mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Add more logging to setup process
This commit is contained in:
Mike Reeves
@@ -48,13 +48,10 @@ airgap_rules() {
|
||||
}
|
||||
|
||||
add_admin_user() {
|
||||
# Add an admin user with full sudo rights if this is an ISO install.
|
||||
{
|
||||
useradd "$ADMINUSER";
|
||||
echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512;
|
||||
usermod -aG wheel "$ADMINUSER";
|
||||
} >> "$setup_log" 2>&1
|
||||
|
||||
title "Adding $ADMINUSER to the system with sudo rights"
|
||||
logCmd "useradd '$ADMINUSER'"
|
||||
echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512
|
||||
logCmd "usermod -aG wheel '$ADMINUSER'"
|
||||
}
|
||||
|
||||
add_mngr_ip_to_hosts() {
|
||||
@@ -62,21 +59,9 @@ add_mngr_ip_to_hosts() {
|
||||
echo "$MSRVIP $MSRV" >> /etc/hosts
|
||||
}
|
||||
|
||||
addtotab_generate_templates() {
|
||||
|
||||
local addtotab_path=$local_salt_dir/pillar/data
|
||||
|
||||
for i in evaltab managersearchtab managertab nodestab sensorstab standalonetab receiverstab; do
|
||||
printf '%s\n'\
|
||||
"$i:"\
|
||||
"" > "$addtotab_path"/$i.sls
|
||||
info "Added $i Template"
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
add_socore_user_manager() {
|
||||
so_add_user "socore" "939" "939" "/opt/so" >> "$setup_log" 2>&1
|
||||
info "Adding socore user"
|
||||
logCmd "so_add_user 'socore' '939' '939' '/opt/so'"
|
||||
}
|
||||
|
||||
add_web_user() {
|
||||
@@ -110,7 +95,7 @@ analyst_salt_local() {
|
||||
logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq"
|
||||
logCmd "yum -y update --exclude=salt*"
|
||||
|
||||
salt-call state.apply workstation --local --file-root=../salt/ -l info 2>&1 | tee -a outfile
|
||||
logCmd "salt-call state.apply workstation --local --file-root=../salt/ -l info"
|
||||
read -r -d '' message <<- EOM
|
||||
Finished Analyst workstation installation.
|
||||
|
||||
@@ -153,11 +138,6 @@ check_admin_pass() {
|
||||
check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH"
|
||||
}
|
||||
|
||||
check_manager_state() {
|
||||
info "Checking state of manager services. This may take a moment..."
|
||||
retry 2 15 "__check_so_status" >> $setup_log 2>&1 && retry 2 15 "__check_salt_master" >> $setup_log 2>&1 && return 0 || return 1
|
||||
}
|
||||
|
||||
check_manager_connection() {
|
||||
# See if you can curl the manager. If not you can either try again or continue
|
||||
info "Checking manager connectivity"
|
||||
@@ -171,18 +151,6 @@ check_manager_connection() {
|
||||
fi
|
||||
}
|
||||
|
||||
__check_so_status() {
|
||||
local so_status_output
|
||||
so_status_output=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/log/sostatus/status.log)
|
||||
[[ -z $so_status_output ]] && so_status_output=1
|
||||
return $so_status_output
|
||||
}
|
||||
|
||||
__check_salt_master() {
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" systemctl is-active --quiet salt-master
|
||||
return $?
|
||||
}
|
||||
|
||||
check_network_manager_conf() {
|
||||
local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf"
|
||||
local nmconf="/etc/NetworkManager/NetworkManager.conf"
|
||||
@@ -202,6 +170,7 @@ check_network_manager_conf() {
|
||||
}
|
||||
|
||||
check_pass_match() {
|
||||
info "Making sure passwords match"
|
||||
local pass=$1
|
||||
local confirm_pass=$2
|
||||
local var=$3
|
||||
@@ -221,16 +190,17 @@ check_service_status() {
|
||||
systemctl status $service_name > /dev/null 2>&1
|
||||
local status=$?
