[merge] Merge master into feature/setup-refactor

2025-12-28 11:53:37 +01:00 · 2020-04-28 01:15:02 -04:00
parent 5c5a97ca75
commit 3bfaa6f8de
254 changed files with 26274 additions and 112 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -21,14 +21,9 @@ source ./so-common-functions
 so_version=1.2.1


-accept_salt_key_local() {
-	echo "Accept the key locally on the master" >> "$setup_log" 2>&1
-	# Accept the key locally on the master
-	salt-key -ya "$MINION_ID"
-
-}
-
 accept_salt_key_remote() {
+	systemctl restart salt-minion
+	
 	echo "Accept the key remotely on the master" >> "$setup_log" 2>&1
 	# Delete the key just in case.
 	ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y
@@ -185,6 +180,9 @@ bro_logs_enabled() {
 			"    - socks"\
 			"    - x509" >> "$brologs_pillar"
 	fi
+
+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$brologs_pillar" >> "$setup_log" 2>&1
 }

 check_admin_pass() {
@@ -351,12 +349,15 @@ configure_minion() {

 	echo "Enabling checkin at boot" >> "$setup_log" 2>&1
 	echo "startup_states: highstate" >> "$minion_config"
+
+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$minion_config" >> "$setup_log" 2>&1
 }

 copy_master_config() {

 	# Copy the master config template to the proper directory
-	if [ "$INSTALLMETHOD" = 'iso' ]; then
+	if [ "$setup_type" = 'iso' ]; then
 		cp /root/SecurityOnion/files/master /etc/salt/master >> "$setup_log" 2>&1
 	else
 		cp "../files/master" /etc/salt/master >> "$setup_log" 2>&1
@@ -625,11 +626,11 @@ docker_seed_registry() {
 				"so-strelka-filestream:$VERSION" 
 			)
 		fi
-		local initial_percent=30
+		local percent=25
 		for i in "${TRUSTED_CONTAINERS[@]}"; do
-			if [ "$install_type" != 'HELIXSENSOR' ]; then ((intial_percent++)); else ((initial_percent+=6)); fi
+			if [ "$install_type" != 'HELIXSENSOR' ]; then ((percent=percent+1)); else ((percent=percent+6)); fi
 			# Pull down the trusted docker image
-			set_progress_str "$initial_percent" "Downloading $i"
+			set_progress_str "$percent" "Downloading $i"
 			{
 				docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"
 				# Tag it with the new registry destination
@@ -800,7 +801,8 @@ master_pillar() {
 		"  redirect: $REDIRECTIT"\
 		"" >> "$pillar_file"

-
+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$pillar_file" >> "$setup_log" 2>&1
  }

 master_static() {
@@ -892,6 +894,8 @@ node_pillar() {
 		"  cur_close_days: $CURCLOSEDAYS"\
 		"" >> "$pillar_file"

+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$pillar_file" >> "$setup_log" 2>&1
 }

 patch_pillar() {
@@ -899,7 +903,6 @@ patch_pillar() {
 	local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls

 	printf '%s\n'\
-		""\
 		"patch:"\
 		"  os:"\
 		"    schedule_name: $PATCHSCHEDULENAME"\
@@ -907,6 +910,9 @@ patch_pillar() {
 		"    splay: 300"\
 		"" >> "$pillar_file"

+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$pillar_file" >> "$setup_log" 2>&1
+
 }

 patch_schedule_os_new() {
@@ -929,6 +935,8 @@ patch_schedule_os_new() {
 		done
 	done

+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$OSPATCHSCHEDULE" >> "$setup_log" 2>&1
 }

 print_salt_state_apply() {
@@ -980,10 +988,10 @@ saltify() {
 				if [ "$MASTERUPDATES" = '1' ]; then
 					{
 						# Create the GPG Public Key for the Salt Repo
-						cp "./public_keys/salt.pem" /etc/pki/rpm-gpg/saltstack-signing-key;
+						cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key;
 										
 						# Add the Wazuh Key
-						cp "./public_keys/wazuh.pem" /etc/pki/rpm-gpg/GPG-KEY-WAZUH;
+						cp ./public_keys/wazuh.pem /etc/pki/rpm-gpg/GPG-KEY-WAZUH;

