From 2389d3fac98b905af224bf2696573e3924c3c241 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Apr 2022 12:32:05 -0400 Subject: [PATCH] modify so-analyst-install to work with new states and install on managers --- salt/common/tools/sbin/so-analyst-install | 313 ++-------------------- 1 file changed, 28 insertions(+), 285 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 6917725fc..ea62b87bb 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -14,296 +14,39 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{# if this is a manager #} +{% if grains.master == grains.id.split('_')|first -%} -if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 -fi +source /usr/sbin/so-common +doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" +pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls" -INSTALL_LOG=/root/so-analyst-install.log -exec &> >(tee -a "$INSTALL_LOG") - -log() { - msg=$1 - level=${2:-I} - now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ") - echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1 -} - -error() { - log "$1" "E" -} - -info() { - log "$1" "I" -} - -title() { - echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1 -} - -logCmd() { - cmd=$1 - info "Executing command: $cmd" - $cmd >> "$INSTALL_LOG" 2>&1 -} - -analyze_system() { - title "System Characteristics" - logCmd "uptime" - logCmd "uname -a" - logCmd "free -h" - logCmd "lscpu" - logCmd "df -h" - logCmd "ip a" -} - -analyze_system - -OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7') -if [ $? -ne 0 ]; then - echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node." - exit 1 -fi - -if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then - INSTALL=yes - CURLCONTINUE=no -else - INSTALL='' - CURLCONTINUE='' -fi - -FIRSTPASS=yes -while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do - if [[ "$FIRSTPASS" == "yes" ]]; then - clear - echo "###########################################" - echo "## ** W A R N I N G ** ##" - echo "## _______________________________ ##" - echo "## ##" - echo "## Installing the Security Onion ##" - echo "## analyst node on this device will ##" - echo "## make permanent changes to ##" - echo "## the system. ##" - echo "## ##" - echo "###########################################" - echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)" - FIRSTPASS=no - else - echo "Please type 'yes' to continue or 'no' to exit." - fi - read INSTALL -done - -if [[ $INSTALL == "no" ]]; then - echo "Exiting analyst node installation." - exit 0 -fi - -echo "Testing for internet connection with curl https://securityonionsolutions.com/" -CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK") - if [ $? -ne 0 ]; then - FIRSTPASS=yes - while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do - if [[ "$FIRSTPASS" == "yes" ]]; then - echo "We could not access https://securityonionsolutions.com/." - echo "Since packages are downloaded from the internet, internet access is required." - echo "If you would like to ignore this warning and continue anyway, please type 'yes'." - echo "Otherwise, type 'no' to exit." - FIRSTPASS=no - else - echo "Please type 'yes' to continue or 'no' to exit." - fi - read CURLCONTINUE - done - if [[ "$CURLCONTINUE" == "no" ]]; then - echo "Exiting analyst node installation." - exit 0 - fi - else - echo "We were able to curl https://securityonionsolutions.com/." - sleep 3 +if [ -f "$pillar_file" ]; then + if ! grep -q "^workstation:$" "$pillar_file"; then + # Add workstation pillar to the minion's pillar file + printf '%s\n'\ + "workstation:"\ + " gui:"\ + " enabled: true"\ + "" >> "$pillar_file" + echo "Applying the workstation state. This could take some time since there are many packages that need to be installed." + salt-call state.apply workstation -linfo queue=True + echo "" + echo "Analyst workstation has been installed!" + else # workstation is already added + echo "The workstation pillar already exists in $pillar_file." + echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file." + echo "Additional documentation can be found at $doc_workstation_url." fi - -# Install a GUI text editor -yum -y install gedit - -# Install misc utils -yum -y install wget curl unzip epel-release yum-plugin-versionlock; - -# Install xWindows -yum -y groupinstall "X Window System"; -yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts; -unlink /etc/systemd/system/default.target; -ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; -yum -y install file-roller - -# Install Mono - prereq for NetworkMiner -yum -y install mono-core mono-basic mono-winforms expect - -# Install NetworkMiner -yum -y install libcanberra-gtk2; -wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; -mkdir -p /opt/networkminer/ -unzip /tmp/nm.zip -d /opt/networkminer/; -rm /tmp/nm.zip; -mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/ -chmod +x /opt/networkminer/NetworkMiner.exe; -chmod -R go+w /opt/networkminer/AssembledFiles/; -chmod -R go+w /opt/networkminer/Captures/; -# Create networkminer shim -cat << EOF >> /bin/networkminer -#!