Merge branch 'dev' into feature/docker-prune-rework

2025-12-06 17:22:49 +01:00 · 2021-03-01 09:37:47 -05:00
parent 33696398eb 64cc894948
commit 1834e07aad
17 changed files with 438 additions and 246 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -160,10 +160,10 @@ check_network_manager_conf() {
 		} >> "$setup_log" 2>&1
 	fi
 	
-	if test -f "$nmconf"; then
-		sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
-		systemctl restart NetworkManager >> "$setup_log" 2>&1
-	fi
+	#if test -f "$nmconf"; then
+#		sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
+#		systemctl restart NetworkManager >> "$setup_log" 2>&1
+#	fi

 	if [[ ! -d "$preupdir" ]]; then
 		mkdir "$preupdir" >> "$setup_log" 2>&1
@@ -271,7 +271,7 @@ collect_adminuser_inputs() {
 collect_cur_close_days() {
 	whiptail_cur_close_days "$CURCLOSEDAYS"

-	while ! valid_int "$CURCLOSEDAYS" "1"; do
+	while ! valid_int "$CURCLOSEDAYS"; do
 		whiptail_invalid_input
 		whiptail_cur_close_days "$CURCLOSEDAYS"
 	done
@@ -322,7 +322,7 @@ collect_es_cluster_name() {
 collect_es_space_limit() {
 	whiptail_log_size_limit "$log_size_limit"

-	while ! valid_int "$log_size_limit" "1"; do # Upper/lower bounds?
+	while ! valid_int "$log_size_limit"; do # Upper/lower bounds?
 		whiptail_invalid_input
 		whiptail_log_size_limit "$log_size_limit"
 	done
@@ -331,7 +331,7 @@ collect_es_space_limit() {
 collect_fleet_custom_hostname_inputs() {
 	whiptail_fleet_custom_hostname

-	while ! valid_fqdn "$FLEETCUSTOMHOSTNAME" || [[ $FLEETCUSTOMHOSTNAME != "" ]]; do
+	while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do
 		whiptail_invalid_input
 		whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME"
 	done
@@ -368,7 +368,7 @@ collect_gateway() {
 }

 collect_helix_key() {
-	whiptail_helix_apikey # validate?
+	whiptail_helix_apikey
 }

 collect_homenet_mngr() {
@@ -398,7 +398,6 @@ collect_hostname() {

 	whiptail_set_hostname "$HOSTNAME"

-
 	if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
 		if ! (whiptail_avoid_default_hostname); then
 			whiptail_set_hostname
@@ -446,7 +445,7 @@ collect_mngr_hostname() {
 collect_mtu() {
 	whiptail_bond_nics_mtu "1500"

-	while ! valid_int "$MTU" "68"; do
+	while ! valid_int "$MTU" "68" "10000"; do
 		whiptail_invalid_input
 		whiptail_bond_nics_mtu "$MTU"
 	done
@@ -454,20 +453,10 @@ collect_mtu() {

 collect_node_es_heap() {
 	whiptail_node_es_heap "$ES_HEAP_SIZE"
-
-	while ! valid_int "$NODE_ES_HEAP_SIZE"; do
-		whiptail_invalid_input
-		whiptail_node_es_heap "$NODE_ES_HEAP_SIZE"
-	done
 }

 collect_node_ls_heap() {
 	whiptail_node_ls_heap "$LS_HEAP_SIZE"
-
-	while ! valid_int "$NODE_LS_HEAP_SIZE"; do
-		whiptail_invalid_input
-		whiptail_node_ls_heap "$NODE_LS_HEAP_SIZE"
-	done
 }

 collect_node_ls_input() {
@@ -500,7 +489,7 @@ collect_node_ls_pipeline_worker_count() {
 collect_oinkcode() {
 	whiptail_oinkcode

