From 03dfece9af3f8266caba7687d32a2ddf720dde92 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 14:18:25 -0400 Subject: [PATCH 1/6] [feat] Fail setup early if "ERROR" is found in setup log --- setup/so-functions | 5 +++-- setup/so-setup | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 70c96f794..3fb98cd23 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1241,8 +1241,9 @@ salt_checkin() { cat /etc/pki/ca.crt echo " Applyng a mine hack"; salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt; - echo " Confirming salt mine now contain the certificate" - salt \* mine.get \* x509.get_pem_entries + salt '*' mine.update; + echo " Confirming salt mine now contain the certificate"; + salt '*' mine.get '*' x509.get_pem_entries; echo " Applying SSL state"; salt-call state.apply ssl; } >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index 478151def..54b5a03e4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -52,10 +52,14 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if [ $automated == no ]; then + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + whiptail_setup_failed + fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else cat >> $setup_log 2>&1 fi + } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then @@ -389,7 +393,6 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' create_local_directories >> $setup_log 2>&1 From 379a5445e88dbcb61ce53f097d2958018c85e0fe Mon Sep 17 00:00:00 2001 
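Review bot: The added `salt '*' mine.update;` and the `mine.get` line after it only echo salt's output into the log; nothing asserts that the CA certificate is actually present in the mine before `salt-call state.apply ssl` runs, so the "Confirming salt mine now contain the certificate" step confirms nothing programmatically. A minion that does not respond is, as far as I can tell, reported in the CLI output rather than as a non-zero status this group would notice. A cheap guard is to make the confirmation fail loudly into the same log the setup-failure check reads: `salt '*' mine.get '*' x509.get_pem_entries | grep -q -- '-----BEGIN CERTIFICATE-----' || echo '[ ERROR ] CA certificate not present in salt mine';` — this assumes mine.get prints the PEM bodies, which is worth verifying. The salt_checkin function opens before this hunk.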
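Review bot: The failure test `grep -q "ERROR" $setup_log` added to progress() is an unanchored, case-sensitive substring match over everything written to the log so far, so any benign line that happens to contain ERROR (a package name, a state result quoting a string) aborts the install, while a real failure logged after the last progress() call is never seen. `$setup_log` is also unquoted here, as on the `cat` line below it. A word-bounded match on a quoted path narrows the first problem: `if grep -qw "ERROR" "$setup_log" || [[ -s /var/spool/mail/root ]]; then`. The mail-spool test deserves a comment stating the intent, e.g. `# any mail to root during setup (a failed cron job or postinst) is treated as fatal`, since nothing else in the function explains it.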
From: William Wernert Date: Wed, 10 Jun 2020 14:27:18 -0400 Subject: [PATCH 2/6] [feat] Also exit with non-zero status for automated installs --- setup/so-setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 54b5a03e4..86d3b5e5c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -57,6 +57,9 @@ function progress() { fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + exit 1 + fi cat >> $setup_log 2>&1 fi From 7de02752e5d9c44e294714ca74aede5ceb62f870 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:29:54 -0400 Subject: [PATCH 3/6] [fix] Reboot on early failure too, better if statements --- setup/so-setup | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 86d3b5e5c..495e92637 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,18 +51,17 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if [ $automated == no ]; then - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - whiptail_setup_failed - fi - whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi + + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi else - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - exit 1 + if [ $automated == no ]; then + whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + else + cat >> $setup_log 2>&1 fi - cat >> $setup_log 2>&1 fi - } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then 
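Review bot: The `exit 1` added for the automated path most likely ends only a subshell: progress() consumes its stdin (`cat >> $setup_log` and the whiptail gauge both read it), which suggests it is invoked as the reader end of a pipeline, and `exit` in a pipeline stage terminates that stage rather than so-setup itself unless the script runs with `set -e -o pipefail`, which is not visible here. If so, the caller continues past the failed step and the next progress() call merely repeats the check. To stop the whole install from inside the function, signal the parent before exiting, `kill -TERM "$$"`, or have the call sites check `${PIPESTATUS[-1]}`, and document whichever is chosen. The call sites are outside this hunk, so this should be confirmed against them.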
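Review bot: The rewritten progress() tests `$automated` twice in different styles: the failure branch uses `[[ $automated == no ]]` while the else branch keeps `if [ $automated == no ]; then`, where the unquoted expansion inside single brackets becomes a syntax error if the variable is ever empty; use `if [[ $automated == no ]]; then` in both places. The interactive reboot also reads as surprising without context: nothing after `shutdown -r now` stops the function, and the `[[ -s /var/spool/mail/root ]]` trigger means any mail to root during setup ends in a reboot. A short comment above the branch, `# fatal setup error: show the dialog (or exit 1 when automated), then reboot unless SKIP_REBOOT is set`, would make the intent clear to the next reader.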
@@ -368,10 +367,10 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 @@ -599,10 +598,12 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi + if [[ $THEHIVE == 1 ]]; then check_hive_init fi From 07b2f2885cce4935a99269ee0add4037b2b502af Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:32:46 -0400 Subject: [PATCH 4/6] [fix] Always exit on early failure --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 495e92637..8c1ffe6a1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -54,7 +54,7 @@ function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi - if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi else if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 From ce86dbfac0b11366ab04bc352f74a86c3feefe30 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 11 Jun 2020 09:24:23 -0400 Subject: [PATCH 5/6] [feat] Add message about root mail spool growing --- setup/so-setup | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 8c1ffe6a1..3b5653cbc 100755 --- a/setup/so-setup +++ b/setup/so-setup 
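Review bot: The changed line `if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi` still returns normally on the reboot path: `shutdown -r now` returns immediately and the function falls through, so whatever called progress() keeps executing setup steps in the window before the host actually halts. Exiting unconditionally after the optional reboot closes that window and reads more simply: `if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi` followed by `exit 1`. As with the automated branch above it, the `exit` only ends a subshell if progress() is the tail of a pipeline, which cannot be confirmed from this hunk.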
@@ -52,6 +52,10 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ -s /var/spool/mail/root ]]; then + echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 + fi + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi From ce8a59243c18af9dfa9b5ffd562601c49fc92197 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Jun 2020 14:26:48 -0400 Subject: [PATCH 6/6] [feat] Add grep for "Error" to fail if nmcli fails --- setup/so-setup | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 3b5653cbc..f2f92cf93 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -q "ERROR" $setup_log || grep -q "Error" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi @@ -341,14 +341,19 @@ if [[ "$setup_type" == 'iso' ]]; then disable_onion_user fi -set_hostname >> $setup_log 2>&1 -set_version >> $setup_log 2>&1 -clear_master >> $setup_log 2>&1 +{ + set_hostname; + set_version; + clear_master; +} >> $setup_log 2>&1 + if [[ $is_master ]]; then - generate_passwords >> $setup_log 2>&1 - secrets_pillar >> $setup_log 2>&1 - add_socore_user_master >> $setup_log 2>&1 + { + generate_passwords; + secrets_pillar; + add_socore_user_master; + } >> $setup_log 2>&1 fi if [[ $is_master && ! $is_eval ]]; then 
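Review bot: The new message `[ ERROR ] /var/spool/mail/root grew unexpectedly` claims growth, but the test it follows is `[[ -s /var/spool/mail/root ]]`, a plain non-empty check with no baseline, so a spool that already held mail before setup started trips it on the first progress() call. Either record the size at startup and compare against it, or make the message match the check: `echo '[ ERROR ] /var/spool/mail/root is not empty; a setup step mailed root' >> "$setup_log" 2>&1`. Appending the spool's tail next to the marker, `tail -n 20 /var/spool/mail/root >> "$setup_log"`, would hand the operator the actual failure text rather than only the fact that mail arrived, with the caveat that the log then carries whatever the mail contained.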
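Review bot: Adding `grep -q "Error" $setup_log` as a second substring test widens the false-positive surface of an already unanchored match — any state output, package description or path containing Error or ERROR now aborts the install — and scans the whole log a second time on every progress() call. A single word-bounded pattern on a quoted path covers both spellings in one pass: `if grep -qwE 'ERROR|Error' "$setup_log" || [[ -s /var/spool/mail/root ]]; then`. Whether nmcli's failure text still matches a word-bounded pattern should be checked against its real output, which is not shown here.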
@@ -401,11 +406,13 @@ fi if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' - create_local_directories >> $setup_log 2>&1 - addtotab_generate_templates >> $setup_log 2>&1 - copy_master_config >> $setup_log 2>&1 - setup_salt_master_dirs >> $setup_log 2>&1 - firewall_generate_templates >> $setup_log 2>&1 + { + create_local_directories; + addtotab_generate_templates; + copy_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 @@ -540,7 +547,7 @@ fi fi set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi @@ -605,7 +612,7 @@ if [[ "$success" = 0 ]]; then if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR - so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then
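Review bot: Quoting `"$FLEETNODEPASSWD1"` is correct, but the password is still handed to so-fleet-setup on argv, where any local user can read it through `ps` or `/proc/<pid>/cmdline` for as long as that command runs, and it would be written into the setup log if `set -x` is ever enabled for debugging. If so-fleet-setup can take the password from the environment or stdin, prefer that, e.g. `FLEETNODEPASSWD1="$FLEETNODEPASSWD1" so-fleet-setup "$FLEETNODEUSER"` or `printf '%s' "$FLEETNODEPASSWD1" | so-fleet-setup "$FLEETNODEUSER"`; its interface is not visible here. At minimum leave a comment, `# password is visible in the process list for the duration of this call`, so the exposure is a documented one.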
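Review bot: `so-allow -"$ALLOW_ROLE"` splices an unvalidated value into an option flag, and `export IP=$ALLOW_CIDR` on the line above hands another unvalidated value to what, by name, becomes a firewall allow rule; both values come from the automation input (presumably the file sourced near the top of the script) and only non-emptiness is checked by the enclosing `-n` test. A shape check before the call keeps a mistyped or hostile config from turning into an arbitrary option or an over-broad rule, e.g. `[[ $ALLOW_ROLE =~ ^[a-z]+$ && $ALLOW_CIDR =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || { echo "[ ERROR ] invalid ALLOW_ROLE/ALLOW_CIDR" >> "$setup_log"; exit 1; }`. The set of roles so-allow accepts is not visible here, so the role pattern should be tightened to that list.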