|
||||
if [ $status -gt 0 ]; then
|
||||
echo " $service_name is not running" >> "$setup_log" 2>&1
|
||||
info " $service_name is not running"
|
||||
return 1;
|
||||
else
|
||||
echo " $service_name is running" >> "$setup_log" 2>&1
|
||||
info " $service_name is running"
|
||||
return 0;
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
check_web_pass() {
|
||||
info Making sure web credential passwords match
|
||||
check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
|
||||
}
|
||||
|
||||
@@ -238,11 +208,10 @@ clear_manager() {
|
||||
# Clear out the old manager public key in case this is a re-install.
|
||||
# This only happens if you re-install the manager.
|
||||
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
|
||||
{
|
||||
info "Clearing old Salt master key";
|
||||
rm -f /etc/salt/pki/minion/minion_master.pub;
|
||||
systemctl -q restart salt-minion;
|
||||
} >> "$setup_log" 2>&1
|
||||
info "Clearing old Salt master key"
|
||||
logCmd "rm -f /etc/salt/pki/minion/minion_master.pub"
|
||||
info "Restarting Salt Minion"
|
||||
logCmd "systemctl -q restart salt-minion"
|
||||
fi
|
||||
|
||||
}
|
||||
@@ -312,10 +281,6 @@ collect_gateway() {
|
||||
done
|
||||
}
|
||||
|
||||
collect_helix_key() {
|
||||
whiptail_helix_apikey
|
||||
}
|
||||
|
||||
collect_homenet_mngr() {
|
||||
whiptail_homenet_manager "10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"
|
||||
|
||||
@@ -777,7 +742,7 @@ check_requirements() {
|
||||
}
|
||||
|
||||
check_sos_appliance() {
|
||||
# Lets see if this is a SOS Appliance
|
||||
title "Is this is an SOS Appliance?"
|
||||
if [ -f "/etc/SOSMODEL" ]; then
|
||||
local MODEL=$(cat /etc/SOSMODEL)
|
||||
info "Found SOS Model $MODEL"
|
||||
@@ -808,18 +773,6 @@ compare_main_nic_ip() {
|
||||
|
||||
}
|
||||
|
||||
compare_versions() {
|
||||
manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion)
|
||||
|
||||
if [[ $manager_ver == '' ]]; then
|
||||
info "Could not determine version of Security Onion running on manager $MSRV. Please check your network settings and run setup again."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
[[ "$manager_ver" == "$SOVERSION" ]]
|
||||
return
|
||||
}
|
||||
|
||||
configure_network_sensor() {
|
||||
info "Setting up sensor interface"
|
||||
|
||||
@@ -830,7 +783,7 @@ configure_network_sensor() {
|
||||
fi
|
||||
|
||||
# Create the bond interface only if it doesn't already exist
|
||||
nmcli -f name,uuid -p con | grep -q "$INTERFACE" >> "$setup_log" 2>&1
|
||||
logCmd "nmcli -f name,uuid -p con | grep -q '$INTERFACE'"
|
||||
local found_int=$?
|
||||
|
||||
if [[ $found_int != 0 ]]; then
|
||||
@@ -861,47 +814,18 @@ configure_network_sensor() {
|
||||
|
||||
copy_salt_master_config() {
|
||||
|
||||
# Copy the Salt master config template to the proper directory
|
||||
title "Copy the Salt master config template to the proper directory"
|
||||
if [ "$setup_type" = 'iso' ]; then
|
||||
cp /root/SecurityOnion/files/salt/master/master /etc/salt/master >> "$setup_log" 2>&1
|
||||
cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service >> "$setup_log" 2>&1
|
||||
logCmd "cp /root/SecurityOnion/files/salt/master/master /etc/salt/master"
|
||||
logCmd "cp /root/SecurityOnion/files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
|
||||
else
|
||||
cp ../files/salt/master/master /etc/salt/master >> "$setup_log" 2>&1
|
||||
cp ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service >> "$setup_log" 2>&1
|
||||
logCmd "cp ../files/salt/master/master /etc/salt/master"
|
||||
logCmd " ../files/salt/master/salt-master.service /usr/lib/systemd/system/salt-master.service"
|
||||
fi
|
||||
|
||||
# Restart the service so it picks up the changes
|
||||
systemctl daemon-reload >> "$setup_log" 2>&1
|
||||
systemctl restart salt-master >> "$setup_log" 2>&1
|
||||
}
|
||||
|
||||
copy_minion_tmp_files() {
|
||||
|
||||
case "$install_type" in
|
||||
'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
|
||||
info "Copying pillar and salt files in $temp_install_dir to $local_salt_dir"
|
||||
cp -Rv "$temp_install_dir"/pillar/ $local_salt_dir/ >> "$setup_log" 2>&1
|
||||
if [ -d "$temp_install_dir"/salt ] ; then
|
||||
cp -Rv "$temp_install_dir"/salt/ $local_salt_dir/ >> "$setup_log" 2>&1
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
{
|
||||
info "scp pillar and salt files in $temp_install_dir to manager $local_salt_dir";
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
|
||||
$scpcmd -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
|
||||
if [ -d $temp_install_dir/salt/patch/os/schedules/ ]; then
|
||||
if [ "$(ls -A $temp_install_dir/salt/patch/os/schedules/)" ]; then
|
||||
$scpcmd -prv -i /root/.ssh/so.key $temp_install_dir/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules;
|
||||
fi
|
||||
fi
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/manager/files/add_minion.sh "$MINION_ID";
|
||||
} >> "$setup_log" 2>&1
|
||||
;;
|
||||
esac
|
||||
info "Syncing all salt modules."
