From 7b29c6427b5f5efc1ef53052c65e588d992b4a90 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 7 May 2021 10:55:17 -0400
Subject: [PATCH 01/38] Add preliminary error handling in soup

---
 salt/common/tools/sbin/so-common | 15 ++++
 salt/common/tools/sbin/so-image-common | 13 ++-
 salt/common/tools/sbin/soup | 107 +++++++++++++++++++++----
 3 files changed, 117 insertions(+), 18 deletions(-)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 22c7543ea..f78919226 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -324,6 +324,21 @@ retry() {
 return 1
 }
 
+run_check_net_err() {
+ local cmd=$1
+ local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable
+
+ local exit_code
+ retry 50 10 "$cmd"
+ exit_code=$?
+
+ if [[ $exit_code -ne 0 ]]; then
+ echo "Command failed with error $exit_code"
+ echo "$err_msg"
+ exit $exit_code
+ fi
+}
+
 set_os() {
 if [ -f /etc/redhat-release ]; then
 OS=centos
diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common
index be5a327f0..c855abd15 100755
--- a/salt/common/tools/sbin/so-image-common
+++ b/salt/common/tools/sbin/so-image-common
@@ -18,6 +18,7 @@
 # NOTE: This script depends on so-common
 
 IMAGEREPO=security-onion-solutions
+# shellcheck disable=SC2120
 container_list() {
 MANAGERCHECK=$1
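Review bot: `run_check_net_err` writes both diagnostic lines to stdout with plain `echo`, and the callers added to so-image-common in this same patch invoke it with `>> "$LOG_FILE" 2>&1`, so the "please ensure connectivity to …" text only ever lands in the log file and the operator sees the script stop with no explanation. Writing the report to stderr (`echo "$err_msg" >&2`) and letting callers redirect only stdout into the log would surface it; the typo in the default message (`occured` → `occurred`) can go in the same pass. Since this is a sourced library, the `exit` terminates whichever script sourced so-common, which is evidently intended but deserves a header comment such as `# Retries $cmd and exits the calling script with its status if it never succeeds; callers cannot recover.`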
@@ -128,7 +129,9 @@ update_docker_containers() {
 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1
 # Let's make sure we have the public key
- retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1
+ run_check_net_err \
+ "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \
+ "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" >> "$LOG_FILE" 2>&1
 result=$?
 if [[ $result -eq 0 ]]; then
 cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1
@@ -148,10 +151,14 @@ update_docker_containers() {
 # Pull down the trusted docker image
 local image=$i:$VERSION$IMAGE_TAG_SUFFIX
- retry 50 10 "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" >> "$LOG_FILE" 2>&1
+ run_check_net_err \
+ "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \
+ "Could not pull pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1
 # Get signature
- retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1
+ run_check_net_err \
+ "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \
+ "Could not pull signature file, please ensure connectivity to https://sigs.securityonion.net " >> "$LOG_FILE" 2>&1
 if [[ $? -ne 0 ]]; then
 echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1
 exit 1
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 8e7f70517..f43a31740 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
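Review bot: `result=$?` and the `if [[ $result -eq 0 ]]` that follows it are now dead code: `run_check_net_err` calls `exit` when the retries are exhausted, so `result` is always 0 and the `else` branch of that check (outside this hunk) can never run. That matters here because the file being fetched is the GPG trust anchor for the image signature check, and whatever handling the `else` branch did for a missing key is now silently bypassed in favour of a hard exit; either drop the dead check or have `run_check_net_err` `return` the status so this caller keeps control. The error message also misspells the host: `https://raw.gihubusercontent.com` should read `https://raw.githubusercontent.com`.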
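Review bot: The `if [[ $? -ne 0 ]]` after the signature fetch is unreachable for the same reason: `run_check_net_err` exits before returning, so the "Unable to pull signature file for $image" line and its `exit 1` never execute, and the only message the operator gets is the generic one without the image name. Folding the image into the message keeps that context, e.g. `"Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net"`, and the dead `if` can go. Minor: `Could not pull pull $image` has a doubled word. The enclosing loop and `update_docker_containers` continue outside the hunk.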
@@ -20,11 +20,83 @@ UPDATE_DIR=/tmp/sogh/securityonion
 INSTALLEDVERSION=$(cat /etc/soversion)
 POSTVERSION=$INSTALLEDVERSION
-INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk {'print $2'})
+INSTALLEDSALTVERSION=$(salt --versions-report | grep Salt: | awk '{print $2}')
 BATCHSIZE=5
 SOUP_LOG=/root/soup.log
 WHATWOULDYOUSAYYAHDOHERE=soup
 
+set -e
+
+trap 'check_err $? $BASH_LINENO $BASH_COMMAND' EXIT
+
+check_err() {
+ local exit_code=$1
+ local lineno=$2
+ local cmd=$3
+ local err_msg="Unknown error occured, please check $SOUP_LOG for details."
+
+ if [[ $exit_code -ne 0 ]]; then
+ printf '%s' "Soup failed on line $lineno with error $exit_code: "
+ case $exit_code in
+ 2)
+ echo 'No such file or directory'
+ ;;
+ 5)
+ echo 'Interrupted system call'
+ ;;
+ 12)
+ echo 'Out of memory'
+ ;;
+ 28)
+ echo 'No space left on device'
+ echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html'
+ ;;
+ 30)
+ echo 'Read-only file system'
+ ;;
+ 35)
+ echo 'Resource temporarily unavailable'
+ ;;
+ 64)
+ echo 'Machine is not on the network'
+ ;;
+ 67)
+ echo 'Link has been severed'
+ ;;
+ 100)
+ echo 'Netowrk is down'
+ ;;
+ 101)
+ echo 'Network is unreachable'
+ ;;
+ 102)
+ echo 'Network reset'
+ ;;
+ 110)
+ echo 'Connection timed out'
+ ;;
+ 111)
+ echo 'Connection refused'
+ ;;
+ 112)
+ echo 'Host is down'
+ ;;
+ 113)
+ echo 'No route to host'
+ ;;
+ *)
+ echo ''
+ echo "$err_msg"
+ ;;
+ esac
+ if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then
+ echo "$err_msg"
+ fi
+ exit $exit_code
+ fi
+
+}
+
 add_common() {
 cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
 cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/
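Review bot: The `case $exit_code` table interprets a command's exit status as an errno value, but the commands soup runs do not return errno: curl exits 28 on an operation timeout, which this trap would report as "No space left on device" and send the operator to the hardware-requirements page, and git, docker, salt and yum each have their own status conventions. Since the trap cannot tell which command failed, a safer report is the line, the raw status and the generic message — `echo "Soup failed on line $lineno with exit status $exit_code. $err_msg"` — with the errno-style table dropped, or keyed on the failing command (`$BASH_COMMAND` is already passed in as `$cmd` but never used). Also `Netowrk is down` is misspelled, and `set -e` is enabled here at file scope while `main` is run through a `| tee` pipeline further down, so this trap does not run in the shell where the failing command executed.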
@@ -87,9 +159,9 @@ airgap_update_dockers() { docker stop so-dockerregistry docker rm so-dockerregistry echo "Copying the new dockers over" - tar xvf $AGDOCKER/registry.tar -C /nsm/docker-registry/docker + tar xvf "$AGDOCKER/registry.tar" -C /nsm/docker-registry/docker echo "Add Registry back" - docker load -i $AGDOCKER/registry_image.tar + docker load -i "$AGDOCKER/registry_image.tar" fi fi } @@ -101,9 +173,9 @@ update_registry() { } check_sudoers() { - if grep -q "so-setup" /etc/sudoers; then - echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"." - fi + if grep -q "so-setup" /etc/sudoers; then + echo "There is an entry for so-setup in the sudoers file, this can be safely deleted using \"visudo\"." + fi } check_log_size_limit() { @@ -177,7 +249,7 @@ check_os_updates() { echo "Continuing without updating packages" elif [[ "$confirm" == [uU] ]]; then echo "Applying Grid Updates" - salt \* -b 5 state.apply patch.os queue=True + run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.' else echo "Exiting soup" exit 0 @@ -205,7 +277,7 @@ clone_to_tmp() { if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi - git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git + run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com" cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." 
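Review bot: Wrapping `salt '*' -b 5 state.apply patch.os queue=True` in `run_check_net_err` retries it up to 50 times with a 10 s pause, but salt also returns non-zero when any single minion's state fails, so a one-host patching failure re-runs OS patching across the whole grid for roughly eight minutes before soup gives up. A per-minion failure is not transient; this call is better left unretried with an explicit guard, `salt '*' -b 5 state.apply patch.os queue=True || { echo 'OS update failed on at least one minion, see above.'; exit 1; }`, or `run_check_net_err` needs an attempt-count parameter so callers can choose. The quoted `'*'` inside the command string only survives if `retry` evaluates `$cmd` with `eval`; the single-quoted `-A` argument elsewhere in this series suggests it does, but that is outside the hunk and worth confirming.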
@@ -586,13 +658,14 @@ upgrade_check() { } upgrade_check_salt() { - NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk {'print $2'}) + NEWSALTVERSION=$(grep version: $UPDATE_DIR/salt/salt/master.defaults.yaml | awk '{print $2}') if [ "$INSTALLEDSALTVERSION" == "$NEWSALTVERSION" ]; then echo "You are already running the correct version of Salt for Security Onion." else UPGRADESALT=1 fi } + upgrade_salt() { SALTUPGRADED=True echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." @@ -604,7 +677,9 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable "$NEWSALTVERSION" + run_check_net_err \ + "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ + "Could not update soup, please check $SOUP_LOG for details." echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" @@ -617,7 +692,9 @@ upgrade_salt() { apt-mark unhold "salt-minion" echo "Updating Salt packages and restarting services." echo "" - sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable "$NEWSALTVERSION" + run_check_net_err \ + "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ + "Could not update soup, please check $SOUP_LOG for details." echo "Applying apt hold for Salt." echo "" apt-mark hold "salt-common" @@ -650,7 +727,7 @@ verify_latest_update_script() { } main () { -echo "### Preparing soup at `date` ###" +echo "### Preparing soup at $(date) ###" while getopts ":b" opt; do case "$opt" in b ) # process option b 
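Review bot: In the yum branch of `upgrade_salt`, `yum versionlock delete "salt-*"` runs before the bootstrap call and `run_check_net_err` exits the script if the bootstrap keeps failing, so the `yum versionlock add "salt-*"` below it is never reached and the host is left with Salt unpinned; a later `yum update` can then move Salt off the tested version without anyone noticing. Restoring the pin on the failure path — for example `sh … bootstrap-salt.sh … || { yum versionlock add "salt-*"; exit 1; }` — keeps a failed upgrade in a safe state, and the apt branch in the next hunk has the same unhold/hold gap. Retrying `bootstrap-salt.sh` 50 times is also doubtful, since a partially installed package set is not obviously something the script recovers from on re-run; `upgrade_salt` continues outside the hunk.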
@@ -756,7 +833,7 @@ else echo "Checking if Salt was upgraded." echo "" # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk {'print $2'}) + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." echo "Once the issue is resolved, run soup again." @@ -874,7 +951,7 @@ EOF fi fi -echo "### soup has been served at `date` ###" +echo "### soup has been served at $(date) ###" } cat << EOF @@ -889,6 +966,6 @@ Press Enter to continue or Ctrl-C to cancel. EOF -read input +read -r input main "$@" | tee -a $SOUP_LOG From f8dd6890b27f6109d8f31a7dbbf3db709d312ea9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 7 May 2021 16:50:59 -0400 Subject: [PATCH 02/38] Unset/set exit on command fail for retries --- salt/common/tools/sbin/soup | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index f43a31740..b02a63fc6 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -249,7 +249,9 @@ check_os_updates() { echo "Continuing without updating packages" elif [[ "$confirm" == [uU] ]]; then echo "Applying Grid Updates" + set +e run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.' + set -e else echo "Exiting soup" exit 0 @@ -277,7 +279,9 @@ clone_to_tmp() { if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi + set +e run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com" + set -e cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." 
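Review bot: With `main "$@" | tee -a $SOUP_LOG`, `main` runs in a pipeline subshell: the script's exit status is tee's, and bash resets traps in subshells, so the `set -e`/EXIT trap installed at file scope in this patch neither prints `check_err`'s report for a failure inside `main` nor makes soup exit non-zero — an unattended or scripted run cannot tell a failed upgrade from a successful one. Adding `set -o pipefail` beside `set -e`, or finishing with `main "$@" | tee -a "$SOUP_LOG"; exit "${PIPESTATUS[0]}"`, propagates main's status; moving the trap into `main` (as a later patch in this series does) addresses the report but not the exit status. `read -r input` is correct; `input` itself is unused and could be `_`.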
@@ -677,9 +681,11 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" + set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." + set -e echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" @@ -692,9 +698,11 @@ upgrade_salt() { apt-mark unhold "salt-minion" echo "Updating Salt packages and restarting services." echo "" + set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." + set -e echo "Applying apt hold for Salt." echo "" apt-mark hold "salt-common" @@ -808,7 +816,9 @@ else check_os_updates else update_registry + set +e update_docker_containers "soup" + set -e fi echo "" From 8b3730748b7a26d58489a9b803337b54e3f5827c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 10 May 2021 10:58:29 -0400 Subject: [PATCH 03/38] Add debug line and remove exit command on retry failure --- salt/common/tools/sbin/soup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 398aed29c..fdc983d30 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -662,6 +662,7 @@ upgrade_check() { is_hotfix=true fi else + echo "DEBUG: here" is_hotfix=false fi @@ -889,7 +890,7 @@ else systemctl start salt-master # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" || exit 1 + retry 50 10 "salt-call state.show_top -l error" echo "" echo "Ensuring python modules for Salt are installed and patched." 
@@ -923,7 +924,7 @@ else systemctl start salt-master # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" || exit 1 + retry 50 10 "salt-call state.show_top -l error" echo "Running a highstate. This could take several minutes." salt-call state.highstate -l info queue=True From a75d4841d0a29eb06ec492fbf0518f3c6bb86b45 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 10 May 2021 11:05:24 -0400 Subject: [PATCH 04/38] Add debug lines --- salt/common/tools/sbin/soup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index fdc983d30..d1d3f5e6e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -734,7 +734,7 @@ verify_latest_update_script() { cp $UPDATE_DIR/salt/common/tools/sbin/soup $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ cp $UPDATE_DIR/salt/common/tools/sbin/so-image-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ - salt-call state.apply common queue=True + salt-call state.apply -l info common queue=True echo "" echo "soup has been updated. Please run soup again." exit 0 @@ -796,7 +796,9 @@ add_common fi echo "Let's see if we need to update Security Onion." +echo "DEBUG: before upgrade_check" upgrade_check +echo "DEBUG: after upgrade_check" upgrade_space echo "Checking for Salt Master and Minion updates." From d3b08beb534a2b3cd336d7d2dcdb9dc8ab8dc7b0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 10 May 2021 11:11:54 -0400 Subject: [PATCH 05/38] Only cat file if it exists --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d1d3f5e6e..6c4af361b 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
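Review bot: `echo "DEBUG: before upgrade_check"` and `echo "DEBUG: after upgrade_check"` are development tracing that will reach the operator's terminal and `$SOUP_LOG` on every run; if the trace is wanted, gate it — `[[ -n "$SOUP_DEBUG" ]] && echo "DEBUG: before upgrade_check"` — otherwise drop both lines before merge. Note that `[[ … ]] && echo` as a statement returns 1 when the flag is unset, which is fine here under `set -e` only because it is not the last command of a function. The `-l info` added to `salt-call state.apply common queue=True` is reasonable; the surrounding main body lies outside the hunk.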
@@ -651,7 +651,7 @@ upgrade_check() { # Let's make sure we actually need to update. NEWVERSION=$(cat $UPDATE_DIR/VERSION) HOTFIXVERSION=$(cat $UPDATE_DIR/HOTFIX) - CURRENTHOTFIX=$(cat /etc/sohotfix 2>/dev/null) + [[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix) if [ "$INSTALLEDVERSION" == "$NEWVERSION" ]; then echo "Checking to see if there are hotfixes needed" if [ "$HOTFIXVERSION" == "$CURRENTHOTFIX" ]; then From fec868432f3d240a216b42647cc633a6cd9c168c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 10 May 2021 11:59:22 -0400 Subject: [PATCH 06/38] Try to fix bash trap --- salt/common/tools/sbin/soup | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 6c4af361b..364a769c0 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -28,13 +28,12 @@ WHATWOULDYOUSAYYAHDOHERE=soup set -e -trap 'check_err $? $BASH_LINENO $BASH_COMMAND' EXIT +trap 'check_err $? $BASH_LINENO' EXIT check_err() { local exit_code=$1 local lineno=$2 - local cmd=$3 - local err_msg="Unknown error occured, please check $SOUP_LOG for details." + local err_msg="Unhandled error occured, please check $SOUP_LOG for details." if [[ $exit_code -ne 0 ]]; then printf '%s' "Soup failed on line $lineno with error $exit_code: " @@ -86,7 +85,7 @@ check_err() { echo 'No route to host' ;; *) - echo '' + echo 'Unhandled error' echo "$err_msg" ;; esac From f793450d972cb69743fe7cac96644e934ac275b6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 10 May 2021 13:22:13 -0400 Subject: [PATCH 07/38] Return actual exit code from retry --- salt/common/tools/sbin/so-common | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index f78919226..2b2bbf944 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
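Review bot: `[[ -f /etc/sohotfix ]] && CURRENTHOTFIX=$(cat /etc/sohotfix)` is safe under `set -e` only because it is not the last command in `upgrade_check`; as a function's final statement the same line would return 1 and abort the caller. An `if` block removes that dependency on position and also keeps `CURRENTHOTFIX` defined when the file is absent, as the old `2>/dev/null` form did: `if [[ -f /etc/sohotfix ]]; then CURRENTHOTFIX=$(cat /etc/sohotfix); else CURRENTHOTFIX=""; fi`. `upgrade_check` continues outside the hunk.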
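Review bot: `$BASH_LINENO` without a subscript expands to `${BASH_LINENO[0]}`, the line from which the current function was called; when the EXIT trap fires outside any function that is typically 0, so operators will most likely read "Soup failed on line 0". `$LINENO` in the trap string — `trap 'check_err $? $LINENO' EXIT` — or an `ERR` trap, the usual way to report the offending command under `set -e`, is what the message wants; worth confirming in a test run, since bash versions differ on what `LINENO` holds inside an EXIT trap. The `echo 'Unhandled error'` in the default arm is followed by `err_msg`, which already begins "Unhandled error occured", so the default case now says it twice (and `occured` is misspelled).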
@@ -302,6 +302,7 @@ retry() {
 cmd=$3
 expectedOutput=$4
 attempt=0
+ local exitcode=0
 while [[ $attempt -lt $maxAttempts ]]; do
 attempt=$((attempt+1))
 echo "Executing command with retry support: $cmd"
@@ -321,7 +322,7 @@ retry() {
 sleep $sleepDelay
 done
 echo "Command continues to fail; giving up."
- return 1
+ return $exitcode
 }
 
 run_check_net_err() {
From c379822bf0df0fb52083392498feebc8e22ddc1e Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Tue, 11 May 2021 12:59:49 -0400
Subject: [PATCH 08/38] Set variable to skip trap if error already handled

---
 salt/common/tools/sbin/so-common | 1 +
 salt/common/tools/sbin/soup | 1 +
 2 files changed, 2 insertions(+)

diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 2b2bbf944..2b22ebbeb 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -334,6 +334,7 @@ run_check_net_err() {
 exit_code=$?
 
 if [[ $exit_code -ne 0 ]]; then
+ ERR_HANDLED=true
 echo "Command failed with error $exit_code"
 echo "$err_msg"
 exit $exit_code
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 364a769c0..c8601fe1a 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -35,6 +35,7 @@ check_err() {
 local lineno=$2
 local err_msg="Unhandled error occured, please check $SOUP_LOG for details."
 
+ [[ $ERR_HANDLED == true ]] && exit $exit_code
 if [[ $exit_code -ne 0 ]]; then
 printf '%s' "Soup failed on line $lineno with error $exit_code: "
 case $exit_code in
From 7bd04deae78f0199afb706afefb8ca4b20588b5e Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 12 May 2021 10:45:03 -0400
Subject: [PATCH 09/38] Unset exit on failure for pkill command

---
 salt/common/tools/sbin/soup | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index c8601fe1a..7c97a540a 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
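Review bot: `local exitcode=0` is declared and then returned on the give-up path, but nothing in the two hunks assigns it after the command runs; unless the loop body outside the hunk already sets `exitcode=$?`, `retry` now returns 0 after "Command continues to fail; giving up." and `run_check_net_err` treats a permanently failing key download, clone or image pull as success. The assignment belongs immediately after the command is executed in the loop (`exitcode=$?` on the line after it runs), and the give-up return should never be able to be 0: `[[ $exitcode -ne 0 ]] || exitcode=1` before `return $exitcode`. The `retry` signature (`maxAttempts`, `sleepDelay`, `cmd`, `expectedOutput`) starts above the first hunk, so the loop body is not visible here.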
@@ -834,7 +834,9 @@ else
 echo "Stopping Salt Minion service."
 systemctl stop salt-minion
 echo "Killing any remaining Salt Minion processes."
+ set +e
 pkill -9 -ef /usr/bin/salt-minion
+ set -e
 echo ""
 echo "Stopping Salt Master service."
 systemctl stop salt-master
From 807b525c797bd280036bf06d0a63a17693894f44 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 12 May 2021 11:19:33 -0400
Subject: [PATCH 10/38] Temp remove exit on failure + bash trap

---
 salt/common/tools/sbin/soup | 83 ------------------------------------
 1 file changed, 83 deletions(-)

diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup
index 7c97a540a..53dd7f176 100755
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
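Review bot: `pkill` exits 1 when nothing matched, which is the expected outcome right after `systemctl stop salt-minion`, so the non-zero status is a success case rather than an error to suppress with a global option toggle. `pkill -9 -ef /usr/bin/salt-minion || true` states that intent on the line itself and avoids leaving errexit disabled if another command is later inserted between the two `set` calls. A comment such as `# pkill returns 1 when no minion process is left; that is the normal case here` would make the `|| true` self-explanatory; the enclosing else-branch starts and ends outside the hunk.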
@@ -26,77 +26,6 @@ SOUP_LOG=/root/soup.log INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log WHATWOULDYOUSAYYAHDOHERE=soup -set -e - -trap 'check_err $? $BASH_LINENO' EXIT - -check_err() { - local exit_code=$1 - local lineno=$2 - local err_msg="Unhandled error occured, please check $SOUP_LOG for details." - - [[ $ERR_HANDLED == true ]] && exit $exit_code - if [[ $exit_code -ne 0 ]]; then - printf '%s' "Soup failed on line $lineno with error $exit_code: " - case $exit_code in - 2) - echo 'No such file or directory' - ;; - 5) - echo 'Interrupted system call' - ;; - 12) - echo 'Out of memory' - ;; - 28) - echo 'No space left on device' - echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html' - ;; - 30) - echo 'Read-only file system' - ;; - 35) - echo 'Resource temporarily unavailable' - ;; - 64) - echo 'Machine is not on the network' - ;; - 67) - echo 'Link has been severed' - ;; - 100) - echo 'Netowrk is down' - ;; - 101) - echo 'Network is unreachable' - ;; - 102) - echo 'Network reset' - ;; - 110) - echo 'Connection timed out' - ;; - 111) - echo 'Connection refused' - ;; - 112) - echo 'Host is down' - ;; - 113) - echo 'No route to host' - ;; - *) - echo 'Unhandled error' - echo "$err_msg" - ;; - esac - if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then - echo "$err_msg" - fi - exit $exit_code - fi - -} add_common() { cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ @@ -250,9 +179,7 @@ check_os_updates() { echo "Continuing without updating packages" elif [[ "$confirm" == [uU] ]]; then echo "Applying Grid Updates" - set +e run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.' - set -e else echo "Exiting soup" exit 0 
@@ -280,9 +207,7 @@ clone_to_tmp() { if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi - set +e run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com" - set -e cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." @@ -688,11 +613,9 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" - set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." - set -e echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" @@ -705,11 +628,9 @@ upgrade_salt() { apt-mark unhold "salt-minion" echo "Updating Salt packages and restarting services." echo "" - set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." - set -e echo "Applying apt hold for Salt." echo "" apt-mark hold "salt-common" @@ -825,18 +746,14 @@ else check_os_updates else update_registry - set +e update_docker_containers "soup" - set -e fi echo "" echo "Stopping Salt Minion service." systemctl stop salt-minion echo "Killing any remaining Salt Minion processes." - set +e pkill -9 -ef /usr/bin/salt-minion - set -e echo "" echo "Stopping Salt Master service." systemctl stop salt-master From 9ced391c11f255a7fe22b4e740b436398de0983d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 12 May 2021 13:20:59 -0400 Subject: [PATCH 11/38] Fix indent in main(), re-add trap, remove ERR_HANDLED variable --- salt/common/tools/sbin/so-common | 1 - salt/common/tools/sbin/soup | 534 ++++++++++++++++++------------- 2 files changed, 309 insertions(+), 226 deletions(-) 
diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 2b22ebbeb..2b2bbf944 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -334,7 +334,6 @@ run_check_net_err() { exit_code=$? if [[ $exit_code -ne 0 ]]; then - ERR_HANDLED=true echo "Command failed with error $exit_code" echo "$err_msg" exit $exit_code diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 53dd7f176..814f9fd1b 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -26,6 +26,72 @@ SOUP_LOG=/root/soup.log INFLUXDB_MIGRATION_LOG=/opt/so/log/influxdb/soup_migration.log WHATWOULDYOUSAYYAHDOHERE=soup +check_err() { + local exit_code=$1 + local lineno=$2 + local err_msg="Unhandled error occured, please check $SOUP_LOG for details." + + if [[ $exit_code -ne 0 ]]; then + printf '%s' "Soup failed on line $lineno with error $exit_code: " + case $exit_code in + 2) + echo 'No such file or directory' + ;; + 5) + echo 'Interrupted system call' + ;; + 12) + echo 'Out of memory' + ;; + 28) + echo 'No space left on device' + echo 'Likely ran out of space on disk, please review hardware requirements for Security Onion: https://docs.securityonion.net/en/2.3/hardware.html' + ;; + 30) + echo 'Read-only file system' + ;; + 35) + echo 'Resource temporarily unavailable' + ;; + 64) + echo 'Machine is not on the network' + ;; + 67) + echo 'Link has been severed' + ;; + 100) + echo 'Netowrk is down' + ;; + 101) + echo 'Network is unreachable' + ;; + 102) + echo 'Network reset' + ;; + 110) + echo 'Connection timed out' + ;; + 111) + echo 'Connection refused' + ;; + 112) + echo 'Host is down' + ;; + 113) + echo 'No route to host' + ;; + *) + echo 'Unhandled error' + echo "$err_msg" + ;; + esac + if [[ $exit_code -ge 64 && $exit_code -le 113 ]]; then + echo "$err_msg" + fi + exit $exit_code + fi + +} add_common() { cp $UPDATE_DIR/salt/common/tools/sbin/so-common $DEFAULT_SALT_DIR/salt/common/tools/sbin/ 
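Review bot: With `ERR_HANDLED` removed from `run_check_net_err` in the so-common hunk, every failure that `run_check_net_err` has already reported is reported a second time by `check_err`, and that second report runs the status through the errno-style table — a curl timeout (status 28) is followed by "No space left on device" and a pointer to the hardware-requirements page. Keeping the trap's output generic, `echo "Soup failed on line $lineno with exit status $exit_code. $err_msg"`, and leaving the command-specific explanation to the call sites that know what ran avoids the contradictory messages; `Netowrk is down` and `occured` are also misspelled. `check_err` is defined here, but the `set -e` and `trap` that use it are installed inside `main`, outside this hunk.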
@@ -48,8 +114,8 @@ airgap_mounted() { echo "Example: /home/user/securityonion-2.X.0.iso" echo "Example: /dev/sdx1" echo "" - read -p 'Enter the location of the iso: ' ISOLOC - if [ -f $ISOLOC ]; then + read -rp 'Enter the location of the iso: ' ISOLOC + if [[ -f $ISOLOC ]]; then # Mounting the ISO image mkdir -p /tmp/soagupdate mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate @@ -61,7 +127,7 @@ airgap_mounted() { else echo "ISO has been mounted!" fi - elif [ -f $ISOLOC/SecurityOnion/VERSION ]; then + elif [[ -f $ISOLOC/SecurityOnion/VERSION ]]; then ln -s $ISOLOC /tmp/soagupdate echo "Found the update content" else @@ -79,9 +145,9 @@ airgap_mounted() { } airgap_update_dockers() { - if [ $is_airgap -eq 0 ]; then + if [[ $is_airgap -eq 0 ]]; then # Let's copy the tarball - if [ ! -f $AGDOCKER/registry.tar ]; then + if [[ ! -f $AGDOCKER/registry.tar ]]; then echo "Unable to locate registry. Exiting" exit 1 else @@ -179,7 +245,9 @@ check_os_updates() { echo "Continuing without updating packages" elif [[ "$confirm" == [uU] ]]; then echo "Applying Grid Updates" + set +e run_check_net_err "salt '*' -b 5 state.apply patch.os queue=True" 'Could not apply OS updates, please check your network connection.' + set -e else echo "Exiting soup" exit 0 @@ -207,7 +275,9 @@ clone_to_tmp() { if [ -n "$BRANCH" ]; then SOUP_BRANCH="-b $BRANCH" fi + set +e run_check_net_err "git clone $SOUP_BRANCH https://github.com/Security-Onion-Solutions/securityonion.git" "Could not clone repo, please ensure network access to https://github.com" + set -e cd /tmp if [ ! -f $UPDATE_DIR/VERSION ]; then echo "Update was unable to pull from github. Please check your internet." 
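Review bot: `ISOLOC` is operator input read by the `read -rp` line just above, yet it is still passed unquoted to `mount -t iso9660 -o loop $ISOLOC /tmp/soagupdate` here and to `ln -s $ISOLOC /tmp/soagupdate` in the next hunk, even though this commit quotes the `-f` tests around it; a path containing a space or a glob character is word-split before mount or ln sees it. Quoting both uses — `mount -t iso9660 -o loop "$ISOLOC" /tmp/soagupdate` and `ln -s "$ISOLOC" /tmp/soagupdate` — matches the tar and docker paths quoted earlier in the series. `airgap_mounted` continues outside the hunk.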
@@ -253,7 +323,11 @@ preupgrade_changes_2.3.50_repo() { # We made repo changes in 2.3.50 and this prepares for that on upgrade echo "Checking to see if 2.3.50 repo changes are needed." - [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo + if [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]]; then + up_2.3.3X_to_2.3.50_repo + else + echo "No changes needed." + fi } preupgrade_changes() { @@ -433,7 +507,7 @@ up_2.3.2X_to_2.3.30() { sed -i "/ imagerepo: securityonion/c\ imagerepo: 'security-onion-solutions'" /opt/so/saltstack/local/pillar/global.sls # Strelka rule repo pillar addition - if [ $is_airgap -eq 0 ]; then + if [[ $is_airgap -eq 0 ]]; then # Add manager as default Strelka YARA rule repo sed -i "/^strelka:/a \\ repos: \n - https://$HOSTNAME/repo/rules/strelka" /opt/so/saltstack/local/pillar/global.sls; else @@ -460,7 +534,7 @@ up_2.3.3X_to_2.3.50_repo() { rm -f "/etc/yum.repos.d/$DELREPO.repo" fi done - if [ $is_airgap -eq 1 ]; then + if [[ $is_airgap -eq 1 ]]; then # Copy the new repo file if not airgap cp $UPDATE_DIR/salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ yum clean all @@ -613,9 +687,11 @@ upgrade_salt() { yum versionlock delete "salt-*" echo "Updating Salt packages and restarting services." echo "" + set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." + set -e echo "Applying yum versionlock for Salt." echo "" yum versionlock add "salt-*" 
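Review bot: `[[ $is_airgap -eq 0 ]]` means "this is an airgap install" (the branch copies the registry tarball) while `[[ $is_airgap -eq 1 ]]` means "not airgap", as the comment `# Copy the new repo file if not airgap` confirms, which inverts normal shell truthiness and is easy to misread when skimming these `if` lines. A helper defined next to wherever `is_airgap` is set (outside this hunk), `is_airgap_install() { [[ $is_airgap -eq 0 ]]; }`, used as `if is_airgap_install; then`, would make each branch self-explanatory without changing behaviour. The `if … else echo "No changes needed." fi` rewrite in the first hunk is the right shape for a function's last statement under `set -e`.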
@@ -628,9 +704,11 @@ upgrade_salt() { apt-mark unhold "salt-minion" echo "Updating Salt packages and restarting services." echo "" + set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update soup, please check $SOUP_LOG for details." + set -e echo "Applying apt hold for Salt." echo "" apt-mark hold "salt-common" 
@@ -662,229 +740,235 @@ verify_latest_update_script() { fi } -main () { -echo "### Preparing soup at $(date) ###" -while getopts ":b" opt; do - case "$opt" in - b ) # process option b - shift - BATCHSIZE=$1 - if ! [[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then - echo "Batch size must be a number greater than 0." - exit 1 - fi - ;; - \? ) - echo "Usage: cmd [-b]" - ;; - esac -done - -echo "Checking to see if this is a manager." -echo "" -require_manager -set_minionid -echo "Checking to see if this is an airgap install" -echo "" -check_airgap -echo "Found that Security Onion $INSTALLEDVERSION is currently installed." -echo "" -set_os -set_palette -check_elastic_license -echo "" -if [ $is_airgap -eq 0 ]; then - # Let's mount the ISO since this is airgap - airgap_mounted -else - echo "Cloning Security Onion github repo into $UPDATE_DIR." - echo "Removing previous upgrade sources." - rm -rf $UPDATE_DIR - clone_to_tmp -fi -check_os_updates -echo "" -echo "Verifying we have the latest soup script." -verify_latest_update_script -echo "" - -echo "Generating new repo archive" -generate_and_clean_tarballs -if [ -f /usr/sbin/so-image-common ]; then - . /usr/sbin/so-image-common -else -add_common -fi - -echo "Let's see if we need to update Security Onion." -echo "DEBUG: before upgrade_check" -upgrade_check -echo "DEBUG: after upgrade_check" -upgrade_space - -echo "Checking for Salt Master and Minion updates." -upgrade_check_salt - - -if [ "$is_hotfix" == "true" ]; then - echo "Applying $HOTFIXVERSION" - copy_new_files - echo "" - update_version - salt-call state.highstate -l info queue=True +main() { + set -e + trap 'check_err $? $BASH_LINENO' EXIT -else - echo "" - echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." - echo "" - - echo "Updating dockers to $NEWVERSION." 
- if [ $is_airgap -eq 0 ]; then - airgap_update_dockers - update_centos_repo - yum clean all - check_os_updates - else - update_registry - update_docker_containers "soup" - fi - - echo "" - echo "Stopping Salt Minion service." - systemctl stop salt-minion - echo "Killing any remaining Salt Minion processes." - pkill -9 -ef /usr/bin/salt-minion - echo "" - echo "Stopping Salt Master service." - systemctl stop salt-master - echo "" - - preupgrade_changes_2.3.50_repo - - # Does salt need upgraded. If so update it. - if [ "$UPGRADESALT" == "1" ]; then - echo "Upgrading Salt" - # Update the repo files so it can actually upgrade - upgrade_salt - fi - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 1 - else - echo "Salt upgrade success." - echo "" - fi - - preupgrade_changes - echo "" - - if [ $is_airgap -eq 0 ]; then - echo "Updating Rule Files to the Latest." - update_airgap_rules - fi - - # Only update the repo if its airgap - if [[ $is_airgap -eq 0 ]] && [[ "$UPGRADESALT" != "1" ]]; then - update_centos_repo - fi - - echo "" - echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR." - copy_new_files - echo "" - update_version - - echo "" - echo "Locking down Salt Master for upgrade" - masterlock - - echo "" - echo "Starting Salt Master service." - systemctl start salt-master - - # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" - - echo "" - echo "Ensuring python modules for Salt are installed and patched." 
- salt-call state.apply salt.python3-influxdb -l info queue=True - echo "" - - # Only regenerate osquery packages if Fleet is enabled - FLEET_MANAGER=$(lookup_pillar fleet_manager) - FLEET_NODE=$(lookup_pillar fleet_node) - if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then - echo "" - echo "Regenerating Osquery Packages.... This will take several minutes." - salt-call state.apply fleet.event_gen-packages -l info queue=True - echo "" - fi - - echo "" - echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." - salt-call state.highstate -l info queue=True - echo "" - echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." - - echo "" - echo "Stopping Salt Master to remove ACL" - systemctl stop salt-master - - masterunlock - - echo "" - echo "Starting Salt Master service." - systemctl start salt-master - - # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" - - echo "Running a highstate. This could take several minutes." - salt-call state.highstate -l info queue=True - postupgrade_changes - unmount_update - thehive_maint - - if [ "$UPGRADESALT" == "1" ]; then - if [ $is_airgap -eq 0 ]; then - echo "" - echo "Cleaning repos on remote Security Onion nodes." - salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all" - echo "" - fi - fi - - check_sudoers - - if [[ -n $lsl_msg ]]; then - case $lsl_msg in - 'distributed') - echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect." - echo " -> We recommend checking and adjusting the values as necessary." - echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + echo "### Preparing soup at $(date) ###" + while getopts ":b" opt; do + case "$opt" in + b ) # process option b + shift + BATCHSIZE=$1 + if ! 
[[ "$BATCHSIZE" =~ ^[0-9]+$ ]]; then + echo "Batch size must be a number greater than 0." + exit 1 + fi ;; - 'single-node') - # We can assume the lsl_details array has been set if lsl_msg has this value - echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}." - echo " -> We recommend checking and adjusting the value as necessary." - echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls" + \? ) + echo "Usage: cmd [-b]" ;; esac + done + + echo "Checking to see if this is a manager." + echo "" + require_manager + set_minionid + echo "Checking to see if this is an airgap install" + echo "" + check_airgap + echo "Found that Security Onion $INSTALLEDVERSION is currently installed." + echo "" + set_os + set_palette + check_elastic_license + echo "" + if [[ $is_airgap -eq 0 ]]; then + # Let's mount the ISO since this is airgap + airgap_mounted + else + echo "Cloning Security Onion github repo into $UPDATE_DIR." + echo "Removing previous upgrade sources." + rm -rf $UPDATE_DIR + clone_to_tmp + fi + check_os_updates + echo "" + echo "Verifying we have the latest soup script." + verify_latest_update_script + echo "" + + echo "Generating new repo archive" + generate_and_clean_tarballs + if [ -f /usr/sbin/so-image-common ]; then + . /usr/sbin/so-image-common + else + add_common fi - NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + echo "Let's see if we need to update Security Onion." + echo "DEBUG: before upgrade_check" + upgrade_check + echo "DEBUG: after upgrade_check" + upgrade_space - if [ $NUM_MINIONS -gt 1 ]; then + echo "Checking for Salt Master and Minion updates." 
+ upgrade_check_salt - cat << EOF + + if [ "$is_hotfix" == "true" ]; then + echo "Applying $HOTFIXVERSION" + copy_new_files + echo "" + update_version + salt-call state.highstate -l info queue=True + else + echo "" + echo "Performing upgrade from Security Onion $INSTALLEDVERSION to Security Onion $NEWVERSION." + echo "" + + echo "Updating dockers to $NEWVERSION." + if [[ $is_airgap -eq 0 ]]; then + airgap_update_dockers + update_centos_repo + yum clean all + check_os_updates + else + update_registry + set +e + update_docker_containers "soup" + set -e + fi + + echo "" + echo "Stopping Salt Minion service." + systemctl stop salt-minion + echo "Killing any remaining Salt Minion processes." + set +e + pkill -9 -ef /usr/bin/salt-minion + set -e + echo "" + echo "Stopping Salt Master service." + systemctl stop salt-master + echo "" + + preupgrade_changes_2.3.50_repo + + # Does salt need upgraded. If so update it. + if [[ $UPGRADESALT -eq 1 ]]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + upgrade_salt + fi + + echo "Checking if Salt was upgraded." + echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 1 + else + echo "Salt upgrade success." + echo "" + fi + + preupgrade_changes + echo "" + + if [[ $is_airgap -eq 0 ]]; then + echo "Updating Rule Files to the Latest." + update_airgap_rules + fi + + # Only update the repo if its airgap + if [[ $is_airgap -eq 0 ]] && [[ $UPGRADESALT -ne 1 ]]; then + update_centos_repo + fi + + echo "" + echo "Copying new Security Onion code from $UPDATE_DIR to $DEFAULT_SALT_DIR." 
+ copy_new_files + echo "" + update_version + + echo "" + echo "Locking down Salt Master for upgrade" + masterlock + + echo "" + echo "Starting Salt Master service." + systemctl start salt-master + + # Testing that that salt-master is up by checking that is it connected to itself + retry 50 10 "salt-call state.show_top -l error" + + echo "" + echo "Ensuring python modules for Salt are installed and patched." + salt-call state.apply salt.python3-influxdb -l info queue=True + echo "" + + # Only regenerate osquery packages if Fleet is enabled + FLEET_MANAGER=$(lookup_pillar fleet_manager) + FLEET_NODE=$(lookup_pillar fleet_node) + if [[ "$FLEET_MANAGER" == "True" || "$FLEET_NODE" == "True" ]]; then + echo "" + echo "Regenerating Osquery Packages.... This will take several minutes." + salt-call state.apply fleet.event_gen-packages -l info queue=True + echo "" + fi + + echo "" + echo "Running a highstate to complete the Security Onion upgrade on this manager. This could take several minutes." + salt-call state.highstate -l info queue=True + echo "" + echo "Upgrade from $INSTALLEDVERSION to $NEWVERSION complete." + + echo "" + echo "Stopping Salt Master to remove ACL" + systemctl stop salt-master + + masterunlock + + echo "" + echo "Starting Salt Master service." + systemctl start salt-master + + # Testing that that salt-master is up by checking that is it connected to itself + retry 50 10 "salt-call state.show_top -l error" + + echo "Running a highstate. This could take several minutes." + salt-call state.highstate -l info queue=True + postupgrade_changes + unmount_update + thehive_maint + + if [[ $UPGRADESALT -eq 1 ]]; then + if [[ $is_airgap -eq 0 ]]; then + echo "" + echo "Cleaning repos on remote Security Onion nodes." 
+ salt -C 'not *_eval and not *_helixsensor and not *_manager and not *_managersearch and not *_standalone and G@os:CentOS' cmd.run "yum clean all" + echo "" + fi + fi + + check_sudoers + + if [[ -n $lsl_msg ]]; then + case $lsl_msg in + 'distributed') + echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect." + echo " -> We recommend checking and adjusting the values as necessary." + echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + ;; + 'single-node') + # We can assume the lsl_details array has been set if lsl_msg has this value + echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}." + echo " -> We recommend checking and adjusting the value as necessary." + echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls" + ;; + esac + fi + + NUM_MINIONS=$(ls /opt/so/saltstack/local/pillar/minions/*_*.sls | wc -l) + + if [[ $NUM_MINIONS -gt 1 ]]; then + + cat << EOF @@ -898,10 +982,10 @@ For more information, please see https://docs.securityonion.net/en/2.3/soup.html EOF + fi fi -fi -echo "### soup has been served at $(date) ###" + echo "### soup has been served at $(date) ###" } cat << EOF From 192b5db25a5c3d2746da34f8cf8d79c8a388ba28 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 12 May 2021 15:26:39 -0400 Subject: [PATCH 12/38] Add true to end of functions ending with shorthand comparison Functions ending with test using [[ ]] && will trip set -e, so adding true to the last line of the function will prevent the function from returning a nonzero code --- salt/common/tools/sbin/soup | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 814f9fd1b..e5c09a487 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
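Review bot: `rm -rf $UPDATE_DIR` in the rewritten `main` is unquoted and unguarded; with `set -e` now active an unset `UPDATE_DIR` merely makes `rm` fail on a missing operand, but a value containing whitespace or a glob character splits into unintended paths, so `rm -rf -- "${UPDATE_DIR:?}"` is the usual form. Separately, the `set -e` and `trap 'check_err …' EXIT` added at the top of `main` apply inside the function, but the later hunk `@@ -999,3 +999,4 @@` on this page shows `main "$@" | tee -a $SOUP_LOG`, so without `set -o pipefail` at top level the script's exit status is tee's and a failed upgrade still returns 0 to whoever invoked soup. `NUM_MINIONS=$(ls … | wc -l)` also parses `ls` output; a glob into an array under `shopt -s nullglob` and `${#arr[@]}` gives an exact count.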
@@ -28,11 +28,10 @@ WHATWOULDYOUSAYYAHDOHERE=soup check_err() { local exit_code=$1 - local lineno=$2 local err_msg="Unhandled error occured, please check $SOUP_LOG for details." if [[ $exit_code -ne 0 ]]; then - printf '%s' "Soup failed on line $lineno with error $exit_code: " + printf '%s' "Soup failed with error $exit_code: " case $exit_code in 2) echo 'No such file or directory' @@ -323,11 +322,8 @@ preupgrade_changes_2.3.50_repo() { # We made repo changes in 2.3.50 and this prepares for that on upgrade echo "Checking to see if 2.3.50 repo changes are needed." - if [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]]; then - up_2.3.3X_to_2.3.50_repo - else - echo "No changes needed." - fi + [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50_repo + true } preupgrade_changes() { @@ -340,6 +336,7 @@ preupgrade_changes() { [[ "$INSTALLEDVERSION" == 2.3.0 || "$INSTALLEDVERSION" == 2.3.1 || "$INSTALLEDVERSION" == 2.3.2 || "$INSTALLEDVERSION" == 2.3.10 ]] && up_2.3.0_to_2.3.20 [[ "$INSTALLEDVERSION" == 2.3.20 || "$INSTALLEDVERSION" == 2.3.21 ]] && up_2.3.2X_to_2.3.30 [[ "$INSTALLEDVERSION" == 2.3.30 || "$INSTALLEDVERSION" == 2.3.40 ]] && up_2.3.3X_to_2.3.50 + true } postupgrade_changes() { @@ -350,6 +347,7 @@ postupgrade_changes() { [[ "$POSTVERSION" == 2.3.20 || "$POSTVERSION" == 2.3.21 ]] && post_2.3.2X_to_2.3.30 [[ "$POSTVERSION" == 2.3.30 ]] && post_2.3.30_to_2.3.40 [[ "$POSTVERSION" == 2.3.50 ]] && post_2.3.5X_to_2.3.60 + true } post_rc1_to_2.3.21() { @@ -661,7 +659,6 @@ upgrade_check() { is_hotfix=true fi else - echo "DEBUG: here" is_hotfix=false fi @@ -742,7 +739,7 @@ verify_latest_update_script() { main() { set -e - trap 'check_err $? $BASH_LINENO' EXIT + trap 'check_err $?' EXIT echo "### Preparing soup at $(date) ###" while getopts ":b" opt; do 
@@ -876,7 +873,7 @@ main() { fi # Only update the repo if its airgap - if [[ $is_airgap -eq 0 ]] && [[ $UPGRADESALT -ne 1 ]]; then + if [[ $is_airgap -eq 0 && $UPGRADESALT -ne 1 ]]; then update_centos_repo fi From 3625453668953d6d6a7c18cea26e4c16909a6344 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 11:00:28 -0400 Subject: [PATCH 13/38] Don't unmount airgap directory if not airgap --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index e5c09a487..676c5b0bc 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -931,7 +931,7 @@ main() { echo "Running a highstate. This could take several minutes." salt-call state.highstate -l info queue=True postupgrade_changes - unmount_update + [[ $is_airgap -eq 0 ]] && unmount_update thehive_maint if [[ $UPGRADESALT -eq 1 ]]; then From 2bcd51b21c3771e3ee488a7a63b6342e8481bebe Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 15:10:57 -0400 Subject: [PATCH 14/38] Fix error message --- salt/common/tools/sbin/soup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 676c5b0bc..323e755b2 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -687,7 +687,7 @@ upgrade_salt() { set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ - "Could not update soup, please check $SOUP_LOG for details." + "Could not update salt, please check $SOUP_LOG or scrollback for details." set -e echo "Applying yum versionlock for Salt." echo "" 
@@ -704,7 +704,7 @@ upgrade_salt() { set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ - "Could not update soup, please check $SOUP_LOG for details." + "Could not update salt, please check $SOUP_LOG or scrollback for details." set -e echo "Applying apt hold for Salt." echo "" From 992b76a0f09c40b6e7631767397e94039c5a79f0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 15:38:10 -0400 Subject: [PATCH 15/38] Remove debug lines --- salt/common/tools/sbin/soup | 2 -- 1 file changed, 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 323e755b2..2f27939e6 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -795,9 +795,7 @@ main() { fi echo "Let's see if we need to update Security Onion." - echo "DEBUG: before upgrade_check" upgrade_check - echo "DEBUG: after upgrade_check" upgrade_space echo "Checking for Salt Master and Minion updates." From b89091cc7d441361e571f31d1dd723606088ebb7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 15:58:25 -0400 Subject: [PATCH 16/38] Try retrying in curl instead of shell function --- salt/common/tools/sbin/so-common | 10 ++++++++-- salt/common/tools/sbin/so-image-common | 10 ++++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 2b2bbf944..d5450f096 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -328,10 +328,16 @@ retry() { run_check_net_err() { local cmd=$1 local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable + local no_retry=$3 local exit_code - retry 50 10 "$cmd" - exit_code=$? + if [[ -z $no_retry ]]; then + retry 50 10 "$cmd" + exit_code=$? + else + eval "$cmd" + exit_code=$? + fi if [[ $exit_code -ne 0 ]]; then echo "Command failed with error $exit_code" diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index c855abd15..fa1d6c6dd 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -130,8 +130,9 @@ update_docker_containers() { # Let's make sure we have the public key run_check_net_err \ - "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \ - "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" >> "$LOG_FILE" 2>&1 + "curl --retry 20 --retry-delay 30 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \ + "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \ + noretry >> "$LOG_FILE" 2>&1 result=$? if [[ $result -eq 0 ]]; then cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1 
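Review bot: The new `eval "$cmd"` branch executes a command that every caller assembles by string interpolation (`$SIGNPATH`, `$VERSION`, `$CONTAINER_REGISTRY`, `$(uname -r)` in the so-image-common hunks); any of those values containing shell metacharacters is re-parsed as code rather than passed as an argument. Passing the command as separate words and executing `"$@"` directly removes the second parse; the existing `retry` takes a string too, so the two would need to change together. Whether any of those variables can carry untrusted content is not visible here, which is why this is raised as hardening rather than as an exploitable defect. `run_check_net_err` starts outside the hunk.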
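Review bot: The rewritten `curl --retry 20 --retry-delay 30 -sSL … -o $SIGNPATH/KEYS` still lacks `--fail`, so an HTTP error body (a 404 page, a proxy block page) is saved as the key file with exit status 0 and the helper reports success; the `gpg --import` that follows then fails with an unrelated message. The same applies to the signature download in the `@@ -157` hunk on the next line, where an error body would be stored as `$image.sig`; `curl -fsSL …` is the one-token fix. Note also that `--retry` only repeats on curl's transient errors (timeouts and certain HTTP 4xx/5xx responses), so a refused connection is not retried unless the installed curl supports `--retry-connrefused`, which makes this narrower than the shell-level `retry` it replaces. The error message also directs users to `https://raw.gihubusercontent.com`, a misspelled host that is not the one being fetched; it should read `raw.githubusercontent.com`.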
@@ -157,8 +158,9 @@ update_docker_containers() { # Get signature run_check_net_err \ - "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ - "Could not pull signature file, please ensure connectivity to https://sigs.securityonion.net " >> "$LOG_FILE" 2>&1 + "curl --retry 20 --retry-delay 30 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ + "Could not pull signature file, please ensure connectivity to https://sigs.securityonion.net " \ + noretry >> "$LOG_FILE" 2>&1 if [[ $? -ne 0 ]]; then echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 exit 1 From 3f238f7a4ad911e605c5c859d9edaf564a012aa4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 16:02:52 -0400 Subject: [PATCH 17/38] Set flag so trap doesn't repeat info --- salt/common/tools/sbin/so-common | 1 + salt/common/tools/sbin/soup | 1 + 2 files changed, 2 insertions(+) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index d5450f096..0390a2bf2 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -340,6 +340,7 @@ run_check_net_err() { fi if [[ $exit_code -ne 0 ]]; then + ERR_HANDLED=true echo "Command failed with error $exit_code" echo "$err_msg" exit $exit_code diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2f27939e6..9a1afb2bb 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -30,6 +30,7 @@ check_err() { local exit_code=$1 local err_msg="Unhandled error occured, please check $SOUP_LOG for details." + [[ $ERR_HANDLED == true ]] && exit $exit_code if [[ $exit_code -ne 0 ]]; then printf '%s' "Soup failed with error $exit_code: " case $exit_code in From 4e1fba5b38183cad4c479fab7149946c06c8be83 Mon Sep 17 00:00:00 2001 
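Review bot: `run_check_net_err … noretry >> "$LOG_FILE" 2>&1` redirects the helper's entire output, so the user-facing `err_msg` ("please ensure connectivity to …") lands only in the log and the console shows nothing before the script exits; the same applies to the KEYS and `docker pull` calls in the `@@ -130` hunk. Writing the message to stderr inside the helper does not help while the call site captures `2>&1`; either move the redirect into the command string so only the fetched command is logged, or save a descriptor once (`exec 3>&2`) and emit the message with `echo "$err_msg" >&3`. Which fits better depends on how `LOG_FILE` interacts with the `tee` in soup, which is not visible here.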
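Review bot: `ERR_HANDLED=true` is a global flag that only reaches the `EXIT` trap if `run_check_net_err` runs in the calling shell; invoked from a command substitution or pipeline the assignment stays in the subshell and `check_err` (the `@@ -30` hunk in soup) prints its generic message a second time, which is exactly what the flag was meant to avoid. That holds for the call sites on this page, which only redirect output, but it deserves a comment at the assignment, e.g. `# read by check_err's EXIT trap; must not be set from a subshell`. `check_err` handles the unset case correctly because `[[ $ERR_HANDLED == true ]]` is simply false then.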
From: William Wernert Date: Mon, 17 May 2021 16:04:13 -0400 Subject: [PATCH 18/38] Only echo error code if not using retry --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 0390a2bf2..0b8cd97aa 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -341,7 +341,7 @@ run_check_net_err() { if [[ $exit_code -ne 0 ]]; then ERR_HANDLED=true - echo "Command failed with error $exit_code" + [[ -z $no_retry ]] && echo "Command failed with error $exit_code" echo "$err_msg" exit $exit_code fi From ce9554281ee2d83567a9cd1f2b5a9a7a3f1eab13 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 16:08:34 -0400 Subject: [PATCH 19/38] Fix backwards logic --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 0b8cd97aa..c6b0c0bd8 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -341,7 +341,7 @@ run_check_net_err() { if [[ $exit_code -ne 0 ]]; then ERR_HANDLED=true - [[ -z $no_retry ]] && echo "Command failed with error $exit_code" + [[ -z $no_retry ]] || echo "Command failed with error $exit_code" echo "$err_msg" exit $exit_code fi From dbd5ef70c995eb6a8065487d9e3908307e41bf26 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 17 May 2021 16:19:31 -0400 Subject: [PATCH 20/38] Change retry delay + count --- salt/common/tools/sbin/so-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c6b0c0bd8..3ab260eb8 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -332,7 +332,7 @@ run_check_net_err() { local exit_code if [[ -z $no_retry ]]; then - retry 50 10 "$cmd" + retry 20 30 "$cmd" exit_code=$? else eval "$cmd" 
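Review bot: `[[ -z $no_retry ]] || echo "Command failed with error $exit_code"` reads as a double negation, and the commit immediately before this one shipped it inverted; `if [[ -n $no_retry ]]; then echo …; fi` states the rule from the commit subject directly. The `no_retry` parameter is also a bare sentinel (`noretry` at the call sites) that is never validated, so any non-empty third argument, including a typo, silently selects the no-retry path; rejecting anything other than empty or `noretry` with an explicit error would catch that. `run_check_net_err` starts outside the hunk.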
From bdd53ed5e3a806ed26786a43df20b85ce9002294 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 18 May 2021 12:23:40 -0400 Subject: [PATCH 21/38] Change retry delay + count --- salt/common/tools/sbin/so-common | 2 +- salt/common/tools/sbin/so-image-common | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 3ab260eb8..55350d702 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -332,7 +332,7 @@ run_check_net_err() { local exit_code if [[ -z $no_retry ]]; then - retry 20 30 "$cmd" + retry 5 60 "$cmd" exit_code=$? else eval "$cmd" diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index fa1d6c6dd..2c61838b5 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -130,7 +130,7 @@ update_docker_containers() { # Let's make sure we have the public key run_check_net_err \ - "curl --retry 20 --retry-delay 30 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \ + "curl --retry 5 --retry-delay 60 -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" \ "Could not pull signature key file, please ensure connectivity to https://raw.gihubusercontent.com" \ noretry >> "$LOG_FILE" 2>&1 result=$? 
@@ -158,7 +158,7 @@ update_docker_containers() { # Get signature run_check_net_err \ - "curl --retry 20 --retry-delay 30 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ + "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ "Could not pull signature file, please ensure connectivity to https://sigs.securityonion.net " \ noretry >> "$LOG_FILE" 2>&1 if [[ $? -ne 0 ]]; then From f445186f1ebb2b28fd3f6592e8b07c98fce06fd5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 18 May 2021 13:38:55 -0400 Subject: [PATCH 22/38] Remove redundant error messages --- salt/common/tools/sbin/so-image-common | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 2c61838b5..f840e07ab 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -136,9 +136,6 @@ update_docker_containers() { result=$? if [[ $result -eq 0 ]]; then cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1 - else - echo "Failed to pull signature key file: $result" - exit 1 fi # Download the containers from the interwebs 
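Review bot: With the `else … exit 1` branch gone, `result=$?` always holds 0 because `run_check_net_err` exits on any failure, so the remaining `if [[ $result -eq 0 ]]` guard around `gpg --import` is dead and should be dropped together with the variable. While here, `cat $SIGNPATH/KEYS | gpg --import -` can be `gpg --import -- "$SIGNPATH/KEYS"`, and the import still trusts whatever the fetched file contains; comparing the imported key's fingerprint (`gpg --with-colons --fingerprint`) against a pinned expected value before any signature check would make a substituted KEYS file fail closed. `update_docker_containers` continues outside the hunk.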
@@ -159,12 +156,8 @@ update_docker_containers() { # Get signature run_check_net_err \ "curl --retry 5 --retry-delay 60 -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" \ - "Could not pull signature file, please ensure connectivity to https://sigs.securityonion.net " \ + "Could not pull signature file for $image, please ensure connectivity to https://sigs.securityonion.net " \ noretry >> "$LOG_FILE" 2>&1 - if [[ $? -ne 0 ]]; then - echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 - exit 1 - fi # Dump our hash values DOCKERINSPECT=$(docker inspect $CONTAINER_REGISTRY/$IMAGEREPO/$image) From 99d41d1606245cc0d75520545e55bf9b27dd1e9b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 May 2021 11:29:40 -0400 Subject: [PATCH 23/38] Add ending newline to soup --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9a1afb2bb..eb15305aa 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -999,3 +999,4 @@ EOF read -r input main "$@" | tee -a $SOUP_LOG + \ No newline at end of file From 686c7c5a6c5cf5010851381900f1cd8f9ea3a2f5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 May 2021 13:26:43 -0400 Subject: [PATCH 24/38] Add exception handling for docker API error to so-docker-prune --- salt/common/tools/sbin/so-docker-prune | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune index f6c043ef3..754a0f171 100755 --- a/salt/common/tools/sbin/so-docker-prune +++ b/salt/common/tools/sbin/so-docker-prune 
@@ -38,7 +38,7 @@ def get_image_version(string) -> str: Version(ver) except InvalidVersion: # Strip the last substring following a hyphen for automated branches - ver = '-'.join(ver.split('-')[:-1]) + ver = '-'.join(ver.split('-')[:-1]) return ver @@ -73,8 +73,12 @@ def main(quiet): for tag in group: if not quiet: print(f'Removing image {tag}') client.images.remove(tag) - except InvalidVersion as e: - print(f'so-{get_so_image_basename(t_list[0])}: {e.args[0]}', file=sys.stderr) + except (docker.errors.APIError, InvalidVersion) as e: + print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr) + exit(1) + except Exception as e: + print('Unhandled exception occurred:') + print(f'so-{get_so_image_basename(t_list[0])}: {e}', file=sys.stderr) exit(1) if no_prunable and not quiet: @@ -86,4 +90,4 @@ if __name__ == "__main__": main_parser.add_argument('-q', '--quiet', action='store_const', const=True, required=False) args = main_parser.parse_args(sys.argv[1:]) - main(args.quiet) \ No newline at end of file + main(args.quiet) From dcb89b704a373cf804b318b2c261e97e39dcb4e2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 May 2021 13:45:12 -0400 Subject: [PATCH 25/38] Move sensoroni state out of the * block of top.sls Resolves #3559 --- salt/top.sls | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/salt/top.sls b/salt/top.sls index 8a12aaa26..f3ccc9dda 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -38,7 +38,6 @@ base: - patch.os.schedule - motd - salt.minion-check - - sensoroni - salt.lasthighstate '*_helixsensor and G@saltversion:{{saltversion}}': @@ -47,6 +46,7 @@ base: - ca - ssl - registry + - sensoroni - telegraf - firewall - idstools @@ -66,6 +66,7 @@ base: - match: compound - ca - ssl + - sensoroni - telegraf - firewall - nginx @@ -92,6 +93,7 @@ base: - ca - ssl - registry + - sensoroni - manager - nginx - telegraf @@ -160,6 +162,7 @@ base: - ca - ssl - registry + - sensoroni - nginx - telegraf - influxdb 
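Review bot: In the new handlers the `except Exception` branch prints 'Unhandled exception occurred:' to stdout and the detail to stderr, while the `APIError`/`InvalidVersion` branch writes only to stderr; both lines should go to `sys.stderr` so quiet callers and pipelines see a consistent stream. `exit(1)` is the `site` module's interactive helper and is not guaranteed to exist when the interpreter runs without `site`; `sys` is already imported, so `sys.exit(1)` is the right call in all three places. Catching `Exception` and exiting also aborts the prune for every remaining image group on the first unexpected error, which may be intended but is worth a comment. `main` starts outside the hunk.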
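Review bot: Removing `- sensoroni` from the `'*'` block means the state is applied only to the role blocks that receive an explicit `+ - sensoroni` line in the following hunks (`@@ -47` through `@@ -441`); any role block this commit does not touch no longer gets it. The full `top.sls` is not on this page, so whether every intended role is covered cannot be checked here; a short comment at the first insertion naming why the state left the wildcard block would help the next reader, e.g. `# sensoroni is per-role rather than global; see the linked issue`.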
@@ -220,6 +223,7 @@ base: - ca - ssl - registry + - sensoroni - manager - nginx - telegraf @@ -290,6 +294,7 @@ base: - match: compound - ca - ssl + - sensoroni - nginx - telegraf - firewall @@ -320,6 +325,7 @@ base: - ca - ssl - registry + - sensoroni - nginx - telegraf - influxdb @@ -382,6 +388,7 @@ base: - match: compound - ca - ssl + - sensoroni - nginx - telegraf - firewall @@ -424,6 +431,7 @@ base: - match: compound - ca - ssl + - sensoroni - nginx - telegraf - firewall @@ -441,6 +449,7 @@ base: - ca - ssl - registry + - sensoroni - manager - nginx - soc From ffd5bfc48063aeb501def0030748b93091dd6678 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 May 2021 15:25:03 -0400 Subject: [PATCH 26/38] Force images from automated branches to a very high semver --- salt/common/tools/sbin/so-docker-prune | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune index 754a0f171..2dd183c10 100755 --- a/salt/common/tools/sbin/so-docker-prune +++ b/salt/common/tools/sbin/so-docker-prune @@ -37,8 +37,10 @@ def get_image_version(string) -> str: try: Version(ver) except InvalidVersion: - # Strip the last substring following a hyphen for automated branches - ver = '-'.join(ver.split('-')[:-1]) + # Also return a very high (but less than 'latest') semver for automated branches + # since the image will most likely be the latest version + if any(substr in ver for substr in ['bravo', 'delta', 'foxtrot', 'kilo']): + return '99999.9.9' return ver From 3bc0def02af00ab5741f903722f8316e68d3bfe1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 24 May 2021 16:45:05 -0400 Subject: [PATCH 27/38] Add failure message to salt-master check --- salt/common/tools/sbin/soup | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index eb15305aa..d2b96b194 100755 --- a/salt/common/tools/sbin/soup 
+++ b/salt/common/tools/sbin/soup @@ -890,8 +890,10 @@ main() { echo "Starting Salt Master service." systemctl start salt-master - # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" + # Testing that salt-master is up by checking that is it connected to itself + set +e + retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check /root/soup.log for details." + set -e echo "" echo "Ensuring python modules for Salt are installed and patched." @@ -924,9 +926,11 @@ main() { echo "Starting Salt Master service." systemctl start salt-master - # Testing that that salt-master is up by checking that is it connected to itself - retry 50 10 "salt-call state.show_top -l error" - + # Testing that salt-master is up by checking that is it connected to itself + set +e + retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check /root/soup.log for details." + set -e + echo "Running a highstate. This could take several minutes." salt-call state.highstate -l info queue=True postupgrade_changes From dbc4ffd69ad757d59d9e3d8351a7f1c1510fa0e6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 25 May 2021 09:20:45 -0400 Subject: [PATCH 28/38] Fix typo --- salt/common/tools/sbin/so-image-common | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index f840e07ab..9b6e2174a 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
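Review bot: The `set +e` / `set -e` added around `retry 50 10 "salt-call state.show_top -l error" || fail "…"` in both hunks (`@@ -890`, `@@ -924`) is redundant: a command on the left of `||` never triggers errexit, and bash also suspends errexit inside a function called in that position, so the line works unchanged under `set -e`. The pair re-enables `-e` unconditionally as well, which is safe only because `main` set it earlier. Whether `fail` exits or merely prints is not visible here; if it only prints, the script proceeds to the highstate with an unreachable master. Both hunks sit inside `main`, which starts and ends outside them.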
@@ -151,7 +151,7 @@ update_docker_containers() { local image=$i:$VERSION$IMAGE_TAG_SUFFIX run_check_net_err \ "docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image" \ - "Could not pull pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 + "Could not pull $image, please ensure connectivity to $CONTAINER_REGISTRY" >> "$LOG_FILE" 2>&1 # Get signature run_check_net_err \ From 7e008378bae365a16ae4d9741e3346eebcae04c0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 25 May 2021 09:23:44 -0400 Subject: [PATCH 29/38] Replace string with variable, remove unnecessary text --- salt/common/tools/sbin/soup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index d2b96b194..7fca8ceb9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -688,7 +688,7 @@ upgrade_salt() { set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ - "Could not update salt, please check $SOUP_LOG or scrollback for details." + "Could not update salt, please check $SOUP_LOG for details." set -e echo "Applying yum versionlock for Salt." echo "" @@ -705,7 +705,7 @@ upgrade_salt() { set +e run_check_net_err \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -F -M -x python3 stable \"$NEWSALTVERSION\"" \ - "Could not update salt, please check $SOUP_LOG or scrollback for details." + "Could not update salt, please check $SOUP_LOG for details." set -e echo "Applying apt hold for Salt." echo "" @@ -892,7 +892,7 @@ main() { # Testing that salt-master is up by checking that is it connected to itself set +e - retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check /root/soup.log for details." + retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details." set -e echo "" 
@@ -928,7 +928,7 @@ main() { # Testing that salt-master is up by checking that is it connected to itself set +e - retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check /root/soup.log for details." + retry 50 10 "salt-call state.show_top -l error" || fail "salt-master could not be reached. Check $SOUP_LOG for details." set -e echo "Running a highstate. This could take several minutes." From 192cec182550135ad711b4c58b61cbe86c5ae7bb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 25 May 2021 11:25:12 -0400 Subject: [PATCH 30/38] Change how version with dashes are handled by so-docker-prune --- salt/common/tools/sbin/so-docker-prune | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/so-docker-prune b/salt/common/tools/sbin/so-docker-prune index 2dd183c10..b1c359b58 100755 --- a/salt/common/tools/sbin/so-docker-prune +++ b/salt/common/tools/sbin/so-docker-prune @@ -32,15 +32,15 @@ def get_image_version(string) -> str: ver = string.split(':')[-1] if ver == 'latest': # Version doesn't like "latest", so use a high semver - return '999999.9.9' + return '99999.9.9' else: try: Version(ver) except InvalidVersion: - # Also return a very high (but less than 'latest') semver for automated branches - # since the image will most likely be the latest version - if any(substr in ver for substr in ['bravo', 'delta', 'foxtrot', 'kilo']): - return '99999.9.9' + # Also return a very high semver for any version + # with a dash in it since it will likely be a dev version of some kind + if '-' in ver: + return '999999.9.9' return ver From 94af55a95104cd4229a315343973c8167b6cadd6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 25 May 2021 11:25:37 -0400 Subject: [PATCH 31/38] Fix typo --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 7fca8ceb9..d1261fe30 100755 
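Review bot: The sentinel returned for hyphenated tags (`'999999.9.9'`) now sorts above the one returned for `latest` (`'99999.9.9'`), which inverts the ordering the previous revision of this function documented in its comment ("very high (but less than 'latest')"); if dev tags are meant to outrank `latest` the new comment should say so, otherwise the two constants should be swapped back. The `'-' in ver` test is also broader than "dev version": any tag that `Version()` rejects and happens to contain a hyphen is promoted to the top, and if `string` can ever arrive without a `:`, `ver` is the whole image name, whose hyphenated repository path would be treated the same way. A comment naming the tag forms this is meant to catch, e.g. `# automated-branch tags look like 2.3.60-foxtrot; rank them above every release`, would make the heuristic auditable.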
--- a/salt/common/tools/sbin/soup
+++ b/salt/common/tools/sbin/soup
@@ -60,7 +60,7 @@ check_err() {
 echo 'Link has been severed'
 ;;
 100)
- echo 'Netowrk is down'
+ echo 'Network is down'
 ;;
 101)
 echo 'Network is unreachable'
From 0187c9d6df5aeb4a62c7c963231f4d0f7b2cefe6 Mon Sep 17 00:00:00 2001
From: Josh Brower
Date: Wed, 26 May 2021 09:51:37 -0400
Subject: [PATCH 32/38] Adds so-pcap-export
---
 salt/common/tools/sbin/so-pcap-export | 26 +++++++++++++++++++++
 salt/common/tools/sbin/so-suricata-testrule | 5 ++++
 2 files changed, 31 insertions(+)
 create mode 100644 salt/common/tools/sbin/so-pcap-export
diff --git a/salt/common/tools/sbin/so-pcap-export b/salt/common/tools/sbin/so-pcap-export
new file mode 100644
index 000000000..076b4eae6
--- /dev/null
+++ b/salt/common/tools/sbin/so-pcap-export
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+if [ $# -lt 2 ]; then
+ echo "Usage: $0 Output-Filename"
+ exit 1
+fi
+
+docker exec -it so-sensoroni scripts/stenoquery.sh "$1" -w /nsm/pcapout/$2.pcap
+
+echo ""
+echo "If successful, the output was written to: /nsm/pcapout/$2.pcap"
\ No newline at end of file
diff --git a/salt/common/tools/sbin/so-suricata-testrule b/salt/common/tools/sbin/so-suricata-testrule
index ac4b81d3c..f9f23e70f 100755
--- a/salt/common/tools/sbin/so-suricata-testrule
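Review bot: `$2` is spliced into the output path `/nsm/pcapout/$2.pcap` unquoted and unchecked, so a value containing `../` writes the capture outside /nsm/pcapout and a value with spaces splits the `-w` argument; restrict it before use, e.g. `[[ "$2" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Output-Filename may only contain letters, digits, '.', '_' and '-'" >&2; exit 1; }`, and quote the path as `-w "/nsm/pcapout/$2.pcap"`. The file is also created with mode 100644 while the neighbouring sbin tools in this series are 100755, so it will not be executable once deployed. The usage line `Usage: $0 Output-Filename` shows no placeholder for the first (query) argument; if angle-bracket placeholders were stripped in rendering this is moot, otherwise add one so the argument order is clear.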
+++ b/salt/common/tools/sbin/so-suricata-testrule @@ -23,6 +23,11 @@ TESTPCAP=$2 . /usr/sbin/so-common +if [ $# -lt 2 ]; then + echo "Usage: $0 " + exit 1 +fi + echo "" echo "===============" echo "Running all.rules and $TESTRULE against the following pcap: $TESTPCAP" From cb40a76247141f45ccb2886e3637e2386a3a1b76 Mon Sep 17 00:00:00 2001 From: John Bernal <59663876+j-bernal@users.noreply.github.com> Date: Wed, 26 May 2021 09:55:14 -0400 Subject: [PATCH 33/38] Update so-whiptail Updated Zeek capitalization when prompting for the number of processes. --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5eca2d39a..b7fc50495 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -64,7 +64,7 @@ whiptail_basic_zeek() { [ -n "$TESTING" ] && return BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the number of zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3) + "Enter the number of Zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From ee675546ac751615ac9fa0fac00b5540bba4aaa5 Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 26 May 2021 14:09:00 -0400 Subject: [PATCH 34/38] add menu.actions.json and update soc.json --- salt/soc/files/soc/menu.actions.json | 33 ++++++++++++++++++++++++++++ salt/soc/files/soc/soc.json | 8 +++++-- 2 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 salt/soc/files/soc/menu.actions.json diff --git a/salt/soc/files/soc/menu.actions.json b/salt/soc/files/soc/menu.actions.json new file mode 100644 index 000000000..558d10a36 --- /dev/null +++ b/salt/soc/files/soc/menu.actions.json 
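Review bot: The new check only counts arguments; `$TESTPCAP` is then handed on as a pcap path without confirming it is readable, so a typo surfaces as an opaque Suricata error rather than a clear message — add `[ -r "$TESTPCAP" ] || { echo "pcap not readable: $TESTPCAP" >&2; exit 1; }` after the usage check. The check also sits below `. /usr/sbin/so-common`, so whatever so-common does on load (not visible here) runs before the inputs are validated; moving the check above the source line avoids that. The usage text `Usage: $0 ` carries no argument placeholders; if they were stripped in rendering ignore this, otherwise spell them out, e.g. `Usage: $0 RULE_FILE PCAP_FILE`.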
@@ -0,0 +1,33 @@
+[
+ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
+ "links": [
+ "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
+ "links": [
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
+ "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
+ ]},
+ { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
+ "links": [
+ "/joblookup?esid={:soc_id}",
+ "/joblookup?ncid={:network.community_id}"
+ ]},
+ { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
+ "links": [
+ "/cyberchef/#input={value|base64}"
+ ]},
+ { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
+ "links": [
+ "https://www.google.com/search?q={value}"
+ ]},
+ { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
+ "links": [
+ "https://www.virustotal.com/gui/search/{value}"
+ ]}
+]
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index 5dfd364d2..a3326ab4a 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
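Review bot: The Google and VirusTotal links interpolate a bare `{value}`, while the hunt link uses `{value|escape}`; whether the action renderer URL-encodes a bare `{value}` is not visible here, and if it does not, a field value containing `&`, `#` or `/` changes the request rather than the search term — for the path form `/gui/search/{value}` a `/` alters the route. Applying the same `|escape` filter (or whatever URL-encoding filter the renderer offers) to both external actions would make the behaviour consistent across the file. These two actions also send event data — IPs, hostnames, hashes — to third-party services, so the `actionGoogleHelp` and `actionVirusTotalHelp` strings should make that disclosure explicit to the analyst before they click.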
@@ -17,6 +17,7 @@ {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %} {%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %} {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %} +{%- import_json "soc/files/soc/menu.actions.json" as menu_actions %} {%- import_json "soc/files/soc/tools.json" as tools %} {%- set DNET = salt['pillar.get']('global:dockernet', '172.17.0.0') %} @@ -123,8 +124,11 @@ "queryBaseFilter": "", "queryToggleFilters": [], "queries": {{ hunt_queries | json }}, - "actions": {{ hunt_actions | json }} + "actions": {{ menu_actions | json }} }, + "job": { + "actions": {{ menu_actions | json }} + }, "alerts": { "advanced": false, "groupItemsPerPage": 50, @@ -143,7 +147,7 @@ { "name": "escalated", "filter": "event.escalated:true", "enabled": false, "exclusive": true, "enablesToggles":["acknowledged"] } ], "queries": {{ alerts_queries | json }}, - "actions": {{ alerts_actions | json }} + "actions": {{ menu_actions | json }} } } } From aeea5701e490e69254b9fd6d1470a9e8db67da65 Mon Sep 17 00:00:00 2001 From: doug Date: Wed, 26 May 2021 16:34:05 -0400 Subject: [PATCH 35/38] completely disable both alerts.actions.json and hunt.actions.json --- salt/soc/files/soc/alerts.actions.json | 34 +------------------------- salt/soc/files/soc/hunt.actions.json | 34 +------------------------- salt/soc/files/soc/soc.json | 2 -- 3 files changed, 2 insertions(+), 68 deletions(-) diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json index 558d10a36..1addf23c6 100644 --- a/salt/soc/files/soc/alerts.actions.json +++ b/salt/soc/files/soc/alerts.actions.json 
@@ -1,33 +1 @@
-[
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
- "links": [
- "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
- "links": [
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
- "links": [
- "/joblookup?esid={:soc_id}",
- "/joblookup?ncid={:network.community_id}"
- ]},
- { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
- "links": [
- "/cyberchef/#input={value|base64}"
- ]},
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
- "links": [
- "https://www.google.com/search?q={value}"
- ]},
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
- "links": [
- "https://www.virustotal.com/gui/search/{value}"
- ]}
-]
+This file is no longer used. Please use menu.actions.json instead.
diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json
index 558d10a36..1addf23c6 100644
--- a/salt/soc/files/soc/hunt.actions.json
+++ b/salt/soc/files/soc/hunt.actions.json
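Review bot: The file keeps its `.json` name but now holds a bare sentence that is not valid JSON, so any template that still runs `import_json` on it — a locally customised soc.json, or a minion whose cached states are out of step with this commit — fails to render soc.json as a whole rather than merely losing the actions. Deleting the file, or leaving it as an empty array `[]` and putting the "use menu.actions.json instead" pointer in the commit message or a README, avoids that failure mode. The same applies to the hunt.actions.json hunk that follows.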
@@ -1,33 +1 @@
-[
- { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "",
- "links": [
- "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "",
- "links": [
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:log.id.uid}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.fuid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=(\"{:log.id.uid}\" OR \"{:network.community_id}\") | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset",
- "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset"
- ]},
- { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "",
- "links": [
- "/joblookup?esid={:soc_id}",
- "/joblookup?ncid={:network.community_id}"
- ]},
- { "name": "actionCyberChef", "description": "actionCyberChefHelp", "icon": "fas fa-bread-slice", "target": "_blank",
- "links": [
- "/cyberchef/#input={value|base64}"
- ]},
- { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank",
- "links": [
- "https://www.google.com/search?q={value}"
- ]},
- { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank",
- "links": [
- "https://www.virustotal.com/gui/search/{value}"
- ]}
-]
+This file is no longer used. Please use menu.actions.json instead.
diff --git a/salt/soc/files/soc/soc.json b/salt/soc/files/soc/soc.json
index a3326ab4a..8048970f3 100644
--- a/salt/soc/files/soc/soc.json
+++ b/salt/soc/files/soc/soc.json
@@ -12,10 +12,8 @@
 {%- set CACHE_EXPIRATION = salt['pillar.get']('sensoroni:cache_expiration_ms', 0) %}
 {%- set ES_FIELDCAPS_CACHE = salt['pillar.get']('sensoroni:es_fieldcaps_cache_ms', '300000') %}
 {%- import_json "soc/files/soc/alerts.queries.json" as alerts_queries %}
-{%- import_json "soc/files/soc/alerts.actions.json" as alerts_actions %}
 {%- import_json "soc/files/soc/alerts.eventfields.json" as alerts_eventfields %}
 {%- import_json "soc/files/soc/hunt.queries.json" as hunt_queries %}
-{%- import_json "soc/files/soc/hunt.actions.json" as hunt_actions %}
 {%- import_json "soc/files/soc/hunt.eventfields.json" as hunt_eventfields %}
 {%- import_json "soc/files/soc/menu.actions.json" as menu_actions %}
 {%- import_json "soc/files/soc/tools.json" as tools %}
From ada8255af04aaf952c2c9a92f52507ce9ba5e757 Mon Sep 17 00:00:00 2001
From: doug
Date: Fri, 28 May 2021 08:59:40 -0400
Subject: [PATCH 36/38] bump version to 7.13.0
---
 salt/kibana/files/saved_objects.ndjson | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/kibana/files/saved_objects.ndjson b/salt/kibana/files/saved_objects.ndjson
index 863209d48..21ef5a94a 100644
--- a/salt/kibana/files/saved_objects.ndjson
+++ b/salt/kibana/files/saved_objects.ndjson
@@ -460,7 +460,7 @@ {"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\",\"time_zone\":\"America/New_York\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":48,\"x\":0,\"y\":0,\"i\":\"1\"},\"panelIndex\":\"1\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":96,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":8,\"y\":20,\"i\":\"7\"},\"panelIndex\":\"7\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":28,\"x\":28,\"y\":20,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":0,\"y\":72,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":48,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":24,\"x\":16,\"y\":72,\"i\":\"12\"},\"panelIndex\":\"12\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefNa
me\":\"panel_8\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":20,\"h\":12,\"x\":28,\"y\":8,\"i\":\"13\"},\"panelIndex\":\"13\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":120,\"i\":\"14\"},\"panelIndex\":\"14\",\"embeddableConfig\":{\"columns\":[\"event_type\",\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_10\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"15\"},\"panelIndex\":\"15\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_11\"}]","timeRestore":false,"title":"z16.04 - Sysmon - Logs","version":1},"id":"6d189680-6d62-11e7-8ddb-e71eb260f4a3","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"8cfdeff0-6d6b-11e7-ad64-15aa071374a6","name":"panel_1","type":"visualization"},{"id":"0eb1fd80-6d70-11e7-b09b-f57b22df6524","name":"panel_2","type":"visualization"},{"id":"3072c750-6d71-11e7-b09b-f57b22df6524","name":"panel_3","type":"visualization"},{"id":"7bc74b40-6d71-11e7-b09b-f57b22df6524","name":"panel_4","type":"visualization"},{"id":"13ed0810-6d72-11e7-b09b-f57b22df6524","name":"panel_5","type":"visualization"},{"id":"3b6c92c0-6d72-11e7-b09b-f57b22df6524","name":"panel_6","type":"visualization"},{"id":"e09f6010-6d72-11e7-b09b-f57b22df6524","name":"panel_7","type":"visualization"},{"id":"29611940-6d75-11e7-b09b-f57b22df6524","name":"panel_8","type":"visualization"},{"id":"6b70b840-6d75-11e7-b09b-f57b22df6524","name":"panel_9","type":"visualization"},{"id":"248c1d20-6d6b-11e7-ad64-15aa071374a6","name":"panel_10","type":"search"},{"id":"AWDHHk1sxQT5EBNmq43Y","name":"panel_11","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQyLDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"},"savedSearchRefName":"search_0","title":"SMB - Action (Pie Chart)","uiStateJSON":"{}","version":1,"visState":"{\"title\":\"SMB - Action (Pie Chart)\",\"type\":\"pie\",\"params\":{\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"type\":\"pie\",\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"action.keyword\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"size\":20,\"order\":\"desc\",\"orderBy\":\"1\"}}]}"},"id":"6f883480-3aad-11e7-8b17-0d8709b02c80","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"19849f30-3aab-11e7-8b17-0d8709b02c80","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQzLDRd"} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - SSL - Subject","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - SSL - 
Subject\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"ssl.certificate.subject.keyword: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"ssl.certificate.subject.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Subject\"}}]}"},"id":"6fccb600-75ec-11ea-9565-7315f4ee5cac","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ0LDRd"} -{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.12.1","id":"7.12.1","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} 
+{"attributes":{"buildNum":39457,"defaultIndex":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","defaultRoute":"/app/dashboards#/view/a8411b30-6d03-11ea-b301-3d6c35840645","discover:sampleSize":100,"theme:darkMode":true,"timepicker:timeDefaults":"{\n \"from\": \"now-24h\",\n \"to\": \"now\"\n}"},"coreMigrationVersion":"7.13.0","id":"7.13.0","migrationVersion":{"config":"7.12.0"},"references":[],"type":"config","updated_at":"2021-04-29T21:42:52.430Z","version":"WzY3NTUsM10="} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Strelka - File - MIME Flavors","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Strelka - File - MIME Flavors\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":0,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"file.flavors.mime.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":100,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}"},"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ2LDRd"} 
{"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"filter\":[]}"},"savedSearchRefName":"search_0","title":"Modbus - Log Count","uiStateJSON":"{\"vis\":{\"defaultColors\":{\"0 - 100\":\"rgb(0,104,55)\"}}}","version":1,"visState":"{\"title\":\"Modbus - Log Count\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"gauge\",\"gauge\":{\"verticalSplit\":false,\"autoExtend\":false,\"percentageMode\":false,\"gaugeType\":\"Metric\",\"gaugeStyle\":\"Full\",\"backStyle\":\"Full\",\"orientation\":\"vertical\",\"colorSchema\":\"Green to Red\",\"gaugeColorMode\":\"None\",\"useRange\":false,\"colorsRange\":[{\"from\":0,\"to\":100}],\"invertColors\":false,\"labels\":{\"show\":false,\"color\":\"black\"},\"scale\":{\"show\":false,\"labels\":false,\"color\":\"#333\",\"width\":2},\"type\":\"simple\",\"style\":{\"fontSize\":\"30\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"bgFill\":\"#FB9E00\"}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}],\"listeners\":{}}"},"id":"AWDG_9KpxQT5EBNmq4Oo","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ3LDRd"} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"highlightAll\":true,\"version\":true,\"query\":{\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\",\"default_field\":\"*\"}},\"language\":\"lucene\"},\"filter\":[]}"},"optionsJSON":"{\"darkTheme\":true,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":56,\"x\":0,\"y\":0,\"i\":\"2\"},\"panelIndex\":\"2\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":32,\"h\":8,\"x\":16,\"y\":0,\"i\":\"3\"},\"panelIndex\":\"3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":8,\"y\":32,\"i\":\"5\"},\"panelIndex\":\"5\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":12,\"h\":24,\"x\":20,\"y\":32,\"i\":\"6\"},\"panelIndex\":\"6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":48,\"h\":24,\"x\":0,\"y\":56,\"i\":\"8\"},\"panelIndex\":\"8\",\"embeddableConfig\":{\"columns\":[\"source_ip\",\"source_port\",\"destination_ip\",\"destination_port\",\"uid\",\"_id\"],\"sort\":[\"@timestamp\",\"desc\"],\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":16,\"h\":24,\"x\":32,\"y\":32,\"i\":\"9\"},\"panelIndex\":\"9\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":8,\"h\":8,\"x\":8,\"y\":0,\"i\":\"10\"},\"panelIndex\":\"10\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\":\"7.9.0\",\"gridData\":{\"w\":40,\"h\":24,\"x\":8,\"y\":8,\"i\":\"11\"},\"panelIndex\":\"11\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"}]","timeRestore":false,"title":"z16.04 - Bro - 
Modbus","version":1},"id":"70c005f0-3583-11e7-a588-05992195c551","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"b3b449d0-3429-11e7-9d52-4f090484f59e","name":"panel_0","type":"visualization"},{"id":"0d168a30-363f-11e7-a6f7-4f44d7bf1c33","name":"panel_1","type":"visualization"},{"id":"20eabd60-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_2","type":"visualization"},{"id":"3c65f500-380b-11e7-a1cc-ebc6a7e70e84","name":"panel_3","type":"visualization"},{"id":"52dc9fe0-342e-11e7-9e93-53b62e1857b2","name":"panel_4","type":"search"},{"id":"178209e0-6e1b-11e7-b553-7f80727663c1","name":"panel_5","type":"visualization"},{"id":"AWDG_9KpxQT5EBNmq4Oo","name":"panel_6","type":"visualization"},{"id":"453f8b90-4a58-11e8-9b0a-f1d33346f773","name":"panel_7","type":"visualization"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwMTQ4LDRd"} 
@@ -730,4 +730,4 @@ {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[],\"indexRefName\":\"kibanaSavedObjectMeta.searchSourceJSON.index\"}"},"title":"Security Onion - Syslog - Severity (Donut)","uiStateJSON":"{}","version":1,"visState":"{\"type\":\"pie\",\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"syslog.severity.keyword\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":25,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Severity\"}}],\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":false,\"values\":true,\"last_level\":true,\"truncate\":100},\"dimensions\":{\"metric\":{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"},\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"syslog.severity.keyword: Descending\",\"aggType\":\"terms\"}]}},\"title\":\"Security Onion - Syslog - Severity (Donut)\"}"},"id":"fc8d41a0-777b-11ea-bee5-af7f7c7b8e05","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"2289a0c0-6970-11ea-a0cd-ffa0f6a1bc29","name":"kibanaSavedObjectMeta.searchSourceJSON.index","type":"index-pattern"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDExLDRd"} {"attributes":{"description":"","kibanaSavedObjectMeta":{"searchSourceJSON":"{}"},"savedSearchRefName":"search_0","title":"Security Onion - Connections - Top Source 
IPs","uiStateJSON":"{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}","version":1,"visState":"{\"title\":\"Security Onion - Connections - Top Source IPs\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showMetricsAtAllLevels\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"percentageCol\":\"\",\"dimensions\":{\"metrics\":[{\"accessor\":1,\"format\":{\"id\":\"number\"},\"params\":{},\"label\":\"Count\",\"aggType\":\"count\"}],\"buckets\":[{\"accessor\":0,\"format\":{\"id\":\"terms\",\"params\":{\"id\":\"string\",\"otherBucketLabel\":\"Other\",\"missingBucketLabel\":\"Missing\",\"parsedUrl\":{\"origin\":\"https://PLACEHOLDER\",\"pathname\":\"/kibana/app/kibana\",\"basePath\":\"/kibana\"}}},\"params\":{},\"label\":\"source.ip: Descending\",\"aggType\":\"terms\"}]},\"showToolbar\":true},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source.ip\",\"orderBy\":\"1\",\"order\":\"desc\",\"size\":10,\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Source IP\"}}]}"},"id":"fd8b4640-6e9f-11ea-9266-1fd14ca6af34","migrationVersion":{"visualization":"7.11.0"},"references":[{"id":"9b333020-6e9f-11ea-9266-1fd14ca6af34","name":"search_0","type":"search"}],"type":"visualization","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEyLDRd"} 
{"attributes":{"description":"","hits":0,"kibanaSavedObjectMeta":{"searchSourceJSON":"{\"query\":{\"language\":\"kuery\",\"query\":\"event.module:strelka\"},\"filter\":[]}"},"optionsJSON":"{\"hidePanelTitles\":false,\"useMargins\":true}","panelsJSON":"[{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":0,\"w\":8,\"h\":7,\"i\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\"},\"panelIndex\":\"a2e0a619-a5c5-40d9-8593-e60f13ae22bf\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_0\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":0,\"w\":21,\"h\":7,\"i\":\"566a9d04-f2dc-4868-9625-97a19d985703\"},\"panelIndex\":\"566a9d04-f2dc-4868-9625-97a19d985703\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_1\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":29,\"y\":0,\"w\":19,\"h\":7,\"i\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\"},\"panelIndex\":\"f247ec64-c278-4e05-ac4d-983bea9dfb7d\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_2\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":7,\"w\":12,\"h\":20,\"i\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\"},\"panelIndex\":\"6e80a142-ab0e-4fd3-891c-e495b78a1625\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_3\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":12,\"y\":7,\"w\":11,\"h\":20,\"i\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\"},\"panelIndex\":\"292cc879-6bc0-4541-ba92-3b3c5f4e3368\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_4\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":7,\"w\":14,\"h\":20,\"i\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\"},\"panelIndex\":\"66979b2c-e7c1-4291-91ac-16537b7f9ec3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_5\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":37,\"y\":7,\"w\":11,\"h\":20,\"i\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\"},\"panelIndex\":\"8bb1cf98-0401-4a2d-9dd8-deca08205a22\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_6\"},{\"version\
":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":27,\"w\":8,\"h\":20,\"i\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\"},\"panelIndex\":\"393f3cec-3ee0-4275-b319-f307e7a260c6\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_7\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":8,\"y\":27,\"w\":15,\"h\":20,\"i\":\"0e8800a9-a6f5-4a79-8370-61713f584886\"},\"panelIndex\":\"0e8800a9-a6f5-4a79-8370-61713f584886\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_8\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":23,\"y\":27,\"w\":25,\"h\":20,\"i\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\"},\"panelIndex\":\"be9a0a2a-d8c6-4d15-b5d7-d5599d0482a3\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_9\"},{\"version\":\"7.6.1\",\"gridData\":{\"x\":0,\"y\":47,\"w\":48,\"h\":27,\"i\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\"},\"panelIndex\":\"40296d2b-cb6f-423f-989c-3fdaa82d2aad\",\"embeddableConfig\":{\"enhancements\":{}},\"panelRefName\":\"panel_10\"}]","timeRestore":false,"title":"Security Onion - 
Strelka","version":1},"id":"ff689c50-75f3-11ea-9565-7315f4ee5cac","migrationVersion":{"dashboard":"7.11.0"},"references":[{"id":"8cfec8c0-6ec2-11ea-9266-1fd14ca6af34","name":"panel_0","type":"visualization"},{"id":"d04b5130-6e99-11ea-9266-1fd14ca6af34","name":"panel_1","type":"visualization"},{"id":"23ed13a0-6e9a-11ea-9266-1fd14ca6af34","name":"panel_2","type":"visualization"},{"id":"7a88adc0-75f0-11ea-9565-7315f4ee5cac","name":"panel_3","type":"visualization"},{"id":"49cfe850-772c-11ea-bee5-af7f7c7b8e05","name":"panel_4","type":"visualization"},{"id":"70243970-772c-11ea-bee5-af7f7c7b8e05","name":"panel_5","type":"visualization"},{"id":"ce9e03f0-772c-11ea-bee5-af7f7c7b8e05","name":"panel_6","type":"visualization"},{"id":"a7ebb450-772c-11ea-bee5-af7f7c7b8e05","name":"panel_7","type":"visualization"},{"id":"08c0b770-772e-11ea-bee5-af7f7c7b8e05","name":"panel_8","type":"visualization"},{"id":"e087c7d0-772d-11ea-bee5-af7f7c7b8e05","name":"panel_9","type":"visualization"},{"id":"8b6f3150-72a2-11ea-8dd2-9d8795a1200b","name":"panel_10","type":"search"}],"type":"dashboard","updated_at":"2021-03-19T14:35:12.119Z","version":"WzcwNDEzLDRd"} -{"exportedCount":732,"missingRefCount":0,"missingReferences":[]} \ No newline at end of file +{"exportedCount":732,"missingRefCount":0,"missingReferences":[]} From ba011581ef0c1c2f35bd9925e4c1ddcfde1462c0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 28 May 2021 10:14:58 -0400 Subject: [PATCH 37/38] Add version to ending summary --- setup/so-whiptail | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index b7fc50495..d492d10cc 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -447,6 +447,7 @@ whiptail_end_settings() { # BASIC INFO (NETWORK, HOSTNAME, DESCRIPTION, ETC) read -r -d '' end_msg <<- EOM + Security Onion Version: $SOVERSION Node Type: $install_type Hostname: $HOSTNAME EOM From d55a9e6274ad381944504295af93a5905f0fbcfb Mon Sep 17 00:00:00 2001 
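Review bot: The inserted `Security Onion Version: $SOVERSION` line sits inside a `<<-` here-document, which strips leading tabs but not spaces, so its indentation has to match the sibling `Node Type:`/`Hostname:` lines exactly or the version line will render with a stray indent in the final summary; the collapsed diff does not show which whitespace was used, so this needs checking in the file. `$SOVERSION` is also not set or sourced anywhere in this one-line patch, so if whiptail_end_settings can run before it is defined the summary prints an empty version; `Security Onion Version: ${SOVERSION:-unknown}` would make that case visible rather than silent. whiptail_end_settings continues outside the hunk.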
From: William Wernert Date: Fri, 28 May 2021 10:20:19 -0400 Subject: [PATCH 38/38] Add version to all whiptail titles --- setup/so-whiptail | 200 +++++++++++++++++++++++----------------------- 1 file changed, 100 insertions(+), 100 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index d492d10cc..09792459d 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -22,7 +22,7 @@ whiptail_airgap() { local node_str='node' [[ $is_manager || $is_import ]] && node_str='manager' - INTERWEBS=$(whiptail --title "Security Onion Setup" --menu \ + INTERWEBS=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu \ "How should this $node_str be installed?" 10 60 2 \ "Standard " "This $node_str has internet accesss" \ "Airgap " "This $node_str does not have internet access" 3>&1 1>&2 2>&3 ) @@ -42,7 +42,7 @@ whiptail_avoid_default_hostname() { You can choose to use this default hostname anyway, or change it to a new hostname. EOM - whiptail --title "Security Onion Setup" \ + whiptail --title "Security Onion Setup - $SOVERSION" \ --yesno "$message" 11 75 \ --yes-button "Use Anyway" --no-button "Change" --defaultno } @@ -51,7 +51,7 @@ whiptail_basic_suri() { [ -n "$TESTING" ] && return - BASICSURI=$(whiptail --title "Security Onion Setup" --inputbox \ + BASICSURI=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter the number of Suricata processes:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -63,7 +63,7 @@ whiptail_basic_zeek() { [ -n "$TESTING" ] && return - BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ + BASICZEEK=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter the number of Zeek processes:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? 
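Review bot: The same literal `"Security Onion Setup - $SOVERSION"` is now repeated in roughly 100 whiptail calls across every hunk of this commit, from whiptail_airgap here through whiptail_patch_schedule_import, which means the next title change is another 100-line diff and any one call can drift. Defining it once near the top of so-whiptail, e.g. `readonly WHIPTAIL_TITLE="Security Onion Setup - ${SOVERSION:-unknown}"`, and passing `--title "$WHIPTAIL_TITLE"` keeps the title in one place. I cannot see from this patch where `SOVERSION` is exported; if any dialog can be reached before it is set, every title silently becomes `Security Onion Setup - ` with a dangling hyphen, which a default (or a `${SOVERSION:?...}` guard, if aborting early is acceptable in `TESTING` runs) would surface. The enclosing functions of most hunks start or end outside the hunk boundaries.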
@@ -75,7 +75,7 @@ whiptail_bond_nics_mtu() { [ -n "$TESTING" ] && return # Set the MTU on the monitor interface - MTU=$(whiptail --title "Security Onion Setup" --inputbox \ + MTU=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter the MTU for the monitor NICs:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -84,7 +84,7 @@ whiptail_bond_nics_mtu() { whiptail_cancel() { - whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Cancelling Setup." 8 75 if [ -d "/root/installtmp" ]; then { echo "/root/installtmp exists"; @@ -104,7 +104,7 @@ whiptail_check_exitstatus() { whiptail_cancel ;; 255) - whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75 exit ;; esac @@ -114,7 +114,7 @@ whiptail_components_adv_warning() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75 } whiptail_create_admin_user() { @@ -187,7 +187,7 @@ whiptail_create_soremote_user() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Set a password for the soremote user. This account is used for adding sensors remotely." 8 75 } 
@@ -258,11 +258,11 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then - whiptail --title "Security Onion Setup" \ + whiptail --title "Security Onion Setup - $SOVERSION" \ --msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75 # Same as whiptail_cancel, but changed the wording to exit instead of cancel. - whiptail --title "Security Onion Setup" --msgbox "Exiting Setup. No changes have been made." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Exiting Setup. No changes have been made." 8 75 if [ -d "/root/installtmp" ]; then { echo "/root/installtmp exists"; @@ -272,7 +272,7 @@ whiptail_requirements_error() { fi exit else - whiptail --title "Security Onion Setup" \ + whiptail --title "Security Onion Setup - $SOVERSION" \ --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75 local exitstatus=$? @@ -298,7 +298,7 @@ whiptail_storage_requirements() { EOM whiptail \ - --title "Security Onion Setup" \ + --title "Security Onion Setup - $SOVERSION" \ --yesno "$message" \ 14 75 @@ -310,7 +310,7 @@ whiptail_cur_close_days() { [ -n "$TESTING" ] && return - CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \ + CURCLOSEDAYS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Please specify the threshold (in days) at which Elasticsearch indices will be closed:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? 
@@ -322,7 +322,7 @@ whiptail_dhcp_or_static() { [ -n "$TESTING" ] && return - address_type=$(whiptail --title "Security Onion Setup" --radiolist \ + address_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose how to set up your management interface:" 20 78 4 \ "STATIC" "Set a static IPv4 address" ON \ "DHCP" "Use DHCP to configure the Management Interface" OFF 3>&1 1>&2 2>&3 ) @@ -355,7 +355,7 @@ whiptail_dhcp_warn() { EOM whiptail \ - --title "Security Onion Setup" \ + --title "Security Onion Setup - $SOVERSION" \ --"$window_type" "$dhcp_message" \ 14 75 @@ -366,7 +366,7 @@ whiptail_dhcp_warn() { whiptail_dhcp_or_static ;; 255) - whiptail --title "Security Onion Setup" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Whiptail error occured, exiting. Check log for details." 8 75 exit ;; esac @@ -380,7 +380,7 @@ whiptail_dockernet_check(){ [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno \ + whiptail --title "Security Onion Setup - $SOVERSION" --yesno \ "Do you want to keep the default Docker IP range?\n\nIf you are unsure, please accept the default option of Yes." 10 75 } @@ -389,7 +389,7 @@ whiptail_dockernet_net() { [ -n "$TESTING" ] && return - DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \ + DOCKERNET=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "\nEnter a /24 size network range for docker to use WITHOUT the /24 suffix. This range will be used on ALL nodes." 11 65 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -409,7 +409,7 @@ whiptail_enable_components() { STRELKA=0 if [[ $is_eval ]]; then - COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ + COMPONENTS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \ "Select Components to install:" 20 75 8 \ GRAFANA "Enable Grafana for system monitoring" ON \ OSQUERY "Enable Fleet with osquery" ON \ 
@@ -418,7 +418,7 @@ if [[ $is_eval ]]; then PLAYBOOK "Enable Playbook" ON \ STRELKA "Enable Strelka" ON 3>&1 1>&2 2>&3) else - COMPONENTS=$(whiptail --title "Security Onion Setup" --checklist \ + COMPONENTS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \ "Select Components to install:" 20 75 7 \ OSQUERY "Enable Fleet with osquery" ON \ WAZUH "Enable Wazuh" ON \ @@ -658,7 +658,7 @@ whiptail_eval_adv() { [ -n "$TESTING" ] && return - EVALADVANCED=$(whiptail --title "Security Onion Setup" --radiolist \ + EVALADVANCED=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose your eval install:" 20 75 4 \ "BASIC" "Install basic components for evaluation" ON \ "ADVANCED" "Choose additional components to be installed" OFF 3>&1 1>&2 2>&3 ) @@ -685,7 +685,7 @@ whiptail_gauge_post_setup() { else local msg=$1 - whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96 + whiptail --title "Security Onion Setup - $SOVERSION" --gauge "$msg" 6 60 96 fi } @@ -693,7 +693,7 @@ whiptail_helix_apikey() { [ -n "$TESTING" ] && return - HELIXAPIKEY=$(whiptail --title "Security Onion Setup" --inputbox \ + HELIXAPIKEY=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your Helix API Key: \n \nThis can be set later using so-helix-apikey" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? @@ -707,7 +707,7 @@ whiptail_homenet_manager() { [ -n "$TESTING" ] && return - HNMANAGER=$(whiptail --title "Security Onion Setup" --inputbox \ + HNMANAGER=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -719,13 +719,13 @@ whiptail_homenet_sensor_inherit() { [ -n "$TESTING" ] && return # Ask to inherit from manager - whiptail --title "Security Onion Setup" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to inherit the HOME_NET from the Manager?" 8 75 } whiptail_homenet_sensor() { [ -n "$TESTING" ] && return - HNSENSOR=$(whiptail --title "Security Onion Setup" --inputbox \ + HNSENSOR=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your home network(s), separating CIDR blocks with a comma (,):" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -738,7 +738,7 @@ whiptail_install_type() { [ -n "$TESTING" ] && return # What kind of install are we doing? - install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose install type:" 12 65 5 \ "EVAL" "Evaluation mode (not for production) " ON \ "STANDALONE" "Standalone production install " OFF \ @@ -764,7 +764,7 @@ whiptail_install_type_dist() { [ -n "$TESTING" ] && return - install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose distributed node type:" 13 60 6 \ "MANAGER" "Start a new grid " ON \ "SENSOR" "Create a forward only sensor " OFF \ 
@@ -792,14 +792,14 @@ whiptail_install_type_other() { # so-analyst-install will only work with a working network connection # so only show it on network installs for now if [[ $setup_type == 'network' ]]; then - install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose distributed node type:" 9 65 2 \ "ANALYST" "Quit setup and run so-analyst-install " ON \ "HELIXSENSOR" "Create a Helix sensor " OFF \ 3>&1 1>&2 2>&3 ) else - install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + install_type=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose distributed node type:" 8 65 1 \ "HELIXSENSOR" "Create a Helix sensor " ON \ 3>&1 1>&2 2>&3 @@ -815,7 +815,7 @@ whiptail_install_type_other() { whiptail_invalid_input() { # TODO: This should accept a list of arguments to specify what general pattern the input should follow [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox " Invalid input, please try again." 7 40 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox " Invalid input, please try again." 7 40 } @@ -829,13 +829,13 @@ whiptail_invalid_proxy() { Error was: ${proxy_test_err} EOM - whiptail --title "Security Onion Setup" --yesno "$message" --yes-button "Enter Again" --no-button "Skip" 11 60 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "$message" --yes-button "Enter Again" --no-button "Skip" 11 60 } whiptail_invalid_string() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Invalid input, please try again.\n\nThe $1 cannot contain spaces." 9 45 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Invalid input, please try again.\n\nThe $1 cannot contain spaces." 9 45 } 
@@ -843,21 +843,21 @@ whiptail_invalid_pass_characters_warning() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75 } whiptail_invalid_pass_warning() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please choose a more secure password." 8 75 } whiptail_invalid_user_warning() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Please enter a valid email address." 8 75 } whiptail_invalid_hostname() { @@ -868,7 +868,7 @@ whiptail_invalid_hostname() { the ASCII letters 'A-Z' and 'a-z' (case-sensitive), the digits '0' through '9', \ and hyphen ('-')" | tr -d '\t') - whiptail --title "Security Onion Setup" \ + whiptail --title "Security Onion Setup - $SOVERSION" \ --msgbox "$error_message" 10 75 } @@ -891,7 +891,7 @@ whiptail_log_size_limit() { By default, this is set to ${percentage}% of the disk space allotted for /nsm. EOM - log_size_limit=$(whiptail --title "Security Onion Setup" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3) + log_size_limit=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "$message" 11 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -901,7 +901,7 @@ whiptail_log_size_limit() { whiptail_first_menu_iso() { [ -n "$TESTING" ] && return - option=$(whiptail --title "Security Onion Setup" --menu "Select an option" 10 75 2 \ + option=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "Select an option" 10 75 2 \ "Install " "Run the standard Security Onion installation " \ "Configure Network " "Configure networking only " \ 3>&1 1>&2 2>&3 @@ -915,7 +915,7 @@ whiptail_make_changes() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -926,7 +926,7 @@ whiptail_management_interface_dns() { [ -n "$TESTING" ] && return - MDNS=$(whiptail --title "Security Onion Setup" --inputbox \ + MDNS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your DNS servers separated by commas:" 10 60 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -938,7 +938,7 @@ whiptail_management_interface_dns_search() { [ -n "$TESTING" ] && return - MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \ + MSEARCH=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your DNS search domain:" 10 60 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -949,7 +949,7 @@ whiptail_management_interface_gateway() { [ -n "$TESTING" ] && return - MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \ + MGATEWAY=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your gateway's IPv4 address:" 10 60 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? 
@@ -959,7 +959,7 @@ whiptail_management_interface_gateway() { whiptail_management_interface_ip_mask() { [ -n "$TESTING" ] && return - manager_ip_mask=$(whiptail --title "Security Onion Setup" --inputbox \ + manager_ip_mask=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your IPv4 address with CIDR mask (e.g. 192.168.1.2/24):" 10 60 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -970,7 +970,7 @@ whiptail_management_interface_ip() { [ -n "$TESTING" ] && return - MIP=$(whiptail --title "Security Onion Setup" --inputbox \ + MIP=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3) local exitstatus=$? @@ -981,7 +981,7 @@ whiptail_management_interface_mask() { [ -n "$TESTING" ] && return - MMASK=$(whiptail --title "Security Onion Setup" --inputbox \ + MMASK=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3) local exitstatus=$? @@ -1060,7 +1060,7 @@ whiptail_net_method() { local option_count=$(( ${#options[@]} / 2 )) - network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3) + network_traffic=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -1071,7 +1071,7 @@ whiptail_net_method() { whiptail_net_setup_complete() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" \ + whiptail --title "Security Onion Setup - $SOVERSION" \ --msgbox "Successfully set up networking, setup will now exit." 7 75 exit 0 } 
@@ -1085,7 +1085,7 @@ whiptail_network_init_notice() { Select OK to continue. EOM - whiptail --title "Security Onion Setup" --msgbox "$message" 9 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 9 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus } @@ -1094,7 +1094,7 @@ whiptail_management_server() { [ -n "$TESTING" ] && return - MSRV=$(whiptail --title "Security Onion Setup" --inputbox \ + MSRV=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your Manager Server hostname: \nIt is CASE SENSITIVE!" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -1105,7 +1105,7 @@ whiptail_management_server() { whiptail_manager_ip() { [ -n "$TESTING" ] && return - MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ + MSRVIP=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter your Manager Server IP Address:" 10 60 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -1117,7 +1117,7 @@ whiptail_manager_adv() { [ -n "$TESTING" ] && return - MANAGERADV=$(whiptail --title "Security Onion Setup" --radiolist \ + MANAGERADV=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose which type of manager to install:" 20 75 4 \ "BASIC" "Install manager with recommended settings" ON \ "ADVANCED" "Do additional configuration to the manager" OFF 3>&1 1>&2 2>&3 ) @@ -1132,7 +1132,7 @@ whiptail_manager_adv_escluster(){ [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno \ + whiptail --title "Security Onion Setup - $SOVERSION" --yesno \ "Do you want to set up a traditional ES cluster for using replicas and/or Hot-Warm indices? Recommended only for those who have experience with ES clustering! " 12 75 } 
@@ -1142,7 +1142,7 @@ whiptail_manager_adv_escluster_name(){ [ -n "$TESTING" ] && return - ESCLUSTERNAME=$(whiptail --title "Security Onion Setup" --inputbox \ + ESCLUSTERNAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter a name for your ES cluster!" 10 75 "$1" 3>&1 1>&2 2>&3) } @@ -1151,7 +1151,7 @@ whiptail_manager_adv_service_zeeklogs() { [ -n "$TESTING" ] && return - BLOGS=$(whiptail --title "Security Onion Setup" --checklist "Please select logs to send:" 24 75 12 \ + BLOGS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist "Please select logs to send:" 24 75 12 \ "conn" "Connection Logging" ON \ "dce_rpc" "RPC Logs" ON \ "dhcp" "DHCP Logs" ON \ @@ -1213,13 +1213,13 @@ whiptail_manager_error() { Would you like to continue anyway? EOM - whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 } whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup"\ + whiptail --title "Security Onion Setup - $SOVERSION"\ --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\ 8 75 @@ -1230,7 +1230,7 @@ whiptail_manager_updates_warning() { whiptail_manager_unreachable() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75 + whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Setup cannot determine if $1 is listening on port 22. Please check the address entered and try again." 7 75 } whiptail_metadata_tool() { 
@@ -1248,7 +1248,7 @@ whiptail_metadata_tool() { EOM # Legacy variable naming - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --menu "$message" 20 75 2 \ + ZEEKVERSION=$(whiptail --title "Security Onion Setup - $SOVERSION" --menu "$message" 20 75 2 \ "Zeek " "Use Zeek (Bro) for metadata and Suricata for NIDS alerts" \ "Suricata " "Use Suricata for both metadata and NIDS alerts" 3>&1 1>&2 2>&3) @@ -1262,7 +1262,7 @@ whiptail_nids() { [ -n "$TESTING" ] && return - NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ + NIDS=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ "Suricata" "Suricata" ON \ "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) @@ -1276,7 +1276,7 @@ whiptail_network_notice() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select YES to continue." 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select YES to continue." 8 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -1286,14 +1286,14 @@ whiptail_network_notice() { whiptail_net_reinit() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75 + whiptail --title "Security Onion Setup - $SOVERSION" --yesno "The management interface has already been configured. Do you want to reconfigure it?" 8 75 } whiptail_node_advanced() { [ -n "$TESTING" ] && return - NODESETUP=$(whiptail --title "Security Onion Setup" --radiolist \ + NODESETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \ "What type of config would you like to use?:" 20 75 4 \ "NODEBASIC" "Install Search Node with recommended settings" ON \ "NODEADVANCED" "Advanced Node Setup" OFF 3>&1 1>&2 2>&3 ) @@ -1306,7 +1306,7 @@ whiptail_node_advanced() { whiptail_node_description() { [ -n "$TESTING" ] && return - NODE_DESCRIPTION=$(whiptail --title "Security Onion Setup" \ + NODE_DESCRIPTION=$(whiptail --title "Security Onion Setup - $SOVERSION" \ --inputbox "Enter a short description for the node or press ENTER to leave blank:" 10 75 3>&1 1>&2 2>&3) local exitstatus=$? @@ -1317,7 +1317,7 @@ whiptail_node_es_heap() { [ -n "$TESTING" ] && return - NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \ + NODE_ES_HEAP_SIZE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter ES heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? @@ -1329,7 +1329,7 @@ whiptail_node_ls_heap() { [ -n "$TESTING" ] && return - NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup" --inputbox \ + NODE_LS_HEAP_SIZE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \ "Enter Logstash heap size:" 10 75 "$1" 3>&1 1>&2 2>&3) local exitstatus=$? 
@@ -1341,7 +1341,7 @@ whiptail_node_ls_input_threads() {
 [ -n "$TESTING" ] && return
- LSINPUTTHREADS=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSINPUTTHREADS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter number of Logstash input threads:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1354,7 +1354,7 @@ whiptail_node_ls_pipline_batchsize() {
 [ -n "$TESTING" ] && return
- LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSPIPELINEBATCH=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter Logstash pipeline batch size:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1366,7 +1366,7 @@ whiptail_node_ls_pipeline_worker() {
 [ -n "$TESTING" ] && return
- LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup" --inputbox \
+ LSPIPELINEWORKERS=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter number of Logstash pipeline workers:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1377,13 +1377,13 @@ whiptail_node_ls_pipeline_worker() {
 whiptail_ntp_ask() {
 [ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Would you like to configure ntp servers?" 7 44
 }
 whiptail_ntp_servers() {
 [ -n "$TESTING" ] && return
- ntp_string=$(whiptail --title "Security Onion Setup" \
+ ntp_string=$(whiptail --title "Security Onion Setup - $SOVERSION" \
 --inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1394,7 +1394,7 @@ whiptail_oinkcode() {
 [ -n "$TESTING" ] && return
- OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \
+ OINKCODE=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter your ET Pro or oinkcode:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1407,7 +1407,7 @@ whiptail_oinkcode() {
 whiptail_passwords_dont_match() {
- whiptail --title "Security Onion Setup" --msgbox "Passwords don't match. Please re-enter." 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "Passwords don't match. Please re-enter." 8 75
 }
@@ -1415,7 +1415,7 @@ whiptail_patch_name_new_schedule() {
 [ -n "$TESTING" ] && return
- PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "What name do you want to give this OS patch schedule? This schedule needs to be named uniquely. Available schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1426,7 +1426,7 @@ whiptail_patch_schedule() {
 [ -n "$TESTING" ] && return
- patch_schedule=$(whiptail --title "Security Onion Setup" --radiolist \
+ patch_schedule=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
 "Choose OS patch schedule.\n\nThis schedule will update the operating system packages but will NOT update Security Onion related tools such as Zeek, Elasticsearch, Kibana, SaltStack, etc." 20 75 5 \
 "Automatic" "Updates installed every 8 hours if available" ON \
 "Manual" "Updates will be installed manually" OFF \
@@ -1442,7 +1442,7 @@ whiptail_patch_schedule_import() {
 [ -n "$TESTING" ] && return
 unset PATCHSCHEDULENAME
- PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ PATCHSCHEDULENAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter the name of the OS patch schedule you want to inherit. \nAvailable schedules can be found on the manager under /opt/so/salt/patch/os/schedules/.yml" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1454,7 +1454,7 @@ whiptail_patch_schedule_select_days() {
 [ -n "$TESTING" ] && return
 # Select the days to patch
- PATCHSCHEDULEDAYS=$(whiptail --title "Security Onion Setup" --checklist \
+ PATCHSCHEDULEDAYS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
 "Which days do you want to apply OS patches?" 15 75 8 \
 Monday "" OFF \
 Tuesday "" ON \
@@ -1478,7 +1478,7 @@ whiptail_patch_schedule_select_hours() {
 [ -n "$TESTING" ] && return
 # Select the hours to patch
- PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup" --checklist \
+ PATCHSCHEDULEHOURS=$(whiptail --title "Security Onion Setup - $SOVERSION" --checklist \
 "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \
 00:00 "" OFF \
 01:00 "" OFF \
@@ -1519,7 +1519,7 @@ whiptail_proxy_ask() {
 local pkg_mngr
 if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
- whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
 }
 whiptail_proxy_addr() {
@@ -1532,7 +1532,7 @@ whiptail_proxy_addr() {
 If your proxy requires a username and password do not include them in your input. Setup will ask for those values next.
 EOM
- proxy_addr=$(whiptail --title "Security Onion Setup" --inputbox "$message" 13 60 "$1" 3>&1 1>&2 2>&3)
+ proxy_addr=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "$message" 13 60 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -1541,13 +1541,13 @@ whiptail_proxy_addr() {
 whiptail_proxy_auth_ask() {
 [ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Does your proxy require authentication?" 7 60
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Does your proxy require authentication?" 7 60
 }
 whiptail_proxy_auth_user() {
 [ -n "$TESTING" ] && return
- proxy_user=$(whiptail --title "Security Onion Setup" --inputbox "Please input the proxy user:" 8 60 "$1" 3>&1 1>&2 2>&3)
+ proxy_user=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox "Please input the proxy user:" 8 60 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -1558,7 +1558,7 @@ whiptail_proxy_auth_pass() {
 [ -n "$TESTING" ] && return
- proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3)
+ proxy_pass=$(whiptail --title "Security Onion Setup - $SOVERSION" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -1572,7 +1572,7 @@ whiptail_requirements_error() {
 [ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
 --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75
 local exitstatus=$?
@@ -1584,7 +1584,7 @@ whiptail_rule_setup() {
 [ -n "$TESTING" ] && return
 # Get pulled pork info
- RULESETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ RULESETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
 "Which IDS ruleset would you like to use?\n\nThis manager server is responsible for downloading the IDS ruleset from the Internet.\n\nSensors then pull a copy of this ruleset from the manager server.\n\nIf you select a commercial ruleset, it is your responsibility to purchase enough licenses for all of your sensors in compliance with your vendor's policies." 20 75 4 \
 "ETOPEN" "Emerging Threats Open" ON \
 "ETPRO" "Emerging Threats PRO" OFF \
@@ -1600,7 +1600,7 @@ whiptail_sensor_config() {
 [ -n "$TESTING" ] && return
- NSMSETUP=$(whiptail --title "Security Onion Setup" --radiolist \
+ NSMSETUP=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
 "What type of configuration would you like to use?" 20 75 4 \
 "BASIC" "Install NSM components with recommended settings" ON \
 "ADVANCED" "Configure each component individually" OFF 3>&1 1>&2 2>&3 )
@@ -1642,7 +1642,7 @@ whiptail_sensor_nics() {
 for bond_nic in "${BNICS[@]}"; do
 if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then
 whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
 --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \
 8 75
 exit
@@ -1654,7 +1654,7 @@ whiptail_set_hostname() {
 [ -n "$TESTING" ] && return
- HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \
+ HOSTNAME=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter the hostname (not FQDN) you would like to set:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1665,7 +1665,7 @@ whiptail_set_redirect() {
 [ -n "$TESTING" ] && return
- REDIRECTINFO=$(whiptail --title "Security Onion Setup" --radiolist \
+ REDIRECTINFO=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
 "How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \
 "IP" "Use IP address to access the web interface" ON \
 "HOSTNAME" "Use hostname to access the web interface" OFF \
@@ -1678,7 +1678,7 @@ whiptail_set_redirect_host() {
 [ -n "$TESTING" ] && return
- REDIRECTHOST=$(whiptail --title "Security Onion Setup" --inputbox \
+ REDIRECTHOST=$(whiptail --title "Security Onion Setup - $SOVERSION" --inputbox \
 "Enter the Hostname, IP, or FQDN you would like to use for the web interface:" 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
@@ -1706,7 +1706,7 @@ whiptail_setup_complete() {
 Press ENTER to reboot.
 EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 12 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 12 75
 }
 whiptail_setup_failed() {
@@ -1726,13 +1726,13 @@ whiptail_setup_failed() {
 Press Ok to exit.
 EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" $height 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" $height 75
 }
 whiptail_so_allow_yesno() {
 [ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" \
+ whiptail --title "Security Onion Setup - $SOVERSION" \
 --yesno "Do you want to run so-allow to allow access to the web tools?" \
 8 75
 }
@@ -1741,7 +1741,7 @@ whiptail_so_allow() {
 [ -n "$TESTING" ] && return
- ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
+ ALLOW_CIDR=$(whiptail --title "Security Onion Setup - $SOVERSION" \
 --inputbox "Enter a single IP address or an IP range, in CIDR notation, to allow:" \
 10 75 "$1" 3>&1 1>&2 2>&3)
 local exitstatus=$?
@@ -1761,7 +1761,7 @@ whiptail_ssh_key_copy_notice() {
 Select OK to continue.
 EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --msgbox "$message" 11 75
 local exitstatus=$?
 whiptail_check_exitstatus $exitstatus
 }
@@ -1800,7 +1800,7 @@ whiptail_storage_requirements() {
 EOM
 whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
 --yesno "$message" \
 14 75
@@ -1812,7 +1812,7 @@ whiptail_strelka_rules() {
 [ -n "$TESTING" ] && return
- whiptail --title "Security Onion Setup" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
+ whiptail --title "Security Onion Setup - $SOVERSION" --yesno "Do you want to enable the default YARA rules for Strelka?" 8 75
 local exitstatus=$?
@@ -1852,7 +1852,7 @@ whiptail_node_updates() {
 [ -n "$TESTING" ] && return
- NODEUPDATES=$(whiptail --title "Security Onion Setup" --radiolist \
+ NODEUPDATES=$(whiptail --title "Security Onion Setup - $SOVERSION" --radiolist \
 "How would you like to download OS package updates for your grid?" 20 75 4 \
 "MANAGER" "Manager node is proxy for updates." ON \
 "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
@@ -1877,7 +1877,7 @@ whiptail_you_sure() {
 EOM
 whiptail \
- --title "Security Onion Setup" \
+ --title "Security Onion Setup - $SOVERSION" \
 --yesno "$you_sure_text" \
 20 75