-	while ! valid_string "$OINKCODE" "" "128"; do #TODO: verify max length here
+	while ! valid_string "$OINKCODE" "" "128"; do
 		whiptail_invalid_input
 		whiptail_oinkcode "$OINKCODE"
 	done
@@ -569,6 +558,7 @@ collect_so_allow() {
 collect_soremote_inputs() {
 	whiptail_create_soremote_user
 	SCMATCH=no
+
 	while [[ $SCMATCH != yes ]]; do
 		whiptail_create_soremote_user_password1
 		whiptail_create_soremote_user_password2
@@ -596,11 +586,11 @@ collect_webuser_inputs() {

 	WPMATCH=no
 	while [[ $WPMATCH != yes ]]; do
-	    whiptail_create_web_user_password1
-	    while ! check_password "$WEBPASSWD1"; do
-				whiptail_invalid_pass_characters_warning
-				whiptail_create_web_user_password1
-			done
+		whiptail_create_web_user_password1
+		while ! check_password "$WEBPASSWD1"; do
+			whiptail_invalid_pass_characters_warning
+			whiptail_create_web_user_password1
+		done
 		if echo "$WEBPASSWD1" | so-user valpass >> "$setup_log" 2>&1; then
 			whiptail_create_web_user_password2
 			check_web_pass
@@ -751,14 +741,25 @@ check_sos_appliance() {
 }

 compare_main_nic_ip() {
-	if [[ "$MAINIP" != "$MNIC_IP" ]]; then
-		read -r -d '' message <<- EOM
+	if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
+	  if [[ "$MAINIP" != "$MNIC_IP" ]]; then
+		  read -r -d '' message <<- EOM
 			The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).

-			This is not a supported configuration, please remediate and rerun setup.
-		EOM
-		whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
-		kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+			This has been known to cause installs to fail in some scenarios.
+			
+			Please select whether to continue the install or exit setup to remediate any potential issues.
+			EOM
+			whiptail --title "Security Onion Setup" \
+				--yesno "$message" 10 75 \
+				--yes-button "Continue" --no-button "Exit" --defaultno
+
+			kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+			fi
+	else
+		# Setup uses MAINIP, but since we ignore the equality condition when using a VPN 
+		# just set the variable to the IP of the VPN interface
+		MAINIP=$MNIC_IP
 	fi
 }

@@ -1005,33 +1006,38 @@ disable_ipv6() {
 		sysctl -w net.ipv6.conf.all.disable_ipv6=1
 		sysctl -w net.ipv6.conf.default.disable_ipv6=1
 	}  >> "$setup_log" 2>&1
+        {
+        echo "net.ipv6.conf.all.disable_ipv6 = 1"
+        echo "net.ipv6.conf.default.disable_ipv6 = 1"
+        echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
+        } >> /etc/sysctl.conf
 }

-disable_misc_network_features() {
-	filter_unused_nics
-	if [ ${#filtered_nics[@]} -ne 0 ]; then
-		for unused_nic in "${filtered_nics[@]}"; do
-			if [ -n "$unused_nic" ]; then
-				echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
-
-				# Disable DHCPv4/v6 and autoconnect
-				nmcli con mod "$unused_nic" \
-					ipv4.method disabled \
-					ipv6.method ignore \
-					connection.autoconnect "no" >> "$setup_log" 2>&1
-
-				# Flush any existing IPs
-				ip addr flush "$unused_nic" >> "$setup_log" 2>&1
-			fi
-		done
-	fi
-	# Disable IPv6
-	{ 
-		echo "net.ipv6.conf.all.disable_ipv6 = 1"
-		echo "net.ipv6.conf.default.disable_ipv6 = 1"
-		echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
-	} >> /etc/sysctl.conf
-}
+#disable_misc_network_features() {
+#	filter_unused_nics
+#	if [ ${#filtered_nics[@]} -ne 0 ]; then
+#		for unused_nic in "${filtered_nics[@]}"; do
+#			if [ -n "$unused_nic" ]; then
+#				echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
+#
+#				# Disable DHCPv4/v6 and autoconnect
+#				nmcli con mod "$unused_nic" \
+#					ipv4.method disabled \
+#					ipv6.method ignore \
+#					connection.autoconnect "no" >> "$setup_log" 2>&1
+#
+#				# Flush any existing IPs
+#				ip addr flush "$unused_nic" >> "$setup_log" 2>&1
+#			fi
+#		done
+#	fi
+#	# Disable IPv6
+#	{ 
+#		echo "net.ipv6.conf.all.disable_ipv6 = 1"
+#		echo "net.ipv6.conf.default.disable_ipv6 = 1"
+#		echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
+#	} >> /etc/sysctl.conf
+#}