 						# Copy repo files over
 						cp "./yum_repos/salt-latest.repo" /etc/yum.repos.d/salt-latest.repo;
@@ -1099,9 +1107,9 @@ salt_checkin() {
 				echo "Building Certificate Authority";
 				salt-call state.apply ca;
 				echo " *** Restarting Salt to fix any SSL errors. ***";
-				service salt-master restart;
+				systemctl restart salt-master;
 				sleep 5;
-				service salt-minion restart;
+				systemctl restart salt-minion;
 				sleep 15;
 				echo " Applyng a mine hack";
 				salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
@@ -1129,7 +1137,7 @@ setup_salt_master_dirs() {
 	mkdir -p /opt/so/saltstack/pillar

 	# Copy over the salt code and templates
-	if [ "$INSTALLMETHOD" = 'iso' ]; then
+	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ >> "$setup_log" 2>&1
 	else
@@ -1152,7 +1160,11 @@ set_progress_str() {
 	fi

 	percentage_str="XXX\n${percentage}\n${progress_bar_text}\nXXX"
+
 	echo -e "$percentage_str"
+
+	printf '%s\n' '----' "${progress_bar_text^^}" "----" >> "$setup_log" 2>&1
+	
 	sleep 5
 }

@@ -1162,19 +1174,19 @@ sensor_pillar() {

 	# Create the sensor pillar
 	printf '%s\n'\
-		"sensor"\
+		"sensor:"\
 		"  interface: bond0"\
 		"  mainip: $MAINIP"\
-		"  mainint: $MNIC" > "$pillar_file"
+		"  mainint: $MNIC" >> "$pillar_file"
 	
 	if [ "$NSMSETUP" = 'ADVANCED' ]; then
 		echo "  bro_pins:" >> "$pillar_file"
-		for PIN in $BROPINS; do
+		for PIN in "${BROPINS[@]}"; do
 			PIN=$(echo "$PIN" |  cut -d\" -f2)
 		echo "    - $PIN" >> "$pillar_file"
 		done
 		echo "  suripins:" >> "$pillar_file"
-		for SPIN in $SURIPINS; do
+		for SPIN in "${SURIPINS[@]}"; do
 			SPIN=$(echo "$SPIN" |  cut -d\" -f2)
 		echo "    - $SPIN" >> "$pillar_file"
 		done
@@ -1199,6 +1211,9 @@ sensor_pillar() {
 		"  access_key: $ACCESS_KEY"\
 		"  access_secret: $ACCESS_SECRET"\
 		"" >> "$pillar_file"
+
+	printf '%s\n'  '----' >> "$setup_log" 2>&1
+	cat "$pillar_file" >> "$setup_log" 2>&1
 }

 set_hostname() {
@@ -1223,22 +1238,20 @@ set_hostname_iso() {
 	echo "::1   $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
 	echo "$HOSTNAME" > /etc/hostname

+
 }

 set_initial_firewall_policy() {

  set_main_ip

-  mkdir -p /opt/so/saltstack/pillar/firewall
-  mkdir -p /opt/so/saltstack/pillar/data
-
 	case "$install_type" in
 		'MASTER')
-			printf "  - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
+			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
 			/opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$FSROOT" "$FSNSM"
 			;;
 		'EVAL' | 'MASTERSEARCH')
-			printf "  - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
+			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
 				/opt/so/saltstack/pillar/firewall/masterfw.sls\
 				/opt/so/saltstack/pillar/firewall/forward_nodes.sls\
 				/opt/so/saltstack/pillar/firewall/search_nodes.sls
@@ -1252,7 +1265,7 @@ set_initial_firewall_policy() {
 			esac
 			;;
 		'HELIXSENSOR')
-			printf "  - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
+			printf "  - %s\n" "$MAINIP" | tee -a /opt/so/saltstack/pillar/firewall/minions.sls\
 				/opt/so/saltstack/pillar/firewall/masterfw.sls\
 				/opt/so/saltstack/pillar/firewall/forward_nodes.sls
 			;;
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -22,6 +22,7 @@ source ./so-whiptail
 source ./so-variables

