Merge pull request #7784 from Security-Onion-Solutions/workstation_script

modify so-analyst-install to work with new states and install on managers
2025-12-07 01:32:47 +01:00 · 2022-04-13 14:37:24 -04:00
parent ecc29b586d 371fda09db
commit 2d094a3bfc
5 changed files with 112 additions and 277 deletions
--- a/salt/common/tools/sbin/so-analyst-install
+++ b/salt/common/tools/sbin/so-analyst-install
@@ -15,295 +15,86 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-if [ "$(id -u)" -ne 0 ]; then
+doc_workstation_url="https://docs.securityonion.net/en/2.3/analyst-vm.html"
-	echo "This script must be run using sudo!"
+{# we only want the script to install the workstation if it is CentOS -#}
-	exit 1
+{% if grains.os == 'CentOS' -%}
-fi
+{#   if this is a manager -#}
 {%   if grains.master == grains.id.split('_')|first -%}
-INSTALL_LOG=/root/so-analyst-install.log
+source /usr/sbin/so-common
-exec &> >(tee -a "$INSTALL_LOG")
+pillar_file="/opt/so/saltstack/local/pillar/minions/{{grains.id}}.sls"
-log() {
+if [ -f "$pillar_file" ]; then
-	msg=$1
+  if ! grep -q "^workstation:$" "$pillar_file"; then
 	level=${2:-I}
 	now=$(TZ=GMT date +"%Y-%m-%dT%H:%M:%SZ")
 	echo -e "$now | $level | $msg" >> "$INSTALL_LOG" 2>&1
 }
 error() {
 	log "$1" "E"
 }
 info() {
 	log "$1" "I"
 }
 title() {
 	echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$INSTALL_LOG" 2>&1
 }
 logCmd() {
 	cmd=$1
 	info "Executing command: $cmd"
 	$cmd >> "$INSTALL_LOG" 2>&1
 }
 analyze_system() {
 	title "System Characteristics"
 	logCmd "uptime"
 	logCmd "uname -a"
 	logCmd "free -h"
 	logCmd "lscpu"
 	logCmd "df -h"
 	logCmd "ip a"
 }
 analyze_system
 OS=$(grep PRETTY_NAME /etc/os-release | grep 'CentOS Linux 7')
 if [ $? -ne 0 ]; then
  echo "This is an unsupported OS. Please use CentOS 7 to install the analyst node."
  exit 1
 fi
 if [[ "$manufacturer" == "Security Onion Solutions" && "$family" == "Automated" ]]; then
  INSTALL=yes
  CURLCONTINUE=no
 else
  INSTALL=''
  CURLCONTINUE=''
 fi
 FIRSTPASS=yes
 while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
  if [[ "$FIRSTPASS" == "yes" ]]; then
    clear
    echo "###########################################"
    echo "##          ** W A R N I N G **          ##"
    echo "##    _______________________________    ##"
    echo "##                                       ##"
    echo "##    Installing the Security Onion      ##"
    echo "##   analyst node on this device will    ##"
    echo "##       make permanent changes to       ##"
    echo "##              the system.              ##"
    echo "##                                       ##"
    echo "###########################################"
    echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
    FIRSTPASS=no
  else
    echo "Please type 'yes' to continue or 'no' to exit."
  fi      
  read INSTALL
 done
 if [[ $INSTALL == "no" ]]; then
  echo "Exiting analyst node installation."
  exit 0
 fi
 echo "Testing for internet connection with curl https://securityonionsolutions.com/"
 CANCURL=$(curl -sI https://securityonionsolutions.com/ | grep "200 OK")
  if [ $? -ne 0 ]; then
    FIRSTPASS=yes
-    while [[ $CURLCONTINUE != "yes" ]] && [[ $CURLCONTINUE != "no" ]]; do
+    while [[ $INSTALL != "yes" ]] && [[ $INSTALL != "no" ]]; do
      if [[ "$FIRSTPASS" == "yes" ]]; then
-        echo "We could not access https://securityonionsolutions.com/."
+        echo "###########################################"
-        echo "Since packages are downloaded from the internet, internet access is required."
