CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #979 from Security-Onion-Solutions/feature/setup

Browse Source 
Feature/setup
This commit is contained in:
William Wernert
2020-07-14 11:17:03 -04:00
committed by GitHub
parent f2d9abf1a5 caf9e3f75a
commit 3df5904269
10 changed files with 114 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
salt/common/tools/sbin/so-allow
View File

@@ -89,7 +89,7 @@ if [ "$SKIP" -eq 0 ]; then
echo "[p] - Wazuh API - port 55000/tcp" echo "[p] - Wazuh API - port 55000/tcp"
echo "[r] - Wazuh registration service - 1515/tcp" echo "[r] - Wazuh registration service - 1515/tcp"
echo "" echo ""
echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):" echo "Please enter your selection:"
read -r ROLE read -r ROLE
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):" echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
read -r IP read -r IP
@@ -127,16 +127,16 @@ salt-call state.apply firewall queue=True
if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then if grep -q -R "wazuh: 1" $local_salt_dir/pillar/*; then
# If analyst, add to Wazuh AR whitelist # If analyst, add to Wazuh AR whitelist
if [ "$FULLROLE" == "analyst" ]; then if [ "$FULLROLE" == "analyst" ]; then
WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf" WAZUH_MGR_CFG="/opt/so/wazuh/etc/ossec.conf"
if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then if ! grep -q "<white_list>$IP</white_list>" $WAZUH_MGR_CFG ; then
DATE=$(date) DATE=$(date)
sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG sed -i 's/<\/ossec_config>//' $WAZUH_MGR_CFG
sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG sed -i '/^$/N;/^\n$/D' $WAZUH_MGR_CFG
echo -e "<!--Address $IP added by /usr/sbin/so-allow on \"$DATE\"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG echo -e "<!--Address $IP added by /usr/sbin/so-allow on \"$DATE\"-->\n <global>\n <white_list>$IP</white_list>\n </global>\n</ossec_config>" >> $WAZUH_MGR_CFG
echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG." echo "Added whitelist entry for $IP in $WAZUH_MGR_CFG."
echo echo
echo "Restarting OSSEC Server..." echo "Restarting OSSEC Server..."
/usr/sbin/so-wazuh-restart /usr/sbin/so-wazuh-restart
fi fi
fi fi
fi fi

5
salt/motd/files/package_update_reboot_required.jinja → salt/motd/files/so_motd.jinja
View File

@@ -1,4 +1,9 @@
{% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%} {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%}
{% set url = salt['pillar.get']('manager:url_base') -%}
Access the Security Onion web interface at https://{{ url }}
(You may need to run so-allow first if you haven't yet)
{%- if needs_restarting_check %} {%- if needs_restarting_check %}
{%- set minions_need_restarted = [] %} {%- set minions_need_restarted = [] %}

4
salt/motd/init.sls
View File

@@ -1,5 +1,5 @@
package_update_reboot_required_motd: so_motd:
file.managed: file.managed:
- name: /etc/motd - name: /etc/motd
- source: salt://motd/files/package_update_reboot_required.jinja - source: salt://motd/files/so_motd.jinja
- template: jinja - template: jinja

2
salt/thehive/init.sls
View File

@@ -116,6 +116,7 @@ cortexscript:
- source: salt://thehive/scripts/cortex_init - source: salt://thehive/scripts/cortex_init
- cwd: /opt/so - cwd: /opt/so
- template: jinja - template: jinja
- hide_output: True
so-thehive: so-thehive:
docker_container.running: docker_container.running:
@@ -135,3 +136,4 @@ thehivescript:
- source: salt://thehive/scripts/hive_init - source: salt://thehive/scripts/hive_init
- cwd: /opt/so - cwd: /opt/so
- template: jinja - template: jinja
- hide_output: True

14
salt/thehive/scripts/cortex_init
View File

@@ -1,11 +1,11 @@
#!/bin/bash #!/bin/bash
{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %} # {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %}
{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %} # {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %}
{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %} # {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %} # {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %} # {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %} # {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
default_salt_dir=/opt/so/saltstack/default default_salt_dir=/opt/so/saltstack/default

8
salt/thehive/scripts/hive_init
View File

@@ -1,8 +1,8 @@
#!/bin/bash #!/bin/bash
{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %} # {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %} # {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %}
{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %} # {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %}
{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %} # {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}
thehive_init(){ thehive_init(){
sleep 120 sleep 120

