Merge pull request #3940 from Security-Onion-Solutions/foxtrot

Foxtrot
Mike Reeves
2021-04-21 18:44:37 -04:00
committed by GitHub
32 changed files with 157 additions and 128 deletions


@@ -122,6 +122,10 @@ check_elastic_license() {
fi fi
} }
disable_fastestmirror() {
sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
}
elastic_license() { elastic_license() {
read -r -d '' message <<- EOM read -r -d '' message <<- EOM
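Review bot: `disable_fastestmirror()` runs `sed -i` on `/etc/yum/pluginconf.d/fastestmirror.conf` without checking that the file exists, so on a host without the plugin sed prints an error and returns non-zero. The expression is also unanchored, so it rewrites `enabled=1` wherever it occurs on a line. Consider `local conf=/etc/yum/pluginconf.d/fastestmirror.conf`, then `[[ -f "$conf" ]] || return 0` and `sed -i 's/^enabled=1/enabled=0/' "$conf"`. A one-line comment stating why the plugin is switched off would also help; presumably it is so yum uses the configured repo or proxy instead of probing mirrors, but that should be confirmed.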


@@ -453,8 +453,9 @@ up_2.3.3X_to_2.3.50_repo() {
if [[ "$OS" == "centos" ]]; then if [[ "$OS" == "centos" ]]; then
# Import GPG Keys # Import GPG Keys
gpg_rpm_import gpg_rpm_import
if [ $is_airgap -eq 1 ]; then if [ $is_airgap -eq 1 ]; then
echo "Disabling fastestmirror."
disable_fastestmirror
echo "Deleting unneeded repo files." echo "Deleting unneeded repo files."
DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh') DELREPOS=('CentOS-Base' 'CentOS-CR' 'CentOS-Debuginfo' 'docker-ce' 'CentOS-fasttrack' 'CentOS-Media' 'CentOS-Sources' 'CentOS-Vault' 'CentOS-x86_64-kernel' 'epel' 'epel-testing' 'saltstack' 'wazuh')


@@ -90,3 +90,7 @@ PassThroughPattern: (repo\.securityonion\.net:443|download\.docker\.com:443|mirr
# MaxDlSpeed: 500 # MaxDlSpeed: 500
# MaxInresponsiveDlSize: 64000 # MaxInresponsiveDlSize: 64000
# BadRedirDetectMime: text/html # BadRedirDetectMime: text/html
{% set proxy = salt['pillar.get']('manager:proxy') -%}
{% if proxy -%}
Proxy: {{ proxy }}
{% endif -%}
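Review bot: The added `Proxy: {{ proxy }}` line writes the `manager:proxy` pillar value into the rendered config verbatim, so if that URL can carry credentials they end up in clear text in `/opt/so/conf/aptcacher-ng/etc/acng.conf`. The `show_changes: False` added to the `acngcopyconf` state in this same commit suggests the value is treated as sensitive, yet that state shows no `user`, `group` or `mode` in the lines visible here, so the file gets default permissions. Setting an explicit restrictive mode, owned by whatever account the container reads it as, would keep the value away from other local users. The `yumconf` state has the same exposure: it keeps `- mode: 644` while its template renders `proxy={{ proxy }}`, so it is worth checking whether world-readable is really required there.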


@@ -18,7 +18,6 @@
{% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %}
{% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %}
{% set MANAGER = salt['grains.get']('master') %} {% set MANAGER = salt['grains.get']('master') %}
{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %}
{% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %}
socore_own_saltstack: socore_own_saltstack:
@@ -35,8 +34,6 @@ socore_own_saltstack:
- mode: 750 - mode: 750
- replace: False - replace: False
{% if managerproxy == 1 %}
# Create the directories for apt-cacher-ng # Create the directories for apt-cacher-ng
aptcacherconfdir: aptcacherconfdir:
file.directory: file.directory:
@@ -60,11 +57,12 @@ aptcacherlogdir:
- makedirs: true - makedirs: true
# Copy the config # Copy the config
acngcopyconf: acngcopyconf:
file.managed: file.managed:
- name: /opt/so/conf/aptcacher-ng/etc/acng.conf - name: /opt/so/conf/aptcacher-ng/etc/acng.conf
- source: salt://manager/files/acng/acng.conf - source: salt://manager/files/acng/acng.conf
- template: jinja
- show_changes: False
# Install the apt-cacher-ng container # Install the apt-cacher-ng container
so-aptcacherng: so-aptcacherng:
@@ -84,8 +82,6 @@ append_so-aptcacherng_so-status.conf:
- name: /opt/so/conf/so-status/so-status.conf - name: /opt/so/conf/so-status/so-status.conf
- text: so-aptcacherng - text: so-aptcacherng
{% endif %}
strelka_yara_update_old_1: strelka_yara_update_old_1:
cron.absent: cron.absent:
- user: root - user: root
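Review bot: With the `{% if managerproxy == 1 %}` guard and its `{% endif %}` removed, the apt-cacher-ng directories, config and `so-aptcacherng` container are now deployed on every manager, including grids where all nodes pull updates directly. That leaves a caching proxy running that nothing may use (the yum template points clients at port 3142). If this is intentional so nodes can switch to manager updates later, say so in a comment above `# Create the directories for apt-cacher-ng`, and confirm that the firewall rules for that port stay limited to grid members.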


@@ -12,7 +12,7 @@ installonly_limit={{ salt['pillar.get']('yum:config:installonly_limit', 2) }}
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release distroverpkg=centos-release
clean_requirements_on_remove=1 clean_requirements_on_remove=1
{% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', '0') -%} {% if (grains['role'] not in ['so-eval','so-managersearch', 'so-manager', 'so-standalone']) and salt['pillar.get']('global:managerupdate', 'direct') == 'manager' -%}
proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142 proxy=http://{{ salt['pillar.get']('yum:config:proxy', salt['config.get']('master')) }}:3142
{% elif proxy -%} {% elif proxy -%}
proxy={{ proxy }} proxy={{ proxy }}
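Review bot: The new form of the condition compares `salt['pillar.get']('global:managerupdate', 'direct')` with `'manager'`, but nothing visible in this commit still writes that key with that value: `manager_global()` drops the `managerupdate:` line from the global pillar, and `patch_pillar()` writes `'manager'`/`'direct'` under `patch: os: source:` in the minion pillar. Unless something outside the visible hunks sets `global:managerupdate` to the string `manager`, this branch never matches and nodes that chose manager updates get no `proxy=http://…:3142` line from Salt. An existing grid whose pillar still holds the old value `1` would stop matching as well. If the minion pillar is the intended source, the lookup would be `salt['pillar.get']('patch:os:source', 'direct') == 'manager'`.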


@@ -63,6 +63,7 @@ yumconf:
- source: salt://repo/client/files/centos/yum.conf.jinja - source: salt://repo/client/files/centos/yum.conf.jinja
- mode: 644 - mode: 644
- template: jinja - template: jinja
- show_changes: False
{% endif %} {% endif %}
cleanyum: cleanyum:


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=MANAGER
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=EVAL
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=0
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=IMPORT
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -42,7 +42,6 @@ INTERWEBS=AIRGAP
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -41,7 +41,6 @@ install_type=STANDALONE
# LSPIPELINEBATCH= # LSPIPELINEBATCH=
# LSPIPELINEWORKERS= # LSPIPELINEWORKERS=
MANAGERADV=BASIC MANAGERADV=BASIC
MANAGERUPDATES=1
# MDNS= # MDNS=
# MGATEWAY= # MGATEWAY=
# MIP= # MIP=


@@ -478,6 +478,19 @@ collect_mtu() {
done done
} }
collect_net_method() {
whiptail_net_method
if [[ "$network_traffic" == *"_MANAGER" ]]; then
whiptail_manager_updates_warning
MANAGERUPDATES=1
fi
if [[ "$network_traffic" == "PROXY"* ]]; then
collect_proxy no_ask
fi
}
collect_node_es_heap() { collect_node_es_heap() {
whiptail_node_es_heap "$ES_HEAP_SIZE" whiptail_node_es_heap "$ES_HEAP_SIZE"
} }
@@ -580,7 +593,9 @@ collect_patch_schedule_name_import() {
collect_proxy() { collect_proxy() {
[[ -n $TESTING ]] && return [[ -n $TESTING ]] && return
collect_proxy_details || return local ask=${1:-true}
collect_proxy_details "$ask" || return
while ! proxy_validate; do while ! proxy_validate; do
if whiptail_invalid_proxy; then if whiptail_invalid_proxy; then
collect_proxy_details no_ask collect_proxy_details no_ask
@@ -1654,7 +1669,6 @@ manager_global() {
" fleet_ip: 'N/A'"\ " fleet_ip: 'N/A'"\
" sensoronikey: '$SENSORONIKEY'"\ " sensoronikey: '$SENSORONIKEY'"\
" wazuh: $WAZUH"\ " wazuh: $WAZUH"\
" managerupdate: $MANAGERUPDATES"\
" imagerepo: '$IMAGEREPO'"\ " imagerepo: '$IMAGEREPO'"\
" pipeline: 'redis'"\ " pipeline: 'redis'"\
"sensoroni:"\ "sensoroni:"\
@@ -1850,9 +1864,16 @@ patch_pillar() {
local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls
if [[ $MANAGERUPDATES == 1 ]]; then
local source="manager"
else
local source="direct"
fi
printf '%s\n'\ printf '%s\n'\
"patch:"\ "patch:"\
" os:"\ " os:"\
" source: '$source'"\
" schedule_name: '$PATCHSCHEDULENAME'"\ " schedule_name: '$PATCHSCHEDULENAME'"\
" enabled: True"\ " enabled: True"\
" splay: 300"\ " splay: 300"\
@@ -2669,8 +2690,10 @@ set_redirect() {
set_updates() { set_updates() {
if [ "$MANAGERUPDATES" = '1' ]; then if [ "$MANAGERUPDATES" = '1' ]; then
if [ "$OS" = 'centos' ]; then if [ "$OS" = 'centos' ]; then
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
if ! grep -q "$MSRV" /etc/yum.conf; then if grep -q "proxy=" /etc/yum.conf; then
sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
else
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
fi fi
fi fi
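Review bot: In `set_updates()` the new `grep -q "proxy=" /etc/yum.conf` also matches a commented-out `#proxy=` line, and the unanchored `sed -i "s/proxy=.*/…/"` then rewrites that comment in place, so the manager proxy is never actually enabled. `$MSRV` is also interpolated straight into the sed program, and `grep -q "$MSRV"` treats it as a regex matched anywhere in the file; no validation of the hostname is visible in this hunk. Anchoring and fixed-string matching narrow both: `grep -q '^proxy=' /etc/yum.conf`, `sed -i "s|^proxy=.*|proxy=http://$MSRV:3142|" /etc/yum.conf`, and `grep -qF -- "$MSRV" /etc/yum.conf` for the presence check. `set_updates()` continues past the end of the hunk.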


@@ -203,16 +203,13 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $option == "CONFIGURENETWORK" ]]; then if [[ $option == "CONFIGURENETWORK" ]]; then
collect_hostname collect_hostname
network_init_whiptail network_init_whiptail
whiptail_management_interface_setup whiptail_network_init_notice
network_init network_init
printf '%s\n' \ printf '%s\n' \
"MNIC=$MNIC" \ "MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file" "HOSTNAME=$HOSTNAME" > "$net_init_file"
set_main_ip >> $setup_log 2>&1 set_main_ip >> $setup_log 2>&1
compare_main_nic_ip compare_main_nic_ip
reset_proxy
collect_proxy
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
whiptail_net_setup_complete whiptail_net_setup_complete
else else
true true
@@ -263,19 +260,19 @@ elif [ "$install_type" = 'ANALYST' ]; then
is_analyst=true is_analyst=true
fi fi
# Check if this is an airgap install
if [[ $is_iso || $is_minion ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager || $is_import ]]; then if [[ $is_manager || $is_import ]]; then
check_elastic_license check_elastic_license
fi fi
if ! [[ -f $install_opt_file ]]; then if ! [[ -f $install_opt_file ]]; then
# Check if this is an airgap install
if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
whiptail_airgap
if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
is_airgap=true
fi
fi
if [[ $is_manager && $is_sensor ]]; then if [[ $is_manager && $is_sensor ]]; then
check_requirements "standalone" check_requirements "standalone"
elif [[ $is_fleet_standalone ]]; then elif [[ $is_fleet_standalone ]]; then
@@ -302,11 +299,8 @@ if ! [[ -f $install_opt_file ]]; then
source "$net_init_file" source "$net_init_file"
fi fi
if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then
whiptail_management_interface_setup
fi
if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then
whiptail_network_init_notice
network_init network_init
fi fi
@@ -315,19 +309,17 @@ if ! [[ -f $install_opt_file ]]; then
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
collect_mngr_hostname collect_mngr_hostname
add_mngr_ip_to_hosts
fi fi
reset_proxy reset_proxy
if [[ -z $is_airgap ]]; then if [[ -z $is_airgap ]]; then
collect_proxy collect_net_method
[[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
fi fi
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
add_mngr_ip_to_hosts whiptail_ssh_key_copy_notice
fi
if [[ $is_minion ]]; then
copy_ssh_key >> $setup_log 2>&1 copy_ssh_key >> $setup_log 2>&1
fi fi
@@ -339,6 +331,7 @@ if ! [[ -f $install_opt_file ]]; then
"HOSTNAME=$HOSTNAME" \ "HOSTNAME=$HOSTNAME" \
"MSRV=$MSRV" \ "MSRV=$MSRV" \
"MSRVIP=$MSRVIP" \ "MSRVIP=$MSRVIP" \
"is_airgap=$is_airgap" \
"NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file" "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
[[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
download_repo_tarball download_repo_tarball
@@ -428,7 +421,7 @@ fi
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual} PATCHSCHEDULENAME=${PATCHSCHEDULENAME:-manual}
MANAGERUPDATES=${MANAGERUPDATES:-0} [[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}
fi fi
# Start user prompts # Start user prompts
@@ -499,13 +492,6 @@ if [[ $is_manager || $is_import ]]; then
get_redirect get_redirect
fi fi
if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
whiptail_manager_updates
if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
whiptail_manager_updates_warning
fi
fi
if [[ $is_distmanager ]]; then if [[ $is_distmanager ]]; then
collect_soremote_inputs collect_soremote_inputs
fi fi
@@ -648,6 +634,8 @@ echo "1" > /root/accept_changes
set_progress_str 2 'Updating packages' set_progress_str 2 'Updating packages'
# Import the gpg keys # Import the gpg keys
gpg_rpm_import >> $setup_log 2>&1 gpg_rpm_import >> $setup_log 2>&1
info "Disabling fastestmirror"
[[ $OS == 'centos' ]] && disable_fastestmirror
if [[ ! $is_airgap ]]; then if [[ ! $is_airgap ]]; then
securityonion_repo >> $setup_log 2>&1 securityonion_repo >> $setup_log 2>&1
update_packages >> $setup_log 2>&1 update_packages >> $setup_log 2>&1
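Review bot: The new airgap default `[[ ! $is_minion ]] && MANAGERUPDATES=${MANAGERUPDATES:-0} || MANAGERUPDATES=${MANAGERUPDATES:-1}` uses `a && b || c` as an if/else. It works only because the assignment cannot fail, and the intent (airgap minions default to pulling from the manager, everything else to 0) is easy to misread. An explicit `if [[ $is_minion ]]; then MANAGERUPDATES=${MANAGERUPDATES:-1}; else MANAGERUPDATES=${MANAGERUPDATES:-0}; fi` with a short why-comment reads better. In the last hunk, `info "Disabling fastestmirror"` is logged on every OS although the call is CentOS-only, and unlike the neighbouring commands its output is not redirected to `$setup_log`.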


@@ -616,7 +616,14 @@ whiptail_end_settings() {
fi fi
fi fi
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext local msg
read -r -d '' msg <<-EOM
$end_msg
Press TAB to select yes or no.
EOM
whiptail --title "The following options have been set, would you like to proceed?" --yesno "$msg" 24 75 --scrolltext
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -987,44 +994,65 @@ whiptail_management_nic() {
} }
whiptail_management_interface_setup() { whiptail_net_method() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
local minion_msg local pkg_mngr
local msg if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
local line_count
read -r -d '' options_msg <<- EOM
"Direct" - Internet requests connect directly to the Internet.
EOM
local options=(
" Direct " ""
)
local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment."
if [[ $is_minion ]]; then if [[ $is_minion ]]; then
line_count=11 read -r -d '' options_msg <<- EOM
minion_msg="copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ECDSA certificate and enter the password for soremote" ${options_msg}
else
line_count=9
minion_msg=""
fi
if [[ $is_iso ]]; then "Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager.
if [[ $minion_msg != "" ]]; then
if [[ -f $net_init_file ]]; then
msg=$minion_msg
else
msg="initialize networking and $minion_msg"
fi
else
msg="initialize networking"
fi
else
msg=$minion_msg
fi
read -r -d '' message <<- EOM "Proxy" - ${proxy_desc}
Setup will now $msg.
Select OK to continue. "Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager.
EOM EOM
whiptail --title "Security Onion Setup" --msgbox "$message" $line_count 75 options+=(
" Direct + Manager " ""
" Proxy " ""
" Proxy + Manager " ""
)
local height=25
else
read -r -d '' options_msg <<- EOM
${options_msg}
"Proxy" - ${proxy_desc}
EOM
options+=(
" Proxy " ""
)
local height=17
fi
local msg
read -r -d '' msg <<- EOM
How would you like to connect to the Internet?
$options_msg
EOM
local option_count=$(( ${#options[@]} / 2 ))
network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_')
} }
whiptail_net_setup_complete() { whiptail_net_setup_complete() {
@@ -1035,6 +1063,20 @@ whiptail_net_setup_complete() {
exit 0 exit 0
} }
whiptail_network_init_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now initialize networking.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 9 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_server() { whiptail_management_server() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -1161,29 +1203,6 @@ whiptail_manager_error() {
whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1
} }
whiptail_manager_updates() {
[ -n "$TESTING" ] && return
local update_string
update_string=$(whiptail --title "Security Onion Setup" --radiolist \
"How would you like to download OS package updates for your grid?" 20 75 4 \
"MANAGER" "Manager node is proxy for updates" ON \
"OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
case "$update_string" in
'MANAGER')
export MANAGERUPDATES='1'
;;
*)
export MANAGERUPDATES='0'
;;
esac
}
whiptail_manager_updates_warning() { whiptail_manager_updates_warning() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -1485,7 +1504,9 @@ whiptail_patch_schedule_select_hours() {
whiptail_proxy_ask() { whiptail_proxy_ask() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi
whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
} }
whiptail_proxy_addr() { whiptail_proxy_addr() {
@@ -1718,6 +1739,20 @@ whiptail_so_allow() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_ssh_key_copy_notice() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Setup will now copy the ssh key for soremote to the manager. This will bring you to the command line temporarily to accept the manager's ED25519 certificate and enter the password for soremote.
Select OK to continue.
EOM
whiptail --title "Security Onion Setup" --msgbox "$message" 11 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whitpail_ssh_warning() { whitpail_ssh_warning() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
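Review bot: The notice in `whiptail_ssh_key_copy_notice()` tells the operator to "accept the manager's ED25519 certificate", but what is presumably shown at that point is ssh's host key fingerprint prompt. Accepting it unchecked is trust-on-first-use, so a node pointed at the wrong host would send the `soremote` password to it. The text would serve operators better if it asked them to compare the fingerprint with the one on the manager, e.g. `…temporarily to verify and accept the manager's ED25519 host key fingerprint and enter the password for soremote.` Separately, `whiptail_net_method()` assigns `options_msg` without declaring it `local`, so it leaks into the global scope, and it passes `$height` and `$option_count` to whiptail unquoted.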