From 547abb0fe1ae23d44dddd2957bcec779c2ad8dfa Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 14 Sep 2022 12:12:33 -0400 Subject: [PATCH] Remove learn --- salt/allowed_states.map.jinja | 15 +- salt/common/tools/sbin/so-learn | 295 -------- salt/top.sls | 5 - setup/so-setup.old | 1146 ------------------------------- 4 files changed, 5 insertions(+), 1456 deletions(-) delete mode 100755 salt/common/tools/sbin/so-learn delete mode 100755 setup/so-setup.old diff --git a/salt/allowed_states.map.jinja b/salt/allowed_states.map.jinja index ed530ac91..fa74b3751 100644 --- a/salt/allowed_states.map.jinja +++ b/salt/allowed_states.map.jinja @@ -47,8 +47,7 @@ 'schedule', 'soctopus', 'tcpreplay', - 'docker_clean', - 'learn' + 'docker_clean' ], 'so-heavynode': [ 'ssl', @@ -106,8 +105,7 @@ 'zeek', 'schedule', 'tcpreplay', - 'docker_clean', - 'learn' + 'docker_clean' ], 'so-manager': [ 'salt.master', @@ -128,8 +126,7 @@ 'utility', 'schedule', 'soctopus', - 'docker_clean', - 'learn' + 'docker_clean' ], 'so-managersearch': [ 'salt.master', @@ -150,8 +147,7 @@ 'utility', 'schedule', 'soctopus', - 'docker_clean', - 'learn' + 'docker_clean' ], 'so-searchnode': [ 'ssl', @@ -184,8 +180,7 @@ 'schedule', 'soctopus', 'tcpreplay', - 'docker_clean', - 'learn' + 'docker_clean' ], 'so-sensor': [ 'ssl', diff --git a/salt/common/tools/sbin/so-learn b/salt/common/tools/sbin/so-learn deleted file mode 100755 index 2b766c738..000000000 --- a/salt/common/tools/sbin/so-learn +++ /dev/null @@ -1,295 +0,0 @@ -#!/usr/bin/env python3 - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - - -from itertools import chain -from typing import List - -import signal -import sys -import os -import re -import subprocess -import argparse -import textwrap -import yaml -import multiprocessing -import docker -import pty - -minion_pillar_dir = '/opt/so/saltstack/local/pillar/minions' -so_status_conf = '/opt/so/conf/so-status/so-status.conf' -proc: subprocess.CompletedProcess = None - -# Temp store of modules, will likely be broken out into salt -def get_learn_modules(): - return { - 'logscan': { 'cpu_period': get_cpu_period(fraction=0.25), 'enabled': False, 'description': 'Scan log files against pre-trained models to alert on anomalies.' } - } - - -def get_cpu_period(fraction: float): - multiplier = 10000 - - num_cores = multiprocessing.cpu_count() - if num_cores <= 2: - fraction = 1. - - num_used_cores = int(num_cores * fraction) - cpu_period = num_used_cores * multiplier - return cpu_period - - -def sigint_handler(*_): - print('Exiting gracefully on Ctrl-C') - if proc is not None: proc.send_signal(signal.SIGINT) - sys.exit(1) - - -def find_minion_pillar() -> str: - regex = '^.*_(manager|managersearch|standalone|import|eval)\.sls$' - - result = [] - for root, _, files in os.walk(minion_pillar_dir): - for f_minion_id in files: - if re.search(regex, f_minion_id): - result.append(os.path.join(root, f_minion_id)) - - if len(result) == 0: - print('Could not find manager-type pillar (eval, standalone, manager, managersearch, import). Are you running this script on the manager?', file=sys.stderr) - sys.exit(3) - elif len(result) > 1: - res_str = ', '.join(f'\"{result}\"') - print('(This should not happen, the system is in an error state if you see this message.)\n', file=sys.stderr) - print('More than one manager-type pillar exists, minion id\'s listed below:', file=sys.stderr) - print(f' {res_str}', file=sys.stderr) - sys.exit(3) - else: - return result[0] - - -def read_pillar(pillar: str): - try: - with open(pillar, 'r') as pillar_file: - loaded_yaml = yaml.safe_load(pillar_file.read()) - if loaded_yaml is None: - print(f'Could not parse {pillar}', file=sys.stderr) - sys.exit(3) - return loaded_yaml - except: - print(f'Could not open {pillar}', file=sys.stderr) - sys.exit(3) - - -def write_pillar(pillar: str, content: dict): - try: - with open(pillar, 'w') as pillar_file: - yaml.dump(content, pillar_file, default_flow_style=False) - except: - print(f'Could not open {pillar}', file=sys.stderr) - sys.exit(3) - - -def mod_so_status(action: str, item: str): - with open(so_status_conf, 'a+') as conf: - conf.seek(0) - containers = conf.readlines() - - if f'so-{item}\n' in containers: - if action == 'remove': containers.remove(f'so-{item}\n') - if action == 'add': pass - else: - if action == 'remove': pass - if action == 'add': containers.append(f'so-{item}\n') - - [containers.remove(c_name) for c_name in containers if c_name == '\n'] # remove extra newlines - - conf.seek(0) - conf.truncate(0) - conf.writelines(containers) - - -def create_pillar_if_not_exist(pillar:str, content: dict): - pillar_dict = content - - if pillar_dict.get('learn', {}).get('modules') is None: - pillar_dict['learn'] = {} - pillar_dict['learn']['modules'] = get_learn_modules() - content.update() - write_pillar(pillar, content) - - return content - - -def salt_call(module: str): - salt_cmd = ['salt-call', 'state.apply', '-l', 'quiet', f'learn.