CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

[fix] Misc fixes for setup to run properly

Browse Source
This commit is contained in:
William Wernert
2020-04-22 13:15:39 -04:00
parent 3f264163d4
commit 39e6f8ecbd
4 changed files with 70 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
setup/so-common-functions
View File

@@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
source './so-variables' source ./so-variables
# Helper functions # Helper functions

42
setup/so-functions
View File

@@ -15,10 +15,9 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
cd "$(dirname "$0")" || exit 255 source ./so-whiptail
source "./so-whiptail" source ./so-variables
source "./so-variables" source ./so-common-functions
source "./so-common-functions"
so_version=1.2.1 so_version=1.2.1
@@ -132,7 +131,7 @@ secrets_pillar(){
bro_logs_enabled() { bro_logs_enabled() {
echo "Enabling Bro Logs" >> "$setup_log" 2>&1 echo "Enabling Bro Logs" >> "$setup_log" 2>&1
local brologs_pillar="$./pillar/brologs.sls" local brologs_pillar="./pillar/brologs.sls"
printf '%s\n'\ printf '%s\n'\
"brologs:"\ "brologs:"\
@@ -233,7 +232,7 @@ check_pass_match() {
local var=$3 local var=$3
if [ "$pass" = "$confirm_pass" ]; then if [ "$pass" = "$confirm_pass" ]; then
eval "$var"="\"yes\"" declare "$var=yes"
else else
whiptail_passwords_dont_match whiptail_passwords_dont_match
fi fi
@@ -416,12 +415,10 @@ create_sensor_bond() {
for BNIC in "${BNICS[@]}"; do for BNIC in "${BNICS[@]}"; do
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
# Check if specific offload features are able to be disabled # Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
if ethtool -k "$BONDNIC" | grep $string | grep -q "on [fixed]"; then if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then
echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1
nic_error=1 nic_error=1
break break
fi fi
@@ -429,18 +426,18 @@ create_sensor_bond() {
# Turn off various offloading settings for the interface # Turn off various offloading settings for the interface
for i in rx tx sg tso ufo gso gro lro; do for i in rx tx sg tso ufo gso gro lro; do
ethtool -K "$BONDNIC" $i off >> "$setup_log" 2>&1 ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
done done
# Check if the bond slave connection has already been created # Check if the bond slave connection has already been created
if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BONDNIC //p" | tr -d ' ') ]]; then if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then
# Create the slave interface and assign it to the bond # Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \ nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
ethernet.mtu $MTU \ ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1 connection.autoconnect "yes" >> "$setup_log" 2>&1
fi fi
nmcli con up "bond0-slave-$BONDNIC" >> "$setup_log" 2>&1 # Bring the slave interface up nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
done done
if [ $nic_error != 0 ]; then if [ $nic_error != 0 ]; then
@@ -624,6 +621,7 @@ docker_seed_registry() {
# Prune any images that aren't used by containers # Prune any images that aren't used by containers
docker image prune -af docker image prune -af
else else
tar xvf /nsm/docker-registry/dockerso-dockers-$VERSION.tar
rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar
fi fi
@@ -687,7 +685,8 @@ get_redirect() {
got_root() { got_root() {
# Make sure you are root # Make sure you are root
if [ "$(id -u)" -ne 0 ]; then uid="$(id -u)"
if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 exit 1
fi fi
@@ -811,7 +810,7 @@ master_static() {
" fleet_packages-version: 1"\ " fleet_packages-version: 1"\
" fleet_hostname: N/A"\ " fleet_hostname: N/A"\
" fleet_ip: N/A"\ " fleet_ip: N/A"\
" sensoronikey: $SENSORONIKEY" " sensoronikey: $SENSORONIKEY"\
" masterupdate: $MASTERUPDATES" > "$static_pillar" " masterupdate: $MASTERUPDATES" > "$static_pillar"
echo "elastic:" >> /opt/so/saltstack/pillar/static.sls echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
echo " features: False" >> /opt/so/saltstack/pillar/static.sls echo " features: False" >> /opt/so/saltstack/pillar/static.sls
@@ -1140,14 +1139,7 @@ set_progress_str() {
fi fi
percentage_str="XXX\n${percentage}\n${progress_bar_text}\nXXX" percentage_str="XXX\n${percentage}\n${progress_bar_text}\nXXX"
export percentage_str echo -e "$percentage_str"
}
progress_str_printer() {
while [ "$percentage" -lt 100 ]; do
echo "$percentage_str"
done
sleep 0.5s
} }
sensor_pillar() { sensor_pillar() {
@@ -1315,7 +1307,7 @@ set_node_type() {
} }
set_updates() { set_updates() {
if [ "$MASTERUPDATES" -eq 1 ]; then if [ "$MASTERUPDATES" = '1' ]; then
if [ "$OS" = 'centos' ]; then if [ "$OS" = 'centos' ]; then
if ! grep -q "$MSRV" /etc/yum.conf; then if ! grep -q "$MSRV" /etc/yum.conf; then
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf echo "proxy=http://$MSRV:3142" >> /etc/yum.conf

