From 990470a76594192671d358cf0a505bfb8432524a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 10:41:45 -0400 Subject: [PATCH 01/37] Add initial analyst install option to so-setup --- setup/so-functions | 42 +++++++++++++++++++++++++++++++----------- setup/so-setup | 30 ++++++++++++++++++++++++++---- setup/so-whiptail | 17 +++++++++++++++++ 3 files changed, 74 insertions(+), 15 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5b4914941..be3113485 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -138,6 +138,26 @@ analyze_system() { logCmd "ip a" } +analyst_workstation_pillar() { + + local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + + # Create the analyst workstation pillar + printf '%s\n'\ + "host:"\ + " mainint: '$INTERFACE'"\ + "patch:"\ + " os:"\ + " source: $source"\ + " enabled: true"\ + " schedule_name: '$PATCHSCHEDULENAME'"\ + " splay: 300"\ + "workstation:"\ + " gui:"\ + " enabled: true" >> "$pillar_file" + +} + calculate_useable_cores() { # Calculate reasonable core usage @@ -1108,6 +1128,7 @@ detect_os() { echo "Detecting Base OS" >> "$log" 2>&1 if [ -f /etc/redhat-release ]; then OS=centos + is_centos=true if grep -q "CentOS Linux release 7" /etc/redhat-release; then OSVER=7 elif grep -q "CentOS Linux release 8" /etc/redhat-release; then @@ -1207,7 +1228,7 @@ disable_ipv6() { docker_install() { - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then logCmd "yum clean expire-cache" if [[ ! $is_iso ]]; then logCmd "yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7" @@ -1759,7 +1780,7 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos:"\ + " repos:"\'$PATCHSCHEDULENAME' " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ 
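Review bot: `analyst_workstation_pillar` appends (`>>`) to `$temp_install_dir/pillar/minions/$MINION_ID.sls`, so a re-run of setup leaves a second copy of the `host:`/`patch:`/`workstation:` mappings in the minion pillar, and it reads `$source` and `$PATCHSCHEDULENAME` as globals that nothing in this hunk sets. If the file is meant to be created fresh here, write it with `>` (or truncate it once before the printf); and since the later so-setup hunks in this series call the host-pillar step before `patch_pillar`, if `$source` is populated by `patch_pillar` the `source:` value will expand empty on the analyst path — worth confirming the call order. `$PATCHSCHEDULENAME` is interpolated inside a YAML single-quoted scalar; the `${VAR//\'/''}` escaping this series uses for `node_description` would keep a stray quote in the schedule name from breaking the pillar.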
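Review bot: The three manager_global hunks in this patch (this one and the `@@ -1785` and `@@ -1805` hunks) append a stray `\'$PATCHSCHEDULENAME'` to the `repos:`, `discovery_nodes:` and `index:` lines and drop `number_of_shards: 1`; a backslash followed by `'` no longer continues the line, so the printf argument list is cut short and the global pillar is written with broken YAML. Patches 02, 03 and 05 restore the original lines, so these look like accidental paste artefacts; the series should be squashed so no intermediate commit ships a broken manager_global, and the intended content of these lines is simply the unchanged `" repos:"\`.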
@@ -1785,7 +1806,7 @@ manager_global() { printf '%s\n'\ " replicas: 0"\ - " discovery_nodes: 1"\ + " discovery_nodes: 1"\'$PATCHSCHEDULENAME' " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ " cluster_routing_allocation_disk_watermark_low: '95%'"\ @@ -1805,8 +1826,7 @@ manager_global() { " index_template:"\ " template:"\ " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " index:"\'$PATCHSCHEDULENAME' " warm: 7"\ " close: 30"\ " delete: 365"\ @@ -2178,7 +2198,7 @@ reset_proxy() { [[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig - if [[ $OS == 'centos' ]]; then + if [[ $is_centos ]]; then sed -i "/proxy=/d" /etc/yum.conf else [[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf @@ -2206,7 +2226,7 @@ backup_dir() { remove_package() { local package_name=$1 - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then if rpm -qa | grep -q "$package_name"; then logCmd "yum remove -y $package_name" fi @@ -2371,7 +2391,7 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then + if [[ $is_centos ]]; then if [[ "$INTERWEBS" == "AIRGAP" ]]; then echo "This is airgap I don't need to add this repo" else @@ -2462,7 +2482,7 @@ set_proxy() { "}" > /root/.docker/config.json # Set proxy for package manager - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then echo "proxy=$so_proxy" >> /etc/yum.conf else # Set it up so the updates roll through the manager @@ -2741,7 +2761,7 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then if grep -q "proxy=" /etc/yum.conf; then sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf 
@@ -2808,7 +2828,7 @@ update_sudoers() { } update_packages() { - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then logCmd "yum repolist" logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" else diff --git a/setup/so-setup b/setup/so-setup index deca4b0d6..cef614112 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -72,15 +72,37 @@ done detect_os +if [ "$setup_type" = 'analyst' ]; then + is_analyst=true +fi + if [[ "$setup_type" == 'iso' ]]; then - if [[ "$OS" == 'centos' ]]; then - is_iso=true + if [[ $is_centos ]]; then + is_iso=true else echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." exit 1 fi fi +# Check to see if this is an analyst install. If it is let's run things differently + +if [[ $is_analyst ]]; then + + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi + + whiptail_analyst_install + + exit 0 + +fi + + + if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi @@ -674,7 +696,7 @@ echo "1" > /root/accept_changes # Import the gpg keys gpg_rpm_import >> $setup_log 2>&1 info "Disabling fastestmirror" - [[ $OS == 'centos' ]] && disable_fastestmirror + [[ $is_centos ]] && disable_fastestmirror if [[ ! $is_airgap ]]; then securityonion_repo >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 @@ -817,7 +839,7 @@ echo "1" > /root/accept_changes set_progress_str 61 "$(print_salt_state_apply 'firewall')" salt-call state.apply -l info firewall >> $setup_log 2>&1 - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then set_progress_str 61 'Installing Yum utilities' salt-call state.apply -l info yum.packages >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index c39ec4ff7..d5c0aafef 100755 --- a/setup/so-whiptail 
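Review bot: The analyst gate `if [[ ! $is_centos ]]` rejects with "Analyst Workstation is only supported on CentOS 7", but `is_centos` is set in detect_os for any host with /etc/redhat-release, including the CentOS 8 branch visible in that hunk, so the check is looser than its message. Test the version too, e.g. `if [[ ! $is_centos || $OSVER != 7 ]]; then`. Note also that the branch calls `whiptail_analyst_install` and then unconditionally `exit 0`s, so nothing in this patch acts on the Join/Standalone answer yet; a comment marking that as work in progress would stop a reader looking for the missing logic.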
+++ b/setup/so-whiptail @@ -33,6 +33,23 @@ whiptail_airgap() { INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ') } +whiptail_analyst_install() { + + [ -n "$TESTING" ] && return + + read -r -d '' message <<- EOM + + Welcome to the Security Onion Anaylst Workstation install! + + You can choose to use join this workstation to an existing grid for managemnt or make it standalone. + EOM + + whiptail --title "$whiptail_title" \ + --yesno "$message" 11 75 \ + --yes-button "Join" --no-button "Standalone" --defaultno + +} + whiptail_avoid_default_hostname() { [ -n "$TESTING" ] && return From 80af497f95f35624475c7d145e5eca0448fa751a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:43:20 -0400 Subject: [PATCH 02/37] Add initial analyst install code --- setup/so-functions | 25 ++++++++++++++++++++++--- setup/so-setup | 36 +++++++++++------------------------- setup/so-whiptail | 4 ++-- 3 files changed, 35 insertions(+), 30 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index be3113485..53e475b71 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -169,6 +169,13 @@ calculate_useable_cores() { export lb_procs } +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} + check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } @@ -1780,13 +1787,14 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos:"\'$PATCHSCHEDULENAME' + " repos: '$PATCHSCHEDULENAME'"\ " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ " repos:"\ " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" fi + printf '%s\n'\ "curator:"\ " hot_warm: False"\ 
@@ -1806,7 +1814,7 @@ manager_global() { printf '%s\n'\ " replicas: 0"\ - " discovery_nodes: 1"\'$PATCHSCHEDULENAME' + " discovery_nodes: 1"\ " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ " cluster_routing_allocation_disk_watermark_low: '95%'"\ @@ -1826,7 +1834,8 @@ manager_global() { " index_template:"\ " template:"\ " settings:"\ - " index:"\'$PATCHSCHEDULENAME' + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ @@ -2058,6 +2067,16 @@ print_salt_state_apply() { echo "Applying $state Salt state" } +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} + proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" diff --git a/setup/so-setup b/setup/so-setup index cef614112..9598a566a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -99,6 +99,9 @@ if [[ $is_analyst ]]; then exit 0 + # If you got this far then you want to join the grid + is_minion=true + fi @@ -128,23 +131,9 @@ fi # Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) trap 'catch $LINENO' SIGUSR1 setup_proc="$$" -catch() { - info "Fatal error occurred at $1 in so-setup, failing setup." - grep --color=never "ERROR" "$setup_log" > "$error_log" - whiptail_setup_failed - exit 1 -} - +catch automated=no -progress() { - local msg=${1:-'Please wait while installing...'} - - if [ $automated == no ]; then - whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text - else - cat >> $setup_log 2>&1 - fi -} +progress if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 
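Review bot: Replacing the `catch()` and `progress()` definitions with bare `catch` and `progress` lines turns them into calls: `catch` now runs with no argument at the top of so-setup, logs a fatal error, calls `whiptail_setup_failed` and `exit 1`, so this commit aborts every install before the automation check. The `@@ -99` hunk in the same file has a related problem — `is_minion=true` is placed after an unconditional `exit 0`, so it never executes. Patches 06, 11 and 12 undo both; squash them so the moved-and-moved-back functions do not appear in history, or if the move to so-functions is wanted, delete the two call lines rather than the definitions.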
@@ -178,11 +167,11 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th fi case "$setup_type" in - iso | network) # Accepted values + iso | network | analyst) # Accepted values echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 ;; *) - echo "Invalid install type, must be 'iso' or 'network'" | tee -a $setup_log + echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log exit 1 ;; esac @@ -291,7 +280,7 @@ elif [ "$install_type" = 'RECEIVER' ]; then is_receiver=true elif [ "$install_type" = 'ANALYST' ]; then cd .. || exit 255 - exec bash so-analyst-install + exec bash so-setup analyst fi if [[ $is_manager || $is_import ]]; then @@ -311,7 +300,7 @@ if ! [[ -f $install_opt_file ]]; then check_requirements "dist" "idh" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" - elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then + elif [[ $is_distmanager || $is_minion ]] && [[ ! ( $is_import || $is_analyst ) ]]; then check_requirements "dist" elif [[ $is_import ]]; then check_requirements "import" @@ -342,9 +331,6 @@ if ! [[ -f $install_opt_file ]]; then if [[ $is_minion ]]; then collect_mngr_hostname add_mngr_ip_to_hosts - fi - - if [[ $is_minion ]]; then whiptail_ssh_key_copy_notice copy_ssh_key >> $setup_log 2>&1 fi @@ -355,7 +341,7 @@ if ! [[ -f $install_opt_file ]]; then if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true fi - elif [[ $is_minion && $is_iso ]]; then + elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 airgap_check=$? [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 @@ -584,7 +570,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi -[[ $is_iso ]] && collect_ntp_servers +[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then whiptail_node_advanced 
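Review bot: `cd .. || exit 255` followed by `exec bash so-setup analyst` looks for so-setup in the parent directory, but the file being changed is `setup/so-setup`, so unless a copy exists at the repository root the exec fails with "No such file" and choosing ANALYST ends the run without an analyst install. The `cd ..` was presumably there because the previous target `so-analyst-install` lived one level up; either drop the `cd ..` or exec `bash setup/so-setup analyst`, and since the script re-executes itself from the top, a comment noting that detect_os and the early checks run a second time would help.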
diff --git a/setup/so-whiptail b/setup/so-whiptail index d5c0aafef..36d4493d8 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -39,9 +39,9 @@ whiptail_analyst_install() { read -r -d '' message <<- EOM - Welcome to the Security Onion Anaylst Workstation install! + Welcome to the Security Onion Analyst Workstation install! - You can choose to use join this workstation to an existing grid for managemnt or make it standalone. + You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM whiptail --title "$whiptail_title" \ From 0d23688aa0e0aea6c9d326df124f8bbb8b96a4f1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:46:45 -0400 Subject: [PATCH 03/37] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 53e475b71..d4a97db9f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1787,7 +1787,7 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos: '$PATCHSCHEDULENAME'"\ + " repos:"\ " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ From 102d2507cbb7698343b967c5432b086d1df0853e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:48:52 -0400 Subject: [PATCH 04/37] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d4a97db9f..24b2c0fef 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1835,7 +1835,7 @@ manager_global() { " template:"\ " settings:"\ " index:"\ - " number_of_shards: 1"\ + " numbber_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ From 3ace55dfe50b8978ea253d93d0eda14c68fae4cf Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 29 Mar 2022 12:49:30 -0400 Subject: [PATCH 05/37] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 24b2c0fef..d4a97db9f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1835,7 +1835,7 @@ manager_global() { " template:"\ " settings:"\ " index:"\ - " numbber_of_shards: 1"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ From afb918d79c307620d5a665da514e4974c9421118 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:08:03 -0400 Subject: [PATCH 06/37] Set standalone to load Xwindows --- setup/so-setup | 8 +++++++- setup/so-whiptail | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 9598a566a..f08a95415 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -97,7 +97,13 @@ if [[ $is_analyst ]]; then whiptail_analyst_install - exit 0 + if [[ $AWORK != "Join" ]]; then + # Lets make this a standalone + echo "Enabling X Windows and setting it to load at boot" + systemctl set-default graphical.target + startx + exit 0 + fi # If you got this far then you want to join the grid is_minion=true diff --git a/setup/so-whiptail b/setup/so-whiptail index 36d4493d8..9ecd00b04 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -44,9 +44,9 @@ whiptail_analyst_install() { You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM - whiptail --title "$whiptail_title" \ + AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno + --yes-button "Join" --no-button "Standalone" --defaultno) } From 853235ca9b2a9ca70c8304fb3bbe73936662604a Mon Sep 17 00:00:00 2001 
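Review bot: `AWORK=$(whiptail … --yesno …)` captures stdout, but `--yesno` reports the answer only through its exit status and prints nothing, so `AWORK` is always empty and `[[ $AWORK != "Join" ]]` always takes the standalone branch (patch 10 later switches to testing the status). In that branch `startx` is executed directly from so-setup, which runs as root (it calls `systemctl` and `yum`), so the first desktop session of a standalone workstation is a root X session, and it also blocks setup until that session ends. Setting the default target and then rebooting, or `systemctl isolate graphical.target`, avoids launching X as root from the installer.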
From: Mike Reeves Date: Tue, 29 Mar 2022 17:11:19 -0400 Subject: [PATCH 07/37] Set standalone to load Xwindows --- setup/so-whiptail | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 9ecd00b04..37164268e 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -43,10 +43,10 @@ whiptail_analyst_install() { You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM - + echo "whiptail" AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno) + --yes-button "Join" --no-button "Standalone" --defaultno ) } From 053ec812857c7222da2f1b834cca2736a4e8eaf8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:12:25 -0400 Subject: [PATCH 08/37] Set standalone to load Xwindows --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 37164268e..2c6b7092b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -46,7 +46,7 @@ whiptail_analyst_install() { echo "whiptail" AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno ) + --yes-button "Join" --no-button "Standalone" --defaultno 3>&1 1>&2 2>&3 ) } From 86e32f3e6c45e2491476152b070ef03e0023942f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:13:47 -0400 Subject: [PATCH 09/37] Set standalone to load Xwindows --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index f08a95415..6aa95c0e6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -96,6 +96,7 @@ if [[ $is_analyst ]]; then fi whiptail_analyst_install + echo "$AWORK" if [[ $AWORK != "Join" ]]; then # Lets make this a standalone From 67582be5758c969661ebbbc39a190e001b84732b Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 29 Mar 2022 17:23:38 -0400 Subject: [PATCH 10/37] Set standalone to load Xwindows --- setup/so-setup | 5 +---- setup/so-whiptail | 9 +++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 6aa95c0e6..ca3403bee 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -95,10 +95,7 @@ if [[ $is_analyst ]]; then exit 1 fi - whiptail_analyst_install - echo "$AWORK" - - if [[ $AWORK != "Join" ]]; then + if ! whiptail_analyst_install; then # Lets make this a standalone echo "Enabling X Windows and setting it to load at boot" systemctl set-default graphical.target diff --git a/setup/so-whiptail b/setup/so-whiptail index 2c6b7092b..f028af323 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -41,12 +41,13 @@ whiptail_analyst_install() { Welcome to the Security Onion Analyst Workstation install! - You can choose to join this workstation to an existing grid for managemnt or make it standalone. + You can choose to join this workstation to an existing grid? + + NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM echo "whiptail" - AWORK=$(whiptail --title "$whiptail_title" \ - --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno 3>&1 1>&2 2>&3 ) + whiptail --title "$whiptail_title" \ + --yesno "$message" 11 75 --defaultno } From 45161b2a3906ac4ab46c46fea5a545e28598ca10 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:28:32 -0400 Subject: [PATCH 11/37] Set standalone to load Xwindows --- setup/so-functions | 7 ------- setup/so-setup | 7 ++++++- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d4a97db9f..736f2e15b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
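Review bot: `if ! whiptail_analyst_install; then` treats every non-zero status as "standalone", but whiptail exits 1 for No and 255 for Esc or an error (and the function's TESTING early return yields 0, i.e. Join), so dismissing the dialog, or whiptail being unavailable, silently switches the host's default systemd target to graphical. Capture the status and handle cancel explicitly, e.g. `rc=0; whiptail_analyst_install || rc=$?` then `[[ $rc -eq 255 ]] && whiptail_cancel` before the `(( rc != 0 ))` standalone branch; `whiptail_cancel` is already used for this purpose elsewhere in so-setup.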
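Review bot: A debug `echo "whiptail"` remains in `whiptail_analyst_install` (added in patch 07 and kept here); it prints to stdout just before the dialog and should be removed. The new prompt text reads as a fragment — `You can choose to join this workstation to an existing grid?` — and no longer names the two outcomes now that the `--yes-button`/`--no-button` labels are gone; something like `Join this workstation to an existing grid? Selecting "No" configures a standalone workstation with a graphical login.` makes the default-No choice and its effect clear.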
@@ -169,13 +169,6 @@ calculate_useable_cores() { export lb_procs } -catch() { - info "Fatal error occurred at $1 in so-setup, failing setup." - grep --color=never "ERROR" "$setup_log" > "$error_log" - whiptail_setup_failed - exit 1 -} - check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } diff --git a/setup/so-setup b/setup/so-setup index ca3403bee..5f4329750 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -135,7 +135,12 @@ fi # Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) trap 'catch $LINENO' SIGUSR1 setup_proc="$$" -catch +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} automated=no progress From c4a4e9737b2e5f7952880138a3af814621563f5e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:31:53 -0400 Subject: [PATCH 12/37] Set standalone to load Xwindows --- setup/so-functions | 10 ---------- setup/so-setup | 10 +++++++++- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 736f2e15b..8a51a8b31 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2060,16 +2060,6 @@ print_salt_state_apply() { echo "Applying $state Salt state" } -progress() { - local msg=${1:-'Please wait while installing...'} - - if [ $automated == no ]; then - whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text - else - cat >> $setup_log 2>&1 - fi -} - proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" diff --git a/setup/so-setup b/setup/so-setup index 5f4329750..88a4daa5a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -142,7 +142,15 @@ catch() { exit 1 } automated=no -progress +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 From 816d0b1075d8b982b63bd51c90a1843bbea4d69a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:35:13 -0400 Subject: [PATCH 13/37] Don't prompt for install type since we know its analyst --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 88a4daa5a..8d01089e0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -247,7 +247,9 @@ if ! [[ -f $install_opt_file ]]; then true fi fi - whiptail_install_type + if [[ ! $is_analyst ]]; then + whiptail_install_type + fi else source $install_opt_file fi From dceb46888f1c49d6600c93127fbe9493918facf1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:06:59 -0400 Subject: [PATCH 14/37] Add analyst install network stack --- setup/so-setup | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 8d01089e0..fb0472ebf 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -74,6 +74,10 @@ detect_os if [ "$setup_type" = 'analyst' ]; then is_analyst=true + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi if [[ "$setup_type" == 'iso' ]]; then 
@@ -230,6 +234,38 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi + + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip >> $setup_log 2>&1 + compare_main_nic_ip + whiptail_net_setup_complete + + fi + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then From c3d3806f651d343484450ac76c7e911c0522c7f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:14:35 -0400 Subject: [PATCH 15/37] Add analyst install network stack --- setup/so-setup | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index fb0472ebf..7e82abe12 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -278,7 +278,6 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - whiptail_net_setup_complete else true fi From f43a6757e0d7aa4b8512290ea57956f925231aea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:16:00 -0400 Subject: [PATCH 16/37] Add analyst install network stack --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 7e82abe12..ba9125f31 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -262,7 +262,6 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - whiptail_net_setup_complete fi @@ -278,6 +277,7 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip + whiptail_net_setup_complete else true fi From a049e458c6bd0f8cc29dd60a5b146d22285e15e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 14:03:52 -0400 Subject: [PATCH 17/37] Add workstation to the salt config --- setup/so-functions | 64 +++++++++++++++++++++++++++------------------- setup/so-setup | 7 ++++- 2 files changed, 43 insertions(+), 28 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8a51a8b31..6ad0510a5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -155,7 +155,8 @@ analyst_workstation_pillar() { "workstation:"\ " gui:"\ " enabled: true" >> "$pillar_file" - + "sensoroni:"\ + " node_description: '${NODE_DESCRIPTION//\'/''}'" } calculate_useable_cores() { @@ -786,6 +787,9 @@ collect_zeek() { configure_minion() { local minion_type=$1 + if [[ $is_analyst ]]; then + minion_type=workstation + fi echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains @@ -794,6 +798,9 @@ configure_minion() { echo "id: '$MINION_ID'" > "$minion_config" case "$minion_type" in + 'workstation') + echo "master: '$HOSTNAME'" >> "$minion_config" + ;; 'helix') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf echo "master: '$HOSTNAME'" >> "$minion_config" 
@@ -2249,38 +2256,41 @@ remove_package() { saltify() { # Install updates and Salt - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then set_progress_str 6 'Installing various dependencies' - if [[ ! $is_iso ]]; then + if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then logCmd "yum -y install wget nmap-ncat" - fi - case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') - reserve_group_ids - if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite curl mariadb-devel" - fi - # Download Ubuntu Keys in case manager updates = 1 - logCmd "mkdir -vp /opt/so/gpg" - if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - fi - set_progress_str 7 'Installing salt-master' - if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" - fi - logCmd "systemctl enable salt-master" - ;; - *) - ;; - esac + fi + + if [[ ! is_analyst ]]; then + case "$install_type" in + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') + reserve_group_ids + if [[ ! $is_iso ]]; then + logCmd "yum -y install sqlite curl mariadb-devel" + fi + # Download Ubuntu Keys in case manager updates = 1 + logCmd "mkdir -vp /opt/so/gpg" + if [[ ! $is_airgap ]]; then + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" + logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" + fi + set_progress_str 7 'Installing salt-master' + if [[ ! 
$is_iso ]]; then + logCmd "yum -y install salt-master-3004" + fi + logCmd "systemctl enable salt-master" + ;; + *) + ;; + esac + fi if [[ ! $is_airgap ]]; then logCmd "yum clean expire-cache" fi set_progress_str 8 'Installing salt-minion & python modules' - if [[ ! $is_iso ]]; then + if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi diff --git a/setup/so-setup b/setup/so-setup index ba9125f31..8d146d00f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -461,7 +461,12 @@ detect_cloud short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') -MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +if [[ $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') +fi +if [[ ! $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +fi export MINION_ID echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 From 179aa5e29caeb47f95b164600aceec28ce37d0c3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 10:49:38 -0400 Subject: [PATCH 18/37] Add firewall rules for Analyst workstation --- setup/so-functions | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 6ad0510a5..5badeb08a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
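Review bot: `if [[ ! is_analyst ]]; then` is missing the `$`: `[[ ! is_analyst ]]` negates a non-empty literal string and is therefore always false, so the whole manager `case "$install_type"` block — `reserve_group_ids`, the GPG key downloads and the salt-master install/enable — is now skipped for every install type, not just analyst workstations, and nothing later in this series restores it. It should read `if [[ ! $is_analyst ]]; then`. The same class of typo (`$ is_analyst`) was fixed in patch 19 for set_initial_firewall_policy; ShellCheck flags both as constant expressions. saltify continues past the end of this hunk.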
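Review bot: The two complementary `if [[ $is_analyst ]]` / `if [[ ! $is_analyst ]]` blocks around `MINION_ID` are an if/else written as two statements, so a reader has to verify that the conditions are exact negations. Write it as `if [[ $is_analyst ]]; then MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]'); else MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]'); fi` (split over lines as the file does), which also guarantees `MINION_ID` is set on exactly one path.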
@@ -2722,6 +2722,13 @@ set_initial_firewall_policy() { # TODO: implement ;; esac + + # Add some firewall rules for analyst workstations that get added to the grid + if [[ $ is_analyst ]]; then + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" + fi + } # Set up the management interface on the ISO From ad833965a0d1bfa7e63e030c999ea2c4ebc9a5ac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 11:12:10 -0400 Subject: [PATCH 19/37] Fix extra space --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5badeb08a..78b860a87 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2724,7 +2724,7 @@ set_initial_firewall_policy() { esac # Add some firewall rules for analyst workstations that get added to the grid - if [[ $ is_analyst ]]; then + if [[ $is_analyst ]]; then $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" fi From c9eb188a799920555910e88c4788188895814004 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 12:01:55 -0400 Subject: [PATCH 20/37] Only run specific states during install for AW --- setup/so-setup | 47 ++++++++++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 8d146d00f..8bc2c687a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
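Review bot: The two `$sshcmd … sudo … so-firewall includehost … "$MAINIP"` lines run on the manager, where ssh hands the remote shell one string that is re-parsed, so the local double quotes around `$MAINIP` do not survive and the value is only safe as long as it is a bare IP. `MAINIP` is produced by `set_main_ip` after the analyst network setup, which on the static path is built from `collect_int_ip_mask` user input, so it is worth validating it with whatever IPv4 check that prompt applies before it is spliced into a remote sudo command line. The rules also add the workstation to both the `minion` and `analyst` host groups; if the workstation does not need everything `minion` opens, a short comment on why both are required would help a later least-privilege review. set_initial_firewall_policy begins before this hunk.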
@@ -765,17 +765,22 @@ echo "1" > /root/accept_changes set_progress_str 5 'Installing Salt and dependencies' saltify 2>> $setup_log + + if [[ ! $is_analyst ]]; then + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 + fi - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 - set_progress_str 7 'Generating patch pillar' patch_pillar >> $setup_log 2>&1 set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - check_sos_appliance >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi + update_sudoers_for_testing >> $setup_log 2>&1 if [[ $is_manager || $is_helix || $is_import ]]; then @@ -853,8 +858,10 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' 
@@ -881,18 +888,22 @@ echo "1" > /root/accept_changes echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 + fi + if [[ $is_centos ]]; then set_progress_str 61 'Installing Yum utilities' salt-call state.apply -l info yum.packages >> $setup_log 2>&1 fi - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 62 "$(print_salt_state_apply 'common')" + salt-call state.apply -l info common >> $setup_log 2>&1 + fi - if [[ ! $is_helix && ! $is_receiver && ! $is_idh ]]; then + if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then set_progress_str 62 "$(print_salt_state_apply 'nginx')" salt-call state.apply -l info nginx >> $setup_log 2>&1 fi @@ -1035,11 +1046,13 @@ echo "1" > /root/accept_changes salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - + if [[ ! $is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 + fi + if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' add_web_user >> $setup_log 2>&1 From 5264526ff1b11f9adfc33429aaed1b702ce7779c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 12:05:59 -0400 Subject: [PATCH 21/37] Fix salt master declaration --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 78b860a87..e03962f47 100755 
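Review bot: For analyst installs the new guards skip the `firewall` state in the hunk at 881 and `so-ssh-harden` together with `network_setup` in the hunk at 1035, so a workstation that has just been joined to the grid finishes setup with neither the Salt-managed host firewall nor the hardened sshd configuration that every other node receives. If that is deliberate because the workstation is not treated as a grid node, a comment above the first guard should say so, e.g. `# analyst workstations are not grid nodes: no firewall/common states, no ssh hardening`; if not, the two security-relevant steps deserve their own guard rather than sharing one with the NIC housekeeping. The enclosing post-install block begins and ends outside these hunks.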
--- a/setup/so-functions +++ b/setup/so-functions @@ -799,7 +799,7 @@ configure_minion() { case "$minion_type" in 'workstation') - echo "master: '$HOSTNAME'" >> "$minion_config" + echo "master: '$MSRV'" >> "$minion_config" ;; 'helix') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf From 63eb15aa6dc9ab3001e9f4dfd5280041c84c6dea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 13:35:30 -0400 Subject: [PATCH 22/37] Run anayst Pillar --- setup/so-setup | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 8bc2c687a..0e3749bce 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -717,8 +717,12 @@ echo "1" > /root/accept_changes if [[ $is_manager && ! $is_eval ]]; then add_soremote_user_manager >> $setup_log 2>&1 fi - - host_pillar >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + host_pillar >> $setup_log 2>&1 + fi + if [[ $is_analyst ]]; then + analyst_workstation_pillar + fi ntp_pillar >> $setup_log 2>&1 From edc6a461ec721e69b9292cc9e4243506b99d38c6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 13:57:37 -0400 Subject: [PATCH 23/37] Fix analyst pillar --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index e03962f47..d00eb7962 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -154,7 +154,7 @@ analyst_workstation_pillar() { " splay: 300"\ "workstation:"\ " gui:"\ - " enabled: true" >> "$pillar_file" + " enabled: true" >> "$pillar_file"\ "sensoroni:"\ " node_description: '${NODE_DESCRIPTION//\'/''}'" } From 64e480714af43467e400dc8031d7b47884f72ac1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 09:10:38 -0400 Subject: [PATCH 24/37] Fix the analyst pillar --- setup/so-functions | 4 ++-- setup/so-setup | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
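Review bot: In the so-setup hunk at 717, `analyst_workstation_pillar` is the only call in this block without `>> $setup_log 2>&1`, so anything it prints, and any error from writing the pillar file, bypasses the setup log; the neighbouring `host_pillar` line shows the expected form, `analyst_workstation_pillar >> $setup_log 2>&1`. The two added `if` blocks are mutually exclusive and read more clearly as one `if [[ $is_analyst ]]; then … else … fi`. The enclosing block begins and ends outside the hunk.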
diff --git a/setup/so-functions b/setup/so-functions index d00eb7962..f0adf595a 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -145,7 +145,7 @@ analyst_workstation_pillar() { # Create the analyst workstation pillar printf '%s\n'\ "host:"\ - " mainint: '$INTERFACE'"\ + " mainint: '$MNIC'"\ "patch:"\ " os:"\ " source: $source"\ @@ -156,7 +156,7 @@ analyst_workstation_pillar() { " gui:"\ " enabled: true" >> "$pillar_file"\ "sensoroni:"\ - " node_description: '${NODE_DESCRIPTION//\'/''}'" + " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file } calculate_useable_cores() { diff --git a/setup/so-setup b/setup/so-setup index 0e3749bce..8365eff79 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -687,7 +687,7 @@ echo "1" > /root/accept_changes [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - reserve_ports + if [[ ! $is_analyst ]]; then reserve_ports fi set_path From cb2044cee9aaad8823b8b8d4273b74696208ee15 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 09:29:29 -0400 Subject: [PATCH 25/37] Fix the analyst pillar --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 8365eff79..c233c3069 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -687,7 +687,9 @@ echo "1" > /root/accept_changes [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - if [[ ! $is_analyst ]]; then reserve_ports fi + if [[ ! $is_analyst ]]; then + reserve_ports + fi set_path From d524f3833b43e89dbaf4932086fad5f3e62127f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 10:09:55 -0400 Subject: [PATCH 26/37] Let the patch pillar do its work --- setup/so-functions | 6 ------ 1 file changed, 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f0adf595a..45a6fe0ab 100755 --- a/setup/so-functions +++ b/setup/so-functions 
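Review bot: After the second so-functions hunk (at 156) the analyst pillar `printf` carries two stdout redirections: `>> "$pillar_file"` in the middle of the argument list, carried over from the original definition, and the new `> $pillar_file` at the end. Bash applies them left to right, so the truncating one wins and the append is dead text that suggests the file is appended to; keep a single quoted redirection on the last argument, `" node_description: '${NODE_DESCRIPTION//\'/''}'" > "$pillar_file"`, and drop `>> "$pillar_file"` from the `enabled: true` line. The re-indent in patch 37 (so-functions hunk at 144) keeps the same shape. `pillar_file` is assigned at the top of the function, outside the hunk.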
@@ -146,12 +146,6 @@ analyst_workstation_pillar() { printf '%s\n'\ "host:"\ " mainint: '$MNIC'"\ - "patch:"\ - " os:"\ - " source: $source"\ - " enabled: true"\ - " schedule_name: '$PATCHSCHEDULENAME'"\ - " splay: 300"\ "workstation:"\ " gui:"\ " enabled: true" >> "$pillar_file"\ From 2782c9b464f1daece99debc634019c89843d9bfc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 11:26:58 -0400 Subject: [PATCH 27/37] Update salt versions --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 18 +++++++++--------- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8d5e85e15..a07f22865 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004 + version: 3004.1 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index ef7bfe37c..68e044db8 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004 + version: 3004.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. diff --git a/setup/so-functions b/setup/so-functions index 45a6fe0ab..9cb191912 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2266,13 +2266,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; @@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" 
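Review bot: The Salt release is now spelled out as the literal `3004.1` in roughly ten places across saltify (the two hunks here at 2266 and 2285, and those at 2324, 2333, 2346 and 2357 on the following lines) as well as in both defaults YAML files, and the yum package spec is then flipped back and forth by patches 28 and 29. A single `local -r salt_version=3004.1` near the top of saltify, interpolated into the repo URLs and the yum/apt package specs, would make the next bump a one-line change and keep the CentOS and Ubuntu branches in step; the YAML files' own comment already asks for the Dockerfile and saltify to be updated together. saltify begins and ends outside these hunks.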
@@ -2324,8 +2324,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2333,7 +2333,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
@@ -2346,7 +2346,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2357,14 +2357,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 97fc652a97de8bcede7827a448266e68da0fdb09 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 1 Apr 2022 11:54:55 -0400 Subject: [PATCH 28/37] fix the yum commands --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9cb191912..f05b4c756 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2272,7 +2272,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.1" + logCmd "yum -y install salt-master-3004" fi logCmd "systemctl enable salt-master" ;; @@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" From 8e9386fcd4548b6c85ae2c551034d83c01673938 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 13:17:13 -0400 Subject: [PATCH 29/37] fix the yum commands --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f05b4c756..9cb191912 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2272,7 +2272,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; 
@@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" From 7c39559787e5d9a70a2caebd7856b3d237307362 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 14:19:17 -0400 Subject: [PATCH 30/37] fix so salt master gets installed --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index c233c3069..47977a90b 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -71,7 +71,7 @@ while [[ $# -gt 0 ]]; do done detect_os - +is_analyst=false if [ "$setup_type" = 'analyst' ]; then is_analyst=true # Check to see if this is an ISO From 76f43380d9ddc948a9ed96b2430f58848f530904 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 14:29:24 -0400 Subject: [PATCH 31/37] fix so salt master gets installed --- setup/so-functions | 2 +- setup/so-setup | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9cb191912..5224a5b90 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2256,7 +2256,7 @@ saltify() { logCmd "yum -y install wget nmap-ncat" fi - if [[ ! is_analyst ]]; then + if [[ ! $is_analyst ]]; then case "$install_type" in 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') reserve_group_ids diff --git a/setup/so-setup b/setup/so-setup index 47977a90b..af822c64c 100755 --- a/setup/so-setup 
+++ b/setup/so-setup @@ -71,7 +71,7 @@ while [[ $# -gt 0 ]]; do done detect_os -is_analyst=false +is_analyst= if [ "$setup_type" = 'analyst' ]; then is_analyst=true # Check to see if this is an ISO From a449a91f38b1aaf913ad499dde93980d40a031ce Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 15:52:38 -0400 Subject: [PATCH 32/37] fix formatting --- setup/so-setup | 42 +++++++++++++++++++++--------------------- setup/so-whiptail | 1 - 2 files changed, 21 insertions(+), 22 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index af822c64c..9aaba8052 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -234,36 +234,36 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi - if [[ $is_analyst ]]; then - collect_hostname - if [[ $is_analyst_iso ]]; then - # Prompt Network Setup - whiptail_management_nic - whiptail_dhcp_or_static + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static - if [ "$address_type" != 'DHCP' ]; then - collect_int_ip_mask - collect_gateway - collect_dns - collect_dns_domain - fi + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi - fi - if [[ ! $is_analyst_iso ]]; then + fi + if [[ ! $is_analyst_iso ]]; then # This should be a network install - whiptail_network_notice - whiptail_dhcp_warn - whiptail_management_nic - fi + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi whiptail_network_init_notice network_init printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - fi + fi if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso diff --git a/setup/so-whiptail b/setup/so-whiptail index f028af323..5d98a5199 100755 
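Review bot: `is_analyst=` in the so-setup hunk at 71 is correct but carries no explanation, and the preceding commit shows how easily it goes wrong: every guard in so-setup and so-functions is a non-emptiness test (`[[ $is_analyst ]]` / `[[ ! $is_analyst ]]`), so assigning `false`, as patch 30 did, sends every non-analyst install down the analyst path. A comment on the assignment would record the convention, e.g. `# empty means "not an analyst install"; guards test [[ $is_analyst ]], so never assign 'false'`, which is the same convention `is_iso` and `is_analyst_iso` rely on.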
--- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -45,7 +45,6 @@ whiptail_analyst_install() { NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM - echo "whiptail" whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 --defaultno From d20a07bb5f810e80d5fda62e0607c4ad948b90bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:00:44 -0400 Subject: [PATCH 33/37] fix formatting --- setup/so-setup | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 9aaba8052..22840831e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -720,8 +720,8 @@ echo "1" > /root/accept_changes add_soremote_user_manager >> $setup_log 2>&1 fi if [[ ! $is_analyst ]]; then - host_pillar >> $setup_log 2>&1 - fi + host_pillar >> $setup_log 2>&1 + fi if [[ $is_analyst ]]; then analyst_workstation_pillar fi @@ -783,8 +783,8 @@ echo "1" > /root/accept_changes set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ ! $is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 fi update_sudoers_for_testing >> $setup_log 2>&1 @@ -864,9 +864,9 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 fi if [[ $is_manager || $is_helix || $is_import ]]; then 
@@ -894,9 +894,9 @@ echo "1" > /root/accept_changes echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 fi if [[ $is_centos ]]; then @@ -1052,11 +1052,11 @@ echo "1" > /root/accept_changes salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 fi if [[ $is_manager || $is_import ]]; then From 277c7d9d33ceb6a544574ebea585a1a336e9a930 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:05:37 -0400 Subject: [PATCH 34/37] fix formatting --- setup/so-setup | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 22840831e..375682a08 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -97,11 +97,11 @@ if [[ $is_analyst ]]; then if [[ ! $is_centos ]]; then echo "Analyst Workstation is only supported on CentOS 7" exit 1 - fi + fi if ! whiptail_analyst_install; then # Lets make this a standalone - echo "Enabling X Windows and setting it to load at boot" + echo "Enabling graphical interface and setting it to load at boot" systemctl set-default graphical.target startx exit 0 
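Review bot: In the so-setup hunk at 97 the standalone path calls `startx` directly from the installer, which is presumably running as root, so the first desktop is an X session owned by root rather than one started by a display manager for an unprivileged analyst account; if the intent is only to bring the desktop up now that `graphical.target` is the default, `systemctl isolate graphical.target` does that without a root-owned session. The reworded message also no longer matches the whiptail prompt, which still says "enable X Windows" (so-whiptail hunk at 41 in patch 36). The enclosing `if [[ $is_analyst ]]` block continues outside the hunk.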
@@ -722,9 +722,9 @@ echo "1" > /root/accept_changes if [[ ! $is_analyst ]]; then host_pillar >> $setup_log 2>&1 fi - if [[ $is_analyst ]]; then - analyst_workstation_pillar - fi + if [[ $is_analyst ]]; then + analyst_workstation_pillar + fi ntp_pillar >> $setup_log 2>&1 From 5974279ed7fa4e8af4141e6973ff900b1e65a39b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:17:22 -0400 Subject: [PATCH 35/37] fix formatting --- setup/so-setup | 138 ++++++++++++++++++++++++------------------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 375682a08..58671a729 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -74,15 +74,15 @@ detect_os is_analyst= if [ "$setup_type" = 'analyst' ]; then is_analyst=true - # Check to see if this is an ISO - if [ -d /root/SecurityOnion ]; then - is_analyst_iso=true - fi + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi if [[ "$setup_type" == 'iso' ]]; then if [[ $is_centos ]]; then - is_iso=true + is_iso=true else echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." exit 1 @@ -93,17 +93,17 @@ fi if [[ $is_analyst ]]; then - # Make sure it's CentOS - if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7" - exit 1 - fi + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi - if ! whiptail_analyst_install; then - # Lets make this a standalone + if ! whiptail_analyst_install; then + # Lets make this a standalone echo "Enabling graphical interface and setting it to load at boot" systemctl set-default graphical.target - startx + startx exit 0 fi 
@@ -234,37 +234,37 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi - if [[ $is_analyst ]]; then - collect_hostname - if [[ $is_analyst_iso ]]; then - # Prompt Network Setup - whiptail_management_nic - whiptail_dhcp_or_static - - if [ "$address_type" != 'DHCP' ]; then - collect_int_ip_mask - collect_gateway - collect_dns - collect_dns_domain - fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi - fi - if [[ ! $is_analyst_iso ]]; then - # This should be a network install - whiptail_network_notice - whiptail_dhcp_warn - whiptail_management_nic - fi + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi whiptail_network_init_notice network_init printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - fi - + fi + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then @@ -283,7 +283,7 @@ if ! [[ -f $install_opt_file ]]; then fi fi if [[ ! $is_analyst ]]; then - whiptail_install_type + whiptail_install_type fi else source $install_opt_file 
@@ -462,10 +462,10 @@ detect_cloud short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') if [[ $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') fi if [[ ! $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') fi export MINION_ID @@ -749,10 +749,10 @@ echo "1" > /root/accept_changes info "Disabling fastestmirror" [[ $is_centos ]] && disable_fastestmirror if [[ ! $is_airgap ]]; then - securityonion_repo >> $setup_log 2>&1 - update_packages >> $setup_log 2>&1 + securityonion_repo >> $setup_log 2>&1 + update_packages >> $setup_log 2>&1 else - airgap_repo >> $setup_log 2>&1 + airgap_repo >> $setup_log 2>&1 fi if [[ $is_sensor || $is_helix || $is_import ]]; then @@ -773,8 +773,8 @@ echo "1" > /root/accept_changes saltify 2>> $setup_log if [[ ! $is_analyst ]]; then - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 fi set_progress_str 7 'Generating patch pillar' @@ -783,9 +783,9 @@ echo "1" > /root/accept_changes set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ ! $is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi update_sudoers_for_testing >> $setup_log 2>&1 
@@ -864,10 +864,10 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' @@ -894,20 +894,20 @@ echo "1" > /root/accept_changes echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - fi - + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 + fi + if [[ $is_centos ]]; then set_progress_str 61 'Installing Yum utilities' salt-call state.apply -l info yum.packages >> $setup_log 2>&1 fi if [[ ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 - fi + set_progress_str 62 "$(print_salt_state_apply 'common')" + salt-call state.apply -l info common >> $setup_log 2>&1 + fi if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then set_progress_str 62 "$(print_salt_state_apply 'nginx')" @@ -1052,12 +1052,12 @@ echo "1" > /root/accept_changes salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 + fi if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' 
@@ -1111,9 +1111,9 @@ else fi if [[ -n $ENDGAMEHOST ]]; then - set_progress_str 99 'Configuring firewall for Endgame SMP' - so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 - fi + set_progress_str 99 'Configuring firewall for Endgame SMP' + so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 + fi } | whiptail_gauge_post_setup "Running post-installation steps..." From 07783713e6a786cc726f1b591f8747ea15f89c5f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:22:40 -0400 Subject: [PATCH 36/37] fix formatting --- setup/so-whiptail | 83 +++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 43 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5d98a5199..1ae07c443 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -41,7 +41,7 @@ whiptail_analyst_install() { Welcome to the Security Onion Analyst Workstation install! - You can choose to join this workstation to an existing grid? + Would you like to join this workstation to an existing grid? NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM @@ -451,9 +451,9 @@ whiptail_end_settings() { if [[ $is_idh ]]; then __append_end_msg "IDH Services Enabled:" - for service in ${idh_services[@]}; do + for service in ${idh_services[@]}; do __append_end_msg "- $service" - done + done fi 
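Review bot: The reworded question in the so-whiptail hunk at 41 leaves the NOTE line saying "enable X Windows", while the so-setup message shown right after a "no" answer was changed in patch 34 to "Enabling graphical interface"; the two strings the user sees back to back should use one term, e.g. `NOTE: Selecting "no" will enable the graphical interface and set it to load at boot.` The heredoc starts outside the hunk.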
@@ -1562,40 +1562,37 @@ whiptail_patch_schedule_select_hours() { [ -n "$TESTING" ] && return - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" ON \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" OFF \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" + # Select the hours to patch + PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ + "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ + 00:00 "" OFF \ + 01:00 "" OFF \ + 02:00 "" ON \ + 03:00 "" OFF \ + 04:00 "" OFF \ + 05:00 "" OFF \ + 06:00 "" OFF \ + 07:00 "" OFF \ + 08:00 "" OFF \ + 09:00 "" OFF \ + 10:00 "" OFF \ + 11:00 "" OFF \ + 12:00 "" OFF \ + 13:00 "" OFF \ + 14:00 "" OFF \ + 15:00 "" OFF \ + 16:00 "" OFF \ + 17:00 "" OFF \ + 18:00 "" OFF \ + 19:00 "" OFF \ + 20:00 "" OFF \ + 21:00 "" OFF \ + 22:00 "" OFF \ + 23:00 "" OFF 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') + IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" } 
@@ -1940,10 +1937,10 @@ whiptail_suricata_pins() { done if [[ $is_node && $is_sensor && ! $is_eval ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + local PROCS=$(expr $lb_procs / 2) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else - local PROCS=$lb_procs + local PROCS=$lb_procs fi SURIPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Suricata to:" 20 75 12 "${filtered_core_str[@]}" 3>&1 1>&2 2>&3 ) @@ -2023,10 +2020,10 @@ whiptail_zeek_pins() { done if [[ $is_smooshed ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + local PROCS=$(expr $lb_procs / 2) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else - local PROCS=$lb_procs + local PROCS=$lb_procs fi ZEEKPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) From 5387caf6f4c6946494074be1de43e9f9b3692232 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:50:55 -0400 Subject: [PATCH 37/37] fix formatting --- setup/so-functions | 212 ++++++++++++++++++++++----------------------- 1 file changed, 106 insertions(+), 106 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5224a5b90..351b9a30b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -49,14 +49,14 @@ airgap_repo() {
 rm -rf /etc/yum.repos.d/*
 echo "[airgap_repo]" > /etc/yum.repos.d/airgap_repo.repo
 if $is_manager; then
- echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo
 else
- echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo
 fi
- echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo
- echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo
- echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo
- echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo
+ echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo
 }
 airgap_rules() {
@@ -144,11 +144,11 @@ analyst_workstation_pillar() {
 # Create the analyst workstation pillar
 printf '%s\n'\
- "host:"\
- " mainint: '$MNIC'"\
- "workstation:"\
+ "host:"\
+ " mainint: '$MNIC'"\
+ "workstation:"\
 " gui:"\
- " enabled: true" >> "$pillar_file"\
+ " enabled: true" >> "$pillar_file"\
 "sensoroni:"\
 " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file
 }
@@ -782,7 +782,7 @@ collect_zeek() {
 configure_minion() {
 local minion_type=$1
 if [[ $is_analyst ]]; then
- minion_type=workstation
+ minion_type=workstation
 fi
 echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1
 echo "role: so-$minion_type" > /etc/salt/grains
@@ -792,9 +792,9 @@ configure_minion() {
 echo "id: '$MINION_ID'" > "$minion_config"
 case "$minion_type" in
- 'workstation')
- echo "master: '$MSRV'" >> "$minion_config"
- ;;
+ 'workstation')
+ echo "master: '$MSRV'" >> "$minion_config"
+ ;;
 'helix')
 cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf
 echo "master: '$HOSTNAME'" >> "$minion_config"
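Review bot: In the analyst_workstation_pillar hunk the line `"    enabled: true" >> "$pillar_file"\` ends in a line continuation, so `"sensoroni:"`, the `node_description` argument and the trailing `> $pillar_file` are all part of the same printf command; bash applies both redirections and the last one wins, which means the `>>` is dead, the file is truncated, and anything written to the minion pillar before this function runs is silently discarded. The commit only re-indents this, but it is the place to make the intent explicit: drop the mid-command redirection and put a single, quoted one at the end, `"    enabled: true"\` / `"sensoroni:"\` / `"  node_description: '${NODE_DESCRIPTION//\'/''}'" > "$pillar_file"` — or `>> "$pillar_file"` if earlier steps are expected to have already populated the file, which I cannot tell from this hunk. The unquoted `$pillar_file` on the last line should be quoted either way, since `$MINION_ID` comes from user input and feeds the path.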
@@ -1251,15 +1251,15 @@ docker_install() {
 ;;
 esac
 if [ $OSVER == "bionic" ]; then
- service docker stop
+ service docker stop
 apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras
 retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1
- apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
+ apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
 elif [ $OSVER == "focal" ]; then
- service docker stop
+ service docker stop
 apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras
 retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1
- apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
+ apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras
 fi
 fi
 docker_registry
@@ -1390,9 +1390,9 @@ es_heapsize() {
 # Set heap size to 33% of available memory
 ES_HEAP_SIZE=$(( total_mem / 3 ))
 if [ "$ES_HEAP_SIZE" -ge 25001 ] ; then
- ES_HEAP_SIZE="25000m"
+ ES_HEAP_SIZE="25000m"
 else
- ES_HEAP_SIZE=$ES_HEAP_SIZE"m"
+ ES_HEAP_SIZE=$ES_HEAP_SIZE"m"
 fi
 fi
 export ES_HEAP_SIZE
@@ -1750,7 +1750,7 @@ manager_global() {
 " managerip: '$MAINIP'" > "$global_pillar"
 if [[ $HIGHLANDER == 'True' ]]; then
- printf '%s\n'\
+ printf '%s\n'\
 " highlander: True"\
 >> "$global_pillar"
 fi
 if [[ $is_airgap ]]; then
@@ -1780,14 +1780,14 @@ manager_global() {
 " enabled: $STRELKA"\
 " rules: 1" >> "$global_pillar"
 if [[ $is_airgap ]]; then
- printf '%s\n'\
- " repos:"\
- " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar"
- else
- printf '%s\n'\
- " repos:"\
- " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar"
- fi
+ printf '%s\n'\
+ " repos:"\
+ " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar"
+ else
+ printf '%s\n'\
+ " repos:"\
+ " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar"
+ fi
 printf '%s\n'\
 "curator:"\
@@ -1816,101 +1816,101 @@ manager_global() {
 " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\
 " index_settings:"\
 " so-beats:"\
- " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " index_template:"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-endgame:"\
- " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " index_template:"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-firewall:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-flow:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-ids:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-import:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 73000"\
 " delete: 73001"\
 " so-osquery:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-ossec:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-strelka:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-syslog:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 30"\
 " delete: 365"\
 " so-zeek:"\
 " index_template:"\
- " template:"\
- " settings:"\
- " index:"\
- " number_of_shards: 1"\
+ " template:"\
+ " settings:"\
+ " index:"\
+ " number_of_shards: 1"\
 " warm: 7"\
 " close: 45"\
 " delete: 365"\
@@ -2257,28 +2257,28 @@ saltify() {
 fi
 if [[ ! $is_analyst ]]; then
- case "$install_type" in
- 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
- reserve_group_ids
- if [[ ! $is_iso ]]; then
- logCmd "yum -y install sqlite curl mariadb-devel"
- fi
- # Download Ubuntu Keys in case manager updates = 1
- logCmd "mkdir -vp /opt/so/gpg"
- if [[ ! $is_airgap ]]; then
- logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub"
- logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
- logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
- fi
- set_progress_str 7 'Installing salt-master'
- if [[ ! $is_iso ]]; then
- logCmd "yum -y install salt-master-3004.1"
- fi
- logCmd "systemctl enable salt-master"
- ;;
- *)
- ;;
- esac
+ case "$install_type" in
+ 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
+ reserve_group_ids
+ if [[ ! $is_iso ]]; then
+ logCmd "yum -y install sqlite curl mariadb-devel"
+ fi
+ # Download Ubuntu Keys in case manager updates = 1
+ logCmd "mkdir -vp /opt/so/gpg"
+ if [[ ! $is_airgap ]]; then
+ logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub"
+ logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
+ logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
+ fi
+ set_progress_str 7 'Installing salt-master'
+ if [[ ! $is_iso ]]; then
+ logCmd "yum -y install salt-master-3004.1"
+ fi
+ logCmd "systemctl enable salt-master"
+ ;;
+ *)
+ ;;
+ esac
 fi
 if [[ ! $is_airgap ]]; then
 logCmd "yum clean expire-cache"
@@ -2659,8 +2659,8 @@ set_initial_firewall_policy() {
 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
+ $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
 case "$install_type" in
 'EVAL')
 $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" True
@@ -2676,7 +2676,7 @@ set_initial_firewall_policy() {
 'HELIXSENSOR')
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
 $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
- $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
+ $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
 ;;
 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
@@ -2719,9 +2719,9 @@ set_initial_firewall_policy() {
 # Add some firewall rules for analyst workstations that get added to the grid
 if [[ $is_analyst ]]; then
- $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
- $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP"
- fi
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP"
+ fi
 }
@@ -2842,8 +2842,8 @@ update_sudoers() {
 update_packages() {
 if [[ $is_centos ]]; then
- logCmd "yum repolist"
- logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
+ logCmd "yum repolist"
+ logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*"
 else
 retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1
 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
@@ -2903,7 +2903,7 @@ write_out_idh_services() {
 " services:" >> "$pillar_file"
 for service in ${idh_services[@]}; do
 echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file"
- done
+ done
 }
 # Enable Zeek Logs