Update to merge in 2.4/dev

Signed-off-by: reyesj2 <94730068+reyesj2@users.noreply.github.com>
reyesj2
2023-11-29 13:41:23 -05:00
196 changed files with 13941 additions and 21237 deletions


@@ -91,9 +91,12 @@ desktop_salt_local() {
securityonion_repo
gpg_rpm_import
# Install salt
logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
logCmd "yum -y install salt-minion-$SALTVERSION httpd-tools python3 python3-dateutil yum-utils device-mapper-persistent-data lvm2 openssl jq"
logCmd "yum -y update --exclude=salt*"
salt_install_module_deps
salt_patch_x509_v2
logCmd "salt-call state.apply desktop --local --file-root=../salt/ -l info"
read -r -d '' message <<- EOM
Finished Security Onion Desktop installation.
@@ -101,8 +104,10 @@ desktop_salt_local() {
Press the Enter key to reboot.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 12 75
reboot
if [[ -z "$TESTING" ]]; then
whiptail --title "$whiptail_title" --msgbox "$message" 12 75
reboot
fi
exit 0
}
@@ -263,15 +268,6 @@ collect_dockernet() {
fi
}
collect_es_space_limit() {
whiptail_log_size_limit "$log_size_limit"
while ! valid_int "$log_size_limit"; do # Upper/lower bounds?
whiptail_invalid_input
whiptail_log_size_limit "$log_size_limit"
done
}
collect_gateway() {
whiptail_management_interface_gateway
@@ -281,28 +277,6 @@ collect_gateway() {
done
}
collect_homenet_mngr() {
whiptail_homenet_manager "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
while ! valid_cidr_list "$HNMANAGER"; do
whiptail_invalid_input
whiptail_homenet_manager "$HNMANAGER"
done
}
collect_homenet_snsr() {
if whiptail_homenet_sensor_inherit; then
export HNSENSOR=inherit
else
whiptail_homenet_sensor "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
while ! valid_cidr_list "$HNSENSOR"; do
whiptail_invalid_input
whiptail_homenet_sensor "$HNSENSOR"
done
fi
}
collect_hostname() {
collect_hostname_validate
@@ -341,26 +315,6 @@ collect_idh_preferences() {
if [[ "$idh_preferences" != "" ]]; then IDH_MGTRESTRICT='True'; fi
}
collect_idh_services() {
whiptail_idh_services
case "$IDH_SERVICES" in
'Linux Webserver (NAS Skin)')
IDH_SERVICES='"HTTP","FTP","SSH"'
;;
'MySQL Server')
IDH_SERVICES='"MYSQL","SSH"'
;;
'MSSQL Server')
IDH_SERVICES='"MSSQL","VNC'
;;
'Custom')
whiptail_idh_services_custom
IDH_SERVICES=$(echo "$IDH_SERVICES" | tr '[:blank:]' ',' )
;;
esac
}
collect_int_ip_mask() {
whiptail_management_interface_ip_mask
@@ -393,20 +347,22 @@ collect_mngr_hostname() {
sed -i "/$MSRV/d" /etc/hosts
fi
if ! getent hosts "$MSRV"; then
whiptail_manager_ip
if [[ -z "$MSRVIP" ]]; then
if ! getent hosts "$MSRV"; then
whiptail_manager_ip
while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
whiptail_invalid_input
while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
whiptail_invalid_input
whiptail_manager_ip "$MSRVIP"
done
else
MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
whiptail_manager_ip "$MSRVIP"
done
else
MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
whiptail_manager_ip "$MSRVIP"
while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
whiptail_invalid_input
whiptail_manager_ip "$MSRVIP"
done
while ! valid_ip4 "$MSRVIP" || [[ $MSRVIP == "$MAINIP" || $MSRVIP == "127.0.0.1" ]]; do
whiptail_invalid_input
whiptail_manager_ip "$MSRVIP"
done
fi
fi
}
@@ -418,71 +374,6 @@ collect_net_method() {
fi
}
collect_ntp_servers() {
if whiptail_ntp_ask; then
[[ $is_airgap ]] && ntp_string=""
whiptail_ntp_servers "$ntp_string"
while ! valid_ntp_list "$ntp_string"; do
whiptail_invalid_input
whiptail_ntp_servers "$ntp_string"
done
IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array
else
ntp_servers=()
fi
}
collect_oinkcode() {
whiptail_oinkcode
while ! valid_string "$OINKCODE" "" "128"; do
whiptail_invalid_input
whiptail_oinkcode "$OINKCODE"
done
}
collect_patch_schedule() {
whiptail_patch_schedule
case "$patch_schedule" in
'New Schedule')
whiptail_patch_schedule_select_days
whiptail_patch_schedule_select_hours
collect_patch_schedule_name_new
patch_schedule_os_new
;;
'Import Schedule')
collect_patch_schedule_name_import
;;
'Automatic')
PATCHSCHEDULENAME='auto'
;;
'Manual')
PATCHSCHEDULENAME='manual'
;;
esac
}
collect_patch_schedule_name_new() {
whiptail_patch_name_new_schedule
while ! valid_string "$PATCHSCHEDULENAME"; do
whiptail_invalid_string "schedule name"
whiptail_patch_name_new_schedule "$PATCHSCHEDULENAME"
done
}
collect_patch_schedule_name_import() {
whiptail_patch_schedule_import
while ! valid_string "$PATCHSCHEDULENAME"; do
whiptail_invalid_string "schedule name"
whiptail_patch_schedule_import "$PATCHSCHEDULENAME"
done
}
collect_proxy() {
[[ -n $TESTING ]] && return
local ask=${1:-true}
@@ -642,8 +533,8 @@ configure_minion() {
"log_level_logfile: info"\
"log_file: /opt/so/log/salt/minion" >> "$minion_config"
cp -f ../salt/salt/etc/minion.d/mine_functions.conf.jinja /etc/salt/minion.d/mine_functions.conf
sed -i "s/{{ GLOBALS.main_interface }}/$MNIC/" /etc/salt/minion.d/mine_functions.conf
info "Running: salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar='{"host": {"mainint": "$MNIC"}}'"
salt-call state.apply salt.mine_functions --local --file-root=../salt/ -l info pillar="{'host': {'mainint': $MNIC}}"
{
logCmd "systemctl enable salt-minion";
@@ -651,47 +542,6 @@ configure_minion() {
} >> "$setup_log" 2>&1
}
configure_ntp() {
local chrony_conf=/etc/chrony.conf
# Install chrony if it isn't already installed
if ! command -v chronyc &> /dev/null; then
logCmd "dnf -y install chrony"
fi
[[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak"
printf '%s\n' "# NTP server list" > $chrony_conf
# Build list of servers
for addr in "${ntp_servers[@]}"; do
echo "server $addr iburst" >> $chrony_conf
done
printf '\n%s\n' "# Config options" >> $chrony_conf
printf '%s\n' \
'driftfile /var/lib/chrony/drift' \
'makestep 1.0 3' \
'rtcsync' \
'logdir /var/log/chrony' >> $chrony_conf
if [[ $is_rpm ]]; then
systemctl enable chronyd
systemctl restart chronyd
else
systemctl enable chrony
systemctl restart chrony
fi
# Tell the chrony daemon to sync time & update the system time
# Since these commands only make a call to chronyd, wait after each command to make sure the changes are made
printf "Syncing chrony time to server: "
chronyc -a 'burst 4/4' && sleep 30
printf "Forcing chrony to update the time: "
chronyc -a makestep && sleep 30
}
checkin_at_boot() {
local minion_config=/etc/salt/minion
@@ -700,8 +550,6 @@ checkin_at_boot() {
}
check_requirements() {
local standalone_or_dist=$1
local node_type=$2 # optional
local req_mem
local req_cores
local req_storage
@@ -709,27 +557,57 @@ check_requirements() {
readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g' | sed -r 's/(.*)(\.[0-9]+)@\1/\1\2/g')"
local num_nics=${#nic_list[@]}
if [[ "$standalone_or_dist" == 'standalone' ]]; then
if [[ $is_eval ]]; then
req_mem=12
req_cores=4
req_nics=2
elif [[ "$standalone_or_dist" == 'dist' ]]; then
req_mem=8
elif [[ $is_standalone ]]; then
req_mem=16
req_cores=4
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
if [[ "$node_type" == 'idh' ]]; then req_mem=1 req_cores=2; fi
elif [[ "$standalone_or_dist" == 'import' ]]; then
req_nics=2
elif [[ $is_manager ]]; then
req_mem=16
req_cores=4
req_nics=1
elif [[ $is_managersearch ]]; then
req_mem=16
req_cores=8
req_nics=1
elif [[ $is_sensor ]]; then
req_mem=12
req_cores=4
req_nics=2
elif [[ $is_fleet ]]; then
req_mem=4
req_cores=4
req_nics=1
elif [[ $is_searchnode ]]; then
req_mem=16
req_cores=4
req_nics=1
elif [[ $is_heavynode ]]; then
req_mem=16
req_cores=4
req_nics=2
elif [[ $is_idh ]]; then
req_mem=1
req_cores=2
req_nics=1
elif [[ $is_import ]]; then
req_mem=4
req_cores=2
req_nics=1
elif [[ $is_receiver ]]; then
req_mem=8
req_cores=2
req_nics=1
fi
if [[ $setup_type == 'network' ]] ; then
if [[ -n $nsm_mount ]]; then
if [[ "$standalone_or_dist" == 'import' ]]; then
if [[ -n $nsm_mount ]]; then # does a /nsm mount exist
if [[ $is_import ]]; then
req_storage=50
elif [[ "$node_type" == 'idh' ]]; then
elif [[ $is_idh ]]; then
req_storage=12
else
req_storage=100
@@ -741,10 +619,10 @@ check_requirements() {
whiptail_storage_requirements "/nsm" "${free_space_nsm} GB" "${req_storage} GB"
fi
else
if [[ "$standalone_or_dist" == 'import' ]]; then
if [[ $is_import ]]; then
req_storage=50
elif [[ "$node_type" == 'idh' ]]; then
req_storage=12
elif [[ $is_idh ]]; then
req_storage=12
else
req_storage=200
fi
@@ -773,6 +651,17 @@ check_requirements() {
if [[ $total_mem_hr -lt $req_mem ]]; then
whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB"
if [[ $is_standalone || $is_heavynode ]]; then
echo "This install type will fail with less than $req_mem GB of memory. Exiting setup."
exit 0
fi
fi
if [[ $is_standalone || $is_heavynode ]]; then
if [[ $total_mem_hr -gt 15 && $total_mem_hr -lt 24 ]]; then
low_mem=true
else
low_mem=false
fi
fi
}
@@ -1020,16 +909,6 @@ download_elastic_agent_artifacts() {
fi
}
installer_progress_loop() {
local i=0
local msg="${1:-Performing background actions...}"
while true; do
[[ $i -lt 98 ]] && ((i++))
set_progress_str "$i" "$msg" nolog
[[ $i -gt 0 ]] && sleep 5s
done
}
installer_prereq_packages() {
if [[ $is_deb ]]; then
# Print message to stdout so the user knows setup is doing something
@@ -1088,9 +967,7 @@ docker_seed_registry() {
if ! [ -f /nsm/docker-registry/docker/registry.tar ]; then
if [ "$install_type" == 'IMPORT' ]; then
container_list 'so-import'
elif [ "$install_type" == 'HELIXSENSOR' ]; then
container_list 'so-helix'
container_list 'so-import'
else
container_list
fi
@@ -1223,7 +1100,7 @@ generate_ssl() {
# if the install type is a manager then we need to wait for the minion to be ready before trying
# to run the ssl state since we need the minion to sign the certs
if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then
wait_for_salt_minion
(wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log"
fi
info "Applying SSL state"
logCmd "salt-call state.apply ssl -l info"
@@ -1270,7 +1147,7 @@ get_redirect() {
get_minion_type() {
local minion_type
case "$install_type" in
'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER' | 'KAFKANODE')
'EVAL' | 'MANAGERSEARCH' | 'MANAGER' | 'SENSOR' | 'HEAVYNODE' | 'SEARCHNODE' | 'FLEET' | 'IDH' | 'STANDALONE' | 'IMPORT' | 'RECEIVER' | 'DESKTOP' | 'KAFKANODE')
minion_type=$(echo "$install_type" | tr '[:upper:]' '[:lower:]')
;;
esac
@@ -1350,7 +1227,7 @@ ls_heapsize() {
fi
case "$install_type" in
'MANAGERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR' | 'STANDALONE')
'MANAGERSEARCH' | 'HEAVYNODE' | 'STANDALONE')
LS_HEAP_SIZE='1000m'
;;
'EVAL')
@@ -1614,21 +1491,6 @@ network_setup() {
logCmd "sed -i '/\$MNIC/${INTERFACE}/g' /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable"
}
ntp_pillar_entries() {
local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls
if [[ ${#ntp_servers[@]} -gt 0 ]]; then
printf '%s\n'\
"ntp:"\
" servers:" > "$pillar_file"
for addr in "${ntp_servers[@]}"; do
printf '%s\n' " - '$addr'" >> "$pillar_file"
done
fi
}
parse_install_username() {
# parse out the install username so things copy correctly
INSTALLUSERNAME=${SUDO_USER:-${USER}}
@@ -1667,9 +1529,7 @@ process_installtype() {
elif [ "$install_type" = 'KAFKANODE' ]; then
is_kafka=true
elif [ "$install_type" = 'DESKTOP' ]; then
if [ "$setup_type" != 'desktop' ]; then
exec bash so-setup desktop
fi
is_desktop=true
fi
}
@@ -1851,7 +1711,11 @@ drop_install_options() {
echo "INTERFACE=$INTERFACE" >> /opt/so/install.txt
NODETYPE=${install_type^^}
echo "NODETYPE=$NODETYPE" >> /opt/so/install.txt
echo "CORECOUNT=$lb_procs" >> /opt/so/install.txt
if [[ $low_mem == "true" ]]; then
echo "CORECOUNT=1" >> /opt/so/install.txt
else
echo "CORECOUNT=$lb_procs" >> /opt/so/install.txt
fi
echo "LSHOSTNAME=$HOSTNAME" >> /opt/so/install.txt
echo "LSHEAP=$LS_HEAP_SIZE" >> /opt/so/install.txt
echo "CPUCORES=$num_cpu_cores" >> /opt/so/install.txt
@@ -1888,7 +1752,7 @@ securityonion_repo() {
if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
fi
if [[ $is_desktop_iso ]]; then
if ! $is_desktop_grid; then
gpg_rpm_import
if [[ ! $is_airgap ]]; then
echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /etc/yum/mirror.txt
@@ -1933,22 +1797,21 @@ securityonion_repo() {
fi
if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
if [[ $waitforstate ]]; then
if [[ ! $is_airgap ]]; then
if [[ $is_rpm ]]; then
if [[ $is_rpm ]]; then
# Build the repo locally so we can use it
echo "Syncing Repos"
repo_sync_local
fi
fi
fi
}
repo_sync_local() {
SALTVERSION=$(egrep 'version: [0-9]{4}' ../salt/salt/master.defaults.yaml | sed 's/^.*version: //')
info "Repo Sync"
if [[ $is_supported ]]; then
# Sync the repo from the the SO repo locally.
# Check for reposync
info "Backing up old repos"
info "Adding Repo Download Configuration"
mkdir -p /nsm/repo
mkdir -p /opt/so/conf/reposync/cache
echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /opt/so/conf/reposync/mirror.txt
@@ -1972,10 +1835,10 @@ repo_sync_local() {
if [[ ! $is_airgap ]]; then
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
logCmd "dnf reposync --norepopath -g --delete -m -c /opt/so/conf/reposync/repodownload.conf --repoid=securityonionsync --download-metadata -p /nsm/repo/"
# After the download is complete run createrepo
create_repo
fi
# After the download is complete run createrepo
create_repo
else
# Add the proper repos for unsupported stuff
echo "Adding Repos"
@@ -1993,7 +1856,7 @@ repo_sync_local() {
curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo
rpm --import https://repo.saltproject.io/salt/py3/redhat/9/x86_64/SALT-PROJECT-GPG-PUBKEY-2023.pub
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
curl -fsSL https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/3006.1.repo | tee /etc/yum.repos.d/salt.repo
curl -fsSL "https://repo.saltproject.io/salt/py3/redhat/9/x86_64/minor/$SALTVERSION.repo" | tee /etc/yum.repos.d/salt.repo
dnf repolist
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
else
@@ -2060,7 +1923,7 @@ saltify() {
if [[ $waitforstate ]]; then
retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION salt-master=$SALTVERSION" || fail_setup
retry 150 20 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" || exit 1
retry 150 20 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
else
retry 150 20 "apt-get -y install salt-common=$SALTVERSION salt-minion=$SALTVERSION" || fail_setup
retry 150 20 "apt-mark hold salt-minion salt-common" || fail_setup
@@ -2078,21 +1941,22 @@ saltify() {
fi
logCmd "mkdir -p /etc/salt/minion.d"
salt_install_module_deps
salt_patch_x509_v2
}
salt_install_module_deps() {
logCmd "salt-pip install docker --no-index --only-binary=:all: --find-links files/salt_module_deps/docker/"
logCmd "salt-pip install pymysql --no-index --only-binary=:all: --find-links files/salt_module_deps/pymysql/"
}
salt_patch_x509_v2() {
# this can be removed when https://github.com/saltstack/salt/issues/64195 is resolved
if [ $SALTVERSION == "3006.1" ]; then
info "Salt version 3006.1 found. Patching /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py"
\cp -v ./files/patch/states/x509_v2.py /opt/saltstack/salt/lib/python3.10/site-packages/salt/states/x509_v2.py
fi
}
# Run a salt command to generate the minion key
salt_firstcheckin() {
salt-call state.show_top >> /dev/null 2>&1 # send output to /dev/null because we don't actually care about the ouput
}
# Create an secrets pillar so that passwords survive re-install
@@ -2465,10 +2329,6 @@ wait_for_file() {
return 1
}
wait_for_salt_minion() {
retry 60 5 "journalctl -u salt-minion.service | grep 'Minion is ready to receive requests'" >> "$setup_log" 2>&1 || fail_setup
}
verify_setup() {
info "Verifying setup"
set -o pipefail
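Review bot: In generate_ssl the new `(wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' || fail_setup) 2>&1 | tee -a "$setup_log"` runs fail_setup inside a subshell and a pipeline, so an `exit` in fail_setup only ends the subshell and the line's status is tee's; setup then proceeds to "Applying SSL state" even though the minion never reported ready (assuming fail_setup is meant to abort, as its use on the apt-get retry lines suggests). Keep the logging but test the first stage's status in the parent shell: `wait_for_salt_minion "$MINION_ID" "5" '/dev/stdout' 2>&1 | tee -a "$setup_log"` followed by `[[ ${PIPESTATUS[0]} -eq 0 ]] || fail_setup`. The three-argument wait_for_salt_minion replacing the removed one is defined outside this diff, so the argument order should be checked against that definition. generate_ssl's body continues past the hunk.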


@@ -91,7 +91,7 @@ fi
# if packages are updated and the box isn't rebooted
if [[ $is_debian ]]; then
update_packages
if [[ -f "/var/run/reboot-required" ]]; then
if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
whiptail_debian_reboot_required
reboot
fi
@@ -104,6 +104,7 @@ if [ "$setup_type" = 'desktop' ]; then
# Check to see if this is an ISO. Usually this dir on exists on ISO installs.
if [ -d /root/SecurityOnion ]; then
is_desktop_iso=true
install_type='DESKTOP'
fi
fi
@@ -182,9 +183,40 @@ if [ -n "$test_profile" ]; then
install_type=SEARCHNODE
HOSTNAME=search
MSRVIP_OFFSET=-1
elif [[ "$test_profile" =~ "-managersearch" ]]; then
install_type=MANAGERSEARCH
HOSTNAME=manager
elif [[ "$test_profile" =~ "-heavynode" ]]; then
install_type=HEAVYNODE
HOSTNAME=sensor
MSRVIP_OFFSET=-1
elif [[ "$test_profile" =~ "-desktop" ]]; then
install_type=DESKTOP
MSRVIP_OFFSET=-3
is_desktop_grid=true
elif [[ "$test_profile" =~ "-idh" ]]; then
install_type=IDH
HOSTNAME=idh
MSRVIP_OFFSET=-4
elif [[ "$test_profile" =~ "-receiver" ]]; then
install_type=RECEIVER
HOSTNAME=receiver
MSRVIP_OFFSET=-5
elif [[ "$test_profile" =~ "-fleet" ]]; then
install_type=FLEET
HOSTNAME=fleet
MSRVIP_OFFSET=-6
else
HOSTNAME=manager
fi
if [[ "$install_type" =~ "DESKTOP" ]]; then
is_desktop=true
HOSTNAME=desktop
if [[ -z "$is_desktop_grid" ]]; then
is_desktop_grid=false
fi
fi
info "Activating test profile; profile=$test_profile; install_type=$install_type"
@@ -333,39 +365,41 @@ if [[ $is_desktop ]]; then
exit 1
fi
# if ! whiptail_desktop_install; then
if [[ $is_desktop_iso ]]; then
if whiptail_desktop_nongrid_iso; then
# Remove setup from auto launching
parse_install_username
sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
securityonion_repo
info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
info "Setting desktop background"
set_desktop_background
echo "Desktop Install Complete!"
echo ""
echo "Please reboot to start graphical interface."
exit 0
whiptail_desktop_install
if ! $is_desktop_grid; then
if [[ $is_desktop_iso ]]; then
if whiptail_desktop_nongrid_iso; then
# Remove setup from auto launching
parse_install_username
sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
securityonion_repo
info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
info "Setting desktop background"
set_desktop_background
echo "Desktop Install Complete!"
echo ""
echo "Please reboot to start graphical interface."
exit 0
else
# Abort!
exit 0
fi
else
# Abort!
exit 0
fi
else
if whiptail_desktop_nongrid_network; then
info ""
info ""
info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection."
info ""
info ""
desktop_salt_local
else
# Abort!
exit 0
if whiptail_desktop_nongrid_network; then
networking_needful
info ""
info ""
info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection."
info ""
info ""
desktop_salt_local
else
# Abort!
exit 0
fi
fi
fi
# fi
# If you got this far then you want to join the grid
is_minion=true
@@ -388,7 +422,7 @@ if ! [[ -f $install_opt_file ]]; then
# If it is an install from ISO is this airgap?
[[ $is_iso ]] && whiptail_airgap
# Make sure minimum requirements are met
check_requirements "manager"
check_requirements
# Do networking things
networking_needful
# Do we need a proxy?
@@ -419,7 +453,7 @@ if ! [[ -f $install_opt_file ]]; then
monints=true
check_elastic_license
[[ $is_iso ]] && whiptail_airgap
check_requirements "manager"
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
@@ -440,7 +474,7 @@ if ! [[ -f $install_opt_file ]]; then
check_elastic_license
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_requirements "manager"
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
@@ -460,7 +494,7 @@ if ! [[ -f $install_opt_file ]]; then
check_elastic_license
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_requirements "manager"
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
@@ -478,7 +512,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_sensor ]]; then
info "Setting up as node type sensor"
monints=true
check_requirements "sensor"
check_requirements
calculate_useable_cores
networking_needful
check_network_manager_conf
@@ -493,7 +527,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_fleet ]]; then
info "Setting up as node type fleet"
check_requirements "fleet"
check_requirements
networking_needful
check_network_manager_conf
set_network_dev_status_list
@@ -506,7 +540,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_searchnode ]]; then
info "Setting up as node type searchnode"
check_requirements "elasticsearch"
check_requirements
networking_needful
check_network_manager_conf
set_network_dev_status_list
@@ -520,7 +554,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_heavynode ]]; then
info "Setting up as node type heavynode"
monints=true
check_requirements "heavynode"
check_requirements
calculate_useable_cores
networking_needful
check_network_manager_conf
@@ -535,7 +569,7 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_idh ]]; then
info "Setting up as node type idh"
check_requirements "idh"
check_requirements
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
@@ -549,7 +583,7 @@ if ! [[ -f $install_opt_file ]]; then
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_elastic_license
check_requirements "import"
check_requirements
networking_needful
[[ ! $is_airgap ]] && detect_cloud
collect_dockernet
@@ -567,7 +601,27 @@ if ! [[ -f $install_opt_file ]]; then
elif [[ $is_receiver ]]; then
info "Setting up as node type receiver"
check_requirements "receiver"
check_requirements
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
set_minion_info
whiptail_end_settings
# desktop install will only get this far if joining the grid
elif [[ $is_desktop ]]; then
info "Setting up as node type desktop"
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
set_minion_info
whiptail_end_settings
elif [[ $is_kafka ]]; then
info "Setting up as node type Kafka broker"
#check_requirements "kafka"
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
@@ -641,7 +695,11 @@ if ! [[ -f $install_opt_file ]]; then
export MAINIP=$MAINIP
export PATCHSCHEDULENAME=$PATCHSCHEDULENAME
export INTERFACE=$INTERFACE
export CORECOUNT=$lb_procs
if [[ $low_mem == "true" ]]; then
export CORECOUNT=1
else
export CORECOUNT=$lb_procs
fi
export LSHOSTNAME=$HOSTNAME
export LSHEAP=$LS_HEAP_SIZE
export CPUCORES=$num_cpu_cores
@@ -679,6 +737,17 @@ if ! [[ -f $install_opt_file ]]; then
logCmd "salt-call state.apply common.packages"
logCmd "salt-call state.apply common"
# this will apply the salt.minion state first since salt.master includes salt.minion
logCmd "salt-call state.apply salt.master"
# wait here until we get a response from the salt-master since it may have just restarted
# exit setup after 5-6 minutes of trying
check_salt_master_status || fail "Can't access salt master or it is not ready"
# apply the ca state to create the ca and put it in the mine early in the install
# the minion ip will already be in the mine from configure_minion function in so-functions
generate_ca
# this will also call the ssl state since docker requires the intca
# the salt-minion service will need to be up on the manager to sign requests
generate_ssl
logCmd "salt-call state.apply docker"
firewall_generate_templates
set_initial_firewall_policy
@@ -686,8 +755,6 @@ if ! [[ -f $install_opt_file ]]; then
title "Downloading Elastic Agent Artifacts"
download_elastic_agent_artifacts
generate_ca
generate_ssl
logCmd "salt-call state.apply -l info firewall"
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
@@ -724,8 +791,11 @@ if ! [[ -f $install_opt_file ]]; then
info "Restarting SOC to pick up initial user"
logCmd "so-soc-restart"
title "Setting up Elastic Fleet"
logCmd "salt-call state.apply elasticfleet.config"
logCmd "so-elastic-fleet-setup"
logCmd "salt-call state.apply elasticfleet.config"
if ! logCmd so-elastic-fleet-setup; then
error "Failed to run so-elastic-fleet-setup"
fail_setup
fi
if [[ ! $is_import ]]; then
title "Setting up Playbook"
logCmd "so-playbook-reset"
@@ -733,8 +803,6 @@ if ! [[ -f $install_opt_file ]]; then
checkin_at_boot
set_initial_firewall_access
logCmd "salt-call schedule.enable -linfo --local"
systemctl restart salt-master
systemctl restart salt-minion
verify_setup
else
touch /root/accept_changes
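Review bot: The new `check_salt_master_status || fail "Can't access salt master or it is not ready"` aborts through a helper named `fail`, while the other abort path added in this file (the so-elastic-fleet-setup check a few hunks below) goes through `fail_setup`; if `fail` is not a helper with the same abort semantics, a command-not-found would be logged and setup would continue into generate_ca and generate_ssl against a master that never answered. Unless `fail` is intentionally different, change it to `error "Can't access salt master or it is not ready"` followed by `fail_setup`, matching the fleet-setup check, or add a one-line comment explaining why a different helper is used here. The enclosing `if ! [[ -f $install_opt_file ]]` block starts and ends outside the hunk.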


@@ -5,7 +5,7 @@ mkdir -p /nsm
total_mem=$(grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//')
export total_mem
total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1024/1024); }')
total_mem_hr=$(grep MemTotal /proc/meminfo | awk '{ printf("%.0f", $2/1000/1000); }')
export total_mem_hr
num_cpu_cores=$(nproc)
@@ -32,10 +32,10 @@ export filesystem_root
filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
export filesystem_nsm
free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
free_space_nsm=$(df -Pk /nsm | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }')
export free_space_nsm
free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }')
free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1042803 }' | awk '{ printf("%.0f", $1) }')
export free_space_root
readarray -t mountpoints <<< "$(lsblk -nlo MOUNTPOINT)"
@@ -218,4 +218,4 @@ patch_pillar_file="$local_salt_dir/pillar/patch/soc_patch.sls"
export patch_pillar_file
adv_patch_pillar_file="$local_salt_dir/pillar/patch/adv_patch.sls"
export adv_patch_pillar_file
export adv_patch_pillar_file
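Review bot: The new divisor `1042803` in free_space_nsm and free_space_root is an unexplained magic number, neither 1048576 (KiB to GiB) nor the 1000000 decimal factor total_mem_hr now uses, and because these values are compared directly against req_storage and req_mem in check_requirements (including the hard exit for standalone/heavynode when memory is short), an undocumented factor silently shifts those thresholds; dividing by 1042803 over-reports free space by about 0.55% relative to 1048576. A comment stating the intent would help, e.g. `# KiB -> GB; 1042803 instead of 1048576 deliberately over-reports by ~0.5% so borderline disks pass the requirements check — TODO confirm` if that is the reason, or otherwise use one consistent factor for memory and disk. Whether the req_mem/req_storage values were re-derived for decimal GB is not visible in this diff.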


@@ -25,7 +25,8 @@ log_has_errors() {
# Ignore salt mast cached public key and minion failed to auth because this is a test
# to see if the salt key had already been accepted.
# Ignore failed to connect to ::1 since we have most curls wrapped in a retry.
# Ignore failed to connect to since we have most curls wrapped in a retry and there are
# multiple mirrors available.
# Ignore perl-Error- since that is the name of a Perl package SO installs.
@@ -35,11 +36,15 @@ log_has_errors() {
# This is ignored for Ubuntu
# Failed to restart snapd.mounts-pre.target: Operation refused, unit snapd.mounts-pre.target
# may be requested by dependency only (it is configured to refuse manual start/stop).
# Command failed with exit code is output during retry loops.
# "remove failed" is caused by a warning generated by upgrade of libwbclient
grep -E "FAILED|Failed|failed|ERROR|Result: False|Error is not recoverable" "$setup_log" | \
grep -vE "The Salt Master has cached the public key for this node" | \
grep -vE "Minion failed to authenticate with the master" | \
grep -vE "Failed to connect to ::1" | \
grep -vE "Failed to connect to " | \
grep -vE "Failed to set locale" | \
grep -vE "perl-Error-" | \
grep -vE "Failed:\s*?[0-9]+" | \
@@ -50,13 +55,20 @@ log_has_errors() {
grep -vE "code: 100" | \
grep -vE "/nsm/rules/sigma*" | \
grep -vE "/nsm/rules/yara*" | \
grep -vE "remove failed" | \
grep -vE "Failed to restart snapd" | \
grep -vE "Login Failed Details" | \
grep -vE "response from daemon: unauthorized" | \
grep -vE "Reading first line of patchfile" | \
grep -vE "Command failed with exit code" | \
grep -vE "Running scope as unit" &> "$error_log"
if [[ $? -eq 0 ]]; then
# This function succeeds (returns 0) if errors are detected
return 0
fi
# No errors found, return 1 (function failed to find errors)
return 1
}
@@ -115,7 +127,10 @@ main() {
echo "WARNING: Failed setup a while ago"
exit_code=1
elif log_has_errors; then
echo "WARNING: Errors detected during setup"
echo "WARNING: Errors detected during setup."
echo "--------- ERRORS ---------"
cat $error_log
echo "--------------------------"
exit_code=1
touch /root/failure
elif using_iso && cron_error_in_mail_spool; then
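Review bot: Widening the exclusion from `Failed to connect to ::1` to `Failed to connect to ` (together with the new `Command failed with exit code` filter) makes log_has_errors blind to every connection failure in the setup log, including the terminal failure of a retry loop and the `curl -fsSL … | tee` repo and key fetches elsewhere in this commit that are not wrapped in retry, so a setup that never reached its mirror could still verify clean; the new comment justifies this only with retries and multiple mirrors. Narrow the pattern to what is genuinely retried, e.g. `grep -vE "Failed to connect to (::1|127\.0\.0\.1)"` plus the specific mirror hostnames, or keep the broad filter but have the retry helper emit a distinct terminal-failure string that is not excluded. Also quote the path in the new `cat "$error_log"` line in main, as the rest of the file does with `"$setup_log"`.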


@@ -58,6 +58,12 @@ whiptail_desktop_install() {
whiptail --title "$whiptail_title" \
--yesno "$message" 11 75 --defaultno
if [ $? -eq 0 ]; then
is_desktop_grid=true
else
is_desktop_grid=false
fi
}
whiptail_desktop_nongrid_iso() {
@@ -226,7 +232,7 @@ whiptail_requirements_error() {
[ -n "$TESTING" ] && return
if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then
if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') =~ 'nic' ]]; then
whiptail --title "$whiptail_title" \
--msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75
@@ -557,7 +563,7 @@ whiptail_install_type() {
"EVAL" "Evaluation mode (not for production) " \
"STANDALONE" "Standalone production install " \
"DISTRIBUTED" "Distributed install submenu " \
"OTHER" "Other install types" \
"DESKTOP" "Install Security Onion Desktop" \
3>&1 1>&2 2>&3
)
elif [[ "$OSVER" == "focal" ]]; then
@@ -578,8 +584,6 @@ whiptail_install_type() {
else
whiptail_install_type_dist_existing
fi
elif [[ $install_type == "OTHER" ]]; then
whiptail_install_type_other
fi
export install_type
@@ -681,30 +685,13 @@ whiptail_install_type_dist_existing() {
elif [ "$install_type" = 'KAFKANODE' ]; then
is_kafka=true
elif [ "$install_type" = 'DESKTOP' ]; then
if [ "$setup_type" != 'desktop' ]; then
exec bash so-setup desktop
fi
is_desktop=true
fi
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_install_type_other() {
[ -n "$TESTING" ] && return
install_type=$(whiptail --title "$whiptail_title" --menu \
"Choose node type:" 10 65 2 \
"DESKTOP" "Setup will run 'so-setup desktop' " 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
export install_type
}
whiptail_invalid_input() { # TODO: This should accept a list of arguments to specify what general pattern the input should follow
[ -n "$TESTING" ] && return
@@ -1200,21 +1187,6 @@ whiptail_reinstall() {
whiptail_check_exitstatus $exitstatus
}
whiptail_requirements_error() {
local requirement_needed=$1
local current_val=$2
local needed_val=$3
[ -n "$TESTING" ] && return
whiptail --title "$whiptail_title" \
--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_sensor_config() {
[ -n "$TESTING" ] && return