{module}', 'queue=True'] - - print(f' Applying salt state for {module} module...') - proc = subprocess.run(salt_cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) - return_code = proc.returncode - if return_code != 0: - print(f' [ERROR] Failed to apply salt state for {module} module.') - - return return_code - - -def pull_image(module: str): - container_basename = f'so-{module}' - - client = docker.from_env() - image_list = client.images.list(filters={ 'dangling': False }) - tag_list = list(chain.from_iterable(list(map(lambda x: x.attrs.get('RepoTags'), image_list)))) - basename_match = list(filter(lambda x: f'{container_basename}' in x, tag_list)) - local_registry_match = list(filter(lambda x: ':5000' in x, basename_match)) - - if len(local_registry_match) == 0: - print(f'Pulling and verifying missing image for {module} (may take several minutes) ...') - pull_command = ['so-image-pull', '--quiet', container_basename] - - proc = subprocess.run(pull_command, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL) - return_code = proc.returncode - if return_code != 0: - print(f'[ERROR] Failed to pull image so-{module}, skipping state.') - else: - return_code = 0 - return return_code - - -def apply(module_list: List): - return_code = 0 - for module in module_list: - salt_ret = salt_call(module) - # Only update return_code if the command returned a non-zero return - if salt_ret != 0: - return_code = salt_ret - - return return_code - - -def check_apply(args: dict): - if args.apply: - print('Configuration updated. Applying changes:') - return apply(args.modules) - else: - message = 'Configuration updated. Would you like to apply your changes now? (y/N) ' - answer = input(message) - while answer.lower() not in [ 'y', 'n', '' ]: - answer = input(message) - if answer.lower() in [ 'n', '' ]: - return 0 - else: - print('Applying changes:') - return apply(args.modules) - - -def enable_disable_modules(args, enable: bool): - pillar_modules = args.pillar_dict.get('learn', {}).get('modules') - pillar_mod_names = args.pillar_dict.get('learn', {}).get('modules').keys() - - action_str = 'add' if enable else 'remove' - - if 'all' in args.modules: - for module, details in pillar_modules.items(): - details['enabled'] = enable - mod_so_status(action_str, module) - if enable: pull_image(module) - args.pillar_dict.update() - write_pillar(args.pillar, args.pillar_dict) - else: - write_needed = False - for module in args.modules: - if module in pillar_mod_names: - if pillar_modules[module]['enabled'] == enable: - state_str = 'enabled' if enable else 'disabled' - print(f'{module} module already {state_str}.', file=sys.stderr) - else: - if enable and pull_image(module) != 0: - continue - pillar_modules[module]['enabled'] = enable - mod_so_status(action_str, module) - write_needed = True - if write_needed: - args.pillar_dict.update() - write_pillar(args.pillar, args.pillar_dict) - - cmd_ret = check_apply(args) - return cmd_ret - - -def enable_modules(args): - enable_disable_modules(args, enable=True) - - -def disable_modules(args): - enable_disable_modules(args, enable=False) - - -def list_modules(*_): - print('Available ML modules:') - for module, details in get_learn_modules().items(): - print(f' - { module } : {details["description"]}') - return 0 - - -def main(): - beta_str = 'BETA - SUBJECT TO CHANGE\n' - - apply_help='After ACTION the chosen modules, apply any necessary salt states.' - enable_apply_help = apply_help.replace('ACTION', 'enabling') - disable_apply_help = apply_help.replace('ACTION', 'disabling') - - signal.signal(signal.SIGINT, sigint_handler) - - if os.geteuid() != 0: - print('You must run this script as root', file=sys.stderr) - sys.exit(1) - - main_parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter) - - subcommand_desc = textwrap.dedent( - """\ - enable Enable one or more ML modules. - disable Disable one or more ML modules. - list List all available ML modules. - """ - ) - - subparsers = main_parser.add_subparsers(title='commands', description=subcommand_desc, metavar='', dest='command') - - module_help_str = 'One or more ML modules, which can be listed using \'so-learn list\'. Use the keyword \'all\' to apply the action to all available modules.' - - enable = subparsers.add_parser('enable') - enable.set_defaults(func=enable_modules) - enable.add_argument('modules', metavar='ML_MODULE', nargs='+', help=module_help_str) - enable.add_argument('--apply', action='store_const', const=True, required=False, help=enable_apply_help) - - disable = subparsers.add_parser('disable') - disable.set_defaults(func=disable_modules) - disable.add_argument('modules', metavar='ML_MODULE', nargs='+', help=module_help_str) - disable.add_argument('--apply', action='store_const', const=True, required=False, help=disable_apply_help) - - list = subparsers.add_parser('list') - list.set_defaults(func=list_modules) - - args = main_parser.parse_args(sys.argv[1:]) - args.pillar = find_minion_pillar() - args.pillar_dict = create_pillar_if_not_exist(args.pillar, read_pillar(args.pillar)) - - if hasattr(args, 'func'): - exit_code = args.func(args) - else: - if args.command is None: - print(beta_str) - main_parser.print_help() - sys.exit(0) - - sys.exit(exit_code) - - -if __name__ == '__main__': - main() diff --git a/salt/top.sls b/salt/top.sls index 6dc1f7dc2..e12a3a22e 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -114,7 +114,6 @@ base: {%- endif %} - docker_clean - pipeline.load - - learn '*_manager and G@saltversion:{{saltversion}}': - match: compound @@ -160,7 +159,6 @@ base: - playbook - docker_clean - pipeline.load - - learn '*_standalone and G@saltversion:{{saltversion}}': - match: compound @@ -215,7 +213,6 @@ base: - docker_clean - elastic-fleet - pipeline.load - - learn '*_searchnode and G@saltversion:{{saltversion}}': - match: compound @@ -281,7 +278,6 @@ base: - playbook - docker_clean - pipeline.load - - learn '*_heavynode and G@saltversion:{{saltversion}}': - match: compound @@ -348,7 +344,6 @@ base: - schedule - docker_clean - pipeline.load - - learn '*_receiver and G@saltversion:{{saltversion}}': - match: compound diff --git a/setup/so-setup.old b/setup/so-setup.old deleted file mode 100755 index d916777fd..000000000 --- a/setup/so-setup.old +++ /dev/null @@ -1,1146 +0,0 @@ -#!