|
||||
salt-call saltutil.sync_modules >> "$setup_log" 2>&1
|
||||
logCmd "systemctl daemon-reload"
|
||||
logCmd "systemctl restart salt-master"
|
||||
}
|
||||
|
||||
create_local_directories() {
|
||||
@@ -911,19 +835,19 @@ create_local_directories() {
|
||||
for d in $(find $PILLARSALTDIR/$i -type d); do
|
||||
suffixdir=${d//$PILLARSALTDIR/}
|
||||
if [ ! -d "$local_salt_dir/$suffixdir" ]; then
|
||||
mkdir -pv "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1
|
||||
logCmd "mkdir -pv '$local_salt_dir$suffixdir'"
|
||||
fi
|
||||
done
|
||||
chown -R socore:socore "$local_salt_dir/$i"
|
||||
logCmd "chown -R socore:socore '$local_salt_dir/$i'"
|
||||
done
|
||||
|
||||
}
|
||||
|
||||
create_local_nids_rules() {
|
||||
# Create a local.rules file so it doesn't get blasted on updates
|
||||
mkdir -p /opt/so/saltstack/local/salt/idstools
|
||||
title "Create a local.rules file so it doesn't get removed on updates"
|
||||
logCmd "mkdir -p /opt/so/saltstack/local/salt/idstools"
|
||||
echo "# Custom Suricata rules go in this file" > /opt/so/saltstack/local/salt/idstools/local.rules
|
||||
salt-run fileserver.clear_file_list_cache
|
||||
logCmd "salt-run fileserver.clear_file_list_cache"
|
||||
}
|
||||
|
||||
create_manager_pillars() {
|
||||
@@ -945,8 +869,8 @@ create_manager_pillars() {
|
||||
}
|
||||
|
||||
create_repo() {
|
||||
# Create the repo for airgap
|
||||
createrepo /nsm/repo
|
||||
title "Create the repo directory"
|
||||
logCmd "createrepo /nsm/repo"
|
||||
}
|
||||
|
||||
detect_cloud() {
|
||||
@@ -1049,8 +973,8 @@ disable_auto_start() {
|
||||
disable_ipv6() {
|
||||
{
|
||||
info "Disabling ipv6"
|
||||
sysctl -w net.ipv6.conf.all.disable_ipv6=1
|
||||
sysctl -w net.ipv6.conf.default.disable_ipv6=1
|
||||
logCmd "sysctl -w net.ipv6.conf.all.disable_ipv6=1"
|
||||
logCmd "sysctl -w net.ipv6.conf.default.disable_ipv6=1"
|
||||
} >> "$setup_log" 2>&1
|
||||
{
|
||||
echo "net.ipv6.conf.all.disable_ipv6 = 1"
|
||||
@@ -1061,8 +985,8 @@ disable_ipv6() {
|
||||
|
||||
docker_registry() {
|
||||
|
||||
info "Setting up Docker Registry"
|
||||
mkdir -p /etc/docker >> "$setup_log" 2>&1
|
||||
title "Setting up Docker Registry"
|
||||
logCmd "mkdir -p /etc/docker"
|
||||
# This will get applied so docker can attempt to start
|
||||
if [ -z "$DOCKERNET" ]; then
|
||||
DOCKERNET=172.17.0.0
|
||||
@@ -1088,9 +1012,6 @@ docker_registry() {
|
||||
docker_seed_update() {
|
||||
local name=$1
|
||||
local percent_delta=1
|
||||
if [ "$install_type" == 'HELIXSENSOR' ]; then
|
||||
percent_delta=6
|
||||
fi
|
||||
((docker_seed_update_percent+=percent_delta))
|
||||
|
||||
set_progress_str "$docker_seed_update_percent" "Downloading $name"
|
||||
@@ -1112,38 +1033,14 @@ docker_seed_registry() {
|
||||
|
||||
update_docker_containers 'netinstall' '' 'docker_seed_update' "$setup_log"
|
||||
else
|
||||
tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker >> "$setup_log" 2>&1
|
||||
rm /nsm/docker-registry/docker/registry.tar >> "$setup_log" 2>&1
|
||||
logCmd "tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker"
|
||||
logCmd "rm /nsm/docker-registry/docker/registry.tar"
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
download_repo_tarball() {
|
||||
|
||||
mkdir -p /root/manager_setup
|
||||
|
||||
local manager_ver
|
||||
manager_ver=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) >> "$setup_log" 2>&1
