From 34c211666913b9aaafc1b4ab394e5ddcdd1d97d6 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Wed, 27 Jan 2021 16:02:32 -0500
Subject: [PATCH 1/9] Adjust test network allocation

---
 setup/automation/distributed-net-centos-search | 2 +-
 setup/automation/distributed-net-centos-sensor | 2 +-
 setup/automation/distributed-net-ubuntu-search | 2 +-
 setup/automation/distributed-net-ubuntu-sensor | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/setup/automation/distributed-net-centos-search b/setup/automation/distributed-net-centos-search
index d95d7ff44..7a0888fee 100644
--- a/setup/automation/distributed-net-centos-search
+++ b/setup/automation/distributed-net-centos-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-centos-sensor b/setup/automation/distributed-net-centos-sensor
index f932c80b4..91b9c24a9 100644
--- a/setup/automation/distributed-net-centos-sensor
+++ b/setup/automation/distributed-net-centos-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=eth0
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.52
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-ubuntu-search b/setup/automation/distributed-net-ubuntu-search
index 454c23b16..62621208a 100644
--- a/setup/automation/distributed-net-ubuntu-search
+++ b/setup/automation/distributed-net-ubuntu-search
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=
diff --git a/setup/automation/distributed-net-ubuntu-sensor b/setup/automation/distributed-net-ubuntu-sensor
index 269545a0b..475481071 100644
--- a/setup/automation/distributed-net-ubuntu-sensor
+++ b/setup/automation/distributed-net-ubuntu-sensor
@@ -49,7 +49,7 @@ MANAGERUPDATES=1
 MNIC=ens18
 # MSEARCH=
 MSRV=distributed-manager
-MSRVIP=10.66.166.42
+MSRVIP=10.66.166.62
 # MTU=
 # NIDS=Suricata
 # NODE_ES_HEAP_SIZE=

From bfa6aabc4b56bcf2e48c2038ec1d579e2b7d06b5 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Thu, 28 Jan 2021 10:38:03 -0500
Subject: [PATCH 2/9] Correct automation for airgap import to avoid infinite loop during setup

---
 setup/automation/import-airgap | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap
index 8844d19d1..6873cf120 100644
--- a/setup/automation/import-airgap
+++ b/setup/automation/import-air gap
@@ -49,7 +49,7 @@ MANAGERUPDATES=1 MNIC=eth0 # MSEARCH= MSRV=distributed-manager -MSRVIP=10.66.166.52 +MSRVIP=10.66.166.72 # MTU= # NIDS=Suricata # NODE_ES_HEAP_SIZE= From 194f480017bb403fb9847eaa91a3d2bce920710e Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 28 Jan 2021 13:03:47 -0500 Subject: [PATCH 4/9] Airgap fix for import nodes missing rules --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 8a2cb714c..ed0afe354 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -567,7 +567,7 @@ set_redirect >> $setup_log 2>&1 set_updates >> $setup_log 2>&1 fi - if [[ $is_manager && $is_airgap ]]; then + if [[ ( $is_manager || $is_import ) && $is_airgap ]]; then info "Creating airgap repo" create_repo >> $setup_log 2>&1 airgap_rules >> $setup_log 2>&1 From c055427e40ff412201d409c63a926aa77e033caf Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 29 Jan 2021 11:18:06 -0500 Subject: [PATCH 5/9] Add support for image key/sig retries --- salt/common/tools/sbin/so-common | 10 +++++----- salt/common/tools/sbin/so-image-common | 11 +++++++++-- setup/so-setup | 4 ++-- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index eb3b89e7e..b1db4c04c 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -228,23 +228,23 @@ retry() { attempt=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) - info "Executing command with retry support: $cmd" + echo "Executing command with retry support: $cmd" output=$($cmd) - info "Results: $output" exitcode=$? + echo "Results: $output ($exitcode)" if [ -n "$expectedOutput" ]; then if [[ "$output" =~ "$expectedOutput" ]]; then