/bin/bash - -# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one -# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at -# https://securityonion.net/license; you may not use this file except in compliance with the -# Elastic License 2.0. - - -# Make sure you are root before doing anything -uid="$(id -u)" -if [ "$uid" -ne 0 ]; then - echo "This script must be run using sudo!" - exit 1 -fi - -# Save the original argument array since we modify it -original_args=("$@") - -cd "$(dirname "$0")" || exit 255 - -echo "Getting started..." - -# Source the generic function libraries that are also used by the product after -# setup. These functions are intended to be reusable outside of the setup process. -source ../salt/common/tools/sbin/so-common -source ../salt/common/tools/sbin/so-image-common - -# Setup bash functionality is divided into functions and user-facing prompts. -# Do not attempt to re-use any of this functionality outside of setup. Instead, -# if needed, migrated generic functions into so-common. -source ./so-functions -source ./so-whiptail - -# Finally, source the default variable definitions, which require availability of -# functions sourced above. -source ./so-variables - -# Parse command line arguments -setup_type=$1 -automation=$2 -WHATWOULDYOUSAYYAHDOHERE=setup - -while [[ $# -gt 0 ]]; do - arg="$1" - shift - case "$arg" in - "--turbo="* ) - export TURBO="http://${arg#*=}";; - "--proxy="* ) - export {http,https,ftp,rsync,all}_proxy="${arg#*=}";; - "--allow-role="* ) - export ALLOW_ROLE="${arg#*=}";; - "--allow-cidr="* ) - export ALLOW_CIDR="${arg#*=}";; - "--skip-reboot" ) - export SKIP_REBOOT=1;; - * ) - if [[ "$arg" == "--"* ]]; then - echo "Invalid option" - fi - esac -done - -detect_os -is_analyst= -if [ "$setup_type" = 'analyst' ]; then - is_analyst=true - # Check to see if this is an ISO - if [ -d /root/SecurityOnion ]; then - is_analyst_iso=true - fi -fi - -if [[ "$setup_type" == 'iso' ]]; then - if [[ $is_centos ]]; then - is_iso=true - else - echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." - exit 1 - fi -fi - -# Check to see if this is an analyst install. If it is let's run things differently - -if [[ $is_analyst ]]; then - - # Make sure it's CentOS - if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7" - exit 1 - fi - - if ! whiptail_analyst_install; then - if [[ $is_analyst_iso ]]; then - if whiptail_analyst_nongrid_iso; then - # Remove setup from auto launching - parse_install_username - sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 - echo "Enabling graphical interface and setting it to load at boot" - systemctl set-default graphical.target - startx - exit 0 - else - # Abort! - exit 0 - fi - else - if whiptail_analyst_nongrid_network; then - echo "" - echo "" - echo "Kicking off the automated setup of the analyst workstation. This can take a while depending on your network connection." - echo "" - echo "" - analyst_salt_local - else - # Abort! - exit 0 - fi - fi - fi - - # If you got this far then you want to join the grid - is_minion=true - -fi - - - -if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then - exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" -fi - -if [[ -f /root/accept_changes ]]; then - is_reinstall=true - - # Move last setup log to backup - mv "$setup_log" "$setup_log.bak" - [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" -fi - -parse_install_username - -if ! [ -f $install_opt_file ]; then - # Begin Installation pre-processing - title "Initializing Setup" - info "Installing as the $INSTALLUSERNAME user" - - analyze_system -fi - -# Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) -trap 'catch $LINENO' SIGUSR1 -setup_proc="$$" -catch() { - info "Fatal error occurred at $1 in so-setup, failing setup." - grep --color=never "ERROR" "$setup_log" > "$error_log" - whiptail_setup_failed - exit 1 -} -automated=no -progress() { - local msg=${1:-'Please wait while installing...'