Fix Conflicts

setup/automation/pm_standalone_defaults

@@ -74,5 +74,5 @@ STRELKA=1
 THEHIVE=1
 WAZUH=1
 WEBUSER=onionuser@somewhere.invalid
-WEBPASSWD1=onionuser
-WEBPASSWD2=onionuser
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r

setup/so-functions

@@ -258,6 +258,10 @@ check_soremote_pass() {
 	check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
 }
 
+check_fleet_node_pass() {
+	check_pass_match "$FLEETNODEPASSWD1" "$FLEETNODEPASSWD2" "FPMATCH"
+}
+
 check_web_pass() {
 	check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
 }
@@ -295,6 +299,30 @@ collect_adminuser_inputs() {
 	done
 }
 
+collect_fleet_custom_hostname_inputs() {
+	whiptail_fleet_custom_hostname
+}
+
+collect_fleetuser_inputs() {
+	# Get a username & password for the Fleet admin user
+	local valid_user=no
+	while [[ $valid_user != yes ]]; do
+		whiptail_create_fleet_node_user		
+		if so-user valemail "$FLEETNODEUSER" >> "$setup_log" 2>&1; then
+			valid_user=yes
+		else
+			whiptail_invalid_user_warning
+		fi
+	done
+
+	FPMATCH=no
+	while [[ $FPMATCH != yes ]]; do
+		whiptail_create_fleet_node_user_password1
+		whiptail_create_fleet_node_user_password2
+		check_fleet_node_pass
+	done
+}
+
 
 collect_webuser_inputs() {
 	# Get a password for the web admin user
@@ -390,6 +418,7 @@ check_requirements() {
 		req_mem=8
 		req_cores=4
 		if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
+		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 	fi
 
 	if [[ $num_nics -lt $req_nics ]]; then
@@ -814,6 +843,17 @@ get_minion_type() {
 	echo "$minion_type"
 }
 
+host_pillar() {
+
+	local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls
+
+	# Create the host pillar
+	printf '%s\n'\
+		"host:"\
+		"  mainint: $MNIC"\
+		"" > "$pillar_file"
+}
+
 install_cleanup() {
 	echo "Installer removing the following files:"
 	ls -lR "$temp_install_dir"
@@ -906,6 +946,7 @@ master_static() {
 		"  cortexorgname: SecurityOnion"\
 		"  cortexorguser: soadmin"\
 		"  cortexorguserkey: $CORTEXORGUSERKEY"\
+		"  fleet_custom_hostname: "\
 		"  fleet_master: False"\
 		"  fleet_node: False"\
 		"  fleet_packages-timestamp: N/A"\
@@ -1194,8 +1235,12 @@ salt_checkin() {
 				sleep 5;
 				systemctl restart salt-minion;
 				sleep 15;
+				echo " Confirming existence of the CA certificate"
+				cat /etc/pki/ca.crt
 				echo " Applyng a mine hack";
 				salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
+				echo " Confirming salt mine now contain the certificate"
+				salt \* mine.get \* x509.get_pem_entries
 				echo " Applying SSL state";
 				salt-call state.apply ssl;
 			} >> "$setup_log" 2>&1

setup/so-setup

@@ -145,6 +145,7 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then
 	is_sensor=true
 elif [ "$install_type" = 'FLEET' ]; then
 	is_minion=true
+	is_fleet_standalone=true
 	OSQUERY=1
 elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
@@ -152,10 +153,12 @@ fi
 
 if [[ $is_eval ]]; then
 	check_requirements "eval"
-elif [[ $is_distmaster || $is_minion ]]; then
-	check_requirements "dist"
+elif [[ $is_fleet_standalone ]]; then
+	check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
 	check_requirements "dist" "sensor"
+elif [[ $is_distmaster || $is_minion ]]; then
+	check_requirements "dist"
 fi
 
 whiptail_patch_schedule
@@ -256,7 +259,7 @@ if [[ $is_master ]]; then
 	get_redirect
 fi
 
-if [[ $is_distmaster || ( $is_sensor || $is_node ) && ! $is_eval ]]; then
+if [[ $is_distmaster || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then
 	whiptail_master_updates
 	if [[ $setup_type == 'network' && $MASTERUPDATES == 1 ]]; then
 		whiptail_master_updates_warning
@@ -305,6 +308,14 @@ if [[ $is_node && ! $is_eval ]]; then
 	fi
 fi
 
+if [ "$install_type" == 'FLEET' ]; then
+	collect_fleetuser_inputs
+	collect_fleet_custom_hostname_inputs
+else
+	FLEETNODEUSER=$WEBUSER
+	FLEETNODEPASSWD1=$WEBPASSWD1
+fi
+
 whiptail_make_changes
 
 if [[ -n "$TURBO" ]]; then
@@ -341,6 +352,10 @@ if [[ $is_minion ]]; then
 	copy_ssh_key >> $setup_log 2>&1
 fi
 
+if [[ "$OSQUERY" = 1 ]]; then
+	host_pillar >> $setup_log 2>&1
+fi
+
 # Begin install
 {
 	# Set initial percentage to 0
@@ -500,11 +515,24 @@ fi
 	fi
 	
 	if [[ "$OSQUERY" = 1 ]]; then
+		set_progress_str 73 "$(print_salt_state_apply 'mysql')"
+		salt-call state.apply -l info mysql >> $setup_log 2>&1
+
 		set_progress_str 73 "$(print_salt_state_apply 'fleet')"
 		salt-call state.apply -l info fleet >> $setup_log 2>&1
 
-		set_progress_str 74 "$(print_salt_state_apply 'redis')"
+		set_progress_str 73 "$(print_salt_state_apply 'redis')"
 		salt-call state.apply -l info redis >> $setup_log 2>&1
+
+		if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then
+			set_progress_str 73 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')"
+			pillar_override="{\"static\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}"
+			salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
+		fi
+	
+		set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"	
+		so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1
+
 	fi
 
 	if [[ "$WAZUH" = 1 ]]; then
@@ -513,8 +541,8 @@ fi
 	fi
 
 	if [[ "$THEHIVE" = 1 ]]; then
-		set_progress_str 76 "$(print_salt_state_apply 'hive')"
-		salt-call state.apply -l info hive >> $setup_log 2>&1
+		set_progress_str 76 "$(print_salt_state_apply 'thehive')"
+		salt-call state.apply -l info thehive >> $setup_log 2>&1
 	fi
 
 	if [[ "$STRELKA" = 1 ]]; then

setup/so-whiptail

@@ -165,6 +165,38 @@ whiptail_create_admin_user_password2() {
 
 }
 
+whiptail_create_fleet_node_user() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEUSER=$(whiptail --title "Security Onion Install" --inputbox \
+	"Please enter an email for use as the username for the Fleet admin user." 10 60 3>&1 1>&2 2>&3)
+
+}
+
+whiptail_create_fleet_node_user_password1() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_create_fleet_node_user_password2() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETNODEPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \
+	"Re-enter a password for $FLEETNODEUSER" 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+}
+
 whiptail_create_soremote_user() {
 
 	[ -n "$TESTING" ] && return
@@ -238,6 +270,19 @@ whiptail_create_web_user_password2() {
 
 }
 
+whiptail_fleet_custom_hostname() {
+
+	[ -n "$TESTING" ] && return
+
+	FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
+	"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
+
+
+
 whiptail_requirements_error() {
 
 	local requirement_needed=$1