From ee45fc31a2894137a82a2e90a6e3fb2aff39c2ba Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Sep 2023 11:04:16 -0400
Subject: [PATCH 1/6] Delete salt/strelka/tools/sbin_jinja/so-yara-download

---
 .../strelka/tools/sbin_jinja/so-yara-download | 21 -------------------
 1 file changed, 21 deletions(-)
 delete mode 100644 salt/strelka/tools/sbin_jinja/so-yara-download

diff --git a/salt/strelka/tools/sbin_jinja/so-yara-download b/salt/strelka/tools/sbin_jinja/so-yara-download
deleted file mode 100644
index a8087173c5..0000000000
--- a/salt/strelka/tools/sbin_jinja/so-yara-download
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-NOROOT=1
-. /usr/sbin/so-common
-
-{%- set proxy = salt['pillar.get']('manager:proxy') %}
-
-# Download the rules from the internet
-{%- if proxy %}
-export http_proxy={{ proxy }}
-export https_proxy={{ proxy }}
-export no_proxy=salt['pillar.get']('manager:no_proxy')
-{%- endif %}
-
-mkdir -p /tmp/yara
-cd /tmp/yara
-git clone https://github.com/Security-Onion-Solutions/securityonion-yara.git
-mkdir -p /nsm/rules/yara
-rsync -shav --progress /tmp/yara/securityonion-yara/yara /nsm/rules/
-cd /tmp
-rm -rf /tmp/yara
-

From a77a53f20b3bbdd6d6b7965e6bb4e65a146ae154 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Sep 2023 11:10:17 -0400
Subject: [PATCH 2/6] Update init.sls

---
 salt/manager/init.sls | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index b9d2d3ba99..146bca126c 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -26,6 +26,15 @@ repo_log_dir:
 - user
 - group
 
+yara_log_dir:
+ file.directory:
+ - name: /opt/so/log/yarasync
+ - user: socore
+ - group: socore
+ - recurse:
+ - user
+ - group
+
 repo_conf_dir:
 file.directory:
 - name: /opt/so/conf/reposync

From 7a21b7903dfbdf57518ba2a667b5aa14f4c8f640 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Sep 2023 11:46:43 -0400
Subject: [PATCH 3/6] Fix manager cron logic

---
 salt/manager/init.sls | 92 +++++++++++++++++++------------------------
 1 file changed, 40 insertions(+), 52 deletions(-)

diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 146bca126c..55badaf101 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -61,21 +61,23 @@ manager_sbin:
 - group: 939
 - file_mode: 755
 
-#manager_sbin_jinja:
-# file.recurse:
-# - name: /usr/sbin
-# - source: salt://manager/tools/sbin_jinja
-# - user: 939
-# - group: 939
-# - file_mode: 755
-# - template: jinja
+yara_update_scripts:
+ file.recurse:
+ - name: /usr/sbin/
+ - source: salt://manager/tools/sbin_jinja/
+ - user: socore
+ - group: socore
+ - file_mode: 755
+ - template: jinja
+ - defaults:
+ EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 
 so-repo-sync:
- {% if MANAGERMERGED.reposync.enabled %}
+ {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
 cron.present:
- {% else %}
+ {% else %}
 cron.absent:
- {% endif %}
+ {% endif %}
 - user: socore
 - name: '/usr/sbin/so-repo-sync >> /opt/so/log/reposync/reposync.log 2>&1'
 - identifier: so-repo-sync
@@ -91,7 +93,15 @@ socore_own_saltstack:
 - user
 - group
 
-{% if STRELKAMERGED.rules.enabled %}
+rules_dir:
+ file.directory:
+ - name: /nsm/rules/yara
+ - user: socore
+ - group: socore
+ - makedirs: True
+
+{% if STRELKAMERGED.rules.enabled %}
+
 strelkarepos:
 file.managed:
 - name: /opt/so/conf/strelka/repos.txt
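Review bot: The scripts that `yara_update_scripts` recurses into `/usr/sbin/` are owned by `socore` with `file_mode: 755`, so any script from `salt://manager/tools/sbin_jinja/` that root later executes (directly or via sudo) is writable by the non-root service account, which turns a compromise of that account into code running as root. The context above shows the sibling `manager_sbin` state installing with `group: 939`, and the commented-out block this replaces used `user: 939`/`group: 939`; whether 939 is socore is not visible here. Unless socore has to write these scripts, keep them root-owned — `- user: root` / `- group: root` — and leave execution to the cron entries, which already run as socore.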
@@ -100,67 +110,45 @@ strelkarepos:
 - defaults:
 STRELKAREPOS: {{ STRELKAMERGED.rules.repos }}
 - makedirs: True
-{% endif %}
-
-yara_update_scripts:
- file.recurse:
- - name: /usr/sbin/
- - source: salt://manager/tools/sbin_jinja/
- - user: socore
- - group: socore
- - file_mode: 755
- - template: jinja
- - defaults:
- EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
-
-rules_dir:
- file.directory:
- - name: /nsm/rules/yara
- - user: socore
- - group: socore
- - makedirs: True
-
-{% if GLOBALS.airgap %}
-remove_strelka-yara-download:
- cron.absent:
- - user: socore
- - identifier: strelka-yara-download
 
 strelka-yara-update:
+ {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
 cron.present:
+ {% else %}
+ cron.absent:
+ {% endif %}
 - user: socore
- - name: '/usr/sbin/so-yara-update >> /nsm/strelka/log/yara-update.log 2>&1'
+ - name: '/usr/sbin/so-yara-update >> /opt/so/log/yarasync/yara-update.log 2>&1'
 - identifier: strelka-yara-update
 - hour: '7'
 - minute: '1'
 
-update_yara_rules:
- cmd.run:
- - name: /usr/sbin/so-yara-update
- - onchanges:
- - file: yara_update_scripts
-{% else %}
-remove_strelka-yara-update:
- cron.absent:
- - user: socore
- - identifier: strelka-yara-update
-
 strelka-yara-download:
+ {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
 cron.present:
+ {% else %}
+ cron.absent:
+ {% endif %}
 - user: socore
 - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
 - identifier: strelka-yara-download
 - hour: '7'
 - minute: '1'
 
+{% if ! GLOBALS.airgap %}
+update_yara_rules:
+ cmd.run:
+ - name: /usr/sbin/so-yara-update
+ - onchanges:
+ - file: yara_update_scripts
+
 download_yara_rules:
 cmd.run:
 - name: /usr/sbin/so-yara-download
 - onchanges:
 - file: yara_update_scripts
-{% endif %}
-
-
+{% endif %}
+{% endif %}
 
 {% else %}
 {{sls}}_state_not_allowed:

From 5040df7551474d521fef76a2872913f046b8fdc5 Mon Sep 17 00:00:00 2001
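Review bot: The `strelka-yara-update` and `strelka-yara-download` states, including their `cron.absent` branch, now sit inside the `{% if STRELKAMERGED.rules.enabled %}` block opened in the previous hunk and closed by the second added `{% endif %}` at the end of this one, so once the rules feature is turned off neither `cron.present` nor `cron.absent` is rendered and an entry installed earlier stays in socore's crontab, still running the update and download scripts daily. Move both states outside that block and fold the flag into their test, e.g. `{% if STRELKAMERGED.rules.enabled and (MANAGERMERGED.reposync.enabled or not GLOBALS.airgap) %}` (`!` is not a Jinja negation operator; `not` is). The added `update_yara_rules` and `download_yara_rules` `cmd.run` states carry no `runas`, so they execute as the minion user rather than as socore like the cron entries; if `so-yara-download` still syncs into `/nsm/rules/yara` as the script deleted in patch 1 did, the files it leaves behind may not be writable by the later socore cron run, and `- runas: socore` on both keeps ownership consistent with `rules_dir`.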
From: Mike Reeves
Date: Thu, 28 Sep 2023 12:32:40 -0400
Subject: [PATCH 4/6] Fix manager cron logic

---
 salt/manager/init.sls | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 55badaf101..68d51c2aff 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -73,7 +73,7 @@ yara_update_scripts:
 EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 
 so-repo-sync:
- {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
 cron.present:
 {% else %}
 cron.absent:
@@ -112,7 +112,7 @@ strelkarepos:
 - makedirs: True
 
 strelka-yara-update:
- {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
 cron.present:
 {% else %}
 cron.absent:
@@ -124,18 +124,18 @@ strelka-yara-update:
 - minute: '1'
 
 strelka-yara-download:
- {% if MANAGERMERGED.reposync.enabled or ! GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
 cron.present:
 {% else %}
 cron.absent:
 {% endif %}
 - user: socore
- - name: '/usr/sbin/so-yara-download >> /nsm/strelka/log/yara-download.log 2>&1'
+ - name: '/usr/sbin/so-yara-download >> /opt/so/log/yarasync/yara-download.log 2>&1'
 - identifier: strelka-yara-download
 - hour: '7'
 - minute: '1'
 
-{% if ! GLOBALS.airgap %}
+{% if not GLOBALS.airgap %}
 update_yara_rules:
 cmd.run:
 - name: /usr/sbin/so-yara-update

From 95d32cb07689a8792e6b2be213c38314797c8eec Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Sep 2023 12:49:46 -0400
Subject: [PATCH 5/6] Fix manager cron logic

---
 salt/manager/init.sls | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 68d51c2aff..e808325efb 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -73,7 +73,7 @@ yara_update_scripts:
 EXCLUDEDRULES: {{ STRELKAMERGED.rules.excluded }}
 
 so-repo-sync:
- {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled %}
 cron.present:
 {% else %}
 cron.absent:
@@ -112,7 +112,7 @@ strelkarepos:
 - makedirs: True
 
 strelka-yara-update:
- {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
 cron.present:
 {% else %}
 cron.absent:
@@ -124,7 +124,7 @@ strelka-yara-update:
 - minute: '1'
 
 strelka-yara-download:
- {% if MANAGERMERGED.reposync.enabled or not GLOBALS.airgap %}
+ {% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}
 cron.present:
 {% else %}
 cron.absent:

From ff359460508df28a1a5f022b63507cd076f94047 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 28 Sep 2023 13:06:21 -0400
Subject: [PATCH 6/6] Fix manager cron logic

---
 setup/so-functions | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/setup/so-functions b/setup/so-functions
index 3707e31416..679142e2aa 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1963,12 +1963,10 @@ securityonion_repo() {
 fi
 if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
 if [[ $waitforstate ]]; then
- if [[ ! $is_airgap ]]; then
- if [[ $is_rpm ]]; then
+ if [[ $is_rpm ]]; then
 # Build the repo locally so we can use it
 echo "Syncing Repos"
 repo_sync_local
- fi
 fi
 fi
 }
@@ -1978,7 +1976,7 @@ repo_sync_local() {
 if [[ $is_supported ]]; then
 # Sync the repo from the the SO repo locally.
 # Check for reposync
- info "Backing up old repos"
+ info "Adding Repo Download Configuration"
 mkdir -p /nsm/repo
 mkdir -p /opt/so/conf/reposync/cache
 echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt
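Review bot: With the test tightened to `MANAGERMERGED.reposync.enabled and not GLOBALS.airgap` here and in the `strelka-yara-download` hunk below, the yara crons are absent whenever reposync is disabled, but the one-shot `update_yara_rules`/`download_yara_rules` `cmd.run` states added earlier in this series are still gated only by `{% if not GLOBALS.airgap %}`, so a non-airgap manager with reposync turned off still reaches out for YARA rules every time the scripts in `yara_update_scripts` change. Align that guard with the cron condition: `{% if MANAGERMERGED.reposync.enabled and not GLOBALS.airgap %}`. That guard is outside this hunk, in the block that follows `strelka-yara-download`.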
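Review bot: Removing the `! $is_airgap` check means `securityonion_repo` now calls `repo_sync_local` on airgap installs too, and the context of the next hunk shows that function unconditionally writing `https://repo.securityonion.net/...` to `/opt/so/conf/reposync/mirror.txt`, while the actual download further down (the hunk at line 2002) stays behind its own `! $is_airgap` test. If building the local repo configuration without any download is the intended airgap behaviour, say so where the guard was dropped: `# Airgap installs build the local repo too; repo_sync_local only downloads when ! $is_airgap`. The body of `securityonion_repo()` starts before this hunk.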
@@ -2002,10 +2000,10 @@ repo_sync_local() {
 if [[ ! $is_airgap ]]; then
 curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
 logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
+ # After the download is complete run createrepo
+ create_repo
 fi
- # After the download is complete run createrepo
- create_repo
 else
 # Add the proper repos for unsupported stuff
 echo "Adding Repos"