change from default to local - https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/749

2025-12-06 09:12:45 +01:00 · 2020-05-26 11:59:00 -04:00
parent b24654002b
commit fafb469b5c
14 changed files with 71 additions and 67 deletions
--- a/files/master
+++ b/files/master
@@ -38,6 +38,7 @@ log_file: /opt/so/log/salt/master
 file_roots:
  base:
    - /opt/so/saltstack/default/salt
+    - /opt/so/saltstack/local/salt

 # The master_roots setting configures a master-only copy of the file_roots dictionary,
 # used by the state compiler.
@@ -54,6 +55,7 @@ file_roots:
 pillar_roots:
  base:
    - /opt/so/saltstack/default/pillar
+    - /opt/so/saltstack/local/pillar

 peer:
  .*:
--- a/pillar/data/addtotab.sh
+++ b/pillar/data/addtotab.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash

 # This script adds sensors/nodes/etc to the nodes tab
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
 TYPE=$1
 NAME=$2
 IPADDRESS=$3
@@ -15,7 +15,7 @@ MONINT=$9
 #HOTNAME=$11

 echo "Seeing if this host is already in here. If so delete it"
-if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then
+if grep -q $NAME "$local_salt_dir/pillar/data/$TYPE.sls"; then
  echo "Node Already Present - Let's re-add it"
  awk -v blah="  $NAME:" 'BEGIN{ print_flag=1 }
 {
@@ -31,27 +31,27 @@ if grep -q $NAME "$default_salt_dir/pillar/data/$TYPE.sls"; then
    if ( print_flag == 1 )
        print $0

-} ' $default_salt_dir/pillar/data/$TYPE.sls > $default_salt_dir/pillar/data/tmp.$TYPE.sls
-mv $default_salt_dir/pillar/data/tmp.$TYPE.sls $default_salt_dir/pillar/data/$TYPE.sls
+} ' $local_salt_dir/pillar/data/$TYPE.sls > $local_salt_dir/pillar/data/tmp.$TYPE.sls
+mv $local_salt_dir/pillar/data/tmp.$TYPE.sls $local_salt_dir/pillar/data/$TYPE.sls
 echo "Deleted $NAME from the tab. Now adding it in again with updated info"
 fi
-echo "  $NAME:" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    ip: $IPADDRESS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    manint: $MANINT" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    totalcpus: $CPUS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    guid: $GUID" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    rootfs: $ROOTFS" >> $default_salt_dir/pillar/data/$TYPE.sls
-echo "    nsmfs: $NSM" >> $default_salt_dir/pillar/data/$TYPE.sls
+echo "  $NAME:" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    ip: $IPADDRESS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    manint: $MANINT" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    totalcpus: $CPUS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    guid: $GUID" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    rootfs: $ROOTFS" >> $local_salt_dir/pillar/data/$TYPE.sls
+echo "    nsmfs: $NSM" >> $local_salt_dir/pillar/data/$TYPE.sls
 if [ $TYPE == 'sensorstab' ]; then
-  echo "    monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
  salt-call state.apply common queue=True
 fi
 if [ $TYPE == 'evaltab' ]; then
-  echo "    monint: $MONINT" >> $default_salt_dir/pillar/data/$TYPE.sls
+  echo "    monint: $MONINT" >> $local_salt_dir/pillar/data/$TYPE.sls
  salt-call state.apply common queue=True
  salt-call state.apply utility queue=True
 fi
 #if [ $TYPE == 'nodestab' ]; then
-#  echo "    nodetype: $NODETYPE" >> $default_salt_dir/pillar/data/$TYPE.sls
-#  echo "    hotname: $HOTNAME" >> $default_salt_dir/pillar/data/$TYPE.sls
+#  echo "    nodetype: $NODETYPE" >> $local_salt_dir/pillar/data/$TYPE.sls
+#  echo "    hotname: $HOTNAME" >> $local_salt_dir/pillar/data/$TYPE.sls
 #fi
--- a/pillar/firewall/addfirewall.sh
+++ b/pillar/firewall/addfirewall.sh
@@ -1,13 +1,13 @@
 #!/usr/bin/env bash

 # This script adds ip addresses to specific rule sets defined by the user
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
 POLICY=$1
 IPADDRESS=$2

-if grep -q $2 "$default_salt_dir/pillar/firewall/$1.sls"; then
+if grep -q $2 "$local_salt_dir/pillar/firewall/$1.sls"; then
  echo "Firewall Rule Already There"
 else
-  echo "  - $2" >> $default_salt_dir/pillar/firewall/$1.sls
+  echo "  - $2" >> $local_salt_dir/pillar/firewall/$1.sls
  salt-call state.apply firewall queue=True
 fi
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -18,6 +18,8 @@
 . /usr/sbin/so-common

 default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
+
 SKIP=0

 while getopts "abowi:" OPTION
@@ -84,7 +86,7 @@ echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
 $default_salt_dir/pillar/firewall/addfirewall.sh $FULLROLE $IP

