CVE-2022-22967: Salt Project Package Repo

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked to still run Salt commands. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
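
An added example, not part of the original page and not Salt Project code: a POSIX shell function that classifies a Salt version string against the fixed releases listed above (3002.9, 3003.5, 3004.2). The function name and the treatment of branches older than 3002 as affected are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Salt Project code): classify a Salt version against the
# fixed releases named in the CVE-2022-22967 description above.

# salt_pam_lock_status INPUT
#   INPUT is a bare version ("3004.1") or "--version" output
#   ("salt-minion 3004.1"). Prints one word: affected, fixed, or unknown.
salt_pam_lock_status() {
    # Take the first run of digits and dots; this drops the program name and
    # any packaging or release-candidate suffix ("3004.2-1", "3004rc1").
    spl_ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*$/\1/p' | head -n 1)
    case $spl_ver in
        ''|*..*) echo unknown; return 0 ;;
    esac

    # Split "MAJOR.MINOR[.more]" into its first two numeric fields.
    spl_major=${spl_ver%%.*}
    spl_rest=${spl_ver#"$spl_major"}
    spl_rest=${spl_rest#.}
    spl_minor=${spl_rest%%.*}
    [ -n "$spl_minor" ] || spl_minor=0

    # First fixed point release on each branch, as listed in the description.
    case $spl_major in
        3002) spl_fixed=9 ;;
        3003) spl_fixed=5 ;;
        3004) spl_fixed=2 ;;
        *)
            # Assumption: branches older than 3002 count as "before 3002.9";
            # branches newer than 3004 were released after the fix.
            if [ "$spl_major" -lt 3002 ]; then echo affected; else echo fixed; fi
            return 0 ;;
    esac

    if [ "$spl_minor" -lt "$spl_fixed" ]; then echo affected; else echo fixed; fi
}

# Constructed sample inputs, not output captured from real hosts.
for sample in "salt-minion 3004.1" "salt-call 3004.2" "3002.8" "3003.5" "2019.2.8"; do
    printf '%-20s %s\n' "$sample" "$(salt_pam_lock_status "$sample")"
done

# On a host with Salt installed (assumes salt-call is on PATH):
#   salt_pam_lock_status "$(salt-call --version)"
```

Run the check on the master and on every host running salt-api, since those are the components that perform PAM eauth.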


About

Latest release: 3004.2 (June 21, 2022)

Navigate to the appropriate tab above for installing Salt!

NATIVE MINIONS

Looking to run Salt on AIX, Solaris, Arista, or Juniper devices? Reference the Native minion documentation for more information.

SALT SINGLE-BINARY (BETA) DOWNLOAD

Interested in testing out the new Tiamat-generated, single-binary release of Salt? Visit the Single-binary (BETA) tab!

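Debian 11 (Bullseye) | Debian 11 (Bullseye) ARM64 | Debian 10 (buster) PY3 | Debian 9 (stretch) PY3

  • Pin to Latest Release
  • Pin to Major Release
  • Pin to Minor Release

The three pinning options are described below in this order. In step 1 of each, the command groups follow the platform order above; run only the group for your platform.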

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/amd64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/latest bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/arm64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/latest bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/amd64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/10/amd64/latest buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/amd64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/9/amd64/latest stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Debian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Debian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs the latest release. Updating installs the latest minor release but not a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/amd64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/3004 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/arm64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/3004 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/amd64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/10/amd64/3004 buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/amd64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/9/amd64/3004 stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Debian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Debian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs a specific release. Updating doesn’t change the release that is installed.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/amd64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/11/amd64/archive/3004.2 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/arm64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/debian/11/arm64/archive/3004.2 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/amd64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/10/amd64/archive/3004.2 buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/amd64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/debian/9/amd64/archive/3004.2 stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Debian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Debian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

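Redhat / CentOS 8 PY3 | Redhat / CentOS 7 PY3

  • Pin to Latest Release
  • Pin to Major Release
  • Pin to Minor Release

The three pinning options are described below in this order. In step 1 of each, the command groups follow the platform order above; run only the group for your platform.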

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/latest/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
    
    sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/latest/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs the latest release. Updating installs the latest minor release but not a new major version.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/3004/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/3004.repo | sudo tee /etc/yum.repos.d/salt.repo
    
    sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/3004/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/3004.repo | sudo tee /etc/yum.repos.d/salt.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs a specific release. Updating doesn’t change the release that is installed.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/redhat/8/x86_64/archive/3004.2/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/8/x86_64/archive/3004.2.repo | sudo tee /etc/yum.repos.d/salt.repo
    
    sudo rpm --import https://repo.saltproject.io/py3/redhat/7/x86_64/archive/3004.2/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/redhat/7/x86_64/archive/3004.2.repo | sudo tee /etc/yum.repos.d/salt.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

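Ubuntu 20 (focal) PY3 | Ubuntu 20 (focal) PY3 ARM64 | Ubuntu 18 (bionic) PY3

  • Pin to Latest Release
  • Pin to Major Release
  • Pin to Minor Release

The three pinning options are described below in this order. In step 1 of each, the command groups follow the platform order above; run only the group for your platform.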

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/latest focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/arm64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/ubuntu/20.04/arm64/latest focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/latest bionic main" | sudo tee /etc/apt/sources.list.d/salt.list
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs the latest release. Updating installs the latest minor release but not a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/3004 focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/arm64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/ubuntu/20.04/arm64/3004 focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/18.04/amd64/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/3004 bionic main" | sudo tee /etc/apt/sources.list.d/salt.list
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs a specific release. Updating doesn’t change the release that is installed.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/amd64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/20.04/amd64/archive/3004.2 focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/20.04/arm64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=arm64] https://repo.saltproject.io/py3/ubuntu/20.04/arm64/archive/3004.2 focal main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/ubuntu/18.04/amd64/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=amd64] https://repo.saltproject.io/py3/ubuntu/18.04/amd64/archive/3004.2 bionic main" | sudo tee /etc/apt/sources.list.d/salt.list
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

SUSE / OpenSUSE / SLES

SUSE hosts packages in their official repositories for openSUSE and SLES systems. To see what Salt packages are available for a specific SUSE OS, such as latest releases that may be labeled as Experimental, see their Salt landing page:

  • SUSE Packages: Salt

The following commands install the latest official version currently available from SUSE, as referenced in the above package link.

  1. Refresh the package list:

  2. Packages are available in the standard SUSE repositories. Install the salt-minion, salt-master, or other Salt components:

    • sudo zypper install salt-master
    • sudo zypper install salt-minion
    • sudo zypper install salt-ssh
    • sudo zypper install salt-syndic
    • sudo zypper install salt-cloud
    • sudo zypper install salt-api
    • sudo zypper install salt-proxy
  3. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api
  4. (Upgrade only) Restart all upgraded services, for example:

    • sudo systemctl restart salt-minion

Post-installation

For more information on next steps, reference Post-installation configuration

Fedora

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Packages are available in the standard Fedora repositories. Install the salt-minion, salt-master, or other Salt components:
    • sudo dnf install salt-master
    • sudo dnf install salt-minion
    • sudo dnf install salt-ssh
    • sudo dnf install salt-syndic
    • sudo dnf install salt-cloud
    • sudo dnf install salt-api
  2. Enable and start service for salt-minion, salt-master, or other Salt components:
    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Windows PY3

OS | Arch | FileType | Download | MD5 | SHA256
Windows | amd64 | msi | Salt-Minion-3004.2-1-Py3-AMD64.msi | MD5 | SHA256
Windows | amd64 | exe | Salt-Minion-3004.2-1-Py3-AMD64-Setup.exe | MD5 | SHA256
Windows | x86 | msi | Salt-Minion-3004.2-1-Py3-x86.msi | MD5 | SHA256
Windows | x86 | exe | Salt-Minion-3004.2-1-Py3-x86-Setup.exe | MD5 | SHA256

EXE: Silent Installation Options

The installer can be run silently by providing the /S option at the command line. The options /master and /minion-name allow for configuring the master hostname and minion name, respectively. Here’s an example of running a silent installation from the command line:

Salt-Minion-3004.2-1-Py3-AMD64-Setup.exe /S /master=yoursaltmaster /minion-name=yourminionname

MSI: Silent Installation Options

The installer can be run silently by providing the /quiet and /norestart options at the command line. The options MASTER and MINION_ID allow for configuring the master hostname and minion name, respectively. Here’s an example of running a silent installation from the command line:

msiexec /i Salt-Minion-3004.2-1-Py3-AMD64.msi /quiet /norestart MASTER=yoursaltmaster MINION_ID=yourminionname

Post-installation

For more information on next steps, reference Post-installation configuration

macOS PY3

OS | Arch | FileType | Download | MD5 | SHA256
macOS | x86_64 | pkg | salt-3004.2-1-py3-x86_64.pkg | MD5 | SHA256

OS X Gatekeeper settings might prevent installation of the Salt package. If a warning appears during installation, open System Preferences > Security & Privacy > click Open Anyway

Initial Configuration

After the installation completes, run the following to configure the Salt minion ID, the Salt master location, and to start the required services.

sudo salt-config -i yourminionname -m yoursaltmaster

Start and Stop the Minion Service

On OS X, the Salt minion configuration file is in the standard /etc/salt/minion location. To stop the Salt minion, run the following:

sudo launchctl stop com.saltstack.salt.minion

To start the Salt minion, run the following:

sudo launchctl start com.saltstack.salt.minion

Post-installation

For more information on next steps, reference Post-installation configuration

Amazon Linux 2 PY3

  • Pin to Latest Release
  • Pin to Major Release
  • Pin to Minor Release

The three pinning options are described below in this order.

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/amazon/2/x86_64/latest/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/amazon/2/x86_64/latest.repo | sudo tee /etc/yum.repos.d/salt-amzn.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs the latest release. Updating installs the latest minor release but not a new major version.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/amazon/2/x86_64/3004/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/amazon/2/x86_64/3004.repo | sudo tee /etc/yum.repos.d/salt-amzn.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs a specific release. Updating doesn’t change the release that is installed.

  1. Run the following commands to install the SaltStack repository and key:

    sudo rpm --import https://repo.saltproject.io/py3/amazon/2/x86_64/archive/3004.2/SALTSTACK-GPG-KEY.pub
    curl -fsSL https://repo.saltproject.io/py3/amazon/2/x86_64/archive/3004.2.repo | sudo tee /etc/yum.repos.d/salt-amzn.repo
    
  2. Run sudo yum clean expire-cache

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo yum install salt-master
    • sudo yum install salt-minion
    • sudo yum install salt-ssh
    • sudo yum install salt-syndic
    • sudo yum install salt-cloud
    • sudo yum install salt-api
  4. Enable and start service for salt-minion, salt-master, or other Salt components:

    • sudo systemctl enable salt-master && sudo systemctl start salt-master
    • sudo systemctl enable salt-minion && sudo systemctl start salt-minion
    • sudo systemctl enable salt-syndic && sudo systemctl start salt-syndic
    • sudo systemctl enable salt-api && sudo systemctl start salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

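Raspbian 11 (bullseye) | Raspbian 10 (buster) PY3 | Raspbian 9 (stretch) PY3

  • Pin to Latest Release
  • Pin to Major Release
  • Pin to Minor Release

The three pinning options are described below in this order. In step 1 of each, the command groups follow the platform order above; run only the group for your platform.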

Installs the latest release. Updating installs the latest release even if it is a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/armhf/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/11/armhf/latest bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/armhf/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/10/armhf/latest buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/armhf/latest/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/9/armhf/latest stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Raspbian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Raspbian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs the latest release. Updating installs the latest minor release but not a new major version.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/armhf/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/11/armhf/3004 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/armhf/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/10/armhf/3004 buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/armhf/3004/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/9/armhf/3004 stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Raspbian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Raspbian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Installs a specific release. Updating doesn’t change the release that is installed.

  1. Run the following commands to import the SaltStack repository key, and to create /etc/apt/sources.list.d/salt.list:

    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/11/armhf/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/11/armhf/archive/3004.2 bullseye main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/10/armhf/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/10/armhf/archive/3004.2 buster main" | sudo tee /etc/apt/sources.list.d/salt.list
    
    # Download key
    sudo curl -fsSL -o /usr/share/keyrings/salt-archive-keyring.gpg https://repo.saltproject.io/py3/debian/9/armhf/archive/3004.2/salt-archive-keyring.gpg
    # Create apt sources list file
    echo "deb [signed-by=/usr/share/keyrings/salt-archive-keyring.gpg arch=armhf] https://repo.saltproject.io/py3/debian/9/armhf/archive/3004.2 stretch main" | sudo tee /etc/apt/sources.list.d/salt.list
    

    Raspbian 9 also requires apt-transport-https due to the repo being an https endpoint. This is no longer required with Raspbian 10 and later.

    sudo apt-get update
    sudo apt-get install apt-transport-https
    
  2. Run sudo apt-get update

  3. Install the salt-minion, salt-master, or other Salt components:

    • sudo apt-get install salt-master
    • sudo apt-get install salt-minion
    • sudo apt-get install salt-ssh
    • sudo apt-get install salt-syndic
    • sudo apt-get install salt-cloud
    • sudo apt-get install salt-api

Post-installation

For more information on next steps, reference Post-installation configuration

Bootstrap - Multi-Platform

Salt Bootstrap is a shell script that detects the target platform and selects the best installation method. (Supported Platforms)

On the Salt master

Run these commands on the system that you want to use as the central management point.

# Download
curl -fsSL https://bootstrap.saltproject.io -o install_salt.sh
curl -fsSL https://bootstrap.saltproject.io/sha256 -o install_salt_sha256

# Verify file integrity
SHA_OF_FILE=$(sha256sum install_salt.sh | cut -d' ' -f1)
SHA_FOR_VALIDATION=$(cat install_salt_sha256)
if [[ "$SHA_OF_FILE" == "$SHA_FOR_VALIDATION" ]]; then
    # After verification, run script to bootstrap master
    echo "Success! Installing..."
    sudo sh install_salt.sh -P -M -x python3
else
    # If hash check fails, don't attempt install
    echo "WARNING: This file is corrupt or has been tampered with."
fi

Your Salt master can manage itself, so a Salt minion is installed along with the Salt master. If you do not want to install the minion, also pass the -N option.

On each Salt minion

Run these commands on each system that you want to manage using Salt.

Linux or macOS / OSX

# Download
curl -fsSL https://bootstrap.saltproject.io -o install_salt.sh
curl -fsSL https://bootstrap.saltproject.io/sha256 -o install_salt_sha256

# Verify file integrity
SHA_OF_FILE=$(sha256sum install_salt.sh | cut -d' ' -f1)
SHA_FOR_VALIDATION=$(cat install_salt_sha256)
if [[ "$SHA_OF_FILE" == "$SHA_FOR_VALIDATION" ]]; then
    # After verification, run Linux or macOS / OSX minion install
    echo "Success! Installing..."
    sudo sh install_salt.sh -P -x python3
else
    # If hash check fails, don't attempt install
    echo "WARNING: This file is corrupt or has been tampered with."
fi
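The integrity check in the master and minion commands above compares two shell variables, so if both downloads fail, the two empty strings compare equal and the success branch is taken. The following is an added example, not Salt Project's own code, of the same check written to fail closed; the function names `sha256_of` and `verify_sha256` are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: fail-closed SHA-256 check for a downloaded installer.
# verify_sha256 FILE CHECKSUM_FILE returns 0 only on a well-formed match.
#   2 = a download is missing or empty
#   3 = checksum file does not hold a 64-character hex digest
#   4 = no digest could be computed
#   1 = digest mismatch

sha256_of() {
    # Print the hex digest of $1 with whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_sha256() {
    local file="$1" sum_file="$2" expected actual
    # Both files must exist and be non-empty before anything is compared.
    [ -s "$file" ] && [ -s "$sum_file" ] || return 2
    # First field of the first line, lowercased, CRs stripped.
    expected=$(tr -d '\r' < "$sum_file" | awk 'NR==1 {print tolower($1)}')
    # An error page or truncated file must not pass as a digest.
    case "$expected" in
        *[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 3
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || return 4
    [ "$actual" = "$expected" ]
}

# Usage, with the file names from the commands above:
#   verify_sha256 install_salt.sh install_salt_sha256 \
#       && sudo sh install_salt.sh -P -x python3
```

Because the checksum is fetched from the same host as the script, this check catches truncated or corrupted downloads, not a compromised origin.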

Windows bootstrap

# Windows: Using Windows PowerShell or PowerShell Core
# Download
Invoke-WebRequest -Uri https://winbootstrap.saltproject.io -OutFile C:\Temp\bootstrap-salt.ps1
Invoke-WebRequest -Uri https://winbootstrap.saltproject.io/sha256 -OutFile C:\Temp\bootstrap-salt-sha256

# Verify file integrity
$FileSha = (Get-FileHash C:\Temp\bootstrap-salt.ps1).hash
$ValidatedSha = Get-Content C:\Temp\bootstrap-salt-sha256
if ("$FileSha" -eq "$ValidatedSha") {
    # After verification, run Windows minion install
    Write-Output "Success! Installing..."
    Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
    C:\Temp\bootstrap-salt.ps1
    Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser
} else {
    # If hash check fails, don't attempt install
    Write-Error "WARNING: This file is corrupt or has been tampered with."
}

Post-installation

For more information on next steps, reference Post-installation configuration

Single-binary (BETA)

OS    | Architecture | Version | Download                       | SHA512
Linux | amd64        | v3004-1 | salt-3004-1-linux-amd64.tar.gz | SHA512

Single-binaries of salt are primarily used by Heist, but they can be downloaded for simplified lab use. It is highly recommended that users instead install salt via the appropriate package for their target OS, as those packages include several configurations (configuring services, users, etc.) that would have to be manually configured when downloading single-binary forms of salt.

Verify GPG key fingerprint and file integrity

It’s best practice, for security considerations and file integrity purposes, to confirm that the downloaded file is the file that was released by Salt Project.

Linux downloads

gpg needs to be available. If gpg isn’t present, it can be installed via gnupg2 (or, at times, gnupg) on most systems. The following examples should work for Linux.

  • Example: yum install gnupg2
  • Example: apt install gnupg2

The following will download the single-binary and verify the download before attempting to extract from the .tar.gz:

# Download latest salt and files required for file integrity verification
# This example covers the latest amd64 download for Linux systems
curl -fsSL https://repo.saltproject.io/salt/singlebin/3004/salt-3004_SHA512.asc -O
curl -fsSL https://repo.saltproject.io/salt/singlebin/3004/salt-3004_SHA512 -O
curl -fsSL https://repo.saltproject.io/salt/singlebin/3004/salt-3004-1-linux-amd64.tar.gz -O

# Import GPG key for verifying signatures
SALT_GPG_TEMP_DIR=$(mktemp -d)
SALT_KEYRING="${SALT_GPG_TEMP_DIR}/salt-keyring.gpg"
touch "${SALT_KEYRING}"
gpg --homedir "${SALT_GPG_TEMP_DIR}" \
    --no-default-keyring \
    --keyring "${SALT_KEYRING}" \
    --keyserver https://repo.saltproject.io/salt/singlebin/3004/salt-archive-keyring.gpg \
    --recv-keys 754A1A7AE731F165D5E6D4BD0E08A149DE57BFBE

# Steps, with each one only able to execute if previous step passes:
# - Verify signature passes
# - Verify file integrity via sha
# - Extract salt into current dir
gpgv --homedir "${SALT_GPG_TEMP_DIR}" \
     --keyring "${SALT_KEYRING}" salt-3004_SHA512.asc salt-3004_SHA512 && \
       sha512sum -c --ignore-missing salt-3004_SHA512 && \
       tar -xvf salt-3004-1-linux-amd64.tar.gz

# Cleanup temp dir
rm -rf "${SALT_GPG_TEMP_DIR}"

Expected output should include:

gpgv: Good signature from "SaltStack Packaging Team <[email protected]>"
salt-3004-1-linux-amd64.tar.gz: OK

Usage

All tools from the salt repo are included in the single-binary. Because they are contained within a single binary, however, they must be called differently.

Example:

# Make use of salt-call
sudo ./salt call --local test.versions

Available tools:

  • salt master (similar to salt-master)
  • salt minion (similar to salt-minion)
  • salt call (similar to salt-call)
  • salt ssh (similar to salt-ssh)
  • salt syndic (similar to salt-syndic)
  • salt cloud (similar to salt-cloud)
  • salt api (similar to salt-api)
  • salt pip

Installing pip packages into Salt

The single-binary includes a new command, salt pip, which makes it easy to install packages from PyPI directly into Salt.

Example:

sudo ./salt pip install <extra-packages>

Post-installation

For more information on next steps, reference Post-installation configuration

Other Platforms

For installation on other platforms and alternative installation methods, see the Salt Installation Instructions.

Unsupported or archived OS versions

We do NOT recommend installing unsupported or archived versions of Salt. These may be impacted by security vulnerabilities. Run at your own risk.

Ubuntu 16.04 Packages

End of Life Support for Ubuntu 16.04 ended in April 2021. 3001.x and 3002.x are the last Salt releases for which Ubuntu 16.04 packages will be created.

Raspbian 8 Packages

End of Life Support for Raspbian 8 ended in June 2020. As a result, 2019.2.7 and 3000.5 are the last Salt releases for which Raspbian 8 packages were created. The packages are only retrievable via the archive.

Debian 8 Packages

End of Life Support for Debian 8 ended in June 2020. As a result, 2019.2.7 and 3000.5 are the last Salt releases for which Debian 8 packages were created. The packages are only retrievable via the archive.

RHEL 6 Packages

End of Life Support for RHEL 6 ended in November 2020. As a result, 2019.2.7 and 3000.5 were the last Salt releases for which RHEL 6 packages were created. The packages are only retrievable via the archive.

Create a Local Mirror of the Salt Project Package Repo

The Salt Project package repo supports mirroring with an S3 API-compatible sync tool such as aws-cli or rclone. Note that we use a custom endpoint so we can switch buckets easily. Also note that rclone may warn about the time being off. This warning is shown because we use CloudFront as a cache instead of using S3 directly. You can safely ignore these warning messages. Please sync no more than once per day.

rclone example:

RCLONE_CONFIG_S3_TYPE=s3 RCLONE_CONFIG_S3_PROVIDER=Other RCLONE_CONFIG_S3_ENV_AUTH=false RCLONE_CONFIG_S3_ENDPOINT=https://s3.repo.saltproject.io rclone sync --fast-list --use-server-modtime -v s3:s3/ ./fullrepo/

Please make sure to include the --use-server-modtime flag, as not doing so will drastically increase our costs.

If you can’t use the --use-server-modtime flag because your version of rclone is too old, you can use the -c flag:

RCLONE_CONFIG_S3_TYPE=s3 RCLONE_CONFIG_S3_PROVIDER=Other RCLONE_CONFIG_S3_ENV_AUTH=false RCLONE_CONFIG_S3_ENDPOINT=https://s3.repo.saltproject.io rclone sync --fast-list -c -v s3:s3/ ./fullrepo/

aws-cli example:

aws --no-sign-request --endpoint-url https://s3.repo.saltproject.io s3 sync --delete --exact-timestamps s3://s3/ ./fullrepo/

For syncing https://archive.repo.saltproject.io, the endpoint url is https://s3.archive.repo.saltproject.io. Everything else is the same.

Related news

Gentoo Linux Security Advisory 202310-22

Gentoo Linux Security Advisory 202310-22 - Multiple vulnerabilities have been discovered in Salt, the worst of which could result in local privilege escalation. Versions greater than or equal to 3004.2 are affected.

CVE-2022-46756: DSA-2022-335: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities

Dell VxRail, versions prior to 7.0.410, contain a Container Escape Vulnerability. A local high-privileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the container's underlying OS. Exploitation may lead to a system take over by an attacker.

GHSA-fpxm-fprw-6hxj: Salt's PAM auth fails to reject locked accounts

An issue was discovered in SaltStack Salt in versions before 3002.9, 3003.5, 3004.2. PAM auth fails to reject locked accounts, which allows a previously authorized user whose account is locked still run Salt commands when their account is locked. This affects both local shell accounts with an active session and salt-api users that authenticate via PAM eauth.
