From 22e200bf82304e809383d5e696b1198130c90696 Mon Sep 17 00:00:00 2001 From: Michael Chmielewski Date: Wed, 7 Apr 2021 17:01:01 -0400 Subject: [PATCH] Added the ability to override the component for debian repositories (eused to default to `main`), and fixed up some sane defaults for the test configuration. --- .kitchen.yml | 96 +++++++++++++++++++++++++++++++++++++------- threatstack/init.sls | 20 +++++++-- 2 files changed, 98 insertions(+), 18 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 72b25b3..8baad3f 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -6,10 +6,6 @@ provisioner: name: salt_solo bootstrap_url: 'https://raw.githubusercontent.com/olhado/kitchen-salt/master/assets/install.sh' is_file_root: true - # Use this section (and comment out the `threatstack.sls` definition in the `pillars` section) - # to grab pillar data from the `pillar.example` file - # pillars_from_files: - # threatstack.sls: pillar.example pillars: top.sls: base: @@ -31,6 +27,10 @@ provisioner: <% if ENV['TS_CONFIG_ARGS'] %> ts_agent_config_args: <%= ENV['TS_CONFIG_ARGS'] %> <% end %> + # Use this section (and comment out the `threatstack.sls` definition in the `pillars` section) + # to grab pillar data from the `pillar.example` file + # pillars_from_files: + # threatstack.sls: pillar.example state_top: base: '*': @@ -38,8 +38,16 @@ provisioner: platforms: - name: amazonlinux-1 - image: amazonlinux:1 + provisioner: + salt_bootstrap_options: '-R archive.repo.saltstack.com stable 2019.2' + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Amazon/1 + gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK + gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' + gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' driver_config: + image: amazonlinux:1 run_command: /sbin/init privileged: true run_options: 
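Review bot: The per-platform `provisioner: pillars: threatstack.sls:` block added for amazonlinux-1 (@@ -38,8 +38,16 @@) sits beside the top-level `provisioner.pillars.threatstack.sls` that carries the ERB-injected `ts_agent_config_args`, and nothing in the file says whether Test Kitchen deep-merges the two or the platform block replaces the top-level keys; if it replaces them, the agent config args never reach these platforms. Worth confirming against the output of `kitchen diagnose` and recording it, e.g. `# platform pillars are merged with the top-level provisioner.pillars; only the keys listed here are overridden`. The same block, including the three `gpg_key*` values, is repeated verbatim for amazonlinux-2, centos-7 and centos-8 in the following hunks. `salt_bootstrap_options: '-R archive.repo.saltstack.com stable 2019.2'` pins an archived release here and for centos-7 but not for amazonlinux-2 or centos-8, with no comment on why; a one-liner such as `# amazonlinux-1 needs the archived 2019.2 bootstrap (<reason>)` would save the next reader a bisect. The moved `pillars_from_files` comment (@@ -31,6 +27,10 @@) still says to comment out only the `threatstack.sls` definition in the `pillars` section, but after this commit each platform defines one too.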
@@ -53,8 +61,15 @@ platforms: - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf - chkconfig auditd on - name: amazonlinux-2 - image: amazonlinux:2 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Amazon/2 + gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK + gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' + gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' driver_config: + image: amazonlinux:2 run_command: /sbin/init privileged: true run_options: @@ -69,10 +84,17 @@ platforms: - yum install -y audit initscripts - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf - systemctl enable auditd.service - image: centos:7 - name: centos-7 - image: centos:7 + provisioner: + salt_bootstrap_options: '-R archive.repo.saltstack.com stable 2019.2' + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/EL/7 + gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK + gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' + gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' driver_config: + image: centos:7 run_command: /sbin/init privileged: true run_options: @@ -93,8 +115,15 @@ platforms: - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf - systemctl enable auditd.service - name: centos-8 - image: centos:8 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/EL/8 + gpg_key: https://app.threatstack.com/RPM-GPG-KEY-THREATSTACK + gpg_key_file: '/etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' + gpg_key_file_uri: 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' driver_config: + image: centos:8 run_command: /sbin/init privileged: true run_options: 
@@ -106,8 +135,15 @@ platforms: - sed -i 's/local_events = yes/local_events = no/g' /etc/audit/auditd.conf - systemctl enable auditd.service - name: debian-8 - image: debian:8 + provisioner: + salt_bootstrap_options: '-R archive.repo.saltstack.com' + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: debian:8 run_command: /sbin/init cap_add: - SYS_ADMIN @@ -125,8 +161,14 @@ platforms: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable ssh.service - name: debian-9 - image: debian:9 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: debian:9 run_command: /bin/systemd cap_add: - SYS_ADMIN @@ -138,8 +180,14 @@ platforms: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable ssh.service - name: debian-10 - image: debian:10 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: debian:10 run_command: /sbin/init cap_add: - SYS_ADMIN @@ -151,8 +199,14 @@ platforms: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable ssh.service - name: ubuntu-16.04 - image: ubuntu:16.04 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: ubuntu:16.04 run_command: /sbin/init cap_add: - SYS_ADMIN 
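Review bot: `pkg_component: main` is added to every Debian/Ubuntu platform (debian-8, debian-9, debian-10 and ubuntu-16.04 here, ubuntu-18.04 and ubuntu-20.04 in the next hunks) with the same value that `threatstack/init.sls` now falls back to when the pillar key is absent, so the test matrix only ever exercises the override branch and never the default one; leaving the key out of at least one platform, or commenting `# explicit override; init.sls also defaults to main`, would make the intent clear. debian-8's `salt_bootstrap_options: '-R archive.repo.saltstack.com'` names the archive host without a release, unlike the `stable 2019.2` used for the RPM platforms, and carries no comment on why only debian-8 needs it.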
@@ -164,8 +218,14 @@ platforms: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable ssh.service - name: ubuntu-18.04 - image: ubuntu:18.04 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: ubuntu:18.04 run_command: /sbin/init cap_add: - SYS_ADMIN @@ -177,8 +237,14 @@ platforms: - sed -i 's/UsePAM yes/UsePAM no/g' /etc/ssh/sshd_config - systemctl enable ssh.service - name: ubuntu-20.04 - image: ubuntu:20.04 + provisioner: + pillars: + threatstack.sls: + pkg_url: https://pkg.threatstack.com/v2/Ubuntu + gpg_key: https://app.threatstack.com/APT-GPG-KEY-THREATSTACK + pkg_component: main driver_config: + image: ubuntu:20.04 run_command: /sbin/init cap_add: - SYS_ADMIN diff --git a/threatstack/init.sls b/threatstack/init.sls index e1b5bb7..02478ca 100644 --- a/threatstack/init.sls +++ b/threatstack/init.sls @@ -15,8 +15,15 @@ {% set _ = pkg_location.update({ 'pkg_url': pillar['pkg_url']}) %} {% endif %} +# If the package component is explicitly set, use the override and move on +{% if pillar['pkg_component'] is defined %} + {% set _ = pkg_location.update({ 'pkg_component': pillar['pkg_component']}) %} +{% else %} + {% set _ = pkg_location.update({ 'pkg_component': "main" }) %} +{% endif %} + # Check if OS is not supported in 2.X, and assign the repository URL appropriately -{% if pkg_url is not defined %} +{% if pkg_location.pkg_url is not defined %} {% set _ = pkg_location.update({ 'pkg_url': agent2_pkg_url_base}) %} # Set the rest of the URL path 
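Review bot: `pkg_location.pkg_component` is copied from `pillar['pkg_component']` verbatim and, in a later hunk of this file (@@ -71,7 +85,7 @@), is interpolated unquoted into the apt source line `deb {{ pkg_location.pkg_url }} {{ os_maj_ver.ver }} {{ pkg_location.pkg_component }}`, so a value containing whitespace silently adds extra fields or components to the repository entry instead of failing. The pillar is operator-controlled, but a one-token check in front of the `update()` makes a typo fail loudly: `{% if ' ' in pillar['pkg_component'] %}{{ raise('pkg_component must be a single apt component name') }}{% endif %}` (using Salt's Jinja `raise` helper, if the targeted release provides it). The new comment could also state the expected shape: `# pkg_component: a single apt component name (default main); interpolated unquoted into the deb line`. The default `"main"` is double-quoted while the neighbouring `update()` literals use single quotes.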
@@ -51,6 +58,13 @@ {% set gpgkey_file_uri = 'file:///etc/pki/rpm-gpg/RPM-GPG-KEY-THREATSTACK' %} {% endif %} +# Overrride gpgcheck on yum repositories. NOT RECOMMENDED IN PRODUCTION ENVIRONMENTS +{% if pillar['gpgcheck'] is defined %} + {% set gpgcheck = pillar['gpgcheck'] %} +{% else %} + {% set gpgcheck = 1 %} +{% endif %} + {% if pillar['ts_agent_extra_args'] is defined %} {% set agent_extra_args = pillar['ts_agent_extra_args'] %} {% else %} @@ -71,7 +85,7 @@ threatstack-repo: - name: 'curl -q -f {{ gpgkey }} | apt-key add -' - unless: 'apt-key list | grep "Threat Stack"' pkgrepo.managed: - - name: deb {{ pkg_location.pkg_url }} {{ os_maj_ver.ver }} main + - name: deb {{ pkg_location.pkg_url }} {{ os_maj_ver.ver }} {{ pkg_location.pkg_component }} - file: '/etc/apt/sources.list.d/threatstack.list' {% elif os_family=="RedHat" %} cmd.run: @@ -81,7 +95,7 @@ threatstack-repo: - name: threatstack - humanname: Threat Stack Package Repository - gpgkey: {{ gpgkey_file_uri }} - - gpgcheck: 1 + - gpgcheck: {{ gpgcheck }} - enabled: 1 - baseurl: {{ pkg_location.pkg_url }} {% endif %}
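Review bot: The `gpgcheck` override hands the pillar value straight to `- gpgcheck: {{ gpgcheck }}` in the last hunk (@@ -81,7 +95,7 @@), so anything other than 0/1 (`false`, `'no'`, a typo) is passed to pkgrepo.managed as-is and whether the repo ends up verified depends on how that value is written and parsed downstream; normalizing fail-closed keeps verification on unless it is explicitly turned off: `{% set gpgcheck = 0 if pillar['gpgcheck'] in [0, '0', False] else 1 %}`. The new comment has a typo, `Overrride`, and since the key only affects the RedHat branch it could say so: `# Override gpgcheck on yum repositories (RedHat branch only). NOT RECOMMENDED IN PRODUCTION ENVIRONMENTS`.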