Add more logging to setup process

Mike Reeves
2022-09-12 12:48:02 -04:00
parent 3de4e56db9
commit 2254512a2a
4 changed files with 155 additions and 232 deletions


@@ -0,0 +1,36 @@
filebeat:
config:
zeek_logs_enabled:
- conn
- dce_rpc
- dhcp
- dnp3
- dns
- dpd
- files
- ftp
- http
- intel
- irc
- kerberos
- modbus
- notice
- ntlm
- pe
- radius
- rfb
- rdp
- sip
- smb_files
- smb_mapping
- smtp
- snmp
- ssh
- ssl
- tunnel
- weird
- mysql
- socks
- x509
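Review bot: The enabled-log list in this new pillar omits `syslog`, whereas the `zeek_logs_enabled` function removed from so-functions in the same commit emitted `syslog` for EVAL and IMPORT installs and wrote the operator's `BLOGS` selection for ADVANCED manager installs; if that per-install-type behaviour is meant to survive, nothing visible in this commit produces it any more. A one-line comment above `zeek_logs_enabled:` would make the intent clear to the next reader, e.g. `# Static default log set for every install type; syslog is not enabled here`. The hunk header reports 36 added lines but only 34 are visible on this page, and the rendering drops indentation, so the YAML nesting and the two missing lines cannot be checked from here.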


@@ -1,37 +1,4 @@
zeek: zeek:
logging:
enabled:
- conn
- dce_rpc
- dhcp
- dnp3
- dns
- dpd
- files
- ftp
- http
- intel
- irc
- kerberos
- modbus
- notice
- ntlm
- pe
- radius
- rfb
- rdp
- sip
- smb_files
- smb_mapping
- smtp
- snmp
- ssh
- ssl
- tunnel
- weird
- mysql
- socks
- x509
config: config:
node: node:
lb_procs: 1 lb_procs: 1


@@ -13,7 +13,7 @@ log() {
msg=$1 msg=$1
level=${2:-I} level=${2:-I}
now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ") now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
echo -e "$now | $level | $msg" >> "$setup_log" 2>&1 echo -e "$now | $level | $msg" 2>&1 | tee -a "$setup_log"
} }
error() { error() {
@@ -31,7 +31,7 @@ title() {
logCmd() { logCmd() {
cmd=$1 cmd=$1
info "Executing command: $cmd" info "Executing command: $cmd"
$cmd >> "$setup_log" 2>&1 $cmd 2>&1 | tee -a $setup_log
} }
### End Logging Section ### ### End Logging Section ###
@@ -58,7 +58,7 @@ add_admin_user() {
} }
add_mngr_ip_to_hosts() { add_mngr_ip_to_hosts() {
echo "Adding $MSRV to /etc/hosts with IP: $MSRVIP" >> "$setup_log" 2>&1 info "Adding $MSRV to /etc/hosts with IP: $MSRVIP"
echo "$MSRVIP $MSRV" >> /etc/hosts echo "$MSRVIP $MSRV" >> /etc/hosts
} }
@@ -70,7 +70,7 @@ addtotab_generate_templates() {
printf '%s\n'\ printf '%s\n'\
"$i:"\ "$i:"\
"" > "$addtotab_path"/$i.sls "" > "$addtotab_path"/$i.sls
echo "Added $i Template" info "Added $i Template"
done done
} }
@@ -82,11 +82,11 @@ add_socore_user_manager() {
add_web_user() { add_web_user() {
wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5
{ {
echo "Attempting to add administrator user for web interface..."; info "Attempting to add administrator user for web interface...";
export SKIP_STATE_APPLY=true export SKIP_STATE_APPLY=true
echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER" "superuser"; echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER" "superuser";
unset SKIP_STATE_APPLY unset SKIP_STATE_APPLY
echo "Add user result: $?"; info "Add user result: $?";
} >> "/root/so-user-add.log" 2>&1 } >> "/root/so-user-add.log" 2>&1
} }
@@ -154,13 +154,13 @@ check_admin_pass() {
} }
check_manager_state() { check_manager_state() {
echo "Checking state of manager services. This may take a moment..." info "Checking state of manager services. This may take a moment..."
retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1 retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1
} }
check_manager_connection() { check_manager_connection() {
# See if you can curl the manager. If not you can either try again or continue # See if you can curl the manager. If not you can either try again or continue
echo "Checking manager connectivity" info "Checking manager connectivity"
man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1) man_test_err=$(curl -k -L -sS https://$MSRVIP/repo --connect-timeout 5 2>&1)
local ret=$? local ret=$?
@@ -217,7 +217,7 @@ check_pass_match() {
check_service_status() { check_service_status() {
local service_name=$1 local service_name=$1
echo "Checking service $service_name status" >> "$setup_log" 2>&1 info "Checking service $service_name status"
systemctl status $service_name > /dev/null 2>&1 systemctl status $service_name > /dev/null 2>&1
local status=$? local status=$?
if [ $status -gt 0 ]; then if [ $status -gt 0 ]; then
@@ -239,7 +239,7 @@ clear_manager() {
# This only happens if you re-install the manager. # This only happens if you re-install the manager.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
{ {
echo "Clearing old Salt master key"; info "Clearing old Salt master key";
rm -f /etc/salt/pki/minion/minion_master.pub; rm -f /etc/salt/pki/minion/minion_master.pub;
systemctl -q restart salt-minion; systemctl -q restart salt-minion;
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
@@ -397,7 +397,7 @@ collect_mngr_hostname() {
# Remove the manager from /etc/hosts incase a user entered the wrong IP when prompted # Remove the manager from /etc/hosts incase a user entered the wrong IP when prompted
# and they are going through the installer again # and they are going through the installer again
if [[ "$HOSTNAME" != "$MSRV" ]]; then if [[ "$HOSTNAME" != "$MSRV" ]]; then
echo "Removing $MSRV from /etc/hosts if present." >> "$setup_log" 2>&1 info "Removing $MSRV from /etc/hosts if present."
sed -i "/$MSRV/d" /etc/hosts sed -i "/$MSRV/d" /etc/hosts
fi fi
@@ -611,7 +611,7 @@ configure_minion() {
if [[ $is_analyst ]]; then if [[ $is_analyst ]]; then
minion_type=workstation minion_type=workstation
fi fi
echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 info "Configuring minion type as $minion_type"
echo "role: so-$minion_type" > /etc/salt/grains echo "role: so-$minion_type" > /etc/salt/grains
local minion_config=/etc/salt/minion local minion_config=/etc/salt/minion
@@ -695,7 +695,7 @@ configure_ntp() {
checkin_at_boot() { checkin_at_boot() {
local minion_config=/etc/salt/minion local minion_config=/etc/salt/minion
echo "Enabling checkin at boot" >> "$setup_log" 2>&1 info "Enabling checkin at boot"
echo "startup_states: highstate" >> "$minion_config" echo "startup_states: highstate" >> "$minion_config"
} }
@@ -780,7 +780,7 @@ check_sos_appliance() {
# Lets see if this is a SOS Appliance # Lets see if this is a SOS Appliance
if [ -f "/etc/SOSMODEL" ]; then if [ -f "/etc/SOSMODEL" ]; then
local MODEL=$(cat /etc/SOSMODEL) local MODEL=$(cat /etc/SOSMODEL)
echo "Found SOS Model $MODEL" info "Found SOS Model $MODEL"
echo "sosmodel: $MODEL" >> /etc/salt/grains echo "sosmodel: $MODEL" >> /etc/salt/grains
fi fi
} }
@@ -812,7 +812,7 @@ compare_versions() {
manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)
if [[ $manager_ver == '' ]]; then if [[ $manager_ver == '' ]]; then
echo "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again." | tee -a "$setup_log" info "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again."
exit 1 exit 1
fi fi
@@ -821,7 +821,7 @@ compare_versions() {
} }
configure_network_sensor() { configure_network_sensor() {
echo "Setting up sensor interface" >> "$setup_log" 2>&1 info "Setting up sensor interface"
if [[ $is_cloud ]]; then if [[ $is_cloud ]]; then
local nmcli_con_args=( "type" "ethernet" ) local nmcli_con_args=( "type" "ethernet" )
@@ -879,7 +879,7 @@ copy_minion_tmp_files() {
case "$install_type" in case "$install_type" in
'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') 'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
echo "Copying pillar and salt files in $temp_install_dir to $local_salt_dir" info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1 cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1
if [ -d "$temp_install_dir"/salt ] ; then if [ -d "$temp_install_dir"/salt ] ; then
cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1 cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1
@@ -887,7 +887,7 @@ copy_minion_tmp_files() {
;; ;;
*) *)
{ {
echo "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir"; info "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir";
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
$scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; $scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
@@ -900,12 +900,12 @@ copy_minion_tmp_files() {
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
;; ;;
esac esac
echo "Syncing all salt modules." >> "$setup_log" 2>&1 info "Syncing all salt modules."
salt-call saltutil.sync_modules >> "$setup_log" 2>&1 salt-call saltutil.sync_modules >> "$setup_log" 2>&1
} }
create_local_directories() { create_local_directories() {
echo "Creating local pillar and salt directories" info "Creating local pillar and salt directories"
PILLARSALTDIR=${SCRIPTDIR::-5} PILLARSALTDIR=${SCRIPTDIR::-5}
for i in "pillar" "salt"; do for i in "pillar" "salt"; do
for d in $(find $PILLARSALTDIR/$i -type d); do for d in $(find $PILLARSALTDIR/$i -type d); do
@@ -950,15 +950,12 @@ create_repo() {
} }
detect_cloud() { detect_cloud() {
echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log" info "Testing if setup is running on a cloud instance..."
if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi
} }
detect_os() { detect_os() {
local log=${1:-${setup_log}} title "Detecting Base OS"
# Detect Base OS
echo "Detecting Base OS" >> "$log" 2>&1
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
if grep -q "CentOS Linux release 7" /etc/redhat-release; then if grep -q "CentOS Linux release 7" /etc/redhat-release; then
OS=centos OS=centos
@@ -970,9 +967,9 @@ detect_os() {
OSVER=8 OSVER=8
is_rocky=true is_rocky=true
pkgman="dnf" pkgman="dnf"
echo "We currently do not support Rocky Linux $OSVER but we are working on it!" info "We currently do not support Rocky Linux $OSVER but we are working on it!"
else else
echo "We do not support the version of CentOS you are trying to use." info "We do not support the version of CentOS you are trying to use."
exit 1 exit 1
fi fi
@@ -983,16 +980,16 @@ detect_os() {
elif grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then elif grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
OSVER=focal OSVER=focal
else else
echo "We do not support your current version of Ubuntu." info "We do not support your current version of Ubuntu."
exit 1 exit 1
fi fi
else else
echo "We were unable to determine if you are using a supported OS." info "We were unable to determine if you are using a supported OS."
exit 1 exit 1
fi fi
echo "Found OS: $OS $OSVER" >> "$log" 2>&1 info "Found OS: $OS $OSVER" >> "$log" 2>&1
} }
@@ -1064,7 +1061,7 @@ disable_ipv6() {
docker_registry() { docker_registry() {
echo "Setting up Docker Registry" >> "$setup_log" 2>&1 info "Setting up Docker Registry"
mkdir -p /etc/docker >> "$setup_log" 2>&1 mkdir -p /etc/docker >> "$setup_log" 2>&1
# This will get applied so docker can attempt to start # This will get applied so docker can attempt to start
if [ -z "$DOCKERNET" ]; then if [ -z "$DOCKERNET" ]; then
@@ -1084,7 +1081,7 @@ docker_registry() {
" }"\ " }"\
" ]"\ " ]"\
"}" > /etc/docker/daemon.json "}" > /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1 info "Docker Registry Setup - Complete"
} }
@@ -1133,7 +1130,7 @@ download_repo_tarball() {
if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then
rm -rf $install_opt_file rm -rf $install_opt_file
local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager." local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager."
echo "$message" | tee -a "$setup_log" info "$message"
exit 1 exit 1
fi fi
@@ -1279,10 +1276,10 @@ firewall_generate_templates() {
generate_ca() { generate_ca() {
{ {
echo "Building Certificate Authority"; info "Building Certificate Authority";
salt-call state.apply ca; salt-call state.apply ca;
echo "Confirming existence of the CA certificate" info "Confirming existence of the CA certificate"
openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
} }
@@ -1294,7 +1291,7 @@ generate_ssl() {
if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then
wait_for_salt_minion wait_for_salt_minion
fi fi
echo "Applying SSL state"; info "Applying SSL state";
salt-call state.apply ssl; salt-call state.apply ssl;
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
} }
@@ -1345,7 +1342,7 @@ get_minion_type() {
install_cleanup() { install_cleanup() {
if [ -f "$temp_install_dir" ]; then if [ -f "$temp_install_dir" ]; then
echo "Installer removing the following files:" info "Installer removing the following files:"
ls -lR "$temp_install_dir" ls -lR "$temp_install_dir"
# Clean up after ourselves # Clean up after ourselves
@@ -1367,7 +1364,7 @@ install_cleanup() {
fi fi
if [[ -z $SO_ERROR ]]; then if [[ -z $SO_ERROR ]]; then
echo "Setup completed at $(date)" >> "$setup_log" 2>&1 info "Setup completed at $(date)"
fi fi
} }
@@ -1641,12 +1638,12 @@ networking_needful() {
network_setup() { network_setup() {
{ {
echo "Finishing up network setup"; info "Finishing up network setup";
echo "... Copying 99-so-checksum-offload-disable"; info "... Copying 99-so-checksum-offload-disable";
cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ; cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
echo "... Modifying 99-so-checksum-offload-disable"; info "... Modifying 99-so-checksum-offload-disable";
sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
} }
@@ -1718,7 +1715,7 @@ patch_schedule_os_new() {
print_salt_state_apply() { print_salt_state_apply() {
local state=$1 local state=$1
echo "Applying $state Salt state" info "Applying $state Salt state"
} }
process_installtype() { process_installtype() {
@@ -1754,7 +1751,7 @@ process_installtype() {
} }
proxy_validate() { proxy_validate() {
echo "Testing proxy..." info "Testing proxy..."
local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS"
proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" --connect-timeout 5 2>&1) # set short connection timeout so user doesn't sit waiting for proxy test to timeout proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" --connect-timeout 5 2>&1) # set short connection timeout so user doesn't sit waiting for proxy test to timeout
local ret=$? local ret=$?
@@ -1788,10 +1785,10 @@ reserve_group_ids() {
reserve_ports() { reserve_ports() {
# These are also set via salt but need to be set pre-install to avoid conflicts before salt runs # These are also set via salt but need to be set pre-install to avoid conflicts before salt runs
if ! sysctl net.ipv4.ip_local_reserved_ports | grep 55000 | grep 57314; then if ! sysctl net.ipv4.ip_local_reserved_ports | grep 55000 | grep 57314; then
echo "Reserving ephemeral ports used by Security Onion components to avoid collisions" info "Reserving ephemeral ports used by Security Onion components to avoid collisions"
sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314" sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"
else else
echo "Ephemeral ports already reserved" info "Ephemeral ports already reserved"
fi fi
} }
@@ -1827,7 +1824,7 @@ reinstall_init() {
local count=0 local count=0
while check_service_status "$service"; do while check_service_status "$service"; do
if [[ $count -gt $service_retry_count ]]; then if [[ $count -gt $service_retry_count ]]; then
echo "Could not stop $service after 1 minute, exiting setup." info "Could not stop $service after 1 minute, exiting setup."
# Stop the systemctl process trying to kill the service, show user a message, then exit setup # Stop the systemctl process trying to kill the service, show user a message, then exit setup
kill -9 $pid kill -9 $pid
@@ -1886,7 +1883,7 @@ reset_proxy() {
[[ -f /etc/systemd/system/docker.service.d/http-proxy.conf ]] && rm -f /etc/systemd/system/docker.service.d/http-proxy.conf [[ -f /etc/systemd/system/docker.service.d/http-proxy.conf ]] && rm -f /etc/systemd/system/docker.service.d/http-proxy.conf
systemctl daemon-reload systemctl daemon-reload
command -v docker &> /dev/null && echo "Restarting Docker..." | tee -a "$setup_log" && systemctl restart docker command -v docker &> /dev/null && info "Restarting Docker..." && logCmd "systemctl restart docker"
[[ -f /root/.docker/config.json ]] && rm -f /root/.docker/config.json [[ -f /root/.docker/config.json ]] && rm -f /root/.docker/config.json
@@ -1904,7 +1901,7 @@ restore_file() {
dst=$2 dst=$2
if [ -f "$src" ]; then if [ -f "$src" ]; then
[ ! -d "$dst" ] && mkdir -v -p "$dst" [ ! -d "$dst" ] && mkdir -v -p "$dst"
echo "Restoring $src to $dst." >> "$setup_log" 2>&1 info "Restoring $src to $dst."
cp -v "$src" "$dst" >> "$setup_log" 2>&1 cp -v "$src" "$dst" >> "$setup_log" 2>&1
fi fi
} }
@@ -1984,7 +1981,7 @@ securityonion_repo() {
# update this package because the repo config files get added back # update this package because the repo config files get added back
# if the package is updated when the update_packages function is called # if the package is updated when the update_packages function is called
logCmd "yum -v -y update centos-release" logCmd "yum -v -y update centos-release"
echo "Backing up the .repo files that were added by the centos-release package." info "Backing up the .repo files that were added by the centos-release package."
logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/" logCmd "find /etc/yum.repos.d/ -type f -not -name 'securityonion*repo' -print0 | xargs -0 -I {} mv -bvf {} /root/oldrepos/"
logCmd "yum repolist all" logCmd "yum repolist all"
fi fi
@@ -1996,12 +1993,12 @@ repo_sync_local() {
REPOSYNC=$(rpm -qa | grep createrepo | wc -l) REPOSYNC=$(rpm -qa | grep createrepo | wc -l)
if [[ ! "$REPOSYNC" -gt 0 ]]; then if [[ ! "$REPOSYNC" -gt 0 ]]; then
# Install reposync # Install reposync
echo "Installing createrepo" info "Installing createrepo"
logCmd "yum -y install yum-utils createrepo" logCmd "yum -y install yum-utils createrepo"
else else
echo "We have what we need to sync" info "We have what we need to sync"
fi fi
echo "Backing up old repos" info "Backing up old repos"
mkdir -p /nsm/repo mkdir -p /nsm/repo
mkdir -p /root/reposync_cache mkdir -p /root/reposync_cache
echo "[main]" > /root/repodownload.conf echo "[main]" > /root/repodownload.conf
@@ -2037,7 +2034,7 @@ saltify() {
RUSALTY=$(rpm -qa | grep salt-minion | wc -l) RUSALTY=$(rpm -qa | grep salt-minion | wc -l)
if [[ "$RUSALTY" -gt 0 ]]; then if [[ "$RUSALTY" -gt 0 ]]; then
# Salt is already installed. # Salt is already installed.
echo "salt is installed" info "salt is installed"
else else
# Install salt # Install salt
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
@@ -2061,7 +2058,7 @@ salt_firstcheckin() {
# Create an secrets pillar so that passwords survive re-install # Create an secrets pillar so that passwords survive re-install
secrets_pillar(){ secrets_pillar(){
if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then if [ ! -f $local_salt_dir/pillar/secrets.sls ]; then
echo "Creating Secrets Pillar" >> "$setup_log" 2>&1 info "Creating Secrets Pillar"
mkdir -p $local_salt_dir/pillar mkdir -p $local_salt_dir/pillar
printf '%s\n'\ printf '%s\n'\
"secrets:"\ "secrets:"\
@@ -2085,7 +2082,7 @@ set_main_ip() {
local c=0 local c=0
local m=3.3 local m=3.3
local max_attempts=30 local max_attempts=30
echo "Gathering the management IP. " info "Gathering the management IP. "
while ! valid_ip4 "$MAINIP" || ! valid_ip4 "$MNIC_IP"; do while ! valid_ip4 "$MAINIP" || ! valid_ip4 "$MNIC_IP"; do
MAINIP=$(ip route get 1 | awk '{print $7;exit}') MAINIP=$(ip route get 1 | awk '{print $7;exit}')
MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2) MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2)
@@ -2094,9 +2091,9 @@ set_main_ip() {
printf "%-*s" $((count+1)) '[' | tr ' ' '#' printf "%-*s" $((count+1)) '[' | tr ' ' '#'
printf "%*s%3d%%\r" $((max_attempts-count)) "]" "$p" printf "%*s%3d%%\r" $((max_attempts-count)) "]" "$p"
if [ $count = $max_attempts ]; then if [ $count = $max_attempts ]; then
echo "ERROR: Could not determine MAINIP or MNIC_IP." >> "$setup_log" 2>&1 info "ERROR: Could not determine MAINIP or MNIC_IP."
echo "MAINIP=$MAINIP" >> "$setup_log" 2>&1 info "MAINIP=$MAINIP"
echo "MNIC_IP=$MNIC_IP" >> "$setup_log" 2>&1 info "MNIC_IP=$MNIC_IP"
whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Press OK to exit." whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Press OK to exit."
exit 1 exit 1
fi fi
@@ -2120,7 +2117,7 @@ set_minion_info() {
fi fi
export MINION_ID export MINION_ID
echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 info "MINION_ID = $MINION_ID"
minion_type=$(get_minion_type) minion_type=$(get_minion_type)
} }
@@ -2208,7 +2205,7 @@ setup_salt_master_dirs() {
cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1 cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
fi fi
echo "Chown the salt dirs on the manager for socore" >> "$setup_log" 2>&1 info "Chown the salt dirs on the manager for socore"
chown -R socore:socore /opt/so chown -R socore:socore /opt/so
} }
@@ -2412,7 +2409,7 @@ so_add_user() {
local home_dir=$4 local home_dir=$4
if [ "$5" ]; then local pass=$5; fi if [ "$5" ]; then local pass=$5; fi
echo "Add $username user" >> "$setup_log" 2>&1 info "Add $username user"
groupadd --gid "$gid" "$username" groupadd --gid "$gid" "$username"
useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username"
@@ -2438,7 +2435,7 @@ update_sudoers() {
echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/pillar/data/addtotab.sh" | tee -a /etc/sudoers
echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/manager/files/add_minion.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:$default_salt_dir/salt/manager/files/add_minion.sh" | tee -a /etc/sudoers
else else
echo "User soremote already granted sudo privileges" >> "$setup_log" 2>&1 info "User soremote already granted sudo privileges"
fi fi
} }
@@ -2456,7 +2453,7 @@ update_packages() {
# This is used for development to speed up network install tests. # This is used for development to speed up network install tests.
use_turbo_proxy() { use_turbo_proxy() {
if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE)$ ]]; then
echo "turbo is not supported on this install type" >> $setup_log 2>&1 info "turbo is not supported on this install type"
return return
fi fi
@@ -2482,103 +2479,18 @@ wait_for_file() {
while [[ $cur_attempts -lt $max_attempts ]]; do while [[ $cur_attempts -lt $max_attempts ]]; do
if [ -f "$filename" ]; then if [ -f "$filename" ]; then
echo "File $filename found at $date" >> "$setup_log" 2>&1 info "File $filename found at $date"
return 0 return 0
else else
((cur_attempts++)) ((cur_attempts++))
echo "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..." >> "$setup_log" 2>&1 info "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..."
sleep "$wait_interval" sleep "$wait_interval"
fi fi
done done
echo "Could not find $filename after waiting ${total_time}s" >> "$setup_log" 2>&1 info "Could not find $filename after waiting ${total_time}s"
return 1 return 1
} }
wait_for_salt_minion() { wait_for_salt_minion() {
retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1
} }
# Enable Zeek Logs
zeek_logs_enabled() {
echo "Enabling Zeek Logs" >> "$setup_log" 2>&1
local zeeklogs_pillar=$local_salt_dir/pillar/zeek/zeeklogs.sls
printf '%s\n'\
"zeeklogs:"\
" enabled:" > "$zeeklogs_pillar"
if [ "$MANAGERADV" = 'ADVANCED' ]; then
for BLOG in "${BLOGS[@]}"; do
echo " - $BLOG" | tr -d '"' >> "$zeeklogs_pillar"
done
elif [ "$install_type" == "EVAL" ] || [ "$install_type" == "IMPORT" ]; then
printf '%s\n'\
" - conn"\
" - dce_rpc"\
" - dhcp"\
" - dnp3"\
" - dns"\
" - dpd"\
" - files"\
" - ftp"\
" - http"\
" - intel"\
" - irc"\
" - kerberos"\
" - modbus"\
" - notice"\
" - ntlm"\
" - pe"\
" - radius"\
" - rfb"\
" - rdp"\
" - sip"\
" - smb_files"\
" - smb_mapping"\
" - smtp"\
" - snmp"\
" - ssh"\
" - ssl"\
" - syslog"\
" - tunnel"\
" - weird"\
" - mysql"\
" - socks"\
" - x509" >> "$zeeklogs_pillar"
# Disable syslog log by default
else
printf '%s\n'\
" - conn"\
" - dce_rpc"\
" - dhcp"\
" - dnp3"\
" - dns"\
" - dpd"\
" - files"\
" - ftp"\
" - http"\
" - intel"\
" - irc"\
" - kerberos"\
" - modbus"\
" - notice"\
" - ntlm"\
" - pe"\
" - radius"\
" - rfb"\
" - rdp"\
" - sip"\
" - smb_files"\
" - smb_mapping"\
" - smtp"\
" - snmp"\
" - ssh"\
" - ssl"\
" - tunnel"\
" - weird"\
" - mysql"\
" - socks"\
" - x509" >> "$zeeklogs_pillar"
fi
}
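Review bot: `logCmd` in the @@ -31 hunk now ends with `$cmd 2>&1 | tee -a $setup_log`, so the function's exit status is tee's (effectively always 0) instead of the command's, and `$setup_log` lost its quotes; the so-setup network loop `while [ $? -ne 0 ]`, whose last body statement became `logCmd 'ip a | grep "$MNIC:" | grep "state UP"'`, will therefore leave the loop after one pass and report "Network is up" whether or not the interface is up. That call also shows that `$cmd` is expanded unquoted, so a pipeline passed as a string is not run as a pipeline — `|` and the literal `"$MNIC:"` reach `ip` as arguments — and the so-setup loop should test the grep directly rather than through `logCmd`. Keeping the command's status needs `$cmd 2>&1 | tee -a "$setup_log"` followed by `return "${PIPESTATUS[0]}"`. Separately, `detect_os` dropped the `local log=${1:-${setup_log}}` line but its final `info "Found OS: $OS $OSVER" >> "$log" 2>&1` still redirects to `$log`, which is now empty and fails the redirect; `info "Found OS: $OS $OSVER"` alone is enough. Because `log()` in the @@ -13 hunk now writes every message to stdout via tee, any function whose output is captured with `$(…)` (for example `minion_type=$(get_minion_type)`, body not in the hunk) would carry log lines in its result if it logs — worth checking before merge.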


@@ -76,6 +76,7 @@ if [ "$setup_type" = 'analyst' ]; then
fi fi
# Make sure if ISO is specified that we are dealing with CentOS or Rocky # Make sure if ISO is specified that we are dealing with CentOS or Rocky
title "Detecting if this is an ISO install"
if [[ "$setup_type" == 'iso' ]]; then if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_centos || $is_rocky ]]; then if [[ $is_centos || $is_rocky ]]; then
is_iso=true is_iso=true
@@ -87,10 +88,11 @@ fi
# Check to see if this is an analyst install. If it is let's run things differently # Check to see if this is an analyst install. If it is let's run things differently
if [[ $is_analyst ]]; then if [[ $is_analyst ]]; then
title "This is an analyst workstation install"
# Make sure it's CentOS or Rocky Linux # Make sure it's CentOS or Rocky Linux
if [[ ! $is_centos ]]; then if [[ ! $is_centos ]]; then
echo "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8" info "Analyst Workstation is only supported on CentOS 7 or Rocky Linux 8"
exit 1 exit 1
fi fi
@@ -100,7 +102,7 @@ if [[ $is_analyst ]]; then
# Remove setup from auto launching # Remove setup from auto launching
parse_install_username parse_install_username
sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
echo "Enabling graphical interface and setting it to load at boot" info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target systemctl set-default graphical.target
startx startx
exit 0 exit 0
@@ -110,11 +112,11 @@ if [[ $is_analyst ]]; then
fi fi
else else
if whiptail_analyst_nongrid_network; then if whiptail_analyst_nongrid_network; then
echo "" info ""
echo "" info ""
echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." info "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection."
echo "" info ""
echo "" info ""
analyst_salt_local analyst_salt_local
else else
# Abort! # Abort!
@@ -132,15 +134,16 @@ if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[
exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
fi fi
title "Checking to see if install has run before"
if [[ -f /root/accept_changes ]]; then if [[ -f /root/accept_changes ]]; then
is_reinstall=true is_reinstall=true
# Move last setup log to backup info "Old setup detected. Moving the last setup.log to setup.log.bak"
mv "$setup_log" "$setup_log.bak" mv "$setup_log" "$setup_log.bak"
[ -f "$error_log" ] && mv "$error_log" "$error_log.bak" [ -f "$error_log" ] && mv "$error_log" "$error_log.bak"
fi fi
# Figure out the user id that is running the install title "Parsing Username for Install"
parse_install_username parse_install_username
if ! [ -f $install_opt_file ]; then if ! [ -f $install_opt_file ]; then
@@ -176,7 +179,7 @@ progress() {
# If using automation let's do automation things. # If using automation let's do automation things.
if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then
echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 info "Preselecting variable values based on automated setup: $automation"
source automation/$automation source automation/$automation
automated=yes automated=yes
@@ -184,24 +187,26 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th
attempts=60 attempts=60
ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1
while [ $? -ne 0 ]; do while [ $? -ne 0 ]; do
ip a >> $setup_log 2>&1 logCmd "ip a"
if [ $attempt -gt $attempts ]; then if [ $attempt -gt $attempts ]; then
echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 error "Network unavailable - setup cannot continue"
exit 1 exit 1
fi fi
echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 info "Waiting for network to come up (attempt $attempt of $attempts)"
attempt=$((attempt + 1)) attempt=$((attempt + 1))
info "Sleeping 10s to try again"
sleep 10; sleep 10;
ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 logCmd 'ip a | grep "$MNIC:" | grep "state UP"'
done done
echo "Network is up on $MNIC" >> $setup_log 2>&1 info "Network is up on $MNIC"
if [[ ! $is_iso ]]; then if [[ ! $is_iso ]]; then
echo "Installing sshpass for automated testing." >> $setup_log 2>&1 # We might not need this any more
info "Installing sshpass for automated testing."
if [ "$OS" == ubuntu ]; then if [ "$OS" == ubuntu ]; then
retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1
else else
yum -y install sshpass >> $setup_log 2>&1 logCmd "yum -y install sshpass"
fi fi
fi fi
fi fi
@@ -209,10 +214,10 @@ fi
# Make sure the setup type is suppoted. # Make sure the setup type is suppoted.
case "$setup_type" in case "$setup_type" in
iso | network | analyst) # Accepted values iso | network | analyst) # Accepted values
echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 info "Beginning Security Onion $setup_type install"
;; ;;
*) *)
echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log error "Invalid install type, must be 'iso', 'network' or 'analyst'."
exit 1 exit 1
;; ;;
esac esac
@@ -232,15 +237,15 @@ dmesg -D
# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 # https://github.com/Security-Onion-Solutions/securityonion/issues/1084
if [ "$automated" == no ]; then if [ "$automated" == no ]; then
TTY=$(tty) TTY=$(tty)
echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 info "Setup is running on TTY $TTY"
if echo $TTY | grep -q "/dev/tty"; then if echo $TTY | grep -q "/dev/tty"; then
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 info "Kernel consoleblank value before: $CONSOLEBLANK"
if [ $CONSOLEBLANK -gt 0 ]; then if [ $CONSOLEBLANK -gt 0 ]; then
echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 info "Running 'setterm -blank 0' for TTY $TTY"
TERM=linux setterm -blank 0 >$TTY <$TTY TERM=linux setterm -blank 0 >$TTY <$TTY
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 info "Kernel consoleblank value after: $CONSOLEBLANK"
fi fi
fi fi
fi fi
@@ -250,7 +255,7 @@ if ! [[ -f $install_opt_file ]]; then
if (whiptail_you_sure); then if (whiptail_you_sure); then
true true
else else
echo "User cancelled setup." | tee -a "$setup_log" error "User cancelled setup."
whiptail_cancel whiptail_cancel
fi fi
# If this is an analyst install lets streamline the process. # If this is an analyst install lets streamline the process.
@@ -328,7 +333,7 @@ if ! [[ -f $install_opt_file ]]; then
detect_cloud detect_cloud
set_minion_info set_minion_info
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
whiptail_sensor_nics whiptail_sensor_nics
@@ -349,7 +354,7 @@ if ! [[ -f $install_opt_file ]]; then
detect_cloud detect_cloud
set_minion_info set_minion_info
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
whiptail_sensor_nics whiptail_sensor_nics
@@ -367,7 +372,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
calculate_useable_cores calculate_useable_cores
@@ -384,7 +389,7 @@ if ! [[ -f $install_opt_file ]]; then
whiptail_airgap whiptail_airgap
detect_cloud detect_cloud
set_default_log_size >> $setup_log 2>&1 set_default_log_size >> $setup_log 2>&1
echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf check_network_manager_conf
set_network_dev_status_list set_network_dev_status_list
calculate_useable_cores calculate_useable_cores
@@ -466,15 +471,15 @@ if ! [[ -f $install_opt_file ]]; then
configure_network_sensor configure_network_sensor
fi fi
# Configure NTP # Configure NTP
echo "Configuring NTP" info "Configuring NTP"
[[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
# Reserve the ports that SO needs # Reserve the ports that SO needs
echo "Reserving ports" info "Reserving ports"
reserve_ports reserve_ports
echo "Setting Paths" info "Setting Paths"
# Set the paths # Set the paths
set_path set_path
echo "Checking if this is a re-install" info "Checking if this is a re-install"
# Check to see if its a reinstall. THIS NEEDS REVIEW # Check to see if its a reinstall. THIS NEEDS REVIEW
if [[ $is_reinstall ]]; then if [[ $is_reinstall ]]; then
reinstall_init reinstall_init
@@ -482,19 +487,19 @@ if ! [[ -f $install_opt_file ]]; then
echo "Disable auto start of setup" echo "Disable auto start of setup"
# Disable the setup from prompting at login # Disable the setup from prompting at login
disable_auto_start disable_auto_start
echo "Setting the version" info "Setting the version"
# Set the version # Set the version
mark_version mark_version
echo "Clearing the old manager" info "Clearing the old manager"
# Remove old manager if re-install # Remove old manager if re-install
clear_manager clear_manager
echo "Generating Secrets" info "Generating Secrets"
# Generate passwords # Generate passwords
generate_passwords generate_passwords
echo "Populating the secrets pillar" info "Populating the secrets pillar"
# Create the secrets pillar # Create the secrets pillar
secrets_pillar secrets_pillar
echo "Add socore user" info "Add socore user"
# Add the socore user # Add the socore user
add_socore_user_manager add_socore_user_manager
@@ -502,7 +507,7 @@ if ! [[ -f $install_opt_file ]]; then
setup_salt_master_dirs setup_salt_master_dirs
create_manager_pillars create_manager_pillars
echo "Generating the minion pillar" info "Generating the minion pillar"
# Create the minion defaults # Create the minion defaults
export NODETYPE=$install_type export NODETYPE=$install_type
@@ -516,7 +521,7 @@ if ! [[ -f $install_opt_file ]]; then
export PATCHSCHEDULENAME=$PATCHSCHEDULENAME export PATCHSCHEDULENAME=$PATCHSCHEDULENAME
export INTERFACE="bond0" export INTERFACE="bond0"
so-minion -o=setup so-minion -o=setup
echo "Creating Global SLS" title "Creating Global SLS"
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
# Airgap Rules # Airgap Rules
@@ -525,7 +530,6 @@ if ! [[ -f $install_opt_file ]]; then
manager_pillar manager_pillar
zeek_logs_enabled
# Set up the repo to point to local file https://access.redhat.com/solutions/1355683 # Set up the repo to point to local file https://access.redhat.com/solutions/1355683
# reposync down the files is network and createrepo if CentOS # reposync down the files is network and createrepo if CentOS
# Import the GPG keys # Import the GPG keys
@@ -558,20 +562,23 @@ if ! [[ -f $install_opt_file ]]; then
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
mkdir -p /opt/so/conf/so-status/ mkdir -p /opt/so/conf/so-status/
touch /opt/so/conf/so-status/so-status.conf touch /opt/so/conf/so-status/so-status.conf
echo "Importing Registry Docker" title "Importing Registry Docker"
import_registry_docker import_registry_docker
echo "Applying the registry state" title "Applying the registry state"
salt-call state.apply -l info registry salt-call state.apply -l info registry
echo "Seeding the docker registry" title "Seeding the docker registry"
docker_seed_registry docker_seed_registry
echo "Applying the manager state" title "Applying the manager state"
salt-call state.apply -l info manager salt-call state.apply -l info manager
salt-call state.apply -l info firewall salt-call state.apply -l info firewall
salt-call state.highstate -l info salt-call state.highstate -l info
add_web_user add_web_user
info "Restarting SOC to pick up initial user"
so-soc-restart
so-elastic-fleet-setup so-elastic-fleet-setup
echo "Setting up Playbook" title "Setting up Playbook"
so-playbook-reset so-playbook-reset
checkin_at_boot
whiptail_setup_complete whiptail_setup_complete
else else
es_heapsize es_heapsize
@@ -583,7 +590,7 @@ if ! [[ -f $install_opt_file ]]; then
reserve_ports reserve_ports
# Set the version # Set the version
mark_version mark_version
echo "Clearing the old manager" info "Clearing the old manager"
# Remove old manager if re-install # Remove old manager if re-install
clear_manager clear_manager
gpg_rpm_import gpg_rpm_import
@@ -592,6 +599,7 @@ if ! [[ -f $install_opt_file ]]; then
saltify saltify
configure_minion "$minion_type" configure_minion "$minion_type"
drop_install_options drop_install_options
checkin_at_boot
whiptail_setup_complete whiptail_setup_complete
fi fi