityonion.repo b/salt/repo/client/files/centos/securityonion.repo similarity index 100% rename from salt/common/yum_repos/securityonion.repo rename to salt/repo/client/files/centos/securityonion.repo diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/repo/client/files/centos/securityonioncache.repo similarity index 100% rename from salt/common/yum_repos/securityonioncache.repo rename to salt/repo/client/files/centos/securityonioncache.repo diff --git a/salt/yum/etc/yum.conf.jinja b/salt/repo/client/files/centos/yum.conf.jinja similarity index 100% rename from salt/yum/etc/yum.conf.jinja rename to salt/repo/client/files/centos/yum.conf.jinja diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls new file mode 100644 index 000000000..60353426f --- /dev/null +++ b/salt/repo/client/init.sls @@ -0,0 +1,77 @@ +{% from 'repo/client/map.jinja' import ABSENTFILES with context %} +{% from 'repo/client/map.jinja' import REPOPATH with context %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', '0') %} +{% set role = grains.id.split('_') | last %} + +# from airgap state +{% if ISAIRGAP and grains.os == 'CentOS' %} +{% set MANAGER = salt['grains.get']('master') %} +airgapyum: + file.managed: + - name: /etc/yum/yum.conf + - source: salt://repo/client/files/centos/airgap/yum.conf + +airgap_repo: + pkgrepo.managed: + - humanname: Airgap Repo + - baseurl: https://{{ MANAGER }}/repo + - gpgcheck: 1 + - sslverify: 0 +{% endif %} + +# from airgap and common +{% if ABSENTFILES|length > 0%} + {% for file in ABSENTFILES %} +{{ file }}: + file.absent: + - name: {{ REPOPATH }}{{ file }} + - onchanges_in: cleanyum + {% endfor %} +{% endif %} + +# from common state +# Remove default Repos +{% if grains['os'] == 'CentOS' %} +repair_yumdb: + cmd.run: + - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' + - onlyif: + - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' + +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://repo/client/files/centos/keys/ + +{% if not ISAIRGAP %} +crsecurityonionrepo: + file.managed: + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} + - name: /etc/yum.repos.d/securityonion.repo + - source: salt://repo/client/files/centos/securityonion.repo + {% else %} + - name: /etc/yum.repos.d/securityonioncache.repo + - source: salt://repo/client/files/centos/securityonioncache.repo + {% endif %} + - mode: 644 + +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt:/repo/client/files/centos/yum.conf.jinja + - mode: 644 + - template: jinja +{% endif %} + +cleanyum: + module.run: + - pkg.clean_metadata + - onchanges: + - file: airgapyum + - pkgrepo: airgap_repo + - file: crsecurityonionrepo + - file: yumconf + +{% endif %} + diff --git a/salt/repo/client/map.jinja b/salt/repo/client/map.jinja new file mode 100644 index 000000000..ccfa1eae2 --- /dev/null +++ b/salt/repo/client/map.jinja @@ -0,0 +1,25 @@ +{% if grains.os == 'CentOS' %} + + {% set REPOPATH = '/etc/yum.repos.d/' %} + {% set ABSENTFILES = [ + 'CentOS-Base.repo', + 'CentOS-CR.repo', + 'CentOS-Debuginfo.repo', + 'CentOS-fasttrack.repo', + 'CentOS-Media.repo', + 'CentOS-Sources.repo', + 'CentOS-Vault.repo', + 'CentOS-x86_64-kernel.repo', + 'epel.repo', + 'epel-testing.repo', + 'saltstack.repo', + 'wazuh.repo' + ] + %} + +{% elif grains.os == 'Ubuntu' %} + + {% set REPOPATH = '/etc/apt/sources.list.d/' %} + {% set ABSENTFILES = [] %} + +{% endif %} \ No newline at end of file diff --git a/salt/top.sls b/salt/top.sls index 6b522d03b..8a12aaa26 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -14,7 +14,6 @@ {% set CURATOR = salt['pillar.get']('curator:enabled', True) %} {% set REDIS = salt['pillar.get']('redis:enabled', True) %} {% set STRELKA = salt['pillar.get']('strelka:enabled', '0') %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'salt/minion.defaults.yaml' as