From 2389d3fac98b905af224bf2696573e3924c3c241 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Apr 2022 12:32:05 -0400 Subject: [PATCH 1/6] modify so-analyst-install to work with new states and install on managers --- salt/common/tools/sbin/so-analyst-install | 313 ++-------------------- 1 file changed, 28 insertions(+), 285 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 6917725fc..ea62b87bb 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install 
@@ -14,296 +14,39 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . +{# if this is a manager #} +{% if grains.master == grains.id.split('_')|first -%} -if [ "$(id -u)" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 -fi +source /usr/sbin/so-common +doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" +pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls" -INSTALL_LOG=/root/so-analyst-install.log -exec &> >(tee -a "$INSTALL_LOG") - -log() { - msg=$1 - level=${2:-I} - now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ") - echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1 -} - -error() { - log "$1" "E" -} - -info() { - log "$1" "I" -} - -title() { - echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1 -} - -logCmd() { - cmd=$1 - info "Executing command: $cmd" - $cmd >> "$INSTALL_LOG" 2>&1 -} - -analyze_system() { - title "System Characteristics" - logCmd "uptime" - logCmd "uname -a" - logCmd "free -h" - logCmd "lscpu" - logCmd "df -h" - logCmd "ip a" -} - -analyze_system - -OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7') -if [ $? -ne 0 ]; then - echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node." - exit 1 -fi - -if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then - INSTALL=yes - CURLCONTINUE=no -else - INSTALL='' - CURLCONTINUE='' -fi - -FIRSTPASS=yes -while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do - if [[ "$FIRSTPASS" == "yes" ]]; then - clear - echo "###########################################" - echo "## ** W A R N I N G ** ##" - echo "## _______________________________ ##" - echo "## ##" - echo "## Installing the Security Onion ##" - echo "## analyst node on this device will ##" - echo "## make permanent changes to ##" - echo "## the system. 
##" - echo "## ##" - echo "###########################################" - echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)" - FIRSTPASS=no - else - echo "Please type 'yes' to continue or 'no' to exit." - fi - read INSTALL -done - -if [[ $INSTALL == "no" ]]; then - echo "Exiting analyst node installation." - exit 0 -fi - -echo "Testing for internet connection with curl https://securityonionsolutions.com/" -CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK") - if [ $? -ne 0 ]; then - FIRSTPASS=yes - while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do - if [[ "$FIRSTPASS" == "yes" ]]; then - echo "We could not access https://securityonionsolutions.com/." - echo "Since packages are downloaded from the internet, internet access is required." - echo "If you would like to ignore this warning and continue anyway, please type 'yes'." - echo "Otherwise, type 'no' to exit." - FIRSTPASS=no - else - echo "Please type 'yes' to continue or 'no' to exit." - fi - read CURLCONTINUE - done - if [[ "$CURLCONTINUE" == "no" ]]; then - echo "Exiting analyst node installation." - exit 0 - fi - else - echo "We were able to curl https://securityonionsolutions.com/." - sleep 3 +if [ -f "$pillar_file" ]; then + if ! grep -q "^workstation:$" "$pillar_file"; then + # Add workstation pillar to the minion's pillar file + printf '%s\n'\ + "workstation:"\ + " gui:"\ + " enabled: true"\ + "" >> "$pillar_file" + echo "Applying the workstation state. This could take some time since there are many packages that need to be installed." + salt-call state.apply workstation -linfo queue=True + echo "" + echo "Analyst workstation has been installed!" + else # workstation is already added + echo "The workstation pillar already exists in $pillar_file." + echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file." + echo "Additional documentation can be found at $doc_workstation_url." 
fi - -# Install a GUI text editor -yum -y install gedit - -# Install misc utils -yum -y install wget curl unzip epel-release yum-plugin-versionlock; - -# Install xWindows -yum -y groupinstall "X Window System"; -yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts; -unlink /etc/systemd/system/default.target; -ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target; -yum -y install file-roller - -# Install Mono - prereq for NetworkMiner -yum -y install mono-core mono-basic mono-winforms expect - -# Install NetworkMiner -yum -y install libcanberra-gtk2; -wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip; -mkdir -p /opt/networkminer/ -unzip /tmp/nm.zip -d /opt/networkminer/; -rm /tmp/nm.zip; -mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/ -chmod +x /opt/networkminer/NetworkMiner.exe; -chmod -R go+w /opt/networkminer/AssembledFiles/; -chmod -R go+w /opt/networkminer/Captures/; -# Create networkminer shim -cat << EOF >> /bin/networkminer -#!/bin/bash -/bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@" -EOF -chmod +x /bin/networkminer -# Convert networkminer ico file to png format -yum -y install ImageMagick -convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png -# Create menu entry -cat << EOF >> /usr/share/applications/networkminer.desktop -[Desktop Entry] -Name=NetworkMiner -Comment=NetworkMiner -Encoding=UTF-8 -Exec=/bin/networkminer %f -Icon=/opt/networkminer/networkminericon-4.png -StartupNotify=true -Terminal=false -X-MultipleArgs=false -Type=Application -MimeType=application/x-pcap; -Categories=Network; -EOF - -# Set default monospace font to Liberation -cat << EOF >> /etc/fonts/local.conf - - - monospace - - - Liberation Mono - - -EOF - -# Install Wireshark for Gnome -yum -y install wireshark-gnome; - -# Install dnsiff -yum -y install dsniff; - -# Install hping3 -yum -y install hping3; - -# Install netsed 
-yum -y install netsed; - -# Install ngrep -yum -y install ngrep; - -# Install scapy -yum -y install python36-scapy; - -# Install ssldump -yum -y install ssldump; - -# Install tcpdump -yum -y install tcpdump; - -# Install tcpflow -yum -y install tcpflow; - -# Install tcpxtract -yum -y install tcpxtract; - -# Install whois -yum -y install whois; - -# Install foremost -yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm; - -# Install chromium -yum -y install chromium; - -# Install tcpstat -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm; - -# Install tcptrace -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm; - -# Install sslsplit -yum -y install libevent; -yum -y install sslsplit; - -# Install Bit-Twist -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm; - -# Install chaosreader -yum -y install perl-IO-Compress perl-Net-DNS; -yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm; -chmod +x /bin/chaosreader; - -if [ -f ../../files/analyst/README ]; then - cp ../../files/analyst/README /; - cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/; - cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/; - cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/; -else - cp /opt/so/saltstack/default/salt/common/files/analyst/README /; - cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/; - cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/; - cp 
/opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/; +else # if the pillar file doesn't exist + echo "Could not find $pillar_file and add the workstation pillar." fi -# Set background wallpaper -cat << EOF >> /etc/dconf/db/local.d/00-background -# Specify the dconf path -[org/gnome/desktop/background] +{#- if this is not a manager#} +{% else -%} -# Specify the path to the desktop background image file -picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg' -# Specify one of the rendering options for the background image: -# 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned' -picture-options='zoom' -# Specify the left or top color when drawing gradients or the solid color -primary-color='000000' -# Specify the right or bottom color when drawing gradients -secondary-color='FFFFFF' -EOF +echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please follow the documention at $doc_workstation_url." -# Set lock screen -cat << EOF >> /etc/dconf/db/local.d/00-screensaver -[org/gnome/desktop/session] -idle-delay=uint32 180 +{% endif -%} -[org/gnome/desktop/screensaver] -lock-enabled=true -lock-delay=uint32 120 -picture-options='zoom' -picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg' -EOF - -cat << EOF >> /etc/dconf/db/local.d/locks/screensaver -/org/gnome/desktop/session/idle-delay -/org/gnome/desktop/screensaver/lock-enabled -/org/gnome/desktop/screensaver/lock-delay -EOF - -# Do not show the user list at login screen -cat << EOF >> /etc/dconf/db/local.d/00-login-screen -[org/gnome/login-screen] -logo='/usr/share/pixmaps/so-login-logo-dark.svg' -disable-user-list=true -EOF - -dconf update; - -echo -echo "Analyst workstation has been installed!" -echo "Press ENTER to reboot or Ctrl-C to cancel." -read pause - -reboot; +exit 0 From 6477e6c5a254bb94146a0111f0e24e2d5b144d09 Mon Sep 17 00:00:00 2001 
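Review bot: The rewritten manager branch drops the `id -u` root check that the removed lines had, yet it appends to `/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls` and runs `salt-call state.apply`, both of which need root; unless `/usr/sbin/so-common` (sourced at the top, not visible here) enforces this, an unprivileged run fails the `printf >> "$pillar_file"` with a permission error and then proceeds to `salt-call` anyway. Restore the guard right after the `source` line, `[[ $(id -u) -eq 0 ]] || { echo "This script must be run using sudo!" >&2; exit 1; }`. Also abort when the pillar write fails, e.g. `"" >> "$pillar_file" || { echo "Failed to update $pillar_file" >&2; exit 1; }`, so the workstation state is never applied against a pillar that was not actually changed.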
From: m0duspwnens Date: Wed, 13 Apr 2022 13:39:39 -0400 Subject: [PATCH 2/6] added warning about installing and ensure can only install workstation on centos --- salt/common/tools/sbin/so-analyst-install | 48 ++++++++++++++++++++--- 1 file changed, 43 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index ea62b87bb..11e478ca9 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -14,8 +14,10 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{# if this is a manager #} -{% if grains.master == grains.id.split('_')|first -%} +{# we only want the script to install the workstation if it is CentOS #} +{% if grains.os == 'CentOS' -%} +{# if this is a manager -#} +{% if grains.master == grains.id.split('_')|first -%} source /usr/sbin/so-common doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" 
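Review bot: The new outer guard `{% if grains.os == 'CentOS' -%}` only checks the distribution name, whereas the check this series removed in the previous commit required `CentOS Linux 7` specifically; if the workstation state still installs the el7-only package set the old script did (`wireshark-gnome`, `python36-scapy`, the cert.org `foremost` rpm), a CentOS 8/Stream host passes this guard and fails part-way through `state.apply`. Consider pinning the release as well, `{% if grains.os == 'CentOS' and grains.osmajorrelease == 7 -%}`, and saying "CentOS 7" in the message on the else branch. The same guard is copied into four `.sls` files later in this series, so whichever condition is chosen should be used consistently there.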
@@ -23,6 +25,33 @@ pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls" if [ -f "$pillar_file" ]; then if ! grep -q "^workstation:$" "$pillar_file"; then + + FIRSTPASS=yes + while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do + if [[ "$FIRSTPASS" == "yes" ]]; then + echo "###########################################" + echo "## ** W A R N I N G ** ##" + echo "## _______________________________ ##" + echo "## ##" + echo "## Installing the Security Onion ##" + echo "## analyst node on this device will ##" + echo "## make permanent changes to ##" + echo "## the system. ##" + echo "## ##" + echo "###########################################" + echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)" + FIRSTPASS=no + else + echo "Please type 'yes' to continue or 'no' to exit." + fi + read INSTALL + done + + if [[ $INSTALL == "no" ]]; then + echo "Exiting analyst node installation." + exit 0 + fi + # Add workstation pillar to the minion's pillar file printf '%s\n'\ "workstation:"\ @@ -42,11 +71,20 @@ else # if the pillar file doesn't exist echo "Could not find $pillar_file and add the workstation pillar." fi -{#- if this is not a manager#} -{% else -%} +{#- if this is not a manager #} +{% else -%} -echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please follow the documention at $doc_workstation_url." +echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documention at $doc_workstation_url." +{#- endif if this is a manager #} +{% endif -%} + +{#- if not CentOS #} +{%- else %} + +echo "The Analyst Workstation can only be installed on CentOS. Please view the documention at $doc_workstation_url." + +{#- endif grains.os == CentOS #} {% endif -%} exit 0 From 3ee09db7521878ffbbd42f04b73e3a2fe41f13b5 Mon Sep 17 00:00:00 2001 
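Review bot: The confirmation loop added here spins forever when stdin is not a terminal: `read INSTALL` returns non-zero on EOF and leaves the variable empty, so the `while` condition never clears and the script prints `Please type 'yes' to continue or 'no' to exit.` indefinitely (the removed script at least had an `Automated` bypass; this version has none). The loop also trusts whatever `INSTALL` already holds in the environment, so an exported `INSTALL=yes` skips the warning entirely. Initialise the variable and fail on EOF: `INSTALL=""` before the loop and `read -r INSTALL || { echo "No input received; exiting." >&2; exit 1; }` in place of `read INSTALL`.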
From: m0duspwnens Date: Wed, 13 Apr 2022 13:39:48 -0400 Subject: [PATCH 3/6] added warning about installing and ensure can only install workstation on centos --- salt/common/tools/sbin/so-analyst-install | 7 ++++--- salt/workstation/packages.sls | 11 +++++++++++ salt/workstation/remove_gui.sls | 10 ++++++++++ salt/workstation/trusted-ca.sls | 23 +++++++++++++++++------ salt/workstation/xwindows.sls | 12 ++++++++++++ 5 files changed, 54 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 11e478ca9..65f78921c 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -14,13 +14,14 @@ # # You should have received a copy of the GNU General Public License # along with this program. If not, see . -{# we only want the script to install the workstation if it is CentOS #} + +doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" +{# we only want the script to install the workstation if it is CentOS -#} {% if grains.os == 'CentOS' -%} {# if this is a manager -#} {% if grains.master == grains.id.split('_')|first -%} source /usr/sbin/so-common -doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html" pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls" if [ -f "$pillar_file" ]; then @@ -51,7 +52,7 @@ if [ -f "$pillar_file" ]; then echo "Exiting analyst node installation." exit 0 fi - + # Add workstation pillar to the minion's pillar file printf '%s\n'\ "workstation:"\ diff --git a/salt/workstation/packages.sls b/salt/workstation/packages.sls index 3d4794fb5..6f31bcceb 100644 --- a/salt/workstation/packages.sls +++ b/salt/workstation/packages.sls @@ -1,3 +1,6 @@ +{# we only want this state to run it is CentOS #} +{% if grains.os == 'CentOS' %} + xwindows_group: pkg.group_installed: - name: X Window System 
@@ -45,3 +48,11 @@ workstation_packages: - perl-Net-DNS - securityonion-chaosreader - securityonion-analyst-extras + +{% else %} + +workstation_packages_os_fail: + test.fail_without_changes: + - comment: 'SO Analyst Workstation can only be installed on CentOS' + +{% endif %} diff --git a/salt/workstation/remove_gui.sls b/salt/workstation/remove_gui.sls index 96880a5ab..097e23151 100644 --- a/salt/workstation/remove_gui.sls +++ b/salt/workstation/remove_gui.sls @@ -1,5 +1,15 @@ +{# we only want this state to run it is CentOS #} +{% if grains.os == 'CentOS' %} + remove_graphical_target: file.symlink: - name: /etc/systemd/system/default.target - target: /lib/systemd/system/multi-user.target - force: True + +{% else %} +workstation_trusted-ca_os_fail: + test.fail_without_changes: + - comment: 'SO Analyst Workstation can only be installed on CentOS' + +{% endif %} diff --git a/salt/workstation/trusted-ca.sls b/salt/workstation/trusted-ca.sls index 6d86a8157..78104be4a 100644 --- a/salt/workstation/trusted-ca.sls +++ b/salt/workstation/trusted-ca.sls 
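Review bot: The fallback state added to `remove_gui.sls` is named `workstation_trusted-ca_os_fail`, which looks like a copy-paste from the trusted-ca file in the same commit; Salt state IDs must be unique across everything rendered into one run, so if `workstation.remove_gui` and `workstation.trusted-ca` are ever applied together on a non-CentOS minion the render aborts with a conflicting-ID error instead of the intended `SO Analyst Workstation can only be installed on CentOS` message. Rename it to match the file, `workstation_remove_gui_os_fail:`. Whether both states are included together is not visible from this diff, but the other three files already use file-specific IDs and this one should too.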
@@ -1,16 +1,19 @@ - {% set global_ca_text = [] %} - {% set global_ca_server = [] %} - {% set manager = salt['grains.get']('master') %} - {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} +{# we only want this state to run it is CentOS #} +{% if grains.os == 'CentOS' %} + + {% set global_ca_text = [] %} + {% set global_ca_server = [] %} + {% set manager = salt['grains.get']('master') %} + {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %} {% for host in x509dict %} {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %} {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %} {% do global_ca_server.append(host) %} {% endif %} {% endfor %} - {% set trusttheca_text = global_ca_text[0] %} - {% set ca_server = global_ca_server[0] %} + {% set trusttheca_text = global_ca_text[0] %} + {% set ca_server = global_ca_server[0] %} trusted_ca: x509.pem_managed: @@ -22,3 +25,11 @@ update_ca_certs: - name: update-ca-trust - onchanges: - x509: trusted_ca + +{% else %} + +workstation_trusted-ca_os_fail: + test.fail_without_changes: + - comment: 'SO Analyst Workstation can only be installed on CentOS' + +{% endif %} diff --git a/salt/workstation/xwindows.sls b/salt/workstation/xwindows.sls index c4d870f07..015fb0d3c 100644 --- a/salt/workstation/xwindows.sls +++ b/salt/workstation/xwindows.sls @@ -1,3 +1,7 @@ + +{# we only want this state to run it is CentOS #} +{% if grains.os == 'CentOS' %} + include: - workstation.packages @@ -9,3 +13,11 @@ graphical_target: - require: - pkg: X Window System - pkg: graphical_extras + +{% else %} + +workstation_xwindows_os_fail: + test.fail_without_changes: + - comment: 'SO Analyst Workstation can only be installed on CentOS' + +{% endif %} From 4728bea6331e509c3ae4fb16ca3e052f91da2189 Mon Sep 17 00:00:00 2001 
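Review bot: Inside the new CentOS branch, `{% set trusttheca_text = global_ca_text[0] %}` still indexes the list unguarded, so when the mine query returns no host whose id ends in `manager`, `managersearch`, `standalone` or `import` (mine not yet populated, or the `master` grain not matching the manager's minion-id prefix) the state fails at render time with a bare Jinja index error rather than a message naming the cause. This predates the commit, but since the hunk now wraps the block in `{% if %}`/`{% else %}` it is a cheap place to add `{% if global_ca_text|length == 0 %}` with a `test.fail_without_changes` state whose comment reads `'No manager CA found in the salt mine (x509.get_pem_entries)'` ahead of the two `set` lines. A one-line comment above the `for` loop noting that the role-suffix filter is what decides whose `/etc/pki/ca.crt` ends up in the system trust store via `update-ca-trust` would also help the next reader, given what this state does.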
From: m0duspwnens Date: Wed, 13 Apr 2022 14:03:09 -0400 Subject: [PATCH 4/6] fix typo --- salt/common/tools/sbin/so-analyst-install | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 65f78921c..79dd0cc20 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install @@ -75,7 +75,7 @@ fi {#- if this is not a manager #} {% else -%} -echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documention at $doc_workstation_url." +echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documentation at $doc_workstation_url." {#- endif if this is a manager #} {% endif -%} @@ -83,7 +83,7 @@ echo "Since this is not a manager, the pillar values to enable analyst workstati {#- if not CentOS #} {%- else %} -echo "The Analyst Workstation can only be installed on CentOS. Please view the documention at $doc_workstation_url." +echo "The Analyst Workstation can only be installed on CentOS. Please view the documentation at $doc_workstation_url." {#- endif grains.os == CentOS #} {% endif -%} From 149375115e24536c570aa67fc8bc42950a53d9f6 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Apr 2022 14:26:14 -0400 Subject: [PATCH 5/6] warn about required reboot and prompt if reboot desired at completion of install --- salt/common/tools/sbin/so-analyst-install | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index 79dd0cc20..fd15a2196 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install 
@@ -38,6 +38,8 @@ if [ -f "$pillar_file" ]; then echo "## analyst node on this device will ##" echo "## make permanent changes to ##" echo "## the system. ##" + echo "## A system reboot will be required ##" + echo "## to complete the install. ##" echo "## ##" echo "###########################################" echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)" @@ -60,9 +62,18 @@ if [ -f "$pillar_file" ]; then " enabled: true"\ "" >> "$pillar_file" echo "Applying the workstation state. This could take some time since there are many packages that need to be installed." - salt-call state.apply workstation -linfo queue=True - echo "" - echo "Analyst workstation has been installed!" + if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully + echo "" + echo "Analyst workstation has been installed!" + echo + echo "Analyst workstation has been installed!" + echo "Press ENTER to reboot or Ctrl-C to cancel." + read pause + + reboot; + else + echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion." + fi else # workstation is already added echo "The workstation pillar already exists in $pillar_file." echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file." From 371fda09dbd66cb890f2384de1b1d4e1b5bccc26 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 13 Apr 2022 14:28:05 -0400 Subject: [PATCH 6/6] fix copy paste fail --- salt/common/tools/sbin/so-analyst-install | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/common/tools/sbin/so-analyst-install b/salt/common/tools/sbin/so-analyst-install index fd15a2196..12b940897 100755 --- a/salt/common/tools/sbin/so-analyst-install +++ b/salt/common/tools/sbin/so-analyst-install 
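Review bot: The new `if salt-call state.apply workstation -linfo queue=True; then` does not detect failed states: `salt-call` exits 0 when the run completes even if individual states fail, unless `--retcode-passthrough` is given, so the `There was an issue applying the workstation state` branch only fires when salt-call itself crashes and a partially installed workstation is reported as installed and the user is prompted to reboot. Add the flag, `if salt-call state.apply workstation -linfo queue=True --retcode-passthrough; then`. The reboot prompt has the same non-interactive problem as the earlier confirmation: `read pause` on a closed stdin returns immediately and `reboot;` then runs unconditionally, so use `read -r pause || exit 0` to make EOF a cancel rather than a reboot.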
@@ -65,8 +65,6 @@ if [ -f "$pillar_file" ]; then if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully echo "" echo "Analyst workstation has been installed!" - echo - echo "Analyst workstation has been installed!" echo "Press ENTER to reboot or Ctrl-C to cancel." read pause