Merge pull request #7665 from Security-Onion-Solutions/workstation_state

Workstation state
2025-12-06 09:12:45 +01:00 · 2022-03-29 10:27:07 -04:00
parent 7f7eaf173b e3f3af52e1
commit f5095b273d
11 changed files with 110 additions and 3 deletions
--- a/pillar/top.sls
+++ b/pillar/top.sls
@@ -131,3 +131,6 @@ base:
 {% endif %}
    - global
    - minions.{{ grains.id }}
+
+  '*_workstation':
+    - minions.{{ grains.id }}
--- a/salt/allowed_states.map.jinja
+++ b/salt/allowed_states.map.jinja
@@ -217,6 +217,8 @@
          'schedule',
          'docker_clean'
          ],
+      'so-workstation': [
+          ],
  }, grain='role') %}

  {% if FILEBEAT and grains.role in ['so-helixsensor', 'so-eval', 'so-manager', 'so-standalone', 'so-node', 'so-managersearch', 'so-heavynode', 'so-import', 'so-receiver'] %}
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -367,6 +367,7 @@ run_check_net_err() {
 		exit $exit_code
 	fi
 }
+
 set_cron_service_name() {
  if [[ "$OS" == "centos" ]]; then
    cron_service_name="crond"
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -43,7 +43,7 @@ repair_yumdb:

 crsynckeys:
  file.recurse:
-    - name: /etc/pki/rpm_gpg
+    - name: /etc/pki/rpm-gpg
    - source: salt://repo/client/files/centos/keys/

 {% if not ISAIRGAP %}
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -66,7 +66,7 @@ set_log_levels:

 salt_minion_service_unit_file:
  file.managed:
-    - name: /etc/systemd/system/multi-user.target.wants/salt-minion.service
+    - name: /usr/lib/systemd/system/salt-minion.service
    - source: salt://salt/service/salt-minion.service.jinja
    - template: jinja
    - defaults:
--- a/salt/top.sls
+++ b/salt/top.sls
@@ -35,12 +35,15 @@ base:
  '* and G@saltversion:{{saltversion}}':
    - match: compound
    - salt.minion
-    - common
    - patch.os.schedule
    - motd
    - salt.minion-check
    - salt.lasthighstate

+  'not *_workstation and G@saltversion:{{saltversion}}':
+    - match: compound
+    - common
+  
  '*_helixsensor and G@saltversion:{{saltversion}}':
    - match: compound
    - salt.master
@@ -507,3 +510,11 @@ base:
    - docker_clean
    - filebeat
    - idh
+
+  'J@workstation:gui:enabled:^[Tt][Rr][Uu][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':
+    - match: compound
+    - workstation
+
+  'J@workstation:gui:enabled:^[Ff][Aa][Ll][Ss][Ee]$ and ( G@saltversion:{{saltversion}} and G@os:CentOS )':
+    - match: compound
+    - workstation.remove_gui
--- a/salt/workstation/init.sls
+++ b/salt/workstation/init.sls
@@ -0,0 +1,3 @@
+include:
+  - workstation.xwindows
+  - workstation.trusted-ca
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
@@ -0,0 +1,47 @@
+xwindows_group:
+  pkg.group_installed:
+    - name: X Window System
+
+graphical_extras:
+  pkg.installed:
+    - pkgs:
+      - gnome-classic-session
+      - gnome-terminal
+      - gnome-terminal-nautilus
+      - control-center
+      - liberation-mono-fonts
+      - file-roller
+
+workstation_packages:
+  pkg.installed:
+    - pkgs:
+      - wget
+      - curl
+      - unzip
+      - gedit
+      - mono-core
+      - mono-basic
+      - mono-winforms
+      - expect
+      - securityonion-networkminer
+      - wireshark-gnome
+      - dsniff
+      - hping3
+      - netsed
+      - ngrep
+      - python36-scapy
+      - ssldump
+      - tcpdump
+      - tcpflow
+      - whois
+      - securityonion-foremost
+      - chromium
+      - securityonion-tcpstat
+      - securityonion-tcptrace
+      - libevent
+      - sslsplit
+      - securityonion-bittwist
+      - perl-IO-Compress 
+      - perl-Net-DNS
+      - securityonion-chaosreader
+      - securityonion-analyst-extras
--- a/salt/workstation/remove_gui.sls
+++ b/salt/workstation/remove_gui.sls
@@ -0,0 +1,5 @@
+remove_graphical_target:
+  file.symlink:
+    - name: /etc/systemd/system/default.target
+    - target: /lib/systemd/system/multi-user.target
+    - force: True
--- a/salt/workstation/trusted-ca.sls
+++ b/salt/workstation/trusted-ca.sls
@@ -0,0 +1,24 @@
+   
+    {% set global_ca_text = [] %}
+    {% set global_ca_server = [] %}
+    {% set manager = salt['grains.get']('master') %}
+    {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
+    {% for host in x509dict %}
+      {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %}
+        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
+        {% do global_ca_server.append(host) %}
+      {% endif %}
+    {% endfor %}
+    {% set trusttheca_text = global_ca_text[0] %}
+    {% set ca_server = global_ca_server[0] %}
+
+trusted_ca:
+  x509.pem_managed:
+    - name: /etc/pki/ca-trust/source/anchors/ca.crt
+    - text:  {{ trusttheca_text }}
+
+update_ca_certs:
+  cmd.run:
+    - name: update-ca-trust
+    - onchanges:
+      - x509: trusted_ca
--- a/salt/workstation/xwindows.sls
+++ b/salt/workstation/xwindows.sls
@@ -0,0 +1,11 @@
+include:
+  - workstation.packages
+
+graphical_target:
+  file.symlink:
+    - name: /etc/systemd/system/default.target
+    - target: /lib/systemd/system/graphical.target
+    - force: True
+    - require:
+      - pkg: X Window System
+      - pkg: graphical_extras