CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-01-01 22:03:37 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'remotes/origin/dev' into issue/142

Browse Source
This commit is contained in:
Mike Reeves
2020-07-06 14:35:46 -04:00
parent 1016315196 57bbb02c65
commit 623c37f1f5
34 changed files with 680 additions and 213 deletions
Download Patch File Download Diff File Expand all files Collapse all files

137
setup/so-functions
View File

@@ -388,8 +388,6 @@ configure_minion() {
printf '%s\n' '----';
cat "$minion_config";
} >> "$setup_log" 2>&1
}
checkin_at_boot() {
@@ -399,27 +397,33 @@ checkin_at_boot() {
echo "startup_states: highstate" >> "$minion_config"
}
check_requirements() {
local eval_or_dist=$1
local node_type=$2 # optional
local req_mem
local req_cores
local req_storage
local nic_list
readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')"
local num_nics=${#nic_list[@]}
if [[ "$eval_or_dist" == 'eval' ]]; then
req_mem=12
req_cores=4
req_nics=2
req_storage=100
elif [[ "$eval_or_dist" == 'dist' ]]; then
req_mem=8
req_cores=4
req_storage=40
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
fi
if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then
whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB"
fi
if [[ $num_nics -lt $req_nics ]]; then
whiptail_requirements_error "NICs" "$num_nics" "$req_nics"
fi
@@ -429,7 +433,7 @@ check_requirements() {
fi
if [[ $total_mem_hr -lt $req_mem ]]; then
whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB"
whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB"
fi
}
@@ -481,42 +485,59 @@ copy_ssh_key() {
}
create_local_directories() {
echo "Creating local pillar and salt directories"
PILLARSALTDIR=${SCRIPTDIR::-5}
for i in "pillar" "salt"; do
for d in `find $PILLARSALTDIR/$i -type d`; do
suffixdir=${d//$PILLARSALTDIR/}
if [ ! -d "$local_salt_dir/$suffixdir" ]; then
mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1
fi
done
chown -R socore:socore "$local_salt_dir/$i"
done
echo "Creating local pillar and salt directories"
PILLARSALTDIR=${SCRIPTDIR::-5}
for i in "pillar" "salt"; do
for d in $(find $PILLARSALTDIR/$i -type d); do
suffixdir=${d//$PILLARSALTDIR/}
if [ ! -d "$local_salt_dir/$suffixdir" ]; then
mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1
fi
done
chown -R socore:socore "$local_salt_dir/$i"
done
}
create_sensor_bond() {
echo "Setting up sensor bond" >> "$setup_log" 2>&1
configure_network_sensor() {
echo "Setting up sensor interface" >> "$setup_log" 2>&1
local nic_error=0
check_network_manager_conf >> "$setup_log" 2>&1
# Set the MTU
if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1500
if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi
fi
if [[ $is_ec2 ]]; then
INTERFACE=${BNICS[0]}
local nmcli_con_arg="type ethernet"
else
INTERFACE='bond0'
local nmcli_con_arg="type bond mode 0"
fi
# Create the bond interface only if it doesn't already exist
if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
nmcli -f name,uuid -p con | grep -q "$INTERFACE"
local found_int=$?
if [[ $found_int != 0 ]]; then
nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \
ipv4.method disabled \
ipv6.method ignore \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
else
local int_uuid
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ')
nmcli con mod "$int_uuid" \
ipv4.method disabled \
ipv6.method ignore \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
fi
for BNIC in "${BNICS[@]}"; do
# Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
@@ -532,15 +553,29 @@ create_sensor_bond() {
ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
done
# Check if the bond slave connection has already been created
if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then
# Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
fi
if [[ $is_ec2 ]]; then
nmcli con up "$BNIC" >> "$setup_log" 2>&1
else
# Check if the bond slave connection has already been created
nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
local found_int=$?
if [[ $found_int != 0 ]]; then
# Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
else
local int_uuid
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
nmcli con mod "$int_uuid" \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$setup_log" 2>&1
fi
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
fi
done
if [ $nic_error != 0 ]; then
@@ -548,6 +583,11 @@ create_sensor_bond() {
fi
}
detect_ec2() {
echo "Testing if setup is running on an EC2 instance"
if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi
}
detect_os() {
# Detect Base OS
@@ -565,11 +605,19 @@ detect_os() {
exit 1
fi
echo "Installing required packages to run installer"
# Install bind-utils so the host command exists
if ! command -v host > /dev/null 2>&1; then
echo "Installing required packages to run installer"
yum -y install bind-utils yum-plugin-versionlock >> "$setup_log" 2>&1
yum -y install bind-utils >> "$setup_log" 2>&1
fi
if ! command -v nmcli > /dev/null 2>&1; then
{
yum -y install NetworkManager;
systemctl enable NetworkManager;
systemctl start NetworkManager;
} >> "$setup_log" 2<&1
fi
yum -y install yum-plugin-versionlock bc >> "$setup_log" 2>&1
elif [ -f /etc/os-release ]; then
@@ -582,15 +630,17 @@ detect_os() {
echo "We do not support your current version of Ubuntu."
exit 1
fi
echo "Installing required packages to run installer"
# Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then
echo "Installing required packages to run installer"
{
apt-get install -y network-manager;
systemctl enable NetworkManager;
systemctl start NetworkManager;
} >> "$setup_log" 2<&1
fi
apt-get install -y bc >> "$setup_log" 2>&1
else
echo "We were unable to determine if you are using a supported OS."
@@ -1275,6 +1325,11 @@ set_base_heapsizes() {
ls_heapsize
}
set_network_dev_status_list() {
readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)"
export nmcli_dev_status_list
}
set_main_ip() {
MAINIP=$(ip route get 1 | awk '{print $7;exit}')
}
@@ -1324,7 +1379,7 @@ sensor_pillar() {
# Create the sensor pillar
printf '%s\n'\
"sensor:"\
" interface: bond0"\
" interface: $INTERFACE"\
" mainip: $MAINIP"\
" mainint: $MNIC" >> "$pillar_file"
@@ -1435,13 +1490,13 @@ set_initial_firewall_policy() {
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
case "$install_type" in
'EVAL')
$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True
$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True
;;
'MASTERSEARCH')
$default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
;;
'STANDALONE')
$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
;;
esac
;;
@@ -1455,7 +1510,7 @@ set_initial_firewall_policy() {
case "$install_type" in
'SENSOR')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
;;
'SEARCHNODE')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
@@ -1464,7 +1519,7 @@ set_initial_firewall_policy() {
'HEAVYNODE')
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
;;
'FLEET')