Merge remote-tracking branch 'remotes/origin/dev' into issue/1039

salt/firewall/assigned_hostgroups.map.yaml

@@ -442,16 +442,24 @@ role:
     chain:
       DOCKER-USER:
         hostgroups:
-          self:
+          manager:
             portgroups:
-              - {{ portgroups.redis }}
-              - {{ portgroups.beats_5044 }}
-              - {{ portgroups.beats_5644 }}
+              - {{ portgroups.elasticsearch_node }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.elasticsearch_node }}
+              - {{ portgroups.elasticsearch_rest }}
+          elasticsearch_rest:
+            portgroups:
+              - {{ portgroups.elasticsearch_rest }}
       INPUT:
         hostgroups:
           anywhere:
             portgroups:
               - {{ portgroups.ssh }}
+          dockernet:
+            portgroups:
+              - {{ portgroups.all }}
           localhost:
             portgroups:
               - {{ portgroups.all }}

salt/patch/needs_restarting.sls

@@ -1,5 +1,5 @@
 needs_restarting:
   module.run:
     - mine.send:
-      - func: needs_restarting.check
+      - name: needs_restarting.check
     - order: last

setup/so-functions

@@ -233,7 +233,7 @@ check_service_status() {
 
 	local service_name=$1
 	echo "Checking service $service_name status" >> "$setup_log" 2>&1
-	systemctl status $service_name >> "$setup_log" 2>&1
+	systemctl status $service_name > /dev/null 2>&1
 	local status=$?
 	#true if there is an issue with the service false if it is running properly
 	if [ $status -gt 0 ]; then
@@ -655,24 +655,27 @@ detect_os() {
 
 		echo "Installing required packages to run installer..." >> "$setup_log" 2>&1
 		# Install bind-utils so the host command exists
-		if ! command -v host > /dev/null 2>&1; then
+		if [[ ! $is_iso ]]; then
+		  if ! command -v host > /dev/null 2>&1; then
 			yum -y install bind-utils >> "$setup_log" 2>&1
-		fi
-		if ! command -v nmcli > /dev/null 2>&1; then
+		  fi
+		  if ! command -v nmcli > /dev/null 2>&1; then
 			{
 				yum -y install NetworkManager;
 				systemctl enable NetworkManager;
 				systemctl start NetworkManager;
 			} >> "$setup_log" 2<&1
-		fi
-		if ! command -v bc > /dev/null 2>&1; then
+		  fi
+		  if ! command -v bc > /dev/null 2>&1; then
 			yum -y install bc >> "$setup_log" 2>&1
-		fi
-		if ! yum versionlock > /dev/null 2>&1; then
+		  fi
+		  if ! yum versionlock > /dev/null 2>&1; then
 			yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1
-		fi
-
-
+		  fi
+        else
+		  logCmd "systemctl enable NetworkManager"
+		  logCmd "systemctl start NetworkManager"
+        fi
 	elif [ -f /etc/os-release ]; then
 		OS=ubuntu
 		if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
@@ -745,8 +748,12 @@ docker_install() {
 	if [ $OS = 'centos' ]; then
 		{
 			yum clean expire-cache;
-			yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
-			yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7;
+			if [[ ! $is_airgap ]]; then
+			  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
+			fi
+			if [[ ! $is_iso ]]; then
+			  yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7;
+			fi
 			yum versionlock docker-ce-19.03.11-3.el7;
 			yum versionlock containerd.io-1.2.13-3.2.el7
 		} >> "$setup_log" 2>&1
@@ -990,10 +997,10 @@ install_cleanup() {
 
 import_registry_docker() {
 	if [ -f /nsm/docker-registry/docker/registry_image.tar ]; then
-	  service docker start
-	  docker import /nsm/docker-registry/docker/registry_image.tar registry:2
+	  logCmd "service docker start"
+	  logCmd "docker import /nsm/docker-registry/docker/registry_image.tar registry:2" 
 	else
-	  echo "Need to download registry"
+	  info "Need to download registry"
 	fi
 }
 
