From e8553162a53fa61b55673aaa306ef28cfa09167c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 10:50:42 -0400 Subject: [PATCH 01/24] [refactor] Change how whiptail asks for proxy settings --- salt/manager/init.sls | 6 -- setup/automation/distributed-airgap-manager | 1 - setup/automation/distributed-ami-manager | 1 - setup/automation/distributed-iso-manager | 1 - .../automation/distributed-net-centos-manager | 1 - .../automation/distributed-net-ubuntu-manager | 1 - .../distributed-net-ubuntu-suricata-manager | 1 - setup/automation/eval-airgap | 1 - setup/automation/eval-ami | 1 - setup/automation/eval-iso | 1 - setup/automation/eval-net-centos | 1 - setup/automation/eval-net-ubuntu | 1 - setup/automation/import-airgap | 1 - setup/automation/import-ami | 1 - setup/automation/import-iso | 1 - setup/automation/import-net-centos | 1 - setup/automation/import-net-ubuntu | 1 - setup/automation/standalone-airgap | 1 - setup/automation/standalone-ami | 1 - setup/automation/standalone-iso | 1 - setup/automation/standalone-iso-suricata | 1 - setup/automation/standalone-net-centos | 1 - setup/automation/standalone-net-centos-proxy | 1 - setup/automation/standalone-net-ubuntu | 1 - setup/so-functions | 27 ++++-- setup/so-setup | 11 +-- setup/so-whiptail | 89 ++++++++++++++----- 27 files changed, 89 insertions(+), 67 deletions(-) diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 908ef4502..1d21c95d3 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -18,7 +18,6 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} socore_own_saltstack: 
@@ -35,8 +34,6 @@ socore_own_saltstack: - mode: 750 - replace: False -{% if managerproxy == 1 %} - # Create the directories for apt-cacher-ng aptcacherconfdir: file.directory: @@ -60,7 +57,6 @@ aptcacherlogdir: - makedirs: true # Copy the config - acngcopyconf: file.managed: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf @@ -84,8 +80,6 @@ append_so-aptcacherng_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-aptcacherng -{% endif %} - strelka_yara_update_old_1: cron.absent: - user: root diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager index 3ed1a34f8..ddf44c100 100644 --- a/setup/automation/distributed-airgap-manager +++ b/setup/automation/distributed-airgap-manager @@ -42,7 +42,6 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-ami-manager b/setup/automation/distributed-ami-manager index 793e07ceb..6f5fb93dc 100644 --- a/setup/automation/distributed-ami-manager +++ b/setup/automation/distributed-ami-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager index 72cedb75e..07a22b588 100644 --- a/setup/automation/distributed-iso-manager +++ b/setup/automation/distributed-iso-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager index 72cedb75e..07a22b588 100644 --- a/setup/automation/distributed-net-centos-manager +++ b/setup/automation/distributed-net-centos-manager 
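Review bot: With the `{% if managerproxy == 1 %}` … `{% endif %}` wrapper gone, the apt-cacher-ng directories, the acng.conf copy, the so-aptcacherng container and its so-status entry are applied on every manager unconditionally, whether or not any node later selects a manager-routed update path. That may well be the intent now that the opt-in lives in the per-node MANAGERUPDATES flag, but it also means the cache listener that set_updates points nodes at (`proxy=http://$MSRV:3142` in so-functions) exists on managers that never asked for it, so whatever limits reachability of that port becomes the only control. A one-line comment above `aptcacherconfdir:` such as `# apt-cacher-ng always runs on the manager; nodes opt in via MANAGERUPDATES` would record the decision for the next reader. The states between these hunks are outside view.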
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager
index 104bf4df4..712db3020 100644
--- a/setup/automation/distributed-net-ubuntu-manager
+++ b/setup/automation/distributed-net-ubuntu-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-ubuntu-suricata-manager
index d1fdf158d..30aebc122 100644
--- a/setup/automation/distributed-net-ubuntu-suricata-manager
+++ b/setup/automation/distributed-net-ubuntu-suricata-manager
@@ -41,7 +41,6 @@ install_type=MANAGER
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap
index 095075a6b..e8deebe69 100644
--- a/setup/automation/eval-airgap
+++ b/setup/automation/eval-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/eval-ami b/setup/automation/eval-ami
index 1efab191d..ac8e42728 100644
--- a/setup/automation/eval-ami
+++ b/setup/automation/eval-ami
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso
index 880b3cc0c..d8a8c800a 100644
--- a/setup/automation/eval-iso
+++ b/setup/automation/eval-iso
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos
index 82d2cc9ec..5c0ea36a3 100644
--- a/setup/automation/eval-net-centos
+++ b/setup/automation/eval-net-centos
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu
index 132b8766e..4dc0eceda 100644
--- a/setup/automation/eval-net-ubuntu
+++ b/setup/automation/eval-net-ubuntu
@@ -41,7 +41,6 @@ install_type=EVAL
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index 9c394ef2f..dc524e0c3 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-ami b/setup/automation/import-ami
index 10758be9a..039e9caee 100644
--- a/setup/automation/import-ami
+++ b/setup/automation/import-ami
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-iso b/setup/automation/import-iso
index fbfdd364b..6cc3106fd 100644
--- a/setup/automation/import-iso
+++ b/setup/automation/import-iso
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos
index f6394bde1..2536c8516 100644
--- a/setup/automation/import-net-centos
+++ b/setup/automation/import-net-centos
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=0
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu
index ded17d09f..dc72c8184 100644
--- a/setup/automation/import-net-ubuntu
+++ b/setup/automation/import-net-ubuntu
@@ -41,7 +41,6 @@ install_type=IMPORT
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap
index 649b51e3c..99b003e05 100644
--- a/setup/automation/standalone-airgap
+++ b/setup/automation/standalone-airgap
@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-ami b/setup/automation/standalone-ami
index 7200d3637..c006b28fb 100644
--- a/setup/automation/standalone-ami
+++ b/setup/automation/standalone-ami
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso
index dd0edb67f..ec972b066 100644
--- a/setup/automation/standalone-iso
+++ b/setup/automation/standalone-iso
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata
index f4697f308..d6dbc73d2 100644
--- a/setup/automation/standalone-iso-suricata
+++ b/setup/automation/standalone-iso-suricata
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos
index 6b7a7ebac..a711ba878 100644
--- a/setup/automation/standalone-net-centos
+++ b/setup/automation/standalone-net-centos
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy
index ee2504a98..1fc245cba 100644
--- a/setup/automation/standalone-net-centos-proxy
+++ b/setup/automation/standalone-net-centos-proxy
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu
index fafb98cd4..a30e2a444 100644
--- a/setup/automation/standalone-net-ubuntu
+++ b/setup/automation/standalone-net-ubuntu
@@ -41,7 +41,6 @@ install_type=STANDALONE
 # LSPIPELINEBATCH=
 # LSPIPELINEWORKERS=
 MANAGERADV=BASIC
-MANAGERUPDATES=1
 # MDNS=
 # MGATEWAY=
 # MIP=
diff --git a/setup/so-functions b/setup/so-functions
index a37867b5a..7dd5511fb 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -480,6 +480,21 @@ collect_mtu() {
 done
 }
+collect_net_method() {
+ whiptail_net_method
+
+ [[ -n $network_traffic ]] && collect_proxy
+
+ if [[ "$network_traffic" == *"_MANAGER" ]]; then
+ whiptail_manager_updates_warning
+ MANAGERUPDATES=1
+ fi
+
+ if [[ "$network_traffic" == "PROXY"* ]]; then
+ collect_proxy no_ask
+ fi
+}
+
 collect_node_es_heap() {
 whiptail_node_es_heap "$ES_HEAP_SIZE"
 }
@@ -582,7 +597,9 @@ collect_patch_schedule_name_import() {
 collect_proxy() {
 [[ -n $TESTING ]] && return
- collect_proxy_details || return
+ local ask=${1:-true}
+
+ collect_proxy_details "$ask" || return
 while ! proxy_validate; do
 if whiptail_invalid_proxy; then
 collect_proxy_details no_ask
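Review bot: collect_net_method only ever raises MANAGERUPDATES to 1 and never clears it, so a value inherited from the environment or from an earlier pass survives a "Direct" or "Proxy" choice; an `else` branch on the `*"_MANAGER"` test, `else MANAGERUPDATES=0`, would make the menu authoritative. Related: this same commit deletes MANAGERUPDATES from every setup/automation profile, and whiptail_net_method returns before setting network_traffic when TESTING is set, so if the automation profiles run with TESTING set a non-interactive install appears to end with MANAGERUPDATES unset and set_updates (which tests `= '1'`) skipped — worth confirming that is intended for the distributed-*-manager profiles that previously carried `MANAGERUPDATES=1`. In collect_proxy, `local ask=${1:-true}` pairs a default of `true` with the sentinel `no_ask`; a short comment on what collect_proxy_details does with any value other than `no_ask` would help, since that helper is outside the hunk.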
@@ -2671,10 +2688,10 @@ set_redirect() {
 set_updates() {
 if [ "$MANAGERUPDATES" = '1' ]; then
 if [ "$OS" = 'centos' ]; then
- if [[ ! $is_airgap ]]; then
- if ! grep -q "$MSRV" /etc/yum.conf; then
- echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
- fi
+ if [[ ! $is_airgap ]]; then
+ if ! grep -q "$MSRV" /etc/yum.conf; then
+ echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
+ fi
 fi
 else
 # Set it up so the updates roll through the manager
diff --git a/setup/so-setup b/setup/so-setup
index ad210048a..0667c99db 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -211,7 +211,7 @@ if ! [[ -f $install_opt_file ]]; then
 set_main_ip >> $setup_log 2>&1
 compare_main_nic_ip
 reset_proxy
- collect_proxy
+ collect_net_method
 [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 whiptail_net_setup_complete
 else
@@ -319,7 +319,7 @@ if ! [[ -f $install_opt_file ]]; then
 reset_proxy
 if [[ -z $is_airgap ]]; then
- collect_proxy
+ collect_net_method
 [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 fi
@@ -499,13 +499,6 @@ if [[ $is_manager || $is_import ]]; then
 get_redirect
 fi
-if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
- whiptail_manager_updates
- if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
- whiptail_manager_updates_warning
- fi
-fi
-
 if [[ $is_distmanager ]]; then
 collect_soremote_inputs
 fi
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 6127a174a..06a1afec1 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1027,6 +1027,68 @@ whiptail_management_interface_setup() { whiptail_check_exitstatus $exitstatus } +whiptail_net_method() { + [ -n "$TESTING" ] && return + + [[ $is_airgap ]] && return + + local pkg_mngr + if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi + + read -r -d '' options_msg <<- EOM + "Direct" - Internet requests connect directly to the Internet. + + EOM + local options=( + " Direct" "" + ) + local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment." + + if [[ $is_minion ]]; then + local mngr_article + if [[ $is_distmanager ]]; then mngr_article="this"; else mngr_article="the"; fi + + read -r -d '' options_msg <<- EOM + ${options_msg} + + "Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager. + + "Proxy" - ${proxy_desc} + + "Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager. + EOM + + options+=( + " Direct + Manager" "" + " Proxy" "" + " Proxy + Manager" "" + ) + local height=25 + else + read -r -d '' options_msg <<- EOM + ${options_msg} + + "Proxy" - ${proxy_desc} + EOM + options+=( + " Proxy" "" + ) + local height=17 + fi + + local msg + read -r -d '' msg <<- EOM + How would you like to connect to the Internet? + + $options_msg + EOM + + local option_count=$(( ${#options[@]} / 2 )) + + network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3) + network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_') +} + whiptail_net_setup_complete() { [ -n "$TESTING" ] && return 
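Review bot: `options_msg` is never declared `local` in whiptail_net_method, unlike `pkg_mngr`, `options`, `proxy_desc`, `height` and `msg`, so the assembled menu text leaks into the caller's scope after the function returns; add `local options_msg` before the first `read -r -d '' options_msg <<- EOM`. The package-manager selection `if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi` is repeated verbatim in whiptail_proxy_ask in the next hunk; a tiny helper that echoes the name would keep the two from drifting. `network_traffic` is the function's only output and is consumed by collect_net_method in so-functions, so a one-line comment above the final assignment listing the normalised values (`DIRECT`, `DIRECT_MANAGER`, `PROXY`, `PROXY_MANAGER`) would document the contract between the two files.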
@@ -1161,29 +1223,6 @@ whiptail_manager_error() { whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 } -whiptail_manager_updates() { - - [ -n "$TESTING" ] && return - - local update_string - update_string=$(whiptail --title "Security Onion Setup" --radiolist \ - "How would you like to download OS package updates for your grid?" 20 75 4 \ - "MANAGER" "Manager node is proxy for updates" ON \ - "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - case "$update_string" in - 'MANAGER') - export MANAGERUPDATES='1' - ;; - *) - export MANAGERUPDATES='0' - ;; - esac - -} - whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return @@ -1485,7 +1524,9 @@ whiptail_patch_schedule_select_hours() { whiptail_proxy_ask() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno + local pkg_mngr + if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi + whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno } whiptail_proxy_addr() { From c907d416dfd623601dc27b80625d774f8907ad5c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 11:27:17 -0400 Subject: [PATCH 02/24] Set proxy for apt cacher too --- salt/manager/files/acng/acng.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf index 3492cf111..df934643b 100644 --- a/salt/manager/files/acng/acng.conf +++ b/salt/manager/files/acng/acng.conf 
@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxDlSpeed: 500
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
+{% set proxy = salt['pillar.get']('manager:proxy') -%}
+{{ if proxy }}
+Proxy: {{ proxy }}
+{{ endif }}
From 59247b4579db88a914a274060a0e259fb42df9f8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 13:45:01 -0400 Subject: [PATCH 03/24] Add exit check to new menu
---
setup/so-whiptail | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 06a1afec1..35c9f53ab 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1086,6 +1086,10 @@ whiptail_net_method() {
 local option_count=$(( ${#options[@]} / 2 ))
 network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
+
+ local exitstatus=$?
+ whiptail_check_exitstatus $exitstatus
+
 network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
 }
From 002fa990559f75f2ed6eb86036c2d3b0052daa24 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 13:47:50 -0400 Subject: [PATCH 04/24] Fix whiptail order
---
setup/so-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 0667c99db..6353cb996 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -302,6 +302,10 @@ if ! [[ -f $install_opt_file ]]; then
 source "$net_init_file"
 fi
+ if [[ $is_minion ]]; then
+ collect_mngr_hostname
+ fi
+
 if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
 whiptail_management_interface_setup
 fi
@@ -313,10 +317,6 @@ if ! [[ -f $install_opt_file ]]; then
 set_main_ip >> $setup_log 2>&1
 compare_main_nic_ip
- if [[ $is_minion ]]; then
- collect_mngr_hostname
- fi
-
 reset_proxy
 if [[ -z $is_airgap ]]; then
 collect_net_method
From 07e0ce563da0e154d7e439f3555d2f2a1e1fd800 Mon Sep 17 00:00:00 2001
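Review bot: `Proxy: {{ proxy }}` copies the `manager:proxy` pillar value verbatim into acng.conf, so if that URL is supplied in the `http://user:pass@host:port` form the credentials land in the rendered file and, with Salt's default show_changes, in the state output of the file.managed that deploys it (salt/manager/init.sls, not in this hunk); neither the file's mode nor show_changes is addressed here. A comment above the set line, `# manager:proxy may carry credentials; keep the rendered file's mode restrictive and show_changes off`, together with the matching `- mode:` and `- show_changes: False` on that state, would close that gap. The rest of acng.conf is outside the hunk.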
From: William Wernert Date: Mon, 19 Apr 2021 13:50:30 -0400 Subject: [PATCH 05/24] Symmetrical spaces + remove useless logic --- setup/so-whiptail | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 35c9f53ab..b5cf52a68 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1040,14 +1040,11 @@ whiptail_net_method() { EOM local options=( - " Direct" "" + " Direct " "" ) local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment." if [[ $is_minion ]]; then - local mngr_article - if [[ $is_distmanager ]]; then mngr_article="this"; else mngr_article="the"; fi - read -r -d '' options_msg <<- EOM ${options_msg} @@ -1059,9 +1056,9 @@ whiptail_net_method() { EOM options+=( - " Direct + Manager" "" - " Proxy" "" - " Proxy + Manager" "" + " Direct + Manager " "" + " Proxy " "" + " Proxy + Manager " "" ) local height=25 else @@ -1071,7 +1068,7 @@ whiptail_net_method() { "Proxy" - ${proxy_desc} EOM options+=( - " Proxy" "" + " Proxy " "" ) local height=17 fi From ba9a45bd0f4e663f349ae2b857fd95ed42d4bfa8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 14:02:00 -0400 Subject: [PATCH 06/24] Split network init + ssh copy notices --- setup/so-setup | 18 ++++++------- setup/so-whiptail | 68 +++++++++++++++++++---------------------------- 2 files changed, 37 insertions(+), 49 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 6353cb996..f75e195b8 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -203,7 +203,7 @@ if ! [[ -f $install_opt_file ]]; then if [[ $option == "CONFIGURENETWORK" ]]; then collect_hostname network_init_whiptail - whiptail_management_interface_setup + whiptail_network_init_notice network_init printf '%s\n' \ "MNIC=$MNIC" \ 
@@ -302,15 +302,8 @@ if ! [[ -f $install_opt_file ]]; then source "$net_init_file" fi - if [[ $is_minion ]]; then - collect_mngr_hostname - fi - - if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then - whiptail_management_interface_setup - fi - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + whiptail_network_init_notice network_init fi @@ -323,14 +316,21 @@ if ! [[ -f $install_opt_file ]]; then [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi + if [[ $is_minion ]]; then + collect_mngr_hostname + fi + if [[ $is_minion ]]; then add_mngr_ip_to_hosts fi if [[ $is_minion ]]; then + whiptail_ssh_key_copy_notice copy_ssh_key >> $setup_log 2>&1 fi + + if [[ $is_minion ]] && ! (compare_versions); then info "Installer version mismatch, downloading correct version from manager" printf '%s\n' \ diff --git a/setup/so-whiptail b/setup/so-whiptail index b5cf52a68..392d46078 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -987,46 +987,6 @@ whiptail_management_nic() { } -whiptail_management_interface_setup() { - [ -n "$TESTING" ] && return - - local minion_msg - local msg - local line_count - - if [[ $is_minion ]]; then - line_count=11 - minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote" - else - line_count=9 - minion_msg="" - fi - - if [[ $is_iso ]]; then - if [[ $minion_msg != "" ]]; then - if [[ -f $net_init_file ]]; then - msg=$minion_msg - else - msg="initialize networking and $minion_msg" - fi - else - msg="initialize networking" - fi - else - msg=$minion_msg - fi - - read -r -d '' message <<- EOM - Setup will now $msg. - - Select OK to continue. - EOM - - whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75 - local exitstatus=$? - whiptail_check_exitstatus $exitstatus -} - whiptail_net_method() { [ -n "$TESTING" ] && return 
@@ -1098,6 +1058,20 @@ whiptail_net_setup_complete() { exit 0 } +whiptail_network_init_notice() { + [ -n "$TESTING" ] && return + + read -r -d '' message <<- EOM + Setup will now initialize networking. + + Select OK to continue. + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" 9 75 + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_management_server() { [ -n "$TESTING" ] && return @@ -1760,6 +1734,20 @@ whiptail_so_allow() { whiptail_check_exitstatus $exitstatus } +whiptail_ssh_key_copy_notice() { + [ -n "$TESTING" ] && return + + read -r -d '' message <<- EOM + Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote. + + Select OK to continue. + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" 11 75 + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whitpail_ssh_warning() { [ -n "$TESTING" ] && return From 7948906f51486a04d693e0f726f1cb348b7decba Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 14:04:01 -0400 Subject: [PATCH 07/24] Fix minion airgap logic --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index f75e195b8..4cb9c98a2 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -264,7 +264,7 @@ elif [ "$install_type" = 'ANALYST' ]; then fi # Check if this is an airgap install -if [[ $is_iso || $is_minion ]]; then +if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then whiptail_airgap if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true From d8457255cb357c6dac80eeaeb71c95cfa7df656f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 14:06:10 -0400 Subject: [PATCH 08/24] n -> z --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/setup/so-functions b/setup/so-functions
index 7dd5511fb..73eef96c2 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -483,7 +483,7 @@ collect_mtu() {
 collect_net_method() {
 whiptail_net_method
- [[ -n $network_traffic ]] && collect_proxy
+ [[ -z $network_traffic ]] && collect_proxy
 if [[ "$network_traffic" == *"_MANAGER" ]]; then
 whiptail_manager_updates_warning
From b37da027fd4c0d480110ec6e919bf5e34e94055c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 14:08:25 -0400 Subject: [PATCH 09/24] ECDSA to ED25519
---
setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 392d46078..ce6f0c112 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1738,7 +1738,7 @@ whiptail_ssh_key_copy_notice() {
 [ -n "$TESTING" ] && return
 read -r -d '' message <<- EOM
- Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote.
+ Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
 Select OK to continue.
 EOM
From d2067a42bdccc8b2f85bc2d55a45a516abe13f6f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 14:12:53 -0400 Subject: [PATCH 10/24] Don't skip new menu on airgap minions
---
setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index ce6f0c112..a04636f6a 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -990,7 +990,7 @@ whiptail_management_nic() {
 whiptail_net_method() {
 [ -n "$TESTING" ] && return
- [[ $is_airgap ]] && return
+ [[ $is_airgap && ! $is_minion ]] && return
 local pkg_mngr
 if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
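Review bot: The notice still calls what the user is asked to accept a "certificate"; the prompt that appears while the key is copied is the manager's SSH host key, and telling people to simply accept it reinforces trust-on-first-use without any verification step. Suggest `This will bring you to the command line temporarily to verify and accept the manager's ED25519 SSH host key fingerprint and enter the password for soremote.`, ideally followed by a sentence on where the fingerprint can be read on the manager for comparison. The same wording was introduced with whiptail_ssh_key_copy_notice in PATCH 06 and the ECDSA→ED25519 edit here leaves the rest of it unchanged.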
From b4499557115ccca8f80f41dc707e1493b83b0cb1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 19 Apr 2021 16:26:53 -0400 Subject: [PATCH 11/24] Proxy whiptail fixes * Don't try to set up proxy/manager proxy during network only flow * Fix logic to never show new menu on airgap, set MANAGERUPDATES to 1 on airgap minions
---
setup/so-functions |  2 -- setup/so-setup |  5 +---- setup/so-whiptail |  2 -- 3 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 73eef96c2..198178d03 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -483,8 +483,6 @@ collect_mtu() {
 collect_net_method() {
 whiptail_net_method
- [[ -z $network_traffic ]] && collect_proxy
-
 if [[ "$network_traffic" == *"_MANAGER" ]]; then
 whiptail_manager_updates_warning
 MANAGERUPDATES=1
diff --git a/setup/so-setup b/setup/so-setup
index 4cb9c98a2..aa6ce489e 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -210,9 +210,6 @@ if ! [[ -f $install_opt_file ]]; then
 "HOSTNAME=$HOSTNAME" > "$net_init_file"
 set_main_ip >> $setup_log 2>&1
 compare_main_nic_ip
- reset_proxy
- collect_net_method
- [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 whiptail_net_setup_complete
 else
 true
@@ -428,7 +425,7 @@ fi
 if [[ $is_airgap ]]; then
 PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
- MANAGERUPDATES=${MANAGERUPDATES:-0}
+ [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
 fi
 # Start user prompts
diff --git a/setup/so-whiptail b/setup/so-whiptail
index a04636f6a..03011e7c6 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -990,8 +990,6 @@ whiptail_management_nic() {
 whiptail_net_method() {
 [ -n "$TESTING" ] && return
- [[ $is_airgap && ! $is_minion ]] && return
-
 local pkg_mngr
 if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
From bbf16d0f11b5da8b39ac1243dc68553ec3993245 Mon Sep 17 00:00:00 2001
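Review bot: `[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}` relies on the `A && B || C` idiom, which only reads as if/else here because an assignment cannot fail; the next person who turns B into a command will get C run on B's failure as well. Prefer `if [[ $is_minion ]]; then MANAGERUPDATES=${MANAGERUPDATES:-1}; else MANAGERUPDATES=${MANAGERUPDATES:-0}; fi`, with a comment recording the reason the commit message gives, e.g. `# airgap: minions route OS updates through the manager (MANAGERUPDATES=1); the manager itself does not`. The enclosing `if [[ $is_airgap ]]` block is entirely within the hunk.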
From: William Wernert Date: Tue, 20 Apr 2021 11:34:17 -0400 Subject: [PATCH 12/24] Show airgap prompt within if statement + persist variable for node installs
---
setup/so-setup | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index aa6ce489e..08d67d2da 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -260,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
 is_analyst=true
 fi
-# Check if this is an airgap install
-if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
- whiptail_airgap
- if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
- is_airgap=true
- fi
-fi
-
 if [[ $is_manager || $is_import ]]; then
 check_elastic_license
 fi
 if ! [[ -f $install_opt_file ]]; then
+ # Check if this is an airgap install
+ if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
+ whiptail_airgap
+ if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
+ is_airgap=true
+ fi
+ fi
+
 if [[ $is_manager && $is_sensor ]]; then
 check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then
@@ -326,8 +326,6 @@ if ! [[ -f $install_opt_file ]]; then
 copy_ssh_key >> $setup_log 2>&1
 fi
-
-
 if [[ $is_minion ]] && ! (compare_versions); then
 info "Installer version mismatch, downloading correct version from manager"
 printf '%s\n' \
@@ -336,6 +334,7 @@ if ! [[ -f $install_opt_file ]]; then
 "HOSTNAME=$HOSTNAME" \
 "MSRV=$MSRV" \
 "MSRVIP=$MSRVIP" \
+ "is_airgap=$is_airgap" \
 "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
 [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 download_repo_tarball
From cd0a115ac71b9f7b9a2fd56221c11c30f12a2dd2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 12:55:00 -0400 Subject: [PATCH 13/24] Fix acng config and don't show changes when proxy string can exist in file
---
salt/manager/files/acng/acng.conf | 4 ++-- salt/manager/init.sls | 2 ++ salt/repo/client/init.sls | 1 + 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf
index df934643b..55a46e616 100644
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
@@ -91,6 +91,6 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
 {% set proxy = salt['pillar.get']('manager:proxy') -%}
-{{ if proxy }}
+{% if proxy %}
 Proxy: {{ proxy }}
-{{ endif }}
+{% endif %}
diff --git a/salt/manager/init.sls b/salt/manager/init.sls
index 1d21c95d3..91635eb59 100644
--- a/salt/manager/init.sls
+++ b/salt/manager/init.sls
@@ -61,6 +61,8 @@ acngcopyconf:
 file.managed:
 - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
 - source: salt://manager/files/acng/acng.conf
+ - template: jinja
+ - show_changes: False
 # Install the apt-cacher-ng container
 so-aptcacherng:
diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls
index 5567caac2..cff28fb4a 100644
--- a/salt/repo/client/init.sls
+++ b/salt/repo/client/init.sls
@@ -63,6 +63,7 @@ yumconf:
 - source: salt://repo/client/files/centos/yum.conf.jinja
 - mode: 644
 - template: jinja
+ - show_changes: False
 {% endif %}
 cleanyum:
From 369c0b43f57766435c7184d18817978efeee27b3 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 12:55:23 -0400 Subject: [PATCH 14/24] Further jinja fixes
---
salt/manager/files/acng/acng.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/manager/files/acng/acng.conf b/salt/manager/files/acng/acng.conf
index 55a46e616..993452b57 100644
--- a/salt/manager/files/acng/acng.conf
+++ b/salt/manager/files/acng/acng.conf
@@ -91,6 +91,6 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
 # MaxInresponsiveDlSize: 64000
 # BadRedirDetectMime: text/html
 {% set proxy = salt['pillar.get']('manager:proxy') -%}
-{% if proxy %}
+{% if proxy -%}
 Proxy: {{ proxy }}
-{% endif %}
+{% endif -%}
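Review bot: `show_changes: False` on acngcopyconf (and on yumconf in the next hunk) keeps the rendered proxy line out of state output, but the reason is not recorded and will read as noise to the next maintainer; a comment on each state, `# rendered proxy URL may contain credentials; keep it out of state output`, would preserve it. Suppressing the diff also hides legitimate drift in acng.conf on every run, so it is worth considering whether the suppression should only apply when the pillar is actually set. yumconf shows `- mode: 644`, so whatever yum.conf.jinja renders is world-readable on the node, and acngcopyconf sets no mode in this hunk; if credentials can reach either file, the file mode matters more than the state output does.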
From 95bb757b033220ffcf3ebe662cb13675cdefdd9d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 13:12:55 -0400 Subject: [PATCH 15/24] Fix salt-master check
---
setup/so-functions | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 198178d03..fcdb66c15 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -175,10 +175,8 @@ __check_so_status() {
 }
 __check_salt_master() {
- local salt_master_status
- salt_master_status=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master)
- [[ -z $salt_master_status ]] && salt_master_status=1
- return $salt_master_status
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master
+ return $?
 }
 check_network_manager_conf() {
From ca9ac46cd2957f6fe309cad27ab47bd27ce8a150 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 13:27:52 -0400 Subject: [PATCH 16/24] Add keypress instruction at end of summary
---
setup/so-whiptail | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/setup/so-whiptail b/setup/so-whiptail
index 03011e7c6..926487f5b 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -616,6 +616,9 @@ whiptail_end_settings() {
 fi
 fi
+ __append_end_msg ""
+ __append_end_msg "Press TAB to select yes or no."
+
 whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext
 local exitstatus=$?
From 113e558a0538b62ae44fc1ef99f06b8707feef4f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 14:32:17 -0400 Subject: [PATCH 17/24] Set manager early for proxy config
---
setup/so-setup | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 08d67d2da..e75bfd8c8 100755
--- a/setup/so-setup
+++ b/setup/so-setup
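Review bot: `return $?` after the ssh command is redundant — a bash function already returns the exit status of its last command — and without a comment the reason for the rewrite is lost: `systemctl is-active --quiet` prints nothing, so the removed `[[ -z $salt_master_status ]]` test fired on every call and the function always returned 1. Suggest dropping the `return` line and adding `# --quiet prints nothing; the ssh exit status (systemctl's) is the result`. Note that ssh also exits non-zero when the connection itself fails, so callers cannot distinguish "salt-master inactive" from "manager unreachable" through this helper; `$sshcmd` is defined outside the hunk.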
@@ -307,20 +307,17 @@ if ! [[ -f $install_opt_file ]]; then set_main_ip >> $setup_log 2>&1 compare_main_nic_ip + if [[ $is_minion ]]; then + collect_mngr_hostname + add_mngr_ip_to_hosts + fi + reset_proxy if [[ -z $is_airgap ]]; then collect_net_method [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi - if [[ $is_minion ]]; then - collect_mngr_hostname - fi - - if [[ $is_minion ]]; then - add_mngr_ip_to_hosts - fi - if [[ $is_minion ]]; then whiptail_ssh_key_copy_notice copy_ssh_key >> $setup_log 2>&1 From 3d9042349561613ca8efdb46cc18ce08f5700f9d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 14:44:58 -0400 Subject: [PATCH 18/24] Fix summary message to preserve empty line --- setup/so-whiptail | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 926487f5b..09346828f 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -616,10 +616,14 @@ whiptail_end_settings() { fi fi - __append_end_msg "" - __append_end_msg "Press TAB to select yes or no." + local msg + read -r -d '' msg <<-EOM + $end_msg - whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext + Press TAB to select yes or no. + EOM + + whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext local exitstatus=$? whiptail_check_exitstatus $exitstatus From 3f007f102686f7036a274bc8b1480a059cb55526 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 20 Apr 2021 15:18:06 -0400 Subject: [PATCH 19/24] Disable fastestmirror during setup + soup --- salt/common/tools/sbin/so-common | 4 ++++ salt/common/tools/sbin/soup | 3 ++- setup/so-functions | 22 +++++++++++----------- setup/so-setup | 2 ++ 4 files changed, 19 insertions(+), 12 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 97e61e6e2..a425bf7bd 100755 --- a/salt/common/tools/sbin/so-common 
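Review bot: `read -r -d '' msg <<-EOM` in `whiptail_end_settings` always returns a non-zero status because the NUL delimiter is never found before EOF; if the script runs under `set -e`, or the call ever sits in an `&&` chain, setup aborts even though `msg` was filled correctly — the usual guard is `read -r -d '' msg <<-EOM || true`. Also, `<<-` strips leading tabs only, so if so-whiptail is indented with spaces the indentation of `$end_msg` and of the TAB hint becomes part of the dialog text; the diff does not show which it is. The same idiom already appears in so-common (`elastic_license`), so the caveat applies there too. `whiptail_end_settings` begins outside the hunk.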
+++ b/salt/common/tools/sbin/so-common @@ -122,6 +122,10 @@ check_elastic_license() { fi } +disable_fastestmirror() { + sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf +} + elastic_license() { read -r -d '' message <<- EOM diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 2a1ddab1c..f17c180b8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -425,8 +425,9 @@ up_2.3.3X_to_2.3.50_repo() { if [[ "$OS" == "centos" ]]; then # Import GPG Keys gpg_rpm_import - if [ $is_airgap -eq 1 ]; then + echo "Disabling fastestmirror." + disable_fastestmirror echo "Deleting unneeded repo files." DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') diff --git a/setup/so-functions b/setup/so-functions index fcdb66c15..c6925b778 100755 --- a/setup/so-functions +++ b/setup/so-functions 
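Review bot: `disable_fastestmirror` runs `sed -i` unconditionally on /etc/yum/pluginconf.d/fastestmirror.conf, so on a host where the plugin is not installed sed prints an error and returns non-zero, and the substitution `s/enabled=1/enabled=0/` is unanchored. Guarding on the file and anchoring the match — `[[ -f /etc/yum/pluginconf.d/fastestmirror.conf ]] && sed -i 's/^enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf` — keeps the behaviour on CentOS and makes the function a no-op elsewhere. A one-line header comment, e.g. `# Disable the yum fastestmirror plugin (called during setup and soup)`, would help, as the function currently has none.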
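Review bot: The hunk in `up_2.3.3X_to_2.3.50_repo` deletes the line `if [ $is_airgap -eq 1 ]; then` but no matching `fi` or `else` is removed, and the diffstat for soup reports only one deletion, so unless the closing `fi` is handled elsewhere the function is left with an unmatched `fi` and soup fails to parse. If the intent is to run the repo cleanup on airgap and non-airgap hosts alike, the corresponding `fi` below the DELREPOS handling needs to go in the same patch. The rest of the function lies outside the hunk, so this is inferred from the diffstat rather than seen.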
@@ -2321,24 +2321,24 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos if [[ "$OS" == "centos" ]]; then - if [[ "$INTERWEBS" == "AIRGAP" ]]; then - echo "This is airgap I don't need to add this repo" + if [[ "$INTERWEBS" == "AIRGAP" ]]; then + echo "This is airgap I don't need to add this repo" else - mkdir -p /root/oldrepos - mv -v /etc/yum.repos.d/* /root/oldrepos/ + mkdir -p /root/oldrepos + mv -v /etc/yum.repos.d/* /root/oldrepos/ ls -la /etc/yum.repos.d/ - rm -rf /etc/yum.repos.d + rm -rf /etc/yum.repos.d yum clean all yum repolist all mkdir -p /etc/yum.repos.d - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/ - else - cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ - fi + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/repo/client/files/centos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/repo/client/files/centos/securityonion.repo /etc/yum.repos.d/ + fi fi else - echo "This is Ubuntu" + echo "This is Ubuntu" fi } diff --git a/setup/so-setup b/setup/so-setup index e75bfd8c8..d7dd3b660 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -634,6 +634,8 @@ echo "1" > /root/accept_changes set_progress_str 2 'Updating packages' # Import the gpg keys gpg_rpm_import >> $setup_log 2>&1 + info "Disabling fastestmirror" + [[ $OS == 'centos' ]] && disable_fastestmirror if [[ ! $is_airgap ]]; then securityonion_repo >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 From f3d663f0906f86e5b752cfbfcd2c21f924e4aaa6 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 21 Apr 2021 15:59:37 -0400 Subject: [PATCH 20/24] Don't set yum/apt proxy if updating through manager --- setup/so-functions | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index c6925b778..f8c78238d 100755 --- a/setup/so-functions 
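Review bot: The new `disable_fastestmirror` call in so-setup is the only step in this sequence whose output is not redirected to `$setup_log`, and the `info "Disabling fastestmirror"` line is printed on Ubuntu where nothing happens. Keeping both inside the OS check and logging like the neighbouring calls — `if [[ $OS == 'centos' ]]; then info "Disabling fastestmirror"; disable_fastestmirror >> $setup_log 2>&1; fi` — keeps any sed error out of the whiptail display. `disable_fastestmirror` is defined in so-common; the diff does not show so-setup sourcing that file, which is worth confirming.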
+++ b/setup/so-functions @@ -2410,13 +2410,15 @@ set_proxy() { "}" > /root/.docker/config.json # Set proxy for package manager - if [ "$OS" = 'centos' ]; then - echo "proxy=$so_proxy" >> /etc/yum.conf - else - # Set it up so the updates roll through the manager - printf '%s\n'\ - "Acquire::http::Proxy \"$so_proxy\";"\ - "Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf + if [[ $MANAGERUPDATES != 1 ]]; then + if [ "$OS" = 'centos' ]; then + echo "proxy=$so_proxy" >> /etc/yum.conf + else + # Set it up so the updates roll through the manager + printf '%s\n'\ + "Acquire::http::Proxy \"$so_proxy\";"\ + "Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf + fi fi # Set global git proxy @@ -2684,10 +2686,8 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then - if [[ ! $is_airgap ]]; then - if ! grep -q "$MSRV" /etc/yum.conf; then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf - fi + if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then + echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi else # Set it up so the updates roll through the manager From c1ae7ff3b65376a27289134e1ba04e9b7d00f290 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 21 Apr 2021 16:18:20 -0400 Subject: [PATCH 21/24] Set proxy, replace when setting up yum for manager proxy --- setup/so-functions | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f8c78238d..86ef60203 100755 --- a/setup/so-functions +++ b/setup/so-functions 
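Review bot: The guard `! ( grep -q "$MSRV" /etc/yum.conf)` in `set_updates` treats the manager hostname as an unanchored basic regex, so any line that happens to mention the manager (a comment, another option) suppresses adding the proxy line, while a `proxy=` pointing elsewhere is left untouched. Matching the exact line — `grep -q "^proxy=http://${MSRV}:3142" /etc/yum.conf` — tests what the code actually wants to know; the subshell around grep is also unnecessary. The later patches in this series change how the line is written but keep this guard, so the remark carries over. `set_updates` continues outside the hunk.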
@@ -2410,15 +2410,13 @@ set_proxy() { "}" > /root/.docker/config.json # Set proxy for package manager - if [[ $MANAGERUPDATES != 1 ]]; then - if [ "$OS" = 'centos' ]; then - echo "proxy=$so_proxy" >> /etc/yum.conf - else - # Set it up so the updates roll through the manager - printf '%s\n'\ - "Acquire::http::Proxy \"$so_proxy\";"\ - "Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf - fi + if [ "$OS" = 'centos' ]; then + echo "proxy=$so_proxy" >> /etc/yum.conf + else + # Set it up so the updates roll through the manager + printf '%s\n'\ + "Acquire::http::Proxy \"$so_proxy\";"\ + "Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf fi # Set global git proxy @@ -2687,7 +2685,11 @@ set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + if grep -q "proxy="; then + sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" + else + echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + fi fi else # Set it up so the updates roll through the manager From 261e7f7fd978a1243b051d419b877d61ec22dcec Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 21 Apr 2021 16:29:24 -0400 Subject: [PATCH 22/24] sed and grep need input files --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 86ef60203..e1467191e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2685,8 +2685,8 @@ set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then - if grep -q "proxy="; then - sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" + if grep -q "proxy=" /etc/yum.conf; then + sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf else echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi 
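Review bot: The restored lines in `set_proxy` write `$so_proxy` verbatim into /etc/yum.conf and /etc/apt/apt.conf.d/00-proxy.conf; if the proxy URL carries `user:password@`, those credentials land in files created with root's default umask (typically 0644), alongside the copy already written to /root/.docker/config.json. A comment such as `# NOTE: so_proxy may embed credentials; these files are world-readable by default` and, where the consumer allows it, a `chmod 600` after writing would limit exposure — for apt, confirm first that the unprivileged apt user does not need to read the file. `echo ... >> /etc/yum.conf` also appends a second `proxy=` line if set_proxy runs twice; the replace-in-place logic added to `set_updates` in this same patch could be reused here. The function starts before the hunk and continues after it.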
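Review bot: `sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf` is unanchored, so it rewrites every line containing `proxy=` (including commented examples), and it interpolates `$MSRV` into a `/`-delimited expression, which breaks if the value ever contains `/` or `&`. Using a different delimiter and anchoring the line — `sed -i "s|^proxy=.*|proxy=http://${MSRV}:3142|" /etc/yum.conf` — removes the escapes and limits the change to the real option. Redirecting package downloads over plain HTTP to the manager cache makes package integrity rest entirely on repository signature checks; the repo files are not in this hunk, so it is worth confirming `gpgcheck=1` stays set on the minion. The outer `grep -q "$MSRV"` guard still matches the hostname anywhere in the file. `set_updates` begins just before the hunk and ends after it.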
From 071e5166b40c894a78c5063ba2a335dbc22168f5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 21 Apr 2021 17:57:02 -0400 Subject: [PATCH 23/24] Set package manager source in patch pillar for yum.conf --- salt/repo/client/files/centos/yum.conf.jinja | 2 +- setup/so-functions | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/repo/client/files/centos/yum.conf.jinja b/salt/repo/client/files/centos/yum.conf.jinja index 506036421..d8cb32de1 100644 --- a/salt/repo/client/files/centos/yum.conf.jinja +++ b/salt/repo/client/files/centos/yum.conf.jinja @@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }} bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum distroverpkg=centos-release clean_requirements_on_remove=1 -{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%} +{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', 'direct') == 'manager' -%} proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 {% elif proxy -%} proxy={{ proxy }} diff --git a/setup/so-functions b/setup/so-functions index e1467191e..217f9f360 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1669,7 +1669,6 @@ manager_global() { " fleet_ip: 'N/A'"\ " sensoronikey: '$SENSORONIKEY'"\ " wazuh: $WAZUH"\ - " managerupdate: $MANAGERUPDATES"\ " imagerepo: '$IMAGEREPO'"\ " pipeline: 'redis'"\ "sensoroni:"\ 
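Review bot: The template now tests `salt['pillar.get']('global:managerupdate', 'direct') == 'manager'`, but the same patch stops writing `managerupdate` into the global pillar (the `manager_global` hunk below) and instead records the choice as `patch:os:source` in the minion pillar, so unless `global:managerupdate` is still set somewhere else the condition can never be true and minions fall through to `{% elif proxy %}` instead of the manager cache. The check should read the key that is actually written: `salt['pillar.get']('patch:os:source', 'direct') == 'manager'`. Comparing against the string `'manager'` is itself a good change — the previous truthy test would have accepted the literal `'0'` default — so only the key name needs attention.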
@@ -1865,9 +1864,16 @@ patch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + if [[ $MANAGERUPDATES == 1 ]]; then + local source="manager" + else + local source="direct" + fi + printf '%s\n'\ "patch:"\ " os:"\ + " source: $source"\ " schedule_name: '$PATCHSCHEDULENAME'"\ " enabled: True"\ " splay: 300"\ From c297031f6b2d438a9a035dbbf07a3086a92f27cc Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 21 Apr 2021 17:58:13 -0400 Subject: [PATCH 24/24] Surround scalar in single quotes --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 217f9f360..d9309f098 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1873,7 +1873,7 @@ patch_pillar() { printf '%s\n'\ "patch:"\ " os:"\ - " source: $source"\ + " source: '$source'"\ " schedule_name: '$PATCHSCHEDULENAME'"\ " enabled: True"\ " splay: 300"\
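Review bot: `local source` is declared separately in both branches of the `if` in `patch_pillar`, and `source` is also the name of a shell builtin; the shadowing is harmless in bash but misleading to read. One declaration with the default, `local pkg_source='direct'`, followed by `[[ $MANAGERUPDATES == 1 ]] && pkg_source='manager'`, expresses the same mapping in two lines and keeps the builtin's name free. A short comment on the emitted key, e.g. `# patch:os:source — 'manager' (updates via the manager) or 'direct'`, would help the next reader, since its consumer is not in this file. `patch_pillar` starts before the hunk and continues after it.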