 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
+if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
    # If analyst, add to Wazuh AR whitelist
    if [ "$FULLROLE" == "analyst" ]; then
          WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
--- a/salt/common/tools/sbin/so-bro-logs
+++ b/salt/common/tools/sbin/so-bro-logs
@@ -1,12 +1,12 @@
 #!/bin/bash
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local

 bro_logs_enabled() {

-  echo "brologs:" > $default_salt_dir/pillar/brologs.sls
-  echo "  enabled:" >> $default_salt_dir/pillar/brologs.sls
+  echo "brologs:" > $local_salt_dir/pillar/brologs.sls
+  echo "  enabled:" >> $local_salt_dir/pillar/brologs.sls
  for BLOG in ${BLOGS[@]}; do
-    echo "    - $BLOG" | tr -d '"' >> $default_salt_dir/pillar/brologs.sls
+    echo "    - $BLOG" | tr -d '"' >> $local_salt_dir/pillar/brologs.sls
  done

 }
--- a/salt/common/tools/sbin/so-features-enable
+++ b/salt/common/tools/sbin/so-features-enable
@@ -15,11 +15,11 @@
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

 . /usr/sbin/so-common
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local

-VERSION=$(grep soversion $default_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
+VERSION=$(grep soversion $local_salt_dir/pillar/static.sls | cut -d':' -f2|sed 's/ //g')
 # Modify static.sls to enable Features
-sed -i 's/features: False/features: True/' $default_salt_dir/pillar/static.sls
+sed -i 's/features: False/features: True/' $local_salt_dir/pillar/static.sls
 SUFFIX="-features"
 TRUSTED_CONTAINERS=( \
  "so-elasticsearch:$VERSION$SUFFIX" \
--- a/salt/common/tools/sbin/so-helix-apikey
+++ b/salt/common/tools/sbin/so-helix-apikey
@@ -1,6 +1,6 @@
 #!/bin/bash

-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local

 got_root() {

@@ -13,13 +13,13 @@ got_root() {
 }

 got_root
-if [ ! -f $default_salt_dir/pillar/fireeye/init.sls ]; then
+if [ ! -f $local_salt_dir/pillar/fireeye/init.sls ]; then
  echo "This is nto configured for Helix Mode. Please re-install."
  exit
 else
  echo "Enter your Helix API Key: "
  read APIKEY
-  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $default_salt_dir/pillar/fireeye/init.sls
+  sed -i "s/^    api_key.*/    api_key: $APIKEY/g" $local_salt_dir/pillar/fireeye/init.sls
  docker stop so-logstash
  docker rm so-logstash
  echo "Restarting Logstash for updated key"
--- a/salt/fleet/files/scripts/so-fleet-packages
+++ b/salt/fleet/files/scripts/so-fleet-packages
@@ -2,7 +2,7 @@
 {% set MAIN_HOSTNAME = salt['grains.get']('host') %}
 {% set MAIN_IP = salt['pillar.get']('node:mainip') %}

-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local

 #so-fleet-packages $FleetHostname/IP 

@@ -27,8 +27,8 @@ docker run \
  --mount type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt \
  docker.io/soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8090

-cp /opt/so/conf/fleet/packages/launcher.* $default_salt_dir/salt/launcher/packages/
+cp /opt/so/conf/fleet/packages/launcher.* $local_salt_dir/salt/launcher/packages/

 #Update timestamp on packages webpage
 sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" /opt/so/conf/fleet/packages/index.html
-sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $default_salt_dir/salt/fleet/files/dedicated-index.html
+sed -i "s@.*Generated.*@Generated: $(date '+%m%d%Y')@g" $local_salt_dir/salt/fleet/files/dedicated-index.html
--- a/salt/idstools/init.sls
+++ b/salt/idstools/init.sls
@@ -60,7 +60,7 @@ synclocalnidsrules:

 ruleslink:
  file.symlink:
-    - name: /opt/so/saltstack/default/salt/suricata/rules
+    - name: /opt/so/saltstack/local/salt/suricata/rules
    - target: /opt/so/rules/nids

 so-idstools:
--- a/salt/master/files/add_minion.sh
+++ b/salt/master/files/add_minion.sh
@@ -1,10 +1,10 @@
 #!/usr/bin/env bash