|
||||
$scpcmd -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup >> "$setup_log" 2>&1
|
||||
|
||||
# Fail if the file doesn't download
|
||||
if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then
|
||||
rm -rf $install_opt_file
|
||||
local message="Could not download $manager_ver.tar.gz from manager, please check your network settings and verify the file /opt/so/repo/$manager_ver.tar.gz exists on the manager."
|
||||
info "$message"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
mkdir -p /root/manager_setup/securityonion
|
||||
{
|
||||
tar -xzf /root/manager_setup/"$manager_ver".tar.gz -C /root/manager_setup/securityonion
|
||||
rm -rf /root/manager_setup/"$manager_ver".tar.gz
|
||||
} >> "$setup_log" 2>&1
|
||||
}
|
||||
|
||||
elasticsearch_pillar() {
|
||||
# Create Advanced File
|
||||
touch $adv_elasticsearch_pillar_file
|
||||
title "Create Advanced File"
|
||||
logCmd "touch '$adv_elasticsearch_pillar_file'"
|
||||
# Create the Elasticsearch pillar
|
||||
printf '%s\n'\
|
||||
"elasticsearch:"\
|
||||
@@ -1188,7 +1085,7 @@ elasticsearch_pillar() {
|
||||
|
||||
es_heapsize() {
|
||||
|
||||
# Determine ES Heap Size
|
||||
title "Determine ES Heap Size"
|
||||
if [ "$total_mem" -lt 8000 ] ; then
|
||||
ES_HEAP_SIZE="600m"
|
||||
elif [ "$total_mem" -ge 100000 ]; then
|
||||
@@ -1247,26 +1144,14 @@ filter_unused_nics() {
|
||||
export nic_list
|
||||
}
|
||||
|
||||
fireeye_pillar() {
|
||||
|
||||
local fireeye_pillar_path=$local_salt_dir/pillar/fireeye
|
||||
mkdir -p "$fireeye_pillar_path"
|
||||
|
||||
printf '%s\n'\
|
||||
"fireeye:"\
|
||||
" helix:"\
|
||||
" api_key: '$HELIXAPIKEY'" \
|
||||
"" > "$fireeye_pillar_path/init.sls"
|
||||
|
||||
}
|
||||
|
||||
# Generate Firewall Templates
|
||||
firewall_generate_templates() {
|
||||
title "Generate Firewall Template"
|
||||
|
||||
local firewall_pillar_path=$local_salt_dir/salt/firewall
|
||||
mkdir -p "$firewall_pillar_path"
|
||||
logCmd "mkdir -p '$firewall_pillar_path'"
|
||||
|
||||
cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1
|
||||
logCmd "cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/"
|
||||
|
||||
for i in analyst beats_endpoint endgame sensor manager minion elastic_agent_endpoint search_node; do
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1
|
||||
@@ -1275,29 +1160,24 @@ firewall_generate_templates() {
|
||||
}
|
||||
|
||||
generate_ca() {
|
||||
{
|
||||
info "Building Certificate Authority";
|
||||
salt-call state.apply ca;
|
||||
|
||||
info "Confirming existence of the CA certificate"
|
||||
openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
|
||||
} >> "$setup_log" 2>&1
|
||||
title "Generating the certificate authority"
|
||||
logCmd "salt-call state.apply ca -l info"
|
||||
info "Confirming existence of the CA certificate"
|
||||
logCmd "openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates"
|
||||
}
|
||||
|
||||
generate_ssl() {
|
||||
{
|
||||
# if the install type is a manager then we need to wait for the minion to be ready before trying
|
||||
# to run the ssl state since we need the minion to sign the certs
|
||||
if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then
|
||||
wait_for_salt_minion
|
||||
fi
|
||||
info "Applying SSL state";
|
||||
salt-call state.apply ssl;
|
||||
} >> "$setup_log" 2>&1
|
||||
# if the install type is a manager then we need to wait for the minion to be ready before trying
|
||||
# to run the ssl state since we need the minion to sign the certs
|
||||
if [[ "$install_type" =~ ^(EVAL|MANAGER|MANAGERSEARCH|STANDALONE|IMPORT|HELIXSENSOR)$ ]]; then
|
||||
wait_for_salt_minion
|
||||
fi
|
||||
info "Applying SSL state"
|
||||
logCmd "salt-call state.apply ssl -l info"
|
||||
}
|
||||
|
||||
generate_passwords(){
|
||||
# Generate Random Passwords for Things
|
||||
title "Generate Random Passwords"
|
||||
MYSQLPASS=$(get_random_value)
|
||||
PLAYBOOKDBPASS=$(get_random_value)
|
||||
PLAYBOOKADMINPASS=$(get_random_value)
|
||||
@@ -1308,10 +1188,8 @@ generate_passwords(){
|
||||
}
|
||||
|
||||
generate_interface_vars() {
|
||||
# Set the MTU
|
||||
if [[ $NSMSETUP != 'ADVANCED' ]]; then
|
||||
if [[ $is_cloud ]]; then MTU=1575; else MTU=9000; fi
|
||||
fi
|
||||
title "Setting the MTU to 9000 on all monitor NICS"
|
||||
MTU=9000
|
||||
export MTU
|
||||
|
||||
# Set interface variable
|
||||
@@ -1343,10 +1221,10 @@ get_minion_type() {
|
||||
install_cleanup() {
|
||||
if [ -f "$temp_install_dir" ]; then
|
||||
info "Installer removing the following files:"
|
||||
ls -lR "$temp_install_dir"
|
||||
logCmd "ls -lR '$temp_install_dir'"
|
||||
|
||||
# Clean up after ourselves
|
||||
rm -rf "$temp_install_dir"
|
||||
logCmd "rm -rf '$temp_install_dir'"
|
||||
fi
|
||||
|
||||
# All cleanup prior to this statement must be compatible with automated testing. Cleanup
|
||||
@@ -1355,12 +1233,12 @@ install_cleanup() {
|
||||
|
||||
# If Mysql is running stop it
|
||||
if docker ps --format "{{.Names}}" 2>&1 | grep -q "so-mysql"; then
|
||||
/usr/sbin/so-mysql-stop
|
||||
logVmd "/usr/sbin/so-mysql-stop"
|
||||
fi
|
||||
|
||||
if [[ $setup_type == 'iso' ]]; then
|
||||
info "Removing so-setup permission entry from sudoers file"
|
||||
sed -i '/so-setup/d' /etc/sudoers
|
||||
logCmd "sed -i '/so-setup/d' /etc/sudoers"
|
||||
fi
|
||||
|
||||
if [[ -z $SO_ERROR ]]; then
|
||||
@@ -1379,7 +1257,7 @@ import_registry_docker() {
|
||||
|
||||
idh_pillar() {
|
||||
touch $adv_idh_pillar_file
|
||||
# Create the IDH Pillar
|
||||
title "Create the IDH Pillar"
|
||||
printf '%s\n'\
|
||||
"idh:"\
|
||||
" listen_on_mgnt_int: True"\
|
||||
@@ -1396,7 +1274,7 @@ idh_pillar() {
|
||||
logstash_pillar() {
|
||||
# Create the logstash advanced pillar
|
||||
touch $adv_logstash_pillar_file
|
||||
# Create the logstash pillar
|
||||
title "Create the logstash pillar"
|
||||
printf '%s\n'\
|
||||
"logstash_settings:"\
|
||||
" ls_host: '$HOSTNAME'"\
|
||||
@@ -1409,7 +1287,7 @@ logstash_pillar() {
|
||||
|
||||
# Set Logstash heap size based on total memory
|
||||
ls_heapsize() {
|
||||
|
||||
title "Setting Logstash heap size"
|
||||
if [ "$total_mem" -ge 32000 ]; then
|
||||
LS_HEAP_SIZE='1000m'
|
||||
return
|
||||
@@ -1435,6 +1313,7 @@ ls_heapsize() {
|
||||
}
|
||||
|
||||
idstools_pillar() {
|
||||
title "Ading IDSTOOLS pillar options"
|
||||
touch $adv_idstools_pillar_file
|
||||
printf '%s\n'\
|
||||
"idstools:"\
|
||||
@@ -1451,13 +1330,14 @@ idstools_pillar() {
|
||||
}
|
||||
|
||||
soc_pillar() {
|
||||
title "Creating the SOC pillar"
|
||||
touch $adv_soc_pillar_file
|
||||
touch $soc_pillar_file
|
||||
}
|
||||
|
||||
manager_pillar() {
|
||||
touch $adv_manager_pillar_file