@@ -1072,7 +1079,7 @@ manager_global() {
 
 	if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then
 		SENSOR_CHECKIN_INTERVAL_MS=10000
-		if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then
+		if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ] || [ "$install_type" = 'IMPORT' ]; then
 			SENSOR_CHECKIN_INTERVAL_MS=1000
 		fi
 	fi
@@ -1342,41 +1349,56 @@ saltify() {
 			cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
 		} >> "$setup_log" 2>&1
 		set_progress_str 6 'Installing various dependencies'
-		yum -y install wget nmap-ncat >> "$setup_log" 2>&1
+		if [[ ! $is_iso ]]; then
+		  logCmd "yum -y install wget nmap-ncat"
+		fi 
 		case "$install_type" in
 			'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
 				reserve_group_ids >> "$setup_log" 2>&1
-				yum -y install epel-release >> "$setup_log" 2>&1
-				yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1
+				if [[ ! $is_iso ]]; then
+				  logCmd "yum -y install epel-release"
+				  logCmd "yum -y install sqlite argon2 curl mariadb-devel"
+				fi 
 				# Download Ubuntu Keys in case manager updates = 1
 				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
-				cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
+				if [[ ! $is_airgap ]]; then
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub"
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
+				  logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo"
+				fi
 				set_progress_str 7 'Installing salt-master'
-				yum -y install salt-master-3001.1 >> "$setup_log" 2>&1
+				if [[ ! $is_iso ]]; then
+				  logCmd "yum -y install salt-master-3001.1"
+				fi
 				systemctl enable salt-master >> "$setup_log" 2>&1
 				;;
 			*)
 				if [ "$MANAGERUPDATES" = '1' ]; then
 					{
-						# Create the GPG Public Key for the Salt Repo
-						cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key;
+						if [[ ! $is_airgap ]]; then
+						  # Create the GPG Public Key for the Salt Repo
+						  cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key;
 
-						# Copy repo files over
-						cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
+						  # Copy repo files over
+						  cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
+						else
+						  info "This is airgap"
+						fi
 					} >> "$setup_log" 2>&1
 				fi
 				;;
 		esac
-		cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
-		yum clean expire-cache >> "$setup_log" 2>&1
+		if [[ ! $is_airgap ]]; then
+		  cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
+		  yum clean expire-cache >> "$setup_log" 2>&1
+		fi
 		set_progress_str 8 'Installing salt-minion & python modules'
 		{
-			yum -y install epel-release
-			yum -y install salt-minion-3001.1\
-				python3\
+			if [[ ! $is_iso ]]; then
+			  yum -y install epel-release
+			  yum -y install salt-minion-3001.1\
+			   	python3\
 				python36-docker\
 				python36-dateutil\
 				python36-m2crypto\
@@ -1386,7 +1408,8 @@ saltify() {
 				lvm2\
 				openssl\
 				jq;
-			yum -y update --exclude=salt*;
+			  yum -y update --exclude=salt*;
+			fi
 			systemctl enable salt-minion;
 		} >> "$setup_log" 2>&1
 		yum versionlock salt*

setup/so-setup

@@ -182,6 +182,22 @@ elif [ "$install_type" = 'IMPORT' ]; then
 	is_import=true
 fi
 
+# Say yes to the dress if its an ISO install
+if [[ "$setup_type" == 'iso' ]]; then
+  is_iso=true
+fi
+
+#Check if this is an airgap install
+
+if [[ $is_manager ]]; then
+    if [[ $is_iso ]]; then
+      whiptail_airgap
+      if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
+        is_airgap=true
+      fi
+    fi
+fi
+
 if [[ $is_manager && $is_sensor ]]; then
 	check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then

setup/so-whiptail

@@ -18,6 +18,18 @@
 source ./so-variables
 source ./so-common-functions
 
+whiptail_airgap() {
+
+	[ -n "$TESTING" ] && return
+
+	INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \
+	"Choose your install conditions:" 20 75 4 \
+	"STANDARD" "This manager has internet accesss" ON  \
+	"AIRGAP" "This manager does not have internet access" OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
 
 whiptail_basic_zeek() {
 
@@ -1123,8 +1135,6 @@ whiptail_so_allow() {
 		export ALLOW_ROLE='a'
 		export ALLOW_CIDR
 	fi
-
-	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_gauge_post_setup() {