} - - if [ $automated == no ]; then - whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text - else - cat >> $setup_log 2>&1 - fi -} - -if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then - echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 - source automation/$automation - automated=yes - - attempt=1 - attempts=60 - ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 - while [ $? -ne 0 ]; do - ip a >> $setup_log 2>&1 - if [ $attempt -gt $attempts ]; then - echo "Network unavailable - setup cannot continue" >> $setup_log 2>&1 - exit 1 - fi - echo "Waiting for network to come up (attempt $attempt of $attempts)" >> $setup_log 2>&1 - attempt=$((attempt + 1)) - sleep 10; - ip a | grep "$MNIC:" | grep "state UP" >> $setup_log 2>&1 - done - echo "Network is up on $MNIC" >> $setup_log 2>&1 - - if [[ ! $is_iso ]]; then - echo "Installing sshpass for automated testing." >> $setup_log 2>&1 - if [ "$OS" == ubuntu ]; then - retry 50 10 "apt-get -y install sshpass" >> $setup_log 2>&1 || exit 1 - else - yum -y install sshpass >> $setup_log 2>&1 - fi - fi -fi - -case "$setup_type" in - iso | network | analyst) # Accepted values - echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 - ;; - *) - echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log - exit 1 - ;; -esac - -#set ssh commands that will be used based on if this is an automated test install or not -set_ssh_cmds $automated - -# Allow execution of SO tools during setup -local_sbin="$(pwd)/../salt/common/tools/sbin" -export PATH=$PATH:$local_sbin - -set_palette >> $setup_log 2>&1 - -# Kernel messages can overwrite whiptail screen #812 -# https://github.com/Security-Onion-Solutions/securityonion/issues/812 -dmesg -D - -# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084 -# https://github.com/Security-Onion-Solutions/securityonion/issues/1084 -if [ "$automated" == no ]; then - TTY=$(tty) - echo "Setup is running on TTY $TTY" >> $setup_log 2>&1 - if echo $TTY | grep -q "/dev/tty"; then - CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) - echo "Kernel consoleblank value before: $CONSOLEBLANK" >> $setup_log 2>&1 - if [ $CONSOLEBLANK -gt 0 ]; then - echo "Running 'setterm -blank 0' for TTY $TTY" >> $setup_log 2>&1 - TERM=linux setterm -blank 0 >$TTY <$TTY - CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank) - echo "Kernel consoleblank value after: $CONSOLEBLANK" >> $setup_log 2>&1 - fi - fi -fi - -if ! [[ -f $install_opt_file ]]; then - if (whiptail_you_sure); then - true - else - echo "User cancelled setup." | tee -a "$setup_log" - whiptail_cancel - fi - if [[ $is_analyst ]]; then - collect_hostname - if [[ $is_analyst_iso ]]; then - # Prompt Network Setup - whiptail_management_nic - whiptail_dhcp_or_static - - if [ "$address_type" != 'DHCP' ]; then - collect_int_ip_mask - collect_gateway - collect_dns - collect_dns_domain - fi - - fi - if [[ ! $is_analyst_iso ]]; then - # This should be a network install - whiptail_network_notice - whiptail_dhcp_warn - whiptail_management_nic - fi - whiptail_network_init_notice - network_init - printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" - set_main_ip - compare_main_nic_ip - - fi - - if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then - whiptail_first_menu_iso - if [[ $option == "CONFIGURENETWORK" ]]; then - collect_hostname - network_init_whiptail - whiptail_network_init_notice - network_init - printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" - set_main_ip - compare_main_nic_ip - whiptail_net_setup_complete - else - true - fi - fi - if [[ ! $is_analyst ]]; then - whiptail_install_type - fi -else - source $install_opt_file -fi - -if [ "$install_type" = 'EVAL' ]; then - is_node=true - is_manager=true - is_sensor=true - is_eval=true - STRELKARULES=1 -elif [ "$install_type" = 'STANDALONE' ]; then - is_manager=true - is_distmanager=true - is_node=true - is_sensor=true -elif [ "$install_type" = 'MANAGERSEARCH' ]; then - is_manager=true - is_distmanager=true - is_node=true -elif [ "$install_type" = 'MANAGER' ]; then - is_manager=true - is_distmanager=true -elif [ "$install_type" = 'SENSOR' ]; then - is_sensor=true - is_minion=true -elif [[ "$install_type" =~ ^('SEARCHNODE'|'HOTNODE'|'WARMNODE')$ ]]; then - is_node=true - is_minion=true -elif [ "$install_type" = 'HEAVYNODE' ]; then - is_node=true - is_minion=true - is_sensor=true -elif [ "$install_type" = 'FLEET' ]; then - is_minion=true - is_fleet_standalone=true - OSQUERY=1 -elif [ "$install_type" = 'IDH' ]; then - is_minion=true - is_idh=true - IDH=1 -elif [ "$install_type" = 'HELIXSENSOR' ]; then - is_helix=true -elif [ "$install_type" = 'IMPORT' ]; then - is_import=true -elif [ "$install_type" = 'RECEIVER' ]; then - is_minion=true - is_receiver=true -elif [ "$install_type" = 'ANALYST' ]; then - if [ "$setup_type" != 'analyst' ]; then - exec bash so-setup analyst - fi -fi - -if [[ $is_manager || $is_import ]]; then - check_elastic_license -fi - -if ! [[ -f $install_opt_file ]]; then - if [[ $is_manager && $is_sensor ]]; then - check_requirements "standalone" - elif [[ $is_fleet_standalone ]]; then - check_requirements "dist" "fleet" - elif [[ $is_idh ]]; then - check_requirements "dist" "idh" - elif [[ $is_sensor && ! $is_eval ]]; then - check_requirements "dist" "sensor" - elif [[ $is_distmanager || $is_minion ]] && [[ ! ( $is_import || $is_analyst ) ]]; then - check_requirements "dist" - elif [[ $is_import ]]; then - check_requirements "import" - fi - - [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - collect_hostname - fi - - [[ ! ( $is_eval || $is_import ) ]] && whiptail_node_description - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - network_init_whiptail - else - source "$net_init_file" - fi - - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then - whiptail_network_init_notice - network_init - fi - - set_main_ip - compare_main_nic_ip - - if [[ $is_minion ]]; then - collect_mngr_hostname - add_mngr_ip_to_hosts - whiptail_ssh_key_copy_notice - copy_ssh_key >> $setup_log 2>&1 - fi - - if [[ $is_idh ]]; then - collect_idh_services - collect_idh_preferences - fi - - # Check if this is an airgap install - if [[ ( $is_manager || $is_import) && $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi - elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 - airgap_check=$? - [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 - fi - - reset_proxy - if [[ -z $is_airgap ]]; then - collect_net_method - [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 - fi - - if [[ $is_minion ]] && ! (compare_versions); then - info "Installer version mismatch, downloading correct version from manager" - printf '%s\n' \ - "install_type=$install_type" \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" \ - "MSRV=$MSRV" \ - "MSRVIP=$MSRVIP" \ - "is_airgap=$is_airgap" \ - "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" - [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" - download_repo_tarball - exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" - fi -else - rm -rf $install_opt_file >> "$setup_log" 2>&1 -fi - -if [[ -z $is_airgap ]]; then - percentage=0 - { - installer_progress_loop 'Running preflight checks...' & - progress_bg_proc=$! - ./so-preflight true "$setup_log" >> $setup_log 2>&1 - preflight_ret=$? - echo "$preflight_ret" > /tmp/preflight_ret - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null - } | progress '...' - [[ -f /tmp/preflight_ret ]] && preflight_ret=$(cat /tmp/preflight_ret) - rm /tmp/preflight_ret - if [[ -n $preflight_ret && $preflight_ret -gt 0 ]] && ! ( whiptail_preflight_err ); then - whiptail_cancel - fi -fi - -percentage=0 -{ - installer_progress_loop 'Checking that all required packages are installed and enabled...' & # Run progress bar to 98 in ~8 minutes while waiting for package installs - progress_bg_proc=$! - installer_prereq_packages - install_success=$? - kill -9 "$progress_bg_proc" - wait "$progress_bg_proc" &> /dev/null # Kill just sends signal, redirect output of wait to catch stdout - if [[ $install_success -gt 0 ]]; then - echo "Could not install packages required for setup, exiting now." >> "$setup_log" 2>&1 - kill -SIGUSR1 "$setup_proc"; exit 1 - fi -} | progress '...' - -detect_cloud - -short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') - -if [[ $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') -fi -if [[ ! $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') -fi -export MINION_ID - -echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 - -minion_type=$(get_minion_type) - -# Set any variables needed -set_default_log_size >> $setup_log 2>&1 - -if [[ $is_helix ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} -fi - -if [[ $is_helix || ( $is_manager && $is_node ) ]]; then - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} -fi - -if [[ $is_manager && $is_node ]]; then - LSPIPELINEWORKERS=${LSPIPELINEWORKERS:-1} - LSPIPELINEBATCH=${LSPIPELINEBATCH:-125} - LSINPUTTHREADS=${LSINPUTTHREADS:-1} - LSPIPELINEWORKERS=${LSPIPELINEBATCH:-125} - NIDS=${NIDS:-Suricata} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} -fi - -if [[ $is_import ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-auto} - MTU=${MTU:-1500} - RULESETUP=${RULESETUP:-ETOPEN} - NSMSETUP=${NSMSETUP:-BASIC} - HNSENSOR=${HNSENSOR:-inherit} - MANAGERUPDATES=${MANAGERUPDATES:-0} - MANAGERADV=${MANAGERADV:-BASIC} - INTERFACE=${INTERFACE:-bond0} - ZEEKVERSION=${ZEEKVERSION:-ZEEK} - NIDS=${NIDS:-Suricata} - RULESETUP=${RULESETUP:-ETOPEN} - GRAFANA=${GRAFANA:-0} - OSQUERY=${OSQUERY:-0} - WAZUH=${WAZUH:-0} - PLAYBOOK=${PLAYBOOK:-0} -fi - -if [[ $is_airgap ]]; then - PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} - [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1} -fi - -# Start user prompts - -if [[ $is_helix ]]; then - collect_helix_key -fi - -if [[ $is_helix || $is_sensor ]]; then - echo "Verifying all network devices are managed by Network Manager that should be" >> "$setup_log" 2>&1 - check_network_manager_conf - set_network_dev_status_list - whiptail_sensor_nics -fi - -if [[ $is_helix || $is_sensor || $is_import ]]; then - calculate_useable_cores -fi - -if [[ ! $is_airgap && ! $is_import ]]; then - collect_patch_schedule -fi - -if [[ $is_helix || $is_manager || $is_import ]]; then - collect_homenet_mngr -fi - -#set base elasticsearch heap size -if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then - es_heapsize -fi - -#set base logstash heap size -if [[ $is_helix || $is_manager || $is_node || $is_import || $is_receiver ]]; then - ls_heapsize -fi - -if [[ $is_manager && ! $is_eval ]]; then - whiptail_manager_adv - if [ "$MANAGERADV" = 'ADVANCED' ]; then - if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then - collect_es_cluster_name - fi - fi - - whiptail_metadata_tool - - [[ $MANAGERADV == "ADVANCED" ]] && [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_manager_adv_service_zeeklogs - - # Don't run this function for now since Snort is not yet supported - # whiptail_nids - NIDS=Suricata - whiptail_rule_setup - - if [ "$RULESETUP" != 'ETOPEN' ]; then - collect_oinkcode - fi -fi - -if [[ $is_manager ]]; then - whiptail_enable_components - - if [[ "$STRELKA" = 1 ]]; then - info "Enabling Strelka rules" - STRELKARULES=1 - else - info "Disabling Strelka rules: STRELKA='$STRELKA'" - fi - - collect_dockernet -fi - -if [[ $is_manager || $is_import ]]; then - collect_webuser_inputs - get_redirect -fi - -if [[ $is_distmanager ]]; then - collect_soremote_inputs -fi - -if [[ $is_sensor && ! $is_eval ]]; then - [[ $is_manager ]] || collect_homenet_snsr - whiptail_sensor_config - if [ $NSMSETUP == 'ADVANCED' ]; then - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && whiptail_zeek_pins - else - whiptail_zeek_pins - fi - - whiptail_suricata_pins - collect_mtu - else - if [[ $is_node && $is_sensor && ! $is_eval ]]; then - PROCS=$(( lb_procs / 2 )) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - PROCS=$lb_procs - fi - - if [[ $is_manager ]]; then - [[ $ZEEKVERSION == "ZEEK" ]] && collect_zeek - else - collect_zeek - fi - - collect_suri - fi -fi - -[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers - -if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then - whiptail_node_advanced - if [ "$NODESETUP" == 'NODEADVANCED' ]; then - if [[ ! $is_receiver ]]; then - collect_node_es_heap - collect_es_space_limit - fi - collect_node_ls_heap - collect_node_ls_pipeline_worker_count - collect_node_ls_pipeline_batch_size - collect_node_ls_input - else - if [[ ! $is_receiver ]]; then - NODE_ES_HEAP_SIZE=$ES_HEAP_SIZE - fi - NODE_LS_HEAP_SIZE=$LS_HEAP_SIZE - LSPIPELINEWORKERS=$num_cpu_cores - LSPIPELINEBATCH=125 - LSINPUTTHREADS=1 - fi -fi - -if [ "$install_type" == 'FLEET' ]; then - collect_fleetuser_inputs - collect_fleet_custom_hostname_inputs -else - FLEETNODEUSER=$WEBUSER - FLEETNODEPASSWD1=$WEBPASSWD1 -fi - -if [[ $is_manager || $is_import ]]; then collect_so_allow; fi - -# This block sets REDIRECTIT which is used by a function outside the below subshell -set_redirect >> $setup_log 2>&1 - -if [[ $is_minion ]] && ! check_manager_state; then - echo "Manager was not in a good state" >> "$setup_log" 2>&1 - whiptail_manager_error -fi - -whiptail_end_settings - -# From here on changes will be made. -echo "1" > /root/accept_changes - - -# Begin install -{ - # Set initial percentage to 0 - export percentage=0 - - # Show initial progress message - set_progress_str 0 'Running initial configuration steps' - - [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - - if [[ ! $is_analyst ]]; then - reserve_ports - fi - - set_path - - if [[ $is_reinstall ]]; then - reinstall_init - fi - - disable_auto_start - - { - mark_version; - clear_manager; - } >> $setup_log 2>&1 - - - if [[ $is_manager || $is_import ]]; then - { - generate_passwords; - secrets_pillar; - } >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import || $is_helix ]]; then - add_socore_user_manager >> $setup_log 2>&1 - fi - - if [[ $is_manager && ! $is_eval ]]; then - add_soremote_user_manager >> $setup_log 2>&1 - fi - if [[ ! $is_analyst ]]; then - host_pillar >> $setup_log 2>&1 - fi - if [[ $is_analyst ]]; then - analyst_workstation_pillar - fi - ntp_pillar >> $setup_log 2>&1 - - - if [[ $is_minion || $is_import ]]; then - set_updates >> $setup_log 2>&1 - fi - - if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then - info "Creating airgap repo" - create_repo >> $setup_log 2>&1 - airgap_rules >> $setup_log 2>&1 - fi - - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi - - set_progress_str 2 'Updating packages' - # Import the gpg keys - gpg_rpm_import >> $setup_log 2>&1 - info "Disabling fastestmirror" - [[ $is_centos ]] && disable_fastestmirror - if [[ ! $is_airgap ]]; then - securityonion_repo >> $setup_log 2>&1 - update_packages >> $setup_log 2>&1 - else - airgap_repo >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_helix || $is_import ]]; then - set_progress_str 3 'Generating sensor pillar' - generate_sensor_vars - sensor_pillar >> $setup_log 2>&1 - if [[ $is_sensor || $is_helix ]]; then - steno_pillar >> $setup_log - fi - fi - - if [[ $is_sensor || $is_helix ]]; then - set_progress_str 4 'Configuring sensor interface' - configure_network_sensor >> $setup_log 2>&1 - fi - - set_progress_str 5 'Installing Salt and dependencies' - saltify 2>> $setup_log - - if [[ ! $is_analyst ]]; then - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 - fi - - set_progress_str 7 'Generating patch pillar' - patch_pillar >> $setup_log 2>&1 - - set_progress_str 8 'Initializing Salt minion' - configure_minion "$minion_type" >> $setup_log 2>&1 - - if [[ ! $is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 - fi - - update_sudoers_for_testing >> $setup_log 2>&1 - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 9 'Configuring Salt master' - { - create_local_directories; - addtotab_generate_templates; - copy_salt_master_config; - setup_salt_master_dirs; - firewall_generate_templates; - } >> $setup_log 2>&1 - - set_progress_str 10 'Updating sudoers file for soremote user' - update_sudoers >> $setup_log 2>&1 - - set_progress_str 11 'Generating manager global pillar' - #minio_generate_keys - manager_global >> $setup_log 2>&1 - - set_progress_str 12 'Generating manager pillar' - manager_pillar >> $setup_log 2>&1 - zeek_logs_enabled >> $setup_log 2>&1 - fi - - set_progress_str 16 'Running first Salt checkin' - salt_firstcheckin >> $setup_log 2>&1 - - if [[ $is_helix ]]; then - set_progress_str 17 'Generating the FireEye pillar' - fireeye_pillar >> $setup_log 2>&1 - fi - - if [[ $is_node ]]; then - set_progress_str 18 'Setting node type' - set_node_type >> $setup_log 2>&1 - - if ! [[ $is_manager || $is_helix ]]; then - set_progress_str 19 'Generating search node pillar' - elasticsearch_pillar >> $setup_log 2>&1 - fi - fi - - if [[ ($is_node || $is_receiver) && !