Merge pull request #979 from Security-Onion-Solutions/feature/setup

Feature/setup
2025-12-06 09:12:45 +01:00 · 2020-07-14 11:17:03 -04:00
parent f2d9abf1a5 caf9e3f75a
commit 3df5904269
10 changed files with 114 additions and 66 deletions
--- a/salt/common/tools/sbin/so-allow
+++ b/salt/common/tools/sbin/so-allow
@@ -89,7 +89,7 @@ if [ "$SKIP" -eq 0 ]; then
    echo "[p] - Wazuh API - port 55000/tcp"
    echo "[r] - Wazuh registration service - 1515/tcp"
    echo ""
-    echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
+    echo "Please enter your selection:"
    read -r ROLE
    echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
    read -r IP
--- a/salt/motd/files/package_update_reboot_required.jinja
+++ b/salt/motd/files/package_update_reboot_required.jinja
@@ -1,4 +1,9 @@
 {% set needs_restarting_check = salt['mine.get']('*', 'needs_restarting.check', tgt_type='glob') -%}
+{% set url = salt['pillar.get']('manager:url_base') -%}
+
+
+Access the Security Onion web interface at https://{{ url }}
+(You may need to run so-allow first if you haven't yet)

 {%- if needs_restarting_check %}
  {%- set minions_need_restarted = [] %}
--- a/salt/motd/init.sls
+++ b/salt/motd/init.sls
@@ -1,5 +1,5 @@
-package_update_reboot_required_motd:
+so_motd:
  file.managed:
    - name: /etc/motd
-    - source: salt://motd/files/package_update_reboot_required.jinja
+    - source: salt://motd/files/so_motd.jinja
    - template: jinja
--- a/salt/thehive/init.sls
+++ b/salt/thehive/init.sls
@@ -116,6 +116,7 @@ cortexscript:
    - source: salt://thehive/scripts/cortex_init
    - cwd: /opt/so
    - template: jinja
+    - hide_output: True

 so-thehive:
  docker_container.running:
@@ -135,3 +136,4 @@ thehivescript:
    - source: salt://thehive/scripts/hive_init
    - cwd: /opt/so
    - template: jinja
+    - hide_output: True
--- a/salt/thehive/scripts/cortex_init
+++ b/salt/thehive/scripts/cortex_init
@@ -1,11 +1,11 @@
 #!/bin/bash
-{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
-{%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', '') %}
-{%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', '') %}
-{%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
-{%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
-{%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
-{%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}
+# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+# {%- set CORTEXUSER = salt['pillar.get']('static:cortexuser', 'cortexadmin') %}
+# {%- set CORTEXPASSWORD = salt['pillar.get']('static:cortexpassword', 'cortexchangeme') %}
+# {%- set CORTEXKEY = salt['pillar.get']('static:cortexkey', '') %}
+# {%- set CORTEXORGNAME = salt['pillar.get']('static:cortexorgname', '') %}
+# {%- set CORTEXORGUSER = salt['pillar.get']('static:cortexorguser', '') %}
+# {%- set CORTEXORGUSERKEY = salt['pillar.get']('static:cortexorguserkey', '') %}

 default_salt_dir=/opt/so/saltstack/default

--- a/salt/thehive/scripts/hive_init
+++ b/salt/thehive/scripts/hive_init
@@ -1,8 +1,8 @@
 #!/bin/bash
-{% set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
-{%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', '') %}
-{%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', '') %}
-{%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}
+# {%- set MANAGERIP = salt['pillar.get']('static:managerip', '') %}
+# {%- set THEHIVEUSER = salt['pillar.get']('static:hiveuser', 'hiveadmin') %}
+# {%- set THEHIVEPASSWORD = salt['pillar.get']('static:hivepassword', 'hivechangeme') %}
+# {%- set THEHIVEKEY = salt['pillar.get']('static:hivekey', '') %}

 thehive_init(){
    sleep 120
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -398,7 +398,7 @@ checkin_at_boot() {
 }

 check_requirements() {
-	local eval_or_dist=$1
+	local standalone_or_dist=$1
 	local node_type=$2 # optional
 	local req_mem
 	local req_cores
@@ -407,12 +407,12 @@ check_requirements() {
 	readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0"  | sed 's/ //g')"
 	local num_nics=${#nic_list[@]}
 	
-	if [[ "$eval_or_dist" == 'eval' ]]; then
+	if [[ "$standalone_or_dist" == 'standalone' ]]; then
 		req_mem=12
 		req_cores=4
 		req_nics=2
 		req_storage=100
-	elif [[ "$eval_or_dist" == 'dist' ]]; then
+	elif [[ "$standalone_or_dist" == 'dist' ]]; then
 		req_mem=8
 		req_cores=4
 		req_storage=40
@@ -420,7 +420,7 @@ check_requirements() {
 		if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
 	fi

-	if (( $(echo "$free_space_root < $req_storage" | bc -l) )) && [[ $setup_type == 'network' ]]; then
+	if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
 		whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
 	fi

@@ -939,18 +939,6 @@ manager_pillar() {
 			"  mtu: $MTU" >> "$pillar_file"
 	fi

-	case $REDIRECTINFO in
-		'IP')
-			REDIRECTIT="$MAINIP"
-			;;
-		'HOSTNAME')
-			REDIRECTIT=$HOSTNAME
-			;;
-		*)
-			REDIRECTIT="$REDIRECTHOST"
-			;;
-	esac
-
 	printf '%s\n'\
 		"  elastalert: 1"\
 		"  nids_rules: $RULESETUP"\
@@ -1004,14 +992,14 @@ manager_static() {
 		"  broversion: $BROVERSION"\
 		"  ids: $NIDS"\
 		"  managerip: $MAINIP"\
-		"  hiveuser: hiveadmin"\
-		"  hivepassword: hivechangeme"\
+		"  hiveuser: $WEBUSER"\
+		"  hivepassword: $WEBPASSWD1"\
 		"  hivekey: $HIVEKEY"\
-		"  cortexuser: cortexadmin"\
-		"  cortexpassword: cortexchangeme"\
+		"  cortexuser: $WEBUSER"\
+		"  cortexpassword: $WEBPASSWD1"\
 		"  cortexkey: $CORTEXKEY"\
 		"  cortexorgname: SecurityOnion"\
-		"  cortexorguser: soadmin"\
+		"  cortexorguser: $WEBUSER"\
 		"  cortexorguserkey: $CORTEXORGUSERKEY"\
 		"  fleet_custom_hostname: "\
 		"  fleet_manager: False"\
@@ -1656,6 +1644,20 @@ set_node_type() {
 	esac
 }

+set_redirect() {
+	case $REDIRECTINFO in
+		'IP')
+			REDIRECTIT="$MAINIP"
+			;;
+		'HOSTNAME')
+			REDIRECTIT="$HOSTNAME"
+			;;
+		*)
+			REDIRECTIT="$REDIRECTHOST"
+			;;
+	esac
+}
+
 set_updates() {
 	if [ "$MANAGERUPDATES" = '1' ]; then
 		if [ "$OS" = 'centos' ]; then
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -165,8 +165,8 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
 fi

-if [[ $is_eval ]]; then
-	check_requirements "eval"
+if [[ $is_manager && $is_sensor ]]; then
+	check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then
 	check_requirements "dist" "fleet"
 elif [[ $is_sensor && ! $is_eval ]]; then
@@ -333,6 +333,8 @@ else
 	FLEETNODEPASSWD1=$WEBPASSWD1
 fi

+if [[ $is_manager ]]; then whiptail_so_allow; fi
+
 whiptail_make_changes

 if [[ -n "$TURBO" ]]; then
@@ -367,7 +369,10 @@ if [[ $is_manager && ! $is_eval ]]; then
 	add_soremote_user_manager >> $setup_log 2>&1
 fi

-set_main_ip >> $setup_log 2>&1
+{
+	set_main_ip;
+	set_redirect;
+} >> $setup_log 2>&1

 host_pillar >> $setup_log 2>&1

@@ -376,8 +381,6 @@ if [[ $is_minion ]]; then
 	copy_ssh_key >> $setup_log 2>&1
 fi