 # This script adds pillar and schedule files securely
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local
 MINION=$1

  echo "Adding $1" 
-  cp /tmp/$MINION/pillar/$MINION.sls $default_salt_dir/pillar/minions/
-  cp /tmp/$MINION/schedules/* $default_salt_dir/salt/patch/os/schedules/
+  cp /tmp/$MINION/pillar/$MINION.sls $local_salt_dir/pillar/minions/
+  cp --parents /tmp/$MINION/schedules/* $local_salt_dir/salt/patch/os/schedules/
  rm -rf /tmp/$MINION
--- a/salt/reactor/fleet.sls
+++ b/salt/reactor/fleet.sls
@@ -13,9 +13,9 @@ def run():
  ROLE = data['data']['role']
  ESECRET = data['data']['enroll-secret']
  MAINIP = data['data']['mainip']
-  default_salt_dir = /opt/so/saltstack/default
-  STATICFILE = default_salt_dir + '/pillar/static.sls'
-  SECRETSFILE = default_salt_dir + '/pillar/secrets.sls'
+  local_salt_dir = /opt/so/saltstack/local
+  STATICFILE = local_salt_dir + '/pillar/static.sls'
+  SECRETSFILE = local_salt_dir + '/pillar/secrets.sls'

  if MINIONID.split('_')[-1] in ['master','eval','fleet','mastersearch']:
    
@@ -55,7 +55,7 @@ def run():
      PACKAGEVERSION += 1

      # Run Docker container that will build the packages
-      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + default_salt_dir + "/salt/fleet/packages,target=/output", \
+      gen_packages = subprocess.run(["docker", "run","--rm", "--mount", "type=bind,source=" + local_salt_dir + "/salt/fleet/packages,target=/output", \
         "--mount", "type=bind,source=/etc/ssl/certs/intca.crt,target=/var/launcher/launcher.crt", f"{ MASTER }:5000/soshybridhunter/so-fleet-launcher:HH1.3.0", \
         f"{ESECRET}", f"{HOSTNAME}:8090", f"{PACKAGEVERSION}.1.1"], stdout=subprocess.PIPE, encoding='ascii')  
      
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -84,17 +84,17 @@ chownilogstashfilebeatp8:
 # Create Symlinks to the keys so I can distribute it to all the things
 filebeatdir:
  file.directory:
-    - name: /opt/so/saltstack/default/salt/filebeat/files
+    - name: /opt/so/saltstack/local/salt/filebeat/files
    - mkdirs: True

 fbkeylink:
  file.symlink:
-    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.p8
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.p8
    - target: /etc/pki/filebeat.p8

 fbcrtlink:
  file.symlink:
-    - name: /opt/so/saltstack/default/salt/filebeat/files/filebeat.crt
+    - name: /opt/so/saltstack/local/salt/filebeat/files/filebeat.crt
    - target: /etc/pki/filebeat.crt

 # Create a cert for the docker registry
--- a/salt/wazuh/files/wazuh-manager-whitelist
+++ b/salt/wazuh/files/wazuh-manager-whitelist
@@ -1,6 +1,6 @@
 {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %}
 #!/bin/bash
-default_salt_dir=/opt/so/saltstack/default
+local_salt_dir=/opt/so/saltstack/local

 # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
 #
@@ -18,7 +18,7 @@ default_salt_dir=/opt/so/saltstack/default
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

 # Check if Wazuh enabled
-if grep -q -R "wazuh: 1" $default_salt_dir/pillar/*; then
+if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
      WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
      if ! grep -q "<white_list>{{ MASTERIP }}</white_list>" $WAZUH_MGR_CFG ; then
              DATE=`date`
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -116,16 +116,16 @@ add_web_user() {

 # Create an secrets pillar so that passwords survive re-install
 secrets_pillar(){
-  if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then
+  if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then
 	echo "Creating Secrets Pillar" >> "$setup_log" 2>&1
-	mkdir -p $default_salt_dir/pillar
+	mkdir -p $local_salt_dir/pillar
 	printf '%s\n'\
 		"secrets:"\
 		"  mysql: $MYSQLPASS"\
 		"  playbook: $PLAYBOOKPASS"\
 		"  fleet: $FLEETPASS"\
 		"  fleet_jwt: $FLEETJWT"\
-		"  fleet_enroll-secret: False" > $default_salt_dir/pillar/secrets.sls
+		"  fleet_enroll-secret: False" > $local_salt_dir/pillar/secrets.sls
  fi
 }

