[fix] Double quote variables + fix indents

This commit is contained in:
William Wernert
2020-04-18 18:06:30 -04:00
parent 56326026b7
commit 2127924066
2 changed files with 404 additions and 399 deletions


@@ -16,18 +16,18 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
SCRIPTDIR=$(dirname "$0") SCRIPTDIR=$(dirname "$0")
source $SCRIPTDIR/so-whiptail source "$SCRIPTDIR/so-whiptail"
SOVERSION=1.2.1 SOVERSION=1.2.1
accept_salt_key_local() { accept_salt_key_local() {
echo "Accept the key locally on the master" >> $SETUPLOG 2>&1 echo "Accept the key locally on the master" >> "$SETUPLOG" 2>&1
# Accept the key locally on the master # Accept the key locally on the master
salt-key -ya $MINION_ID salt-key -ya $MINION_ID
} }
accept_salt_key_remote() { accept_salt_key_remote() {
echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1 echo "Accept the key remotely on the master" >> "$SETUPLOG" 2>&1
# Delete the key just in case. # Delete the key just in case.
ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -d $MINION_ID -y ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -d $MINION_ID -y
salt-call state.apply ca salt-call state.apply ca
@@ -35,6 +35,7 @@ accept_salt_key_remote() {
} }
add_admin_user() { add_admin_user() {
# Add an admin user with full sudo rights if this is an ISO install. # Add an admin user with full sudo rights if this is an ISO install.
@@ -44,7 +45,7 @@ add_admin_user() {
} }
add_master_hostfile() { add_master_hostfile() {
echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1 echo "Checking if I can resolve master. If not add to hosts file" >> "$SETUPLOG" 2>&1
# Pop up an input to get the IP address # Pop up an input to get the IP address
MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -86,7 +87,7 @@ add_soremote_user_master() {
} }
add_socore_user_notmaster() { add_socore_user_notmaster() {
echo "Add socore user on non master" >> $SETUPLOG 2>&1 echo "Add socore user on non master" >> "$SETUPLOG" 2>&1
# Add socore user to the non master system. Probably not a bad idea to make system user # Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
@@ -120,7 +121,7 @@ add_web_user() {
secrets_pillar(){ secrets_pillar(){
if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
echo "Creating Secrets Pillar" >> $SETUPLOG 2>&1 echo "Creating Secrets Pillar" >> "$SETUPLOG" 2>&1
mkdir -p /opt/so/saltstack/pillar mkdir -p /opt/so/saltstack/pillar
echo "secrets:" >> /opt/so/saltstack/pillar/secrets.sls echo "secrets:" >> /opt/so/saltstack/pillar/secrets.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/secrets.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/secrets.sls
@@ -133,7 +134,7 @@ secrets_pillar(){
# Enable Bro Logs # Enable Bro Logs
bro_logs_enabled() { bro_logs_enabled() {
echo "Enabling Bro Logs" >> $SETUPLOG 2>&1 echo "Enabling Bro Logs" >> "$SETUPLOG" 2>&1
echo "brologs:" > pillar/brologs.sls echo "brologs:" > pillar/brologs.sls
echo " enabled:" >> pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls
@@ -235,15 +236,15 @@ check_network_manager_conf() {
mv "$gmdconf" "${gmdconf}.bak" mv "$gmdconf" "${gmdconf}.bak"
touch "$gmdconf" touch "$gmdconf"
systemctl restart NetworkManager systemctl restart NetworkManager
} >> $SETUPLOG 2>&1 } >> "$SETUPLOG" 2>&1
fi fi
if test -f "$nmconf"; then if test -f "$nmconf"; then
sed -i 's/managed=false/managed=true/g' "$nmconf" >> $SETUPLOG 2>&1 sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$SETUPLOG" 2>&1
fi fi
if [[ ! -d "$preupdir" ]]; then if [[ ! -d "$preupdir" ]]; then
mkdir "$preupdir" >> $SETUPLOG 2>&1 mkdir "$preupdir" >> "$SETUPLOG" 2>&1
fi fi
} }
@@ -268,13 +269,13 @@ check_web_pass() {
} }
checkin_at_boot() { checkin_at_boot() {
echo "Enabling checkin at boot" >> $SETUPLOG 2>&1 echo "Enabling checkin at boot" >> "$SETUPLOG" 2>&1
echo "startup_states: highstate" >> /etc/salt/minion echo "startup_states: highstate" >> /etc/salt/minion
} }
chown_salt_master() { chown_salt_master() {
echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1 echo "Chown the salt dirs on the master for socore" >> "$SETUPLOG" 2>&1
chown -R socore:socore /opt/so chown -R socore:socore /opt/so
} }
@@ -283,7 +284,7 @@ clear_master() {
# Clear out the old master public key in case this is a re-install. # Clear out the old master public key in case this is a re-install.
# This only happens if you re-install the master. # This only happens if you re-install the master.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
echo "Clearing old master key" >> $SETUPLOG 2>&1 echo "Clearing old master key" >> "$SETUPLOG" 2>&1
rm /etc/salt/pki/minion/minion_master.pub rm /etc/salt/pki/minion/minion_master.pub
service salt-minion restart service salt-minion restart
fi fi
@@ -294,7 +295,7 @@ configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not # You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1 local TYPE=$1
echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1 echo "Configuring minion type as $TYPE" >> "$SETUPLOG" 2>&1
touch /etc/salt/grains touch /etc/salt/grains
echo "role: so-$TYPE" > /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains
if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ] || [ $TYPE == 'mastersearch' ]; then if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ] || [ $TYPE == 'mastersearch' ]; then
@@ -346,17 +347,17 @@ copy_minion_tmp_files() {
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack" echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> "$SETUPLOG" 2>&1
if [ -d $TMP/salt ] ; then if [ -d $TMP/salt ] ; then
cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 cp -Rv $TMP/salt/ /opt/so/saltstack/ >> "$SETUPLOG" 2>&1
fi fi
else else
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack" echo "scp pillar and salt files in $TMP to master /opt/so/saltstack"
ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/pillar >> $SETUPLOG 2>&1 ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/pillar >> "$SETUPLOG" 2>&1
ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/schedules >> $SETUPLOG 2>&1 ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/schedules >> "$SETUPLOG" 2>&1
scp -prv -i /root/.ssh/so.key $TMP/pillar/minions/* soremote@$MSRV:/tmp/$MINION_ID/pillar/ >> $SETUPLOG 2>&1 scp -prv -i /root/.ssh/so.key $TMP/pillar/minions/* soremote@$MSRV:/tmp/$MINION_ID/pillar/ >> "$SETUPLOG" 2>&1
scp -prv -i /root/.ssh/so.key $TMP/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules >> $SETUPLOG 2>&1 scp -prv -i /root/.ssh/so.key $TMP/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules >> "$SETUPLOG" 2>&1
ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/salt/master/files/add_minion.sh $MINION_ID >> $SETUPLOG 2>&1 ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/salt/master/files/add_minion.sh $MINION_ID >> "$SETUPLOG" 2>&1
fi fi
@@ -377,11 +378,11 @@ copy_ssh_key() {
create_sensor_bond() { create_sensor_bond() {
echo "Setting up sensor bond" >> $SETUPLOG 2>&1 echo "Setting up sensor bond" >> "$SETUPLOG" 2>&1
local nic_error=0 local nic_error=0
check_network_manager_conf >> $SETUPLOG 2>&1 check_network_manager_conf >> "$SETUPLOG" 2>&1
# Set the MTU # Set the MTU
if [[ $NSMSETUP != 'ADVANCED' ]]; then if [[ $NSMSETUP != 'ADVANCED' ]]; then
@@ -393,15 +394,15 @@ create_sensor_bond() {
ipv4.method disabled \ ipv4.method disabled \
ipv6.method ignore \ ipv6.method ignore \
ethernet.mtu $MTU \ ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1 connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
for BNIC in ${BNICS[@]}; do for BNIC in "${BNICS[@]}"; do
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
# Check if specific offload features are able to be disabled # Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
if ethtool -k $BONDNIC | egrep $string | egrep -q "on [fixed]"; then if ethtool -k "$BONDNIC" | grep -e $string | grep -eq "on [fixed]"; then
echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> $SETUPLOG 2>&1 echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$SETUPLOG" 2>&1
nic_error=1 nic_error=1
break break
fi fi
@@ -409,15 +410,15 @@ create_sensor_bond() {
# Turn off various offloading settings for the interface # Turn off various offloading settings for the interface
for i in rx tx sg tso ufo gso gro lro; do for i in rx tx sg tso ufo gso gro lro; do
ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1 ethtool -K "$BONDNIC" $i off >> "$SETUPLOG" 2>&1
done done
# Create the slave interface and assign it to the bond # Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \
ethernet.mtu $MTU \ ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1 connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 # Bring the slave interface up nmcli con up "bond0-slave-$BONDNIC" >> "$SETUPLOG" 2>&1 # Bring the slave interface up
done done
if [ $nic_error != 0 ]; then if [ $nic_error != 0 ]; then
@@ -425,10 +426,11 @@ create_sensor_bond() {
fi fi
} }
# keep ">> $SETUPLOG" syntax
detect_os() { detect_os() {
# Detect Base OS # Detect Base OS
echo "Detecting Base OS" >> $SETUPLOG 2>&1 echo "Detecting Base OS" >> "$SETUPLOG" 2>&1
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
OS=centos OS=centos
if grep -q "CentOS Linux release 7" /etc/redhat-release; then if grep -q "CentOS Linux release 7" /etc/redhat-release; then
@@ -443,7 +445,7 @@ detect_os() {
fi fi
# Install bind-utils so the host command exists # Install bind-utils so the host command exists
yum -y install bind-utils yum -y install bind-utils >> "$SETUPLOG" 2>&1
elif [ -f /etc/os-release ]; then elif [ -f /etc/os-release ]; then
@@ -457,15 +459,18 @@ detect_os() {
exit exit
fi fi
# Install network manager so we can do interface stuff # Install network manager so we can do interface stuff
apt-get install -y network-manager {
/bin/systemctl enable NetworkManager apt-get install -y network-manager;
/bin/systemctl start NetworkManager systemctl enable NetworkManager;
systemctl start NetworkManager;
} >> "$SETUPLOG" 2<&1
else else
echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1 echo "We were unable to determine if you are using a supported OS." >> "$SETUPLOG" 2>&1
exit exit
fi fi
echo "Found OS: $OS $OSVER" >> $SETUPLOG 2>&1 echo "Found OS: $OS $OSVER" >> "$SETUPLOG" 2>&1
} }
@@ -486,15 +491,15 @@ disable_onion_user() {
} }
disable_misc_network_features() { disable_misc_network_features() {
for UNUSED_NIC in ${FNICS[@]}; do for UNUSED_NIC in "${FNICS[@]}"; do
# Disable DHCPv4/v6 and autoconnect # Disable DHCPv4/v6 and autoconnect
nmcli con mod "$UNUSED_NIC" \ nmcli con mod "$UNUSED_NIC" \
ipv4.method disabled \ ipv4.method disabled \
ipv6.method ignore \ ipv6.method ignore \
connection.autoconnect "no" >> $SETUPLOG 2>&1 connection.autoconnect "no" >> "$SETUPLOG" 2>&1
# Flush any existing IPs # Flush any existing IPs
ip addr flush "$UNUSED_NIC" >> $SETUPLOG 2>&1 ip addr flush "$UNUSED_NIC" >> "$SETUPLOG" 2>&1
# Disable IPv6 # Disable IPv6
{ {
@@ -515,12 +520,12 @@ docker_install() {
yum -y install docker-ce python36-docker yum -y install docker-ce python36-docker
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then
docker_registry docker_registry
echo "Restarting Docker" >> $SETUPLOG 2>&1 echo "Restarting Docker" >> "$SETUPLOG" 2>&1
systemctl restart docker systemctl restart docker
systemctl enable docker systemctl enable docker
else else
docker_registry docker_registry
echo "Restarting Docker" >> $SETUPLOG 2>&1 echo "Restarting Docker" >> "$SETUPLOG" 2>&1
systemctl restart docker systemctl restart docker
systemctl enable docker systemctl enable docker
fi fi
@@ -528,27 +533,27 @@ docker_install() {
else else
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then
apt-get update >> $SETUPLOG 2>&1 apt-get update >> "$SETUPLOG" 2>&1
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1 apt-get -y install docker-ce python3-docker >> "$SETUPLOG" 2>&1
else else
apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1 apt-get -y install docker-ce python-docker >> "$SETUPLOG" 2>&1
fi fi
docker_registry >> $SETUPLOG 2>&1 docker_registry >> "$SETUPLOG" 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1 echo "Restarting Docker" >> "$SETUPLOG" 2>&1
systemctl restart docker >> $SETUPLOG 2>&1 systemctl restart docker >> "$SETUPLOG" 2>&1
else else
apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1 apt-key add $TMP/gpg/docker.pub >> "$SETUPLOG" 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1 add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> "$SETUPLOG" 2>&1
apt-get update >> $SETUPLOG 2>&1 apt-get update >> "$SETUPLOG" 2>&1
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1 apt-get -y install docker-ce python3-docker >> "$SETUPLOG" 2>&1
else else
apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1 apt-get -y install docker-ce python-docker >> "$SETUPLOG" 2>&1
fi fi
docker_registry >> $SETUPLOG 2>&1 docker_registry >> "$SETUPLOG" 2>&1
echo "Restarting Docker" >> $SETUPLOG 2>&1 echo "Restarting Docker" >> "$SETUPLOG" 2>&1
systemctl restart docker >> $SETUPLOG 2>&1 systemctl restart docker >> "$SETUPLOG" 2>&1
fi fi
fi fi
@@ -556,13 +561,13 @@ docker_install() {
docker_registry() { docker_registry() {
echo "Setting up Docker Registry" >> $SETUPLOG 2>&1 echo "Setting up Docker Registry" >> "$SETUPLOG" 2>&1
mkdir -p /etc/docker >> $SETUPLOG 2>&1 mkdir -p /etc/docker >> "$SETUPLOG" 2>&1
# Make the host use the master docker registry # Make the host use the master docker registry
echo "{" > /etc/docker/daemon.json echo "{" > /etc/docker/daemon.json
echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1 echo "Docker Registry Setup - Complete" >> "$SETUPLOG" 2>&1
} }
docker_seed_registry() { docker_seed_registry() {
@@ -751,13 +756,11 @@ get_redirect() {
} }
got_root() { got_root() {
# Make sure you are root # Make sure you are root
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 exit 1
fi fi
} }
install_cleanup() { install_cleanup() {
@@ -784,7 +787,7 @@ install_master() {
# Install the salt master package # Install the salt master package
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
#yum -y install wget salt-common salt-master python36-mysql python36-dateutil python36-m2crypto >> $SETUPLOG 2>&1 #yum -y install wget salt-common salt-master python36-mysql python36-dateutil python36-m2crypto >> "$SETUPLOG" 2>&1
echo "" echo ""
# Create a place for the keys for Ubuntu minions # Create a place for the keys for Ubuntu minions
#mkdir -p /opt/so/gpg #mkdir -p /opt/so/gpg
@@ -924,22 +927,22 @@ minio_generate_keys() {
} }
network_setup() { network_setup() {
echo "Finishing up network setup" >> $SETUPLOG 2>&1 echo "Finishing up network setup" >> "$SETUPLOG" 2>&1
echo "... Verifying all network devices are managed by Network Manager" >> $SETUPLOG 2>&1 echo "... Verifying all network devices are managed by Network Manager" >> "$SETUPLOG" 2>&1
check_network_manager_conf >> $SETUPLOG 2>&1 check_network_manager_conf >> "$SETUPLOG" 2>&1
echo "... Disabling unused NICs" >> $SETUPLOG 2>&1 echo "... Disabling unused NICs" >> "$SETUPLOG" 2>&1
disable_misc_network_features >> $SETUPLOG 2>&1 disable_misc_network_features >> "$SETUPLOG" 2>&1
echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1 echo "... Setting ONBOOT for management interface" >> "$SETUPLOG" 2>&1
nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1 nmcli con mod $MAININT connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
echo "... Copying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Copying 99-so-checksum-offload-disable" >> "$SETUPLOG" 2>&1
cp $SCRIPTDIR/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1 cp $SCRIPTDIR/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> "$SETUPLOG" 2>&1
echo "... Modifying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Modifying 99-so-checksum-offload-disable" >> "$SETUPLOG" 2>&1
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1 sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> "$SETUPLOG" 2>&1
} }
node_pillar() { node_pillar() {
@@ -988,17 +991,17 @@ patch_schedule_os_new() {
mkdir -p $OSPATCHSCHEDULEDIR mkdir -p $OSPATCHSCHEDULEDIR
fi fi
echo "patch:" > $OSPATCHSCHEDULE echo "patch:" > "$OSPATCHSCHEDULE"
echo " os:" >> $OSPATCHSCHEDULE echo " os:" >> "$OSPATCHSCHEDULE"
echo " schedule:" >> $OSPATCHSCHEDULE echo " schedule:" >> "$OSPATCHSCHEDULE"
for psd in "${PATCHSCHEDULEDAYS[@]}" for psd in "${PATCHSCHEDULEDAYS[@]}"
do do
psd=$(echo $psd | sed 's/"//g') psd="${psd//\"/}"
echo " - $psd:" >> $OSPATCHSCHEDULE echo " - $psd:" >> "$OSPATCHSCHEDULE"
for psh in "${PATCHSCHEDULEHOURS[@]}" for psh in "${PATCHSCHEDULEHOURS[@]}"
do do
psh=$(echo $psh | sed 's/"//g') psh="${psh//\"/}"
echo " - '$psh'" >> $OSPATCHSCHEDULE echo " - '$psh'" >> "$OSPATCHSCHEDULE"
done done
done done
@@ -1230,7 +1233,7 @@ EOF
fi fi
# Add the pre-requisites for installing docker-ce # Add the pre-requisites for installing docker-ce
apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl jq >> $SETUPLOG 2>&1 apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl jq >> "$SETUPLOG" 2>&1
# Grab the version from the os-release file # Grab the version from the os-release file
UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
@@ -1267,13 +1270,13 @@ EOF
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos # Initialize the new repos
apt-get update >> $SETUPLOG 2>&1 apt-get update >> "$SETUPLOG" 2>&1
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> "$SETUPLOG" 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
else else
# Need to add python packages here # Need to add python packages here
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> "$SETUPLOG" 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
fi fi
else else
@@ -1288,13 +1291,13 @@ EOF
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos # Initialize the new repos
apt-get update >> $SETUPLOG 2>&1 apt-get update >> "$SETUPLOG" 2>&1
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1 apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> "$SETUPLOG" 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
else else
# Need to add python packages here # Need to add python packages here
apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1 apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> "$SETUPLOG" 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
fi fi
fi fi
@@ -1307,25 +1310,25 @@ salt_checkin() {
# Master State to Fix Mine Usage # Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then
echo "Building Certificate Authority" echo "Building Certificate Authority"
salt-call state.apply ca >> $SETUPLOG 2>&1 salt-call state.apply ca >> "$SETUPLOG" 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***" echo " *** Restarting Salt to fix any SSL errors. ***"
service salt-master restart >> $SETUPLOG 2>&1 service salt-master restart >> "$SETUPLOG" 2>&1
sleep 5 sleep 5
service salt-minion restart >> $SETUPLOG 2>&1 service salt-minion restart >> "$SETUPLOG" 2>&1
sleep 15 sleep 15
echo " Applyng a mine hack " echo " Applyng a mine hack "
salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1 salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> "$SETUPLOG" 2>&1
echo " Applying SSL state " echo " Applying SSL state "
salt-call state.apply ssl >> $SETUPLOG 2>&1 salt-call state.apply ssl >> "$SETUPLOG" 2>&1
echo "Still Working... Hang in there" echo "Still Working... Hang in there"
#salt-call state.highstate #salt-call state.highstate
else else
# Run Checkin # Run Checkin
salt-call state.apply ca >> $SETUPLOG 2>&1 salt-call state.apply ca >> "$SETUPLOG" 2>&1
salt-call state.apply ssl >> $SETUPLOG 2>&1 salt-call state.apply ssl >> "$SETUPLOG" 2>&1
#salt-call state.highstate >> $SETUPLOG 2>&1 #salt-call state.highstate >> "$SETUPLOG" 2>&1
fi fi
@@ -1334,7 +1337,7 @@ salt_checkin() {
salt_firstcheckin() { salt_firstcheckin() {
#First Checkin #First Checkin
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> "$SETUPLOG" 2>&1
} }
@@ -1364,7 +1367,7 @@ salt_install_mysql_deps() {
yum -y install mariadb-devel yum -y install mariadb-devel
elif [ $OS == 'ubuntu' ]; then elif [ $OS == 'ubuntu' ]; then
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
apt-get -y install python3-mysqldb >> $SETUPLOG 2>&1 apt-get -y install python3-mysqldb >> "$SETUPLOG" 2>&1
else else
apt-get -y install python-mysqldb apt-get -y install python-mysqldb
fi fi
@@ -1426,9 +1429,9 @@ set_environment_var() {
set_hostname() { set_hostname() {
echo 'set_hostname called' >> $SETUPLOG 2>&1 echo 'set_hostname called' >> "$SETUPLOG" 2>&1
echo $TESTHOST >> $SETUPLOG 2>&1 echo $TESTHOST >> "$SETUPLOG" 2>&1
echo $INSTALLTYPE >> $SETUPLOG 2>&1 echo $INSTALLTYPE >> "$SETUPLOG" 2>&1
hostnamectl set-hostname --static $HOSTNAME hostnamectl set-hostname --static $HOSTNAME
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
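Review bot: The rewritten offload check in create_sensor_bond (`@@ -393,15 +394,15 @@`), `grep -e $string | grep -eq "on [fixed]"`, no longer tests the pattern at all: `-e` consumes `q` as the pattern and `"on [fixed]"` is then taken as a filename, so grep fails on a missing file and the unsupported-NIC warning can never fire. The bracket expression was already a problem before this commit, since `[fixed]` matches one character from that set rather than the literal text; if the intent is ethtool's literal `on [fixed]` marker, a fixed-string match is safer: `if ethtool -k "$BONDNIC" | grep -e "$string" | grep -q -F 'on [fixed]'; then`. In detect_os (`@@ -457,15 +459,18 @@`) the new grouped apt-get/systemctl block ends with `2<&1`, which asks for fd 2 to be opened for reading rather than duplicating stdout; it should read `} >> "$SETUPLOG" 2>&1` like every other redirection in the file, otherwise stderr from those installs goes to the terminal or, depending on the shell, raises a redirection error. create_sensor_bond's body starts and ends outside its hunk.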


@@ -17,8 +17,8 @@
# Source the other pieces of the setup # Source the other pieces of the setup
SCRIPTDIR=$(dirname "$0") SCRIPTDIR=$(dirname "$0")
source $SCRIPTDIR/so-functions source "$SCRIPTDIR/so-functions"
source $SCRIPTDIR/so-whiptail source "$SCRIPTDIR/so-whiptail"
# See if this is an ISO install # See if this is an ISO install
OPTIONS=$1 OPTIONS=$1
@@ -44,16 +44,16 @@ SETUPLOG="/root/sosetup.log"
# End Global Variables # End Global Variables
# Reset the Install Log # Reset the Install Log
date -u >$SETUPLOG 2>&1 date -u > $SETUPLOG 2>&1
echo "stty size is: $(stty size)" >> $SETUPLOG 2>&1 echo "stty size is: $(stty size)" >> $SETUPLOG 2>&1
# Check for prerequisites # Check for prerequisites
got_root got_root
detect_os detect_os
if [ $OS == ubuntu ]; then if [ "$OS" == ubuntu ]; then
# Override the horrible Ubuntu whiptail color pallete # Override the horrible Ubuntu whiptail color pallete
update-alternatives --set newt-palette /etc/newt/palette.original update-alternatives --set newt-palette /etc/newt/palette.original >> $SETUPLOG 2>&1
fi fi
# Question Time # Question Time
@@ -61,7 +61,7 @@ echo "Asking user if they are sure they want to proceed" >> $SETUPLOG 2>&1
if (whiptail_you_sure) ; then if (whiptail_you_sure) ; then
# Create a temp dir to get started # Create a temp dir to get started
install_prep install_prep >> $SETUPLOG 2>&1
setterm -blank 0 setterm -blank 0
if [ $INSTALLMETHOD == network ]; then if [ $INSTALLMETHOD == network ]; then
@@ -84,7 +84,7 @@ if (whiptail_you_sure) ; then
whiptail_dhcp_or_static whiptail_dhcp_or_static
# Do this if it static is selected # Do this if it static is selected
if [ $ADDRESSTYPE != 'DHCP' ]; then if [ "$ADDRESSTYPE" != 'DHCP' ]; then
whiptail_management_interface_ip whiptail_management_interface_ip
whiptail_management_interface_mask whiptail_management_interface_mask
whiptail_management_interface_gateway whiptail_management_interface_gateway
@@ -114,8 +114,8 @@ if (whiptail_you_sure) ; then
# What kind of install are we doing? # What kind of install are we doing?
whiptail_install_type whiptail_install_type
SHORTNAME=$(echo $HOSTNAME | awk -F. {'print $1'}) SHORTNAME=$(echo "$HOSTNAME" | awk -F. '{print $1}')
MINION_ID=$(echo $SHORTNAME'_'$INSTALLTYPE | tr '[:upper:]' '[:lower:]') MINION_ID=$(echo "$SHORTNAME'_'$INSTALLTYPE" | tr '[:upper:]' '[:lower:]')
echo "MINION_ID = $MINION_ID" >> $SETUPLOG 2>&1 echo "MINION_ID = $MINION_ID" >> $SETUPLOG 2>&1
# How do we want to handle OS patching? manual, auto or scheduled days and hours # How do we want to handle OS patching? manual, auto or scheduled days and hours
@@ -130,10 +130,10 @@ if (whiptail_you_sure) ; then
'Import Schedule') 'Import Schedule')
whiptail_patch_schedule_import whiptail_patch_schedule_import
;; ;;
Automatic) 'Automatic')
PATCHSCHEDULENAME=auto PATCHSCHEDULENAME=auto
;; ;;
Manual) 'Manual')
PATCHSCHEDULENAME=manual PATCHSCHEDULENAME=manual
;; ;;
esac esac
@@ -141,21 +141,23 @@ if (whiptail_you_sure) ; then
#################### ####################
## Helix ## ## Helix ##
#################### ####################
if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then if [ $"INSTALLTYPE" == 'HELIXSENSOR' ]; then
MASTERUPDATES=OPEN MASTERUPDATES=OPEN
filter_unused_nics filter_unused_nics
[[ $SKIP_BOND != 'yes' ]] && whiptail_bond_nics [[ "$SKIP_BOND" != 'yes' ]] && whiptail_bond_nics
whiptail_helix_apikey whiptail_helix_apikey
whiptail_homenet_master whiptail_homenet_master
RULESETUP=ETOPEN RULESETUP=ETOPEN
NSMSETUP=BASIC NSMSETUP=BASIC
HNSENSOR=inherit HNSENSOR=inherit
LS_HEAP_SIZE="1000m" LS_HEAP_SIZE="1000m"
calculate_useable_cores calculate_useable_cores >> "$SETUPLOG" 2>&1
whiptail_make_changes whiptail_make_changes
set_hostname {
set_version set_hostname;
clear_master set_version;
clear_master;
} >> "$SETUPLOG" 2>&1
mkdir -p /nsm mkdir -p /nsm
get_filesystem_root get_filesystem_root
get_filesystem_nsm get_filesystem_nsm
@@ -276,7 +278,7 @@ if (whiptail_you_sure) ; then
#################### ####################
## Master ## ## Master ##
#################### ####################
if [ $INSTALLTYPE == 'MASTER' ]; then if [ "$INSTALLTYPE" == 'MASTER' ]; then
# Would you like to do an advanced install? # Would you like to do an advanced install?
whiptail_master_adv whiptail_master_adv
@@ -294,7 +296,7 @@ if (whiptail_you_sure) ; then
whiptail_rule_setup whiptail_rule_setup
# Get the code if it isn't ET Open # Get the code if it isn't ET Open
if [ $RULESETUP != 'ETOPEN' ]; then if [ "$RULESETUP" != 'ETOPEN' ]; then
# Get the code # Get the code
whiptail_oinkcode whiptail_oinkcode
fi fi
@@ -305,9 +307,9 @@ if (whiptail_you_sure) ; then
process_components process_components
# Do Advacned Setup if they chose it # Do Advacned Setup if they chose it
if [ $MASTERADV == 'ADVANCED' ]; then if [ "$MASTERADV" == 'ADVANCED' ]; then
# Ask which bro logs to enable - Need to add Suricata check # Ask which bro logs to enable - Need to add Suricata check
if [ $BROVERSION != 'SURICATA' ]; then if [ "$BROVERSION" != 'SURICATA' ]; then
whiptail_master_adv_service_brologs whiptail_master_adv_service_brologs
fi fi
fi fi
@@ -315,7 +317,7 @@ if (whiptail_you_sure) ; then
# Get a password for the soremote user # Get a password for the soremote user
whiptail_create_soremote_user whiptail_create_soremote_user
SCMATCH=no SCMATCH=no
while [ $SCMATCH != yes ]; do while [ "$SCMATCH" != 'yes' ]; do
whiptail_create_soremote_user_password1 whiptail_create_soremote_user_password1
whiptail_create_soremote_user_password2 whiptail_create_soremote_user_password2
check_soremote_pass check_soremote_pass
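Review bot: `MINION_ID=$(echo "$SHORTNAME'_'$INSTALLTYPE" | tr '[:upper:]' '[:lower:]')` in the `@@ -114,8 +114,8 @@` hunk now embeds the single quotes in the value, because inside double quotes they are literal characters, so a host would get an id like `host'_'master` instead of `host_master` (constructed example); the line should be `MINION_ID=$(echo "${SHORTNAME}_${INSTALLTYPE}" | tr '[:upper:]' '[:lower:]')`. That value appears to be passed unquoted later to `salt-key -ya $MINION_ID` and to the remote `mkdir -p /tmp/$MINION_ID/...` over ssh in so-functions, so the stray quotes would reach those commands too. Two hunks later, `[ $"INSTALLTYPE" == 'HELIXSENSOR' ]` uses bash's `$"…"` locale-translation quoting, which expands to the literal string `INSTALLTYPE`, so the Helix branch can never be entered; it should be `[ "$INSTALLTYPE" == 'HELIXSENSOR' ]` like the other comparisons this commit quotes. The enclosing `if (whiptail_you_sure)` block starts and ends outside these hunks.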