CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-28 13:18:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
576c7bfeddf80577f6b57fea005ec869eb05fa2e
securityonion/salt/manager/init.sls
T
Mike Reeves b0b022c3ad Seed an empty /nsm/kernelrepo so the manager repo is always valid 
so-repo-sync only populates /nsm/kernelrepo after the highstate, so on a
manager the file:///nsm/kernelrepo repo could be assigned before any
repodata exists, failing every dnf op. Run createrepo on the dir when
repodata/repomd.xml is missing, leaving a synced repo untouched.
2026-06-24 13:23:25 -04:00

270 lines
6.3 KiB
Plaintext
Raw Blame History

# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
{% from 'allowed_states.map.jinja' import allowed_states %}
{% if sls in allowed_states %}
{% from 'vars/globals.map.jinja' import GLOBALS %}
{% from 'manager/map.jinja' import MANAGERMERGED %}
include:
- salt.minion
- kibana.secrets
- manager.sync_es_users
- manager.elasticsearch
- manager.kibana
- manager.managed_soc_annotations
repo_log_dir:
file.directory:
- name: /opt/so/log/reposync
- user: socore
- group: socore
- recurse:
- user
- group
agents_log_dir:
file.directory:
- name: /opt/so/log/agents
- user: root
- group: root
- recurse:
- user
- group
agents_conf_dir:
file.directory:
- name: /opt/so/conf/agents
- user: root
- group: root
- recurse:
- user
- group
{% if MANAGERMERGED.agent_monitoring.config.critical_agents | length > 0 %}
critical_agents_patterns:
file.managed:
- name: /opt/so/conf/agents/critical-agents.txt
- contents: {{ MANAGERMERGED.agent_monitoring.config.critical_agents }}
{% else %}
remove_critical_agents_config:
file.absent:
- name: /opt/so/conf/agents/critical-agents.txt
{% endif %}
yara_log_dir:
file.directory:
- name: /opt/so/log/yarasync
- user: socore
- group: socore
- recurse:
- user
- group
install_createrepo:
pkg.installed:
- name: createrepo_c
repo_conf_dir:
file.directory:
- name: /opt/so/conf/reposync
- user: socore
- group: socore
- recurse:
- user
- group
repo_dir:
file.directory:
- name: /nsm/repo
- user: socore
- group: socore
- recurse:
- user
- group
- show_changes: False
kernelrepo_dir:
file.directory:
- name: /nsm/kernelrepo
- user: socore
- group: socore
- recurse:
- user
- group
- show_changes: False
# Ensure /nsm/kernelrepo is always a valid (if empty) repo before it is ever assigned to
# a client. Without repodata/repomd.xml an enabled file:///nsm/kernelrepo repo makes every
# dnf operation fail; so-repo-sync only populates it after the highstate, so seed an empty
# repo here. Only runs when repodata is missing, so it won't clobber a synced repo.
kernelrepo_init_empty:
cmd.run:
- name: createrepo /nsm/kernelrepo
- unless: 'test -e /nsm/kernelrepo/repodata/repomd.xml'
- require:
- file: kernelrepo_dir
- pkg: install_createrepo
manager_sbin:
file.recurse:
- name: /usr/sbin
- source: salt://manager/tools/sbin
- user: 939
- group: 939
- file_mode: 755
- exclude_pat:
- "*_test.py"
- show_changes: False
manager_sbin_jinja:
file.recurse:
- name: /usr/sbin/
- source: salt://manager/tools/sbin_jinja/
- user: socore
- group: socore
- file_mode: 755
- template: jinja
- show_changes: False
so-repo-file:
file.managed:
- name: /opt/so/conf/reposync/repodownload.conf
- source: salt://manager/files/repodownload.conf
- user: socore
- group: socore
- show_changes: False
so-repo-mirrorlist:
file.managed:
- name: /opt/so/conf/reposync/mirror.txt
- source: salt://manager/files/mirror.txt
- user: socore
- group: socore
so-repo-kernel-mirrorlist:
file.managed:
- name: /opt/so/conf/reposync/mirror-kernel.txt
- source: salt://manager/files/mirror-kernel.txt
- user: socore
- group: socore
so-repo-sync:
{% if MANAGERMERGED.reposync.enabled %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- user: socore
- name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
- identifier: so-repo-sync
- hour: '{{ MANAGERMERGED.reposync.hour }}'
- minute: '{{ MANAGERMERGED.reposync.minute }}'
so_fleetagent_status:
cron.present:
- name: /usr/sbin/so-elasticagent-status > /opt/so/log/agents/agentstatus.log 2>&1
- identifier: so_fleetagent_status
- user: root
- minute: '*/5'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
so_fleetagent_monitor:
{% if MANAGERMERGED.agent_monitoring.enabled %}
cron.present:
{% else %}
cron.absent:
{% endif %}
- name: /bin/flock -n /opt/so/log/agents/agent-monitor.lock /usr/sbin/so-elastic-agent-monitor
- identifier: so_fleetagent_monitor
- user: root
- minute: '*/{{ MANAGERMERGED.agent_monitoring.config.run_interval }}'
- hour: '*'
- daymonth: '*'
- month: '*'
- dayweek: '*'
socore_own_saltstack_default:
file.directory:
- name: /opt/so/saltstack/default
- user: socore
- group: socore
- recurse:
- user
- group
socore_own_saltstack_local:
file.directory:
- name: /opt/so/saltstack/local
- user: socore
- group: socore
- dir_mode: 750
- file_mode: 640
- replace: False
- recurse:
- user
- group
- mode
rules_dir:
file.directory:
- name: /nsm/rules/yara
- user: socore
- group: socore
- makedirs: True
nsm_playbooks_dir:
file.directory:
- name: /nsm/airgap-resources/playbooks
- user: socore
- group: socore
- makedirs: True
git_config_set_safe_dirs:
git.config_set:
- name: safe.directory
- global: True
- user: socore
- multivar:
- /nsm/rules/custom-local-repos/local-sigma
- /nsm/rules/custom-local-repos/local-yara
- /nsm/rules/custom-local-repos/local-suricata
- /nsm/securityonion-resources
- /opt/so/conf/soc/ai_summary_repos/securityonion-resources
- /nsm/airgap-resources/playbooks
- /opt/so/conf/soc/playbooks
surinsmrulesdir:
file.directory:
- name: /nsm/rules/suricata/etopen
- user: 939
- group: 939
- makedirs: True
suriextractionrules:
file.managed:
- name: /nsm/rules/suricata/so_extraction.rules
- source: salt://suricata/files/so_extraction.rules
- user: 939
- group: 939
surifiltersrules:
file.managed:
- name: /nsm/rules/suricata/so_filters.rules
- source: salt://suricata/files/so_filters.rules
- user: 939
- group: 939
{% else %}
{{sls}}_state_not_allowed:
test.fail_without_changes:
- name: {{sls}}_state_not_allowed
{% endif %}
Reference in New Issue View Git Blame Copy Permalink