Salt default shell on Ubuntu vs RHEL

[rpopp-fni-stl-com]

Version

2.4.0

Installation Method

Network installation on Ubuntu

Description

other (please provide detail below)

Installation Type

Standalone

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

16Gb

Storage for /

300Gb

Storage for /nsm

300Gb

Network Traffic Collection

other (please provide detail below)

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

Greetings yet again. It would seem that there's an issue with any script that references so-common:

Jan 18 16:21:03 seconion salt-minion[2613917]: [ERROR   ] {'pid': 2639876, 'retcode': 2, 'stdout': '', 'stderr': '/usr/sbin/so-elastic-agent-grid-upgrade: 258: /usr/sbin/so-common: Syntax error: "(" unexpected (expecting "fi")'}
red Jan 18 16:21:33 seconion salt-minion[2613917]: [ERROR   ] Command '/usr/sbin/so-elastic-agent-grid-upgrade' failed with return code: 2
red Jan 18 16:21:33 seconion salt-minion[2613917]: [ERROR   ] stderr: /usr/sbin/so-elastic-agent-grid-upgrade: 258: /usr/sbin/so-common: Syntax error: "(" unexpected (expecting "fi")
red Jan 18 16:21:33 seconion salt-minion[2613917]: [ERROR   ] retcode: 2

Based on this thread in salt, my understanding is that it will default to the user's defined shell from /etc/passwd, defaulting to /bin/sh. On RHEL, I believe that /bin/sh still points to /bin/bash, whereas on Ubuntu it points to /bin/dash, which to the best of my knowledge does NOT support arrays. Checking our fresh install, out of all the added SecurityOnion accounts, only socore has a defined shell of /bin/bash. The account for salt is /usr/sbin/nologin, and all other services are /bin/sh.

I suspect that this will need to change for Ubuntu, but I'm not sure which needs to change. That is, the account for salt, or the accounts for all the other salt services? Or does the array declaration and usage in so-common need to change to be more POSIX compliant?

As always, TIA

Guidelines

• I have read the above statement and can confirm my post is relevant to Security Onion 2.4.

[rpopp-fni-stl-com]

Documenting for those who may follow: This can be corrected on Ubuntu systems by changing the default shell /bin/sh to be /bin/bash rather than /bin/dash, as I suspected. To do so, see this article with its caveats. So far, no issues here on 22.04 after performing the switch and no more errors like the above reported.

Unfortunately, I don't see a different option unless the maintainers of SecurityOnion make their associated scripts POSIX compliant, OR explictly call /bin/bash for each of their scripts.

[reyesj2]

We have an issue open to review this

[rpopp-fni-stl-com]

Could you provide the link to that issue please? If only to make sure it wasn't something I missed before opening the thread.