/bin/bash -/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@" -EOF -chmod +x /bin/networkminer -# Convert networkminer ico file to png format -yum -y install ImageMagick -convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png -# Create menu entry -cat << EOF >> /usr/share/applications/networkminer.desktop -[Desktop Entry] -Name=NetworkMiner -Comment=NetworkMiner -Encoding=UTF-8 -Exec=/bin/networkminer %f -Icon=/opt/networkminer/networkminericon-4.png -StartupNotify=true -Terminal=false -X-MultipleArgs=false -Type=Application -MimeType=application/x-pcap; -Categories=Network; -EOF - -# Set default monospace font to Liberation -cat << EOF >> /etc/fonts/local.conf - - - monospace - - - Liberation Mono - - -EOF - -# Install Wireshark for Gnome -yum -y install wireshark-gnome; - -# Install dnsiff -yum -y install dsniff; - -# Install hping3 -yum -y install hping3; - -# Install netsed -yum -y install netsed; - -# Install ngrep -yum -y install ngrep; - -# Install scapy -yum -y install python36-scapy; - -# Install ssldump -yum -y install ssldump; - -# Install tcpdump -yum -y install tcpdump; - -# Install tcpflow -yum -y install tcpflow; - -# Install tcpxtract -yum -y install tcpxtract; - -# Install whois -yum -y install whois; - -# Install foremost -yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; - -# Install chromium -yum -y install chromium; - -# Install tcpstat -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm; - -# Install tcptrace -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm; - -# Install sslsplit -yum -y install libevent; -yum -y install sslsplit; - -# Install Bit-Twist -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; - -# Install chaosreader -yum -y install perl-IO-Compress perl-Net-DNS; -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; -chmod +x /bin/chaosreader; - -if [ -f ../../files/analyst/README ]; then - cp ../../files/analyst/README /; - cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/; - cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/; - cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/; -else - cp /opt/so/saltstack/default/salt/common/files/analyst/README /; - cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/; - cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/; - cp /opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/; +else # if the pillar file doesn't exist + echo "Could not find $pillar_file and add the workstation pillar." fi -# Set background wallpaper -cat << EOF >> /etc/dconf/db/local.d/00-background -# Specify the dconf path -[org/gnome/desktop/background] +{#- if this is not a manager#} +{% else -%} -# Specify the path to the desktop background image file -picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg' -# Specify one of the rendering options for the background image: -# 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned' -picture-options='zoom' -# Specify the left or top color when drawing gradients or the solid color -primary-color='000000' -# Specify the right or bottom color when drawing gradients -secondary-color='FFFFFF' -EOF +echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please follow the documention at $doc_workstation_url." -# Set lock screen -cat << EOF >> /etc/dconf/db/local.d/00-screensaver -[org/gnome/desktop/session] -idle-delay=uint32 180 +{% endif -%} -[org/gnome/desktop/screensaver] -lock-enabled=true -lock-delay=uint32 120 -picture-options='zoom' -picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg' -EOF - -cat << EOF >> /etc/dconf/db/local.d/locks/screensaver -/org/gnome/desktop/session/idle-delay -/org/gnome/desktop/screensaver/lock-enabled -/org/gnome/desktop/screensaver/lock-delay -EOF - -# Do not show the user list at login screen -cat << EOF >> /etc/dconf/db/local.d/00-login-screen -[org/gnome/login-screen] -logo='/usr/share/pixmaps/so-login-logo-dark.svg' -disable-user-list=true -EOF - -dconf update; - -echo -echo "Analyst workstation has been installed!" -echo "Press ENTER to reboot or Ctrl-C to cancel." -read pause - -reboot; +exit 0