return $exitCode else - info "Expected '$expectedOutput' but got '$output'" + echo "Expected '$expectedOutput' but got '$output'" fi elif [[ $exitcode -eq 0 ]]; then return $exitCode fi - info "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." + echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." sleep $sleepDelay done - error "Command continues to fail; giving up." + echo "Command continues to fail; giving up." return 1 } diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index c883fb3f1..76e5b9bdb 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -127,7 +127,14 @@ update_docker_containers() { fi # Let's make sure we have the public key - curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS | gpg --import - >> "$LOG_FILE" 2>&1 + retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o /tmp/sig.key" >> "$LOG_FILE" 2>&1 + result=$? + if [[ $result -eq 0 ]]; then + cat /tmp/sig.key | gpg --import - >> "$LOG_FILE" 2>&1 + else + echo "Failed to pull signature key file: $result" + exit 1 + fi rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 
@@ -146,7 +153,7 @@ update_docker_containers() { docker pull $CONTAINER_REGISTRY/$IMAGEREPO/$image >> "$LOG_FILE" 2>&1 # Get signature - curl -A "$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)" https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig >> "$LOG_FILE" 2>&1 + retry 50 10 "curl -A '$CURLTYPE/$CURRENTVERSION/$OS/$(uname -r)' https://sigs.securityonion.net/$VERSION/$i:$VERSION$IMAGE_TAG_SUFFIX.sig --output $SIGNPATH/$image.sig" >> "$LOG_FILE" 2>&1 if [[ $? -ne 0 ]]; then echo "Unable to pull signature file for $image" >> "$LOG_FILE" 2>&1 exit 1 diff --git a/setup/so-setup b/setup/so-setup index ed0afe354..ea67ef5f4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -652,12 +652,12 @@ set_redirect >> $setup_log 2>&1 if [[ $is_minion ]]; then set_progress_str 20 'Accepting Salt key on manager' - retry 20 10 accept_salt_key_remote "going to be accepted" + retry 20 10 accept_salt_key_remote "going to be accepted" >> $setup_log 2>&1 fi if [[ $is_manager || $is_import || $is_helix ]]; then set_progress_str 20 'Accepting Salt key' - retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" + retry 20 10 "salt-key -ya $MINION_ID" "going to be accepted" >> $setup_log 2>&1 fi set_progress_str 21 'Copying minion pillars to manager' From 73909c4dea4bc245eb71869ada42a4c69dba19bb Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 29 Jan 2021 13:00:56 -0500 Subject: [PATCH 6/9] Place sig keys in same dir as other sig files --- salt/common/tools/sbin/so-image-common | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 76e5b9bdb..cfcaceb48 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common 
@@ -127,10 +127,10 @@ update_docker_containers() { fi # Let's make sure we have the public key - retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o /tmp/sig.key" >> "$LOG_FILE" 2>&1 + retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1 result=$? if [[ $result -eq 0 ]]; then - cat /tmp/sig.key | gpg --import - >> "$LOG_FILE" 2>&1 + cat $SIGNPATH/KEYS | gpg --import - >> "$LOG_FILE" 2>&1 else echo "Failed to pull signature key file: $result" exit 1 From 2926527ad0d2d11c3c7c1c8e88eb5da7f723b556 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Fri, 29 Jan 2021 13:21:58 -0500 Subject: [PATCH 7/9] Place sig keys in same dir as other sig files --- salt/common/tools/sbin/so-image-common | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index cfcaceb48..9702da3f1 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -126,6 +126,9 @@ update_docker_containers() { container_list fi + rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 + mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 + # Let's make sure we have the public key retry 50 10 "curl -sSL https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS -o $SIGNPATH/KEYS" >> "$LOG_FILE" 2>&1 result=$? @@ -136,9 +139,6 @@ update_docker_containers() { exit 1 fi - rm -rf $SIGNPATH >> "$LOG_FILE" 2>&1 - mkdir -p $SIGNPATH >> "$LOG_FILE" 2>&1 - # Download the containers from the interwebs for i in "${TRUSTED_CONTAINERS[@]}" do From 18f2c7b48229284200041709388bcbc4f663b84e Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 29 Jan 2021 16:03:18 -0500 Subject: [PATCH 8/9] Raid Setup for Appliances --- salt/common/init.sls | 15 ++++- salt/common/tools/sbin/so-raid-status | 81 +++++++++++++++++++++++++++ salt/common/tools/sbin/so-user | 20 +++++-- salt/zk/etc/zoo.cfg | 35 ++++++++++++ salt/zk/init.sls | 0 setup/so-functions | 2 + 6 files changed, 146 insertions(+), 7 deletions(-) create mode 100644 salt/common/tools/sbin/so-raid-status create mode 100644 salt/zk/etc/zoo.cfg create mode 100644 salt/zk/init.sls diff --git a/salt/common/init.sls b/salt/common/init.sls index 8b17cc7f5..b0289ed32 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -267,10 +267,23 @@ dockerreserveports: - source: salt://common/files/99-reserved-ports.conf - name: /etc/sysctl.d/99-reserved-ports.conf +{% if salt['grains.get']('sosmodel', '') %} +# Install raid check cron +/usr/sbin/so-raid-status > /dev/null 2>&1: + cron.present: + - user: root + - minute: '*/15' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + +{% endif %} + {% else %} {{sls}}_state_not_allowed: test.fail_without_changes: - name: {{sls}}_state_not_allowed -{% endif %} +{% endif %} \ No newline at end of file diff --git a/salt/common/tools/sbin/so-raid-status b/salt/common/tools/sbin/so-raid-status new file mode 100644 index 000000000..d55d158fe --- /dev/null +++ b/salt/common/tools/sbin/so-raid-status 
@@ -0,0 +1,81 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +#check_boss_raid() { +# BOSSBIN=/opt/boss/mvcli +# BOSSRC=$($BOSSBIN info -o vd | grep functional) +# +# if [[ $BOSSRC ]]; then +# # Raid is good +# BOSSRAID=0 +# else +# BOSSRAID=1 +# fi +#} + +check_lsi_raid() { + # For use for LSI on Ubuntu + #MEGA=/opt/MegaRAID/MegeCli/MegaCli64 + #LSIRC=$($MEGA -LDInfo -Lall -aALL | grep Optimal) + # Open Source Centos + MEGA=/opt/mega/megasasctl + LSIRC=$($MEGA | grep optimal) + + if [[ $LSIRC ]]; then + # Raid is good + LSIRAID=0 + else + LSIRAID=1 + fi + +} + +check_software_raid() { + SWRC=$(grep "_" /proc/mdstat) + + if [[ $SWRC ]]; then + # RAID is failed in some way + SWRAID=1 + else + SWRAID=0 + fi +} + +# This script checks raid status if you use SO appliances + +# See if this is an appliance + +{%- if salt['grains.get']('sosmodel', '') %} +mkdir -p /opt/so/log/raid + {%- if grains['sosmodel'] in ['SOSMN', 'SOSSNNV'] %} +#check_boss_raid +check_software_raid +echo "osraid=$BOSSRAID nsmraid=$SWRAID" > /opt/so/log/raid/status.log + {%- elif grains['sosmodel'] in ['SOS1000F', 'SOS1000', 'SOSSN7200', 'SOS10K', 'SOS4000'] %} +#check_boss_raid +check_lsi_raid +echo "osraid=$BOSSRAID nsmraid=$LSIRAID" > /opt/so/log/raid/status.log + {%- else %} +exit 0 + {%- endif %} +{%- else %} 
+exit 0 +{%- endif %} + + diff --git a/salt/common/tools/sbin/so-user b/salt/common/tools/sbin/so-user index 3ab9ae6a2..b918ff173 100755 --- a/salt/common/tools/sbin/so-user +++ b/salt/common/tools/sbin/so-user @@ -1,12 +1,20 @@ #!/bin/bash -# Copyright 2020 Security Onion Solutions. All rights reserved. + +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. # -# This program is distributed under the terms of version 2 of the -# GNU General Public License. See LICENSE for further details. +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. # -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + source $(dirname $0)/so-common diff --git a/salt/zk/etc/zoo.cfg b/salt/zk/etc/zoo.cfg new file mode 100644 index 000000000..8cf00da2f --- /dev/null +++ b/salt/zk/etc/zoo.cfg 
