diff --git a/setup/functions.sh b/setup/functions.sh
index 184750d61..ccc1a76d3 100644
--- a/setup/functions.sh
+++ b/setup/functions.sh
@@ -1,3 +1,5 @@
+#!/bin/bash
+
 # Functions
 accept_salt_key_local() {
@@ -16,6 +18,14 @@ accept_salt_key_remote() {
 }
+add_admin_user() {
+
+ # Add an admin user with full sudo rights if this is an ISO install.
+ useradd $ADMINUSER && echo $ADMINUSER:$ADMINPASS1 | chpasswd --crypt-method=SHA512
+ usermod -aG wheel $ADMINUSER
+
+}
+
 add_master_hostfile() {
 echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1
 # Pop up an input to get the IP address
@@ -49,7 +59,7 @@ add_socore_user_notmaster() {
 }
 # Create an auth pillar so that passwords survive re-install
-auth_pillar(){
+auth_pillar() {
 if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
 echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
@@ -128,9 +138,14 @@ calculate_useable_cores() {
 }
-checkin_at_boot() {
- echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
- echo "startup_states: highstate" >> /etc/salt/minion
+check_admin_pass() {
+
+ if [ $ADMINPASS1 == $ADMINPASS2 ]; then
+ APMATCH=yes
+ else
+ whiptail_passwords_dont_match
+ fi
+
 }
 check_hive_init_then_reboot() {
@@ -160,6 +175,13 @@ check_socore_pass() {
 }
+checkin_at_boot() {
+
+ echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
+ echo "startup_states: highstate" >> /etc/salt/minion
+
+}
+
 chown_salt_master() {
 echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1
@@ -168,6 +190,7 @@ chown_salt_master() {
 }
 clear_master() {
+ # Clear out the old master public key in case this is a re-install.
 # This only happens if you re-install the master.
 if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
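Review bot: In add_admin_user the `usermod -aG wheel $ADMINUSER` line runs even when the `useradd`/`chpasswd` pair above it failed, and every expansion is unquoted, so an ADMINUSER or ADMINPASS1 containing whitespace, a glob character or a `:` (the chpasswd field separator) either breaks the command or sets a password other than the one entered. Chain the group change onto the success path and quote: `useradd "$ADMINUSER" && printf '%s:%s\n' "$ADMINUSER" "$ADMINPASS1" | chpasswd --crypt-method=SHA512 && usermod -aG wheel "$ADMINUSER"`. The comment says this is for ISO installs but nothing here checks ISOINSTALL, so that guard presumably lives in the caller and the comment should say so. `wheel` is the CentOS sudo group; on the Ubuntu path that detect_os accepts the group is presumably `sudo`, so this call would fail there.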
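Review bot: The comparison `[ $ADMINPASS1 == $ADMINPASS2 ]` in check_admin_pass is unquoted, so an empty entry on either side makes `[` report an error instead of a mismatch and a password containing spaces or glob characters is word-split before the test; write it as `if [[ "$ADMINPASS1" == "$ADMINPASS2" ]]; then`. APMATCH is only ever set to yes and never cleared, so if the caller re-prompts after whiptail_passwords_dont_match a stale yes from an earlier attempt survives; add `APMATCH=no` in the else branch. The same unquoted `[ $ISOINSTALL == '1' ]` form appears in copy_master_config and salt_master_directories later in this diff.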
@@ -213,7 +236,12 @@ configure_minion() {
 copy_master_config() {
 # Copy the master config template to the proper directory
- cp files/master /etc/salt/master
+ if [ $ISOINSTALL == '1' ]; then
+ cp /root/SecurityOnion/files/master /etc/salt/master
+ else
+ cp ../files/master /etc/salt/master
+ fi
+
 # Restart the service so it picks up the changes -TODO Enable service on CentOS
 service salt-master restart
@@ -229,7 +257,7 @@ copy_minion_tmp_files() {
 scp -prv -i /root/.ssh/so.key $TMP/* socore@$MSRV:/opt/so/saltstack >> $SETUPLOG 2>&1
 fi
- }
+}
 copy_ssh_key() {
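Review bot: Neither `cp` in copy_master_config is checked, so a missing `/root/SecurityOnion/files/master` or a wrong working directory for `../files/master` leaves the stock salt-master config in place while the restart below proceeds as if it had been replaced; add `|| return 1` to both copies (or log to $SETUPLOG as the neighbouring functions do) and quote the test as `if [ "$ISOINSTALL" == '1' ]; then`. The relative `../files/master` depends on the script being run from the setup directory, which is worth stating in the comment. `/root/SecurityOnion` is hard-coded here and again in salt_master_directories; a single variable would keep the two paths in step.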
@@ -242,50 +270,40 @@ copy_ssh_key() {
 }
-network_setup() {
- echo "Setting up Bond" >> $SETUPLOG 2>&1
-
- # Set the MTU
- if [ "$NSMSETUP" != 'ADVANCED' ]; then
- MTU=1500
- fi
-
- # Create the bond interface
- nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
- ipv4.method disabled \
- ipv6.method link-local \
- ethernet.mtu $MTU \
- connection.autoconnect "yes" >> $SETUPLOG 2>&1
-
- for BNIC in ${BNICS[@]}; do
- # Strip the quotes from the NIC names
- BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
- # Turn off various offloading settings for the interface
- for i in rx tx sg tso ufo gso gro lro; do
- ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1
- done
- # Create the slave interface and assign it to the bond
- nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
- ethernet.mtu $MTU \
- connection.autoconnect "yes" >> $SETUPLOG 2>&1
- # Bring the slave interface up
- nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
- done
- # Replace the variable string in the network script
- sed -i "s/\$MAININT/${MAININT}/g" ./install_scripts/disable-checksum-offload.sh >> $SETUPLOG 2>&1
- # Copy the checksum offload script to prevent issues with packet capture
- cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
-}
-
 detect_os() {
 # Detect Base OS
 echo "Detecting Base OS" >> $SETUPLOG 2>&1
 if [ -f /etc/redhat-release ]; then
 OS=centos
+ if grep -q "CentOS Linux release 7" /etc/redhat-release; then
+ OSVER=7
+ elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
+ OSVER=8
+ echo "We currently do not support CentOS $OSVER but we are working on it!"
+ exit
+ else
+ echo "We do not support the version of CentOS you are trying to use"
+ exit
+ fi
+
+ # Install bind-utils so the host command exists
 yum -y install bind-utils
+
+
 elif [ -f /etc/os-release ]; then
 OS=ubuntu
+ if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
+ OSVER=bionic
+ echo "We currently don't support Ubuntu $OSVER but we are working on it!"
+ exit
+ elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
+ OSVER=xenial
+ else
+ echo "We do not support your current version of Ubuntu"
+ exit
+ fi
+
 # Install netowrk manager so we can do interface stuff
 apt install -y network-manager
 /bin/systemctl enable network-manager
 /bin/systemctl start network-manager
@@ -296,6 +314,15 @@ detect_os() {
 }
+
+disable_onion_user() {
+
+ # Disable the default account cause security.
+ usermod -L onion
+
+}
+
+
 docker_install() {
 if [ $OS == 'centos' ]; then
@@ -363,12 +390,6 @@ es_heapsize() {
 }
-eval_mode_hostsfile() {
-
- echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
-
-}
-
 filter_nics() {
 # Filter the NICs that we don't want to see in setup
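Review bot: The four unsupported-release branches added to detect_os end in a bare `exit`, which returns the status of the preceding `echo` (0), so anything wrapping the installer sees a successful run on CentOS 8, bionic or an unknown release; use `exit 1` in each and send the message to stderr with `>&2` so it is not swallowed into captured output. The `grep -q "CentOS Linux release 7"` test is a substring match on /etc/redhat-release, so any 7.x point release passes — a comment saying so would save the next reader checking. detect_os continues past the end of the hunk.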
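Review bot: `usermod -L onion` in disable_onion_user locks only the password field, so the default account still accepts key-based SSH logins and keeps whatever sudo rights it has; if the intent is to retire it, expire the account as well (`usermod -L --expiredate 1970-01-02 onion`) or delete it once add_admin_user has created the replacement. The exit status is unchecked and nothing is written to $SETUPLOG, so a missing onion user on a non-ISO system passes silently; log it like the neighbouring functions do and check the status, e.g. `usermod -L onion >> $SETUPLOG 2>&1 || return 1`.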
@@ -567,6 +588,41 @@ minio_generate_keys() {
 }
+network_setup() {
+ echo "Setting up Bond" >> $SETUPLOG 2>&1
+
+ # Set the MTU
+ if [ "$NSMSETUP" != 'ADVANCED' ]; then
+ MTU=1500
+ fi
+
+ # Create the bond interface
+ nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
+ ipv4.method disabled \
+ ipv6.method link-local \
+ ethernet.mtu $MTU \
+ connection.autoconnect "yes" >> $SETUPLOG 2>&1
+
+ for BNIC in ${BNICS[@]}; do
+ # Strip the quotes from the NIC names
+ BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
+ # Turn off various offloading settings for the interface
+ for i in rx tx sg tso ufo gso gro lro; do
+ ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1
+ done
+ # Create the slave interface and assign it to the bond
+ nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
+ ethernet.mtu $MTU \
+ connection.autoconnect "yes" >> $SETUPLOG 2>&1
+ # Bring the slave interface up
+ nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
+ done
+ # Replace the variable string in the network script
+ sed -i "s/\$MAININT/${MAININT}/g" ./install_scripts/disable-checksum-offload.sh >> $SETUPLOG 2>&1
+ # Copy the checksum offload script to prevent issues with packet capture
+ cp ../install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
+}
+
 node_pillar() {
 NODEPILLARPATH=$TMP/pillar/nodes
@@ -923,18 +979,6 @@ salt_checkin() {
 }
-salt_checkin_message() {
-
- # Warn the user that this might take a while
- echo "####################################################"
- echo "## ##"
- echo "## Applying and Installing everything ##"
- echo "## (This will take a while) ##"
- echo "## ##"
- echo "####################################################"
-
-}
-
 salt_firstcheckin() {
 #First Checkin
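Review bot: In the re-added network_setup the `cp` now reads `../install_scripts/disable-checksum-offload.sh`, but the `sed -i` two lines above still edits `./install_scripts/disable-checksum-offload.sh`, so the $MAININT substitution is applied to a different file (or fails, with the error hidden in $SETUPLOG) and the dispatcher script installed under /etc/NetworkManager keeps the literal `$MAININT`; point the sed at `../install_scripts/disable-checksum-offload.sh` as well. `for BNIC in ${BNICS[@]}` should be `"${BNICS[@]}"`; a comment on where BNICS is populated and why its entries carry quotes would explain the echo|tr strip. When NSMSETUP is ADVANCED, MTU is assumed to have been set elsewhere — presumably by the advanced prompt — and the comment should say so.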
@@ -949,10 +993,17 @@ salt_master_directories() {
 mkdir -p /opt/so/saltstack/pillar
 # Copy over the salt code and templates
- cp -R pillar/* /opt/so/saltstack/pillar/
+ if [ $ISOINSTALL == '1' ]; then
+ cp /root/SecurityOnion/pillar/* /opt/so/saltstack/pillar/
+ cp /root/SecurityOnion/salt/* /opt/so/saltstack/salt/
+ else
+ # if ISO /root/SecurityOnion/blah
+ cp -R ../pillar/* /opt/so/saltstack/pillar/
+ cp -R ../salt/* /opt/so/saltstack/salt/
+ fi
+
 chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh
 chmod +x /opt/so/saltstack/pillar/data/addtotab.sh
- cp -R salt/* /opt/so/saltstack/salt/
 }
@@ -1075,6 +1126,22 @@ set_initial_firewall_policy() {
 }
+# Set up the management interface on the ISO
+set_management_interface() {
+
+ if [ $ADDRESSTYPE == 'DHCP' ]; then
+ /usr/bin/nmcli con up $MNIC
+ /usr/bin/nmcli con mod $MNIC connection.autoconnect yes
+ else
+ # Set Static IP
+ /usr/bin/nmcli con mod $MNIC ipv4.addresses $MIP/$MMASK ipv4.gateway $MGATEWAY \
+ ipv4.dns $MDNS ipv4.dns-search $MSEARCH ipv4.method manual
+ /usr/bin/nmcli con up $MNIC
+ /usr/bin/nmcli con mod $MNIC connection.autoconnect yes
+ fi
+
+}
+
 set_node_type() {
 # Determine the node type based on whiplash choice
diff --git a/setup/so-setup.sh b/setup/so-setup.sh
index 837cf6d6e..a70361976 100644
--- a/setup/so-setup.sh
+++ b/setup/so-setup.sh
@@ -17,7 +17,16 @@
 # Source the other pieces of the setup
 source functions.sh
-source whiplash.sh
+source whiptail.sh
+
+# See if this is an ISO install
+OPTIONS=$1
+
+if [[ $OPTIONS = 'iso' ]]; then
+ ISOINSTALL=1
+else
+ ISOINSTALL=0
+fi
 # Global Variables
 HOSTNAME=$(cat /etc/hostname)
@@ -49,8 +58,6 @@ if (whiptail_you_sure); then
 # Create a temp dir to get started
 install_prep
- # Determine if this is a network install or ISO install - # Let folks know they need their management interface already set up. whiptail_network_notice
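Review bot: The ISO branch in salt_master_directories drops the `-R` that the non-ISO branch (and the removed `cp -R salt/*` line) use, so `cp /root/SecurityOnion/pillar/*` and `cp /root/SecurityOnion/salt/*` skip every subdirectory, and the `chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh` that follows fails on ISO installs because pillar/firewall was never copied; use `cp -R` on both ISO lines. The comment `# if ISO /root/SecurityOnion/blah` sits in the else branch and describes the other branch; drop it or move it above the `if`.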
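Review bot: In set_management_interface every nmcli argument is unquoted and no call is checked: an empty MNIC, MIP, MMASK, MGATEWAY, MDNS or MSEARCH shifts the remaining words into the wrong property, and on the static path a failed `nmcli con mod` is followed by `nmcli con up` anyway, which can bring the management link up with its previous addressing. Quote the expansions (`"$MNIC"`, `"$MIP/$MMASK"`, `"$MGATEWAY"`, …) and chain the three static calls with `&&` or `|| return 1`. The DHCP branch never sets `ipv4.method auto`, so it presumably relies on the connection profile already being DHCP; the comment should state that assumption.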
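Review bot: The new ISO check in so-setup.sh treats any argument other than the exact string `iso` as a network install, so a typo such as `ISO` or a stray extra argument silently picks the wrong path and the ISO-only functions (add_admin_user, set_management_interface) never run. Consider rejecting unknown values, e.g. `[[ -z $OPTIONS || $OPTIONS == 'iso' ]] || { printf 'usage: %s [iso]\n' "$0" >&2; exit 1; }`, and noting in the comment that ISOINSTALL is consumed by copy_master_config and salt_master_directories in functions.sh.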
diff --git a/setup/whiplash.sh b/setup/whiptail.sh
similarity index 98%
rename from setup/whiplash.sh
rename to setup/whiptail.sh
index 1806588ae..637ac8cdd 100644
--- a/setup/whiplash.sh
+++ b/setup/whiptail.sh
@@ -36,8 +36,10 @@ whiptail_bro_pins() {
 whiptail_bro_version() {
- BROVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate meta data?" 20 78 4 "ZEEK" "Install Zeek (aka Bro)" ON \
- "COMMUNITY" "Install Community NSM" OFF "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3)
+ BROVERSION=$(whiptail --title "Security Onion Setup" \
+ --radiolist "What tool would you like to use to generate meta data?" 20 78 4 \
+ "ZEEK" "Install Zeek (aka Bro)" ON \
+ "SURICATA" "SUPER EXPERIMENTAL" OFF 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -170,10 +172,10 @@ whiptail_install_type() {
 "SENSORONLY" "Create a forward only sensor" ON \
 "STORAGENODE" "Add a Storage Hot Node with parsing" OFF \
 "MASTERONLY" "Start a new grid" OFF \
+ "EVALMODE" "Evaluate all the things" OFF \
 "PARSINGNODE" "TODO Add a dedicated Parsing Node" OFF \
 "HOTNODE" "TODO Add a Hot Node (Storage Node without Parsing)" OFF \
 "WARMNODE" "TODO Add a Warm Node to an existing Hot or Storage node" OFF \
- "EVALMODE" "Evaluate all the things" OFF \
 "WAZUH" "TODO Stand Alone Wazuh Node" OFF \
 "STRELKA" "TODO Stand Alone Strelka Node" OFF \
 "FLEET" "TODO Stand Alone Fleet OSQuery Node" OFF 3>&1 1>&2 2>&3 )