diff --git a/pillar/top.sls b/pillar/top.sls index 097f5b108..1cf3bdc8a 100644 --- a/pillar/top.sls +++ b/pillar/top.sls @@ -131,3 +131,6 @@ base: {% endif %} - global - minions.{{ grains.id }} + + '*_workstation': + - minions.{{ grains.id }} diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index a1f6cdb8c..3dbc6d24a 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -217,6 +217,8 @@ 'schedule', 'docker_clean' ], + 'so-workstation': [ + ], }, grain='role') %} {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %} diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index a7677a754..5e1ecfbeb 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -367,6 +367,7 @@ run_check_net_err() { exit $exit_code fi } + set_cron_service_name() { if [[ "$OS" == "centos" ]]; then cron_service_name="crond" diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 160782267..927a1091d 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls @@ -43,7 +43,7 @@ repair_yumdb: crsynckeys: file.recurse: - - name: /etc/pki/rpm_gpg + - name: /etc/pki/rpm-gpg - source: salt://repo/client/files/centos/keys/ {% if not ISAIRGAP %} diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index cf26c1249..882fe7580 100644 --- a/salt/salt/minion.sls +++ b/salt/salt/minion.sls @@ -66,7 +66,7 @@ set_log_levels: salt_minion_service_unit_file: file.managed: - - name: /etc/systemd/system/multi-user.target.wants/salt-minion.service + - name: /usr/lib/systemd/system/salt-minion.service - source: salt://salt/service/salt-minion.service.jinja - template: jinja - defaults: diff --git a/salt/top.sls b/salt/top.sls index 83c911992..dd41ff9fe 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -35,11 +35,14 @@ base: '* and G@saltversion:{{saltversion}}': - match: compound - salt.minion - - common - patch.os.schedule - motd - salt.minion-check - salt.lasthighstate + + 'not *_workstation and G@saltversion:{{saltversion}}': + - match: compound + - common '*_helixsensor and G@saltversion:{{saltversion}}': - match: compound @@ -507,3 +510,11 @@ base: - docker_clean - filebeat - idh + + 'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': + - match: compound + - workstation + + 'J@workstation:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )': + - match: compound + - workstation.remove_gui diff --git a/salt/workstation/init.sls b/salt/workstation/init.sls new file mode 100644 index 000000000..c786cdab5 --- /dev/null +++ b/salt/workstation/init.sls @@ -0,0 +1,3 @@ +include: + - workstation.xwindows + - workstation.trusted-ca diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls new file mode 100644 index 000000000..3d4794fb5 --- /dev/null +++ b/salt/workstation/packages.sls @@ -0,0 +1,47 @@ +xwindows_group: + pkg.group_installed: + - name: X Window System + +graphical_extras: + pkg.installed: + - pkgs: + - gnome-classic-session + - gnome-terminal + - gnome-terminal-nautilus + - control-center + - liberation-mono-fonts + - file-roller + +workstation_packages: + pkg.installed: + - pkgs: + - wget + - curl + - unzip + - gedit + - mono-core + - mono-basic + - mono-winforms + - expect + - securityonion-networkminer + - wireshark-gnome + - dsniff + - hping3 + - netsed + - ngrep + - python36-scapy + - ssldump + - tcpdump + - tcpflow + - whois + - securityonion-foremost + - chromium + - securityonion-tcpstat + - securityonion-tcptrace + - libevent + - sslsplit + - securityonion-bittwist + - perl-IO-Compress + - perl-Net-DNS + - securityonion-chaosreader + - securityonion-analyst-extras diff --git a/salt/workstation/remove_gui.sls b/salt/workstation/remove_gui.sls new file mode 100644 index 000000000..96880a5ab --- /dev/null +++ b/salt/workstation/remove_gui.sls @@ -0,0 +1,5 @@ +remove_graphical_target: + file.symlink: + - name: /etc/systemd/system/default.target + - target: /lib/systemd/system/multi-user.target + - force: True diff --git a/salt/workstation/trusted-ca.sls b/salt/workstation/trusted-ca.sls new file mode 100644 index 000000000..6d86a8157 --- /dev/null +++ b/salt/workstation/trusted-ca.sls @@ -0,0 +1,24 @@ + + {% set global_ca_text = [] %} + {% set global_ca_server = [] %} + {% set manager = salt['grains.get']('master') %} + {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} + {% for host in x509dict %} + {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %} + {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} + {% do global_ca_server.append(host) %} + {% endif %} + {% endfor %} + {% set trusttheca_text = global_ca_text[0] %} + {% set ca_server = global_ca_server[0] %} + +trusted_ca: + x509.pem_managed: + - name: /etc/pki/ca-trust/source/anchors/ca.crt + - text: {{ trusttheca_text }} + +update_ca_certs: + cmd.run: + - name: update-ca-trust + - onchanges: + - x509: trusted_ca diff --git a/salt/workstation/xwindows.sls b/salt/workstation/xwindows.sls new file mode 100644 index 000000000..c4d870f07 --- /dev/null +++ b/salt/workstation/xwindows.sls @@ -0,0 +1,11 @@ +include: + - workstation.packages + +graphical_target: + file.symlink: + - name: /etc/systemd/system/default.target + - target: /lib/systemd/system/graphical.target + - force: True + - require: + - pkg: X Window System + - pkg: graphical_extras