@@ -0,0 +1,35 @@ +# The number of milliseconds of each tick +tickTime=2000 +# The number of ticks that the initial +# synchronization phase can take +initLimit=10 +# The number of ticks that can pass between +# sending a request and getting an acknowledgement +syncLimit=5 +# the directory where the snapshot is stored. +# do not use /tmp for storage, /tmp here is just +# example sakes. +dataDir=/nsm/zk +# the port at which the clients will connect +clientPort=2181 +# the maximum number of client connections. +# increase this if you need to handle more clients +#maxClientCnxns=60 +# +# Be sure to read the maintenance section of the +# administrator guide before turning on autopurge. +# +# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance +# +# The number of snapshots to retain in dataDir +#autopurge.snapRetainCount=3 +# Purge task interval in hours +# Set to "0" to disable auto purge feature +#autopurge.purgeInterval=1 + +## Metrics Providers +# +# https://prometheus.io Metrics Exporter +#metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider +#metricsProvider.httpPort=7000 +#metricsProvider.exportJvmInfo=true diff --git a/salt/zk/init.sls b/salt/zk/init.sls new file mode 100644 index 000000000..e69de29bb diff --git a/setup/so-functions b/setup/so-functions index 379cb6e30..34840a41e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1786,6 +1786,8 @@ reserve_group_ids() { groupadd -g 941 stenographer groupadd -g 945 ossec groupadd -g 946 cyberchef + groupadd -g 947 zookeeper + groupadd -g 948 kafka } reinstall_init() { From 22e6e456671dee471978cafa1a91a0309aaa5495 Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Fri, 29 Jan 2021 16:14:14 -0500 Subject: [PATCH 9/9] Remove other changes --- salt/zk/etc/zoo.cfg | 35 ----------------------------------- salt/zk/init.sls | 0 setup/so-functions | 2 -- 3 files changed, 37 deletions(-) delete mode 100644 salt/zk/etc/zoo.cfg delete mode 100644 salt/zk/init.sls diff --git a/salt/zk/etc/zoo.cfg b/salt/zk/etc/zoo.cfg deleted file mode 100644 index 8cf00da2f..000000000 --- a/salt/zk/etc/zoo.cfg +++ /dev/null @@ -1,35 +0,0 @@ -# The number of milliseconds of each tick -tickTime=2000 -# The number of ticks that the initial -# synchronization phase can take -initLimit=10 -# The number of ticks that can pass between -# sending a request and getting an acknowledgement -syncLimit=5 -# the directory where the snapshot is stored. -# do not use /tmp for storage, /tmp here is just -# example sakes. -dataDir=/nsm/zk -# the port at which the clients will connect -clientPort=2181 -# the maximum number of client connections. -# increase this if you need to handle more clients -#maxClientCnxns=60 -# -# Be sure to read the maintenance section of the -# administrator guide before turning on autopurge. -# -# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance -# -# The number of snapshots to retain in dataDir -#autopurge.snapRetainCount=3 -# Purge task interval in hours -# Set to "0" to disable auto purge feature -#autopurge.purgeInterval=1 - -## Metrics Providers -# -# https://prometheus.io Metrics Exporter -#metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider -#metricsProvider.httpPort=7000 -#metricsProvider.exportJvmInfo=true diff --git a/salt/zk/init.sls b/salt/zk/init.sls deleted file mode 100644 index e69de29bb..000000000 diff --git a/setup/so-functions b/setup/so-functions index 34840a41e..379cb6e30 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1786,8 +1786,6 @@ reserve_group_ids() { groupadd -g 941 stenographer groupadd -g 945 ossec groupadd -g 946 cyberchef - groupadd -g 947 zookeeper - groupadd -g 948 kafka } reinstall_init() {