saltversion %} {% set saltversion = saltversion.salt.minion.version %} {% set INSTALLEDSALTVERSION = grains.saltversion %} @@ -24,18 +23,12 @@ base: 'not G@saltversion:{{saltversion}}': - match: compound - salt.minion-state-apply-test - {% if ISAIRGAP is sameas true %} - - airgap - {% endif %} + - repo.client - salt.minion 'G@os:CentOS and G@saltversion:{{saltversion}}': - match: compound - {% if ISAIRGAP is sameas true %} - - airgap - {% else %} - - yum - {% endif %} + - repo.client - yum.packages '* and G@saltversion:{{saltversion}}': diff --git a/salt/yum/init.sls b/salt/yum/init.sls deleted file mode 100644 index 339a6f2a7..000000000 --- a/salt/yum/init.sls +++ /dev/null @@ -1,17 +0,0 @@ -{% from 'allowed_states.map.jinja' import allowed_states %} -{% if sls in allowed_states %} - -yumconf: - file.managed: - - name: /etc/yum.conf - - source: salt://yum/etc/yum.conf.jinja - - mode: 644 - - template: jinja - -{% else %} - -{{sls}}_state_not_allowed: - test.fail_without_changes: - - name: {{sls}}_state_not_allowed - -{% endif %} \ No newline at end of file From eb7bf58f30c9bc688b799d4a3c2e1acc608bc469 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 12 Apr 2021 16:33:32 -0400 Subject: [PATCH 31/33] fix issues with repo.client state --- salt/repo/client/init.sls | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 60353426f..5567caac2 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls @@ -26,7 +26,8 @@ airgap_repo: {{ file }}: file.absent: - name: {{ REPOPATH }}{{ file }} - - onchanges_in: cleanyum + - onchanges_in: + - module: cleanyum {% endfor %} {% endif %} @@ -59,19 +60,22 @@ crsecurityonionrepo: yumconf: file.managed: - name: /etc/yum.conf - - source: salt:/repo/client/files/centos/yum.conf.jinja + - source: salt://repo/client/files/centos/yum.conf.jinja - mode: 644 - template: jinja {% endif %} cleanyum: module.run: - - pkg.clean_metadata + - pkg.clean_metadata: [] - onchanges: +{% if ISAIRGAP %} - file: airgapyum - pkgrepo: airgap_repo +{% else %} - file: crsecurityonionrepo - file: yumconf +{% endif %} {% endif %} From 325264dafd858413ff6f977e4fba8d9b20f34d0a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 12 Apr 2021 17:44:50 -0400 Subject: [PATCH 32/33] point to new repo location --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 70d453334..2a1ddab1c 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -438,7 +438,7 @@ up_2.3.3X_to_2.3.50_repo() { done # Copy the new repo file if not airgap - cp $UPDATE_DIR/salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ yum clean all yum repolist fi From eb94c011e22ec056501b5aee66da88a39054a5f5 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 13 Apr 2021 11:15:15 -0400 Subject: [PATCH 33/33] update location of yum keys and repo files for setup --- salt/common/tools/sbin/so-common | 4 ++-- setup/so-functions | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index a2c28587d..97e61e6e2 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -165,9 +165,9 @@ get_random_value() { gpg_rpm_import() { if [[ "$OS" == "centos" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then - local RPMKEYSLOC="../salt/common/keys" + local RPMKEYSLOC="../salt/repo/client/files/centos/keys" else - local RPMKEYSLOC="$UPDATEDIR/salt/common/keys" + local RPMKEYSLOC="$UPDATEDIR/salt/repo/client/files/centos/keys" fi RPMKEYS=('RPM-GPG-KEY-EPEL-7' 'GPG-KEY-WAZUH' 'docker.pub' 'SALTSTACK-GPG-KEY.pub' 'securityonion.pub') diff --git a/setup/so-functions b/setup/so-functions index d3a695fa1..ae65c7547 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2300,9 +2300,9 @@ securityonion_repo() { yum repolist all mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/ else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ fi fi else