Network setup fixes

William Wernert
2019-11-21 19:11:52 -05:00
parent c547e6be47
commit 05a9d3e0da


@@ -275,11 +275,11 @@ copy_ssh_key() {
} }
network_setup() { create_sensor_bond() {
echo "Setting up Bond" >> $SETUPLOG 2>&1 echo "Setting up sensor bond" >> $SETUPLOG 2>&1
# Set the MTU # Set the MTU
if [ "$NSMSETUP" != 'ADVANCED' ]; then if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1500 MTU=1500
fi fi
@@ -304,10 +304,6 @@ network_setup() {
# Bring the slave interface up # Bring the slave interface up
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
done done
# Replace the variable string in the network script
sed -i "s/\$MAININT/${MAININT}/g" ./install_scripts/disable-checksum-offload.sh >> $SETUPLOG 2>&1
# Copy the checksum offload script to prevent issues with packet capture
cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
} }
detect_os() { detect_os() {
@@ -329,6 +325,19 @@ detect_os() {
} }
disable_unused_nics() {
for UNUSED_NIC in ${FNICS[@]}; do
# Disable DHCPv4/v6 and autoconnect
nmcli con mod $UNUSED_NIC \
ipv4.method disabled \
ipv6.method link-local \
connection.autoconnect "no" >> $SETUPLOG 2>&1
# Flush any existing IPs
ip addr flush $UNUSED_NIC >> $SETUPLOG 2>&1
done
}
docker_install() { docker_install() {
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
@@ -402,11 +411,19 @@ eval_mode_hostsfile() {
} }
filter_nics() { filter_unused_nics() {
# Set the main NIC as the default grep search string
grep_string=$MNIC
# Filter the NICs that we don't want to see in setup # If we call this function and NICs have already been assigned to the bond interface then add them to the grep search string
FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') if [[ $BNICS ]]; then
for BONDNIC in ${BNICS[@]}; do
grep_string="$grep_string\|$BONDNIC"
done
fi
# Finally, set FNICS to any NICs we aren't using (and ignore interfaces that aren't of use)
FNICS=$(ip link | grep -vwe $grep_string | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}')
} }
generate_passwords(){ generate_passwords(){
@@ -604,6 +621,22 @@ minio_generate_keys() {
} }
network_setup() {
echo "Finishing up network setup" >> $SETUPLOG 2>&1
echo "... Disabling unused NICs" >> $SETUPLOG 2>&1
disable_unused_nics >> $SETUPLOG 2>&1
echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1
nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1
echo "... Copying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
echo "... Modifying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
}
node_pillar() { node_pillar() {
NODEPILLARPATH=$TMP/pillar/nodes NODEPILLARPATH=$TMP/pillar/nodes
@@ -1209,11 +1242,16 @@ whiptail_bro_version() {
whiptail_bond_nics() { whiptail_bond_nics() {
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) local nic_list=()
for FNIC in ${FNICS[@]}; do
nic_list+=($FNIC "Interface" "OFF")
done
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${nic_list[@]} 3>&1 1>&2 2>&3 )
while [ -z "$BNICS" ] while [ -z "$BNICS" ]
do do
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${nic_list[@]} 3>&1 1>&2 2>&3 )
done done
local exitstatus=$? local exitstatus=$?
@@ -1992,7 +2030,9 @@ if (whiptail_you_sure); then
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX" echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
@@ -2015,7 +2055,7 @@ if (whiptail_you_sure); then
if [ $INSTALLTYPE == 'SENSORONLY' ]; then if [ $INSTALLTYPE == 'SENSORONLY' ]; then
whiptail_management_nic whiptail_management_nic
filter_nics filter_unused_nics
whiptail_bond_nics whiptail_bond_nics
whiptail_management_server whiptail_management_server
whiptail_master_updates whiptail_master_updates
@@ -2046,7 +2086,7 @@ if (whiptail_you_sure); then
#echo -e "XXX\n1\nInstalling pip3... \nXXX" #echo -e "XXX\n1\nInstalling pip3... \nXXX"
#install_pip3 >> $SETUPLOG 2>&1 #install_pip3 >> $SETUPLOG 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX" echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
network_setup >> $SETUPLOG 2>&1 create_sensor_bond >> $SETUPLOG 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >> $SETUPLOG 2>&1 sensor_pillar >> $SETUPLOG 2>&1
echo "** Generating the patch pillar **" >> $SETUPLOG echo "** Generating the patch pillar **" >> $SETUPLOG
@@ -2077,6 +2117,9 @@ if (whiptail_you_sure); then
echo -e "XXX\n80\nVerifying Install... \nXXX" echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
@@ -2097,7 +2140,7 @@ if (whiptail_you_sure); then
whiptail_management_nic whiptail_management_nic
# Filter out the management NIC # Filter out the management NIC
filter_nics filter_unused_nics
# Select which NICs are in the bond # Select which NICs are in the bond
whiptail_bond_nics whiptail_bond_nics
@@ -2144,7 +2187,7 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX" echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
network_setup >> $SETUPLOG 2>&1 create_sensor_bond >> $SETUPLOG 2>&1
#install_pip3 >> $SETUPLOG 2>&1 #install_pip3 >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling mysql dependencies for saltstack... \nXXX" echo -e "XXX\n1\nInstalling mysql dependencies for saltstack... \nXXX"
salt_install_mysql_deps >> $SETUPLOG 2>&1 salt_install_mysql_deps >> $SETUPLOG 2>&1
@@ -2223,22 +2266,24 @@ if (whiptail_you_sure); then
echo -e "XXX\n85\nInstalling filebeat... \nXXX" echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >> $SETUPLOG 2>&1 salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >> $SETUPLOG 2>&1 salt-call state.apply utility >> $SETUPLOG 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX" echo -e "XXX\n90\nInstalling misc components... \nXXX"
salt-call state.apply schedule >> $SETUPLOG 2>&1 salt-call state.apply schedule >> $SETUPLOG 2>&1
salt-call state.apply soctopus >> $SETUPLOG 2>&1 salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n96\nInstalling The Hive... \nXXX" echo -e "XXX\n91\nInstalling The Hive... \nXXX"
salt-call state.apply hive >> $SETUPLOG 2>&1 salt-call state.apply hive >> $SETUPLOG 2>&1
fi fi
if [[ $PLAYBOOK == '1' ]]; then if [[ $PLAYBOOK == '1' ]]; then
echo -e "XXX\n97\nInstalling Playbook... \nXXX" echo -e "XXX\n93\nInstalling Playbook... \nXXX"
salt-call state.apply playbook >> $SETUPLOG 2>&1 salt-call state.apply playbook >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX" echo -e "XXX\n98\nVerifying Setup... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
@@ -2342,7 +2387,9 @@ if (whiptail_you_sure); then
echo -e "XXX\n90\nVerifying Install... \nXXX" echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
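Review bot: The new `disable_unused_nics` disables and flushes every name left in `FNICS`, and neither it nor `filter_unused_nics` confirms that the management interface was actually excluded first. The exclusion rests entirely on `grep -vwe $grep_string`, where the pattern is unquoted and built from `$MNIC` and `$BNICS`. If `MNIC` is empty or does not match at the late call sites after `salt-call state.highstate`, the management NIC may stay in the list and reach `ip addr flush`, cutting off a remote install. Whether `MNIC` is always set at those call sites is not visible on this page. I would quote the pattern, `grep -vwe "$grep_string"`, and fail closed at the top of the loop with `[[ -n $MNIC && $UNUSED_NIC != "$MNIC" ]] || continue`. Separately, the four added gauge lines print `"XX\n99\n..."` where every other message opens with `XXX`, which looks like a typo.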