From 11ebc6b8b20f48e75ecfb30b1dc298e846ce8e16 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 14 Aug 2020 15:28:35 -0400 Subject: [PATCH 1/6] Do not cancel setup if user choose not to run so-allow during setup --- setup/so-whiptail | 2 -- 1 file changed, 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 6cf4374fc..1e019b58c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1123,8 +1123,6 @@ whiptail_so_allow() { export ALLOW_ROLE='a' export ALLOW_CIDR fi - - whiptail_check_exitstatus $exitstatus } whiptail_gauge_post_setup() { From bac58abf3e71ff80558fa485d682019da0add9c1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 14 Aug 2020 15:32:33 -0400 Subject: [PATCH 2/6] Airgap round 1 --- setup/so-functions | 89 +++++++++++++++++++++++++++++----------------- setup/so-setup | 16 +++++++++ setup/so-whiptail | 12 +++++++ 3 files changed, 84 insertions(+), 33 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 95409b84a..d155f7881 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -655,24 +655,27 @@ detect_os() { echo "Installing required packages to run installer..." >> "$setup_log" 2>&1 # Install bind-utils so the host command exists - if ! command -v host > /dev/null 2>&1; then + if [[ ! $is_iso ]]; then + if ! command -v host > /dev/null 2>&1; then yum -y install bind-utils >> "$setup_log" 2>&1 - fi - if ! command -v nmcli > /dev/null 2>&1; then + fi + if ! command -v nmcli > /dev/null 2>&1; then { yum -y install NetworkManager; systemctl enable NetworkManager; systemctl start NetworkManager; } >> "$setup_log" 2<&1 - fi - if ! command -v bc > /dev/null 2>&1; then + fi + if ! command -v bc > /dev/null 2>&1; then yum -y install bc >> "$setup_log" 2>&1 - fi - if ! yum versionlock > /dev/null 2>&1; then + fi + if ! yum versionlock > /dev/null 2>&1; then yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1 - fi - - + fi + else + logCmd "systemctl enable NetworkManager" + logCmd "systemctl start NetworkManager" + fi elif [ -f /etc/os-release ]; then OS=ubuntu if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then @@ -745,8 +748,12 @@ docker_install() { if [ $OS = 'centos' ]; then { yum clean expire-cache; - yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; - yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7; + if [[ ! $is_airgap ]]; then + yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo; + fi + if [[ ! $is_iso ]]; then + yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7; + fi yum versionlock docker-ce-19.03.11-3.el7; yum versionlock containerd.io-1.2.13-3.2.el7 } >> "$setup_log" 2>&1 
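Review bot: On the ISO path the new `if [[ ! $is_iso ]]` in detect_os skips the `command -v host`/`nmcli`/`bc` and `yum versionlock` probes entirely, so an ISO image that happens to lack one of these tools is never detected or logged; keeping the probes unconditional and gating only the `yum -y install` inside each one (`if ! command -v host >/dev/null 2>&1; then [[ $is_iso ]] && warn "host missing on ISO" || yum -y install bind-utils ...; fi`, or equivalent) preserves the check. The same gate pattern appears in the docker_install hunk below, where `[[ ! $is_airgap ]]` and `[[ ! $is_iso ]]` reference variables that are only set in so-setup; if this file is ever run under `set -u`, an unset `is_iso` aborts here, so `${is_iso:-}` would be the defensive spelling. A one-line comment stating the assumption, `# ISO installs ship these packages preinstalled; only enable services`, would also help the next reader. Both detect_os and docker_install start before their hunks and continue past them.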
@@ -989,10 +996,10 @@ install_cleanup() {
 
 import_registry_docker() {
 if [ -f /nsm/docker-registry/docker/registry_image.tar ]; then
- service docker start
- docker import /nsm/docker-registry/docker/registry_image.tar registry:2
+ logCmd "service docker start"
+ logCmd "docker import /nsm/docker-registry/docker/registry_image.tar registry:2"
 else
- echo "Need to download registry"
+ info "Need to download registry"
 fi
 }
 
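Review bot: The return status of both `logCmd` calls is discarded, so a failed `docker import` leaves import_registry_docker returning 0 and setup proceeds without the registry image. If `logCmd` propagates the wrapped command's status (its definition is not in this patch, so confirm), `logCmd "docker import /nsm/docker-registry/docker/registry_image.tar registry:2" || return 1` would surface the failure to the caller. The tarball is also imported as-is; if the ISO ships a checksum next to it, verifying it before the import is a cheap integrity check for an offline install.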
@@ -1341,41 +1348,56 @@ saltify() { cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' - yum -y install wget nmap-ncat >> "$setup_log" 2>&1 + if [[ ! $is_iso ]]; then + logCmd "yum -y install wget nmap-ncat" + fi case "$install_type" in 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') reserve_group_ids >> "$setup_log" 2>&1 - yum -y install epel-release >> "$setup_log" 2>&1 - yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1 + if [[ ! $is_iso ]]; then + logCmd "yum -y install epel-release" + logCmd "yum -y install sqlite argon2 curl mariadb-devel" + fi # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 + if [[ ! $is_airgap ]]; then + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" + logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" + logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" + fi set_progress_str 7 'Installing salt-master' - yum -y install salt-master-3001.1 >> "$setup_log" 2>&1 + if [[ ! 
$is_iso ]]; then + logCmd "yum -y install salt-master-3001.1" + fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; *) if [ "$MANAGERUPDATES" = '1' ]; then { - # Create the GPG Public Key for the Salt Repo - cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; + if [[ ! $is_airgap ]]; then + # Create the GPG Public Key for the Salt Repo + cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key; - # Copy repo files over - cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; + # Copy repo files over + cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; + else + info "This is airgap" + fi } >> "$setup_log" 2>&1 fi ;; esac - cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 - yum clean expire-cache >> "$setup_log" 2>&1 + if [[ ! $is_airgap ]]; then + cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1 + yum clean expire-cache >> "$setup_log" 2>&1 + fi set_progress_str 8 'Installing salt-minion & python modules' { - yum -y install epel-release - yum -y install salt-minion-3001.1\ - python3\ + if [[ ! $is_iso ]]; then + yum -y install epel-release + yum -y install salt-minion-3001.1\ + python3\ python36-docker\ python36-dateutil\ python36-m2crypto\ @@ -1385,7 +1407,8 @@ saltify() { lvm2\ openssl\ jq; - yum -y update --exclude=salt*; + yum -y update --exclude=salt*; + fi systemctl enable salt-minion; } >> "$setup_log" 2>&1 yum versionlock salt* diff --git a/setup/so-setup b/setup/so-setup index e99ab399b..7c5d5a8a2 100755 --- a/setup/so-setup +++ b/setup/so-setup 
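Review bot: In the manager branch of saltify, `cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo` is a purely local copy yet it sits inside the `[[ ! $is_airgap ]]` block with the three `wget` downloads, and the same copy is gated on airgap again after the `esac`; if leaving the wazuh repo unconfigured on airgap managers is intended, say so in a comment, otherwise move the `cp` out of the network-only block. The `else info "This is airgap"` message in the `*)` branch tells the log nothing about what was skipped; `info "Airgap install: skipping saltstack key and repo setup"` would. `yum versionlock salt*` and `systemctl enable salt-minion` still run unconditionally on the ISO path, which presumes the ISO preinstalled salt-minion; a comment stating that assumption belongs next to the `if [[ ! $is_iso ]]` guard. saltify starts before this hunk and continues past the second hunk at @@ -1385.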
@@ -182,6 +182,22 @@ elif [ "$install_type" = 'IMPORT' ]; then is_import=true fi +# Say yes to the dress if its an ISO install +if [[ "$setup_type" == 'iso' ]]; then + is_iso=true +fi + +#Check if this is an airgap install + +if [[ $is_manager ]]; then + if [[ $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi + fi +fi + if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" elif [[ $is_fleet_standalone ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 6cf4374fc..9dfe566c1 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -18,6 +18,18 @@ source ./so-variables source ./so-common-functions +whiptail_airgap() { + + [ -n "$TESTING" ] && return + + INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose your install conditions:" 20 75 4 \ + "STANDARD" "This manager has internet accesss" ON \ + "AIRGAP" "This manager does not have internet access" OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} whiptail_basic_zeek() { From 47faee48a6a01083d41f09ca6b2d3ad6518ba0e1 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 14 Aug 2020 15:58:59 -0400 Subject: [PATCH 3/6] heavynode firewall rules --- salt/firewall/assigned_hostgroups.map.yaml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index b6dd7b9bc..f7f87eb5f 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml 
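Review bot: `is_airgap` is only ever set inside `if [[ $is_manager ]]`, so a sensor, search or heavy node installed from the same ISO into the same airgapped network never gets `is_airgap=true`; judging from the so-functions hunks in this series, those nodes would then still attempt `yum-config-manager --add-repo https://download.docker.com/...` and the `wget` key downloads. If non-manager ISO installs are expected to be airgapped too, the prompt (or a manager-supplied setting) should set `is_airgap` for them as well — e.g. drop the manager gate and use `if [[ $is_iso ]]; then whiptail_airgap; ...`. Also `#Check if this is an airgap install` is missing the space after `#` that the comment two lines above uses.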
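Review bot: The user-visible radio label in whiptail_airgap has a typo, `"STANDARD" "This manager has internet accesss" ON \` should read `"This manager has internet access"`. The `[ -n "$TESTING" ] && return` early exit leaves `INTERWEBS` unset, which the caller in so-setup then treats as a non-airgap install; that is probably intended but deserves a comment such as `# TESTING: no prompt, INTERWEBS stays unset (treated as STANDARD)`. `local exitstatus=$?` works here only because `$?` is expanded before `local` runs; the file's other prompts may use the same idiom, but `local exitstatus; INTERWEBS=$(...); exitstatus=$?` is the less fragile form.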
@@ -442,16 +442,24 @@ role: chain: DOCKER-USER: hostgroups: - self: + manager: portgroups: - - {{ portgroups.redis }} - - {{ portgroups.beats_5044 }} - - {{ portgroups.beats_5644 }} + - {{ portgroups.elasticsearch_node }} + dockernet: + portgroups: + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.elasticsearch_rest }} + elasticsearch_rest: + portgroups: + - {{ portgroups.elasticsearch_rest }} INPUT: hostgroups: anywhere: portgroups: - {{ portgroups.ssh }} + dockernet: + portgroups: + - {{ portgroups.all }} localhost: portgroups: - {{ portgroups.all }} From 5220b5ae0c0f03bb4ce6668506b3d1984fc16b1c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 14 Aug 2020 16:37:45 -0400 Subject: [PATCH 4/6] use new module.run style --- salt/patch/needs_restarting.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/patch/needs_restarting.sls b/salt/patch/needs_restarting.sls index f60909d22..40280d6e2 100644 --- a/salt/patch/needs_restarting.sls +++ b/salt/patch/needs_restarting.sls @@ -1,5 +1,5 @@ needs_restarting: module.run: - mine.send: - - func: needs_restarting.check + - name: needs_restarting.check - order: last From 43f6f5c27a98af7ab8fcfba79eb9710155c84b7a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 14 Aug 2020 16:45:28 -0400 Subject: [PATCH 5/6] send service status to /dev/null to prevent FP on install failure --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 773f634cf..c2b9b9fff 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -233,7 +233,7 @@ check_service_status() { local service_name=$1 echo "Checking service $service_name status" >> "$setup_log" 2>&1 - systemctl status $service_name >> "$setup_log" 2>&1 + systemctl status $service_name > /dev/null 2>&1 local status=$? #true if there is an issue with the service false if it is running properly if [ $status -gt 0 ]; then 
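Review bot: The new INPUT entry grants `dockernet` the `portgroups.all` portgroup, so every address on the container network can reach every port the host listens on; the DOCKER-USER entries in the same hunk show the narrower style (named portgroups per hostgroup), and if only a few host services need to be reachable from containers, listing those portgroups explicitly keeps the rule set least-privilege. The role key this chain belongs to is outside the hunk (the subject line says heavynode), so confirm that dropping `portgroups.redis`, `portgroups.beats_5044` and `portgroups.beats_5644` from DOCKER-USER does not cut off a Filebeat-to-Redis path this role still uses. A short comment above `dockernet:` stating why the container network needs all host ports would document the decision.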
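Review bot: The new `systemctl status $service_name > /dev/null 2>&1` drops the status output from the setup log entirely, so when the check does fail there is no longer any record of why; if the goal is only to stop the output being mistaken for an error, `systemctl is-active --quiet "$service_name"` gives the same yes/no answer without the noise (and `$service_name` should be quoted either way). If the full status text is still wanted for troubleshooting, log it separately from the exit-status check. check_service_status continues past this hunk.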
From 387c26f052c1a74990ec61cba7c45113b974986f Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 14 Aug 2020 17:10:36 -0400
Subject: [PATCH 6/6] set checking interval for sensoroni on import node
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-functions b/setup/so-functions
index c2b9b9fff..b09693e14 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1080,7 +1080,7 @@ manager_global() {
 
 if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then
 SENSOR_CHECKIN_INTERVAL_MS=10000
- if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ]; then
+ if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ] || [ "$install_type" = 'IMPORT' ]; then
 SENSOR_CHECKIN_INTERVAL_MS=1000
 fi
 fi
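Review bot: The `||` chain of `[ "$install_type" = ... ]` tests is now three terms long and will keep growing as single-node install types are added; a `case "$install_type" in EVAL|STANDALONE|IMPORT) SENSOR_CHECKIN_INTERVAL_MS=1000 ;; esac` reads as one list and matches the `case` already used in saltify elsewhere in this file. A comment on the `1000` value, `# single-node installs: the sensor is local, poll every second`, would also explain why these types get the shorter interval. manager_global starts before this hunk and continues past it.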