@@ -327,10 +327,10 @@ configure_minion() {
 				"mysql.host: '$MAINIP'"\
 				"mysql.port: 3306"\
 				"mysql.user: 'root'" >> "$minion_config"
-			if [ ! -f $default_salt_dir/pillar/secrets.sls ]; then
+			if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then
 				echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config"
 			else
-				OLDPASS=$(grep "mysql" $default_salt_dir/pillar/secrets.sls | awk '{print $2}')
+				OLDPASS=$(grep "mysql" $local_salt_dir/pillar/secrets.sls | awk '{print $2}')
 				echo "mysql.pass: '$OLDPASS'" >> "$minion_config"
 			fi
 			;;
@@ -409,15 +409,15 @@ copy_master_config() {
 copy_minion_tmp_files() {
 	case "$install_type" in
 		'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH' | 'STANDALONE')
-			echo "Copying pillar and salt files in $temp_install_dir to $default_salt_dir"
-			cp -Rv "$temp_install_dir"/pillar/ $default_salt_dir/ >> "$setup_log" 2>&1
+			echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
+			cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1
 			if [ -d "$temp_install_dir"/salt ] ; then
-				cp -Rv "$temp_install_dir"/salt/ $default_salt_dir/ >> "$setup_log" 2>&1
+				cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1
 			fi
 			;;
 		*)
 			{
-				echo "scp pillar and salt files in $temp_install_dir to master $default_salt_dir";
+				echo "scp pillar and salt files in $temp_install_dir to master $local_salt_dir";
 				ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
 				ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
 				scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
@@ -695,7 +695,7 @@ docker_seed_registry() {

 fireeye_pillar() {

-	local fireeye_pillar_path=$default_salt_dir/pillar/fireeye
+	local fireeye_pillar_path=$local_salt_dir/pillar/fireeye
 	mkdir -p "$fireeye_pillar_path"

 	printf '%s\n'\
@@ -709,7 +709,7 @@ fireeye_pillar() {
 # Generate Firewall Templates
 firewall_generate_templates() {

-	local firewall_pillar_path=$default_salt_dir/pillar/firewall
+	local firewall_pillar_path=$local_salt_dir/pillar/firewall
 	mkdir -p "$firewall_pillar_path"

 	for i in analyst beats_endpoint forward_nodes masterfw minions osquery_endpoint search_nodes wazuh_endpoint
@@ -851,7 +851,7 @@ master_pillar() {
  }

 master_static() {
-	local static_pillar="$default_salt_dir/pillar/static.sls"
+	local static_pillar="$local_salt_dir/pillar/static.sls"

 	# Create a static file for global values
 	printf '%s\n'\
@@ -1197,8 +1197,8 @@ setup_salt_master_dirs() {
 	# Create salt paster directories
 	mkdir -p $default_salt_dir/pillar
 	mkdir -p $default_salt_dir/salt
-	mkdir -p $custom_salt_dir/pillar
-	mkdir -p $custom_salt_dir/salt
+	mkdir -p $local_salt_dir/pillar
+	mkdir -p $local_salt_dir/salt

 	# Copy over the salt code and templates
 	if [ "$setup_type" = 'iso' ]; then
@@ -1313,14 +1313,14 @@ set_initial_firewall_policy() {

 	case "$install_type" in
 		'MASTER')
-			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls $default_salt_dir/pillar/firewall/masterfw.sls
+			printf "  - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls $local_salt_dir/pillar/firewall/masterfw.sls
 			$default_salt_dir/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
 			;;
 		'EVAL' | 'MASTERSEARCH')
-			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\
-				$default_salt_dir/pillar/firewall/masterfw.sls\
-				$default_salt_dir/pillar/firewall/forward_nodes.sls\
-				$default_salt_dir/pillar/firewall/search_nodes.sls
+			printf "  - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\
+				$local_salt_dir/pillar/firewall/masterfw.sls\
+				$local_salt_dir/pillar/firewall/forward_nodes.sls\
+				$local_salt_dir/pillar/firewall/search_nodes.sls
 			case "$install_type" in 
 				'EVAL')
 					$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
@@ -1331,9 +1331,9 @@ set_initial_firewall_policy() {
 			esac
 			;;
 		'HELIXSENSOR')
-			printf "  - %s\n" "$MAINIP" | tee -a $default_salt_dir/pillar/firewall/minions.sls\
-				$default_salt_dir/pillar/firewall/masterfw.sls\
-				$default_salt_dir/pillar/firewall/forward_nodes.sls
+			printf "  - %s\n" "$MAINIP" | tee -a $local_salt_dir/pillar/firewall/minions.sls\
+				$local_salt_dir/pillar/firewall/masterfw.sls\
+				$local_salt_dir/pillar/firewall/forward_nodes.sls
 			;;
 		'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET')
 			ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/firewall/addfirewall.sh minions "$MAINIP"