96
setup/so-setup
View File

@@ -16,13 +16,12 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
cd "$(dirname "$0")" || exit 255 cd "$(dirname "$0")" || exit 255
source "./so-functions" source ./so-functions
source "./so-whiptail" source ./so-common-functions
source "./so-variables" source ./so-whiptail
source "./so-common-functions" source ./so-variables
setup_type=$1 setup_type=$1
export setup_type
case "$setup_type" in case "$setup_type" in
iso | network) # Accepted values iso | network) # Accepted values
@@ -35,8 +34,7 @@ case "$setup_type" in
esac esac
# Allow execution of SO tools during setup # Allow execution of SO tools during setup
PATH=$PATH:"$(dirname "$0")"/../salt/common/tools/sbin export PATH=$PATH:../salt/common/tools/sbin
export PATH
date -u > $setup_log 2>&1 date -u > $setup_log 2>&1
@@ -47,43 +45,13 @@ if [ "$OS" == ubuntu ]; then
update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1
fi fi
setterm -blank 0 if (whiptail_you_sure); then
true
if ! (whiptail_you_sure); then else
echo "User cancelled setup.">> $setup_log 2>&1 echo "User cancelled setup." >> $setup_log 2>&1
whiptail_cancel whiptail_cancel
fi fi
case "$setup_type" in
'iso')
whiptail_set_hostname
whiptail_management_nic
whiptail_dhcp_or_static
if [ "$address_type" != 'DHCP' ]; then
whiptail_management_interface_ip
whiptail_management_interface_mask
whiptail_management_interface_gateway
whiptail_management_interface_dns
whiptail_management_interface_dns_search
fi
# Init networking so rest of install works
set_hostname_iso
set_management_interface
collect_adminuser_inputs
add_admin_user
disable_onion_user
;;
'network')
whiptail_network_notice
whiptail_set_hostname
whiptail_management_nic
;;
esac
whiptail_install_type whiptail_install_type
short_name=$(echo "$hostname" | awk -F. '{print $1}') short_name=$(echo "$hostname" | awk -F. '{print $1}')
@@ -95,9 +63,6 @@ echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1
whiptail_patch_schedule whiptail_patch_schedule
filter_unused_nics
minion_type=$(get_minion_type)
if [ "$install_type" = 'EVAL' ]; then if [ "$install_type" = 'EVAL' ]; then
is_node=true is_node=true
is_master=true is_master=true
@@ -127,6 +92,37 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true is_helix=true
fi fi
case "$setup_type" in
'iso')
whiptail_set_hostname
whiptail_management_nic
whiptail_dhcp_or_static
if [ "$address_type" != 'DHCP' ]; then
whiptail_management_interface_ip
whiptail_management_interface_mask
whiptail_management_interface_gateway
whiptail_management_interface_dns
whiptail_management_interface_dns_search
fi
# Init networking so rest of install works
set_hostname_iso
set_management_interface
collect_adminuser_inputs
add_admin_user
disable_onion_user
;;
'network')
whiptail_network_notice
whiptail_set_hostname
whiptail_management_nic
;;
esac
minion_type=$(get_minion_type)
# Set any constants needed # Set any constants needed
if [[ $is_helix ]]; then if [[ $is_helix ]]; then
RULESETUP=ETOPEN RULESETUP=ETOPEN
@@ -226,7 +222,7 @@ if [[ $is_node && ! $is_eval ]]; then
else else
NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE
NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE
LSPIPELINEWORKERS=$cpu_cores LSPIPELINEWORKERS=$num_cpu_cores
LSPIPELINEBATCH=125 LSPIPELINEBATCH=125
LSINPUTTHREADS=1 LSINPUTTHREADS=1
LSINPUTBATCHCOUNT=125 LSINPUTBATCHCOUNT=125
@@ -238,10 +234,13 @@ set_hostname
set_version set_version
clear_master clear_master
if [[ $is_master && ! $is_eval ]]; then if [[ $is_master ]]; then
generate_passwords generate_passwords
secrets_pillar secrets_pillar
add_socore_user_master add_socore_user_master
fi
if [[ $is_master && ! $is_eval ]]; then
add_soremote_user_master add_soremote_user_master
fi fi
@@ -255,14 +254,13 @@ fi
# Begin install # Begin install
{ {
progress_str_printer &
if [[ $is_sensor || $is_helix ]]; then if [[ $is_sensor || $is_helix ]]; then
set_progress_str 1 'Creating bond interface' set_progress_str 1 'Creating bond interface'
create_sensor_bond create_sensor_bond >> "$setup_log" 2>&1
set_progress_str 2 'Generating the sensor pillar' set_progress_str 2 'Generating the sensor pillar'
sensor_pillar sensor_pillar >> "$setup_log" 2>&1
fi fi
set_progress_str 2 'Installing Salt and dependencies' set_progress_str 2 'Installing Salt and dependencies'

14
setup/so-variables
View File

@@ -3,16 +3,10 @@
total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//') total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//')
export total_mem export total_mem
hostname=$(cat /etc/hostname) num_cpu_cores=$(grep -c "processor" /proc/cpuinfo | grep -v "KVM")
export hostname export num_cpu_cores
all_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') readarray -t cpu_core_list <<< "$(grep "processor" /proc/cpuinfo | grep -v "KVM" | awk '{print $3 ""}')"
export all_nics
cpu_cores=$(grep -c "processor" /proc/cpuinfo | grep -v "KVM")
export cpu_cores
cpu_core_list=$(grep "processor" /proc/cpuinfo | grep -v "KVM" | awk '{print $3 " \"" "core" "\""}')
export cpu_core_list export cpu_core_list
random_uid=$(</dev/urandom tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) random_uid=$(</dev/urandom tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
@@ -37,3 +31,5 @@ export temp_install_dir=/root/installtmp
export percentage=0 export percentage=0
export percentage_str='Getting started' export percentage_str='Getting started'
export DEBIAN_FRONTEND=noninteractive