From 59ae5f63cf58baa83381e8e69c72caf461b63c2c Mon Sep 17 00:00:00 2001 From: Masaya-A <68965261+Masaya-A@users.noreply.github.com> Date: Thu, 17 Dec 2020 22:14:03 +0900 Subject: [PATCH 01/56] Make yum removing unneeded packages Reference: https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2020-09-03/finding/V-204452 --- salt/yum/etc/yum.conf.jinja | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/yum/etc/yum.conf.jinja b/salt/yum/etc/yum.conf.jinja index bef9c2128..5e1d30510 100644 --- a/salt/yum/etc/yum.conf.jinja +++ b/salt/yum/etc/yum.conf.jinja @@ -10,6 +10,7 @@ plugins=1 installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release +clean_requirements_on_remove=1 {% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') %} proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 From ea5e25c4a5d9bbc7671a729329d6f4b6418fb49f Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 29 Dec 2020 10:34:27 -0500 Subject: [PATCH 02/56] Monitor interface will not always be bond0 - pull correct value from pillar; Replay test data after automated test installations complete. --- salt/common/tools/sbin/so-tcpreplay | 6 +++--- setup/so-setup | 2 ++ 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 4cd473c0c..a5c75c267 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay 
@@ -20,9 +20,11 @@ . /usr/sbin/so-common . /usr/sbin/so-image-common -REPLAYIFACE=${REPLAYIFACE:-bond0} +REPLAYIFACE=${REPLAYIFACE:-$(lookup_pillar interface sensor)} REPLAYSPEED=${REPLAYSPEED:-10} +mkdir -p /opt/so/samples + if [[ $# -lt 1 ]]; then echo "Replays one or more PCAP sample files to the Security Onion monitoring interface." echo @@ -48,8 +50,6 @@ if ! docker ps | grep -q so-tcpreplay; then TRUSTED_CONTAINERS=("so-tcpreplay") update_docker_containers "tcpreplay" so-tcpreplay-start || fail "Unable to initialize tcpreplay" - mkdir -p /opt/so/samples - docker cp so-tcpreplay:/opt/samples/* /opt/so/samples fi echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." diff --git a/setup/so-setup b/setup/so-setup index 8300fe6ae..fc5996c04 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -842,6 +842,8 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { + [ -n "$TESTING" ] && so-test + export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" From 74dd2187fb13b79975e77a06e6e91077d6ba61db Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 29 Dec 2020 11:16:57 -0500 Subject: [PATCH 03/56] Use AMI's public IP for external access --- setup/automation/aws_standalone_defaults | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/automation/aws_standalone_defaults b/setup/automation/aws_standalone_defaults index db199986b..6c00cc789 100644 --- a/setup/automation/aws_standalone_defaults +++ b/setup/automation/aws_standalone_defaults @@ -62,7 +62,7 @@ OSQUERY=1 # PATCHSCHEDULEHOURS= PATCHSCHEDULENAME=auto PLAYBOOK=1 -REDIRECTHOST=securityonion +REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) REDIRECTINFO=OTHER RULESETUP=ETOPEN # SHARDCOUNT= 
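Review bot: The new default `REPLAYIFACE=${REPLAYIFACE:-$(lookup_pillar interface sensor)}` has no check that the lookup produced a value, so on a host where the pillar key is absent or `lookup_pillar` fails the script continues with an empty interface and tcpreplay is later invoked with a bare `-i`. A guard right after the assignment, `[[ -n $REPLAYIFACE ]] || fail "Unable to determine the monitor interface; set REPLAYIFACE"`, fails early with a clear message, and the script already has a `fail` helper (it is used for the so-tcpreplay-start call further down). Moving `mkdir -p /opt/so/samples` ahead of the container check looks fine on its own.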
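Review bot: `REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)` has no failure handling: curl runs without `-s`/`-f` or a timeout, so an unreachable or slow metadata service either stalls setup or leaves REDIRECTHOST empty while the install continues with a broken redirect target. At minimum use `REDIRECTHOST=$(curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/public-ipv4)` and have the caller reject an empty value. This is also the unauthenticated IMDSv1 request path; on instances configured to require IMDSv2 the GET returns 401, so fetching a session token first (PUT to `/latest/api/token` with `X-aws-ec2-metadata-token-ttl-seconds`, then sending `X-aws-ec2-metadata-token` on the GET) keeps the defaults file working under the hardened instance setting. Since this file is presumably sourced by so-setup, the substitution runs at source time and a failure here is silent unless the caller checks.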
From 989e2b8b780411b266c7ee1ad6a9ad141b7a823c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 29 Dec 2020 16:15:10 -0500 Subject: [PATCH 04/56] Add eval automation --- setup/automation/pm_eval_defaults | 77 +++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 setup/automation/pm_eval_defaults diff --git a/setup/automation/pm_eval_defaults b/setup/automation/pm_eval_defaults new file mode 100644 index 000000000..a2acf0457 --- /dev/null +++ b/setup/automation/pm_eval_defaults 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=eval +install_type=EVAL +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +SKIP_REBOOT=1 +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r From 827a571db8c754919f4363307d2cb5ad797d2697 Mon Sep 17 00:00:00 2001 
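Review bot: This file commits working credentials for the admin, soremote and web accounts (`ADMINPASS1=onionuser`, `SOREMOTEPASS1=onionuser`, `WEBPASSWD1=0n10nus3r`) together with `ALLOW_CIDR=0.0.0.0/0` and `ALLOW_ROLE=a`, which describe an install whose analyst-facing services are opened to any source address with publicly known passwords. If that is intentional for disposable test builds, the header should say so, e.g. `# TEST AUTOMATION ONLY: fixed, publicly known credentials and an open analyst firewall rule; never use for a reachable deployment.`, and the password lines could read from the environment with a fallback (`ADMINPASS1=${ADMINPASS1:-onionuser}`) so a CI secret can override them. The `#!/bin/bash` shebang suggests an executable, but the content (assignments only, plus `TESTING=true`) looks like a file that so-setup sources, so a comment stating that it is sourced rather than run would also help the next reader.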
From: Jason Ertel Date: Tue, 29 Dec 2020 17:25:53 -0500 Subject: [PATCH 05/56] Ensure so-test is logged --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index fc5996c04..752afb9a9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -842,7 +842,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [ -n "$TESTING" ] && so-test + [ -n "$TESTING" ] && logCmd so-setup export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From a49ddfb887c42def14e29128d2c8028ec6d84bac Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 29 Dec 2020 20:42:50 -0500 Subject: [PATCH 06/56] Reboot to ensure thehive falls in line before kicking off the test --- setup/automation/aws_eval_defaults | 2 +- setup/automation/aws_standalone_defaults | 2 +- setup/automation/pm_eval_defaults | 2 +- setup/automation/pm_standalone_defaults | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/automation/aws_eval_defaults b/setup/automation/aws_eval_defaults index e038bf29d..2c5a8a52d 100644 --- a/setup/automation/aws_eval_defaults +++ b/setup/automation/aws_eval_defaults @@ -66,7 +66,7 @@ PLAYBOOK=1 REDIRECTINFO=HOSTNAME RULESETUP=ETOPEN # SHARDCOUNT= -SKIP_REBOOT=0 +# SKIP_REBOOT=0 SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser STRELKA=1 diff --git a/setup/automation/aws_standalone_defaults b/setup/automation/aws_standalone_defaults index 6c00cc789..d32e1fad7 100644 --- a/setup/automation/aws_standalone_defaults +++ b/setup/automation/aws_standalone_defaults @@ -66,7 +66,7 @@ REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) REDIRECTINFO=OTHER RULESETUP=ETOPEN # SHARDCOUNT= -SKIP_REBOOT=0 +# SKIP_REBOOT= SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser STRELKA=1 
diff --git a/setup/automation/pm_eval_defaults b/setup/automation/pm_eval_defaults index a2acf0457..6e5560028 100644 --- a/setup/automation/pm_eval_defaults +++ b/setup/automation/pm_eval_defaults @@ -66,7 +66,7 @@ PLAYBOOK=1 REDIRECTINFO=IP RULESETUP=ETOPEN # SHARDCOUNT= -SKIP_REBOOT=1 +# SKIP_REBOOT= SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser STRELKA=1 diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/pm_standalone_defaults index d7bc1ea1f..0561a2883 100644 --- a/setup/automation/pm_standalone_defaults +++ b/setup/automation/pm_standalone_defaults @@ -66,7 +66,7 @@ PLAYBOOK=1 REDIRECTINFO=IP RULESETUP=ETOPEN # SHARDCOUNT= -SKIP_REBOOT=1 +# SKIP_REBOOT= SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser STRELKA=1 From 19d14cf277ca815d272b41232ef873b17c7c29b9 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 30 Dec 2020 10:31:04 -0500 Subject: [PATCH 07/56] Fix script typo to correctly run the so-test --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 752afb9a9..299727eca 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -842,7 +842,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [ -n "$TESTING" ] && logCmd so-setup + [ -n "$TESTING" ] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From 13f0ddabfc407b6f988bec2d293e529d8bc7454b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 30 Dec 2020 12:02:42 -0500 Subject: [PATCH 08/56] Use manager internal IP for intra-service comms --- salt/soctopus/files/SOCtopus.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/soctopus/files/SOCtopus.conf b/salt/soctopus/files/SOCtopus.conf index 29f31f95f..4f58ecf83 100644 --- a/salt/soctopus/files/SOCtopus.conf +++ b/salt/soctopus/files/SOCtopus.conf 
@@ -1,4 +1,4 @@ -{%- set MANAGER = salt['pillar.get']('global:url_base', '') %} +{%- set MANAGER = salt['pillar.get']('manager:mainip', '') %} {%- set URLBASE = salt['pillar.get']('global:url_base', '') %} {%- set HIVEKEY = salt['pillar.get']('global:hivekey', '') %} {%- set CORTEXKEY = salt['pillar.get']('global:cortexorguserkey', '') %} From df305c49a66b360ef5f6aa5a61f308b7f7870756 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 30 Dec 2020 16:33:46 -0500 Subject: [PATCH 09/56] Stop SOC prior to opening the firewall for analysts, this ensures no outside requests can be processed prior to the server rebooting --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index 299727eca..3ee0326c0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -845,6 +845,7 @@ else [ -n "$TESTING" ] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell + so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 From e167bfed20e706a9ca42589fc3fb38874c00aee3 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 30 Dec 2020 18:48:56 -0500 Subject: [PATCH 10/56] Redirect tcpreplay init output to file --- salt/common/tools/sbin/so-tcpreplay | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index a5c75c267..3f5c0aead 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay @@ -48,7 +48,8 @@ if ! docker ps | grep -q so-tcpreplay; then echo TRUSTED_CONTAINERS=("so-tcpreplay") - update_docker_containers "tcpreplay" + mkdir -p /opt/so/log/tcpreplay + update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" so-tcpreplay-start || fail "Unable to initialize tcpreplay" fi 
From 6b81419d3870f2755291146612745fbe02d97a98 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 30 Dec 2020 22:02:19 -0500 Subject: [PATCH 11/56] tcpreplay doesn't need an interactive terminal to run, remove 'it' --- salt/common/tools/sbin/so-tcpreplay | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index 3f5c0aead..fa992bdd8 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay @@ -54,6 +54,6 @@ if ! docker ps | grep -q so-tcpreplay; then fi echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." -docker exec -it so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" +docker exec so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" echo "Replay completed. Warnings shown above are typically expected." From 4b244645ba907cff7401b890b00a40ab263410ad Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 31 Dec 2020 10:52:59 -0500 Subject: [PATCH 12/56] so-fleet-setup doesn't need an interactive terminal to run, remove 'it' --- salt/common/tools/sbin/so-fleet-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-fleet-setup b/salt/common/tools/sbin/so-fleet-setup index 8de83b118..a3aa013a2 100755 --- a/salt/common/tools/sbin/so-fleet-setup +++ b/salt/common/tools/sbin/so-fleet-setup 
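Review bot: On the rewritten `docker exec` line the caller's arguments are interpolated into the string handed to `bash -c`, so `$@` is word-split and then re-parsed by the shell inside the container; a PCAP path containing spaces or shell metacharacters is split or interpreted rather than passed through as a filename. Since the command no longer needs a TTY, the wrapper shell can be dropped and the arguments passed as words: `docker exec so-tcpreplay /usr/local/bin/tcpreplay -i "${REPLAYIFACE}" -M"${REPLAYSPEED}" "$@"`. If the intermediate `bash -c` is needed for something not visible here (for example glob expansion inside the container), the arguments should at least be escaped with `printf '%q '` before being embedded.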
@@ -16,7 +16,7 @@ if [ ! "$(docker ps -q -f name=so-fleet)" ]; then fi docker exec so-fleet fleetctl config set --address https://127.0.0.1:8080 --tls-skip-verify --url-prefix /fleet -docker exec -it so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done' +docker exec so-fleet bash -c 'while [[ "$(curl -s -o /dev/null --insecure -w ''%{http_code}'' https://127.0.0.1:8080/fleet)" != "301" ]]; do sleep 5; done' docker exec so-fleet fleetctl setup --email $1 --password $2 docker exec so-fleet fleetctl apply -f /packs/palantir/Fleet/Endpoints/MacOS/osquery.yaml From 455da7ec5db9f1eb73852690f2ba2e42e4b28ce5 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 31 Dec 2020 15:09:22 -0500 Subject: [PATCH 13/56] Only stop SOC if is_manager or is_import --- ...{aws_forwardnode_defaults => distributed_forwardnode_ami} | 0 .../{aws_manager_defaults => distributed_manager_ami} | 0 .../{aws_searchnode_defaults => distributed_searchnode_ami} | 0 setup/automation/{aws_eval_defaults => eval_ami} | 0 setup/automation/{pm_eval_defaults => eval_iso} | 0 setup/automation/{aws_standalone_defaults => standalone_ami} | 0 setup/automation/{pm_standalone_defaults => standalone_iso} | 0 setup/so-setup | 5 ++++- 8 files changed, 4 insertions(+), 1 deletion(-) rename setup/automation/{aws_forwardnode_defaults => distributed_forwardnode_ami} (100%) rename setup/automation/{aws_manager_defaults => distributed_manager_ami} (100%) rename setup/automation/{aws_searchnode_defaults => distributed_searchnode_ami} (100%) rename setup/automation/{aws_eval_defaults => eval_ami} (100%) rename setup/automation/{pm_eval_defaults => eval_iso} (100%) rename setup/automation/{aws_standalone_defaults => standalone_ami} (100%) rename setup/automation/{pm_standalone_defaults => standalone_iso} (100%) 
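Review bot: The rewritten readiness loop `while [[ "$(curl ... )" != "301" ]]; do sleep 5; done` has no upper bound, so if Fleet never answers with 301 the setup hangs indefinitely, and with `-it` removed there is no attached terminal from which the hang is obvious. A bounded loop that counts attempts and exits non-zero with a message after a fixed number (say 60 tries, i.e. five minutes) makes the failure visible and lets the caller's error handling run. The enclosing script continues outside the hunk, so the surrounding `fleetctl` calls are not reviewed here.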
diff --git a/setup/automation/aws_forwardnode_defaults b/setup/automation/distributed_forwardnode_ami similarity index 100% rename from setup/automation/aws_forwardnode_defaults rename to setup/automation/distributed_forwardnode_ami diff --git a/setup/automation/aws_manager_defaults b/setup/automation/distributed_manager_ami similarity index 100% rename from setup/automation/aws_manager_defaults rename to setup/automation/distributed_manager_ami diff --git a/setup/automation/aws_searchnode_defaults b/setup/automation/distributed_searchnode_ami similarity index 100% rename from setup/automation/aws_searchnode_defaults rename to setup/automation/distributed_searchnode_ami diff --git a/setup/automation/aws_eval_defaults b/setup/automation/eval_ami similarity index 100% rename from setup/automation/aws_eval_defaults rename to setup/automation/eval_ami diff --git a/setup/automation/pm_eval_defaults b/setup/automation/eval_iso similarity index 100% rename from setup/automation/pm_eval_defaults rename to setup/automation/eval_iso diff --git a/setup/automation/aws_standalone_defaults b/setup/automation/standalone_ami similarity index 100% rename from setup/automation/aws_standalone_defaults rename to setup/automation/standalone_ami diff --git a/setup/automation/pm_standalone_defaults b/setup/automation/standalone_iso similarity index 100% rename from setup/automation/pm_standalone_defaults rename to setup/automation/standalone_iso diff --git a/setup/so-setup b/setup/so-setup index 3ee0326c0..435ccf502 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -845,8 +845,11 @@ else [ -n "$TESTING" ] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell - so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + if [[ $is_manager || $is_import ]]; then + set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" + so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot + fi set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi From a714d36b99b078a6a5f0891409af4e53a215540c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Sat, 2 Jan 2021 21:03:15 -0500 Subject: [PATCH 14/56] [fix] Remove condition for stopping SOC, since the parent condition covers what's tested --- setup/so-setup | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 435ccf502..808ee3825 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -846,10 +846,9 @@ else export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - if [[ $is_manager || $is_import ]]; then - set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" - so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot - fi + set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" + so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot + set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi From 535820bfa7a5caae1a77f7e37094a3b5ce7938a3 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 4 Jan 2021 10:18:32 -0500 Subject: [PATCH 15/56] Remove old Strelka cron job --- salt/manager/init.sls | 7 +++++++ 1 file changed, 7 insertions(+) 
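Review bot: `so-soc-stop` is the only command in this block whose output is not appended to the setup log, unlike `IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1` two lines below, so a failure to stop SOC is printed to the console or lost rather than recorded. Redirecting it the same way, `so-soc-stop >> $setup_log 2>&1 # Stop SOC so it doesn't accept external requests prior to the reboot`, keeps the post-install steps consistently logged. Because the stop now runs whenever ALLOW_ROLE and ALLOW_CIDR are set, it is worth confirming that `so-soc-stop` exists on every node type that can reach this branch; the enclosing `else` block starts and ends outside the hunk.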
diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 4136b276d..502c89579 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -88,6 +88,13 @@ append_so-aptcacherng_so-status.conf: {% endif %} +strelka_yara_update_old: + cron.absent: + - user: root + - name: '/usr/sbin/so-yara-update > /dev/null 2>&1' + - hour: '7' + - minute: '1' + strelka_yara_update: cron.present: - user: root From 7bfac1e8df318fa4e590cfa8855afa72305e1e27 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 4 Jan 2021 11:58:25 -0500 Subject: [PATCH 16/56] [fix] Don't prompt to only set up network and then skip if network was previously configured --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 3addaf208..bede7990d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -177,7 +177,7 @@ if ! [[ -f $install_opt_file ]]; then fi if [[ $setup_type == 'iso' ]]; then whiptail_first_menu_iso - if [[ $option == "Configure Network" ]] && ! [[ -f $net_init_file ]]; then + if [[ $option == "Configure Network" ]]; then network_init_whiptail whiptail_management_interface_setup network_init From f94e421f4ec9bb87723ea876876b28598c053461 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 4 Jan 2021 14:46:48 -0500 Subject: [PATCH 17/56] [fix] Fix automation compatibility --- setup/so-setup | 6 ++---- setup/so-whiptail | 7 +++++++ 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index bede7990d..8b8f99b01 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -175,7 +175,7 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi - if [[ $setup_type == 'iso' ]]; then + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "Configure Network" ]]; then network_init_whiptail 
@@ -184,9 +184,7 @@ if ! [[ -f $install_opt_file ]]; then printf '%s\n' \ "MNIC=$MNIC" \ "HOSTNAME=$HOSTNAME" > "$net_init_file" - whiptail --title "Security Onion Setup" \ - --msgbox "Successfully set up networking, setup will now exit." 7 75 - exit 0 + whiptail_net_setup_complete else whiptail_install_type fi diff --git a/setup/so-whiptail b/setup/so-whiptail index b034ab679..6af5b701f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -794,6 +794,13 @@ whiptail_management_interface_setup() { whiptail_check_exitstatus $exitstatus } +whiptail_net_setup_complete() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" \ + --msgbox "Successfully set up networking, setup will now exit." 7 75 + exit 0 +} whiptail_management_server() { From c1e245043ecdfcc2adb77c09e367debe13c35932 Mon Sep 17 00:00:00 2001 From: weslambert Date: Mon, 4 Jan 2021 16:29:32 -0500 Subject: [PATCH 18/56] Remove multiple old so-yara-update cron jobs, if needed --- salt/manager/init.sls | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 502c89579..597ca3c43 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -88,7 +88,14 @@ append_so-aptcacherng_so-status.conf: {% endif %} -strelka_yara_update_old: +strelka_yara_update_old_1: + cron.absent: + - user: root + - name: '[ -d /opt/so/saltstack/default/salt/strelka/rules/ ] && /usr/sbin/so-yara-update > /dev/null 2>&1' + - hour: '7' + - minute: '1' + +strelka_yara_update_old_2: cron.absent: - user: root - name: '/usr/sbin/so-yara-update > /dev/null 2>&1' From 294601ff64667d5617b2fd6edc0d7c63660ec5d7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 4 Jan 2021 16:40:08 -0500 Subject: [PATCH 19/56] [feat] Reorder network-only prompt --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 6af5b701f..f3e612f70 100755 --- a/setup/so-whiptail 
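Review bot: `whiptail_net_setup_complete` terminates the whole installer with `exit 0` unless TESTING is set, which a reader of the call site in so-setup (where it replaces an inline `exit 0`) cannot tell from the name. A header comment stating the contract would help, e.g. `# Shows the networking-complete message and exits setup; under TESTING it returns so automated runs continue past the network-only branch.` The `[ -n "$TESTING" ] && return` guard also means that in automation the network-only path falls through to whatever follows in so-setup, which appears intended but deserves a sentence in the commit message or comment.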
+++ b/setup/so-whiptail @@ -662,8 +662,8 @@ whiptail_first_menu_iso() { [ -n "$TESTING" ] && return option=$(whiptail --title "Security Onion Setup" --menu "Select an option" 10 75 2 \ - "Configure Network" "Configure networking only " \ "Security Onion Installer" "Run the standard Security Onion installation " \ + "Configure Network" "Configure networking only " \ 3>&1 1>&2 2>&3 ) local exitstatus=$? From 81c4d879ebbe09a811c4e757b733a5e4b3bd476f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Jan 2021 10:26:19 -0500 Subject: [PATCH 20/56] first round of testing for automated testing ssh/scp --- setup/so-functions | 108 ++++++++++++++++++++++++++++++++++----------- setup/so-setup | 25 +++++++---- 2 files changed, 99 insertions(+), 34 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d0e502941..fa52b4adb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -97,8 +97,6 @@ airgap_rules() { # Don't leave Strelka out cp -Rv /root/SecurityOnion/agrules/strelka /nsm/repo/rules/ - - } analyze_system() { @@ -112,17 +110,19 @@ analyze_system() { } accept_salt_key_remote() { + + local automated=$1 + local sshcmd=get_ssh_cmd $automated + systemctl restart salt-minion echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 # Delete the key just in case. - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y salt-call state.apply ca >> /dev/null 2>&1 - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y - + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y } - add_admin_user() { # Add an admin user with full sudo rights if this is an ISO install. { 
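Review bot: `local sshcmd=get_ssh_cmd $automated` does not call the helper: it assigns the literal string `get_ssh_cmd` to `sshcmd` and declares a second local named after the value of `$automated` (`yes` or `no`), so the later `$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" ...` runs `get_ssh_cmd -i ...`, which only echoes `ssh` and never contacts the manager. The capture must be a command substitution, split from the declaration so a failing helper is not masked by `local`: `local sshcmd` followed by `sshcmd=$(get_ssh_cmd "$automated")`. The same mistake is repeated in this commit's hunks for compare_versions, copy_minion_tmp_files (both `sshcmd` and `scpcmd`), copy_ssh_key (`sshcopyidcmd`), download_repo_tarball, saltify and set_initial_firewall_policy. Even after that fix, the unquoted `$sshcmd` expansion relies on word splitting to turn the returned string back into a command, so `$automated` should also be quoted at every call site to keep the argument from disappearing when it is empty.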
@@ -558,7 +558,10 @@ check_requirements() { } compare_versions() { - manager_ver=$(ssh -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) + local automated=$1 + local sshcmd=get_ssh_cmd $automated + + manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) if [[ $manager_ver == "" ]]; then rm /root/install_opt @@ -671,6 +674,11 @@ copy_salt_master_config() { } copy_minion_tmp_files() { + + local automated=$1 + local sshcmd=get_ssh_cmd $automated + local scpcmd=get_scp_cmd $automated + case "$install_type" in 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" 
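Review bot: `manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)` quotes the expansion, so once `sshcmd` actually holds the automated command string (`sshpass -p ... ssh -o StrictHostKeyChecking=no`) the whole string is treated as one command name and fails with "command not found", leaving `manager_ver` empty and sending execution into the `if [[ $manager_ver == "" ]]` branch that removes /root/install_opt as if the manager were unreachable. The other call sites in this commit expand `$sshcmd` unquoted; this line and the identical one in download_repo_tarball should match, or better, the helper should return an array so `"${sshcmd[@]}"` can be used safely everywhere. The rest of compare_versions continues outside the hunk.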
@@ -682,15 +690,15 @@ copy_minion_tmp_files() { *) { echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; + $scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; + $scpcmd -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; fi fi - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 ;; esac @@ -698,6 +706,9 @@ copy_minion_tmp_files() { copy_ssh_key() { + local automated=$1 + local sshcopyidcmd=get_ssh_copy_id_cmd $automated + echo "Generating SSH key" # Generate SSH key mkdir -p /root/.ssh @@ -709,7 +720,7 @@ copy_ssh_key() { echo "Copying the SSH key to the manager" #Copy the key over to the manager - ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" + $sshcopyidcmd -f -i /root/.ssh/so.key soremote@"$MSRV" } create_local_directories() { 
@@ -974,11 +985,15 @@ docker_seed_registry() { } download_repo_tarball() { + local automated=$1 + local sshcmd=get_ssh_cmd $automated + local scpcmd=get_scp_cmd $automated + mkdir -p /root/manager_setup/securityonion { local manager_ver - manager_ver=$(ssh -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) - scp -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup + manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) + $scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup } >> "$setup_log" 2>&1 # Fail if the file doesn't download @@ -1082,6 +1097,42 @@ get_minion_type() { echo "$minion_type" } +get_scp_cmd() { + local automated=$1 + + if [ $automated == yes ]; then + local scpcmd='sshpass -p "PASSWORD" scp -o StrictHostKeyChecking=no' + else + local scpcmd='scp' + fi + + echo $scpcmd +} + +get_ssh_cmd() { + local automated=$1 + + if [ $automated == yes ]; then + local sshcmd='sshpass -p "PASSWORD" ssh -o StrictHostKeyChecking=no' + else + local sshcmd='ssh' + fi + + echo $sshcmd +} + +get_ssh_copy_id_cmd() { + local automated=$1 + + if [ $automated == yes ]; then + local sshcopyidcmd='sshpass -p "PASSWORD" ssh-copy-id -o StrictHostKeyChecking=no' + else + local sshcopyidcmd='ssh-copy-id' + fi + + echo $sshcopyidcmd +} + host_pillar() { local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls @@ -1629,6 +1680,9 @@ remove_package() { # - securityonion/salt/salt/minion.defaults.yaml saltify() { + local automated=$1 + local scpcmd=get_scp_cmd $automated + # Install updates and Salt if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' 
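Review bot: The three new helpers return a command line as a single string with embedded quotes, `'sshpass -p "PASSWORD" ssh -o StrictHostKeyChecking=no'`; when a caller expands that unquoted, the double quotes are not removed (quote removal applies only to quotes written in the source, not to characters produced by expansion), so sshpass receives the literal `"PASSWORD"` with the quote characters, and the remaining words are subject to globbing. Two of the options also weaken the connection to the manager: `-o StrictHostKeyChecking=no` accepts any host key, so an automated minion pushes its SSH key (copy_ssh_key) and pillar files to whichever host answers at $MSRV, and `sshpass -p` places the password in argv where every local user can read it via `ps`. Prefer `sshpass -e` (password from the `SSHPASS` environment variable) or `-f <file>` and, where the client supports it, `StrictHostKeyChecking=accept-new` or a pre-seeded known_hosts entry so the manager's key is still pinned after first contact; `[ $automated == yes ]` should also quote `"$automated"` to avoid a syntax error when the argument is empty. The same three points apply to get_scp_cmd and get_ssh_copy_id_cmd; the rewrite below shows the ssh variant.
```shell
get_ssh_cmd() {
  local automated=$1
  # Callers capture this with: sshcmd=$(get_ssh_cmd "$automated")
  if [ "$automated" == yes ]; then
    # Password is read from $SSHPASS rather than argv; accept-new pins the
    # manager's key after first contact instead of trusting every host.
    echo 'sshpass -e ssh -o StrictHostKeyChecking=accept-new'
  else
    echo 'ssh'
  fi
}
# … get_scp_cmd / get_ssh_copy_id_cmd: same shape with scp / ssh-copy-id …
```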
@@ -1774,7 +1828,7 @@ saltify() { # Copy down the gpg keys and install them from the manager mkdir "$temp_install_dir"/gpg >> "$setup_log" 2>&1 echo "scp the gpg keys and install them from the manager" >> "$setup_log" 2>&1 - scp -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 + $scpcmd -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg >> "$setup_log" 2>&1 echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 @@ -2054,6 +2108,8 @@ set_hostname() { set_initial_firewall_policy() { set_main_ip + local automated=$1 + local sshcmd=get_ssh_cmd $automated if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi 
@@ -2087,24 +2143,24 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" case "$install_type" in 'SENSOR') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" ;; 'SEARCHNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'HEAVYNODE') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo 
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP" ;; esac ;; diff --git a/setup/so-setup b/setup/so-setup index bede7990d..f66b0a687 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -124,6 +124,15 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 done echo "Network is up on $MNIC" >> $setup_log 2>&1 + + if [[ ! $is_iso ]]; then + echo "Installing sshpass for automated testing." >> $setup_log 2>&1 + if [ "$OS" == ubuntu ]; then + yum -y install sshpass >> $setup_log 2>&1 + else + apt-get -y install sshpass >> $setup_log 2>&1 + fi + fi fi case "$setup_type" in @@ -287,10 +296,10 @@ if ! [[ -f $install_opt_file ]]; then fi if [[ $is_minion ]]; then - [ "$automated" == no ] && copy_ssh_key >> $setup_log 2>&1 + copy_ssh_key $automated >> $setup_log 2>&1 fi - if [[ $is_minion ]] && ! (compare_versions); then + if [[ $is_minion ]] && ! (compare_versions $automated); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ "install_type=$install_type" \ @@ -298,7 +307,7 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ "MSRVIP=$MSRVIP" > "$install_opt_file" - download_repo_tarball + download_repo_tarball $automated exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi @@ -553,7 +562,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 + set_initial_firewall_policy $automated >> $setup_log 2>&1 fi set_progress_str 2 'Updating packages' @@ -573,7 +582,7 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 5 'Installing Salt and dependencies' - saltify 2>> $setup_log + saltify $automated 2>> $setup_log set_progress_str 6 'Installing Docker and dependencies' docker_install >> $setup_log 2>&1 
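Review bot: The package-manager branches in the new sshpass block are inverted: the `ubuntu` branch runs `yum` and the fallback runs `apt-get`, so sshpass is installed on neither platform (PATCH 27/56 later in this series swaps them back). The install's exit status is not checked and its output goes only to `$setup_log`, so the failure surfaces much later as a `command not found` from the ssh wrappers rather than at the point of cause; `apt-get -y install sshpass >> $setup_log 2>&1 || exit 1` (and the same for the yum branch) would stop setup where the problem is. The enclosing `if [[ -f automation/$automation ...` block starts before this hunk.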
@@ -626,7 +635,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' - accept_salt_key_remote >> $setup_log 2>&1 + accept_salt_key_remote $automated >> $setup_log 2>&1 fi if [[ $is_manager || $is_import || $is_helix ]]; then @@ -635,7 +644,7 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 21 'Copying minion pillars to manager' - copy_minion_tmp_files >> $setup_log 2>&1 + copy_minion_tmp_files $automated >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 22 'Checking if the Salt Minion needs to be updated' @@ -647,7 +656,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 + set_initial_firewall_policy $automated >> $setup_log 2>&1 # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 From c93dfa7b33980b56538fa4cf993912b52d54efef Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Jan 2021 11:47:22 -0500 Subject: [PATCH 21/56] hardcode automation pw --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fa52b4adb..fc5f79bda 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1101,7 +1101,7 @@ get_scp_cmd() { local automated=$1 if [ $automated == yes ]; then - local scpcmd='sshpass -p "PASSWORD" scp -o StrictHostKeyChecking=no' + local scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' else local scpcmd='scp' fi @@ -1113,7 +1113,7 @@ get_ssh_cmd() { local automated=$1 if [ $automated == yes ]; then - local sshcmd='sshpass -p "PASSWORD" ssh -o StrictHostKeyChecking=no' + local sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' else local sshcmd='ssh' fi 
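Review bot: The double quotes inside `'sshpass -p "automation" scp -o StrictHostKeyChecking=no'` are ordinary characters of a single-quoted string, and when the callers expand the variable unquoted no quote removal is applied, so the password sshpass receives is `"automation"` with both quote characters; unless the test account's password genuinely contains them, every automated scp, ssh and ssh-copy-id will fail authentication. The same string appears in the get_ssh_cmd hunk on this line, the get_ssh_copy_id_cmd hunk on the next, and survives into the PATCH 22/56 and PATCH 28/56 rewrites. `sshpass -p` also places the secret in the process argument list, where any local user can read it with `ps`; exporting `SSHPASS=automation` and using `sshpass -e` keeps it out of argv. `-o StrictHostKeyChecking=no` disables host authentication and deserves a comment stating it is acceptable only for throwaway test hosts.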
@@ -1125,7 +1125,7 @@ get_ssh_copy_id_cmd() { local automated=$1 if [ $automated == yes ]; then - local sshcopyidcmd='sshpass -p "PASSWORD" ssh-copy-id -o StrictHostKeyChecking=no' + local sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' else local sshcopyidcmd='ssh-copy-id' fi From 0f9bf9deb643be9e5291e45b8680d5e2f06c737c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Jan 2021 13:49:51 -0500 Subject: [PATCH 22/56] make sshcmd, scpcmd, ssh_copy_id_cmd global to so-functions; --- setup/so-functions | 39 ++++++--------------------------------- setup/so-setup | 17 ++++++++++------- 2 files changed, 16 insertions(+), 40 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fc5f79bda..8d12156ae 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -110,10 +110,6 @@ analyze_system() { } accept_salt_key_remote() { - - local automated=$1 - local sshcmd=get_ssh_cmd $automated - systemctl restart salt-minion echo "Accept the key remotely on the manager" >> "$setup_log" 2>&1 @@ -558,9 +554,6 @@ check_requirements() { } compare_versions() { - local automated=$1 - local sshcmd=get_ssh_cmd $automated - manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) if [[ $manager_ver == "" ]]; then @@ -675,10 +668,6 @@ copy_salt_master_config() { copy_minion_tmp_files() { - local automated=$1 - local sshcmd=get_ssh_cmd $automated - local scpcmd=get_scp_cmd $automated - case "$install_type" in 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" @@ -706,9 +695,6 @@ copy_minion_tmp_files() { copy_ssh_key() { - local automated=$1 - local sshcopyidcmd=get_ssh_copy_id_cmd $automated - echo "Generating SSH key" # Generate SSH key mkdir -p /root/.ssh 
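Review bot: `manager_ver=$("$sshcmd" -i /root/.ssh/so.key ...)` in compare_versions quotes `$sshcmd`, so once this commit turns `sshcmd` into a global whose automated value is the multi-word `sshpass -p ... ssh -o StrictHostKeyChecking=no`, bash looks for a single command named by that entire string and fails with `command not found`; `manager_ver` is then empty and the `if [[ $manager_ver == "" ]]` branch is taken on every automated minion install. The expansion must be unquoted like the other call sites, `manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)`, or better, the wrapper should become a bash array (`sshcmd=(sshpass -e ssh -o StrictHostKeyChecking=no)`) used as `"${sshcmd[@]}"` everywhere so quoting is always correct. Dropping the `local` declarations leaves accept_salt_key_remote, compare_versions, copy_minion_tmp_files and copy_ssh_key depending on globals assigned elsewhere, which each function should note with `# uses global sshcmd/scpcmd set by get_ssh_cmd/get_scp_cmd`. compare_versions continues past the end of its hunk.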
@@ -985,9 +971,6 @@ docker_seed_registry() { } download_repo_tarball() { - local automated=$1 - local sshcmd=get_ssh_cmd $automated - local scpcmd=get_scp_cmd $automated mkdir -p /root/manager_setup/securityonion { @@ -1101,36 +1084,31 @@ get_scp_cmd() { local automated=$1 if [ $automated == yes ]; then - local scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' + scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' else - local scpcmd='scp' + scpcmd='scp' fi - - echo $scpcmd } get_ssh_cmd() { local automated=$1 if [ $automated == yes ]; then - local sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' + sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' else - local sshcmd='ssh' + sshcmd='ssh' fi - echo $sshcmd } get_ssh_copy_id_cmd() { local automated=$1 if [ $automated == yes ]; then - local sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' + sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' else - local sshcopyidcmd='ssh-copy-id' + sshcopyidcmd='ssh-copy-id' fi - - echo $sshcopyidcmd } host_pillar() { @@ -1680,9 +1658,6 @@ remove_package() { # - securityonion/salt/salt/minion.defaults.yaml saltify() { - local automated=$1 - local scpcmd=get_scp_cmd $automated - # Install updates and Salt if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' @@ -2108,8 +2083,6 @@ set_hostname() { set_initial_firewall_policy() { set_main_ip - local automated=$1 - local sshcmd=get_ssh_cmd $automated if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi diff --git a/setup/so-setup b/setup/so-setup index f66b0a687..020882347 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -108,6 +108,9 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 source automation/$automation automated=yes + get_scp_cmd $automated + get_ssh_cmd $automated + get_ssh_copy_id_cmd $automated attempt=1 attempts=60 @@ -296,7 +299,7 @@ if ! [[ -f $install_opt_file ]]; then fi if [[ $is_minion ]]; then - copy_ssh_key $automated >> $setup_log 2>&1 + copy_ssh_key >> $setup_log 2>&1 fi if [[ $is_minion ]] && ! (compare_versions $automated); then @@ -307,7 +310,7 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ "MSRVIP=$MSRVIP" > "$install_opt_file" - download_repo_tarball $automated + download_repo_tarball exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi @@ -562,7 +565,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy $automated >> $setup_log 2>&1 + set_initial_firewall_policy >> $setup_log 2>&1 fi set_progress_str 2 'Updating packages' @@ -582,7 +585,7 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 5 'Installing Salt and dependencies' - saltify $automated 2>> $setup_log + saltify 2>> $setup_log set_progress_str 6 'Installing Docker and dependencies' docker_install >> $setup_log 2>&1 @@ -635,7 +638,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' - accept_salt_key_remote $automated >> $setup_log 2>&1 + accept_salt_key_remote >> $setup_log 2>&1 fi if [[ $is_manager || $is_import || $is_helix ]]; then @@ -644,7 +647,7 @@ set_redirect >> $setup_log 2>&1 fi set_progress_str 21 'Copying minion pillars to manager' - copy_minion_tmp_files $automated >> $setup_log 2>&1 + copy_minion_tmp_files >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 22 'Checking if the Salt Minion needs to be updated' 
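Review bot: The three `get_*_cmd $automated` calls sit inside the `if [[ -f automation/$automation ...` branch, so on an ordinary interactive install `sshcmd`, `scpcmd` and `sshcopyidcmd` are never assigned and the remote calls expand to a bare `-i /root/.ssh/so.key ...`, which bash reports as `-i: command not found`. The calls need to run unconditionally after the automation block (PATCH 24/56 later in this series moves them), and once they do, `automated` is empty on interactive installs, so the helpers' `[ $automated == yes ]` collapses to `[ == yes ]`, prints `unary operator expected`, and reaches the else branch only by accident; `[[ "$automated" == yes ]]` handles both cases cleanly. The enclosing `if` block begins before this hunk.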
@@ -656,7 +659,7 @@ set_redirect >> $setup_log 2>&1 if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' - set_initial_firewall_policy $automated >> $setup_log 2>&1 + set_initial_firewall_policy >> $setup_log 2>&1 # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 From 1154b533d67f6d6dd2d09850ba1a7b72394c67b5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Jan 2021 13:56:56 -0500 Subject: [PATCH 23/56] Remove ERSPAN so log doesn't show a warning --- salt/suricata/defaults.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/suricata/defaults.yaml b/salt/suricata/defaults.yaml index 9f34c0871..49a25917c 100644 --- a/salt/suricata/defaults.yaml +++ b/salt/suricata/defaults.yaml @@ -460,8 +460,6 @@ suricata: enabled: true ports: $VXLAN_PORTS erspan: - typeI: - enabled: false detect: profile: medium custom-values: From 749b21e6843877a7a0b73eb1fa07cfbc0dcc02b0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Jan 2021 14:12:43 -0500 Subject: [PATCH 24/56] make sure ssh commands get set whether automated install or not --- setup/so-setup | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 020882347..3804b1e96 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -108,9 +108,6 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 source automation/$automation automated=yes - get_scp_cmd $automated - get_ssh_cmd $automated - get_ssh_copy_id_cmd $automated attempt=1 attempts=60 
@@ -148,6 +145,11 @@ case "$setup_type" in ;; esac +#set ssh command thats will be used based on if this is an automated test install or not +get_scp_cmd $automated +get_ssh_cmd $automated +get_ssh_copy_id_cmd $automated + # Allow execution of SO tools during setup local_sbin="$(pwd)/../salt/common/tools/sbin" export PATH=$PATH:$local_sbin From 91ad7f26bfe5df04a887fc4ed92f021a1c229ff8 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Jan 2021 08:45:33 -0500 Subject: [PATCH 25/56] no longer need to pass $automated to compare_versions --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 3804b1e96..3ea6fe570 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -304,7 +304,7 @@ if ! [[ -f $install_opt_file ]]; then copy_ssh_key >> $setup_log 2>&1 fi - if [[ $is_minion ]] && ! (compare_versions $automated); then + if [[ $is_minion ]] && ! (compare_versions); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ "install_type=$install_type" \ From aecc0c025eca68689acce0c86059aab12ab40480 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Jan 2021 08:49:08 -0500 Subject: [PATCH 26/56] fix comment --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 3ea6fe570..4c5760856 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -145,7 +145,7 @@ case "$setup_type" in ;; esac -#set ssh command thats will be used based on if this is an automated test install or not +#set ssh commands that will be used based on if this is an automated test install or not get_scp_cmd $automated get_ssh_cmd $automated get_ssh_copy_id_cmd $automated From 94fd79cd289a617346f799489a83cba603a35067 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Wed, 6 Jan 2021 08:51:33 -0500 Subject: [PATCH 27/56] originally had sshpass package install reveresed, fixed it here --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 4c5760856..7ab87a23a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -128,9 +128,9 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th if [[ ! $is_iso ]]; then echo "Installing sshpass for automated testing." >> $setup_log 2>&1 if [ "$OS" == ubuntu ]; then - yum -y install sshpass >> $setup_log 2>&1 - else apt-get -y install sshpass >> $setup_log 2>&1 + else + yum -y install sshpass >> $setup_log 2>&1 fi fi fi From 48f81d9ac6640e77dddecd2d116953ad7da1957b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Jan 2021 08:58:33 -0500 Subject: [PATCH 28/56] reduce setting ssh commands down to 1 function and 1 function call --- setup/so-functions | 45 ++++++++++++++------------------------------- setup/so-setup | 4 +--- 2 files changed, 15 insertions(+), 34 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8d12156ae..52c8b19c9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1080,37 +1080,6 @@ get_minion_type() { echo "$minion_type" } -get_scp_cmd() { - local automated=$1 - - if [ $automated == yes ]; then - scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' - else - scpcmd='scp' - fi -} - -get_ssh_cmd() { - local automated=$1 - - if [ $automated == yes ]; then - sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' - else - sshcmd='ssh' - fi - -} - -get_ssh_copy_id_cmd() { - local automated=$1 - - if [ $automated == yes ]; then - sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' - else - sshcopyidcmd='ssh-copy-id' - fi -} - host_pillar() { local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls 
@@ -2005,6 +1974,20 @@ set_progress_str() { "----" >> "$setup_log" 2>&1 } +set_ssh_cmds() { + local automated=$1 + + if [ $automated == yes ]; then + sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' + sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' + scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' + else + sshcmd='ssh' + sshcopyidcmd='ssh-copy-id' + scpcmd='scp' + fi +} + sensor_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls diff --git a/setup/so-setup b/setup/so-setup index 7ab87a23a..991273b65 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -146,9 +146,7 @@ case "$setup_type" in esac #set ssh commands that will be used based on if this is an automated test install or not -get_scp_cmd $automated -get_ssh_cmd $automated -get_ssh_copy_id_cmd $automated +set_ssh_cmds $automated # Allow execution of SO tools during setup local_sbin="$(pwd)/../salt/common/tools/sbin" From f2b677bfcb1045d6b629c6bcc3b703eb1d14aa4e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 6 Jan 2021 15:52:10 +0000 Subject: [PATCH 29/56] Reserve port for Wazuh API and check if port is already in use --- salt/wazuh/init.sls | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/salt/wazuh/init.sls b/salt/wazuh/init.sls index 99f16cb8a..3cad6c367 100644 --- a/salt/wazuh/init.sls +++ b/salt/wazuh/init.sls 
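Review bot: `if [ $automated == yes ]` in set_ssh_cmds is evaluated with `automated` empty on every non-automated install now that the function is called unconditionally, which reduces to `[ == yes ]`, prints `unary operator expected`, and takes the else branch by accident; `[[ "$automated" == yes ]]` makes the intent explicit and silent. The literal double quotes inside `'sshpass -p "automation" ...'` are handed to sshpass as part of the password when the string is expanded unquoted, and `-p` exposes the secret in `ps` output to every local user; reading it from the `SSHPASS` environment variable with `sshpass -e` fixes both. The function assigns three globals as a side effect with no declaration or comment, so a header naming them is needed.

```shell
#######################################
# Populate the global ssh/scp/ssh-copy-id wrappers used by the minion helpers.
# Globals written: sshcmd, scpcmd, sshcopyidcmd (plus SSHPASS when automated)
# Arguments: $1 - "yes" for automated test installs, anything else otherwise
#######################################
set_ssh_cmds() {
  local automated=$1

  if [[ "$automated" == yes ]]; then
    # Test-only credential, read by sshpass -e from the environment rather than
    # argv. StrictHostKeyChecking=no is acceptable only for throwaway test hosts.
    export SSHPASS=automation
    sshcmd='sshpass -e ssh -o StrictHostKeyChecking=no'
    sshcopyidcmd='sshpass -e ssh-copy-id -o StrictHostKeyChecking=no'
    scpcmd='sshpass -e scp -o StrictHostKeyChecking=no'
  else
    sshcmd='ssh'
    sshcopyidcmd='ssh-copy-id'
    scpcmd='scp'
  fi
}
```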
@@ -96,6 +96,16 @@ wazuhmgrwhitelist: - mode: 755 - template: jinja +# Reserve OS port for Wazuh API +wazuhreserveport: + cmd.run: + - name: grep -q 55000 /proc/sys/net/ipv4/ip_local_reserved_ports || sysctl -w net.ipv4.ip_local_reserved_ports="55000" > /dev/null && echo "55000" >> /proc/sys/net/ipv4/ip_local_reserved_ports + +# Check to see if Wazuh API port is available +wazuhportavailable: + cmd.run: + - name: netstat -anp | grep 55000 | grep -qv docker && PROCESS=$(netstat -anp | grep 55000 | awk '{print $NF}' | uniq) && echo "Another process ($PROCESS) appears to be using port 55000. Please terminate this process, or reboot to ensure a clean state so that the Wazuh API can start properly." && exit 1 || exit 0 + so-wazuh: docker_container.running: - image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-wazuh:{{ VERSION }} @@ -158,4 +168,4 @@ wazuh_state_not_allowed: test.fail_without_changes: - name: wazuh_state_not_allowed -{% endif %} \ No newline at end of file +{% endif %} From 875908dc905ead667387f8af43a2c2fb4c32ee3d Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 6 Jan 2021 16:47:35 +0000 Subject: [PATCH 30/56] Set @timestamp to winlog.systemTime --- salt/elasticsearch/files/ingest/win.eventlogs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/elasticsearch/files/ingest/win.eventlogs b/salt/elasticsearch/files/ingest/win.eventlogs index 3137e6bb5..2644be7a2 100644 --- a/salt/elasticsearch/files/ingest/win.eventlogs +++ b/salt/elasticsearch/files/ingest/win.eventlogs 
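Review bot: In the `wazuhreserveport` command, `||` and `&&` have equal precedence and group left to right, so `grep -q ... || sysctl ... && echo "55000" >> /proc/sys/net/ipv4/ip_local_reserved_ports` runs the `echo` whenever `grep` already finds the port, i.e. on every highstate after the first, and `sysctl -w net.ipv4.ip_local_reserved_ports="55000"` assigns the whole list rather than adding to it, so a port reserved by any other state is dropped. Salt's `unless` is the right place for the guard: `- name: sysctl -w net.ipv4.ip_local_reserved_ports=55000` with `- unless: grep -qw 55000 /proc/sys/net/ipv4/ip_local_reserved_ports`, which also stops the state from reporting a change on every run. In `wazuhportavailable`, `grep 55000` over `netstat -anp` output matches any line containing those digits (a PID, a foreign port, part of a longer number), so the check should anchor on the local port, e.g. `grep -E ':55000[[:space:]]'`, and the long pipeline would read better as a small script with `- name: ` pointing at it.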
@@ -4,6 +4,8 @@ { "set": { "if": "ctx.winlog?.channel != null", "field": "event.module", "value": "windows_eventlog", "override": false, "ignore_failure": true } }, { "set": { "if": "ctx.winlog?.channel != null", "field": "event.dataset", "value": "{{winlog.channel}}", "override": true } }, { "set": { "if": "ctx.winlog?.computer_name != null", "field": "observer.name", "value": "{{winlog.computer_name}}", "override": true } }, + { "rename": { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp", "target_field": "ingest.timestamp", "ignore_missing": true } }, + { "set": { "if": "ctx.winlog?.systemTime != null", "field": "@timestamp", "value": "{{winlog.systemTime}}", "override": true } }, { "set": { "field": "event.code", "value": "{{winlog.event_id}}", "override": true } }, { "set": { "field": "event.category", "value": "host", "override": true } }, { "rename": { "field": "winlog.event_data.SubjectUserName", "target_field": "user.name", "ignore_failure": true, "ignore_missing": true } }, From bbdb47703d320da840eae2d7963e7a31f354e493 Mon Sep 17 00:00:00 2001 
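Review bot: The `rename` processor parks the original `@timestamp` in `ingest.timestamp`, which is not an ECS field; `event.ingested` is the ECS name for the time an event reached the pipeline, and using it avoids a custom mapping and matches the other `event.*` fields this pipeline already sets. The following `set` writes `{{winlog.systemTime}}` into `@timestamp` with no `ignore_failure`, so if `systemTime` ever arrives in a form the `@timestamp` date mapping does not accept, the document is presumably rejected at index time instead of keeping the shipper's timestamp — the mapping is not visible here, so this is worth confirming. A sentence in the pipeline's `description` noting that `@timestamp` now reflects the event's own system time rather than the shipper's would help anyone reading the dashboards.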
From: Jason Ertel Date: Wed, 6 Jan 2021 17:21:46 -0500 Subject: [PATCH 31/56] Rename automation files to match environment names for consistency --- .../{distributed_forwardnode_ami => distributed-ami-forwardnode} | 0 .../{distributed_manager_ami => distributed-ami-manager} | 0 .../{distributed_searchnode_ami => distributed-ami-searchnode} | 0 setup/automation/{eval_ami => eval-ami} | 0 setup/automation/{eval_iso => eval-iso} | 0 setup/automation/{standalone_ami => standalone-ami} | 0 setup/automation/{standalone_iso => standalone-iso} | 0 7 files changed, 0 insertions(+), 0 deletions(-) rename setup/automation/{distributed_forwardnode_ami => distributed-ami-forwardnode} (100%) rename setup/automation/{distributed_manager_ami => distributed-ami-manager} (100%) rename setup/automation/{distributed_searchnode_ami => distributed-ami-searchnode} (100%) rename setup/automation/{eval_ami => eval-ami} (100%) rename setup/automation/{eval_iso => eval-iso} (100%) rename setup/automation/{standalone_ami => standalone-ami} (100%) rename setup/automation/{standalone_iso => standalone-iso} (100%) diff --git a/setup/automation/distributed_forwardnode_ami b/setup/automation/distributed-ami-forwardnode similarity index 100% rename from setup/automation/distributed_forwardnode_ami rename to setup/automation/distributed-ami-forwardnode diff --git a/setup/automation/distributed_manager_ami b/setup/automation/distributed-ami-manager similarity index 100% rename from setup/automation/distributed_manager_ami rename to setup/automation/distributed-ami-manager diff --git a/setup/automation/distributed_searchnode_ami b/setup/automation/distributed-ami-searchnode similarity index 100% rename from setup/automation/distributed_searchnode_ami rename to setup/automation/distributed-ami-searchnode diff --git a/setup/automation/eval_ami b/setup/automation/eval-ami similarity index 100% rename from setup/automation/eval_ami rename to setup/automation/eval-ami 
diff --git a/setup/automation/eval_iso b/setup/automation/eval-iso similarity index 100% rename from setup/automation/eval_iso rename to setup/automation/eval-iso diff --git a/setup/automation/standalone_ami b/setup/automation/standalone-ami similarity index 100% rename from setup/automation/standalone_ami rename to setup/automation/standalone-ami diff --git a/setup/automation/standalone_iso b/setup/automation/standalone-iso similarity index 100% rename from setup/automation/standalone_iso rename to setup/automation/standalone-iso From ae7c0a26be3d39e0f543ee7a05fc3278b31fd0b7 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Jan 2021 18:46:21 -0500 Subject: [PATCH 32/56] add a quiet mode to so-status for automation testing --- salt/common/tools/sbin/so-status | 107 +++++++++++++++++++++++-------- 1 file changed, 80 insertions(+), 27 deletions(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 8dd607bd6..dedd11d3e 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -20,7 +20,21 @@ if ! [ "$(id -u)" = 0 ]; then exit 1 fi +display_help() { +cat < Date: Wed, 6 Jan 2021 20:14:42 -0500 Subject: [PATCH 33/56] return 99 if setup is running --- salt/common/tools/sbin/so-status | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index dedd11d3e..953d3a43e 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -38,6 +38,7 @@ EXITCODE=0 SYSTEM_START_TIME=$(date -d "$( Date: Wed, 6 Jan 2021 20:39:44 -0500 Subject: [PATCH 34/56] Drop password requirement for sudo access during automated tests --- setup/so-functions | 7 +++++++ setup/so-setup | 1 + 2 files changed, 8 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index d0e502941..2c7bc4502 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2200,6 +2200,13 @@ mark_version() { echo "$SOVERSION" > /etc/soversion } +update_sudoers_for_testing() { + if [ -n "$TESTING" ]; then + info "Ensuring $INSTALLUSERNAME has password-less sudo access for automated testing purposes." + sed -i "s/^$INSTALLUSERNAME ALL=(ALL) ALL/^$INSTALLUSERNAME ALL=(ALL) NOPASSWD:ALL/" /etc/sudoers + fi +} + update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then diff --git a/setup/so-setup b/setup/so-setup index 8b8f99b01..be0c73d52 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -594,6 +594,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 10 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 + update_sudoers_for_testing >> $setup_log 2>&1 set_progress_str 11 'Generating manager global pillar' #minio_generate_keys From 83e749369156cae4c3f6483b5da0e609bc3ce0ad Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Jan 2021 11:23:39 -0500 Subject: [PATCH 35/56] add description for exit code 99 --- salt/common/tools/sbin/so-status | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-status b/salt/common/tools/sbin/so-status index 953d3a43e..bb05d5f2e 100755 --- a/salt/common/tools/sbin/so-status +++ b/salt/common/tools/sbin/so-status @@ -27,8 +27,8 @@ cat < Date: Thu, 7 Jan 2021 11:33:29 -0500 Subject: [PATCH 36/56] Update sed to disable sudo password prompt for automated testing --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 533ca110a..315334a18 100755 --- a/setup/so-functions +++ b/setup/so-functions 
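Review bot: `sed -i` on `/etc/sudoers` writes the file without validation, and at this commit the replacement side `^$INSTALLUSERNAME ALL=(ALL) NOPASSWD:ALL` inserts a literal `^` (the anchor is only special in the pattern), producing a line sudo cannot parse; a syntax error in sudoers disables sudo for every user on the host until it is repaired from a root shell. PATCH 36/56 in this series corrects the replacement text, but the validation gap remains in that hunk too: either write the rule to a file under `/etc/sudoers.d/` and check it with `visudo -cf` before installing it, or run `visudo -c` after the `sed` and restore a backup when it fails. The `sed` is also a silent no-op when the user's rule has a different shape (for example `ALL=(ALL:ALL) ALL`), so a `grep -q` of the expected `NOPASSWD` line after the edit, reported through `info`, would show whether the change actually took effect. A header comment should state that this grants password-less root to `$INSTALLUSERNAME` for the life of the host and is only ever meant for `TESTING` installs.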
@@ -2215,7 +2215,7 @@ mark_version() { update_sudoers_for_testing() { if [ -n "$TESTING" ]; then info "Ensuring $INSTALLUSERNAME has password-less sudo access for automated testing purposes." - sed -i "s/^$INSTALLUSERNAME ALL=(ALL) ALL/^$INSTALLUSERNAME ALL=(ALL) NOPASSWD:ALL/" /etc/sudoers + sed -i "s/^$INSTALLUSERNAME ALL=(ALL) ALL/$INSTALLUSERNAME ALL=(ALL) NOPASSWD: ALL/" /etc/sudoers fi } From a6f88b2843c2478b50c971ca13c371f6f980e958 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 7 Jan 2021 15:22:34 -0500 Subject: [PATCH 37/56] Correct eval AMI automation vars --- setup/automation/eval-ami | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/automation/eval-ami b/setup/automation/eval-ami index 2c5a8a52d..288bc7287 100644 --- a/setup/automation/eval-ami +++ b/setup/automation/eval-ami @@ -26,7 +26,7 @@ ALLOW_ROLE=a BASICZEEK=7 BASICSURI=7 # BLOGS= -BNICS=ens6 +BNICS=eth1 ZEEKVERSION=ZEEK # CURCLOSEDAYS= # EVALADVANCED=BASIC @@ -46,7 +46,7 @@ MANAGERUPDATES=1 # MGATEWAY= # MIP= # MMASK= -MNIC=ens5 +MNIC=eth0 # MSEARCH= # MSRV= # MTU= @@ -62,11 +62,11 @@ OSQUERY=1 # PATCHSCHEDULEHOURS= PATCHSCHEDULENAME=auto PLAYBOOK=1 -# REDIRECTHOST= -REDIRECTINFO=HOSTNAME +REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4) +REDIRECTINFO=OTHER RULESETUP=ETOPEN # SHARDCOUNT= -# SKIP_REBOOT=0 +# SKIP_REBOOT= SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser STRELKA=1 From 9eedb874fb390a7bb58c74b9934dd7cad099fe82 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 8 Jan 2021 12:37:54 -0500 Subject: [PATCH 38/56] Add eval and standalone airgap automations --- setup/automation/eval-airgap | 78 ++++++++++++++++++++++++++++++ setup/automation/standalone-airgap | 78 ++++++++++++++++++++++++++++++ 2 files changed, 156 insertions(+) create mode 100644 setup/automation/eval-airgap create mode 100644 setup/automation/standalone-airgap 
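Review bot: `REDIRECTHOST=$(curl http://169.254.169.254/latest/meta-data/public-ipv4)` in the eval-ami hunk uses no `-s`, `-f` or `--max-time`, so when the metadata service is slow or unreachable, or the instance enforces IMDSv2 (which answers this unauthenticated request with 401), the variable receives curl's progress text or an HTML error body, or setup hangs, and the redirect target silently becomes garbage. `REDIRECTHOST=$(curl -sf --max-time 5 http://169.254.169.254/latest/meta-data/public-ipv4) || exit 1` fails at the point of cause, and fetching an IMDSv2 token first (`PUT /latest/api/token` with `X-aws-ec2-metadata-token-ttl-seconds`) is the durable fix. Because this profile is sourced by so-setup, the command substitution executes at setup time, which a short comment above the line should say.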
diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap new file mode 100644 index 000000000..ce25a2784 --- /dev/null +++ b/setup/automation/eval-airgap @@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=eval +install_type=EVAL +INTERWEBS=AIRGAP +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r 
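Review bot: eval-airgap and standalone-airgap (the next hunk) are identical apart from `HOSTNAME` and `install_type`, so every future change to the roughly seventy shared defaults has to be made twice; sourcing one shared fragment and setting those two variables afterwards would remove the drift risk. Both files set `TESTING=true`, which elsewhere in this series triggers `update_sudoers_for_testing` to grant `$INSTALLUSERNAME` password-less sudo, together with what appears to be a world-open allow-list (`ALLOW_CIDR=0.0.0.0/0`) and fixed, published credentials; a header comment stating that these profiles are for disposable test hosts only and must never seed a real deployment is warranted. `# REDIRECTHOST=` with `REDIRECTINFO=IP` looks deliberate for an airgap host, but a one-line comment saying so would spare the next reader a comparison against the AMI profiles.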
diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap new file mode 100644 index 000000000..9ed05a27e --- /dev/null +++ b/setup/automation/standalone-airgap @@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=standalone +install_type=STANDALONE +INTERWEBS=AIRGAP +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r 
From f07e583013f01686fab37e049e3698d64dc56d83 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 8 Jan 2021 16:33:38 -0500 Subject: [PATCH 39/56] increase salt logging to info --- files/salt/master/master | 2 ++ setup/so-functions | 2 ++ 2 files changed, 4 insertions(+) diff --git a/files/salt/master/master b/files/salt/master/master index 42e7866d9..93e8ff938 100644 --- a/files/salt/master/master +++ b/files/salt/master/master @@ -13,6 +13,8 @@ # user: socore log_file: /opt/so/log/salt/master +log_level_logfile: info +log_level: info ##### File Server settings ##### ########################################## diff --git a/setup/so-functions b/setup/so-functions index 315334a18..83b5aef3c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -467,6 +467,8 @@ configure_minion() { printf '%s\n'\ "use_superseded:"\ " - module.run"\ + "log_level: info"\ + "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" { From 63047b4b853b82b3bd14288b0807cb59d93f7cc8 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 10 Jan 2021 00:56:10 -0500 Subject: [PATCH 40/56] Add retry logic around salt key acceptance during setup --- salt/common/tools/sbin/so-common | 19 +++++++++++++++++++ setup/so-functions | 2 +- setup/so-setup | 4 ++-- 3 files changed, 22 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c71e9150c..caa19cd37 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -141,6 +141,25 @@ get_random_value() { head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 } +retry() { + maxAttempts=$1 + sleepDelay=$2 + cmd=$3 + attempt=0 + while [[ $attempt -lt $maxAttempts ]]; do + attempt=$((attempt+1)) + logCmd "$cmd" + exitcode=$? + if [[ $exitcode -eq 0 ]]; then + return $exitCode + fi + info "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." + sleep $sleepDelay + done + error "Command continues to fail; giving up." + return 1 +} + wait_for_apt() { local progress_callback=$1 diff --git a/setup/so-functions b/setup/so-functions index 83b5aef3c..b2b7b688c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1972,7 +1972,7 @@ set_progress_str() { printf '%s\n' \ '----'\ - "$percentage% - ${progress_bar_text^^}"\ + info "$percentage% - ${progress_bar_text^^}"\ "----" >> "$setup_log" 2>&1 } diff --git a/setup/so-setup b/setup/so-setup index 15189746f..28f0bc0bb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -637,12 +637,12 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' - accept_salt_key_remote >> $setup_log 2>&1 + retry 20 10 accept_salt_key_remote fi if [[ $is_manager || $is_import || $is_helix ]]; then set_progress_str 20 'Accepting Salt key' - salt-key -ya "$MINION_ID" >> $setup_log 2>&1 + retry 20 10 "salt-key -ya $MINION_ID" fi set_progress_str 21 'Copying minion pillars to manager' From bc8e200919f31936fd6e875916d8caccefb91ff6 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Sun, 10 Jan 2021 02:34:46 -0500 Subject: [PATCH 41/56] Continued retry implementation for salt-key acceptance; improve timestamp coverage in setup --- salt/common/tools/sbin/so-common | 13 +++++++++++-- setup/so-functions | 4 +++- setup/so-setup | 4 ++-- 3 files changed, 16 insertions(+), 5 deletions(-) 
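Review bot: `return $exitCode` in the new `retry()` refers to a variable that is never assigned (the one set two lines earlier is `exitcode`), so the success branch returns the status of the preceding `[[` test rather than the command's; `return $exitcode`, or simply `return 0` since that branch is only reached on success, is what is meant. `maxAttempts`, `sleepDelay`, `cmd`, `attempt` and `exitcode` are all assigned without `local`, so every call clobbers any caller variable of the same name. Passing the command as one string (`retry 20 10 "salt-key -ya $MINION_ID"` in the so-setup hunk) means it is presumably re-split on whitespace inside `logCmd`, so a `MINION_ID` containing spaces or glob characters would be split or expanded; `retry 20 10 salt-key -ya "$MINION_ID"` with the function running `"${@:3}"` avoids the re-parse.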
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index caa19cd37..0c18c4482 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -145,12 +145,21 @@ retry() { maxAttempts=$1 sleepDelay=$2 cmd=$3 + expectedOutput=$4 attempt=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) - logCmd "$cmd" + info "Executing command with retry support: $cmd" + output=$($cmd) + info "Results: $output" exitcode=$? - if [[ $exitcode -eq 0 ]]; then + if [ -n "$expectedOutput" ]; then + if [[ "$output" =~ "$expectedOutput" ]]; then + return $exitCode + else + info "Expected '$expectedOutput' but got '$output'" + fi + elif [[ $exitcode -eq 0 ]]; then return $exitCode fi info "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." diff --git a/setup/so-functions b/setup/so-functions index b2b7b688c..e9de76233 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1970,9 +1970,11 @@ set_progress_str() { echo -e "$percentage_str" + info "Progressing ($percentage%): $progress_bar_text" + printf '%s\n' \ '----'\ - info "$percentage% - ${progress_bar_text^^}"\ + "$percentage% - ${progress_bar_text^^}"\ "----" >> "$setup_log" 2>&1 } diff --git a/setup/so-setup b/setup/so-setup index 28f0bc0bb..e62dc434f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -637,12 +637,12 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' - retry 20 10 accept_salt_key_remote + retry 20 10 accept_salt_key_remote "going to be accepted" fi if [[ $is_manager || $is_import || $is_helix ]]; then set_progress_str 20 'Accepting Salt key' - retry 20 10 "salt-key -ya $MINION_ID" + retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" fi set_progress_str 21 'Copying minion pillars to manager' From 8b49876e26d49f5fd9570ade5e7664447bd0eb04 Mon Sep 17 00:00:00 2001 
From: Jason Ertel Date: Mon, 11 Jan 2021 12:04:57 -0500 Subject: [PATCH 42/56] First pass at distribute ISO automation files --- setup/automation/distributed-iso-manager | 77 +++++++++++++++++++++++ setup/automation/distributed-iso-search | 78 ++++++++++++++++++++++++ setup/automation/distributed-iso-sensor | 78 ++++++++++++++++++++++++ 3 files changed, 233 insertions(+) create mode 100644 setup/automation/distributed-iso-manager create mode 100644 setup/automation/distributed-iso-search create mode 100644 setup/automation/distributed-iso-sensor diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager new file mode 100644 index 000000000..cbf803dd2 --- /dev/null +++ b/setup/automation/distributed-iso-manager 
@@ -0,0 +1,77 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +ALLOW_CIDR=0.0.0.0/0 +ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +#BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-manager +install_type=MANAGER +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +# MSRV= +# MTU= +NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +PLAYBOOK=1 +# REDIRECTHOST= +REDIRECTINFO=IP +RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search new file mode 100644 index 000000000..d37a7d935 --- /dev/null +++ b/setup/automation/distributed-iso-search 
@@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +# BASICZEEK=7 +# BASICSURI=7 +# BLOGS= +# BNICS=eth1 +# ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-search +install_type=SEARCHNODE +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.42 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +# STRELKA=1 +# THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor new file mode 100644 index 000000000..402049be9 
--- /dev/null +++ b/setup/automation/distributed-iso-sensor @@ -0,0 +1,78 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +TESTING=true + +address_type=DHCP +ADMINUSER=onionuser +ADMINPASS1=onionuser +ADMINPASS2=onionuser +# ALLOW_CIDR=0.0.0.0/0 +# ALLOW_ROLE=a +BASICZEEK=7 +BASICSURI=7 +# BLOGS= +BNICS=eth1 +ZEEKVERSION=ZEEK +# CURCLOSEDAYS= +# EVALADVANCED=BASIC +# GRAFANA=1 +# HELIXAPIKEY= +HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 +HNSENSOR=inherit +HOSTNAME=distributed-sensor +install_type=SENSOR +# LSINPUTBATCHCOUNT= +# LSINPUTTHREADS= +# LSPIPELINEBATCH= +# LSPIPELINEWORKERS= +# MANAGERADV=BASIC +MANAGERUPDATES=1 +# MDNS= +# MGATEWAY= +# MIP= +# MMASK= +MNIC=eth0 +# MSEARCH= +MSRV=distributed-manager +MSRVIP=10.66.166.42 +# MTU= +# NIDS=Suricata +# NODE_ES_HEAP_SIZE= +# NODE_LS_HEAP_SIZE= +# NODESETUP=NODEBASIC +NSMSETUP=BASIC +NODEUPDATES=MANAGER +# OINKCODE= +# OSQUERY=1 +# PATCHSCHEDULEDAYS= +# PATCHSCHEDULEHOURS= +PATCHSCHEDULENAME=auto +# PLAYBOOK=1 +# REDIRECTHOST= +# REDIRECTINFO=IP +# RULESETUP=ETOPEN +# SHARDCOUNT= +# SKIP_REBOOT= +SOREMOTEPASS1=onionuser +SOREMOTEPASS2=onionuser +STRELKA=1 +# THEHIVE=1 +WAZUH=1 +WEBUSER=onionuser@somewhere.invalid +WEBPASSWD1=0n10nus3r +WEBPASSWD2=0n10nus3r From 6ea1a83afe9199c9337c508fff10b54d797d3063 Mon Sep 17 00:00:00 2001 
From: m0duspwnens Date: Mon, 11 Jan 2021 14:10:08 -0500 Subject: [PATCH 43/56] resolve some issues with the zeekloss script https://github.com/Security-Onion-Solutions/securityonion/issues/2590 --- salt/telegraf/scripts/zeekloss.sh | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 9a64ef4dd..0cdef896c 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh @@ -29,15 +29,22 @@ echo $$ > $lf ZEEKLOG=$(tac /host/nsm/zeek/logs/packetloss.log | head -2) declare RESULT=($ZEEKLOG) CURRENTDROP=${RESULT[3]} -PASTDROP=${RESULT[9]} -DROPPED=$((CURRENTDROP - PASTDROP)) -if [ $DROPPED == 0 ]; then +# zeek likely not running if this is true +if [[ $CURRENTDROP == "rcvd:" ]]; then + CURRENTDROP=0 + PASTDROP=0 + DROPPED=0 +else + PASTDROP=${RESULT[9]} + DROPPED=$((CURRENTDROP - PASTDROP)) +fi +if [[ "$DROPPED" -le 0 ]]; then LOSS=0 echo "zeekdrop drop=0" else CURRENTPACKETS=${RESULT[5]} PASTPACKETS=${RESULT[11]} TOTAL=$((CURRENTPACKETS - PASTPACKETS)) - LOSS=$(echo $DROPPED $TOTAL / p | dc) + LOSS=$(echo 4k $DROPPED $TOTAL / p | dc) echo "zeekdrop drop=$LOSS" -fi +fi \ No newline at end of file From 9405990a2e148e310b8f52bbd54c545d6c6fc847 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jan 2021 09:50:08 -0500 Subject: [PATCH 44/56] remote quotes --- setup/so-functions | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 52c8b19c9..94f6b394d 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -467,6 +467,8 @@ configure_minion() { printf '%s\n'\ "use_superseded:"\ " - module.run"\ + "log_level: info"\ + "log_level_logfile: info"\ "log_file: /opt/so/log/salt/minion" >> "$minion_config" { 
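Review bot: `LOSS=$(echo 4k $DROPPED $TOTAL / p | dc)` still uses `$TOTAL` as a divisor with no guard, so when the two sampled lines carry the same received-packet count `dc` reports a division by zero on stderr and `LOSS` is empty, producing the line `zeekdrop drop=` that the telegraf consumer cannot parse. Guard it the same way the drop count now is: `if (( TOTAL <= 0 )); then LOSS=0; else LOSS=$(echo 4k "$DROPPED" "$TOTAL" / p | dc); fi`. The `rcvd:` sentinel and the `${RESULT[3]}`/`${RESULT[9]}` indices depend on a fixed field layout of packetloss.log that the script does not document; a one-line comment quoting an example log line would let the next reader verify those positions. The script's top (including the `declare RESULT=($ZEEKLOG)` word-split) lies outside this hunk.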
@@ -554,7 +556,7 @@ check_requirements() { } compare_versions() { - manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) + manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) if [[ $manager_ver == "" ]]; then rm /root/install_opt @@ -975,7 +977,7 @@ download_repo_tarball() { mkdir -p /root/manager_setup/securityonion { local manager_ver - manager_ver=$("$sshcmd" -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) + manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) $scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup } >> "$setup_log" 2>&1 @@ -1968,6 +1970,8 @@ set_progress_str() { echo -e "$percentage_str" + info "Progressing ($percentage%): $progress_bar_text" + printf '%s\n' \ '----'\ "$percentage% - ${progress_bar_text^^}"\ @@ -1978,9 +1982,9 @@ set_ssh_cmds() { local automated=$1 if [ $automated == yes ]; then - sshcmd='sshpass -p "automation" ssh -o StrictHostKeyChecking=no' - sshcopyidcmd='sshpass -p "automation" ssh-copy-id -o StrictHostKeyChecking=no' - scpcmd='sshpass -p "automation" scp -o StrictHostKeyChecking=no' + sshcmd='sshpass -p "$SOREMOTEPASS1" ssh -o StrictHostKeyChecking=no' + sshcopyidcmd='sshpass -p "$SOREMOTEPASS1" ssh-copy-id -o StrictHostKeyChecking=no' + scpcmd='sshpass -p "$SOREMOTEPASS1" scp -o StrictHostKeyChecking=no' else sshcmd='ssh' sshcopyidcmd='ssh-copy-id' @@ -2212,6 +2216,13 @@ mark_version() { echo "$SOVERSION" > /etc/soversion } +update_sudoers_for_testing() { + if [ -n "$TESTING" ]; then + info "Ensuring $INSTALLUSERNAME has password-less sudo access for automated testing purposes." + sed -i "s/^$INSTALLUSERNAME ALL=(ALL) ALL/$INSTALLUSERNAME ALL=(ALL) NOPASSWD: ALL/" /etc/sudoers + fi +} + update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then 
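Review bot: `update_sudoers_for_testing` rewrites `/etc/sudoers` in place with `sed -i` and never validates the result, so a malformed edit leaves the host with no working sudo; it also interpolates `$INSTALLUSERNAME` into the sed expression unescaped, so a username containing `/` or `&` corrupts the pattern or the replacement. The conventional form is a drop-in that is syntax-checked before it takes effect: `printf '%s ALL=(ALL) NOPASSWD: ALL\n' "$INSTALLUSERNAME" > /etc/sudoers.d/so-testing && visudo -cf /etc/sudoers.d/so-testing`. Because the only gate is `-n "$TESTING"`, the NOPASSWD grant persists on the finished install; a comment above the function stating that it is meant for disposable test hosts only, and that the grant is not reverted afterwards, would make that cost visible to whoever reuses an automation profile.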
From dbb9f90f0060592c44cffc86a30e88aaca7a349a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jan 2021 14:07:04 -0500 Subject: [PATCH 45/56] fix quotes --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 94f6b394d..e731da3b9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1982,9 +1982,9 @@ set_ssh_cmds() { local automated=$1 if [ $automated == yes ]; then - sshcmd='sshpass -p "$SOREMOTEPASS1" ssh -o StrictHostKeyChecking=no' - sshcopyidcmd='sshpass -p "$SOREMOTEPASS1" ssh-copy-id -o StrictHostKeyChecking=no' - scpcmd='sshpass -p "$SOREMOTEPASS1" scp -o StrictHostKeyChecking=no' + sshcmd="sshpass -p $SOREMOTEPASS1 ssh -o StrictHostKeyChecking=no" + sshcopyidcmd="sshpass -p $SOREMOTEPASS1 ssh-copy-id -o StrictHostKeyChecking=no" + scpcmd="sshpass -p $SOREMOTEPASS1 scp -o StrictHostKeyChecking=no" else sshcmd='ssh' sshcopyidcmd='ssh-copy-id' From 225ed1c14a739325cb3754886d04007d86e0a54c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 12 Jan 2021 16:39:19 -0500 Subject: [PATCH 46/56] change suriloss and zeekloss to be more similar code style --- salt/telegraf/scripts/suriloss.sh | 10 +++++----- salt/telegraf/scripts/zeekloss.sh | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/salt/telegraf/scripts/suriloss.sh b/salt/telegraf/scripts/suriloss.sh index 7ef8de2ee..9f8ad8cc6 100644 --- a/salt/telegraf/scripts/suriloss.sh +++ b/salt/telegraf/scripts/suriloss.sh 
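Review bot: `sshpass -p $SOREMOTEPASS1` puts the soremote password on the command line, where any local user can read it from the process list for as long as the ssh/scp call runs, and because `$sshcmd` is expanded unquoted at the call sites (`$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" ...` in compare_versions) a password containing whitespace is split into separate arguments. `sshpass -e` takes the password from the environment instead: `export SSHPASS=$SOREMOTEPASS1` followed by `sshcmd='sshpass -e ssh -o StrictHostKeyChecking=no'` (and likewise for the copy-id and scp variants). `StrictHostKeyChecking=no` also silently accepts a changed host key for the manager; `-o StrictHostKeyChecking=accept-new` (OpenSSH 7.6+) keeps first-use acceptance while still failing on a key that differs from the one already in known_hosts.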
@@ -33,20 +33,20 @@ if [ $CHECKIT == 2 ]; then CURRENTDROP=${RESULT[4]} PASTDROP=${RESULT[14]} - DROPPED=$(($CURRENTDROP - $PASTDROP)) + DROPPED=$((CURRENTDROP - PASTDROP)) if [ $DROPPED == 0 ]; then LOSS=0 echo "suridrop drop=0" else CURRENTPACKETS=${RESULT[9]} PASTPACKETS=${RESULT[19]} - TOTALCURRENT=$(($CURRENTPACKETS + $CURRENTDROP)) - TOTALPAST=$(($PASTPACKETS + $PASTDROP)) - TOTAL=$(($TOTALCURRENT - $TOTALPAST)) + TOTALCURRENT=$((CURRENTPACKETS + CURRENTDROP)) + TOTALPAST=$((PASTPACKETS + PASTDROP)) + TOTAL=$((TOTALCURRENT - TOTALPAST)) LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) echo "suridrop drop=$LOSS" fi else echo "suridrop drop=0" -fi +fi \ No newline at end of file diff --git a/salt/telegraf/scripts/zeekloss.sh b/salt/telegraf/scripts/zeekloss.sh index 0cdef896c..966de8e4d 100644 --- a/salt/telegraf/scripts/zeekloss.sh +++ b/salt/telegraf/scripts/zeekloss.sh @@ -45,6 +45,6 @@ else CURRENTPACKETS=${RESULT[5]} PASTPACKETS=${RESULT[11]} TOTAL=$((CURRENTPACKETS - PASTPACKETS)) - LOSS=$(echo 4k $DROPPED $TOTAL / p | dc) + LOSS=$(echo 4 k $DROPPED $TOTAL / p | dc) echo "zeekdrop drop=$LOSS" fi \ No newline at end of file From 2950779d9159c39412ed7fc83fceca68402df406 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 13 Jan 2021 09:57:12 -0500 Subject: [PATCH 47/56] Fix stralka rule update --- salt/strelka/init.sls | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/salt/strelka/init.sls b/salt/strelka/init.sls index c4b5346ae..1bd9e3aad 100644 --- a/salt/strelka/init.sls +++ b/salt/strelka/init.sls @@ -1,4 +1,4 @@ -# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
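Review bot: `if [ $DROPPED == 0 ]` still treats a negative value (the counter going backwards after a Suricata restart) as a drop, so the else branch runs the division and emits a negative `suridrop drop=` value; the zeekloss script this commit aligns with already uses `[[ "$DROPPED" -le 0 ]]`, and the same test here would make the two genuinely consistent rather than only cosmetically. `TOTAL` is likewise used as a divisor in `dc` with no zero check, so two samples with identical counters leave `LOSS` empty; a `(( TOTAL <= 0 ))` short-circuit to `drop=0` covers it. The `CHECKIT` test and the `RESULT` array assignment are outside this hunk.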
@@ -17,8 +17,8 @@ {% if 'strelka' in top_states %} -{%- set MANAGER = salt['grains.get']('master') %} -{%- set MANAGERIP = salt['pillar.get']('global:managerip', '') %} +{% set MANAGER = salt['grains.get']('master') %} +{% set MANAGERIP = salt['pillar.get']('global:managerip', '') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} @@ -47,7 +47,7 @@ strelkasync: - group: 939 - template: jinja -{%- if STRELKA_RULES == 1 %} +{% if STRELKA_RULES == 1 %} strelkarules: file.recurse: @@ -56,13 +56,15 @@ strelkarules: - user: 939 - group: 939 +{% if grains['role'] in ['so-eval','so-managersearch', 'so-manager', 'so-standalone', 'so-import'] %} strelkarepos: file.managed: - name: /opt/so/saltstack/default/salt/strelka/rules/repos.txt - source: salt://strelka/rules/repos.txt.jinja - template: jinja - -{%- endif %} + +{% endif %} +{% endif %} strelkadatadir: file.directory: From bb386f9935a6a946be43085c023319a6b57b5442 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 12 Jan 2021 17:04:49 -0500 Subject: [PATCH 48/56] Allow passwordless sudo during tests for all nodes, not just manager; Only run so-test on sensor nodes during test runs --- setup/so-setup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index e62dc434f..b4b0fd6ed 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -594,6 +594,8 @@ set_redirect >> $setup_log 2>&1 set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 + update_sudoers_for_testing >> $setup_log 2>&1 + if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 9 'Configuring Salt master' { 
@@ -606,7 +608,6 @@ set_redirect >> $setup_log 2>&1 set_progress_str 10 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 - update_sudoers_for_testing >> $setup_log 2>&1 set_progress_str 11 'Generating manager global pillar' #minio_generate_keys @@ -851,7 +852,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [ -n "$TESTING" ] && logCmd so-test + [[ -n "$TESTING" && $is_sensor ]] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From 9b060fb2d118798a1b70aa62feaf68feb5a19006 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 10:21:12 -0500 Subject: [PATCH 49/56] Adjust automation defaults for sensors and search nodes --- setup/automation/distributed-ami-forwardnode | 14 +++++++------- setup/automation/distributed-ami-manager | 4 ++-- setup/automation/distributed-ami-searchnode | 10 +++++----- setup/automation/distributed-iso-search | 8 ++++---- setup/automation/distributed-iso-sensor | 14 +++++++------- 5 files changed, 25 insertions(+), 25 deletions(-) diff --git a/setup/automation/distributed-ami-forwardnode b/setup/automation/distributed-ami-forwardnode index 99d8f21be..a3cd2cccb 100644 --- a/setup/automation/distributed-ami-forwardnode +++ b/setup/automation/distributed-ami-forwardnode @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser #ALLOW_CIDR=0.0.0.0/0 #ALLOW_ROLE=a -BASICZEEK=1 -BASICSURI=1 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=ens6 ZEEKVERSION=ZEEK @@ -70,9 +70,9 @@ PATCHSCHEDULENAME=auto SKIP_REBOOT=0 SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser -STRELKA=1 +#STRELKA=1 #THEHIVE=1 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r +#WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r 
diff --git a/setup/automation/distributed-ami-manager b/setup/automation/distributed-ami-manager index 2ca5c2a04..b1effcf7a 100644 --- a/setup/automation/distributed-ami-manager +++ b/setup/automation/distributed-ami-manager @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser ALLOW_CIDR=0.0.0.0/0 ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=ens6 ZEEKVERSION=ZEEK diff --git a/setup/automation/distributed-ami-searchnode b/setup/automation/distributed-ami-searchnode index 3c2ff4df5..e50e18475 100644 --- a/setup/automation/distributed-ami-searchnode +++ b/setup/automation/distributed-ami-searchnode @@ -22,7 +22,7 @@ ADMINUSER=onionuser ADMINPASS1=onionuser ADMINPASS2=onionuser #ALLOW_CIDR=0.0.0.0/0 -ALLOW_ROLE=a +#ALLOW_ROLE=a #BASICZEEK=7 #BASICSURI=7 # BLOGS= @@ -72,7 +72,7 @@ SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser #STRELKA=1 #THEHIVE=1 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r +#WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-iso-search b/setup/automation/distributed-iso-search index d37a7d935..aec7afd31 100644 --- a/setup/automation/distributed-iso-search +++ b/setup/automation/distributed-iso-search @@ -72,7 +72,7 @@ SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser # STRELKA=1 # THEHIVE=1 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r diff --git a/setup/automation/distributed-iso-sensor b/setup/automation/distributed-iso-sensor index 402049be9..4cc3f6a75 100644 --- a/setup/automation/distributed-iso-sensor +++ b/setup/automation/distributed-iso-sensor @@ -23,8 +23,8 @@ ADMINPASS1=onionuser ADMINPASS2=onionuser # ALLOW_CIDR=0.0.0.0/0 # ALLOW_ROLE=a -BASICZEEK=7 -BASICSURI=7 +BASICZEEK=2 +BASICSURI=2 # BLOGS= BNICS=eth1 ZEEKVERSION=ZEEK 
@@ -70,9 +70,9 @@ PATCHSCHEDULENAME=auto # SKIP_REBOOT= SOREMOTEPASS1=onionuser SOREMOTEPASS2=onionuser -STRELKA=1 +# STRELKA=1 # THEHIVE=1 -WAZUH=1 -WEBUSER=onionuser@somewhere.invalid -WEBPASSWD1=0n10nus3r -WEBPASSWD2=0n10nus3r +# WAZUH=1 +# WEBUSER=onionuser@somewhere.invalid +# WEBPASSWD1=0n10nus3r +# WEBPASSWD2=0n10nus3r From df590bfd23fa20a5528a62603a028baa5fa2f615 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Jan 2021 11:09:38 -0500 Subject: [PATCH 50/56] pillarize disk freespace for steno https://github.com/Security-Onion-Solutions/securityonion/issues/2095 --- salt/pcap/files/config | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/pcap/files/config b/salt/pcap/files/config index 4a612fbf1..048775ef7 100644 --- a/salt/pcap/files/config +++ b/salt/pcap/files/config @@ -1,10 +1,12 @@ {%- set interface = salt['pillar.get']('sensor:interface', 'bond0') %} +{%- set diskfreepercentage = salt['pillar.get']('steno:diskfreepercentage', 10) %} + { "Threads": [ { "PacketsDirectory": "/nsm/pcap" , "IndexDirectory": "/nsm/pcapindex" , "MaxDirectoryFiles": 30000 - , "DiskFreePercentage": 10 + , "DiskFreePercentage": {{ diskfreepercentage }} } ] , "StenotypePath": "/usr/bin/stenotype" @@ -13,4 +15,4 @@ , "Host": "127.0.0.1" , "Flags": ["-v", "--uid=stenographer", "--gid=stenographer"{{ BPF_COMPILED }}] , "CertPath": "/etc/stenographer/certs" -} +} \ No newline at end of file From ea1ab75072bfc7fb74d79886b3d1b9582c6fad5d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 12:42:41 -0500 Subject: [PATCH 51/56] Refactored so-common node type checks for improved readability; Updated so-tcpreplay to support distributed grids --- salt/common/tools/sbin/so-common | 32 ++++++++++++++++++++++------- salt/common/tools/sbin/so-tcpreplay | 28 ++++++++++++++++++------- setup/so-setup | 2 +- 3 files changed, 47 insertions(+), 15 deletions(-) 
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 0c18c4482..881be83ca 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -111,9 +111,7 @@ set_version() { } require_manager() { - # Check to see if this is a manager - MANAGERCHECK=$(cat /etc/salt/grains | grep role | awk '{print $2}') - if [ $MANAGERCHECK == 'so-eval' ] || [ $MANAGERCHECK == 'so-manager' ] || [ $MANAGERCHECK == 'so-managersearch' ] || [ $MANAGERCHECK == 'so-standalone' ] || [ $MANAGERCHECK == 'so-helix' ] || [ $MANAGERCHECK == 'so-import' ]; then + if is_manager; then echo "This is a manager, We can proceed." else echo "Please run this command on the manager; the manager controls the grid." @@ -121,12 +119,32 @@ require_manager() { fi } +is_manager() { + # Check to see if this is a manager node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'manager' ] && return 0 + [ $role == 'managersearch' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + +is_sensor() { + # Check to see if this is a sensor (forward) node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'sensor' ] && return 0 + [ $role == 'heavynode' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + is_single_node_grid() { role=$(lookup_role) - if [ "$role" != "eval" ] && [ "$role" != "standalone" ] && [ "$role" != "import" ]; then - return 1 - fi - return 0 + [ $role == 'eval' ] && return 0 + [ $role == 'standalone' ] && return 0 + [ $role == 'import' ] && return 0 + return 1 } fail() { diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay index fa992bdd8..8b81c32cf 100755 --- a/salt/common/tools/sbin/so-tcpreplay +++ b/salt/common/tools/sbin/so-tcpreplay 
@@ -47,13 +47,27 @@ if ! docker ps | grep -q so-tcpreplay; then echo "Replay functionality not enabled; attempting to enable now (may require Internet access)..." echo - TRUSTED_CONTAINERS=("so-tcpreplay") - mkdir -p /opt/so/log/tcpreplay - update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" - so-tcpreplay-start || fail "Unable to initialize tcpreplay" + if is_manager; then + TRUSTED_CONTAINERS=("so-tcpreplay") + mkdir -p /opt/so/log/tcpreplay + update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log" + elif is_sensor; then + if ! is_manager; then + echo "Attempting to start replay container. If this fails then you may need to run this command on the manager first." + fi + so-tcpreplay-start || fail "Unable to initialize tcpreplay" + else + echo "Unable to enable replay functionality on this node type." + fi fi -echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." -docker exec so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" +if is_sensor; then + echo "Replaying PCAP(s) at ${REPLAYSPEED} Mbps on interface ${REPLAYIFACE}..." + docker exec so-tcpreplay /usr/bin/bash -c "/usr/local/bin/tcpreplay -i ${REPLAYIFACE} -M${REPLAYSPEED} $@" -echo "Replay completed. Warnings shown above are typically expected." + echo "Replay completed. Warnings shown above are typically expected." +elif is_manager; then + echo "The sensor nodes in this grid can now replay traffic." +else + echo "Unable to replay traffic since this node is not a sensor node." +fi diff --git a/setup/so-setup b/setup/so-setup index b4b0fd6ed..2cee0dc6a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
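Review bot: On the retained `docker exec so-tcpreplay /usr/bin/bash -c "... $@"` line the `$@` sits inside a larger double-quoted word, which bash expands so that the first PCAP is joined to the command text and every further PCAP becomes a separate argument to `bash -c`; those extra arguments are bound to the inline script's `$0`, `$1`, ... and are never replayed, so "one or more PCAP sample files" only works for one. The same construct also hands the paths to the container's shell for re-parsing, so a filename containing spaces, quotes or `;` is split or executed. Passing the arguments directly fixes both: `docker exec so-tcpreplay /usr/local/bin/tcpreplay -i "$REPLAYIFACE" -M"$REPLAYSPEED" "$@"`. Inside the `elif is_sensor` branch the inner `if ! is_manager` can never be false, because that branch is only reached after `is_manager` has already failed, so the hint is printed unconditionally and the test can be dropped.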
@@ -852,7 +852,7 @@ if [[ -n $SO_ERROR ]]; then else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { - [[ -n "$TESTING" && $is_sensor ]] && logCmd so-test + [[ -n "$TESTING" ]] && logCmd so-test export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then From 0a1ab29d196edd085af90d5be9625c353ef7d434 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 13 Jan 2021 14:28:54 -0500 Subject: [PATCH 52/56] Add distributed airgap automation files --- setup/automation/distributed-airgap-manager | 78 +++++++++++++++++++++ setup/automation/distributed-airgap-search | 78 +++++++++++++++++++++ setup/automation/distributed-airgap-sensor | 78 +++++++++++++++++++++ 3 files changed, 234 insertions(+) create mode 100644 setup/automation/distributed-airgap-manager create mode 100644 setup/automation/distributed-airgap-search create mode 100644 setup/automation/distributed-airgap-sensor diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager new file mode 100644 index 000000000..f44bbc231 --- /dev/null +++ b/setup/automation/distributed-airgap-manager 
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+ALLOW_CIDR=0.0.0.0/0
+ALLOW_ROLE=a
+BASICZEEK=7
+BASICSURI=7
+# BLOGS=
+#BNICS=eth1
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=distributed-manager
+install_type=MANAGER
+INTERWEBS=AIRGAP
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=eth0
+# MSEARCH=
+# MSRV=
+# MTU=
+NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+PLAYBOOK=1
+# REDIRECTHOST=
+REDIRECTINFO=IP
+RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+STRELKA=1
+THEHIVE=1
+WAZUH=1
+WEBUSER=onionuser@somewhere.invalid
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search
new file mode 100644
index 000000000..aec7afd31
--- /dev/null
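Review bot: These new automation profiles carry fixed credentials (`ADMINPASS1=onionuser`, `SOREMOTEPASS1=onionuser`, `WEBPASSWD1=0n10nus3r`) together with `ALLOW_CIDR=0.0.0.0/0` and `ALLOW_ROLE=a`, yet nothing in the file says they are meant only for disposable test installs; `TESTING=true` is the only hint. A reader who reuses one of them as a starting point for a real deployment would end up with well-known passwords and an analyst role reachable from any address. A header comment after the license block would make the intent explicit, e.g. `# Automated-test profile: the fixed credentials and the 0.0.0.0/0 allow rule below are for throwaway test instances only; do not reuse on a system reachable by others.` The same applies to distributed-airgap-search and distributed-airgap-sensor in this commit and to eval-centos, eval-ubuntu, standalone-centos and standalone-ubuntu added in PATCH 53.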
+++ b/setup/automation/distributed-airgap-search
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+# ALLOW_CIDR=0.0.0.0/0
+# ALLOW_ROLE=a
+# BASICZEEK=7
+# BASICSURI=7
+# BLOGS=
+# BNICS=eth1
+# ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+# GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=distributed-search
+install_type=SEARCHNODE
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+# MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=eth0
+# MSEARCH=
+MSRV=distributed-manager
+MSRVIP=10.66.166.42
+# MTU=
+# NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+# OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+# PLAYBOOK=1
+# REDIRECTHOST=
+# REDIRECTINFO=IP
+# RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+# STRELKA=1
+# THEHIVE=1
+# WAZUH=1
+# WEBUSER=onionuser@somewhere.invalid
+# WEBPASSWD1=0n10nus3r
+# WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor
new file mode 100644
index 000000000..4cc3f6a75
--- /dev/null
+++ b/setup/automation/distributed-airgap-sensor
@@ -0,0 +1,78 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+# ALLOW_CIDR=0.0.0.0/0
+# ALLOW_ROLE=a
+BASICZEEK=2
+BASICSURI=2
+# BLOGS=
+BNICS=eth1
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+# GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=distributed-sensor
+install_type=SENSOR
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+# MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=eth0
+# MSEARCH=
+MSRV=distributed-manager
+MSRVIP=10.66.166.42
+# MTU=
+# NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+# NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+# OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+# PLAYBOOK=1
+# REDIRECTHOST=
+# REDIRECTINFO=IP
+# RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+# STRELKA=1
+# THEHIVE=1
+# WAZUH=1
+# WEBUSER=onionuser@somewhere.invalid
+# WEBPASSWD1=0n10nus3r
+# WEBPASSWD2=0n10nus3r
From 6d6779bba60249f071b04d83be4c44d0cac29e8a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 13 Jan 2021 15:43:43 -0500
Subject: [PATCH 53/56] Added automation files for network eval/standalone installs; Reduced Zeek threads from 7 to 2 on all test nodes
---
 setup/automation/distributed-airgap-manager | 4 +-
 setup/automation/eval-airgap | 4 +-
 setup/automation/eval-ami | 4 +-
 setup/automation/eval-centos | 77 +++++++++++++++++++++
 setup/automation/eval-iso | 4 +-
 setup/automation/eval-ubuntu | 77 +++++++++++++++++++++
 setup/automation/standalone-airgap | 4 +-
 setup/automation/standalone-ami | 4 +-
 setup/automation/standalone-centos | 77 +++++++++++++++++++++
 setup/automation/standalone-iso | 4 +-
 setup/automation/standalone-ubuntu | 77 +++++++++++++++++++++
 11 files changed, 322 insertions(+), 14 deletions(-)
 create mode 100644 setup/automation/eval-centos
 create mode 100644 setup/automation/eval-ubuntu
 create mode 100644 setup/automation/standalone-centos
 create mode 100644 setup/automation/standalone-ubuntu
diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager
index f44bbc231..051212cdd 100644
--- a/setup/automation/distributed-airgap-manager
+++ b/setup/automation/distributed-airgap-manager
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 #BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap
index ce25a2784..4ab28a795 100644
--- a/setup/automation/eval-airgap
+++ b/setup/automation/eval-airgap
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/eval-ami b/setup/automation/eval-ami
index 288bc7287..a1192c93e 100644
--- a/setup/automation/eval-ami
+++ b/setup/automation/eval-ami
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/eval-centos b/setup/automation/eval-centos
new file mode 100644
index 000000000..d8df5631a
--- /dev/null
+++ b/setup/automation/eval-centos
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+# address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+ALLOW_CIDR=0.0.0.0/0
+ALLOW_ROLE=a
+BASICZEEK=2
+BASICSURI=2
+# BLOGS=
+BNICS=eth1
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=standalone
+install_type=EVAL
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=eth0
+# MSEARCH=
+# MSRV=
+# MTU=
+NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+PLAYBOOK=1
+# REDIRECTHOST=
+REDIRECTINFO=IP
+RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+STRELKA=1
+THEHIVE=1
+WAZUH=1
+WEBUSER=onionuser@somewhere.invalid
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso
index 6e5560028..81b04b9dc 100644
--- a/setup/automation/eval-iso
+++ b/setup/automation/eval-iso
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/eval-ubuntu b/setup/automation/eval-ubuntu
new file mode 100644
index 000000000..a6ec2edad
--- /dev/null
+++ b/setup/automation/eval-ubuntu
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+# address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+ALLOW_CIDR=0.0.0.0/0
+ALLOW_ROLE=a
+BASICZEEK=2
+BASICSURI=2
+# BLOGS=
+BNICS=ens19
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=standalone
+install_type=STANDALONE
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=ens18
+# MSEARCH=
+# MSRV=
+# MTU=
+NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+PLAYBOOK=1
+# REDIRECTHOST=
+REDIRECTINFO=IP
+RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+STRELKA=1
+THEHIVE=1
+WAZUH=1
+WEBUSER=onionuser@somewhere.invalid
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap
index 9ed05a27e..df6dca6b2 100644
--- a/setup/automation/standalone-airgap
+++ b/setup/automation/standalone-airgap
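Review bot: `setup/automation/eval-ubuntu` sets `install_type=STANDALONE` and `HOSTNAME=standalone`, so the profile named for an eval install would actually drive a standalone install; its blob id `a6ec2edad` is identical to standalone-ubuntu's, which suggests the file was copied without being adjusted. The eval-centos profile in the same commit uses `install_type=EVAL` (though it too keeps `HOSTNAME=standalone`), so this line should presumably read `install_type=EVAL`, and a distinct hostname such as `HOSTNAME=eval` would keep the two profiles tellable apart in test logs. If the duplication is intentional, a one-line comment saying why would save the next reader the comparison.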
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/standalone-ami b/setup/automation/standalone-ami
index d32e1fad7..d9e84ebe8 100644
--- a/setup/automation/standalone-ami
+++ b/setup/automation/standalone-ami
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/standalone-centos b/setup/automation/standalone-centos
new file mode 100644
index 000000000..9d223fb4d
--- /dev/null
+++ b/setup/automation/standalone-centos
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+# address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+ALLOW_CIDR=0.0.0.0/0
+ALLOW_ROLE=a
+BASICZEEK=2
+BASICSURI=2
+# BLOGS=
+BNICS=eth1
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=standalone
+install_type=STANDALONE
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=eth0
+# MSEARCH=
+# MSRV=
+# MTU=
+NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+PLAYBOOK=1
+# REDIRECTHOST=
+REDIRECTINFO=IP
+RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+STRELKA=1
+THEHIVE=1
+WAZUH=1
+WEBUSER=onionuser@somewhere.invalid
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r
diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso
index 0561a2883..15b21e2df 100644
--- a/setup/automation/standalone-iso
+++ b/setup/automation/standalone-iso
@@ -23,8 +23,8 @@ ADMINPASS1=onionuser
 ADMINPASS2=onionuser
 ALLOW_CIDR=0.0.0.0/0
 ALLOW_ROLE=a
-BASICZEEK=7
-BASICSURI=7
+BASICZEEK=2
+BASICSURI=2
 # BLOGS=
 BNICS=eth1
 ZEEKVERSION=ZEEK
diff --git a/setup/automation/standalone-ubuntu b/setup/automation/standalone-ubuntu
new file mode 100644
index 000000000..a6ec2edad
--- /dev/null
+++ b/setup/automation/standalone-ubuntu
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
+
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+TESTING=true
+
+# address_type=DHCP
+ADMINUSER=onionuser
+ADMINPASS1=onionuser
+ADMINPASS2=onionuser
+ALLOW_CIDR=0.0.0.0/0
+ALLOW_ROLE=a
+BASICZEEK=2
+BASICSURI=2
+# BLOGS=
+BNICS=ens19
+ZEEKVERSION=ZEEK
+# CURCLOSEDAYS=
+# EVALADVANCED=BASIC
+GRAFANA=1
+# HELIXAPIKEY=
+HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
+HNSENSOR=inherit
+HOSTNAME=standalone
+install_type=STANDALONE
+# LSINPUTBATCHCOUNT=
+# LSINPUTTHREADS=
+# LSPIPELINEBATCH=
+# LSPIPELINEWORKERS=
+MANAGERADV=BASIC
+MANAGERUPDATES=1
+# MDNS=
+# MGATEWAY=
+# MIP=
+# MMASK=
+MNIC=ens18
+# MSEARCH=
+# MSRV=
+# MTU=
+NIDS=Suricata
+# NODE_ES_HEAP_SIZE=
+# NODE_LS_HEAP_SIZE=
+NODESETUP=NODEBASIC
+NSMSETUP=BASIC
+NODEUPDATES=MANAGER
+# OINKCODE=
+OSQUERY=1
+# PATCHSCHEDULEDAYS=
+# PATCHSCHEDULEHOURS=
+PATCHSCHEDULENAME=auto
+PLAYBOOK=1
+# REDIRECTHOST=
+REDIRECTINFO=IP
+RULESETUP=ETOPEN
+# SHARDCOUNT=
+# SKIP_REBOOT=
+SOREMOTEPASS1=onionuser
+SOREMOTEPASS2=onionuser
+STRELKA=1
+THEHIVE=1
+WAZUH=1
+WEBUSER=onionuser@somewhere.invalid
+WEBPASSWD1=0n10nus3r
+WEBPASSWD2=0n10nus3r
From b68685e00e6089b0ca165b8b7316b6f72d35a8b0 Mon Sep 17 00:00:00 2001
From: William Wernert Date: Wed, 13 Jan 2021 17:26:27 -0500 Subject: [PATCH 54/56] [fix] Correct metadata function name --- setup/so-whiptail | 36 +++++++++++++----------------------- 1 file changed, 13 insertions(+), 23 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index f3e612f70..7bbc12042 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -65,17 +65,6 @@ whiptail_basic_zeek() { whiptail_check_exitstatus $exitstatus } -whiptail_zeek_version() { - - [ -n "$TESTING" ] && return - - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ - "ZEEK" "Zeek (formerly known as Bro)" ON \ - "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} whiptail_bond_nics_mtu() { @@ -964,6 +953,19 @@ whiptail_manager_updates_warning() { whiptail_check_exitstatus $exitstatus } +whiptail_metadata_tool() { + + [ -n "$TESTING" ] && return + + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ + "ZEEK" "Zeek (formerly known as Bro)" ON \ + "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_nids() { [ -n "$TESTING" ] && return @@ -1582,15 +1584,3 @@ whiptail_zeek_pins() { IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" } - -whiptail_zeek_version() { - - [ -n "$TESTING" ] && return - - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ - "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} From 2ccf77eaef958c12d9f2369a5792006009e8d5bf Mon Sep 17 00:00:00 2001 
From: Jason Ertel
Date: Wed, 13 Jan 2021 17:29:42 -0500
Subject: [PATCH 55/56] Rename network automation files
---
 setup/automation/{eval-centos => eval-net-centos} | 0
 setup/automation/{eval-ubuntu => eval-net-ubuntu} | 0
 setup/automation/{standalone-centos => standalone-net-centos} | 0
 setup/automation/{standalone-ubuntu => standalone-net-ubuntu} | 0
 4 files changed, 0 insertions(+), 0 deletions(-)
 rename setup/automation/{eval-centos => eval-net-centos} (100%)
 rename setup/automation/{eval-ubuntu => eval-net-ubuntu} (100%)
 rename setup/automation/{standalone-centos => standalone-net-centos} (100%)
 rename setup/automation/{standalone-ubuntu => standalone-net-ubuntu} (100%)
diff --git a/setup/automation/eval-centos b/setup/automation/eval-net-centos
similarity index 100%
rename from setup/automation/eval-centos
rename to setup/automation/eval-net-centos
diff --git a/setup/automation/eval-ubuntu b/setup/automation/eval-net-ubuntu
similarity index 100%
rename from setup/automation/eval-ubuntu
rename to setup/automation/eval-net-ubuntu
diff --git a/setup/automation/standalone-centos b/setup/automation/standalone-net-centos
similarity index 100%
rename from setup/automation/standalone-centos
rename to setup/automation/standalone-net-centos
diff --git a/setup/automation/standalone-ubuntu b/setup/automation/standalone-net-ubuntu
similarity index 100%
rename from setup/automation/standalone-ubuntu
rename to setup/automation/standalone-net-ubuntu
From 9d0dca05b118b17a1396df5f751bee470fe27b6a Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 13 Jan 2021 22:29:58 -0500
Subject: [PATCH 56/56] Adjusted logic on so-tcpreplay to handle init for standalone/eval nodes
---
 salt/common/tools/sbin/so-tcpreplay | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-tcpreplay b/salt/common/tools/sbin/so-tcpreplay
index 8b81c32cf..e8e24a474 100755
--- a/salt/common/tools/sbin/so-tcpreplay
+++ b/salt/common/tools/sbin/so-tcpreplay
@@ -51,13 +51,12 @@ if ! docker ps | grep -q so-tcpreplay; then
 TRUSTED_CONTAINERS=("so-tcpreplay")
 mkdir -p /opt/so/log/tcpreplay
 update_docker_containers "tcpreplay" "" "" "/opt/so/log/tcpreplay/init.log"
- elif is_sensor; then
+ fi
+ if is_sensor; then
 if ! is_manager; then
 echo "Attempting to start replay container. If this fails then you may need to run this command on the manager first."
 fi
 so-tcpreplay-start || fail "Unable to initialize tcpreplay"
- else
- echo "Unable to enable replay functionality on this node type."
 fi
 fi