From 449e0d853ce36c2fb31fd3e35a8bc5cee0306f01 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 22 Mar 2021 15:52:51 -0400 Subject: [PATCH 01/20] Initial support for ntp service via chronyd --- setup/so-functions | 57 ++++++++++++++++++++++++++++++++++++++++++++-- setup/so-setup | 5 ++++ setup/so-variables | 3 +++ setup/so-whiptail | 18 +++++++++++++++ 4 files changed, 81 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..d5e8c0a6e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -486,6 +486,17 @@ collect_node_ls_pipeline_worker_count() { done } +collect_ntp_servers() { + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_servers="" + whiptail_ntp_servers "$ntp_servers" + else + ntp_servers="" + fi + fi +} + collect_oinkcode() { whiptail_oinkcode @@ -702,6 +713,38 @@ configure_minion() { } >> "$setup_log" 2>&1 } +configure_ntp() { + local chrony_conf=/etc/chrony.conf + + # Install chrony if it isn't already installed + if command -v chronyc &> /dev/null; then + if [ "$OS" == centos ]; then + yum -y install chrony + else + retry 50 10 "apt-get -y install chrony" || exit 1 + fi + fi + + [[ -f $chrony_conf ]] && rm -f $chrony_conf + + # Build list of servers + for addr in "${ntp_servers[@]}"; do + echo "server $addr iburst" >> $chrony_conf + done + + printf '%s\n' \ + 'driftfile /var/lib/chrony/drift' \ + 'makestep 1.0 3' \ + 'rtcsync' \ + 'logdir /var/log/chrony' >> $chrony_conf + + systemctl enable chronyd + systemctl start chronyd + + # Sync time + chronyc -a makestep +} + checkin_at_boot() { local minion_config=/etc/salt/minion 
@@ -709,6 +752,12 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } +check_ntp_configured() { + if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then + ntp_configured=true + fi +} + check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional @@ -1564,12 +1613,16 @@ manager_global() { "global:"\ " soversion: '$SOVERSION'"\ " hnmanager: '$HNMANAGER'"\ - " ntpserver: '$NTPSERVER'"\ " dockernet: '$DOCKERNET'"\ " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" > "$global_pillar" + " managerip: '$MAINIP'" + " ntp_servers:" > "$global_pillar" + + for addr in "${ntp_servers[@]}"; do + echo " - '$addr'" >> "$global_pillar" + done if [[ $is_airgap ]]; then printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..2082653c5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,6 +534,9 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi +check_ntp_configured +[[ -z $ntp_configured ]] || collect_ntp_servers + if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced if [ "$NODESETUP" == 'NODEADVANCED' ]; then @@ -581,6 +584,8 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' + [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + reserve_ports set_path diff --git a/setup/so-variables b/setup/so-variables index a2fdf03c6..0a07fc79d 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -72,3 +72,6 @@ export install_opt_file net_init_file=/root/net_init export net_init_file + +ntp_servers="0.pool.ntp.org,1.pool.ntp.org" +export ntp_servers diff --git a/setup/so-whiptail b/setup/so-whiptail index a0425b5af..1ccdf6a90 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -1105,6 +1105,24 @@ whiptail_node_ls_pipeline_worker() { } +whiptail_ntp_ask() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44 +} + +whiptail_ntp_servers() { + [ -n "$TESTING" ] && return + + ntp_string=$(whiptail --title "Security Onion Setup" \ + --inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array +} + whiptail_oinkcode() { [ -n "$TESTING" ] && return From b3f558a1f8481a9144c2d96a50cb3ad8b0c147c9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:14:34 -0400 Subject: [PATCH 02/20] [fix] Also check if proxy is set before asking for ntp servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d5e8c0a6e..fd998da14 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -487,7 +487,7 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then [[ $is_airgap ]] && ntp_servers="" whiptail_ntp_servers "$ntp_servers" From ace30c07ea5bb75489add30067bb802244764eca Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:22:09 -0400 Subject: [PATCH 03/20] [fix] Also sync time before updating system clock --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index fd998da14..a7a596abe 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -741,7 +741,8 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time + # Sync time & update the system time + chronyc -a 'burst 4/4' chronyc -a makestep } From 184c763b02d36e78024417cc31edfbe1b181d05f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:36:08 -0400 Subject: [PATCH 04/20] [fix] Export correct variable to check later in setup --- setup/so-functions | 2 +- setup/so-whiptail | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index a7a596abe..a346128e1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -592,7 +592,7 @@ collect_proxy_details() { else so_proxy="$proxy_addr" fi - export proxy + export so_proxy fi } diff --git a/setup/so-whiptail b/setup/so-whiptail index 1ccdf6a90..2743ab65b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1289,11 +1289,7 @@ whiptail_proxy_auth_pass() { [ -n "$TESTING" ] && return - if [[ $arg != 'confirm' ]]; then - proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) - else - proxy_pass_confirm=$(whiptail --title "Security Onion Setup" --passwordbox "Please confirm the proxy password:" 8 60 3>&1 1>&2 2>&3) - fi + proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 0e9c81c145b1229bf82fc4976b55630b4a77e0aa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:44:44 -0400 Subject: [PATCH 05/20] Fix logic around ntp prompt --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 2082653c5..6ed3fa344 100755 --- a/setup/so-setup +++ b/setup/so-setup 
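Review bot: `export so_proxy` puts the proxy URL into the environment of every process that setup starts from this point on. The branch that builds `so_proxy` lies above the hunk, so this is an inference, but if it embeds the proxy user and password in the URL, those credentials are inherited by each child command and readable through its environment. If the value is only tested later in the same shell (for example `-n $so_proxy` in `collect_ntp_servers`), a plain shell variable is enough. Otherwise a comment such as `# exported for <consumer>; may contain proxy credentials` would record why the export is needed. collect_proxy_details starts outside the hunk.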
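Review bot: Dropping the `confirm` branch in `whiptail_proxy_auth_pass` removes the only assignment to `proxy_pass_confirm` visible in this hunk, and the commit subject does not mention the change. The caller is not shown here; if it still calls the function a second time with `confirm` and compares the two values, that call now overwrites `proxy_pass` and the comparison reads a variable that is never set. A mistyped proxy password would then either go unnoticed or never match. The confirmation step should be removed at the call site in the same commit, or the branch kept. The function's opening lines are outside the hunk, so any `arg` assignment left there would now be unused.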
@@ -535,7 +535,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi check_ntp_configured -[[ -z $ntp_configured ]] || collect_ntp_servers +[[ -z $ntp_configured ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced From 2d873b92fa3c19b43b5850220d65270536901a13 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 10:22:41 -0400 Subject: [PATCH 06/20] Fix ntp logic elsewhere --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 6ed3fa344..07eb49500 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From 9f0afd90f1852d28ad42d126f3cee187d3ef2115 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:27:37 -0400 Subject: [PATCH 07/20] [fix] Add missing backslash --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index a346128e1..dbc92aabc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1618,7 +1618,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" + " managerip: '$MAINIP'"\ " ntp_servers:" > "$global_pillar" for addr in "${ntp_servers[@]}"; do From 3287a777a2203a775265c25ca85d9b34ab1acaf7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:41:12 -0400 Subject: [PATCH 08/20] [fix] Pre-fill hostname re-enter on default --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index dbc92aabc..ffaa079c1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -400,7 +400,7 @@ collect_hostname() { if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if ! (whiptail_avoid_default_hostname); then - whiptail_set_hostname + whiptail_set_hostname "$HOSTNAME" fi fi From 08f46a779ac6b1ae2f5754b078a7238f4eb3b9aa Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Mar 2021 21:16:17 -0400 Subject: [PATCH 09/20] Remove freqserver, minio, and domainstats from image list --- salt/common/tools/sbin/so-image-common | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 402ae97f3..be5a327f0 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -47,20 +47,17 @@ container_list() { TRUSTED_CONTAINERS=( "so-acng" "so-curator" - "so-domainstats" "so-elastalert" "so-elasticsearch" "so-filebeat" "so-fleet" "so-fleet-launcher" - "so-freqserver" "so-grafana" "so-idstools" "so-influxdb" "so-kibana" "so-kratos" "so-logstash" - "so-minio" "so-mysql" "so-nginx" "so-pcaptools" From 150e724a4a52f0e58a224f3d1f82311964118abb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 13:37:54 -0400 Subject: [PATCH 10/20] Fix chrony install logic + add sleep for chrony to finish sync --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ffaa079c1..c2ddb2125 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -717,7 +717,7 @@ configure_ntp() { local chrony_conf=/etc/chrony.conf # Install chrony if it isn't already installed - if command -v chronyc &> /dev/null; then + if ! command -v chronyc &> /dev/null; then if [ "$OS" == centos ]; then yum -y install chrony else @@ -743,6 +743,7 @@ configure_ntp() { # Sync time & update the system time chronyc -a 'burst 4/4' + sleep 20 # Wait for chrony to sync chronyc -a makestep } 
From eb674b3b938b3769ab5ae0886b80d7a6a462c29d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 14:45:33 -0400 Subject: [PATCH 11/20] Validate list of ntp servers (ip4, hostname, or fqdn) --- salt/common/tools/sbin/so-common | 14 ++++++++++++++ setup/so-functions | 13 ++++++++++--- setup/so-setup | 2 +- setup/so-variables | 4 ++-- setup/so-whiptail | 2 -- 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 676b908ce..340525272 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -419,6 +419,20 @@ valid_proxy() { [[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1 } +valid_ntp_list() { + local string=$1 + local ntp_arr + IFS="," read -r -a ntp_arr <<< "$string" + + for ntp in "${ntp_arr[@]}"; do + if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then + return 1 + fi + done + + return 0 +} + valid_string() { local str=$1 local min_length=${2:-1} diff --git a/setup/so-functions b/setup/so-functions index c2ddb2125..6dd10096b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,10 +489,17 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers="" - whiptail_ntp_servers "$ntp_servers" + [[ $is_airgap ]] && ntp_servers=() + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input + whiptail_ntp_servers "$ntp_string" + done + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array else - ntp_servers="" + ntp_servers=() fi fi } diff --git a/setup/so-setup b/setup/so-setup index 07eb49500..d9e64105a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
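Review bot: `valid_ntp_list` returns 0 for an empty string, because `read -r -a` then yields an empty array and the loop body never runs. The retry loop in `collect_ntp_servers` therefore accepts a blank answer and setup continues with no time source configured. Adding `[[ ${#ntp_arr[@]} -gt 0 ]] || return 1` after the `read` rejects it explicitly; if a blank answer is meant to be allowed, a comment saying so would help. The loop variable should also be declared with `local ntp` so it does not leak into the script that sources so-common. Entries are not trimmed either, so input like `a, b` reaches the validators with a leading space.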
@@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports diff --git a/setup/so-variables b/setup/so-variables index 0a07fc79d..676cba4f0 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -73,5 +73,5 @@ export install_opt_file net_init_file=/root/net_init export net_init_file -ntp_servers="0.pool.ntp.org,1.pool.ntp.org" -export ntp_servers +ntp_string="0.pool.ntp.org,1.pool.ntp.org" +export ntp_string diff --git a/setup/so-whiptail b/setup/so-whiptail index 2743ab65b..00397a6fa 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1119,8 +1119,6 @@ whiptail_ntp_servers() { local exitstatus=$? whiptail_check_exitstatus $exitstatus - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array } whiptail_oinkcode() { From 2ff790699fc9960c85d1566a3558f9ca5840e87c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Mar 2021 09:36:24 -0400 Subject: [PATCH 12/20] [fix] Set ntp_string to empty, not ntp_servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6dd10096b..533a77a92 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,7 +489,7 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers=() + [[ $is_airgap ]] && ntp_string="" whiptail_ntp_servers "$ntp_string" while ! valid_ntp_list "$ntp_string"; do From 0e9ffe033d86ce9ab78df1d6c1d157692ef6e40c Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Tue, 30 Mar 2021 09:30:06 -0400 Subject: [PATCH 13/20] Show message about setting up network earlier during setup --- setup/so-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index d9e64105a..982195703 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -298,6 +298,10 @@ if ! [[ -f $install_opt_file ]]; then source "$net_init_file" fi + if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then + whiptail_management_interface_setup + fi + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then network_init fi @@ -315,10 +319,6 @@ if ! [[ -f $install_opt_file ]]; then [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi - if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then - whiptail_management_interface_setup - fi - if [[ $is_minion ]]; then add_mngr_ip_to_hosts fi From 25eca39428a585557183535c3424b0cda00d9479 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 09:54:21 -0400 Subject: [PATCH 14/20] Always ask for ntp setup on iso installs, don't ask on network installs --- setup/so-functions | 48 ++++++++++++++++++---------------------------- setup/so-setup | 5 ++--- 2 files changed, 21 insertions(+), 32 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 533a77a92..5c69b817a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
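Review bot: The moved condition `[[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]` mixes `||` and `&&` without grouping. The shell gives both operators equal precedence and evaluates left to right, so the `! -f` test gates all three flags, which is easy to misread as applying to `$is_iso` only. The `if` directly below runs `network_init` whenever `$reinit_networking` is set, even when the file exists, so in that case the interface message is skipped while networking is still re-initialised; please confirm that is intended. Writing it as `if [[ ( $is_minion || $reinit_networking || $is_iso ) && ! -f $net_init_file ]]; then` states the grouping explicitly without changing behaviour.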
@@ -487,20 +487,18 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then - if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_string="" + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_string="" + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input whiptail_ntp_servers "$ntp_string" + done - while ! valid_ntp_list "$ntp_string"; do - whiptail_invalid_input - whiptail_ntp_servers "$ntp_string" - done - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array - else - ntp_servers=() - fi + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array + else + ntp_servers=() fi } @@ -725,21 +723,19 @@ configure_ntp() { # Install chrony if it isn't already installed if ! command -v chronyc &> /dev/null; then - if [ "$OS" == centos ]; then - yum -y install chrony - else - retry 50 10 "apt-get -y install chrony" || exit 1 - fi + yum -y install chrony fi - [[ -f $chrony_conf ]] && rm -f $chrony_conf + [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" + + echo "# Config created by Security Onion" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n' \ + printf '%s\n\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ @@ -748,10 +744,10 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time & update the system time - chronyc -a 'burst 4/4' - sleep 20 # Wait for chrony to sync - chronyc -a makestep + # Tell the chrony daemon to sync time & update the system time + # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + chronyc -a 'burst 4/4' && sleep 30 + chronyc -a makestep && sleep 30 } checkin_at_boot() { 
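Review bot: `yum -y install chrony` in `configure_ntp` is not checked, and with the `$OS` test removed the function now assumes a yum-based host. If the install fails, the script still replaces `/etc/chrony.conf`, and the `systemctl` and `chronyc` calls fail only into the setup log. The removed apt path used `retry 50 10 "..." || exit 1`, and the same pattern fits here: `retry 50 10 "yum -y install chrony" || exit 1`. The two `&& sleep 30` waits add a fixed minute without confirming synchronisation, whereas `chronyc waitsync` with a try limit blocks until the clock is synchronised and exits non-zero when it is not, which the caller can test. On a monitoring platform an unsynchronised clock skews event timestamps, so a visible failure is preferable to a silent one.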
@@ -761,12 +757,6 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } -check_ntp_configured() { - if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then - ntp_configured=true - fi -} - check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional diff --git a/setup/so-setup b/setup/so-setup index 982195703..37121c4fb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,8 +534,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi -check_ntp_configured -[[ -z $ntp_configured ]] && collect_ntp_servers +[[ $is_iso ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced @@ -584,7 +583,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From be6eb3ed6c91495a79c8e760f0cf15372a5eee16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 14:17:05 -0400 Subject: [PATCH 15/20] Restart chrony in case it's already running --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5c69b817a..87c9b4885 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -742,7 +742,7 @@ configure_ntp() { 'logdir /var/log/chrony' >> $chrony_conf systemctl enable chronyd - systemctl start chronyd + systemctl restart chronyd # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made From fd51b327ee1d860221c88dbb30c7c16a9cd105c5 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Tue, 30 Mar 2021 15:23:57 -0400 Subject: [PATCH 16/20] Add messaging to explain chronyc output to log --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 87c9b4885..d31eb28a3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -746,7 +746,9 @@ configure_ntp() { # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + printf "Syncing chrony time to server: " chronyc -a 'burst 4/4' && sleep 30 + printf "Forcing chrony to update the time: " chronyc -a makestep && sleep 30 } From 177989269fda48a1fa833cbf3e75e2379e07ed1b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 15:50:37 -0400 Subject: [PATCH 17/20] Better formatting of chrony.conf --- setup/so-functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d31eb28a3..862854c69 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -728,14 +728,16 @@ configure_ntp() { [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" - echo "# Config created by Security Onion" > $chrony_conf + printf '%s\n' "# NTP server list" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n\n' \ + printf '\n%s\n' "# Config options" >> $chrony_conf + + printf '%s\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ From c03e2b2c11279bb3fc7b1c53815b01207a252cfa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 09:14:40 -0400 Subject: [PATCH 18/20] Move ntp server array to its own pillar in the minion sls file --- setup/so-functions | 24 +++++++++++++++--------- setup/so-setup | 1 + 2 files changed, 16 insertions(+), 9 deletions(-) 
diff --git a/setup/so-functions b/setup/so-functions index 862854c69..702ccece3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1591,8 +1591,7 @@ manager_pillar() { printf '%s\n'\ " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" - - } +} manager_global() { local global_pillar="$local_salt_dir/pillar/global.sls" @@ -1620,12 +1619,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'"\ - " ntp_servers:" > "$global_pillar" - - for addr in "${ntp_servers[@]}"; do - echo " - '$addr'" >> "$global_pillar" - done + " managerip: '$MAINIP'" > "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ @@ -1774,7 +1768,6 @@ manager_global() { " bip: '$DOCKERBIP'"\ "redis_settings:"\ " redis_maxmemory: 812" >> "$global_pillar" - printf '%s\n' '----' >> "$setup_log" 2>&1 } @@ -1837,6 +1830,19 @@ network_setup() { } >> "$setup_log" 2>&1 } +ntp_pillar() { + local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls + + if [[ ${#ntp_servers[@]} -gt 0 ]]; then + printf '%s\n'\ + "ntp:"\ + " servers:" >> "$global_pillar" + for addr in "${ntp_servers[@]}"; do + printf '%s\n' " - '$addr'" >> "$pillar_file" + done + fi +} + parse_install_username() { # parse out the install username so things copy correctly INSTALLUSERNAME=${SUDO_USER:-${USER}} diff --git a/setup/so-setup b/setup/so-setup index 37121c4fb..65be15dc1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,6 +584,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 reserve_ports From 1c4ba28336423c6164c671615e2d90d52e4fd4c4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 13:28:42 -0400 Subject: [PATCH 19/20] [fix] host_pillar overwrites the file, so run ntp_pillar after it --- setup/so-setup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/setup/so-setup b/setup/so-setup index 84e94e780..e2c866964 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -585,7 +585,6 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - ntp_pillar >> $setup_log 2>&1 reserve_ports @@ -619,6 +618,8 @@ set_redirect >> $setup_log 2>&1 fi host_pillar >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 + if [[ $is_minion || $is_import ]]; then set_updates >> $setup_log 2>&1 From 761a12ebbb6a95f8414f7b6e07b074a46ae025c2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 13:32:49 -0400 Subject: [PATCH 20/20] Fix variable name --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6b4f693e3..2732a0ee9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1802,7 +1802,7 @@ ntp_pillar() { if [[ ${#ntp_servers[@]} -gt 0 ]]; then printf '%s\n'\ "ntp:"\ - " servers:" >> "$global_pillar" + " servers:" >> "$pillar_file" for addr in "${ntp_servers[@]}"; do printf '%s\n' " - '$addr'" >> "$pillar_file" done
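Review bot: The new position of `ntp_pillar` depends on `host_pillar` having already written the minion pillar file, and only the commit subject explains that. A comment at the call, `# ntp_pillar appends to the minion pillar that host_pillar (re)creates; keep it after host_pillar`, would stop a later reorder from silently dropping the `ntp:` block again. Because `ntp_pillar` appends with `>>`, its header should also state whether it may be called more than once per run, since a second call would add a duplicate `ntp:` key.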