+        echo "##          ** W A R N I N G **          ##"
-        echo "If you would like to ignore this warning and continue anyway, please type 'yes'."
+        echo "##    _______________________________    ##"
-        echo "Otherwise, type 'no' to exit."
+        echo "##                                       ##"
        echo "##    Installing the Security Onion      ##"
        echo "##   analyst node on this device will    ##"
        echo "##       make permanent changes to       ##"
        echo "##              the system.              ##"
        echo "##    A system reboot will be required   ##"
        echo "##        to complete the install.       ##"
        echo "##                                       ##"
        echo "###########################################"
        echo "Do you wish to continue? (Type the entire word 'yes' to proceed or 'no' to exit)"
        FIRSTPASS=no
      else
        echo "Please type 'yes' to continue or 'no' to exit."
      fi      
-      read CURLCONTINUE
+      read INSTALL
    done
-    if [[ "$CURLCONTINUE" == "no" ]]; then
+
    if [[ $INSTALL == "no" ]]; then
      echo "Exiting analyst node installation."
      exit 0
    fi
-  else
+
-    echo "We were able to curl https://securityonionsolutions.com/."
+    # Add workstation pillar to the minion's pillar file
-    sleep 3
+    printf '%s\n'\
      "workstation:"\
      "  gui:"\
      "    enabled: true"\
 		  "" >> "$pillar_file"
    echo "Applying the workstation state. This could take some time since there are many packages that need to be installed."
    if salt-call state.apply workstation -linfo queue=True; then # make sure the state ran successfully
      echo ""
      echo "Analyst workstation has been installed!"
      echo "Press ENTER to reboot or Ctrl-C to cancel."
      read pause
      reboot;
    else
      echo "There was an issue applying the workstation state. Please review the log above or at /opt/so/logs/salt/minion."
    fi
  else # workstation is already added
    echo "The workstation pillar already exists in $pillar_file."
    echo "To enable/disable the gui, set 'workstation:gui:enabled' to true or false in $pillar_file."
    echo "Additional documentation can be found at $doc_workstation_url."
  fi
-
+else # if the pillar file doesn't exist
-# Install a GUI text editor
+  echo "Could not find $pillar_file and add the workstation pillar."
 yum -y install gedit
 # Install misc utils
 yum -y install wget curl unzip epel-release yum-plugin-versionlock;
 # Install xWindows
 yum -y groupinstall "X Window System";
 yum -y install gnome-classic-session gnome-terminal nautilus-open-terminal control-center liberation-mono-fonts;
 unlink /etc/systemd/system/default.target;
 ln -sf /lib/systemd/system/graphical.target /etc/systemd/system/default.target;
 yum -y install file-roller
 # Install Mono - prereq for NetworkMiner
 yum -y install mono-core mono-basic mono-winforms expect
 # Install NetworkMiner
 yum -y install libcanberra-gtk2;
 wget https://www.netresec.com/?download=NetworkMiner -O /tmp/nm.zip;
 mkdir -p /opt/networkminer/
 unzip /tmp/nm.zip -d /opt/networkminer/;
 rm /tmp/nm.zip;
 mv /opt/networkminer/NetworkMiner_*/* /opt/networkminer/
 chmod +x /opt/networkminer/NetworkMiner.exe;
 chmod -R go+w /opt/networkminer/AssembledFiles/;
 chmod -R go+w /opt/networkminer/Captures/;
 # Create networkminer shim
 cat << EOF >> /bin/networkminer
 #!/bin/bash
 /bin/mono /opt/networkminer/NetworkMiner.exe --noupdatecheck "\$@"
 EOF
 chmod +x /bin/networkminer
 # Convert networkminer ico file to png format
 yum -y install ImageMagick
 convert /opt/networkminer/networkminericon.ico /opt/networkminer/networkminericon.png
 # Create menu entry
 cat << EOF >> /usr/share/applications/networkminer.desktop
 [Desktop Entry]
 Name=NetworkMiner
 Comment=NetworkMiner
 Encoding=UTF-8
 Exec=/bin/networkminer %f