 setup_type=$1
+export setup_type

 case "$setup_type" in
 	iso | network) # Accepted values
@@ -232,27 +233,27 @@ if [[ $is_node && ! $is_eval ]]; then
 fi

 whiptail_make_changes
-set_hostname
-set_version
-clear_master
+set_hostname 2>> "$setup_log"
+set_version 2>> "$setup_log"
+clear_master 2>> "$setup_log"

 if [[ $is_master ]]; then
-	generate_passwords
-	secrets_pillar
-	add_socore_user_master
+	generate_passwords 2>> "$setup_log"
+	secrets_pillar 2>> "$setup_log"
+	add_socore_user_master 2>> "$setup_log"
 fi

 if [[ $is_master && ! $is_eval ]]; then
-	add_soremote_user_master
+	add_soremote_user_master 2>> "$setup_log"
 fi

 if [[ $is_helix || $is_master ]]; then
-	set_main_ip
+	set_main_ip 2>> "$setup_log"
 fi

 if [[ $is_minion ]]; then
-	set_updates
-	copy_ssh_key
+	set_updates 2>> "$setup_log"
+	copy_ssh_key 2>> "$setup_log"
 fi

 # Begin install
@@ -262,92 +263,97 @@ fi
 		set_progress_str 1 'Creating bond interface'
 		create_sensor_bond >> "$setup_log" 2>&1
 		
-		set_progress_str 2 'Generating the sensor pillar'
+		set_progress_str 2 'Generating sensor pillar'
 		sensor_pillar >> "$setup_log" 2>&1
 	fi

 	set_progress_str 3 'Installing Salt and dependencies'
-	saltify
+	saltify 2>> "$setup_log"
+
+	set_progress_str 7 'Installing Docker and dependencies'
+	docker_install 2>> "$setup_log"
 	
-	set_progress_str 8 'Installing Docker and dependencies'
-	docker_install
+	set_progress_str 8 'Generating patch pillar'
+	patch_pillar 2>> "$setup_log"

-	set_progress_str 9 'Configuring firewall'
-	set_initial_firewall_policy
+	set_progress_str 9 'Initializing Salt minion'
+	configure_minion "$minion_type" 2>> "$setup_log"

-	set_progress_str 10 "$(print_salt_state_apply 'firewall')"
-	salt-call state.apply -l info firewall >> $setup_log 2>&1
-	
-	set_progress_str 11 'Initializing Salt minion'
-	configure_minion "$minion_type"
-
-	set_progress_str 12 'Generating CA'
-	gen_ca

 	if [[ $is_master || $is_helix ]]; then
-		set_progress_str 13 'Configuring Salt master'
-		copy_master_config
-		setup_salt_master_dirs
+		set_progress_str 10 'Configuring Salt master'
+		copy_master_config 2>> "$setup_log"
+		setup_salt_master_dirs 2>> "$setup_log"
 		
-		set_progress_str 15 'Updating sudoers file for soremote user'
-		update_sudoers
+		set_progress_str 11 'Updating sudoers file for soremote user'
+		update_sudoers 2>> "$setup_log"
 		
-		set_progress_str 16 'Generating master static pillar'
-		master_static
+		set_progress_str 12 'Generating master static pillar'
+		master_static 2>> "$setup_log"
 		
-		set_progress_str 17 'Generating master pillar'
-		master_pillar
-		
-		set_progress_str 18 'Accepting Salt key'
-		salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+		set_progress_str 13 'Generating master pillar'
+		master_pillar 2>> "$setup_log"
 	fi

 	if [[ $is_helix ]]; then
-		set_progress_str 19 'Generating the FireEye pillar'
-		fireeye_pillar
+		set_progress_str 15 'Generating the FireEye pillar'
+		fireeye_pillar 2>> "$setup_log"
 	fi

+	set_progress_str 16 'Copying minion pillars to master'
+	copy_minion_tmp_files 2>> "$setup_log"
+
 	if [[ $is_minion ]]; then
-		set_progress_str 20 'Accepting salt key on master'
-		accept_salt_key_remote
+		set_progress_str 17 'Accepting Salt key on master'
+		accept_salt_key_remote 2>> "$setup_log"
 	fi

