From c5eff1d89eee1aa6203cd305acec6d49f4f03483 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 9 Jul 2020 14:47:55 -0400 Subject: [PATCH 01/16] [feat][WIP] Add option to run `so-allow -a ` during setup --- salt/common/tools/sbin/so-allow | 26 +++++++++++++------------- setup/so-setup | 4 +++- setup/so-whiptail | 26 +++++++++++++++++++++++--- 3 files changed, 39 insertions(+), 17 deletions(-) diff --git a/salt/common/tools/sbin/so-allow b/salt/common/tools/sbin/so-allow index 71c8f8c9b..c6d3d6bf0 100755 --- a/salt/common/tools/sbin/so-allow +++ b/salt/common/tools/sbin/so-allow @@ -89,7 +89,7 @@ if [ "$SKIP" -eq 0 ]; then echo "[p] - Wazuh API - port 55000/tcp" echo "[r] - Wazuh registration service - 1515/tcp" echo "" - echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" + echo "Please enter your selection:" read -r ROLE echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" read -r IP @@ -127,16 +127,16 @@ salt-call state.apply firewall queue=True if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then # If analyst, add to Wazuh AR whitelist if [ "$FULLROLE" == "analyst" ]; then - WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" - if ! grep -q "$IP" $WAZUH_MGR_CFG ; then - DATE=$(date) - sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG - sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG - echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG - echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." - echo - echo "Restarting OSSEC Server..." - /usr/sbin/so-wazuh-restart - fi - fi + WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" + if ! grep -q "$IP" $WAZUH_MGR_CFG ; then + DATE=$(date) + sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG + sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG + echo -e "\n \n $IP\n \n" >> $WAZUH_MGR_CFG + echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." + echo + echo "Restarting OSSEC Server..." + /usr/sbin/so-wazuh-restart + fi + fi fi 
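Review bot: The duplicate check `if ! grep -q "$IP" $WAZUH_MGR_CFG ; then` in the analyst branch is an unanchored regex match, so adding 10.10.10.1 when 10.10.10.10 is already whitelisted is silently skipped, and the unescaped dots match any character. Use a fixed-string match anchored on the delimiters that surround the address in ossec.conf; assuming the entry is an XML element (the tags have been stripped from this extract), `if ! grep -qF -- ">${IP}<" "$WAZUH_MGR_CFG"; then` does that. Since `IP` comes straight from `read -r IP` (or, presumably, from the environment when setup drives this script) and is appended to an XML file with `echo -e`, a format check before this block would also keep a stray `<` out of the manager config. The option parsing and the `SKIP` branch this code sits in begin outside the hunk.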
diff --git a/setup/so-setup b/setup/so-setup index 3f6d42380..0f28f1244 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -331,6 +331,8 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi +if [[ $is_master ]]; then whiptail_so_allow; fi + whiptail_make_changes if [[ -n "$TURBO" ]]; then @@ -620,7 +622,7 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ $success != 0 || $SO_ERROR == 1 ]]; then whiptail_setup_failed +if [[ $success != 0 || -n $SO_ERROR ]]; then whiptail_setup_failed else whiptail_setup_complete if [[ $THEHIVE == 1 ]]; then check_hive_init; fi diff --git a/setup/so-whiptail b/setup/so-whiptail index e165ba351..0b34d3cb8 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -435,9 +435,7 @@ whiptail_homenet_sensor() { whiptail_check_exitstatus $exitstatus export HNSENSOR - fi - } whiptail_install_type() { @@ -1057,6 +1055,29 @@ whiptail_shard_count() { } +whiptail_so_allow() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" \ + --yesno "Do you want to run so-allow to allow access to the web tools?" \ + 8 75 + + local exitstatus=$? + + if [[ $exitstatus == 0 ]]; then + ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ + --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \ + 10 75 125 3>&1 1>&2 2>&3) + local exitstatus=$? + + export ALLOW_ROLE='a' + export ALLOW_CIDR + fi + + whiptail_check_exitstatus $exitstatus +} + whiptail_strelka_rules() { [ -n "$TESTING" ] && return @@ -1073,7 +1094,6 @@ whiptail_strelka_rules() { export STRELKARULES fi - } whiptail_suricata_pins() { From 72aa91b7634dd9f6e52b7be56fbdc142cc417cb1 Mon Sep 17 00:00:00 2001 
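Review bot: `ALLOW_CIDR` is taken from the inputbox and exported with no check that it is an IPv4 address or CIDR range, although it later drives `so-allow -a` and from there the firewall state and, on Wazuh managers, ossec.conf; a typo or a range such as 0.0.0.0/0 is accepted silently at install time. Validate and re-prompt before the export, as below. Separately, when the user answers No the yes/no status 1 is still passed to `whiptail_check_exitstatus`; if that helper aborts on any non-zero status, as its use after every other prompt suggests, declining the prompt aborts setup, whereas continuing without so-allow is clearly intended. Treating 1 from the yes/no box as a plain No fixes that.
```shell
whiptail_so_allow() {
    # … unchanged: TESTING guard, yes/no prompt and first exitstatus capture …

    if [[ $exitstatus == 0 ]]; then
        # Dotted-quad IPv4 with an optional /0-32 prefix; anything else is re-asked
        local ip_re='^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
        while :; do
            ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
                --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \
                10 75 3>&1 1>&2 2>&3)
            exitstatus=$?
            # Cancel/Esc: let whiptail_check_exitstatus handle it below
            [[ $exitstatus == 0 ]] || break
            [[ $ALLOW_CIDR =~ $ip_re ]] && break
            whiptail --title "Security Onion Setup" \
                --msgbox "'${ALLOW_CIDR}' is not a valid IP address or CIDR range" 8 75
        done

        export ALLOW_ROLE='a'
        export ALLOW_CIDR
    elif [[ $exitstatus == 1 ]]; then
        # "No" is a legitimate answer: continue setup without so-allow
        return
    fi

    whiptail_check_exitstatus $exitstatus
}
```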
From: William Wernert Date: Fri, 10 Jul 2020 14:38:03 -0400 Subject: [PATCH 02/16] [feat] Add message in setup and motd on where to access SOC --- ...te_reboot_required.jinja => so_motd.jinja} | 5 +++++ salt/motd/init.sls | 4 ++-- setup/so-functions | 6 +++--- setup/so-whiptail | 20 ++++++++++++++++--- 4 files changed, 27 insertions(+), 8 deletions(-) rename salt/motd/files/{package_update_reboot_required.jinja => so_motd.jinja} (86%) diff --git a/salt/motd/files/package_update_reboot_required.jinja b/salt/motd/files/so_motd.jinja similarity index 86% rename from salt/motd/files/package_update_reboot_required.jinja rename to salt/motd/files/so_motd.jinja index 6d94fc613..941aa2350 100644 --- a/salt/motd/files/package_update_reboot_required.jinja +++ b/salt/motd/files/so_motd.jinja @@ -1,4 +1,9 @@ {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} +{% set url = salt['pillar.get']('master:url_base') -%} + + +Access the Security Onion web interface at https://{{ url }} +(You may need to run so-allow first if you haven't yet) {%- if needs_restarting_check %} {%- set minions_need_restarted = [] %} diff --git a/salt/motd/init.sls b/salt/motd/init.sls index 4dae979bf..06ad270a1 100644 --- a/salt/motd/init.sls +++ b/salt/motd/init.sls @@ -1,5 +1,5 @@ -package_update_reboot_required_motd: +so_motd: file.managed: - name: /etc/motd - - source: salt://motd/files/package_update_reboot_required.jinja + - source: salt://motd/files/so_motd.jinja - template: jinja diff --git a/setup/so-functions b/setup/so-functions index 63bed83dc..94caeba19 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -926,13 +926,13 @@ master_pillar() { case $REDIRECTINFO in 'IP') - REDIRECTIT="$MAINIP" + export REDIRECTIT="$MAINIP" ;; 'HOSTNAME') - REDIRECTIT=$HOSTNAME + export REDIRECTIT=$HOSTNAME ;; *) - REDIRECTIT="$REDIRECTHOST" + export REDIRECTIT="$REDIRECTHOST" ;; esac 
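Review bot: `{% set url = salt['pillar.get']('master:url_base') -%}` has no default, so on any minion where that pillar key is absent the banner renders as `https://` with nothing after it. Give the lookup a default and guard the two new lines, e.g. `{% set url = salt['pillar.get']('master:url_base', '') -%}` followed by `{%- if url %}` … `{%- endif %}` around the access message. Whether non-manager minions receive `master:url_base` cannot be told from this patch; if they do not, the guard is what keeps their motd clean.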
diff --git a/setup/so-whiptail b/setup/so-whiptail index 0b34d3cb8..20e4d7ee5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1033,7 +1033,21 @@ whiptail_setup_complete() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75 + if [[ -n $ALLOW_CIDR ]]; then + local sentence_prefix="Access" + else + local sentence_prefix="Run so-allow after reboot to access" + fi + + read -r -d '' message <<- EOM + Finished ${install_type} install + + ${sentence_prefix} the web interface at https://${REDIRECTIT} + + Press ENTER to reboot + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" 12 75 } whiptail_setup_failed() { @@ -1068,7 +1082,7 @@ whiptail_so_allow() { if [[ $exitstatus == 0 ]]; then ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \ --inputbox "Enter a single ip address or range (in CIDR notation) to allow" \ - 10 75 125 3>&1 1>&2 2>&3) + 10 75 3>&1 1>&2 2>&3) local exitstatus=$? export ALLOW_ROLE='a' @@ -1125,7 +1139,7 @@ whiptail_master_updates() { local update_string update_string=$(whiptail --title "Security Onion Setup" --radiolist \ "How would you like to download OS package updates for your grid?:" 20 75 4 \ - "MASTER" "Master node is proxy for updates." ON \ + "MASTER" "Master node is proxy for updates" ON \ "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 67c8836cd666226b93a9240bab2c013428ae1103 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 14:39:02 -0400 Subject: [PATCH 03/16] [fix] Use 100GB min space for standalone also --- setup/so-functions | 6 +++--- setup/so-setup | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 94caeba19..a35393ddf 100755 --- a/setup/so-functions +++ b/setup/so-functions 
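Review bot: `${REDIRECTIT}` is only assigned inside master_pillar's case statement (earlier in this patch), so on a non-manager install the new dialog tells the user to access `https://` with no host. Guard the sentence on the value, `if [[ -n $REDIRECTIT ]]; then … fi`, or only build the URL line when `$is_master` is set. Two smaller points on the heredoc: `read -r -d ''` returns 1 at end of input because no NUL delimiter is found, which matters if this file ever runs under `set -e` (append `|| true`), and `<<-` strips leading tabs only, so if the indentation here is spaces the message lines keep it.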
@@ -398,7 +398,7 @@ checkin_at_boot() { } check_requirements() { - local eval_or_dist=$1 + local standalone_or_dist=$1 local node_type=$2 # optional local req_mem local req_cores @@ -407,12 +407,12 @@ check_requirements() { readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" local num_nics=${#nic_list[@]} - if [[ "$eval_or_dist" == 'eval' ]]; then + if [[ "$standalone_or_dist" == 'standalone' ]]; then req_mem=12 req_cores=4 req_nics=2 req_storage=100 - elif [[ "$eval_or_dist" == 'dist' ]]; then + elif [[ "$standalone_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 req_storage=40 diff --git a/setup/so-setup b/setup/so-setup index 0f28f1244..d9bc73d27 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -163,8 +163,8 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true fi -if [[ $is_eval ]]; then - check_requirements "eval" +if [[ $is_master && $is_sensor ]]; then + check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" elif [[ $is_sensor && ! $is_eval ]]; then From f56811e745b4c69ccb13c817175ce1ba44f9d6f7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 14:40:04 -0400 Subject: [PATCH 04/16] [feat] Use setup user+pass for TheHive, Cortex, and Fleet as well --- salt/thehive/scripts/cortex_init | 14 +++++++------- salt/thehive/scripts/hive_init | 8 ++++---- setup/so-functions | 11 ++++++----- setup/so-whiptail | 3 ++- 4 files changed, 19 insertions(+), 17 deletions(-) diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index 063ae498d..922ad45dc 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init 
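Review bot: The interface count in check_requirements is never zero: `readarray -t nic_list <<< "$(ip link | …)"` feeds a here-string that always ends in a newline, so an empty awk result still yields one (empty) element and `num_nics` is 1. Read from process substitution instead, `mapfile -t nic_list < <(ip link | awk -F: '…' | grep -vwe "bond0" | sed 's/ //g')`, so no interface gives an empty array. The comparison against `req_nics` presumably happens further down the function, outside this hunk.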
@@ -1,11 +1,11 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} -{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %} -{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} -{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} -{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} -{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} +# {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} +# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} +# {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} +# {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} +# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} +# {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} default_salt_dir=/opt/so/saltstack/default diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index 296004e77..0163b45f3 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,8 +1,8 @@ #!/bin/bash -{% set MASTERIP = salt['pillar.get']('static:masterip', '') %} -{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} -{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} -{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} +# {%- set MASTERIP = salt['pillar.get']('static:masterip', '') %} +# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +# {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %} +# {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} thehive_init(){ sleep 120 
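Review bot: `salt['pillar.get']('static:cortexpassword', 'cortexchangeme')` turns a missing pillar key into a silently applied, well-known password for the Cortex admin account instead of a failed render; the same default is added to hive_init in this patch. Keep the default empty and fail the render when the value is missing, e.g. `{%- if not CORTEXPASSWORD %}{{ raise('static:cortexpassword pillar is not set') }}{%- endif %}` (or an explicit `exit 1` in the rendered bash if this Salt version lacks the `raise` helper). Note that prefixing the `{%- set %}` lines with `#` only changes what the rendered bash sees; the Jinja statements still execute, so the secret is presumably still expanded wherever `{{ CORTEXPASSWORD }}` is used below this hunk.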
diff --git a/setup/so-functions b/setup/so-functions index a35393ddf..d9ebf0d15 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -979,15 +979,16 @@ master_static() { " broversion: $BROVERSION"\ " ids: $NIDS"\ " masterip: $MAINIP"\ - " hiveuser: hiveadmin"\ - " hivepassword: hivechangeme"\ + " hiveuser: $WEBUSER"\ + " hivepassword: $WEBPASSWD1"\ " hivekey: $HIVEKEY"\ - " cortexuser: cortexadmin"\ - " cortexpassword: cortexchangeme"\ + " cortexuser: $WEBUSER"\ + " cortexpassword: $WEBPASSWD1"\ " cortexkey: $CORTEXKEY"\ " cortexorgname: SecurityOnion"\ - " cortexorguser: soadmin"\ + " cortexorguser: $WEBUSER"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ + " grafanapassword: $WEBPASSWD1"\ " fleet_custom_hostname: "\ " fleet_master: False"\ " fleet_node: False"\ diff --git a/setup/so-whiptail b/setup/so-whiptail index 20e4d7ee5..3b8b13f79 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -252,7 +252,8 @@ whiptail_create_web_user() { [ -n "$TESTING" ] && return WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \ - "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3) + "Please enter an email address to create an administrator account for the web interface. \ + This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 547298fce0d9967fb10a965cae3bd51d1056cbd0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:34:33 -0400 Subject: [PATCH 05/16] [refactor] Hide output for cortex and thehive init scripts --- salt/thehive/init.sls | 2 ++ 1 file changed, 2 insertions(+) diff --git a/salt/thehive/init.sls b/salt/thehive/init.sls index da07247c4..3ca913221 100644 --- a/salt/thehive/init.sls +++ b/salt/thehive/init.sls @@ -115,6 +115,7 @@ cortexscript: - source: salt://thehive/scripts/cortex_init - cwd: /opt/so - template: jinja + - hide_output: True so-thehive: docker_container.running: 
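Review bot: `" hivepassword: $WEBPASSWD1"` and the cortex/grafana lines write the user-chosen password into YAML as an unquoted plain scalar, so a password containing ` #` or `: `, or starting with `*`, `&`, `!`, `%`, `@`, `[` or a quote, is truncated, mis-parsed, or breaks the pillar entirely (and a `{{` would be interpreted by Jinja first). Single-quote the values with embedded quotes doubled, e.g. `pw_yaml=${WEBPASSWD1//\'/\'\'}` then `" hivepassword: '${pw_yaml}'"`, and do the same for `$WEBUSER`. The change also reuses one secret for SOC, TheHive, Cortex, Fleet and Grafana, so compromise of any one of those services (or read access to this pillar file, whose mode is not set in this hunk) yields the others; per-service random passwords, as is already done for the API keys, would limit that. master_static begins outside the hunk.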
@@ -134,3 +135,4 @@ thehivescript: - source: salt://thehive/scripts/hive_init - cwd: /opt/so - template: jinja + - hide_output: True From ce7373501bb869665d2e7546f0b4b238e0e8c4fb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:58:47 -0400 Subject: [PATCH 06/16] [fix] Add fallback for hive + cortex users --- salt/thehive/scripts/cortex_init | 2 +- salt/thehive/scripts/hive_init | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/thehive/scripts/cortex_init b/salt/thehive/scripts/cortex_init index f653bc008..90980da9c 100644 --- a/salt/thehive/scripts/cortex_init +++ b/salt/thehive/scripts/cortex_init @@ -1,6 +1,6 @@ #!/bin/bash # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} -# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} +# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %} # {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %} # {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} # {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} diff --git a/salt/thehive/scripts/hive_init b/salt/thehive/scripts/hive_init index bcd911c1e..a8307c0d6 100755 --- a/salt/thehive/scripts/hive_init +++ b/salt/thehive/scripts/hive_init @@ -1,6 +1,6 @@ #!/bin/bash # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %} -# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} +# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %} # {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %} # {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} From 4cfecae3b2dcef8f2ed1955619d6d255727f3305 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 17:59:51 -0400 Subject: [PATCH 07/16] [ix] Remove grafanapassword pillar key --- setup/so-functions | 1 - 1 file changed, 1 deletion(-) 
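Review bot: With `'hiveadmin'` now defaulting alongside the `'hivechangeme'` password introduced earlier in this series, a manager whose static pillar lacks these keys gets a complete, well-known credential pair without any error. The fallback should fail the render rather than guess, e.g. `{%- if not THEHIVEPASSWORD %}{{ raise('static:hivepassword pillar is not set') }}{%- endif %}`; the same applies to cortex_init in this patch. The body of hive_init that consumes these values lies outside the hunk.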
diff --git a/setup/so-functions b/setup/so-functions index 487eb9a40..1f48e4939 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1010,7 +1010,6 @@ manager_static() { " cortexorgname: SecurityOnion"\ " cortexorguser: $WEBUSER"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ - " grafanapassword: $WEBPASSWD1"\ " fleet_custom_hostname: "\ " fleet_manager: False"\ " fleet_node: False"\ From aee304e5d5f5be9986af3950fd76bd4cdd624a0d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 10 Jul 2020 18:13:20 -0400 Subject: [PATCH 08/16] [fix] master -> manager --- setup/so-setup | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 42fa6c33a..4e12dc8b9 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -163,7 +163,7 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then is_helix=true fi -if [[ $is_master && $is_sensor ]]; then +if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then check_requirements "dist" "fleet" @@ -331,7 +331,7 @@ else FLEETNODEPASSWD1=$WEBPASSWD1 fi -if [[ $is_master ]]; then whiptail_so_allow; fi +if [[ $is_manager ]]; then whiptail_so_allow; fi whiptail_make_changes From c31c24ccd85edc7d2f76234caabe7f985b9e59c3 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 13 Jul 2020 09:12:24 -0400 Subject: [PATCH 09/16] [fix] Check /nsm instead of / for free space --- setup/so-variables | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 1123562d9..07f7aa71b 100644 --- a/setup/so-variables +++ b/setup/so-variables 
@@ -28,7 +28,7 @@ mkdir -p /nsm filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm -free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') export free_space_root mkdir -p /root/installtmp/pillar/minions From c58571312212164ad8bd57cd163cd5860b0e78b1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 13 Jul 2020 13:28:54 -0400 Subject: [PATCH 10/16] [style] Change SO_ERROR check to non-empty check --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index c22d49ee8..0ddf99895 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -623,7 +623,7 @@ if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi -if [[ $success != 0 || $SO_ERROR == 1 ]]; then +if [[ $success != 0 || -n $SO_ERROR ]]; then SKIP_REBOOT=1 whiptail_setup_failed else From 81c8185cb559cbb1f126e6d90affe76e5ecec95b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 13 Jul 2020 14:53:47 -0400 Subject: [PATCH 11/16] [refactor] Delete check for network install since we check /nsm now --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 3b5fc81b7..df7a3f254 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -420,7 +420,7 @@ check_requirements() { if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi - if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then + if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" fi From aa4d435020333e39207f9fdc6dd51529114c135a Mon Sep 17 00:00:00 2001 
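Review bot: `free_space_root` now measures `/nsm` but keeps its name, so check_requirements and its "disk space" error message read as root-filesystem figures. Rename it `free_space_nsm` (updating the check in so-functions) or at least document it: `# Free space in GB on the filesystem backing /nsm; this is / when /nsm is not a separate mount`. The `grep -v used` stage is redundant once `sed 1d` has dropped the header and could go.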
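Review bot: The disk-space comparison depends on `bc`: if it is not installed the command substitution is empty, `(( ))` evaluates to false and the check is silently skipped, now for every install type since the `network` condition is gone. `free_space_root` is already an integer (`printf("%.0f")` in so-variables), so bash arithmetic suffices: `if (( free_space_root < req_storage )); then`. The memory and core checks further down the function, outside this hunk, presumably follow the same pattern.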
From: William Wernert Date: Mon, 13 Jul 2020 15:21:05 -0400 Subject: [PATCH 12/16] [fix] Don't run so-allow before setup complete menu --- setup/so-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index b5f6d1d52..c10ff4737 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -624,10 +624,6 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow -if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 -fi - if [[ -n $SO_ERROR ]]; then SKIP_REBOOT=1 whiptail_setup_failed @@ -636,6 +632,10 @@ else if [[ $THEHIVE == 1 ]]; then check_hive_init; fi fi +if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 +fi + install_cleanup >> $setup_log 2>&1 if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi From 178ac79da8b65b56fa110da0d2658de899b13bad Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 09:05:09 -0400 Subject: [PATCH 13/16] [refactor] Set $REDIRECTIT outside of subshell --- setup/so-functions | 23 +++++++++++------------ setup/so-setup | 3 +-- 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index df7a3f254..26f7af0fc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -871,6 +871,17 @@ get_redirect() { if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host fi + case $REDIRECTINFO in + 'IP') + export REDIRECTIT="$MAINIP" + ;; + 'HOSTNAME') + export REDIRECTIT="$HOSTNAME" + ;; + *) + export REDIRECTIT="$REDIRECTHOST" + ;; + esac } got_root() { 
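Review bot: The exit status of `IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1` is discarded, and because it now runs after whiptail_setup_complete has already told the user to "Access the web interface", a failed firewall update (a bad `ALLOW_CIDR`, a failed salt state) is never reported before the reboot. Check the status and say so: `if ! IP=$ALLOW_CIDR so-allow -"$ALLOW_ROLE" >> "$setup_log" 2>&1; then echo "so-allow failed; run 'so-allow -a' after reboot (see $setup_log)" | tee -a "$setup_log"; fi`. Quoting `$ALLOW_ROLE` also keeps the option from splitting should the value ever contain whitespace.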
@@ -938,18 +949,6 @@ manager_pillar() { " mtu: $MTU" >> "$pillar_file" fi - case $REDIRECTINFO in - 'IP') - export REDIRECTIT="$MAINIP" - ;; - 'HOSTNAME') - export REDIRECTIT=$HOSTNAME - ;; - *) - export REDIRECTIT="$REDIRECTHOST" - ;; - esac - printf '%s\n'\ " elastalert: 1"\ " nids_rules: $RULESETUP"\ diff --git a/setup/so-setup b/setup/so-setup index c10ff4737..6ca4d3d57 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -378,8 +378,6 @@ if [[ $is_minion ]]; then copy_ssh_key >> $setup_log 2>&1 fi - - # Begin install { # Set initial percentage to 0 @@ -633,6 +631,7 @@ else fi if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then + echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi From 4ab90a9a30ac4a7783419e4a2d9f9257883ee0c6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 10:12:51 -0400 Subject: [PATCH 14/16] [fix] Move redirect var to function after $MAINIP has been set --- setup/so-functions | 25 ++++++++++++++----------- setup/so-setup | 5 ++++- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 26f7af0fc..ee5c15368 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -871,17 +871,6 @@ get_redirect() { if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host fi - case $REDIRECTINFO in - 'IP') - export REDIRECTIT="$MAINIP" - ;; - 'HOSTNAME') - export REDIRECTIT="$HOSTNAME" - ;; - *) - export REDIRECTIT="$REDIRECTHOST" - ;; - esac } got_root() { @@ -1653,6 +1642,20 @@ set_node_type() { esac } +set_redirect() { + case $REDIRECTINFO in + 'IP') + REDIRECTIT="$MAINIP" + ;; + 'HOSTNAME') + REDIRECTIT="$HOSTNAME" + ;; + *) + REDIRECTIT="$REDIRECTHOST" + ;; + esac +} + set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then diff --git a/setup/so-setup b/setup/so-setup index 6ca4d3d57..4f681e12e 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -369,7 +369,10 @@ if [[ $is_manager && ! $is_eval ]]; then add_soremote_user_manager >> $setup_log 2>&1 fi -set_main_ip >> $setup_log 2>&1 +{ + set_main_ip; + set_redirect; +} >> $setup_log 2>&1 host_pillar >> $setup_log 2>&1 From ad3c4c49503369306873e08a6372d96327053c0c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 11:09:12 -0400 Subject: [PATCH 15/16] [fix] master -> manager --- salt/motd/files/so_motd.jinja | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/motd/files/so_motd.jinja b/salt/motd/files/so_motd.jinja index 941aa2350..4b22eb56c 100644 --- a/salt/motd/files/so_motd.jinja +++ b/salt/motd/files/so_motd.jinja @@ -1,5 +1,5 @@ {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} -{% set url = salt['pillar.get']('master:url_base') -%} +{% set url = salt['pillar.get']('manager:url_base') -%} Access the Security Onion web interface at https://{{ url }} From caf9e3f75a6ac679bab56038cb23870bcc12757a Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 14 Jul 2020 11:13:50 -0400 Subject: [PATCH 16/16] [fix] Redirect hive_init output to log --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 4f681e12e..91c2d4806 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -630,7 +630,7 @@ if [[ -n $SO_ERROR ]]; then whiptail_setup_failed else whiptail_setup_complete - if [[ $THEHIVE == 1 ]]; then check_hive_init; fi + if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi fi if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then