($is_manager || $is_helix) ]]; then - set_progress_str 19 'Generating logstash pillar' - logstash_pillar >> $setup_log 2>&1 - fi - - if [[ $is_idh ]]; then - # Write out services to minion pillar file - set_progress_str 19 'Generating IDH services pillar' - write_out_idh_services - fi - - - if [[ $is_minion ]]; then - set_progress_str 20 'Accepting Salt key on manager' - retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import || $is_helix ]]; then - set_progress_str 20 'Accepting Salt key' - retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 - fi - - set_progress_str 21 'Copying minion pillars to manager' - copy_minion_tmp_files >> $setup_log 2>&1 - - if [[ $is_minion ]]; then - set_progress_str 22 'Checking if the Salt Minion needs to be updated' - salt-call state.apply -l info salt.minion >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 23 'Generating CA' - generate_ca >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 25 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - - # create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf - mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1 - touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1 - - if [[ "$setup_type" == 'iso' ]]; then - set_progress_str 26 'Copying containers from iso' - else - set_progress_str 26 'Downloading containers from the internet' - fi - import_registry_docker >> $setup_log 2>&1 - salt-call state.apply -l info registry >> $setup_log 2>&1 - docker_seed_registry # ~ 60% when finished - - set_progress_str 60 "$(print_salt_state_apply 'manager')" - salt-call state.apply -l info manager >> $setup_log 2>&1 - - echo "Executing so-elastic-auth..." >> $setup_log 2>&1 - ELASTIC_AUTH_SKIP_HIGHSTATE=true bash /opt/so/saltstack/default/salt/common/tools/sbin/so-elastic-auth true >> $setup_log 2>&1 - echo "Finished so-elastic-auth..." >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - fi - - if [[ $is_centos ]]; then - set_progress_str 61 'Installing Yum utilities' - salt-call state.apply -l info yum.packages >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 - fi - - if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'nginx')" - salt-call state.apply -l info nginx >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_helix || $is_import ]]; then - set_progress_str 63 "$(print_salt_state_apply 'idstools')" - create_local_nids_rules >> $setup_log 2>&1 - salt-call state.apply -l info idstools >> $setup_log 2>&1 - - set_progress_str 63 "$(print_salt_state_apply 'suricata.manager')" - salt-call state.apply -l info suricata.manager >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_node || $is_import || $is_helix ]]; then - set_progress_str 64 "$(print_salt_state_apply 'elasticsearch')" - salt-call state.apply -l info elasticsearch >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import ]]; then - set_progress_str 65 "$(print_salt_state_apply 'pcap')" - salt-call state.apply -l info pcap >> $setup_log 2>&1 - fi - - if [[ $is_sensor || $is_import || $is_helix ]]; then - set_progress_str 66 "$(print_salt_state_apply 'suricata')" - salt-call state.apply -l info suricata >> $setup_log 2>&1 - - if [[ $(lookup_pillar "mdengine") == 'ZEEK' ]]; then - set_progress_str 67 "$(print_salt_state_apply 'zeek')" - salt-call state.apply -l info zeek >> $setup_log 2>&1 - fi - fi - - if [[ $is_node ]]; then - set_progress_str 68 "$(print_salt_state_apply 'curator')" - salt-call state.apply -l info curator >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 69 "$(print_salt_state_apply 'soc')" - salt-call state.apply -l info soc >> $setup_log 2>&1 - - set_progress_str 70 "$(print_salt_state_apply 'kibana')" - salt-call state.apply -l info kibana.so_config_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_securitySolution_load >> $setup_log 2>&1 - salt-call state.apply -l info kibana.so_dashboard_load >> $setup_log 2>&1 - - set_progress_str 70 "Setting up default Space in Kibana" - so-kibana-space-defaults >> $setup_log 2>&1 - fi - - if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 71 "$(print_salt_state_apply 'playbook.db_init')" - salt-call state.apply -l info playbook.db_init >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook')" - salt-call state.apply -l info playbook >> $setup_log 2>&1 - - set_progress_str 71 "$(print_salt_state_apply 'playbook.automation_user_create')" - salt-call state.apply -l info playbook.automation_user_create >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 72 "$(print_salt_state_apply 'elastalert')" - salt-call state.apply -l info elastalert >> $setup_log 2>&1 - - set_progress_str 73 "$(print_salt_state_apply 'soctopus')" - salt-call state.apply -l info soctopus >> $setup_log 2>&1 - - if [[ "$PLAYBOOK" = 1 ]]; then - set_progress_str 73 "Update playbook rules" - so-playbook-ruleupdate >> /root/setup_playbook_rule_update.log 2>&1 & - fi - - if [[ "$GRAFANA" = 1 ]]; then - set_progress_str 74 "Installing InfluxDB and Grafana" - salt-call state.apply -l info influxdb >> $setup_log 2>&1 - salt-call state.apply -l info grafana >> $setup_log 2>&1 - fi - - fi - - if [[ "$OSQUERY" = 1 ]]; then - - set_progress_str 75 "$(print_salt_state_apply 'fleet.event_enable-fleet')" - salt-call state.apply -l info fleet.event_enable-fleet >> $setup_log 2>&1 - - set_progress_str 75 "$(print_salt_state_apply 'fleet')" - salt-call state.apply -l info fleet >> $setup_log 2>&1 - - set_progress_str 76 "$(print_salt_state_apply 'redis')" - salt-call state.apply -l info redis >> $setup_log 2>&1 - - if [[ $is_fleet_standalone && $FLEETCUSTOMHOSTNAME != '' ]]; then - set_progress_str 77 "$(print_salt_state_apply 'fleet.event_update-custom-hostname')" - pillar_override="{\"global\":{\"fleet_custom_hostname\": \"$FLEETCUSTOMHOSTNAME\"}}" - salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1 - rm -f /etc/pki/managerssl.crt - salt-call state.apply -l info ssl >> $setup_log 2>&1 - fi - - set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 - - fi - - if [[ $is_idh ]]; then - set_progress_str 79 "$(print_salt_state_apply 'idh')" - salt-call state.apply -l info idh >> $setup_log 2>&1 - - fi - - if [[ "$WAZUH" = 1 ]]; then - set_progress_str 79 "$(print_salt_state_apply 'wazuh')" - salt-call state.apply -l info wazuh >> $setup_log 2>&1 - fi - - if [[ "$STRELKA" = 1 ]]; then - if [[ $is_sensor ]]; then - set_progress_str 81 "$(print_salt_state_apply 'strelka')" - salt-call state.apply -l info strelka >> $setup_log 2>&1 - fi - if [[ "$STRELKARULES" = 1 ]]; then - logCmd /usr/sbin/so-yara-update - else - info "Skipping running yara update: STRELKARULES='$STRELKARULES'" - fi - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 82 "$(print_salt_state_apply 'utility')" - salt-call state.apply -l info utility >> $setup_log 2>&1 - fi - - if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then - set_progress_str 83 "$(print_salt_state_apply 'logstash')" - salt-call state.apply -l info logstash >> $setup_log 2>&1 - - set_progress_str 84 "$(print_salt_state_apply 'filebeat')" - salt-call state.apply -l info filebeat >> $setup_log 2>&1 - fi - - if [[ ! $is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - fi - - if [[ $is_manager || $is_import ]]; then - set_progress_str 87 'Adding user to SOC' - add_web_user >> $setup_log 2>&1 - fi - - if [[ $is_analyst ]]; then - # Remove access to the manager from the analyst workstation - rm -rf /root/.ssh/so.key* - fi - - set_progress_str 90 'Enabling checkin at boot' - checkin_at_boot >> $setup_log 2>&1 - - set_progress_str 95 'Verifying setup' - salt-call -l info state.highstate queue=True >> $setup_log 2>&1 - -} | progress - -success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') -if [[ $success != 0 ]]; then SO_ERROR=1; fi - -# Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox -# Ignore "Status .* was not found" due to output from salt http.query or http.wait_for_successful_query states used with retry -# Uncaught exception, closing connection|Exception in callback None - this is seen during influxdb / http.wait_for_successful_query state for ubuntu reinstall -if grep -E "ERROR|Result: False" $setup_log | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None|deprecation: ERROR" || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then - SO_ERROR=1 - grep --color=never "ERROR" "$setup_log" | grep -qvE "Status .* was not found|An exception occurred in this state|Uncaught exception, closing connection|Exception in callback None" > "$error_log" -fi - -if [[ -n $SO_ERROR ]]; then - echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 - - SKIP_REBOOT=1 - whiptail_setup_failed -else - echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 - { - export percentage=95 # set to last percentage used in previous subshell - if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - set_progress_str 96 "Stopping SOC prior to adjusting firewall rules" - so-soc-stop # Stop SOC so it doesn't accept external requests prior to the reboot - - set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" - IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 - fi - - if [[ $is_manager ]]; then - set_progress_str 98 "Generating archive for setup directory" - generate_repo_tarball >> "$setup_log" 2>&1 - fi - - if [[ -n $LEARN_LOGSCAN_ENABLE ]]; then - set_progress_str 99 'Enabling logscan' - so-learn enable logscan --apply >> $setup_log 2>&1 - fi - - if [[ -n $ENDGAMEHOST ]]; then - set_progress_str 99 'Configuring firewall for Endgame SMP' - so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 - fi - - } | whiptail_gauge_post_setup "Running post-installation steps..." - - echo "Post-installation steps have completed. Awaiting user input to clean up installer." >> $setup_log 2>&1 - whiptail_setup_complete - [[ $setup_type != 'iso' && ! $is_idh ]] && whiptail_ssh_warning -fi - -install_cleanup >> "$setup_log" 2>&1 - -if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi