Merge pull request #12248 from Security-Onion-Solutions/jertel/pfeat

standardize feature names
2025-12-06 17:22:49 +01:00 · 2024-01-24 12:12:16 -05:00
parent cbdaf2e9a1 9f17bd2255
commit e53030feef
8 changed files with 49 additions and 32 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -366,6 +366,13 @@ is_feature_enabled() {
 	return 1
 }

+read_feat() {
+	if [ -f /opt/so/log/sostatus/lks_enabled ]; then
+		lic_id=$(cat /opt/so/saltstack/local/pillar/soc/license.sls | grep license_id: | awk '{print $2}')
+		echo "$lic_id/$(cat /opt/so/log/sostatus/lks_enabled)/$(cat /opt/so/log/sostatus/fps_enabled)"
+	fi
+}
+
 require_manager() {
 	if is_manager_node; then
 		echo "This is a manager, so we can proceed."
@@ -559,6 +566,14 @@ status () {
    printf "\n=========================================================================\n$(date) | $1\n=========================================================================\n"
 }

+sync_options() {
+	set_version
+	set_os
+	salt_minion_count
+	
+	echo "$VERSION/$OS/$(uname -r)/$MINIONCOUNT/$(read_feat)"
+}
+
 systemctl_func() {
 	local action=$1
 	local echo_action=$1
--- a/salt/common/tools/sbin/so-common-status-check
+++ b/salt/common/tools/sbin/so-common-status-check
@@ -37,23 +37,28 @@ def check_needs_restarted():
  with open(outfile, 'w') as f:
    f.write(val)

-def check_for_fips():
-    fips = 0
+def check_for_fps():
+    feat = 'fps'
+    feat_full = feat.replace('ps', 'ips')
+    fps = 0
    try:
-        result = subprocess.run(['fips-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
+        result = subprocess.run([feat_full + '-mode-setup', '--is-enabled'], stdout=subprocess.PIPE)
        if result.returncode == 0:
-            fips = 1
+            fps = 1
    except FileNotFoundError:
-        with open('/proc/sys/crypto/fips_enabled', 'r') as f:
+        fn = '/proc/sys/crypto/' + feat_full + '_enabled'
+        with open(fn, 'r') as f:
            contents = f.read()
            if '1' in contents:
-                fips = 1
+                fps = 1

-    with open('/opt/so/log/sostatus/fips_enabled', 'w') as f:
-       f.write(str(fips))
+    with open('/opt/so/log/sostatus/lks_enabled', 'w') as f:
+       f.write(str(fps))

-def check_for_luks():
-    luks = 0
+def check_for_lks():
+    feat = 'Lks'
+    feat_full = feat.replace('ks', 'uks')
+    lks = 0
    result = subprocess.run(['lsblk', '-p', '-J'], check=True, stdout=subprocess.PIPE)
    data = json.loads(result.stdout)
    for device in data['blockdevices']:
@@ -61,17 +66,18 @@ def check_for_luks():
            for gc in device['children']:
                if 'children' in gc:
                    try:
-                        result = subprocess.run(['cryptsetup', 'isLuks', gc['name']], stdout=subprocess.PIPE)
+                        arg = 'is' + feat_full
+                        result = subprocess.run(['cryptsetup', arg, gc['name']], stdout=subprocess.PIPE)
                        if result.returncode == 0:
-                           luks = 1
+                           lks = 1
                    except FileNotFoundError:
                        for ggc in gc['children']:
                            if 'crypt' in ggc['type']:
-                                luks = 1
-        if luks:
+                                lks = 1
+        if lks:
            break
-    with open('/opt/so/log/sostatus/luks_enabled', 'w') as f:
-       f.write(str(luks))
+    with open('/opt/so/log/sostatus/fps_enabled', 'w') as f:
+       f.write(str(lks))

 def fail(msg):
  print(msg, file=sys.stderr)
@@ -84,9 +90,9 @@ def main():
  # Ensure that umask is 0022 so that files created by this script have rw-r-r permissions
  org_umask = os.umask(0o022)
  check_needs_restarted()
-  check_for_fips()
-  check_for_luks()
-  # Restore umask to whatever value was set before this script was run. STIG sets to 0077 rw---
+  check_for_fps()
+  check_for_lks()
+  # Restore umask to whatever value was set before this script was run. SXIG sets to 0077 rw---
  os.umask(org_umask)

 if __name__ == "__main__":
--- a/salt/kratos/map.jinja
+++ b/salt/kratos/map.jinja
@@ -21,7 +21,7 @@

