From 97a2d91d15f85767c85a51e23f881c48a7a37fd3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 12:14:30 -0400 Subject: [PATCH 01/15] Re-arrange whiptail screens --- salt/elasticsearch/files/elasticsearch.yml | 7 +- setup/so-whiptail | 477 +++++++++++---------- 2 files changed, 250 insertions(+), 234 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index acad465d1..40f708057 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -42,5 +42,10 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% # authz_exception: true {%- endif %} node.attr.box_type: {{ NODE_ROUTE_TYPE }} -node.name: {{ ESCLUSTERNAME }} +node.name: {{ grains.host }} script.max_compilations_rate: 1000/1m +{%- if salt['pillar.get']('elasticsearch:true_cluster') %} + {%- if grains.role == 'so-manager' %} +node.roles: [ master ] + {%- endif %} +{%- endif %} diff --git a/setup/so-whiptail b/setup/so-whiptail index 0401146af..78e66285b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -31,24 +31,6 @@ whiptail_airgap() { whiptail_check_exitstatus $exitstatus } -whiptail_basic_zeek() { - - [ -n "$TESTING" ] && return - - if [[ $is_smooshed ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi - else - local PROCS=$lb_procs - fi - - BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the number of zeek processes:" 10 75 "$PROCS" 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_basic_suri() { [ -n "$TESTING" ] && return 
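Review bot: `node.roles: [ master ]` makes the manager a dedicated master-only node (in ES 7.x an explicit `node.roles` list replaces the default role set, so data and ingest are dropped), and since it is the only node on this page given an explicit role list the manager also becomes the cluster's single master-eligible node, with no master redundancy if it goes down. If that is the intended topology, say so in the template, e.g. `# true_cluster: the manager is the sole master-eligible, non-data node; other nodes keep the default roles`. The `node.attr.box_type` line just above presumably has no allocation effect on a node without a data role, which is worth a one-line note there as well. The `salt['pillar.get']` test here is plain truthiness, so a quoted string value like 'False' in the pillar would also enable the block; the pillar writer should emit a bare boolean.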
@@ -68,15 +50,10 @@ whiptail_basic_suri() { } -whiptail_zeek_pins() { +whiptail_basic_zeek() { [ -n "$TESTING" ] && return - local cpu_core_list_whiptail=() - for item in "${cpu_core_list[@]}"; do - cpu_core_list_whiptail+=("$item" "OFF") - done - if [[ $is_smooshed ]]; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi 
@@ -84,65 +61,11 @@ whiptail_zeek_pins() { local PROCS=$lb_procs fi - ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') - - IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" -} - -whiptail_zeek_version() { - - [ -n "$TESTING" ] && return - - ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ - "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) + BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter the number of zeek processes:" 10 75 "$PROCS" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - -} - -whiptail_sensor_nics() { - - [ -n "$TESTING" ] && return - - filter_unused_nics - - if [[ $is_ec2 ]]; then - local menu_text="Please select NIC for the Monitor Interface:" - local list_type="radiolist" - else - local menu_text="Please add NICs to the Monitor Interface:" - local list_type="checklist" - fi - - BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - while [ -z "$BNICS" ] - do - BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - done - - BNICS=$(echo "$BNICS" | tr -d '"') - - IFS=' ' read -ra BNICS <<< "$BNICS" - - for bond_nic in "${BNICS[@]}"; do - if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then - whiptail \ - --title "Security Onion Setup" \ - --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ - 8 75 - exit - fi - done } whiptail_bond_nics_mtu() { 
@@ -184,6 +107,13 @@ whiptail_check_exitstatus() { esac } +whiptail_components_adv_warning() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75 +} + whiptail_create_admin_user() { [ -n "$TESTING" ] && return @@ -291,13 +221,6 @@ whiptail_create_web_user() { whiptail_check_exitstatus $exitstatus } -whiptail_invalid_user_warning() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75 -} - whiptail_create_web_user_password1() { [ -n "$TESTING" ] && return 
@@ -321,72 +244,6 @@ whiptail_create_web_user_password2() { } -whiptail_fleet_custom_hostname() { - - [ -n "$TESTING" ] && return - - FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \ - "What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_requirements_error() { - - local requirement_needed=$1 - local current_val=$2 - local needed_val=$3 - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_storage_requirements() { - local mount=$1 - local current_val=$2 - local needed_val=$3 - - [ -n "$TESTING" ] && return - - read -r -d '' message <<- EOM - Free space on mount point '${mount}' is currently ${current_val}. - - You need ${needed_val} to meet minimum requirements. - - Visit https://docs.securityonion.net/en/2.1/hardware.html for more information. - - Press YES to continue anyway, or press NO to cancel. - EOM - - whiptail \ - --title "Security Onion Setup" \ - --yesno "$message" \ - 14 75 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - -whiptail_invalid_pass_warning() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75 -} - -whiptail_invalid_pass_characters_warning() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75 -} - whiptail_cur_close_days() { [ -n "$TESTING" ] && return 
@@ -502,11 +359,26 @@ whiptail_eval_adv() { whiptail_check_exitstatus $exitstatus } -whiptail_components_adv_warning() { +whiptail_fleet_custom_hostname() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Please keep in mind the more services that you enable the more RAM that is required." 8 75 + FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \ + "What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + +whiptail_gauge_post_setup() { + + if [ -n "$TESTING" ]; then + cat >> $setup_log 2>&1 + else + local msg=$1 + + whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96 + fi } whiptail_helix_apikey() { @@ -594,6 +466,27 @@ whiptail_install_type() { export install_type } +whiptail_invalid_pass_characters_warning() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75 +} + +whiptail_invalid_pass_warning() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75 +} + +whiptail_invalid_user_warning() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --msgbox "Please enter a valid email address." 8 75 +} + whiptail_log_size_limit() { [ -n "$TESTING" ] && return @@ -608,6 +501,17 @@ whiptail_log_size_limit() { } +whiptail_make_changes() { + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75 + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_management_interface_dns() { [ -n "$TESTING" ] && return 
@@ -672,43 +576,6 @@ whiptail_management_nic() { } -whiptail_nids() { - - [ -n "$TESTING" ] && return - - NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ - "Suricata" "Suricata" ON \ - "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_oinkcode() { - - [ -n "$TESTING" ] && return - - OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter your ET Pro or oinkcode:" 10 75 XXXXXXX 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - -whiptail_make_changes() { - - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} - whiptail_management_server() { [ -n "$TESTING" ] && return @@ -756,6 +623,17 @@ whiptail_manager_adv() { } +# Ask if you want to do true clustering +whiptail_manager_adv_escluster(){ + + [ -n "$TESTING" ] && return + + MGRCLUSTER=$(whiptail --title "Security Onion Setup" --yesno "Do you want to set up a traditional ES cluster?" 8 75) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + # Ask which additional components to install whiptail_manager_adv_service_zeeklogs() { 
@@ -810,6 +688,54 @@ whiptail_manager_adv_service_zeeklogs() { } +whiptail_manager_updates() { + + [ -n "$TESTING" ] && return + + local update_string + update_string=$(whiptail --title "Security Onion Setup" --radiolist \ + "How would you like to download OS package updates for your grid?" 20 75 4 \ + "MANAGER" "Manager node is proxy for updates" ON \ + "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + case "$update_string" in + 'MANAGER') + export MANAGERUPDATES='1' + ;; + *) + export MANAGERUPDATES='0' + ;; + esac + +} + +whiptail_manager_updates_warning() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup"\ + --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\ + 8 75 + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + +whiptail_nids() { + + [ -n "$TESTING" ] && return + + NIDS=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose which IDS to run: \n\n(Snort 3.0 support will be added once it is out of beta.)" 25 75 4 \ + "Suricata" "Suricata" ON \ + "Snort" "Placeholder for Snort 3.0 " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + whiptail_network_notice() { [ -n "$TESTING" ] && return @@ -895,6 +821,18 @@ whiptail_node_ls_input_threads() { } +whiptail_oinkcode() { + + [ -n "$TESTING" ] && return + + OINKCODE=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter your ET Pro or oinkcode:" 10 75 XXXXXXX 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} + #TODO: helper function to display error message or exit if batch mode # exit_if_batch <"Error string"> 
@@ -1049,6 +987,21 @@ whiptail_patch_schedule_select_hours() { } +whiptail_requirements_error() { + + local requirement_needed=$1 + local current_val=$2 + local needed_val=$3 + + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" \ + --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_rule_setup() { [ -n "$TESTING" ] && return @@ -1080,6 +1033,46 @@ whiptail_sensor_config() { } +whiptail_sensor_nics() { + + [ -n "$TESTING" ] && return + + filter_unused_nics + + if [[ $is_ec2 ]]; then + local menu_text="Please select NIC for the Monitor Interface:" + local list_type="radiolist" + else + local menu_text="Please add NICs to the Monitor Interface:" + local list_type="checklist" + fi + + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + while [ -z "$BNICS" ] + do + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + + BNICS=$(echo "$BNICS" | tr -d '"') + + IFS=' ' read -ra BNICS <<< "$BNICS" + + for bond_nic in "${BNICS[@]}"; do + if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + whiptail \ + --title "Security Onion Setup" \ + --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ + 8 75 + exit + fi + done +} + whiptail_set_hostname() { [ -n "$TESTING" ] && return 
@@ -1200,15 +1193,30 @@ whiptail_so_allow() { fi } -whiptail_gauge_post_setup() { +whiptail_storage_requirements() { + local mount=$1 + local current_val=$2 + local needed_val=$3 - if [ -n "$TESTING" ]; then - cat >> $setup_log 2>&1 - else - local msg=$1 + [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --gauge "$msg" 6 60 96 - fi + read -r -d '' message <<- EOM + Free space on mount point '${mount}' is currently ${current_val}. + + You need ${needed_val} to meet minimum requirements. + + Visit https://docs.securityonion.net/en/2.1/hardware.html for more information. + + Press YES to continue anyway, or press NO to cancel. + EOM + + whiptail \ + --title "Security Onion Setup" \ + --yesno "$message" \ + 14 75 + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus } whiptail_strelka_rules() { @@ -1251,40 +1259,6 @@ whiptail_suricata_pins() { } -whiptail_manager_updates() { - - [ -n "$TESTING" ] && return - - local update_string - update_string=$(whiptail --title "Security Onion Setup" --radiolist \ - "How would you like to download OS package updates for your grid?" 20 75 4 \ - "MANAGER" "Manager node is proxy for updates" ON \ - "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - case "$update_string" in - 'MANAGER') - export MANAGERUPDATES='1' - ;; - *) - export MANAGERUPDATES='0' - ;; - esac - -} - -whiptail_manager_updates_warning() { - [ -n "$TESTING" ] && return - - whiptail --title "Security Onion Setup"\ - --msgbox "Updating through the manager node requires the manager to have internet access, press ENTER to continue."\ - 8 75 - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_node_updates() { [ -n "$TESTING" ] && return 
@@ -1322,3 +1296,40 @@ whiptail_you_sure() { return $exitstatus } + +whiptail_zeek_pins() { + + [ -n "$TESTING" ] && return + + local cpu_core_list_whiptail=() + for item in "${cpu_core_list[@]}"; do + cpu_core_list_whiptail+=("$item" "OFF") + done + + if [[ $is_smooshed ]]; then + local PROCS=$(expr $lb_procs / 2) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + else + local PROCS=$lb_procs + fi + + ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"') + + IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS" +} + +whiptail_zeek_version() { + + [ -n "$TESTING" ] && return + + ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)" ON \ + "SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + +} From bab6b151ff9f0fbf58e9ecb36c4d3adac3824959 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:07:22 -0400 Subject: [PATCH 02/15] Add cluster whiptail questions --- setup/so-setup | 3 +++ setup/so-whiptail | 14 +++++++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 1c46a8bf9..e9ad3a281 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -320,6 +320,9 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv + if [[ "$install_type" = 'MANAGER' ]] || [[ "$install_type" = 'MANAGERSEARCH' ] + whiptail_manager_adv_escluster + fi whiptail_zeek_version # Don't run this function for now since Snort is not yet supported # whiptail_nids diff --git a/setup/so-whiptail b/setup/so-whiptail index 78e66285b..437b2192c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -631,7 +631,19 @@ whiptail_manager_adv_escluster(){ MGRCLUSTER=$(whiptail --title "Security Onion Setup" --yesno "Do you want to set up a traditional ES cluster?" 8 75) local exitstatus=$? - whiptail_check_exitstatus $exitstatus + + if [[ $exitstatus == 0 ]]; then + whiptail_manager_adv_escluster_name + fi +} + +# Get a cluster name +whiptail_manager_adv_escluster_name(){ + + [ -n "$TESTING" ] && return + + ESCLUSTERNAME=$(whiptail --title "Security Onion Setup" --inputbox \ + "Enter a name for your ES cluster!" 10 75 securityonion 3>&1 1>&2 2>&3) } # Ask which additional components to install From bbb825a2079423d87796c3a68c201ed2f256f4c9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:33:40 -0400 Subject: [PATCH 03/15] Add cluster whiptail questions --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index e9ad3a281..cad7fea6a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -320,7 +320,7 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv - if [[ "$install_type" = 'MANAGER' ]] || [[ "$install_type" = 'MANAGERSEARCH' ] + if [[ "$install_type" = 'MANAGER' ]] || [[ "$install_type" = 'MANAGERSEARCH' ]]; then whiptail_manager_adv_escluster fi whiptail_zeek_version From f893cf203f37be8dc6dd35e00237ec78a2dc92cc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:38:17 -0400 Subject: [PATCH 04/15] Change whiptail logic --- setup/so-setup | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index cad7fea6a..93a63a758 100755 --- a/setup/so-setup +++ b/setup/so-setup 
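Review bot: `ESCLUSTERNAME` is taken from the inputbox with no character check, yet it is later embedded in single-quoted YAML (`true_cluster_name: '$ESCLUSTERNAME'`, patch 14), in an unquoted YAML value (`esclustername: $ESCLUSTERNAME`, patch 15) and in `cluster.name: "{{ ESCLUSTERNAME }}"`, so a quote, `#` or `: ` in the name breaks the pillar or the rendered elasticsearch.yml; the script already rejects such characters for passwords via `whiptail_invalid_pass_characters_warning`, and the same discipline is needed here. Separately, replacing `whiptail_check_exitstatus $exitstatus` with `if [[ $exitstatus == 0 ]]` means ESC/cancel (exit 255) is now treated as "No", and `whiptail_manager_adv_escluster_name` never checks its own exit status, so cancelling the name box leaves `ESCLUSTERNAME` empty and the so-functions hunks silently fall back to `true_cluster: False`. `whiptail_manager_adv_escluster` starts outside this hunk and the body of `whiptail_check_exitstatus` is not on the page, so its exact cancel handling is assumed. A validating loop for the name function:

```shell
whiptail_manager_adv_escluster_name(){

  [ -n "$TESTING" ] && return

  while true; do
    ESCLUSTERNAME=$(whiptail --title "Security Onion Setup" --inputbox \
      "Enter a name for your ES cluster!" 10 75 securityonion 3>&1 1>&2 2>&3)
    local exitstatus=$?
    whiptail_check_exitstatus $exitstatus
    # The name is written into YAML pillars and elasticsearch.yml; allow only a safe character set.
    [[ "$ESCLUSTERNAME" =~ ^[A-Za-z0-9_-]+$ ]] && break
    whiptail --title "Security Onion Setup" --msgbox "Cluster name may only contain letters, digits, '-' and '_'." 8 75
  done
}
```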
@@ -320,8 +320,10 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv - if [[ "$install_type" = 'MANAGER' ]] || [[ "$install_type" = 'MANAGERSEARCH' ]]; then - whiptail_manager_adv_escluster + if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then + if [ "$install_type" = 'MANAGER' ]] || [ $install_type = 'MANAGERSEARCH' ]; then + whiptail_manager_adv_escluster + fi fi whiptail_zeek_version # Don't run this function for now since Snort is not yet supported From c22e8c08a6074a786726170752f1b57a7357f0e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:40:22 -0400 Subject: [PATCH 05/15] Change whiptail logic --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 93a63a758..74ff6c0b8 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -320,7 +320,7 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv - if [ "$MANAGERADV" = 'ADVANCED' ] && [ "$ZEEKVERSION" != 'SURICATA' ]; then + if [ "$MANAGERADV" = 'ADVANCED' ]; then if [ "$install_type" = 'MANAGER' ]] || [ $install_type = 'MANAGERSEARCH' ]; then whiptail_manager_adv_escluster fi From c538e5f85b9ea83eb8d48ece5356e87d70571ead Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:40:56 -0400 Subject: [PATCH 06/15] Change whiptail logic --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 74ff6c0b8..ab0d809a1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -321,7 +321,7 @@ fi if [[ $is_manager && ! $is_eval ]]; then whiptail_manager_adv if [ "$MANAGERADV" = 'ADVANCED' ]; then - if [ "$install_type" = 'MANAGER' ]] || [ $install_type = 'MANAGERSEARCH' ]; then + if [ "$install_type" = 'MANAGER' ] || [ "$install_type" = 'MANAGERSEARCH' ]; then whiptail_manager_adv_escluster fi fi From 6f703fad259775cffd67fdddf44fc884f2d93143 Mon Sep 17 00:00:00 2001 
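Review bot: The nested `if [ ... ]` pair that the patch 06 hunk settles on mixes `[ ]` with the `[[ ]]` form used on the enclosing `if [[ $is_manager && ! $is_eval ]]; then` line; one compound test keeps the style consistent and removes a nesting level: `if [[ "$MANAGERADV" = 'ADVANCED' && ( "$install_type" = 'MANAGER' || "$install_type" = 'MANAGERSEARCH' ) ]]; then`. `MANAGERADV` is presumably set by `whiptail_manager_adv` on the line above, but that function is not on this page, so a short comment naming where it comes from would help, e.g. `# MANAGERADV is exported by whiptail_manager_adv`. The same so-setup hunk appears in patches 04 and 05 on this line; the note applies to the final form only.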
From: Mike Reeves Date: Mon, 19 Oct 2020 16:44:43 -0400 Subject: [PATCH 07/15] Change whiptail logic --- setup/so-whiptail | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 437b2192c..302fb96e6 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -628,7 +628,8 @@ whiptail_manager_adv_escluster(){ [ -n "$TESTING" ] && return - MGRCLUSTER=$(whiptail --title "Security Onion Setup" --yesno "Do you want to set up a traditional ES cluster?" 8 75) + whiptail --title "Security Onion Setup" --yesno \ + "Do you want to set up a traditional ES cluster?" 8 75 local exitstatus=$? From 23bc5e303e873372f12ad51ca2d02d05b52be64c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:52:43 -0400 Subject: [PATCH 08/15] Add clustering to ES function --- setup/so-functions | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 06f103cfc..dc2a9e7fd 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1200,14 +1200,19 @@ manager_global() { " features: False"\ "elasticsearch:"\ " replicas: 0"\ - " true_cluster: False"\ - " true_cluster_name: 'so'"\ + if [ -z "$ESCLUSTERNAME" ]; then + " true_cluster: False" + " true_cluster_name: 'so'" + else + " true_cluster: True" + " true_cluster_name: '$ESCLUSTERNAME'" + fi " discovery_nodes: 1"\ " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ - " cluster_routing_allocation_disk_watermark_low: '95%'"\ - " cluster_routing_allocation_disk_watermark_high: '98%'"\ - " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ + " cluster_routing_allocation_disk_watermark_low: '95%'"\ + " cluster_routing_allocation_disk_watermark_high: '98%'"\ + " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ " index_settings:"\ " so-beats:"\ " shards: 1"\ From 7e0063d47467b184f7b3dc81db166582a810cdb9 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Mon, 19 Oct 2020 16:55:11 -0400 Subject: [PATCH 09/15] Fix pillar syntax --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index dc2a9e7fd..d134a8ac8 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1201,11 +1201,11 @@ manager_global() { "elasticsearch:"\ " replicas: 0"\ if [ -z "$ESCLUSTERNAME" ]; then - " true_cluster: False" - " true_cluster_name: 'so'" + printf " true_cluster: False" + " true_cluster_name: 'so'" else - " true_cluster: True" - " true_cluster_name: '$ESCLUSTERNAME'" + printf " true_cluster: True" + " true_cluster_name: '$ESCLUSTERNAME'" fi " discovery_nodes: 1"\ " hot_warm_enabled: False"\ From 4e1bff2231799b951d7495bc722227d48a392edf Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 16:56:13 -0400 Subject: [PATCH 10/15] Fix pillar syntax --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d134a8ac8..fab24b2f2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1200,7 +1200,7 @@ manager_global() { " features: False"\ "elasticsearch:"\ " replicas: 0"\ - if [ -z "$ESCLUSTERNAME" ]; then + if [[ -z "$ESCLUSTERNAME" ]]; then printf " true_cluster: False" " true_cluster_name: 'so'" else From 55b6f5ce996bdb126451f4fde21703e451b5e976 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 17:02:26 -0400 Subject: [PATCH 11/15] Fix pillar syntax --- setup/so-functions | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fab24b2f2..cb7e447ea 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1200,13 +1200,14 @@ manager_global() { " features: False"\ "elasticsearch:"\ " replicas: 0"\ - if [[ -z "$ESCLUSTERNAME" ]]; then - printf " true_cluster: False" - " true_cluster_name: 'so'" + if [ -n "$ESCLUSTERNAME" ]; then + printf " true_cluster: True"\ + " true_cluster_name: '$ESCLUSTERNAME'"\ else - printf " true_cluster: True" - " true_cluster_name: '$ESCLUSTERNAME'" + printf " true_cluster: False"\ + " true_cluster_name: 'so'"\ fi + " discovery_nodes: 1"\ " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ From 3cb419174af91ddc1f0148a8eb3943ddbeae48c9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 17:04:06 -0400 Subject: [PATCH 12/15] Fix pillar syntax --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index cb7e447ea..cae48c777 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1199,7 +1199,7 @@ manager_global() { "elastic:"\ " features: False"\ "elasticsearch:"\ - " replicas: 0"\ + " replicas: 0" if [ -n "$ESCLUSTERNAME" ]; then printf " true_cluster: True"\ " true_cluster_name: '$ESCLUSTERNAME'"\ From 722f2b3913cca624520ce230c9ad163d1ba5337e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 17:08:06 -0400 Subject: [PATCH 13/15] Fix pillar syntax --- setup/so-functions | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index cae48c777..0c2bc804d 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1201,13 +1201,15 @@ manager_global() { "elasticsearch:"\ " replicas: 0" if [ -n "$ESCLUSTERNAME" ]; then - printf " true_cluster: True"\ - " true_cluster_name: '$ESCLUSTERNAME'"\ + printf '%s\n'\ + " true_cluster: True"\ + " true_cluster_name: '$ESCLUSTERNAME'" else - printf " true_cluster: False"\ - " true_cluster_name: 'so'"\ + printf '%s\n'\ + " true_cluster: False"\ + " true_cluster_name: 'so'" fi - + printf '%s\n'\ " discovery_nodes: 1"\ " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ From 87adbb5f819b4864062800d06886226b604942ff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Mon, 19 Oct 2020 17:20:33 -0400 Subject: [PATCH 14/15] printf issues --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 0c2bc804d..9ded48ddf 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1199,15 +1199,15 @@ manager_global() { "elastic:"\ " features: False"\ "elasticsearch:"\ - " replicas: 0" + " replicas: 0" >> "$global_pillar" if [ -n "$ESCLUSTERNAME" ]; then printf '%s\n'\ " true_cluster: True"\ - " true_cluster_name: '$ESCLUSTERNAME'" + " true_cluster_name: '$ESCLUSTERNAME'" >> "$global_pillar" else printf '%s\n'\ " true_cluster: False"\ - " true_cluster_name: 'so'" + " true_cluster_name: 'so'" >> "$global_pillar" fi printf '%s\n'\ " discovery_nodes: 1"\ From 57d8f2542212230740ed33ee4a9c84ee31f0f5e0 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 28 Oct 2020 16:44:14 -0400 Subject: [PATCH 15/15] Create master node role in ES --- salt/elasticsearch/files/elasticsearch.yml | 11 ++++------- setup/so-functions | 11 +++++++++-- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index 40f708057..b5d0b0293 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml 
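Review bot: The fallback `true_cluster_name: 'so'` written in the else branch disagrees with the `securityonion` default that the cluster-name inputbox pre-fills (patch 02), and neither branch explains when it applies; a comment above `if [ -n "$ESCLUSTERNAME" ]; then` such as `# ESCLUSTERNAME is set only when advanced manager setup chose a traditional ES cluster; otherwise a single-node default is written` would make the intent clear. `true_cluster: True` is emitted as a bare YAML boolean, which the `TRUECLUSTER is sameas true` test in elasticsearch.yml (patch 15) depends on, so that line deserves a `# must stay an unquoted boolean` note. The new `printf '%s\n'\` that reintroduces the `discovery_nodes` block is cut off at the hunk edge, so I could not confirm its final line still carries the `>> "$global_pillar"` redirect that the first two printfs now have; `manager_global` itself starts outside this hunk.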
@@ -1,11 +1,8 @@ {%- set NODE_ROUTE_TYPE = salt['pillar.get']('elasticsearch:node_route_type', 'hot') %} -{%- if salt['pillar.get']('elasticsearch:hot_warm_enabled') or salt['pillar.get']('elasticsearch:true_cluster') %} -{%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:true_cluster_name', '') %} -{%- else %} {%- set ESCLUSTERNAME = salt['pillar.get']('elasticsearch:esclustername', '') %} -{%- endif %} -{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') -%} -{% set FEATURES = salt['pillar.get']('elastic:features', False) %} +{%- set NODEIP = salt['pillar.get']('elasticsearch:mainip', '') %} +{%- set FEATURES = salt['pillar.get']('elastic:features', False) %} +{%- set TRUECLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} cluster.name: "{{ ESCLUSTERNAME }}" network.host: 0.0.0.0 @@ -44,7 +41,7 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% node.attr.box_type: {{ NODE_ROUTE_TYPE }} node.name: {{ grains.host }} script.max_compilations_rate: 1000/1m -{%- if salt['pillar.get']('elasticsearch:true_cluster') %} +{%- if TRUECLUSTER is sameas true %} {%- if grains.role == 'so-manager' %} node.roles: [ master ] {%- endif %} diff --git a/setup/so-functions b/setup/so-functions index 9ded48ddf..3566d0d5e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1331,8 +1331,15 @@ elasticsearch_pillar() { "elasticsearch:"\ " mainip: '$MAINIP'"\ " mainint: '$MNIC'"\ - " esheap: '$NODE_ES_HEAP_SIZE'"\ - " esclustername: {{ grains.host }}"\ + " esheap: '$NODE_ES_HEAP_SIZE'" + if [ -n "$ESCLUSTERNAME" ]; then + printf '%s\n'\ + " esclustername: $ESCLUSTERNAME" + else + printf '%s\n'\ + " esclustername: {{ grains.host }}" + fi + printf '%s\n'\ " node_type: '$NODETYPE'"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\
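Review bot: In the so-functions hunk, `" esclustername: $ESCLUSTERNAME"` is the only value written unquoted among its neighbours (`mainip: '$MAINIP'`, `mainint: '$MNIC'`, `node_type: '$NODETYPE'`), so a name such as `yes`, `null` or `1e3` would be YAML-coerced to a non-string and a `: ` or `#` in it would break the pillar; write it as `" esclustername: '$ESCLUSTERNAME'"`. That value ends up in `cluster.name: "{{ ESCLUSTERNAME }}"` in the template hunk above, so any input check on the name has to exclude double quotes as well. The template still binds `network.host: 0.0.0.0` (context line) and nodes will now join one cluster over the network, so it is worth confirming that the transport port is restricted to grid members by the host firewall rules, which are not on this page. `elasticsearch_pillar` starts outside its hunk and the trailing printf's redirect is not visible.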