Mike Reeves
2023-05-26 15:16:38 -04:00
9 changed files with 275 additions and 141 deletions


@@ -1,6 +1,6 @@
## Security Onion 2.4 Beta 2 ## Security Onion 2.4 Beta 3
Security Onion 2.4 Beta 2 is here! Security Onion 2.4 Beta 3 is here!
## Screenshots ## Screenshots


@@ -10,12 +10,12 @@
. /usr/sbin/so-common . /usr/sbin/so-common
FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220" #FLEETHOST="https://{{ GLOBALS.manager_ip }}:8220"
for i in {1..30} for i in {1..30}
do do
ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints")) | .api_key') ENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
#FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts' | jq -r '.items[].host_urls[]' | paste -sd ',') FLEETHOST=$(curl -K /opt/so/conf/elasticsearch/curl.config 'http://localhost:5601/api/fleet/fleet_server_hosts/grid-default' | jq -r '.item.host_urls[]' | paste -sd ',')
if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi if [[ $FLEETHOST ]] && [[ $ENROLLMENTOKEN ]]; then break; else sleep 10; fi
done done
if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi if [[ -z $FLEETHOST ]] || [[ -z $ENROLLMENTOKEN ]]; then printf "\nFleet Host URL or Enrollment Token empty - exiting..." && exit; fi
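Review bot: The token lookup on the ENROLLMENTOKEN line selects policies with `contains("endpoints-initial")`, which is a substring match, so any other policy whose id merely contains that text is selected too and the variable ends up holding several newline-separated keys; `select(.policy_id == "endpoints-initial")` pins the intended policy. The failure path on the last line still exits with status 0 (`exit` after the printf), so a caller cannot tell that enrollment was skipped; `exit 1` would make the outcome visible. Unless curl.config sets it, neither curl call uses `--fail`, so an error body from Kibana is silently turned into an empty string by jq and only surfaces as the generic message after the 30 retries.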


@@ -35,9 +35,16 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
printf "\n\n" printf "\n\n"
{%- endif %} {%- endif %}
# Add Manager IP & URL Base to Fleet Host URLs
printf "\nAdd SO-Manager Fleet URL\n" printf "\nAdd SO-Manager Fleet URL\n"
if [ "{{ GLOBALS.manager_ip }}" = "{{ GLOBALS.url_base }}" ]; then
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220"]}')
else
JSON_STRING=$( jq -n '{"id":"grid-default","name":"grid-default","is_default":true,"host_urls":["https://{{ GLOBALS.url_base }}:8220", "https://{{ GLOBALS.manager_ip }}:8220"]}')
fi
## This array replaces whatever URLs are currently configured ## This array replaces whatever URLs are currently configured
curl -K /opt/so/conf/elasticsearch/curl.config -L -X PUT "localhost:5601/api/fleet/settings" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '{"fleet_server_hosts":["https://{{ GLOBALS.manager_ip }}:8220", "https://{{ GLOBALS.manager }}:8220"]}' curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fleet/fleet_server_hosts" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d "$JSON_STRING"
printf "\n\n" printf "\n\n"
@@ -74,7 +81,7 @@ curl -K /opt/so/conf/elasticsearch/curl.config -L -X POST "localhost:5601/api/fl
### Finalization ### ### Finalization ###
# Query for Enrollment Tokens for default policies # Query for Enrollment Tokens for default policies
ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-default")) | .api_key') ENDPOINTSENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("endpoints-initial")) | .api_key')
GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key') GRIDNODESENROLLMENTOKEN=$(curl -K /opt/so/conf/elasticsearch/curl.config -L "localhost:5601/api/fleet/enrollment_api_keys" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' | jq .list | jq -r -c '.[] | select(.policy_id | contains("so-grid-nodes")) | .api_key')
# Store needed data in minion pillar # Store needed data in minion pillar
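Review bot: The comment `## This array replaces whatever URLs are currently configured` above the new curl line is now stale: the call POSTs a fleet_server_hosts entry with the fixed id `grid-default` instead of replacing the settings array, so it should read something like `## Create the grid-default Fleet Server host entry (is_default: true)`. Because the id is fixed, a re-run of this script would presumably be rejected by the API as a duplicate; if the script is expected to be re-runnable, the existing-entry case needs a `PUT` on `fleet_server_hosts/grid-default` or at least a check of the response status. The curl output is not checked, so a failed creation is only visible in the printed response body and setup carries on.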


@@ -6,8 +6,13 @@ global:
managerip: managerip:
description: The IP address of the grid manager. description: The IP address of the grid manager.
global: True global: True
advanced: True
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
mdengine: mdengine:
description: What engine to use for meta data generation. Options are ZEEK and SURICATA. description: What engine to use for meta data generation. Options are ZEEK and SURICATA.
regex: ^(ZEEK|SURICATA)$
regexFailureMessage: You must enter either ZEEK or SURICATA.
global: True global: True
ids: ids:
description: Which IDS engine to use. Currently only Suricata is supported. description: Which IDS engine to use. Currently only Suricata is supported.
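Review bot: The managerip regex added on the `regex:` line accepts an empty value (the whole pattern is optional through the trailing `?`) and any octet from 0 to 999, so an empty field or `999.1.1.1` passes validation; for a single manager address the `/CIDR` suffix is also accepted although the description says IP address. A per-octet pattern such as `^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$` (constructed example) would reject those, and if the CIDR form is genuinely wanted here the description and the failure message should say so consistently. The same pattern is reused for HOME_NET in the suricata annotations section of this commit (the `regex:` line under HOME_NET), where the empty-match and octet-range issues apply as well; both reject IPv6 addresses.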


@@ -2,56 +2,83 @@ suricata:
enabled: False enabled: False
config: config:
threading: threading:
set-cpu-affinity: 'no' set-cpu-affinity: "no"
detect-thread-ratio: 1.0 cpu-affinity:
cpu-affinity: management-cpu-set:
- management-cpu-set: cpu:
cpu: [] - 1
- receive-cpu-set: worker-cpu-set:
cpu: [] cpu:
- worker-cpu-set: - 2-3
cpu: [] mode: exclusive
mode: exclusive prio:
threads: 1 default: high
prio:
default: high
af-packet: af-packet:
interface: bond0 interface: bond0
cluster-id: 59 cluster-id: 59
cluster-type: cluster_flow cluster-type: cluster_flow
defrag: true defrag: "yes"
use-mmap: true use-mmap: "yes"
threads: 1 threads: 1
tpacket-v3: true tpacket-v3: "yes"
ring-size: 5000 ring-size: 5000
vars: vars:
address-groups: address-groups:
HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]" HOME_NET:
EXTERNAL_NET: "any" - 192.168.0.0/16
HTTP_SERVERS: "$HOME_NET" - 10.0.0.0/8
SMTP_SERVERS: "$HOME_NET" - 172.16.0.0/12
SQL_SERVERS: "$HOME_NET" EXTERNAL_NET:
DNS_SERVERS: "$HOME_NET" - any
TELNET_SERVERS: "$HOME_NET" HTTP_SERVERS:
AIM_SERVERS: "$EXTERNAL_NET" - $HOME_NET
DC_SERVERS: "$HOME_NET" SMTP_SERVERS:
DNP3_SERVER: "$HOME_NET" - $HOME_NET
DNP3_CLIENT: "$HOME_NET" SQL_SERVERS:
MODBUS_CLIENT: "$HOME_NET" - $HOME_NET
MODBUS_SERVER: "$HOME_NET" DNS_SERVERS:
ENIP_CLIENT: "$HOME_NET" - $HOME_NET
ENIP_SERVER: "$HOME_NET" TELNET_SERVERS:
- $HOME_NET
AIM_SERVERS:
- $EXTERNAL_NET
DC_SERVERS:
- $HOME_NET
DNP3_SERVER:
- $HOME_NET
DNP3_CLIENT:
- $HOME_NET
MODBUS_CLIENT:
- $HOME_NET
MODBUS_SERVER:
- $HOME_NET
ENIP_CLIENT:
- $HOME_NET
ENIP_SERVER:
- $HOME_NET
port-groups: port-groups:
HTTP_PORTS: "80" HTTP_PORTS:
SHELLCODE_PORTS: "!80" - 80
ORACLE_PORTS: "1521" SHELLCODE_PORTS:
SSH_PORTS: "22" - "!80"
DNP3_PORTS: "20000" ORACLE_PORTS:
MODBUS_PORTS: "502" - 1521
FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]" SSH_PORTS:
FTP_PORTS: "21" - 22
VXLAN_PORTS: "4789" DNP3_PORTS:
TEREDO_PORTS: "3544" - 20000
MODBUS_PORTS:
- 502
FILE_DATA_PORTS:
- $HTTP_PORTS
- 110
- 143
FTP_PORTS:
- 21
VXLAN_PORTS:
- 4789
TEREDO_PORTS:
- 3544
default-log-dir: /var/log/suricata/ default-log-dir: /var/log/suricata/
stats: stats:
enabled: "yes" enabled: "yes"
@@ -69,24 +96,24 @@ suricata:
pcap-file: false pcap-file: false
community-id: true community-id: true
community-id-seed: 0 community-id-seed: 0
xff:
enabled: "no"
mode: extra-data
deployment: reverse
header: X-Forwarded-For
types: types:
- alert: alert:
payload: "no" payload: "no"
payload-buffer-size: 4kb payload-buffer-size: 4kb
payload-printable: "yes" payload-printable: "yes"
packet: "yes" packet: "yes"
metadata: metadata:
app-layer: false app-layer: false
flow: false flow: false
rule: rule:
metadata: true metadata: true
raw: true raw: true
tagged-packets: "no" tagged-packets: "no"
xff:
enabled: "no"
mode: extra-data
deployment: reverse
header: X-Forwarded-For
unified2-alert: unified2-alert:
enabled: "no" enabled: "no"
http-log: http-log:
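Review bot: The hunk mixes two boolean spellings in one file: af-packet's `defrag`, `use-mmap` and `tpacket-v3` become the quoted strings `"yes"`/`"no"`, while neighbouring keys such as `pcap-file: false`, `community-id: true` and `app-layer: false` stay YAML booleans. Suricata accepts both, but since the annotations file in this commit validates these keys with `^(yes|no)$`, one convention should be chosen and stated in a comment at the top of the threading/af-packet block. The new cpu-affinity defaults pin management threads to core 1 and workers to `2-3`; they only matter when `set-cpu-affinity` is `"yes"`, but a comment such as `# only applied when set-cpu-affinity is "yes"; the cores listed must exist on the host` would save an operator from enabling affinity on a two-core box (the host dependence is inferred from the values, not stated in the hunk).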


@@ -1,4 +1,4 @@
{% from 'vars/globals.map.jinja' import GLOBALS %} {% from 'vars/globals.map.jinja' import GLOBALS %}
{% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %} {% import_yaml 'suricata/defaults.yaml' as SURICATADEFAULTS %}
{% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %} {% set SURICATAMERGED = salt['pillar.get']('suricata', SURICATADEFAULTS.suricata, merge=True) %}
{% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %} {% import_yaml 'suricata/suricata_mdengine.yaml' as suricata_mdengine %}
@@ -23,6 +23,45 @@
{% do SURICATAMERGED.config.pop('af-packet') %} {% do SURICATAMERGED.config.pop('af-packet') %}
{% do SURICATAMERGED.config.update({'af-packet': afpacket}) %} {% do SURICATAMERGED.config.update({'af-packet': afpacket}) %}
{# eve-log.types is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as evelogtypes %}
{% for le, ld in SURICATAMERGED.config.outputs['eve-log'].types.items() %}
- {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.outputs['eve-log'].pop('types') %}
{% do SURICATAMERGED.config.outputs['eve-log'].update({'types': evelogtypes}) %}
{# threading.cpu-affinity is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as cpuaffinity %}
{% for le, ld in SURICATAMERGED.config.threading['cpu-affinity'].items() %}
- {{ le }}: {{ ld }}
{% endfor %}
{% endload %}
{% do SURICATAMERGED.config.threading.pop('cpu-affinity') %}
{% do SURICATAMERGED.config.threading.update({'cpu-affinity': cpuaffinity}) %}
{# Find the index of eve-log and file-store in suricata_mdengine.suricata.config.outputs #}
{# update outputs eve-log.types and filestore with config for Suricata metadata engine #}
{% if GLOBALS.md_engine == 'SURICATA' %}
{% for li in suricata_mdengine.suricata.config.outputs %}
{% if 'eve-log' in li.keys() %}
{% do surimeta_evelog_index.append(loop.index0) %}
{% endif %}
{% if 'file-store' in li.keys() %}
{% do surimeta_filestore_index.append(loop.index0) %}
{% endif %}
{% endfor %}
{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
{% do SURICATAMERGED.config.outputs['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{% do SURICATAMERGED.config.outputs['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %}
{# outputs is a list but we convert to dict in defaults to work with ui #}
{# below they are converted back to lists #}
{% load_yaml as outputs %} {% load_yaml as outputs %}
{% for le, ld in SURICATAMERGED.config.outputs.items() %} {% for le, ld in SURICATAMERGED.config.outputs.items() %}
- {{ le }}: {{ ld }} - {{ le }}: {{ ld }}
@@ -31,31 +70,22 @@
{% do SURICATAMERGED.config.pop('outputs') %} {% do SURICATAMERGED.config.pop('outputs') %}
{% do SURICATAMERGED.config.update({'outputs': outputs}) %} {% do SURICATAMERGED.config.update({'outputs': outputs}) %}
{# Find the index of eve-log so it can be updated later #} {# change address-groups vars from list to comma seperated string #}
{% for li in SURICATAMERGED.config.outputs %} {% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %}
{% if 'eve-log' in li.keys() %} {# if address-group value is a list #}
{% do default_evelog_index.append(loop.index0) %} {% if v is iterable and (v is not string and v is not mapping and v | length > 1) %}
{% endif %} {% do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
{% if 'file-store' in li.keys() %} {% else %}
{% do default_filestore_index.append(loop.index0) %} {% do SURICATAMERGED.config.vars['address-groups'].update({k: v[0]}) %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% set default_evelog_index = default_evelog_index[0] %}
{% set default_filestore_index = default_filestore_index[0] %}
{# Find the index of eve-log so it can be grabbed later #} {# change port-groups vars from list to comma seperated string #}
{% for li in suricata_mdengine.suricata.config.outputs %} {% for k, v in SURICATAMERGED.config.vars['port-groups'].items() %}
{% if 'eve-log' in li.keys() %} {# if address-group value is a list #}
{% do surimeta_evelog_index.append(loop.index0) %} {% if v is iterable and (v is not string and v is not mapping and v | length > 1) %}
{% endif %} {% do SURICATAMERGED.config.vars['port-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
{% if 'file-store' in li.keys() %} {% else %}
{% do surimeta_filestore_index.append(loop.index0) %} {% do SURICATAMERGED.config.vars['port-groups'].update({k: v[0]}) %}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
{% set surimeta_evelog_index = surimeta_evelog_index[0] %}
{% set surimeta_filestore_index = surimeta_filestore_index[0] %}
{% if GLOBALS.md_engine == 'SURICATA' %}
{% do SURICATAMERGED.config.outputs[default_evelog_index]['eve-log'].types.extend(suricata_mdengine.suricata.config.outputs[surimeta_evelog_index]['eve-log'].types) %}
{% do SURICATAMERGED.config.outputs[default_filestore_index]['file-store'].update({'enabled':suricata_mdengine.suricata.config.outputs[surimeta_filestore_index]['file-store']['enabled']}) %}
{% endif %}
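Review bot: The address-groups and port-groups conversion loops (from the `{# change address-groups vars ... #}` comment onward) fall into the else branch for any value that is not a list of length > 1 and then take `v[0]`, so a scalar string override from pillar such as `HOME_NET: "10.0.0.0/8"` is reduced to its first character and an empty list raises an index error. Strings should pass through unchanged and the single-element case be handled explicitly, as below; the port-groups loop needs the same treatment. The comment inside the port-groups loop still says `{# if address-group value is a list #}` and both headers spell `seperated`; `{# if port-group value is a list #}` and `separated` would fix that.
```jinja
{% for k, v in SURICATAMERGED.config.vars['address-groups'].items() %}
  {% if v is string or v is number or v is mapping %}
    {# scalar override from pillar: already in Suricata's string form, keep as-is #}
  {% elif v | length > 1 %}
    {% do SURICATAMERGED.config.vars['address-groups'].update({k: '[' ~ v | join(',') ~ ']'}) %}
  {% elif v | length == 1 %}
    {% do SURICATAMERGED.config.vars['address-groups'].update({k: v[0]}) %}
  {% endif %}
{% endfor %}
{# … unchanged: port-groups loop, same structure … #}
```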


@@ -12,10 +12,54 @@ suricata:
title: SIDS title: SIDS
helpLink: suricata.html helpLink: suricata.html
config: config:
af-packet:
interface:
description: The network interface that Suricata will monitor.
helpLink: suricata.html
cluster-id:
advanced: True
cluster-type:
advanced: True
regex: ^(cluster_flow|cluster_qm)$
defrag:
advanced: True
regex: ^(yes|no)$
use-mmap:
advanced: True
readonly: True
threads:
description: The amount of worker threads.
helpLink: suricata.html
forcedType: int
tpacket-v3:
advanced: True
readonly: True
ring-size:
description: Buffer size for packets per thread.
forcedType: int
helpLink: suricata.html
threading:
set-cpu-affinity:
description: Bind(yes) or unbind(no) management and worker threads to a core or range of cores.
regex: ^(yes|no)$
helpLink: suricata.html
cpu-affinity:
management-cpu-set:
cpu:
description: Bind management threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
worker-cpu-set:
cpu:
description: Bind worker threads to a core or range of cores. This can be a sigle core, list of cores, or list of range of cores. set-cpu-affinity must be set to 'yes' for this to be used.
forcedType: "[]string"
helpLink: suricata.html
vars: vars:
address-groups: address-groups:
HOME_NET: HOME_NET:
description: List of hosts or networks. description: List of hosts or networks.
regex: ^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?)?$
regexFailureMessage: You must enter a valid IP address or CIDR.
helpLink: suricata.html helpLink: suricata.html
EXTERNAL_NET: EXTERNAL_NET:
description: List of hosts or networks. description: List of hosts or networks.
@@ -92,19 +136,21 @@ suricata:
helpLink: suricata.html helpLink: suricata.html
outputs: outputs:
eve-log: eve-log:
xff: types:
enabled: alert:
description: Enable X-Forward-For support. xff:
helpLink: suricata.html enabled:
mode: description: Enable X-Forward-For support.
description: Operation mode. This should always be extra-data if you use PCAP. helpLink: suricata.html
helpLink: suricata.html mode:
deployment: description: Operation mode. This should always be extra-data if you use PCAP.
description: forward would use the first IP address and reverse would use the last. helpLink: suricata.html
helpLink: suricata.html deployment:
header: description: forward would use the first IP address and reverse would use the last.
description: Header name where the actual IP address will be reported. helpLink: suricata.html
helpLink: suricata.html header:
description: Header name where the actual IP address will be reported.
helpLink: suricata.html
asn1-max-frames: asn1-max-frames:
description: Maximum nuber of asn1 frames to decode. description: Maximum nuber of asn1 frames to decode.
helpLink: suricata.html helpLink: suricata.html
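Review bot: The two new cpu-affinity descriptions (the `cpu:` entries under management-cpu-set and worker-cpu-set) misspell `sigle`; they should read `This can be a single core, list of cores, or list of ranges of cores.` The context line `Maximum nuber of asn1 frames to decode.` has the same kind of typo, though it is not part of this change. The af-packet `threads` description `The amount of worker threads.` would read better as `The number of worker threads.`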


@@ -28,6 +28,12 @@ title() {
echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$setup_log" 2>&1 echo -e "\n-----------------------------\n $1\n-----------------------------\n" >> "$setup_log" 2>&1
} }
fail_setup() {
error "Setup encounted an unrecoverable failure, exiting"
touch /root/failure
exit 1
}
logCmd() { logCmd() {
cmd=$1 cmd=$1
info "Executing command: $cmd" info "Executing command: $cmd"
@@ -796,7 +802,7 @@ compare_main_nic_ip() {
EOM EOM
[[ -n $TESTING ]] || whiptail --title "$whiptail_title" --msgbox "$message" 11 75 [[ -n $TESTING ]] || whiptail --title "$whiptail_title" --msgbox "$message" 11 75
kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup
fi fi
else else
# Setup uses MAINIP, but since we ignore the equality condition when using a VPN # Setup uses MAINIP, but since we ignore the equality condition when using a VPN
@@ -921,9 +927,10 @@ create_repo() {
detect_cloud() { detect_cloud() {
info "Testing if setup is running on a cloud instance..." info "Testing if setup is running on a cloud instance..."
if dmidecode -s bios-version | grep -q amazon || \ if [ -f /etc/SOCLOUD ] || \
dmidecode -s bios-vendor | grep -q Amazon || \ dmidecode -s bios-version 2>&1 | grep -q amazon || \
dmidecode -s bios-vendor | grep -q Google || \ dmidecode -s bios-vendor 2>&1 | grep -q Amazon || \
dmidecode -s bios-vendor 2>&1 | grep -q Google || \
[ -f /var/log/waagent.log ]; then [ -f /var/log/waagent.log ]; then
info "Detected a cloud installation..." info "Detected a cloud installation..."
@@ -943,7 +950,7 @@ detect_os() {
pkgman="dnf" pkgman="dnf"
else else
info "We do not support the operating system you are trying to use." info "We do not support the operating system you are trying to use."
exit 1 fail_setup
fi fi
elif [ -f /etc/os-release ]; then elif [ -f /etc/os-release ]; then
@@ -953,12 +960,12 @@ detect_os() {
is_ubuntu=true is_ubuntu=true
else else
info "We do not support your current version of Ubuntu." info "We do not support your current version of Ubuntu."
exit 1 fail_setup
fi fi
else else
info "We were unable to determine if you are using a supported OS." info "We were unable to determine if you are using a supported OS."
exit 1 fail_setup
fi fi
info "Found OS: $OS $OSVER" info "Found OS: $OS $OSVER"
@@ -971,8 +978,20 @@ download_elastic_agent_artifacts() {
logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "tar -xf /nsm/elastic-fleet/artifacts/beats/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
else else
logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "mkdir -p /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
logCmd "curl --retry 5 --retry-delay 60 https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz" logCmd "curl --retry 5 --retry-delay 60 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.tar.gz --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz"
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/" logCmd "curl --retry 5 --retry-delay 60 -L https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$SOVERSION.md5 --output /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5"
SOURCEHASH=$(md5sum /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz | awk '{ print $1 }')
HASH=$(cat /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.md5)
if [[ "$HASH" == "$SOURCEHASH" ]]; then
info "Elastic Agent source hash is good."
else
info "Unable to download the Elastic Agent source files."
fail_setup
fi
logCmd "tar -xf /nsm/elastic-fleet/artifacts/elastic-agent_SO-$SOVERSION.tar.gz -C /nsm/elastic-fleet/artifacts/beats/elastic-agent/"
fi fi
} }
@@ -1000,18 +1019,18 @@ installer_prereq_packages() {
if [ "$OS" == ubuntu ]; then if [ "$OS" == ubuntu ]; then
# Print message to stdout so the user knows setup is doing something # Print message to stdout so the user knows setup is doing something
info "Running apt-get update" info "Running apt-get update"
retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
# Install network manager so we can do interface stuff # Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then if ! command -v nmcli > /dev/null 2>&1; then
info "Installing network-manager" info "Installing network-manager"
retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || fail_setup
{ {
systemctl enable NetworkManager systemctl enable NetworkManager
systemctl start NetworkManager systemctl start NetworkManager
} >> "$setup_log" 2<&1 } >> "$setup_log" 2<&1
fi fi
if ! command -v curl > /dev/null 2>&1; then if ! command -v curl > /dev/null 2>&1; then
retry 150 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || fail_setup
fi fi
fi fi
} }
@@ -1728,7 +1747,7 @@ proxy_validate() {
error "Received error: $proxy_test_err" error "Received error: $proxy_test_err"
if [[ -n $TESTING ]]; then if [[ -n $TESTING ]]; then
error "Exiting setup" error "Exiting setup"
kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 kill -SIGINT "$(ps --pid $$ -oppid=)"; fail_setup
fi fi
fi fi
return $ret return $ret
@@ -1799,7 +1818,7 @@ reinstall_init() {
# Stop the systemctl process trying to kill the service, show user a message, then exit setup # Stop the systemctl process trying to kill the service, show user a message, then exit setup
kill -9 $pid kill -9 $pid
exit 1 fail_setup
fi fi
sleep 5 sleep 5
@@ -2002,7 +2021,7 @@ saltify() {
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //') SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //')
if [[ $is_ubuntu ]]; then if [[ $is_ubuntu ]]; then
DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1 DEBIAN_FRONTEND=noninteractive retry 150 20 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
update-alternatives --install /usr/bin/python python /usr/bin/python3.8 10 update-alternatives --install /usr/bin/python python /usr/bin/python3.8 10
local pkg_arr=( local pkg_arr=(
'apache2-utils' 'apache2-utils'
@@ -2014,7 +2033,7 @@ saltify() {
'netcat' 'netcat'
'jq' 'jq'
) )
retry 150 20 "apt-get -y install ${pkg_arr[*]}" || exit 1 retry 150 20 "apt-get -y install ${pkg_arr[*]}" || fail_setup
logCmd "mkdir -vp /etc/apt/keyrings" logCmd "mkdir -vp /etc/apt/keyrings"
#logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub" #logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/SALTSTACK-GPG-KEY.pub"
@@ -2035,9 +2054,9 @@ saltify() {
# Ain't nothing but a GPG # Ain't nothing but a GPG
retry 150 20 "apt-get update" "" "Err:" || exit 1 retry 150 20 "apt-get update" "" "Err:" || fail_setup
retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || exit 1 retry 150 20 "apt-get -y install salt-common-$SALTVERSION salt-minion-$SALTVERSION" || fail_setup
retry 150 20 "apt-mark hold salt-minion salt-common" || exit 1 retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup
#retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1 #retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
fi fi
@@ -2104,7 +2123,7 @@ set_main_ip() {
info "MAINIP=$MAINIP" info "MAINIP=$MAINIP"
info "MNIC_IP=$MNIC_IP" info "MNIC_IP=$MNIC_IP"
whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Select OK to exit." whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Select OK to exit."
exit 1 fail_setup
fi fi
sleep 1 sleep 1
done done
@@ -2296,8 +2315,8 @@ set_initial_firewall_access() {
so-firewall includehost analyst $ALLOW_CIDR --apply so-firewall includehost analyst $ALLOW_CIDR --apply
fi fi
if [[ ! -z "$MINION_CIDR" ]]; then if [[ ! -z "$MINION_CIDR" ]]; then
so-firewall includehost sensors $MINION_CIDR so-firewall includehost sensor $MINION_CIDR
so-firewall includehost searchnodes $MINION_CIDR --apply so-firewall includehost searchnode $MINION_CIDR --apply
fi fi
} }
@@ -2354,13 +2373,13 @@ ubuntu_check() {
if [[ $OS == "ubuntu" ]]; then if [[ $OS == "ubuntu" ]]; then
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
whiptail_ubuntu_notsupported whiptail_ubuntu_notsupported
exit 1 fail_setup
else else
if [[ $UBUNTUINSTALL == "needtoupgrade" ]]; then if [[ $UBUNTUINSTALL == "needtoupgrade" ]]; then
whiptail_ubuntu_warning whiptail_ubuntu_warning
else else
whiptail_ubuntu_notsupported whiptail_ubuntu_notsupported
exit 1 fail_setup
fi fi
fi fi
fi fi
@@ -2379,9 +2398,9 @@ update_packages() {
logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*" logCmd "dnf -y update --allowerasing --exclude=salt*,wazuh*,docker*,containerd*"
else else
info "Running apt-get update" info "Running apt-get update"
retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
info "Running apt-get upgrade" info "Running apt-get upgrade"
retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
fi fi
} }
@@ -2427,7 +2446,7 @@ wait_for_file() {
} }
wait_for_salt_minion() { wait_for_salt_minion() {
retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || exit 1 retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || fail_setup
} }
verify_setup() { verify_setup() {
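Review bot: The md5 check added in download_elastic_agent_artifacts (whose body starts outside this hunk) passes when both files are missing: if either download fails, `md5sum` on an absent tarball leaves SOURCEHASH empty and `cat` of an absent .md5 leaves HASH empty, `"" == ""` succeeds and setup reports `Elastic Agent source hash is good.` The guard should require a non-empty hash, `if [[ -n "$HASH" && "$HASH" == "$SOURCEHASH" ]]; then`, and the else-branch message should say the hash did not match rather than that the download failed. Both downloads are wrapped in logCmd, so curl's own exit status is not acted on, and fail_setup's message misspells `encounted` (`encountered`). A hash fetched from the same origin as the tarball only detects transfer corruption, not a substituted artifact; authenticity would need a signature or a hash pinned in the repository.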


@@ -10,13 +10,13 @@
uid="$(id -u)" uid="$(id -u)"
if [ "$uid" -ne 0 ]; then if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 fail_setup
fi fi
# Save the original argument array since we modify it # Save the original argument array since we modify it
original_args=("$@") original_args=("$@")
cd "$(dirname "$0")" || exit 255 cd "$(dirname "$0")" || fail_setup
echo "Getting started..." echo "Getting started..."
@@ -82,7 +82,7 @@ if [[ "$setup_type" == 'iso' ]]; then
is_iso=true is_iso=true
else else
echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead." echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead."
exit 1 fail_setup
fi fi
fi fi
@@ -161,7 +161,7 @@ catch() {
info "Fatal error occurred at $1 in so-setup, failing setup." info "Fatal error occurred at $1 in so-setup, failing setup."
grep --color=never "ERROR" "$setup_log" > "$error_log" grep --color=never "ERROR" "$setup_log" > "$error_log"
whiptail_setup_failed whiptail_setup_failed
exit 1 fail_setup
} }
# Add the progress function for manager node type installs # Add the progress function for manager node type installs
@@ -236,7 +236,7 @@ case "$setup_type" in
;; ;;
*) *)
error "Invalid install type, must be 'iso', 'network' or 'analyst'." error "Invalid install type, must be 'iso', 'network' or 'analyst'."
exit 1 fail_setup
;; ;;
esac esac
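Review bot: The root check at the top of so-setup now calls `fail_setup` instead of `exit 1`, and the following `cd "$(dirname "$0")" || fail_setup` does the same; if so-functions (where fail_setup is defined in this commit) is only sourced after that `cd`, as the ordering suggests, neither call resolves at that point, bash prints `fail_setup: command not found`, and the script keeps running as a non-root user or from the wrong directory. Those two early checks should keep a plain `exit 1` (the cd previously used `exit 255`), or fail_setup must be defined before they run. fail_setup itself also does `touch /root/failure`, which would not succeed in the non-root case it is meant to report. Where the functions file is sourced is not visible in this hunk, so this is inferred from line order.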