 docker_install() {

@@ -1223,7 +1229,7 @@ filter_unused_nics() {
 	fi

 	# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
-	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|tun|wg|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
+	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
 	readarray -t filtered_nics <<< "$filtered_nics"
 	
 	nic_list=()
@@ -1720,17 +1726,11 @@ network_setup() {
 		echo "... Verifying all network devices are managed by Network Manager";
 		check_network_manager_conf;

-		echo "... Disabling unused NICs";
-		disable_misc_network_features;
-
-		echo "... Setting ONBOOT for management interface";
-		command -v netplan &> /dev/null || nmcli con mod "$MNIC" connection.autoconnect "yes"
-
 		echo "... Copying 99-so-checksum-offload-disable";
 		cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ;

 		echo "... Modifying 99-so-checksum-offload-disable";
-		sed -i "s/\$MNIC/${MNIC}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
+		sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
 	} >> "$setup_log" 2>&1
 }

@@ -1899,7 +1899,7 @@ saltify() {
 	if [ $OS = 'centos' ]; then
 		set_progress_str 5 'Installing Salt repo'
 		{
-			sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub;
+			sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub;
 			cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
 		} >> "$setup_log" 2>&1
 		set_progress_str 6 'Installing various dependencies'
@@ -1916,14 +1916,14 @@ saltify() {
 				# Download Ubuntu Keys in case manager updates = 1
 				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
 				if [[ ! $is_airgap ]]; then
-				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub"
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub"
 				  logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
 				  logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
 				  logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo"
 				fi
 				set_progress_str 7 'Installing salt-master'
 				if [[ ! $is_iso ]]; then
-				  logCmd "yum -y install salt-master-3002.2"
+				  logCmd "yum -y install salt-master-3002.5"
 				fi
 				systemctl enable salt-master >> "$setup_log" 2>&1
 				;;
@@ -1951,7 +1951,7 @@ saltify() {
 		{
 			if [[ ! $is_iso ]]; then
 			  yum -y install epel-release
-			  yum -y install salt-minion-3002.2\
+			  yum -y install salt-minion-3002.5\
 			   	python3\
 					python36-docker\
 					python36-dateutil\
@@ -2003,8 +2003,8 @@ saltify() {
 			'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR')

 				# Add saltstack repo(s)
-				wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
-				echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
+				wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
+				echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"

 				# Add Docker repo
 				curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
@@ -2012,7 +2012,7 @@ saltify() {

 				# Get gpg keys
 				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
+				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
 				wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
 				wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1

@@ -2025,7 +2025,7 @@ saltify() {
 				set_progress_str 6 'Installing various dependencies'
 				retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1
 				set_progress_str 7 'Installing salt-master'
-				retry 50 10 "apt-get -y install salt-master=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+				retry 50 10 "apt-get -y install salt-master=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1
 				retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1
 				;;
 			*)
@@ -2036,14 +2036,14 @@ saltify() {
 				echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1
 				apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
 				apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
-				echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
+				echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
 				echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
 				;;
 		esac

 		retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
 		set_progress_str 8 'Installing salt-minion & python modules'
-		retry 50 10 "apt-get -y install salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1
+		retry 50 10 "apt-get -y install salt-minion=3002.5+ds-1 salt-common=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1
 		retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1
 		if [[ $OSVER != 'xenial' ]]; then
 			retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging" >> "$setup_log" 2>&1 || exit 1
@@ -2334,8 +2334,6 @@ set_hostname() {

 set_initial_firewall_policy() {

-  set_main_ip
-
  if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi
  if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi