From 643dab12d0b6b1826e4717d1b96c32983b379b5b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:09:33 -0400 Subject: [PATCH 1/5] Enable airgap --- setup/so-setup | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 30bc10479..8ff274bf5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -193,16 +193,16 @@ if [[ "$setup_type" == 'iso' ]]; then is_iso=true fi -#Check if this is an airgap install +# Check if this is an airgap install -#if [[ $is_manager ]]; then -# if [[ $is_iso ]]; then -# whiptail_airgap -# if [[ "$INTERWEBS" == 'AIRGAP' ]]; then -# is_airgap=true -# fi -# fi -#fi +if [[ $is_manager ]]; then + if [[ $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + fi +fi if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" From 9cff7c1427ca38dbbe024cec862684e451daa3a0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:24:22 -0400 Subject: [PATCH 2/5] Enable airgap functions --- setup/so-functions | 147 ++++++++++++++++++++++++--------------------- setup/so-setup | 2 + 2 files changed, 82 insertions(+), 67 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 73828b091..111f7ce5a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
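Review bot: `is_airgap` is assigned only here and only on the ISO path, so every later test in this series (`[[ $is_manager && $is_airgap ]]` in the patch 3 so-setup hunk, `[[ ! $is_airgap ]]` in the patch 5 set_updates hunk) relies on the variable being unset for a non-airgap install. Those tests check non-emptiness, so a stray `is_airgap` value inherited from the invoking environment would silently switch a connected manager into airgap mode, and if the script runs under `set -u` the unset name would abort it instead. Initialise it explicitly before the block, next to the `is_iso` logic: `is_airgap=`. The same non-empty-means-true idiom means `is_airgap=false` would also count as airgap, so keep the empty-string form.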
@@ -480,72 +480,6 @@ check_requirements() { fi } -copy_salt_master_config() { - - # Copy the Salt master config template to the proper directory - if [ "$setup_type" = 'iso' ]; then - cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 - else - cp ../files/master /etc/salt/master >> "$setup_log" 2>&1 - fi - - # Restart the service so it picks up the changes - systemctl restart salt-master >> "$setup_log" 2>&1 -} - -copy_minion_tmp_files() { - case "$install_type" in - 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') - echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" - cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 - if [ -d "$temp_install_dir"/salt ] ; then - cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 - fi - ;; - *) - { - echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; - ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; - scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; - if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then - if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then - scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; - fi - fi - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; - } >> "$setup_log" 2>&1 - ;; - esac -} - -copy_ssh_key() { - - echo "Generating SSH key" - # Generate SSH key - mkdir -p /root/.ssh - ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero - chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh - echo "Copying the SSH key to the manager" - #Copy the key over to the manager - ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" -} - 
-create_local_directories() { - echo "Creating local pillar and salt directories" - PILLARSALTDIR=${SCRIPTDIR::-5} - for i in "pillar" "salt"; do - for d in $(find $PILLARSALTDIR/$i -type d); do - suffixdir=${d//$PILLARSALTDIR/} - if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 - fi - done - chown -R socore:socore "$local_salt_dir/$i" - done - -} - configure_network_sensor() { echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 
@@ -630,6 +564,77 @@ configure_network_sensor() { fi } +copy_salt_master_config() { + + # Copy the Salt master config template to the proper directory + if [ "$setup_type" = 'iso' ]; then + cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1 + else + cp ../files/master /etc/salt/master >> "$setup_log" 2>&1 + fi + + # Restart the service so it picks up the changes + systemctl restart salt-master >> "$setup_log" 2>&1 +} + +copy_minion_tmp_files() { + case "$install_type" in + 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') + echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" + cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 + if [ -d "$temp_install_dir"/salt ] ; then + cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 + fi + ;; + *) + { + echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; + ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; + ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; + scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; + if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then + if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then + scp -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules; + fi + fi + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID"; + } >> "$setup_log" 2>&1 + ;; + esac +} + +copy_ssh_key() { + + echo "Generating SSH key" + # Generate SSH key + mkdir -p /root/.ssh + ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero + chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh + echo "Copying the SSH key to the manager" + #Copy the key over to the manager + ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" +} + 
+create_local_directories() { + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in $(find $PILLARSALTDIR/$i -type d); do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done + +} + +create_repo() { + # Create the repo for airgap + createrepo /nsm/repo +} + detect_cloud() { echo "Testing if setup is running on a cloud instance..." >> "$setup_log" 2>&1 if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi @@ -1096,7 +1101,15 @@ manager_global() { " ids: $NIDS"\ " url_base: $REDIRECTIT"\ " managerip: $MAINIP" > "$global_pillar" - + + if [[ $is_airgap ]]; then + printf '%s\n'\ + " airgap: True"\ >> "$global_pillar" + else + printf '%s\n'\ + " airgap: False"\ >> "$global_pillar" + fi + # Check if TheHive is enabled. If so, add creds and other details if [[ "$THEHIVE" == "1" ]]; then printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index 8ff274bf5..39b7efe9c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -411,6 +411,8 @@ if [[ $is_manager || $is_import ]]; then whiptail_so_allow; fi whiptail_make_changes +# From here on changes will be made. + if [[ -n "$TURBO" ]]; then use_turbo_proxy fi From 951fe2ac69f4b6c230fd29a40808caba70d24a8d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 1 Sep 2020 11:26:33 -0400 Subject: [PATCH 3/5] Create repo --- setup/so-setup | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 39b7efe9c..f771d7d57 100755 --- a/setup/so-setup +++ b/setup/so-setup 
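Review bot: `create_repo` runs `createrepo /nsm/repo` with no check that the tool is installed or that the directory exists, and it returns whatever status `createrepo` produces, which the only caller in this series (`create_repo >> $setup_log 2>&1` in so-setup) discards. On an ISO host where either precondition is missing the manager would come up with an empty or absent repo and minions configured for `airgap.repo` would fail their first package operation. Two guard lines make the failure explicit and attributable: `[[ -d /nsm/repo ]] || return 1` and `command -v createrepo >/dev/null 2>&1 || return 1`, each with a short message to stderr so it lands in `$setup_log`.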
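Review bot: In the added `printf` lines the `\` before `>>` appears to escape the following space rather than continue a line — the hunk header's count (7 old, 15 new, nine `+` lines) only works out if `"  airgap: True"\ >> "$global_pillar"` is a single line — so printf receives the scalar with a trailing blank and writes `  airgap: True ` to the pillar. YAML parsers drop the trailing space, which is why it still renders as a boolean, but the backslash is a leftover from the multi-line pattern used above and should go: `printf '%s\n' "  airgap: True" >> "$global_pillar"` and the same for the `False` branch. The existing `"  managerip: $MAINIP" > "$global_pillar"` line shows the intended form.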
@@ -462,6 +462,11 @@ fi # Set initial percentage to 0 export percentage=0 + if [[ $is_manager && $is_airgap ]]; then + info "Creating airgap repo" + create_repo >> $setup_log 2>&1 + fi + if [[ $is_minion ]]; then set_progress_str 1 'Configuring firewall' set_initial_firewall_policy >> $setup_log 2>&1 From 9745191f194b31d95e0c703590442e8f8af236d8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 2 Sep 2020 16:17:44 -0400 Subject: [PATCH 4/5] Add Airgap State --- salt/airgap/init.sls | 51 +++++++++++++++++++++++++ salt/nginx/etc/nginx.conf.so-standalone | 16 ++++++++ salt/nginx/init.sls | 4 ++ 3 files changed, 71 insertions(+) create mode 100644 salt/airgap/init.sls diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls new file mode 100644 index 000000000..c5f46e03b --- /dev/null +++ b/salt/airgap/init.sls @@ -0,0 +1,51 @@ +{% set MANAGER = salt['grains.get']('master') %} +{% set IMAGEREPO = salt['pillar.get']('global:airgap') %} +airgap.repo: + pkgrepo.managed: + - humanname: Airgap Repo + - baseurl: https://{{ MANAGER }}/repo + - gpgcheck: 0 + +agbase: + file.absent: + - name: /etc/yum.repos.d/CentOS-Base.repo + +agcr: + file.absent: + - name: /etc/yum.repos.d/CentOS-CR.repo + +agdebug: + file.absent: + - name: /etc/yum.repos.d/CentOS-Debuginfo.repo + +agfasttrack: + file.absent: + - name: /etc/yum.repos.d/CentOS-fasttrack.repo + +agmedia: + file.absent: + - name: /etc/yum.repos.d/CentOS-Media.repo + +agsources: + file.absent: + - name: /etc/yum.repos.d/CentOS-Sources.repo + +agvault: + file.absent: + - name: /etc/yum.repos.d/CentOS-Vault.repo + +agkernel: + file.absent: + - name: /etc/yum.repos.d/CentOS-x86_64-kernel.repo + +agepel: + file.absent: + - name: /etc/yum.repos.d/epel.repo + +agtesting: + file.absent: + - name: /etc/yum.repos.d/epel-testing.repo + +agssrepo: + file.absent: + - name: /etc/yum.repos.d/saltstack.repo \ No newline at end of file 
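Review bot: `create_repo >> $setup_log 2>&1` discards the exit status, so a failed `createrepo` (missing tool, missing `/nsm/repo`, disk error) is only visible in the log while setup carries on to publish a repo that every airgap minion will later depend on. Because nothing else in this flow can repair it, the step should be fatal or at least loudly reported: `create_repo >> $setup_log 2>&1 || { info "Airgap repo creation failed, see $setup_log"; exit 1; }` (or the script's error helper, if it has one). The step also does not call `set_progress_str` like the neighbouring `is_minion` block does, so the UI gives no indication while `createrepo` runs.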
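Review bot: `gpgcheck: 0` disables RPM signature verification for every package a minion installs from `airgap.repo`, so the integrity of installed software rests entirely on the TLS connection to `{{ MANAGER }}` and on whatever controls the manager's nginx applies to `/repo/` (which this series leaves unauthenticated). The safer shape is to keep `gpgcheck: 1` and ship the signing key with the state (`- gpgkey: ...` pointing at a key file distributed alongside the repo), since the packages in `/nsm/repo` are presumably the signed CentOS/SO RPMs anyway; if that is not feasible, add a comment on the `gpgcheck` line recording why and what compensates for it. Note also that yum verifies the server certificate by default, so if the manager's certificate is not trusted by the minion's CA bundle the HTTPS baseurl will be rejected — the tempting workaround (`sslverify: False`) would remove the last remaining integrity check, so the certificate trust should be solved instead. Style: the eleven `file.absent` stanzas could be one Jinja `for` loop over the repo file names, which makes the "remove every distro repo" intent easier to audit.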
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index ceae18cb1..220f86af5 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -2,6 +2,7 @@ {%- set FLEET_MANAGER = salt['pillar.get']('global:fleet_manager') %} {%- set FLEET_NODE = salt['pillar.get']('global:fleet_node') %} {%- set FLEET_IP = salt['pillar.get']('global:fleet_ip', None) %} +{%- set ISAIRGAP = salt['pillar.get']('global:airgap') %} # For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ @@ -182,6 +183,21 @@ http { proxy_set_header X-Forwarded-Proto $scheme; } + {%- if ISAIRGAP is sameas true %} + location /repo/ { + #auth_request /auth/sessions/whoami; + proxy_read_timeout 90; + proxy_connect_timeout 90; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header Proxy ""; + proxy_set_header X-Forwarded-Proto $scheme; + } + + {%- endif %} + + location /grafana/ { auth_request /auth/sessions/whoami; rewrite /grafana/(.*) /$1 break; diff --git a/salt/nginx/init.sls b/salt/nginx/init.sls index 2e67a6b2c..2cb7984db 100644 --- a/salt/nginx/init.sls +++ b/salt/nginx/init.sls @@ -3,6 +3,7 @@ {% set MANAGER = salt['grains.get']('master') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} # Drop the correct nginx config based on role nginxconfdir: 
@@ -72,6 +73,9 @@ so-nginx: - /etc/pki/managerssl.crt:/etc/pki/nginx/server.crt:ro - /etc/pki/managerssl.key:/etc/pki/nginx/server.key:ro - /opt/so/conf/fleet/packages:/opt/socore/html/packages + {% if ISAIRGAP is sameas true %} + - /nsm/repo:/opt/socore/html/repo:ro + {% endif %} # ATT&CK Navigator binds - /opt/so/conf/navigator/navigator_config.json:/opt/socore/html/navigator/assets/config.json:ro - /opt/so/conf/navigator/nav_layer_playbook.json:/opt/socore/html/navigator/assets/playbook.json:ro From b2ee757db2b397f99b2d1e08495c99ce9cf6cd3d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 3 Sep 2020 10:35:12 -0400 Subject: [PATCH 5/5] Airgap Time --- salt/airgap/files/yum.conf | 12 ++++++++++++ salt/airgap/init.sls | 6 +++++- salt/nginx/etc/nginx.conf.so-standalone | 19 +++++++++---------- salt/top.sls | 9 ++++++++- setup/so-functions | 8 +++++--- 5 files changed, 39 insertions(+), 15 deletions(-) create mode 100644 salt/airgap/files/yum.conf diff --git a/salt/airgap/files/yum.conf b/salt/airgap/files/yum.conf new file mode 100644 index 000000000..cbab7607d --- /dev/null +++ b/salt/airgap/files/yum.conf @@ -0,0 +1,12 @@ +[main] +cachedir=/var/cache/yum/$basearch/$releasever +keepcache=0 +debuglevel=2 +logfile=/var/log/yum.log +exactarch=1 +obsoletes=1 +gpgcheck=1 +plugins=1 +installonly_limit=2 +bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum +distroverpkg=centos-release \ No newline at end of file diff --git a/salt/airgap/init.sls b/salt/airgap/init.sls index c5f46e03b..5e972e877 100644 --- a/salt/airgap/init.sls +++ b/salt/airgap/init.sls @@ -1,5 +1,9 @@ {% set MANAGER = salt['grains.get']('master') %} -{% set IMAGEREPO = salt['pillar.get']('global:airgap') %} +airgapyum: + file.managed: + - name: /etc/yum/yum.conf + - source: salt://airgap/files/yum.conf + airgap.repo: pkgrepo.managed: - humanname: Airgap Repo 
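Review bot: The file carries no comment saying why it is shipped or how it differs from the distribution default; it reads like a stock CentOS 7 yum.conf (`gpgcheck=1`, `keepcache=0`, no `proxy=` line), so a header such as `# Managed by the salt airgap state: distro defaults with no proxy= line, so packages come only from the manager repo` would tell the next maintainer what the file is for. Be aware that `gpgcheck=1` here is a `[main]` default and is overridden per-repo by `gpgcheck: 0` in salt/airgap/init.sls, so it does not protect packages fetched from the airgap repo. `bugtracker_url` and the "No newline at end of file" are cosmetic but worth tidying while the file is new.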
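Review bot: `- name: /etc/yum/yum.conf` does not match the `/etc/yum.conf` that `set_updates` edits in this same series (the `@@ -1873` hunk of setup/so-functions), and `/etc/yum.conf` is the path yum reads by default; if that is the live configuration on these hosts, the managed copy is written somewhere yum never consults and the stock file — including any `proxy=` line already present — stays in force. Suggest `- name: /etc/yum.conf` so the state and the setup script agree on one file, and add a one-line comment above `airgapyum` stating that the state intentionally replaces the whole yum configuration. Since the state now owns the file, consider `- mode: 644` so the permissions do not depend on what was there before.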
diff --git a/salt/nginx/etc/nginx.conf.so-standalone b/salt/nginx/etc/nginx.conf.so-standalone index 220f86af5..dca073437 100644 --- a/salt/nginx/etc/nginx.conf.so-standalone +++ b/salt/nginx/etc/nginx.conf.so-standalone @@ -184,16 +184,15 @@ http { } {%- if ISAIRGAP is sameas true %} - location /repo/ { - #auth_request /auth/sessions/whoami; - proxy_read_timeout 90; - proxy_connect_timeout 90; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Proxy ""; - proxy_set_header X-Forwarded-Proto $scheme; - } + location /repo/ { + allow all; + sendfile on; + sendfile_max_chunk 1m; + autoindex on; + autoindex_exact_size off; + autoindex_format html; + autoindex_localtime on; + } {%- endif %} diff --git a/salt/top.sls b/salt/top.sls index 719b367e8..8e0cbad59 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -9,17 +9,24 @@ {%- set STRELKA = salt['pillar.get']('strelka:enabled', '0') -%} {% import_yaml 'salt/minion.defaults.yaml' as salt %} {% set saltversion = salt.salt.minion.version %} - +{% set ISAIRGAP = salt['pillar.get']('global:airgap') %} base: 'not G@saltversion:{{saltversion}}': - match: compound + {% if ISAIRGAP is sameas true %} + - airgap + {% endif %} - salt.minion 'G@os:CentOS and G@saltversion:{{saltversion}}': - match: compound + {% if ISAIRGAP is sameas true %} + - airgap + {% else %} - yum + {% endif %} - yum.packages '* and G@saltversion:{{saltversion}}': diff --git a/setup/so-functions b/setup/so-functions index 111f7ce5a..01dc15c78 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1109,7 +1109,7 @@ manager_global() { printf '%s\n'\ " airgap: False"\ >> "$global_pillar" fi - + # Check if TheHive is enabled. If so, add creds and other details if [[ "$THEHIVE" == "1" ]]; then printf '%s\n'\ 
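Review bot: `allow all;` is nginx's default and, with no `auth_request`, it makes `/repo/` the only location in this file reachable without a session (the neighbouring `location /grafana/` still carries `auth_request /auth/sessions/whoami;`), while `autoindex on` additionally exposes a browsable listing of everything under the bind-mounted `/nsm/repo`. Yum clients cannot complete the session check, so unauthenticated access is probably intended, but the decision should be stated and scoped: replace `allow all;` with a comment such as `# Unauthenticated on purpose: yum on minions cannot carry a web session` and, unless browsing is actually wanted, `autoindex off;`, and consider `allow`/`deny` rules limited to the minion networks. The location has no `root` or `alias`, so it serves from the server block's root — presumably the `/opt/socore/html/repo` bind from salt/nginx/init.sls — which is worth naming in the same comment.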
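Review bot: `salt` is rebound two lines above by `{% import_yaml 'salt/minion.defaults.yaml' as salt %}` (the existing `{% set saltversion = salt.salt.minion.version %}` relies on that rebinding), so the added `salt['pillar.get']('global:airgap')` indexes the imported YAML mapping rather than the execution-module map; unless Salt restores the name, the render either fails or yields an undefined value, in which case `ISAIRGAP is sameas true` is never true and airgap CentOS minions silently fall back to `- yum`. Move the `set` up beside the other `salt['pillar.get']` calls that precede the `import_yaml` line, or rename the import alias so the function map stays reachable. A short comment on the line, e.g. `{# must come before import_yaml, which shadows 'salt' #}`, would stop the next addition from repeating the pattern.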
@@ -1873,8 +1873,10 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then - if ! grep -q "$MSRV" /etc/yum.conf; then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + if [[ ! $is_airgap ]]; then + if ! grep -q "$MSRV" /etc/yum.conf; then + echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + fi fi else # Set it up so the updates roll through the manager
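Review bot: The airgap branch only refrains from appending the proxy line; a `proxy=http://...:3142` entry already present in `/etc/yum.conf` (for example from an earlier non-airgap run on the same host) is left in place, so yum on an airgap minion would keep trying to reach the manager's proxy before the local repo. If re-running setup is supported, the airgap branch should remove such a line rather than just skip adding it, and the intent deserves a comment: `# Airgap: packages come from the manager's local repo, so no update proxy is configured.` Note also that salt/airgap/init.sls in this series manages `/etc/yum/yum.conf` while this function edits `/etc/yum.conf`; the two should agree on one path. `set_updates` continues past the end of the hunk (the non-CentOS `else` branch), so whether that branch needs the same `is_airgap` guard is not visible here.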