-	set_progress_str 20 'Copying minion pillars to master'
-	copy_minion_tmp_files
-
-	set_progress_str 21 'Running intial Salt highstate'
-	salt-call state.highstate -l info >> "$setup_log" 2>&1
+	if [[ $is_master ]]; then
+		set_progress_str 17 'Accepting Salt key'
+		salt-key -ya "$MINION_ID" >> "$setup_log" 2>&1
+	fi

 	if [[ $is_node ]]; then
-		set_progress_str 25 'Setting node type'
-		set_node_type
+		set_progress_str 18 'Setting node type'
+		set_node_type 2>> "$setup_log"

-		set_progress_str 26 'Generating search node pillar'
-		node_pillar
-
-		set_progress_str 27 "$(print_salt_state_apply 'curator')"
-		salt-call state.apply -l info curator >> $setup_log 2>&1
+		set_progress_str 19 'Generating search node pillar'
+		node_pillar 2>> "$setup_log"
 	fi

-	if [[ $is_sensor ]]; then
-		set_progress_str 28 "$(print_salt_state_apply 'pcap')"
+	set_progress_str 20 'Generating CA'
+	gen_ca 2>> "$setup_log"
+
+	if [[ $is_master || $is_helix ]]; then
+		set_progress_str 25 'Downloading containers from the internet'
+		salt-call state.apply -l info registry >> "$setup_log" 2>&1
+		docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
+	fi
+	
+	set_progress_str 59 'Configuring firewall'
+	set_initial_firewall_policy 2>> "$setup_log"
+
+	set_progress_str 60 "$(print_salt_state_apply 'firewall')"
+	salt-call state.apply -l info firewall >> $setup_log 2>&1
+
+	set_progress_str 61 "$(print_salt_state_apply 'common')"
+	salt-call state.apply -l info common >> $setup_log 2>&1
+
+		if [[ $is_sensor ]]; then
+		set_progress_str 62 "$(print_salt_state_apply 'pcap')"
 		salt-call state.apply -l info pcap >> $setup_log 2>&1

-		set_progress_str 29 "$(print_salt_state_apply 'suricata')"
+		set_progress_str 63 "$(print_salt_state_apply 'suricata')"
 		salt-call state.apply -l info suricata >> $setup_log 2>&1

-		set_progress_str 30 "$(print_salt_state_apply 'zeek')"
+		set_progress_str 64 "$(print_salt_state_apply 'zeek')"
 		salt-call state.apply -l info zeek >> $setup_log 2>&1
 	fi

-	if [[ $is_master || $is_helix ]]; then
-		set_progress_str 30 'Downloading containers from the internet'
-		salt-call state.apply -l info registry >> "$setup_log" 2>&1
-		docker_seed_registry # ~ 65% when finished
+	if [[ $is_node ]]; then
+		set_progress_str 65 "$(print_salt_state_apply 'curator')"
+		salt-call state.apply -l info curator >> $setup_log 2>&1
 	fi
-
-	set_progress_str 65 "$(print_salt_state_apply 'common')"
-	salt-call state.apply -l info common >> $setup_log 2>&1
 	
 	if [[ "$OSQUERY" = 1 ]]; then
 		set_progress_str 66 "$(print_salt_state_apply 'fleet')"
@@ -419,8 +425,8 @@ fi
 	salt-call state.apply -l info schedule >> $setup_log 2>&1

 	set_progress_str 90 'Applying finishing touches'
-	filter_unused_nics
-	network_setup
+	filter_unused_nics 2>> "$setup_log"
+	network_setup 2>> "$setup_log"

 	set_progress_str 91 'Verifying setup'
 	salt-call -l info  state.highstate >> $setup_log 2>&1
@@ -430,7 +436,7 @@ fi
 success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
 if [[ "$success" = 0 ]]; then
 	whiptail_setup_complete
-	if [[ $THEHIVE == '1' ]]; then
+	if [[ $THEHIVE == 1 ]]; then
 		check_hive_init_then_reboot
 	else
 		shutdown -r now