 Icon=/opt/networkminer/networkminericon-4.png
 StartupNotify=true
 Terminal=false
 X-MultipleArgs=false
 Type=Application
 MimeType=application/x-pcap;
 Categories=Network;
 EOF
 # Set default monospace font to Liberation
 cat << EOF >> /etc/fonts/local.conf
 <match target="pattern">
  <test name="family" qual="any">
   <string>monospace</string>
  </test>
  <edit binding="strong" mode="prepend" name="family">
   <string>Liberation Mono</string>
  </edit>
 </match>
 EOF
 # Install Wireshark for Gnome
 yum -y install wireshark-gnome; 
 # Install dnsiff
 yum -y install dsniff;
 # Install hping3
 yum -y install hping3;
 # Install netsed
 yum -y install netsed;
 # Install ngrep
 yum -y install ngrep;
 # Install scapy
 yum -y install python36-scapy;
 # Install ssldump
 yum -y install ssldump;
 # Install tcpdump
 yum -y install tcpdump;
 # Install tcpflow
 yum -y install tcpflow;
 # Install tcpxtract
 yum -y install tcpxtract;
 # Install whois
 yum -y install whois;
 # Install foremost
 yum -y install https://forensics.cert.org/centos/cert/7/x86_64//foremost-1.5.7-13.1.el7.x86_64.rpm;
 # Install chromium
 yum -y install chromium;
 # Install tcpstat
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcpstat-1.5.0/securityonion-tcpstat-1.5.0.rpm;
 # Install tcptrace
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-tcptrace-6.6.7/securityonion-tcptrace-6.6.7.rpm;
 # Install sslsplit
 yum -y install libevent;
 yum -y install sslsplit;
 # Install Bit-Twist
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-bittwist-2.0.0/securityonion-bittwist-2.0.0.rpm;
 # Install chaosreader
 yum -y install perl-IO-Compress perl-Net-DNS;
 yum -y install https://github.com/Security-Onion-Solutions/securityonion-docker-rpm/releases/download/securityonion-chaosreader-0.95.10/securityonion-chaosreader-0.95.10.rpm;
 chmod +x /bin/chaosreader;
 if [ -f ../../files/analyst/README ]; then
  cp ../../files/analyst/README /;
  cp ../../files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
  cp ../../files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
  cp ../../files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
 else
  cp /opt/so/saltstack/default/salt/common/files/analyst/README /;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-wallpaper.jpg /usr/share/backgrounds/;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-lockscreen.jpg /usr/share/backgrounds/;
  cp /opt/so/saltstack/default/salt/common/files/analyst/so-login-logo-dark.svg /usr/share/pixmaps/;
 fi
-# Set background wallpaper
+{#-  if this is not a manager #}
-cat << EOF >> /etc/dconf/db/local.d/00-background
+{%   else -%}
 # Specify the dconf path
 [org/gnome/desktop/background]
-# Specify the path to the desktop background image file
+echo "Since this is not a manager, the pillar values to enable analyst workstation must be set manually. Please view the documentation at $doc_workstation_url."
 picture-uri='file:///usr/share/backgrounds/so-wallpaper.jpg'
 # Specify one of the rendering options for the background image:
 # 'none', 'wallpaper', 'centered', 'scaled', 'stretched', 'zoom', 'spanned'
 picture-options='zoom'
 # Specify the left or top color when drawing gradients or the solid color
 primary-color='000000'
 # Specify the right or bottom color when drawing gradients
 secondary-color='FFFFFF'
 EOF
-# Set lock screen
+{#- endif if this is a manager #}
-cat << EOF >> /etc/dconf/db/local.d/00-screensaver
+{%   endif -%}
 [org/gnome/desktop/session]
 idle-delay=uint32 180
-[org/gnome/desktop/screensaver]
+{#- if not CentOS #}
-lock-enabled=true
+{%- else %}
 lock-delay=uint32 120
 picture-options='zoom'
 picture-uri='file:///usr/share/backgrounds/so-lockscreen.jpg'
 EOF
-cat << EOF >> /etc/dconf/db/local.d/locks/screensaver
+echo "The Analyst Workstation can only be installed on CentOS. Please view the documentation at $doc_workstation_url."
