CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

[refactor] Simplify ec2 detection + handling

Browse Source
This commit is contained in:
William Wernert
2020-07-01 16:23:38 -04:00
parent 26b0daf2da
commit 54c3327240
4 changed files with 71 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
setup/install_scripts/99-so-checksum-offload-disable
View File

@@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then
for i in rx tx sg tso ufo gso gro lro; do for i in rx tx sg tso ufo gso gro lro; do
ethtool -K "$DEVICE_IFACE" "$i" off; ethtool -K "$DEVICE_IFACE" "$i" off;
done done
ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
fi fi

111
setup/so-functions
View File

@@ -495,29 +495,45 @@ create_local_directories() {
} }
create_sensor_bond() { configure_network_sensor() {
echo "Setting up sensor bond" >> "$setup_log" 2>&1 echo "Setting up sensor interface" >> "$setup_log" 2>&1
INTERFACE="bond0"
local nic_error=0 local nic_error=0
check_network_manager_conf >> "$setup_log" 2>&1
# Set the MTU # Set the MTU
if [[ $NSMSETUP != 'ADVANCED' ]]; then if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1500 if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi
fi
if [[ $is_ec2 ]]; then
INTERFACE=${BNICS[0]}
local nmcli_con_arg="type ethernet"
else
INTERFACE='bond0'
local nmcli_con_arg="type bond mode 0"
fi fi
# Create the bond interface only if it doesn't already exist # Create the bond interface only if it doesn't already exist
if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ nmcli -f name,uuid -p con | grep -q "$INTERFACE"
local found_int=$?
if [[ ! $found_int ]]; then
nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \
ipv4.method disabled \
ipv6.method ignore \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
else
local int_uuid
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ')
nmcli con mod "$int_uuid" \
ipv4.method disabled \ ipv4.method disabled \
ipv6.method ignore \ ipv6.method ignore \
ethernet.mtu $MTU \ ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1 connection.autoconnect "yes" >> "$setup_log" 2>&1
fi fi
for BNIC in "${BNICS[@]}"; do for BNIC in "${BNICS[@]}"; do
# Check if specific offload features are able to be disabled # Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
@@ -533,15 +549,29 @@ create_sensor_bond() {
ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
done done
# Check if the bond slave connection has already been created if [[ $is_ec2 ]]; then
if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then nmcli con up "$BNIC" >> "$setup_log" 2>&1
# Create the slave interface and assign it to the bond else
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ # Check if the bond slave connection has already been created
ethernet.mtu $MTU \ nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
connection.autoconnect "yes" >> "$setup_log" 2>&1 local found_int=$?
fi
if [[ ! $found_int ]]; then
# Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
else
local int_uuid
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up nmcli con mod "$int_uuid" \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
fi
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
fi
done done
if [ $nic_error != 0 ]; then if [ $nic_error != 0 ]; then
@@ -1622,46 +1652,9 @@ es_heapsize() {
fi fi
} }
is_ec2() { detect_ec2() {
# Check if EC2 # Check if EC2
if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null
is_ec2=1 is_ec2=$?
else export is_ec2
is_ec2=0
fi
}
create_ec2_sniffing() {
echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1
local nic_error=0
check_network_manager_conf >> "$setup_log" 2>&1
# Set the MTU
if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1575
fi
for BNIC in "${BNICS[@]}"; do
# Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then
echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1
nic_error=1
break
fi
done
# Turn off various offloading settings for the interface
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
done
done
INTERFACE=$BNIC
if [ $nic_error != 0 ]; then
return 1
fi
} }

26
setup/so-setup
View File

@@ -98,9 +98,7 @@ export PATH=$PATH:../salt/common/tools/sbin
got_root got_root
detect_os detect_os && detect_ec2
is_ec2
if [ "$OS" == ubuntu ]; then if [ "$OS" == ubuntu ]; then
update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1
@@ -227,11 +225,7 @@ fi
# Start user prompts # Start user prompts
if [[ $is_helix || $is_sensor ]]; then if [[ $is_helix || $is_sensor ]]; then
if [ $is_ec2 -eq 1 ]; then whiptail_sensor_nics
whiptail_ec2_nic
else
whiptail_bond_nics
fi
calculate_useable_cores calculate_useable_cores
fi fi
@@ -370,21 +364,17 @@ fi
# Set initial percentage to 0 # Set initial percentage to 0
export percentage=0 export percentage=0
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
set_progress_str 1 'Configuring firewall' set_progress_str 1 'Configuring firewall'
set_initial_firewall_policy >> $setup_log 2>&1 set_initial_firewall_policy >> $setup_log 2>&1
fi fi
set_progress_str 2 'Updating packages' set_progress_str 2 'Updating packages'
update_packages >> $setup_log 2>&1 update_packages >> $setup_log 2>&1
if [[ $is_sensor || $is_helix ]]; then if [[ $is_sensor || $is_helix ]]; then
set_progress_str 3 'Creating bond/sniffing interface' set_progress_str 3 'Configuring sensor interface'
if [ $is_ec2 -eq 1 ]; then configure_network_sensor >> $setup_log 2>&1
create_ec2_sniffing >> $setup_log 2>&1
else
create_sensor_bond >> $setup_log 2>&1
fi
set_progress_str 4 'Generating sensor pillar' set_progress_str 4 'Generating sensor pillar'
sensor_pillar >> $setup_log 2>&1 sensor_pillar >> $setup_log 2>&1
fi fi

34
setup/so-whiptail
View File

@@ -78,13 +78,21 @@ whiptail_bond_nics() {
filter_unused_nics filter_unused_nics
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) if [[ $is_ec2 ]]; then
local menu_text="Please select NIC for the Monitor Interface"
local list_type="radiolist"
else
local menu_text="Please add NICs to the Monitor Interface"
local list_type="checklist"
fi
BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
while [ -z "$BNICS" ] while [ -z "$BNICS" ]
do do
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
done done
@@ -107,28 +115,6 @@ whiptail_bond_nics_mtu() {
} }
whiptail_ec2_nic() {
[ -n "$TESTING" ] && return
filter_unused_nics
BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
while [ -z "$BNICS" ]
do
BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
done
BNICS=$(echo "$BNICS" | tr -d '"')
IFS=' ' read -ra BNICS <<< "$BNICS"
}
whiptail_cancel() { whiptail_cancel() {
whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75