|
||||
# Create the manager pillar
|
||||
title "Create the manager pillar"
|
||||
printf '%s\n'\
|
||||
"manager:"\
|
||||
" proxy: '$so_proxy'"\
|
||||
@@ -1469,6 +1349,7 @@ manager_pillar() {
|
||||
}
|
||||
|
||||
kratos_pillar() {
|
||||
title "Create the Kratos pillar file"
|
||||
touch $adv_kratos_pillar_file
|
||||
printf '%s\n'\
|
||||
"kratos:"\
|
||||
@@ -1479,6 +1360,7 @@ kratos_pillar() {
|
||||
}
|
||||
|
||||
create_global() {
|
||||
title "Creating the global.sls"
|
||||
touch $adv_global_pillar_file
|
||||
if [ -z "$NODE_CHECKIN_INTERVAL_MS" ]; then
|
||||
NODE_CHECKIN_INTERVAL_MS=10000
|
||||
@@ -1523,6 +1405,7 @@ create_global() {
|
||||
}
|
||||
|
||||
create_sensoroni_pillar() {
|
||||
title "Create the sensoroni pillar file"
|
||||
touch $adv_sensoroni_pillar_file
|
||||
|
||||
printf '%s\n'\
|
||||
@@ -1534,6 +1417,7 @@ create_sensoroni_pillar() {
|
||||
}
|
||||
|
||||
create_strelka_pillar() {
|
||||
title "Create the Strelka pillar file"
|
||||
touch $adv_strelka_pillar_file
|
||||
printf '%s\n'\
|
||||
"strelka:"\
|
||||
@@ -1551,6 +1435,7 @@ create_strelka_pillar() {
|
||||
}
|
||||
|
||||
backup_pillar() {
|
||||
title "Create the backup pillar file"
|
||||
touch $adv_backup_pillar_file
|
||||
printf '%s\n'\
|
||||
"backup:"\
|
||||
@@ -1559,6 +1444,7 @@ backup_pillar() {
|
||||
}
|
||||
|
||||
soctopus_pillar() {
|
||||
title "Create the soctopus pillar file"
|
||||
touch $adv_soctopus_pillar_file
|
||||
printf '%s\n'\
|
||||
"soctopus:"\
|
||||
@@ -1568,6 +1454,7 @@ soctopus_pillar() {
|
||||
}
|
||||
|
||||
docker_pillar() {
|
||||
title "Create the docker pillar file"
|
||||
touch $adv_docker_pillar_file
|
||||
printf '%s\n'\
|
||||
"docker:"\
|
||||
@@ -1576,6 +1463,7 @@ docker_pillar() {
|
||||
}
|
||||
|
||||
redis_pillar() {
|
||||
title "Create the redis pillar file"
|
||||
touch $adv_redis_pillar_file
|
||||
printf '%s\n'\
|
||||
"redis_settings:"\
|
||||
@@ -1583,11 +1471,12 @@ redis_pillar() {
|
||||
}
|
||||
|
||||
mark_version() {
|
||||
# Drop a file with the current version
|
||||
title "Marking the current version"
|
||||
echo "$SOVERSION" > /etc/soversion
|
||||
}
|
||||
|
||||
network_init() {
|
||||
title "Initializing Network"
|
||||
disable_ipv6
|
||||
set_hostname
|
||||
if [[ ( $is_iso || $is_analyst_iso ) ]]; then
|
||||
@@ -1637,15 +1526,11 @@ networking_needful() {
|
||||
}
|
||||
|
||||
network_setup() {
|
||||
{
|
||||
info "Finishing up network setup";
|
||||
|
||||
info "... Copying 99-so-checksum-offload-disable";
|
||||
cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
|
||||
|
||||
info "... Modifying 99-so-checksum-offload-disable";
|
||||
sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
|
||||
} >> "$setup_log" 2>&1
|
||||
info "Finishing up network setup"
|
||||
info "... Copying 99-so-checksum-offload-disable"
|
||||
logCmd "cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable"
|
||||
info "... Modifying 99-so-checksum-offload-disable";
|
||||
logCmd "sed -i '/\$MNIC/${INTERFACE}/g' /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable"
|
||||
}
|
||||
|
||||
ntp_pillar_entries() {
|
||||
@@ -1669,7 +1554,7 @@ parse_install_username() {
|
||||
}
|
||||
|
||||
patch_pillar() {
|
||||
|
||||
title "Create the patch pillar file"
|
||||
local pillar_file=$local_salt_dir/pillar/minions/$MINION_ID.sls
|
||||
|
||||
|
||||
@@ -1691,10 +1576,11 @@ patch_pillar() {
|
||||
}
|
||||
|
||||
patch_schedule_os_new() {
|
||||
title "Create the patch schedule"
|
||||
local OSPATCHSCHEDULEDIR="$temp_install_dir/salt/patch/os/schedules"
|
||||
local OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml"
|
||||
|
||||
mkdir -p $OSPATCHSCHEDULEDIR
|
||||
logCmd "mkdir -p '$OSPATCHSCHEDULEDIR'"
|
||||
|
||||
printf '%s\n'\
|
||||
"patch:"\
|
||||
@@ -2194,19 +2080,19 @@ setup_salt_master_dirs() {
|
||||
|
||||
# Copy over the salt code and templates
|
||||
if [ "$setup_type" = 'iso' ]; then
|
||||
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
|
||||
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
|
||||
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
|
||||
cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
|
||||
logCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/"
|
||||
ogCmd "rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/"
|
||||
logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel"
|
||||
logCmd "cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/"
|
||||
else
|
||||
cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
|
||||
cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
|
||||
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
|
||||
cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
|
||||
logCmd "cp -Rv ../pillar/* $default_salt_dir/pillar/"
|
||||
logCmd "cp -Rv ../salt/* $default_salt_dir/salt/"
|
||||
logCmd "mkdir -p $local_salt_dir/salt/zeek/policy/intel"
|
||||
logCmd "cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/"
|
||||
fi
|
||||
|
||||
info "Chown the salt dirs on the manager for socore"
|
||||
chown -R socore:socore /opt/so
|
||||
logCmd "chown -R socore:socore /opt/so"
|
||||
}
|
||||
|
||||
set_progress_str() {
|
||||
@@ -2233,20 +2119,6 @@ set_progress_str() {
|
||||
fi
|
||||
}
|
||||
|
||||
set_ssh_cmds() {
|
||||
local automated=$1
|
||||
|
||||
if [ $automated == yes ]; then
|
||||
sshcmd="sshpass -p $SOREMOTEPASS1 ssh -o StrictHostKeyChecking=no"
|
||||
sshcopyidcmd="sshpass -p $SOREMOTEPASS1 ssh-copy-id -o StrictHostKeyChecking=no"
|
||||
scpcmd="sshpass -p $SOREMOTEPASS1 scp -o StrictHostKeyChecking=no"
|
||||
else
|
||||
sshcmd='ssh'
|
||||
sshcopyidcmd='ssh-copy-id'
|
||||
scpcmd='scp'
|
||||
fi
|
||||
}
|
||||
|
||||
set_default_log_size() {
|
||||
local percentage
|
||||
|
||||
@@ -2280,82 +2152,39 @@ set_default_log_size() {
|
||||
|
||||
set_hostname() {
|
||||
|
||||
hostnamectl set-hostname --static "$HOSTNAME"
|
||||
logcmd "hostnamectl set-hostname --static '$HOSTNAME'"
|
||||
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
|
||||
echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
|
||||
echo "$HOSTNAME" > /etc/hostname
|
||||
|
||||
hostname -F /etc/hostname
|
||||
logCmd "hostname -F /etc/hostname"
|
||||
}
|
||||
|
||||
set_initial_firewall_policy() {
|
||||
title "Setting Initial Firewall Policy"
|
||||
if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
|
||||
|
||||
if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
|
||||
|
||||
case "$install_type" in
|
||||
'MANAGER')
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP"
|
||||
;;
|
||||
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
;;
|
||||
'HELIXSENSOR')
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