 /org/gnome/desktop/session/idle-delay
 /org/gnome/desktop/screensaver/lock-enabled
 /org/gnome/desktop/screensaver/lock-delay
 EOF
-# Do not show the user list at login screen
+{#- endif grains.os == CentOS #}
-cat << EOF >> /etc/dconf/db/local.d/00-login-screen
+{% endif -%}
 [org/gnome/login-screen]
 logo='/usr/share/pixmaps/so-login-logo-dark.svg'
 disable-user-list=true
 EOF
-dconf update;
+exit 0
 echo
 echo "Analyst workstation has been installed!"
 echo "Press ENTER to reboot or Ctrl-C to cancel."
 read pause
 reboot;
--- a/salt/workstation/packages.sls
+++ b/salt/workstation/packages.sls
@@ -1,3 +1,6 @@
 {# we only want this state to run it is CentOS #}
 {% if grains.os == 'CentOS' %}
 xwindows_group:
  pkg.group_installed:
    - name: X Window System
@@ -45,3 +48,11 @@ workstation_packages:
      - perl-Net-DNS
      - securityonion-chaosreader
      - securityonion-analyst-extras
 {% else %}
 workstation_packages_os_fail:
  test.fail_without_changes:
    - comment: 'SO Analyst Workstation can only be installed on CentOS'
 {% endif %}
--- a/salt/workstation/remove_gui.sls
+++ b/salt/workstation/remove_gui.sls
@@ -1,5 +1,15 @@
 {# we only want this state to run it is CentOS #}
 {% if grains.os == 'CentOS' %}
 remove_graphical_target:
  file.symlink:
    - name: /etc/systemd/system/default.target
    - target: /lib/systemd/system/multi-user.target
    - force: True
 {% else %}
 workstation_trusted-ca_os_fail:
  test.fail_without_changes:
    - comment: 'SO Analyst Workstation can only be installed on CentOS'
 {% endif %}
--- a/salt/workstation/trusted-ca.sls
+++ b/salt/workstation/trusted-ca.sls
@@ -1,16 +1,19 @@
-    {% set global_ca_text = [] %}
+{# we only want this state to run it is CentOS #}
-    {% set global_ca_server = [] %}
+{% if grains.os == 'CentOS' %}
-    {% set manager = salt['grains.get']('master') %}
+
-    {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
+  {% set global_ca_text = [] %}
  {% set global_ca_server = [] %}
  {% set manager = salt['grains.get']('master') %}
  {% set x509dict = salt['mine.get'](manager | lower~'*', 'x509.get_pem_entries') %}
    {% for host in x509dict %}
      {% if host.split('_')|last in ['manager', 'managersearch', 'standalone', 'import'] %}
        {% do global_ca_text.append(x509dict[host].get('/etc/pki/ca.crt')|replace('\n', '')) %}
        {% do global_ca_server.append(host) %}
      {% endif %}
    {% endfor %}
-    {% set trusttheca_text = global_ca_text[0] %}
+  {% set trusttheca_text = global_ca_text[0] %}
-    {% set ca_server = global_ca_server[0] %}
+  {% set ca_server = global_ca_server[0] %}
 trusted_ca:
  x509.pem_managed:
@@ -22,3 +25,11 @@ update_ca_certs:
    - name: update-ca-trust
    - onchanges:
      - x509: trusted_ca
 {% else %}
 workstation_trusted-ca_os_fail:
  test.fail_without_changes:
    - comment: 'SO Analyst Workstation can only be installed on CentOS'
 {% endif %}
--- a/salt/workstation/xwindows.sls
+++ b/salt/workstation/xwindows.sls
@@ -1,3 +1,7 @@
 {# we only want this state to run it is CentOS #}
 {% if grains.os == 'CentOS' %}
 include:
  - workstation.packages
@@ -9,3 +13,11 @@ graphical_target:
    - require:
      - pkg: X Window System
      - pkg: graphical_extras
 {% else %}
 workstation_xwindows_os_fail:
  test.fail_without_changes:
    - comment: 'SO Analyst Workstation can only be installed on CentOS'
 {% endif %}