-
-
 # Begin install
 {
 	# Set initial percentage to 0
@@ -622,16 +625,17 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}')

 if [[ $success != 0 ]]; then SO_ERROR=1; fi # evaluate success first so it doesn't check against the output of so-allow

-if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
-	IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
-fi
-
 if [[ -n $SO_ERROR ]]; then 
 	SKIP_REBOOT=1
 	whiptail_setup_failed
 else 
 	whiptail_setup_complete
-	if [[ $THEHIVE == 1 ]]; then check_hive_init; fi
+	if [[ $THEHIVE == 1 ]]; then check_hive_init >> $setup_log 2>&1; fi
+fi
+
+if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then 
+	echo "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}"
+	IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1
 fi

 install_cleanup >> $setup_log 2>&1
--- a/setup/so-variables
+++ b/setup/so-variables
@@ -28,7 +28,7 @@ mkdir -p /nsm
 filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
 export filesystem_nsm

-free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
+free_space_root=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
 export free_space_root

 mkdir -p /root/installtmp/pillar/minions
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -252,7 +252,8 @@ whiptail_create_web_user() {
 	[ -n "$TESTING" ] && return

 	WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
-	"Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3)
+	"Please enter an email address to create an administrator account for the web interface. \
+	This will also be used for TheHive, Cortex, and Fleet" 10 60 3>&1 1>&2 2>&3)

 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
@@ -435,9 +436,7 @@ whiptail_homenet_sensor() {
 		whiptail_check_exitstatus $exitstatus

 		export HNSENSOR
-
 	fi
-
 }

 whiptail_install_type() {
@@ -1028,7 +1027,21 @@ whiptail_setup_complete() {

 	[ -n "$TESTING" ] && return

-	whiptail --title "Security Onion Setup" --msgbox "Finished $install_type install. Press Ok to reboot." 8 75
+	if [[ -n $ALLOW_CIDR ]]; then
+		local sentence_prefix="Access"
+	else
+		local sentence_prefix="Run so-allow after reboot to access"
+	fi
+
+	read -r -d '' message <<- EOM
+		Finished ${install_type} install
+
+		${sentence_prefix} the web interface at https://${REDIRECTIT}
+
+		Press ENTER to reboot
+	EOM
+
+	whiptail --title "Security Onion Setup" --msgbox "$message" 12 75
 }

 whiptail_setup_failed() {
@@ -1050,6 +1063,29 @@ whiptail_shard_count() {

 }

+whiptail_so_allow() {
+
+	[ -n "$TESTING" ] && return
+
+	whiptail --title "Security Onion Setup" \
+	--yesno "Do you want to run so-allow to allow access to the web tools?" \
+	8 75
+
+	local exitstatus=$?
+
+	if [[ $exitstatus == 0 ]]; then
+		ALLOW_CIDR=$(whiptail --title "Security Onion Setup" \
+		--inputbox "Enter a single ip address or range (in CIDR notation) to allow" \
+		10 75 3>&1 1>&2 2>&3)
+		local exitstatus=$?
+		
+		export ALLOW_ROLE='a'
+		export ALLOW_CIDR
+	fi
+
+	whiptail_check_exitstatus $exitstatus
+}
+
 whiptail_strelka_rules() {

        [ -n "$TESTING" ] && return
@@ -1066,7 +1102,6 @@ whiptail_strelka_rules() {
                export STRELKARULES

        fi
-
 }

 whiptail_suricata_pins() {
@@ -1098,17 +1133,17 @@ whiptail_manager_updates() {
 	local update_string
 	update_string=$(whiptail --title "Security Onion Setup" --radiolist \
 	"How would you like to download OS package updates for your grid?:" 20 75 4 \
-	"MANAGER" "Manager node is proxy for updates." ON \
+	"MANAGER" "Manager node is proxy for updates" ON \
 	"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus

 	case "$update_string" in
 		'MANAGER')
-			MANAGERUPDATES='1'
+			export MANAGERUPDATES='1'
 			;;
 		*)
-			MANAGERUPDATES='0'
+			export MANAGERUPDATES='0'
 			;;
 	esac