|
||||
;;
|
||||
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
|
||||
case "$install_type" in
|
||||
'SENSOR')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
|
||||
;;
|
||||
'SEARCHNODE')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
;;
|
||||
'HEAVYNODE')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP"
|
||||
;;
|
||||
'FLEET')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
|
||||
;;
|
||||
'IDH')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost beats_endpoint_ssl "$MAINIP"
|
||||
;;
|
||||
'RECEIVER')
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost receiver "$MAINIP"
|
||||
esac
|
||||
;;
|
||||
'PARSINGNODE')
|
||||
# TODO: implement
|
||||
;;
|
||||
'HOTNODE')
|
||||
# TODO: implement
|
||||
;;
|
||||
'WARMNODE')
|
||||
# TODO: implement
|
||||
;;
|
||||
esac
|
||||
|
||||
# Add some firewall rules for analyst workstations that get added to the grid
|
||||
if [[ $is_analyst ]]; then
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
|
||||
$sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP"
|
||||
case "$install_type" in
|
||||
'MANAGER')
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost minion "$MAINIP"
|
||||
;;
|
||||
'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT')
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
# Set up the management interface on the ISO
|
||||
set_management_interface() {
|
||||
|
||||
title "Setting up the main interface"
|
||||
if [ "$address_type" = 'DHCP' ]; then
|
||||
nmcli con mod "$MNIC" connection.autoconnect yes >> "$setup_log" 2>&1
|
||||
nmcli con up "$MNIC" >> "$setup_log" 2>&1
|
||||
logCmd "nmcli con mod '$MNIC' connection.autoconnect yes"
|
||||
logCmd "nmcli con up '$MNIC'"
|
||||
else
|
||||
# Set Static IP
|
||||
nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\
|
||||
@@ -2369,6 +2198,7 @@ set_management_interface() {
|
||||
}
|
||||
|
||||
set_redirect() {
|
||||
title "Setting redirect host"
|
||||
case $REDIRECTINFO in
|
||||
'IP')
|
||||
REDIRECTIT="$MAINIP"
|
||||
@@ -2381,27 +2211,6 @@ set_redirect() {
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
set_updates() {
|
||||
if [ "$MANAGERUPDATES" = '1' ]; then
|
||||
if [[ $is_centos ]]; then
|
||||
if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then
|
||||
if grep -q "proxy=" /etc/yum.conf; then
|
||||
sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf
|
||||
else
|
||||
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
|
||||
fi
|
||||
fi
|
||||
else
|
||||
# Set it up so the updates roll through the manager
|
||||
printf '%s\n'\
|
||||
"Acquire::http::Proxy \"http://$MSRV:3142\";"\
|
||||
"Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# $5 => (optional) password variable
|
||||
so_add_user() {
|
||||
local username=$1
|
||||
local uid=$2
|
||||
@@ -2410,8 +2219,8 @@ so_add_user() {
|
||||
if [ "$5" ]; then local pass=$5; fi
|
||||
|
||||
info "Add $username user"
|
||||
groupadd --gid "$gid" "$username"
|
||||
useradd -m --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username"
|
||||
logCmd "groupadd --gid '$gid' '$username'"
|
||||
logCmd "useradd -m --uid '$uid' --gid '$gid' --home-dir '$home_dir' '$username'"
|
||||
|
||||
# If a password has been passed in, set the password
|
||||
if [ "$pass" ]; then
|
||||
|
||||
Reference in New Issue
Block a user