 {% set KRATOSMERGED = salt['pillar.get']('kratos', default=KRATOSDEFAULTS.kratos, merge=true) %}

-{% if KRATOSMERGED.oidc.enabled and 'oidc' in salt['pillar.get']('features') %}
+{% if KRATOSMERGED.oidc.enabled and 'odc' in salt['pillar.get']('features') %}
 {%   do KRATOSMERGED.config.selfservice.methods.update({'oidc': {'enabled': true, 'config': {'providers': [KRATOSMERGED.oidc.config]}}}) %}
 {% endif %}

--- a/salt/manager/tools/sbin/so-repo-sync
+++ b/salt/manager/tools/sbin/so-repo-sync
@@ -7,12 +7,8 @@
 NOROOT=1
 . /usr/sbin/so-common

-set_version
-set_os
-salt_minion_count
-
 set -e

-curl --retry 5 --retry-delay 60 -A "reposync/$VERSION/$OS/$(uname -r)/$MINIONCOUNT" https://sigs.securityonion.net/checkup --output /tmp/checkup
+curl --retry 5 --retry-delay 60 -A "reposync/$(sync_options)" https://sigs.securityonion.net/checkup --output /tmp/checkup
 dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/
 createrepo /nsm/repo
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -347,7 +347,7 @@ function syncElastic() {
    [[ $? != 0 ]] && fail "Unable to read credential hashes from database"

    user_data_formatted=$(echo "${userData}" | jq -r '.user + ":" + .data.hashed_password')
-    if lookup_salt_value "licensed_features" "" "pillar" | grep -x oidc; then
+    if lookup_salt_value "features" "" "pillar" | grep -x odc; then
      # generate random placeholder salt/hash for users without passwords
      random_crypt=$(get_random_value 53)
      user_data_formatted=$(echo "${user_data_formatted}" | sed -r "s/^(.+:)\$/\\1\$2a\$12${random_crypt}/")
--- a/salt/stig/enabled.sls
+++ b/salt/stig/enabled.sls
@@ -12,7 +12,7 @@
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'allowed_states.map.jinja' import allowed_states %}
 {% if sls.split('.')[0] in allowed_states and GLOBALS.os == 'OEL' %}
-{%   if 'stig' in salt['pillar.get']('features', []) %}
+{%   if 'stg' in salt['pillar.get']('features', []) %}
  {% set OSCAP_PROFILE_NAME = 'xccdf_org.ssgproject.content_profile_stig' %}
  {% set OSCAP_PROFILE_LOCATION = '/opt/so/conf/stig/sos-oscap.xml' %}
  {% set OSCAP_OUTPUT_DIR = '/opt/so/log/stig' %}
--- a/salt/stig/schedule.sls
+++ b/salt/stig/schedule.sls
@@ -4,7 +4,7 @@
 # Elastic License 2.0.

 {% from 'stig/map.jinja' import STIGMERGED %}
-{%   if 'stig' in salt['pillar.get']('features', []) %}
+{%   if 'stg' in salt['pillar.get']('features', []) %}
 stig_remediate_schedule:
  schedule.present:
    - function: state.apply
--- a/salt/telegraf/scripts/features.sh
+++ b/salt/telegraf/scripts/features.sh
@@ -7,11 +7,11 @@

 if [[ ! "`pidof -x $(basename $0) -o %PPID`" ]]; then

-    FIPS_ENABLED=$(cat /var/log/sostatus/fips_enabled)
-    LUKS_ENABLED=$(cat /var/log/sostatus/luks_enabled)
+    FPS_ENABLED=$(cat /var/log/sostatus/fps_enabled)
+    LKS_ENABLED=$(cat /var/log/sostatus/lks_enabled)

-    echo "features fips=$FIPS_ENABLED"
-    echo "features luks=$LUKS_ENABLED"
+    echo "features fps=$FPS_ENABLED"
+    echo "features lks=$LKS_ENABLED"
 fi

 exit 0