44
setup/so-functions
View File

@@ -398,7 +398,7 @@ checkin_at_boot() {
} }
check_requirements() { check_requirements() {
local eval_or_dist=$1 local standalone_or_dist=$1
local node_type=$2 # optional local node_type=$2 # optional
local req_mem local req_mem
local req_cores local req_cores
@@ -407,12 +407,12 @@ check_requirements() {
readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')"
local num_nics=${#nic_list[@]} local num_nics=${#nic_list[@]}
if [[ "$eval_or_dist" == 'eval' ]]; then if [[ "$standalone_or_dist" == 'standalone' ]]; then
req_mem=12 req_mem=12
req_cores=4 req_cores=4
req_nics=2 req_nics=2
req_storage=100 req_storage=100
elif [[ "$eval_or_dist" == 'dist' ]]; then elif [[ "$standalone_or_dist" == 'dist' ]]; then
req_mem=8 req_mem=8
req_cores=4 req_cores=4
req_storage=40 req_storage=40
@@ -420,7 +420,7 @@ check_requirements() {
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
fi fi
if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
fi fi
@@ -939,18 +939,6 @@ manager_pillar() {
" mtu: $MTU" >> "$pillar_file" " mtu: $MTU" >> "$pillar_file"
fi fi
case $REDIRECTINFO in
'IP')
REDIRECTIT="$MAINIP"
;;
'HOSTNAME')
REDIRECTIT=$HOSTNAME
;;
*)
REDIRECTIT="$REDIRECTHOST"
;;
esac
printf '%s\n'\ printf '%s\n'\
" elastalert: 1"\ " elastalert: 1"\
" nids_rules: $RULESETUP"\ " nids_rules: $RULESETUP"\
@@ -1004,14 +992,14 @@ manager_static() {
" broversion: $BROVERSION"\ " broversion: $BROVERSION"\
" ids: $NIDS"\ " ids: $NIDS"\
" managerip: $MAINIP"\ " managerip: $MAINIP"\
" hiveuser: hiveadmin"\ " hiveuser: $WEBUSER"\
" hivepassword: hivechangeme"\ " hivepassword: $WEBPASSWD1"\
" hivekey: $HIVEKEY"\ " hivekey: $HIVEKEY"\
" cortexuser: cortexadmin"\ " cortexuser: $WEBUSER"\
" cortexpassword: cortexchangeme"\ " cortexpassword: $WEBPASSWD1"\
" cortexkey: $CORTEXKEY"\ " cortexkey: $CORTEXKEY"\
" cortexorgname: SecurityOnion"\ " cortexorgname: SecurityOnion"\
" cortexorguser: soadmin"\ " cortexorguser: $WEBUSER"\
" cortexorguserkey: $CORTEXORGUSERKEY"\ " cortexorguserkey: $CORTEXORGUSERKEY"\
" fleet_custom_hostname: "\ " fleet_custom_hostname: "\
" fleet_manager: False"\ " fleet_manager: False"\
@@ -1656,6 +1644,20 @@ set_node_type() {
esac esac
} }
set_redirect() {
case $REDIRECTINFO in
'IP')
REDIRECTIT="$MAINIP"
;;
'HOSTNAME')
REDIRECTIT="$HOSTNAME"
;;
*)
REDIRECTIT="$REDIRECTHOST"
;;
esac
}
set_updates() { set_updates() {
if [ "$MANAGERUPDATES" = '1' ]; then if [ "$MANAGERUPDATES" = '1' ]; then
if [ "$OS" = 'centos' ]; then if [ "$OS" = 'centos' ]; then

24
setup/so-setup
View File

@@ -165,8 +165,8 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true is_helix=true
fi fi
if [[ $is_eval ]]; then if [[ $is_manager && $is_sensor ]]; then
check_requirements "eval" check_requirements "standalone"
elif [[ $is_fleet_standalone ]]; then elif [[ $is_fleet_standalone ]]; then
check_requirements "dist" "fleet" check_requirements "dist" "fleet"
elif [[ $is_sensor && ! $is_eval ]]; then elif [[ $is_sensor && ! $is_eval ]]; then
@@ -333,6 +333,8 @@ else
FLEETNODEPASSWD1=$WEBPASSWD1 FLEETNODEPASSWD1=$WEBPASSWD1
fi fi
if [[ $is_manager ]]; then whiptail_so_allow; fi
whiptail_make_changes whiptail_make_changes
if [[ -n "$TURBO" ]]; then if [[ -n "$TURBO" ]]; then
@@ -367,7 +369,10 @@ if [[ $is_manager && ! $is_eval ]]; then
add_soremote_user_manager >> $setup_log 2>&1 add_soremote_user_manager >> $setup_log 2>&1
fi fi
set_main_ip >> $setup_log 2>&1 {
set_main_ip;
set_redirect;
} >> $setup_log 2>&1
host_pillar >> $setup_log 2>&1 host_pillar >> $setup_log 2>&1
@@ -376,8 +381,6 @@ if [[ $is_minion ]]; then
copy_ssh_key >> $setup_log 2>&1 copy_ssh_key >> $setup_log 2>&1
fi fi
# Begin install # Begin install
{ {
# Set initial percentage to 0 # Set initial percentage to 0
@@ -622,16 +625,17 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')
if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow
if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
fi
if [[ -n $SO_ERROR ]]; then if [[ -n $SO_ERROR ]]; then
SKIP_REBOOT=1 SKIP_REBOOT=1
whiptail_setup_failed whiptail_setup_failed
else else
whiptail_setup_complete whiptail_setup_complete
if [[ $THEHIVE == 1 ]]; then check_hive_init; fi if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi
fi
if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then
echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}"
IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
fi fi
install_cleanup >> $setup_log 2>&1 install_cleanup >> $setup_log 2>&1

2
setup/so-variables
View File

@@ -28,7 +28,7 @@ mkdir -p /nsm
filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
export filesystem_nsm export filesystem_nsm
free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
export free_space_root export free_space_root
mkdir -p /root/installtmp/pillar/minions mkdir -p /root/installtmp/pillar/minions

51
setup/so-whiptail
View File

@@ -252,7 +252,8 @@ whiptail_create_web_user() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \ WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
"Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3) "Please enter an email address to create an administrator account for the web interface. \
This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -435,9 +436,7 @@ whiptail_homenet_sensor() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
export HNSENSOR export HNSENSOR
fi fi
} }
whiptail_install_type() { whiptail_install_type() {
@@ -1028,7 +1027,21 @@ whiptail_setup_complete() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75 if [[ -n $ALLOW_CIDR ]]; then
local sentence_prefix="Access"
else
local sentence_prefix="Run so-allow after reboot to access"
fi
read -r -d '' message <<- EOM
Finished ${install_type} install
${sentence_prefix} the web interface at https://${REDIRECTIT}
Press ENTER to reboot
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 12 75
} }
whiptail_setup_failed() { whiptail_setup_failed() {
@@ -1050,6 +1063,29 @@ whiptail_shard_count() {
} }
whiptail_so_allow() {
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" \
--yesno "Do you want to run so-allow to allow access to the web tools?" \
8 75
local exitstatus=$?
if [[ $exitstatus == 0 ]]; then
ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
--inputbox "Enter a single ip address or range (in CIDR notation) to allow" \
10 75 3>&1 1>&2 2>&3)
local exitstatus=$?
export ALLOW_ROLE='a'
export ALLOW_CIDR
fi
whiptail_check_exitstatus $exitstatus
}
whiptail_strelka_rules() { whiptail_strelka_rules() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -1066,7 +1102,6 @@ whiptail_strelka_rules() {
export STRELKARULES export STRELKARULES
fi fi
} }
whiptail_suricata_pins() { whiptail_suricata_pins() {
@@ -1098,17 +1133,17 @@ whiptail_manager_updates() {
local update_string local update_string
update_string=$(whiptail --title "Security Onion Setup" --radiolist \ update_string=$(whiptail --title "Security Onion Setup" --radiolist \
"How would you like to download OS package updates for your grid?:" 20 75 4 \ "How would you like to download OS package updates for your grid?:" 20 75 4 \
"MANAGER" "Manager node is proxy for updates." ON \ "MANAGER" "Manager node is proxy for updates" ON \
"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
case "$update_string" in case "$update_string" in
'MANAGER') 'MANAGER')
MANAGERUPDATES='1' export MANAGERUPDATES='1'
;; ;;
*) *)
MANAGERUPDATES='0' export MANAGERUPDATES='0'
;; ;;
esac esac