Merge pull request #60 from TOoSmOotH/master

Alpha 1.1.0
This commit is contained in:
Mike Reeves
2019-07-25 16:04:23 -04:00
committed by GitHub
37 changed files with 715 additions and 368 deletions

View File

@@ -1,21 +1,19 @@
## Hybrid Hunter 1.0.8 ## Hybrid Hunter Alpha 1.1.0
### Changes: ### Changes:
- Suricata 4.1.4 - Alpha is here!! Check out the [[Hybrid Hunter Quick Start Guide|Hybrid-Hunter-Quick-Start-Guide]].
- Eval and Master installs now ask which components you would like to install - There is a new PCAP interface called [Sensoroni](https://github.com/sensoroni/sensoroni). Pivoting is done via Kibana. See details [[here|Pulling-PCAP]].
- Fleet (osquery) now has it's own additional setup script. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/Configuring-Osquery-with-Security-Onion) - Bond interface setup now uses `nmcli` for better compatibility in the network based setup script.
- Fleet setup script now generates auto install packages for Windows, CentOS, and Ubuntu - Filebeat traffic for HH components now use a separate port (5644). This will allow you to send Beats to the default port (5044) and choose how you want to secure it. It is still recommended to use full SSL via Filebeat and if you already have this set up you will need to change to port 5044. We will continue to refine this in future versions.
- When Fleet setup is completed, all SO nodes will auto install the appropriate auto install package - Authentication is now enabled by default for all the web based components. There will be some major changes before we get to beta with how authentication in general is handled due to Elastic "Features" and other components.
- We now have a progress bar during install! - Add users to the web interface via `so-user-add` and follow the prompts.
- The setup script will now tell you if it was successful - `so-allow` now exists to make your life easier.
- Added Grafana plugin Pie Chart - Bro 2.6.2.
- The Hive Docker moved to Centos 7 based container. [See the docs](https://github.com/Security-Onion-Solutions/securityonion-saltstack/wiki/The-Hive) - All Docker images were updated to reflect Alpha status.
- Disabled DEBUG logging on a lot of components to reduce space usage.
### Notes: - Added a rule update cron job so the master pulls new rules down every day at 7AM UTC.
- Attempting to send a Bro event to The Hive that does not contain a source and destination IP (ex. Bro files, or X509) will result in an exception - a fix for this will be implemented in the next release. - You can now manually run a rule update using the `so-rule-update` command.
- If attempting to pivot from Kibana, ensure that you can resolve the master via DNS -- otherwise, populate your local hosts file with an entry to point to the master.
### Warnings and Disclaimers ### Warnings and Disclaimers
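Review bot: the Filebeat note in this hunk contradicts the rest of the change set: it says existing full-SSL Filebeat setups "will need to change to port 5044", but the new `filebeat.yml` points HH components at 5644 and both Logstash pipeline lists in this PR comment out `0006_input_beats.conf`, so after this change nothing in the shipped pipelines listens on 5044 at all, which also undercuts "send Beats to the default port (5044) and choose how you want to secure it". Either fix the port number to 5644 and drop the 5044 sentence, or keep `0006_input_beats.conf` loaded. Two smaller consistency points against the same hunk: the cron state added in `idstools` fires at minute 1, so "every day at 7AM UTC" is 07:01, and the new Sensoroni agent config ships with `"logLevel":"debug"`, which sits oddly next to "Disabled DEBUG logging on a lot of components".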

View File

@@ -0,0 +1,2 @@
wazuh_endpoint:
- 127.0.0.1

View File

@@ -100,7 +100,7 @@
# Uncomment the following line to enable the SMB analyzer. The analyzer # Uncomment the following line to enable the SMB analyzer. The analyzer
# is currently considered a preview and therefore not loaded by default. # is currently considered a preview and therefore not loaded by default.
@load policy/protocols/smb @load base/protocols/smb
# Add the interface to the log event # Add the interface to the log event
#@load securityonion/add-interface-to-logs.bro #@load securityonion/add-interface-to-logs.bro
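Review bot: the two comment lines above the changed `@load` are now stale: they say "Uncomment the following line" and call the analyzer a preview that is "not loaded by default", yet the `@load base/protocols/smb` line is active, and with the Bro 2.6.2 bump in this release the SMB analyzer lives under `base/` and is loaded by default anyway. Either delete the `@load` as redundant or rewrite the comment so it does not tell operators to uncomment an already-active line.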

View File

@@ -125,13 +125,13 @@ localbrosync:
so-broimage: so-broimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.0.6 - name: docker pull --disable-content-trust=false soshybridhunter/so-bro:HH1.1.0
so-bro: so-bro:
docker_container.running: docker_container.running:
- require: - require:
- so-broimage - so-broimage
- image: soshybridhunter/so-bro:HH1.0.6 - image: soshybridhunter/so-bro:HH1.1.0
- privileged: True - privileged: True
- binds: - binds:
- /nsm/bro/logs:/nsm/bro/logs:rw - /nsm/bro/logs:/nsm/bro/logs:rw
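Review bot: the `so-broimage` pull (and every other `*image` state in this PR that follows the same pattern) is a `cmd.run` of `docker pull`, which is not idempotent: it runs and reports a change on every highstate and will re-pull over the network each time. `docker_image.present` with the same `soshybridhunter/so-bro:HH1.1.0` tag gives the same result idempotently, and the `--disable-content-trust=false` guarantee can be kept by setting `DOCKER_CONTENT_TRUST=1` in the state's environment. The `redis` hunk in this PR already removes a leftover `docker_image.present` for `toosmooth/so-redis:test2`, so the module is known to work here.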

View File

@@ -41,9 +41,11 @@ sensorpkgs:
{% if grains['os'] != 'CentOS' %} {% if grains['os'] != 'CentOS' %}
- python-docker - python-docker
- python-m2crypto - python-m2crypto
- apache2-utils
{% else %} {% else %}
- net-tools - net-tools
- tcpdump - tcpdump
- httpd-tools
{% endif %} {% endif %}
# Always keep these packages up to date # Always keep these packages up to date
@@ -61,6 +63,16 @@ alwaysupdated:
Etc/UTC: Etc/UTC:
timezone.system timezone.system
# Sync some Utilities
utilsyncscripts:
file.recurse:
- name: /usr/sbin
- user: 0
- group: 0
- file_mode: 755
- template: jinja
- source: salt://common/tools/sbin
# Make sure Docker is running! # Make sure Docker is running!
docker: docker:
service.running: service.running:
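Review bot: `utilsyncscripts` renders everything under `salt://common/tools/sbin` with `template: jinja` before dropping it into `/usr/sbin` as root-owned 755 files. The three scripts added in this PR happen to contain no `{{`, `{%` or `{#`, but any future shell script that does (awk one-liners, `${var}` is fine but `{#var}` is not) will be silently mangled at sync time; drop `template: jinja` unless a script actually needs substitution. Consider also adding `clean: True` so a script removed from the repo is removed from `/usr/sbin` rather than lingering.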
@@ -104,13 +116,13 @@ nginxtmp:
# Start the core docker # Start the core docker
so-coreimage: so-coreimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-core:HH1.1.0
so-core: so-core:
docker_container.running: docker_container.running:
- require: - require:
- so-coreimage - so-coreimage
- image: soshybridhunter/so-core:HH1.0.8 - image: soshybridhunter/so-core:HH1.1.0
- hostname: so-core - hostname: so-core
- user: socore - user: socore
- binds: - binds:
@@ -164,13 +176,13 @@ tgrafconf:
so-telegrafimage: so-telegrafimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-telegraf:HH1.1.0
so-telegraf: so-telegraf:
docker_container.running: docker_container.running:
- require: - require:
- so-telegrafimage - so-telegrafimage
- image: soshybridhunter/so-telegraf:HH1.0.7 - image: soshybridhunter/so-telegraf:HH1.1.0
- environment: - environment:
- HOST_PROC=/host/proc - HOST_PROC=/host/proc
- HOST_ETC=/host/etc - HOST_ETC=/host/etc
@@ -225,13 +237,13 @@ influxdbconf:
so-influximage: so-influximage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-influxdb:HH1.1.0
so-influxdb: so-influxdb:
docker_container.running: docker_container.running:
- require: - require:
- so-influximage - so-influximage
- image: soshybridhunter/so-influxdb:HH1.0.7 - image: soshybridhunter/so-influxdb:HH1.1.0
- hostname: influxdb - hostname: influxdb
- environment: - environment:
- INFLUXDB_HTTP_LOG_ENABLED=false - INFLUXDB_HTTP_LOG_ENABLED=false
@@ -242,6 +254,8 @@ so-influxdb:
- /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro - /etc/pki/influxdb.key:/etc/ssl/influxdb.key:ro
- port_bindings: - port_bindings:
- 0.0.0.0:8086:8086 - 0.0.0.0:8086:8086
- watch:
- file: /opt/so/conf/influxdb/etc/influxdb.conf
# Grafana all the things # Grafana all the things
grafanadir: grafanadir:
@@ -355,7 +369,7 @@ dashboard-{{ SN }}:
- defaults: - defaults:
SERVERNAME: {{ SN }} SERVERNAME: {{ SN }}
MANINT: {{ SNDATA.manint }} MANINT: {{ SNDATA.manint }}
MONINT: {{ SNDATA.monint }} MONINT: {{ SNDATA.manint }}
CPUS: {{ SNDATA.totalcpus }} CPUS: {{ SNDATA.totalcpus }}
UID: {{ SNDATA.guid }} UID: {{ SNDATA.guid }}
ROOTFS: {{ SNDATA.rootfs }} ROOTFS: {{ SNDATA.rootfs }}
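Review bot: the `MONINT` default changes from `{{ SNDATA.monint }}` to `{{ SNDATA.manint }}`, so the per-sensor dashboard now receives the management interface for both `MANINT` and `MONINT`. Nothing else in the PR explains this; if the monitor interface value is not available yet, say so in a comment, otherwise this looks like a typo that will make the monitor-interface panels graph the wrong NIC.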
@@ -386,9 +400,13 @@ dashboard-{{ SN }}:
{% endif %} {% endif %}
# Install the docker. This needs to be behind nginx at some point # Install the docker. This needs to be behind nginx at some point
so-grafanaimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-grafana:HH1.1.0
so-grafana: so-grafana:
docker_container.running: docker_container.running:
- image: soshybridhunter/so-grafana:HH1.0.8 - image: soshybridhunter/so-grafana:HH1.1.0
- hostname: grafana - hostname: grafana
- user: socore - user: socore
- binds: - binds:
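Review bot: `so-grafana` gains a `so-grafanaimage` pull state but, unlike every other container in this PR, no `- require: - so-grafanaimage` on the `docker_container.running` state, so Salt may try to start the container before the HH1.1.0 image has been pulled. Add the requisite for consistency with `so-core`, `so-telegraf` and the rest.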

View File

@@ -100,6 +100,8 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/; proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
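Review bot: `auth_basic_user_file /opt/so/conf/nginx/.htpasswd` is a host path, and this PR does not show a bind mount of that file (or of `/opt/so/conf/nginx`) into the container that runs this nginx, nor a state that creates it; until `so-user-add` has been run at least once nginx will log "open() ... failed" and answer every protected location with an error. Either ship an empty `.htpasswd` from Salt with restrictive ownership (readable by the nginx worker user only) and bind it read-only into the container, or document in setup that `so-user-add` must run before nginx is reloaded.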
@@ -125,6 +127,8 @@ http {
} }
location /fleet/ { location /fleet/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /fleet/(.*) /$1 break; rewrite /fleet/(.*) /$1 break;
proxy_pass https://{{ masterip }}:8080/; proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90; proxy_read_timeout 90;
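Review bot: putting `auth_basic` in front of `/fleet/` needs a check against Fleet's own API authentication. The Fleet UI authenticates its API calls with its own `Authorization` header; once the browser's JavaScript sets that header explicitly, nginx no longer sees a `Basic` credential on those requests and `auth_basic` answers 401, so the UI can load but its API calls fail. Verify login and table loads through `/fleet/` after this change; if it breaks, exempt the API sub-path from `auth_basic` or protect the whole app at a different layer.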
@@ -157,6 +161,42 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy ""; proxy_set_header Proxy "";
}
location /sensoroni/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /kibana/app/sensoroni/ {
rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
}
location /kibana/app/fleet/ {
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
}
location /kibana/app/soctopus/ {
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
}
location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
} }
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
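Review bot: `/sensoroniagents/` proxies to the same `http://{{ masterip }}:9822/` backend as `/sensoroni/` but without `auth_basic`, so the only thing standing between a client that can reach 443 (analysts and forward nodes, per the firewall hunks) and the Sensoroni server API is the `statickeyauth` module. That module's config in this PR sets `"anonymousCidr": "172.17.0.0/24"`; if this nginx runs as a container on the default Docker bridge, every proxied request reaches Sensoroni from a 172.17.0.x source address and is treated as anonymous, which makes the API key irrelevant and leaves the job-submission API open to anyone the firewall admits on 443. Confirm which source address Sensoroni sees behind nginx, and either narrow `anonymousCidr` to the loopback-only case it was meant for or have Sensoroni honour `X-Forwarded-For`. Separately, the three `permanent` rewrites from `/kibana/app/*` are 301s that browsers cache; use a 302 until the paths are stable.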

View File

@@ -100,6 +100,8 @@ http {
} }
location /kibana/ { location /kibana/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
rewrite /kibana/(.*) /$1 break; rewrite /kibana/(.*) /$1 break;
proxy_pass http://{{ masterip }}:5601/; proxy_pass http://{{ masterip }}:5601/;
proxy_read_timeout 90; proxy_read_timeout 90;
@@ -126,6 +128,8 @@ http {
location /fleet/ { location /fleet/ {
rewrite /fleet/(.*) /$1 break; rewrite /fleet/(.*) /$1 break;
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass https://{{ masterip }}:8080/; proxy_pass https://{{ masterip }}:8080/;
proxy_read_timeout 90; proxy_read_timeout 90;
proxy_connect_timeout 90; proxy_connect_timeout 90;
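Review bot: this second nginx template now duplicates the first almost line for line, and the two have already drifted: here `auth_basic` sits after the `rewrite` in `/fleet/`, in the other file it sits before it. Nginx does not care about directive order inside a `location`, so the result is the same today, but a future fix applied to one file and not the other will not be caught. Move the shared `location` blocks into a single snippet pulled in with `include`, or at least make the two files byte-identical where they are meant to be.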
@@ -159,6 +163,43 @@ http {
} }
location /sensoroni/ {
auth_basic "Security Onion";
auth_basic_user_file /opt/so/conf/nginx/.htpasswd;
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
location /kibana/app/sensoroni/ {
rewrite ^/kibana/app/sensoroni/(.*) /sensoroni/$1 permanent;
}
location /kibana/app/fleet/ {
rewrite ^/kibana/app/fleet/(.*) /fleet/$1 permanent;
}
location /kibana/app/soctopus/ {
rewrite ^/kibana/app/soctopus/(.*) /soctopus/$1 permanent;
}
location /sensoroniagents/ {
proxy_pass http://{{ masterip }}:9822/;
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Proxy "";
}
error_page 404 /404.html; error_page 404 /404.html;
location = /40x.html { location = /40x.html {
} }

View File

@@ -0,0 +1,42 @@
#!/bin/bash
got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
echo "This program allows you to add a firewall rule to allow connections from a new IP address."
echo ""
echo "Choose the role for the IP or Range you would like to add"
echo ""
echo "[a] - Analyst - ports 80/tcp and 443/tcp"
echo "[b] - Logstash Beat - port 5044/tcp"
echo "[o] - Osquery endpoint - port 8080/tcp"
echo "[w] - Wazuh endpoint - port 1514"
echo ""
echo "Please enter your selection (a - analyst, b - beats, o - osquery, w - wazuh):"
read ROLE
echo "Enter a single ip address or range to allow (example: 10.10.10.10 or 10.10.0.0/16):"
read IP
if [ "$ROLE" == "a" ]; then
FULLROLE=analyst
elif [ "$ROLE" == "b" ]; then
FULLROLE=beats_endpoint
elif [ "$ROLE" == "o" ]; then
FULLROLE=osquery_endpoint
elif [ "$ROLE" == "w" ]; then
FULLROLE=wazuh_endpoint
else
echo "I don't recognize that role"
exit 1
fi
echo "Adding $IP to the $FULLROLE role. This can take a few seconds"
/opt/so/saltstack/pillar/firewall/addfirewall.sh $FULLROLE $IP
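Review bot: `$IP` is taken straight from `read` and handed, unquoted, to `addfirewall.sh`, and from there it ends up in the pillar that the `iptables.insert` states render with `- source: {{ ip }}`. There is no validation that it is an IPv4 address or CIDR, so a typo (or a value containing spaces or YAML-significant characters) lands in the pillar file and breaks the firewall highstate for every minion that loads it. Validate the input before calling the helper, for example with a regex for `a.b.c.d[/nn]` or by round-tripping it through `ipcalc`, use `read -r`, and quote both arguments: `/opt/so/saltstack/pillar/firewall/addfirewall.sh "$FULLROLE" "$IP"`. The menu also advertises "Logstash Beat - port 5044/tcp" while this PR comments out the 5044 Logstash input, so that role currently opens a port nothing listens on.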

View File

@@ -0,0 +1,13 @@
#!/bin/bash
got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
got_root
docker exec -it so-idstools /bin/bash -c 'cd /opt/so/idstools/etc && idstools-rulecat'
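Review bot: this script is what the new cron entry in `idstools` runs, and `docker exec -it` requires a TTY on stdin; under cron there is none, so the exec aborts with "the input device is not a TTY" and the daily rule download never happens. Drop `-it` (neither interactive input nor a pseudo-terminal is needed for `idstools-rulecat`), and consider exiting non-zero when `rulecat` fails so the log redirect in the cron line captures a useful error rather than an empty file.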

View File

@@ -0,0 +1,17 @@
#!/bin/bash
USERNAME=$1
# Make sure a username is provided
[ $# -eq 0 ] && { echo "Usage: $0 username"; exit 1; }
# If the file is there already lets create it otherwise add the user
if [ ! -f /opt/so/conf/nginx/.htpasswd ]; then
# Create the password file
htpasswd -c /opt/so/conf/nginx/.htpasswd $USERNAME
else
htpasswd /opt/so/conf/nginx/.htpasswd $USERNAME
fi
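Review bot: `htpasswd` is invoked with its default hash, which for the apache2-utils/httpd-tools versions added in this PR is MD5-based `apr1`; pass `-B` to store bcrypt hashes, which nginx's `auth_basic` accepts. The script also does not check that it runs as root (the sibling scripts in this PR use `got_root`), does not quote `$USERNAME`, and leaves the new `.htpasswd` with whatever the caller's umask produces, so the file that now gates Kibana, Fleet and Sensoroni can end up world-readable under `/opt/so/conf/nginx`. Add `got_root`, quote the variable, and `chmod 640` / `chown` the file to the user the nginx container runs as after `htpasswd -c`.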

View File

@@ -114,13 +114,13 @@ curdel:
so-curatorimage: so-curatorimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.0.3 - name: docker pull --disable-content-trust=false soshybridhunter/so-curator:HH1.1.0
so-curator: so-curator:
docker_container.running: docker_container.running:
- require: - require:
- so-curatorimage - so-curatorimage
- image: soshybridhunter/so-curator:HH1.0.3 - image: soshybridhunter/so-curator:HH1.1.0
- hostname: curator - hostname: curator
- name: so-curator - name: so-curator
- user: curator - user: curator

View File

@@ -81,13 +81,13 @@ elastarules:
so-elastalertimage: so-elastalertimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.0.3 - name: docker pull --disable-content-trust=false soshybridhunter/so-elastalert:HH1.1.0
so-elastalert: so-elastalert:
docker_container.running: docker_container.running:
- require: - require:
- so-elastalertimage - so-elastalertimage
- image: soshybridhunter/so-elastalert:HH1.0.3 - image: soshybridhunter/so-elastalert:HH1.1.0
- hostname: elastalert - hostname: elastalert
- name: so-elastalert - name: so-elastalert
- user: elastalert - user: elastalert

View File

@@ -92,13 +92,13 @@ eslogdir:
so-elasticsearchimage: so-elasticsearchimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.0.6 - name: docker pull --disable-content-trust=false soshybridhunter/so-elasticsearch:HH1.1.0
so-elasticsearch: so-elasticsearch:
docker_container.running: docker_container.running:
- require: - require:
- so-elasticsearchimage - so-elasticsearchimage
- image: soshybridhunter/so-elasticsearch:HH1.0.6 - image: soshybridhunter/so-elasticsearch:HH1.1.0
- hostname: elasticsearch - hostname: elasticsearch
- name: so-elasticsearch - name: so-elasticsearch
- user: elasticsearch - user: elasticsearch

View File

@@ -80,7 +80,7 @@ output.logstash:
enabled: true enabled: true
# The Logstash hosts # The Logstash hosts
hosts: ["{{ MASTER }}:5044"] hosts: ["{{ MASTER }}:5644"]
# Number of workers per Logstash host. # Number of workers per Logstash host.
worker: 1 worker: 1

View File

@@ -51,13 +51,13 @@ filebeatconfsync:
so-filebeatimage: so-filebeatimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.0.6 - name: docker pull --disable-content-trust=false soshybridhunter/so-filebeat:HH1.1.0
so-filebeat: so-filebeat:
docker_container.running: docker_container.running:
- require: - require:
- so-filebeatimage - so-filebeatimage
- image: soshybridhunter/so-filebeat:HH1.0.6 - image: soshybridhunter/so-filebeat:HH1.1.0
- hostname: so-filebeat - hostname: so-filebeat
- user: root - user: root
- extra_hosts: {{ MASTER }}:{{ MASTERIP }} - extra_hosts: {{ MASTER }}:{{ MASTERIP }}

View File

@@ -315,6 +315,39 @@ enable_forwardnode_beats_5044_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_forwardnode_beats_5644_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 5644
- position: 1
- save: True
enable_forwardnode_sensoroni_443_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 443
- position: 1
- save: True
enable_forwardnode_sensoroni_9822_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 9822
- position: 1
- save: True
{% endfor %} {% endfor %}
{% for ip in pillar.get('storage_nodes') %} {% for ip in pillar.get('storage_nodes') %}
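Review bot: forward nodes are granted both 443 and 9822 on the master, but the agent config added in this PR points them at `https://{{ MASTER }}/sensoroniagents`, which is the nginx path on 443; the direct 9822 rule is then redundant and simply doubles the exposure of the Sensoroni server port. Pick one path and open only that. The pre-existing 5044 rule just above is also kept while the 5044 Logstash input is commented out elsewhere in this PR, so it now admits traffic to a port with no listener.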
@@ -375,6 +408,33 @@ enable_standard_osquery_8080_{{ip}}:
{% endfor %} {% endfor %}
# Allow Wazuh Endpoints to send their traffic
{% for ip in pillar.get('wazuh_endpoint') %}
enable_wazuh_endpoint_tcp_1514_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: tcp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
enable_wazuh_endpoint_udp_1514_{{ip}}:
iptables.insert:
- table: filter
- chain: DOCKER-USER
- jump: ACCEPT
- proto: udp
- source: {{ ip }}
- dport: 1514
- position: 1
- save: True
{% endfor %}
# Allow Analysts # Allow Analysts
{% for ip in pillar.get('analyst') %} {% for ip in pillar.get('analyst') %}
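Review bot: `pillar.get('wazuh_endpoint')` has no default, so on any minion whose pillar does not include the new `wazuh_endpoint` file the loop iterates over `None` and the whole firewall SLS fails to render, taking every other rule in this file with it. Use `pillar.get('wazuh_endpoint', [])` (the loop then simply emits no rules), and make sure the new pillar file is actually targeted in `top.sls` for the node types that should accept Wazuh agents. The shipped default of `127.0.0.1` also creates two `ACCEPT` rules for loopback in `DOCKER-USER` on every node, which is harmless but suggests an empty list is the better default.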
@@ -400,49 +460,61 @@ enable_standard_analyst_443_{{ip}}:
- position: 1 - position: 1
- save: True - save: True
enable_standard_analyst_3000_{{ip}}: #enable_standard_analyst_3000_{{ip}}:
iptables.insert: # iptables.insert:
- table: filter # - table: filter
- chain: DOCKER-USER # - chain: DOCKER-USER
- jump: ACCEPT # - jump: ACCEPT
- proto: tcp # - proto: tcp
- source: {{ ip }} # - source: {{ ip }}
- dport: 3000 # - dport: 3000
- position: 1 # - position: 1
- save: True # - save: True
enable_standard_analyst_7000_{{ip}}: #enable_standard_analyst_7000_{{ip}}:
iptables.insert: # iptables.insert:
- table: filter # - table: filter
- chain: DOCKER-USER # - chain: DOCKER-USER
- jump: ACCEPT # - jump: ACCEPT
- proto: tcp # - proto: tcp
- source: {{ ip }} # - source: {{ ip }}
- dport: 7000 # - dport: 7000
- position: 1 # - position: 1
- save: True # - save: True
enable_standard_analyst_9000_{{ip}}: #enable_standard_analyst_9000_{{ip}}:
iptables.insert: # iptables.insert:
- table: filter # - table: filter
- chain: DOCKER-USER # - chain: DOCKER-USER
- jump: ACCEPT # - jump: ACCEPT
- proto: tcp # - proto: tcp
- source: {{ ip }} # - source: {{ ip }}
- dport: 9000 # - dport: 9000
- position: 1 # - position: 1
- save: True # - save: True
enable_standard_analyst_9001_{{ip}}: #enable_standard_analyst_9001_{{ip}}:
iptables.insert: # iptables.insert:
- table: filter # - table: filter
- chain: DOCKER-USER # - chain: DOCKER-USER
- jump: ACCEPT # - jump: ACCEPT
- proto: tcp # - proto: tcp
- source: {{ ip }} # - source: {{ ip }}
- dport: 9001 # - dport: 9001
- position: 1 # - position: 1
- save: True # - save: True
# This is temporary for sensoroni testing
#enable_standard_analyst_9822_{{ip}}:
# iptables.insert:
# - table: filter
# - chain: DOCKER-USER
# - jump: ACCEPT
# - proto: tcp
# - source: {{ ip }}
# - dport: 9822
# - position: 1
# - save: True
{% endfor %} {% endfor %}
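Review bot: four analyst rules (3000, 7000, 9000, 9001) are commented out rather than deleted, and a fifth commented block for 9822 is added "temporary for sensoroni testing". Commented-out Salt states accumulate and are not tracked by anything; since the intent is that these services now sit behind nginx on 443, delete the blocks (git keeps the history) and, if 9822 is still needed for testing, gate it on a pillar flag instead of leaving a block someone will uncomment by hand.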

View File

@@ -61,13 +61,13 @@ fleetdbpriv:
so-fleetimage: so-fleetimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.0.6 - name: docker pull --disable-content-trust=false soshybridhunter/so-fleet:HH1.1.0
so-fleet: so-fleet:
docker_container.running: docker_container.running:
- require: - require:
- so-fleetimage - so-fleetimage
- image: soshybridhunter/so-fleet:HH1.0.6 - image: soshybridhunter/so-fleet:HH1.1.0
- hostname: so-fleet - hostname: so-fleet
- port_bindings: - port_bindings:
- 0.0.0.0:8080:8080 - 0.0.0.0:8080:8080

View File

@@ -27,7 +27,7 @@ mkdir /opt/so/conf/fleet/packages
docker run \ docker run \
--mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \ --mount type=bind,source=/opt/so/conf/fleet/packages,target=/output \
--mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \ --mount type=bind,source=/etc/pki/launcher.crt,target=/var/launcher/launcher.crt \
soshybridhunter/so-fleet-launcher:HH1.0.8 "$esecret" "$1":8080 soshybridhunter/so-fleet-launcher:HH1.1.0 "$esecret" "$1":8080
cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/ cp /opt/so/conf/fleet/packages/launcher.* /opt/so/saltstack/salt/launcher/packages/
#Update timestamp on packages webpage #Update timestamp on packages webpage

View File

@@ -33,13 +33,13 @@ hiveesdata:
so-thehive-esimage: so-thehive-esimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive-es:HH1.1.0
so-thehive-es: so-thehive-es:
docker_container.running: docker_container.running:
- require: - require:
- so-thehive-esimage - so-thehive-esimage
- image: soshybridhunter/so-thehive-es:HH1.0.7 - image: soshybridhunter/so-thehive-es:HH1.1.0
- hostname: so-thehive-es - hostname: so-thehive-es
- name: so-thehive-es - name: so-thehive-es
- user: 939 - user: 939
@@ -81,13 +81,13 @@ so-thehive-es:
so-thehiveimage: so-thehiveimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.0.8 - name: docker pull --disable-content-trust=false soshybridhunter/so-thehive:HH1.1.0
so-thehive: so-thehive:
docker_container.running: docker_container.running:
- require: - require:
- so-thehiveimage - so-thehiveimage
- image: soshybridhunter/so-thehive:HH1.0.8 - image: soshybridhunter/so-thehive:HH1.1.0
- environment: - environment:
- ELASTICSEARCH_HOST={{ MASTERIP }} - ELASTICSEARCH_HOST={{ MASTERIP }}
- hostname: so-thehive - hostname: so-thehive

View File

@@ -21,6 +21,13 @@ idstoolsdir:
- group: 939 - group: 939
- makedirs: True - makedirs: True
idstoolslogdir:
file.directory:
- name: /opt/so/log/idstools
- user: 939
- group: 939
- makedirs: True
idstoolsetcsync: idstoolsetcsync:
file.recurse: file.recurse:
- name: /opt/so/conf/idstools/etc - name: /opt/so/conf/idstools/etc
@@ -29,6 +36,12 @@ idstoolsetcsync:
- group: 939 - group: 939
- template: jinja - template: jinja
/usr/sbin/so-rule-update.sh > /opt/so/log/idstools/download.log:
cron.present:
- user: root
- minute: '1'
- hour: '7'
rulesdir: rulesdir:
file.directory: file.directory:
- name: /opt/so/rules/nids - name: /opt/so/rules/nids
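Review bot: the cron state's command is `/usr/sbin/so-rule-update.sh`, but the changelog in this PR refers to the command as `so-rule-update`, and the script itself (the 13-line `docker exec ... idstools-rulecat` file) is synced from `salt://common/tools/sbin` under whatever name it has in the repo; if that name lacks the `.sh` suffix the cron job runs a nonexistent path every day at 07:01 and only the empty `download.log` will show it. Please confirm the filename matches, and give the cron state an `identifier` so renaming the command later does not leave the old entry in root's crontab. Note too that `/opt/so/log/idstools` is created as 939:939 while the cron job runs as root and writes `download.log` there as root.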
@@ -50,13 +63,13 @@ ruleslink:
so-idstoolsimage: so-idstoolsimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.0.3 - name: docker pull --disable-content-trust=false soshybridhunter/so-idstools:HH1.1.0
so-idstools: so-idstools:
docker_container.running: docker_container.running:
- require: - require:
- so-idstoolsimage - so-idstoolsimage
- image: soshybridhunter/so-idstools:HH1.0.3 - image: soshybridhunter/so-idstools:HH1.1.0
- hostname: so-idstools - hostname: so-idstools
- user: socore - user: socore
- binds: - binds:

View File

@@ -56,14 +56,14 @@ synckibanacustom:
so-kibanaimage: so-kibanaimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-kibana:HH1.1.0
# Start the kibana docker # Start the kibana docker
so-kibana: so-kibana:
docker_container.running: docker_container.running:
- require: - require:
- so-kibanaimage - so-kibanaimage
- image: soshybridhunter/so-kibana:HH1.0.7 - image: soshybridhunter/so-kibana:HH1.1.0
- hostname: kibana - hostname: kibana
- user: kibana - user: kibana
- environment: - environment:

View File

@@ -12,8 +12,9 @@
#/usr/share/logstash/pipeline.so/0002_input_windows_json.conf #/usr/share/logstash/pipeline.so/0002_input_windows_json.conf
#/usr/share/logstash/pipeline.so/0003_input_syslog.conf #/usr/share/logstash/pipeline.so/0003_input_syslog.conf
#/usr/share/logstash/pipeline.so/0005_input_suricata.conf #/usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf #/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
#/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf #/usr/share/logstash/pipeline.so/1000_preprocess_log_elapsed.conf
#/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf #/usr/share/logstash/pipeline.so/1001_preprocess_syslogng.conf
#/usr/share/logstash/pipeline.so/1002_preprocess_json.conf #/usr/share/logstash/pipeline.so/1002_preprocess_json.conf
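Review bot: commenting out `0006_input_beats.conf` here (and in the second pipeline list in this PR) removes the only Logstash input on 5044, yet `so-logstash` still publishes `0.0.0.0:5044`, the forward-node firewall rule for 5044 stays, `so-allow` still offers a 5044 "beats" role, and the changelog tells users they can send Beats to 5044. Either keep the 5044 input loaded (as the text promises) or remove the port binding, firewall rule and menu entry together so the release is internally consistent.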

View File

@@ -12,6 +12,7 @@
/usr/share/logstash/pipeline.so/0002_input_windows_json.conf /usr/share/logstash/pipeline.so/0002_input_windows_json.conf
/usr/share/logstash/pipeline.so/0003_input_syslog.conf /usr/share/logstash/pipeline.so/0003_input_syslog.conf
/usr/share/logstash/pipeline.so/0005_input_suricata.conf /usr/share/logstash/pipeline.so/0005_input_suricata.conf
/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf #/usr/share/logstash/pipeline.dynamic/0006_input_beats.conf
/usr/share/logstash/pipeline.dynamic/0010_input_hhbeats.conf
/usr/share/logstash/pipeline.so/0007_input_import.conf /usr/share/logstash/pipeline.so/0007_input_import.conf
/usr/share/logstash/pipeline.dynamic/9999_output_redis.conf /usr/share/logstash/pipeline.dynamic/9999_output_redis.conf

View File

@@ -0,0 +1,40 @@
input {
beats {
port => "5644"
ssl => true
ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
ssl_certificate => "/usr/share/logstash/filebeat.crt"
ssl_key => "/usr/share/logstash/filebeat.key"
tags => [ "beat" ]
}
}
filter {
if [type] == "ids" or [type] =~ "bro" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "sensor_name" => "%{[beat][name]}" }
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] =~ "ossec" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_field => { "syslog-host_from" => "%{[beat][name]}" }
remove_field => [ "beat", "prospector", "input", "offset" ]
}
}
if [type] == "osquery" {
mutate {
rename => { "host" => "beat_host" }
remove_tag => ["beat"]
add_tag => ["osquery"]
}
json {
source => "message"
target => "osquery"
}
}
}
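Review bot: the `beats` input sets `ssl => true` and lists `ssl_certificate_authorities`, but does not set `ssl_verify_mode`, whose default in the Logstash beats input is `none`; with that default the CA list is never used to check a client certificate, so any Filebeat that can reach 5644 is accepted and the "full SSL" described in the changelog is server-side encryption only. Add `ssl_verify_mode => "force_peer"` to require a client certificate signed by that CA. Also double-check the CA path `/usr/share/filebeat/ca.crt`: the certificate and key on the next two lines live under `/usr/share/logstash/`, and a wrong CA path fails at pipeline load rather than at connect time. The `json` filter for `type == "osquery"` has no failure tag configured either, so a malformed event surfaces only as a `_jsonparsefailure` tag.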

View File

@@ -148,13 +148,13 @@ lslogdir:
# Add the container # Add the container
so-logstashimage: so-logstashimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.0.6 - name: docker pull --disable-content-trust=false soshybridhunter/so-logstash:HH1.1.0
so-logstash: so-logstash:
docker_container.running: docker_container.running:
- require: - require:
- so-logstashimage - so-logstashimage
- image: soshybridhunter/so-logstash:HH1.0.6 - image: soshybridhunter/so-logstash:HH1.1.0
- hostname: so-logstash - hostname: so-logstash
- name: so-logstash - name: so-logstash
- user: logstash - user: logstash
@@ -163,6 +163,7 @@ so-logstash:
- port_bindings: - port_bindings:
- 0.0.0.0:514:514 - 0.0.0.0:514:514
- 0.0.0.0:5044:5044 - 0.0.0.0:5044:5044
- 0.0.0.0:5644:5644
- 0.0.0.0:6050:6050 - 0.0.0.0:6050:6050
- 0.0.0.0:6051:6051 - 0.0.0.0:6051:6051
- 0.0.0.0:6052:6052 - 0.0.0.0:6052:6052

View File

@@ -48,14 +48,14 @@ acngcopyconf:
so-acngimage: so-acngimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-acng:HH1.1.0
# Install the apt-cacher-ng container # Install the apt-cacher-ng container
so-aptcacherng: so-aptcacherng:
docker_container.running: docker_container.running:
- require: - require:
- so-acngimage - so-acngimage
- image: soshybridhunter/so-acng:HH1.0.7 - image: soshybridhunter/so-acng:HH1.1.0
- hostname: so-acng - hostname: so-acng
- port_bindings: - port_bindings:
- 0.0.0.0:3142:3142 - 0.0.0.0:3142:3142

View File

@@ -50,13 +50,13 @@ mysqldatadir:
so-mysqlimage: so-mysqlimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-mysql:HH1.1.0
so-mysql: so-mysql:
docker_container.running: docker_container.running:
- require: - require:
- so-mysqlimage - so-mysqlimage
- image: soshybridhunter/so-mysql:HH1.0.7 - image: soshybridhunter/so-mysql:HH1.1.0
- hostname: so-mysql - hostname: so-mysql
- user: socore - user: socore
- port_bindings: - port_bindings:

View File

@@ -0,0 +1,20 @@
{%- set MASTER = grains['master'] -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/log/sensoroni.log",
"logLevel":"debug",
"agent": {
"pollIntervalMs": 10000,
"serverUrl": "https://{{ MASTER }}/sensoroniagents",
"verifyCert": false,
"modules": {
"statickeyauth": {
"apiKey": "{{ SENSORONIKEY }}"
},
"stenoquery": {
"pcapInputPath": "/nsm/pcap",
"pcapOutputPath": "/nsm/pcapout"
}
}
}
}
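Review bot: `"verifyCert": false` disables TLS verification on the agent's connection to `https://{{ MASTER }}/sensoroniagents`, and that same connection carries the shared `statickeyauth` API key in every poll; anyone able to interpose on the sensor-to-master path can read the key and submit or retrieve PCAP jobs. The master's certificate is already issued from the Security Onion CA that the steno state mounts under `/opt/so/conf/steno/certs`, so the agent should verify against that CA instead. `"logLevel":"debug"` should also be `info` for a release that advertises reduced debug logging, since this log is written into the stenographer log directory on every sensor.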

View File

@@ -44,6 +44,15 @@ stenoconf:
- mode: 644 - mode: 644
- template: jinja - template: jinja
sensoroniagentconf:
file.managed:
- name: /opt/so/conf/steno/sensoroni.json
- source: salt://pcap/files/sensoroni.json
- user: root
- group: root
- mode: 644
- template: jinja
stenoca: stenoca:
file.directory: file.directory:
- name: /opt/so/conf/steno/certs - name: /opt/so/conf/steno/certs
@@ -87,13 +96,13 @@ stenolog:
so-stenoimage: so-stenoimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.0.3 - name: docker pull --disable-content-trust=false soshybridhunter/so-steno:HH1.1.0
so-steno: so-steno:
docker_container.running: docker_container.running:
- require: - require:
- so-stenoimage - so-stenoimage
- image: soshybridhunter/so-steno:HH1.0.3 - image: soshybridhunter/so-steno:HH1.1.0
- network_mode: host - network_mode: host
- privileged: True - privileged: True
- port_bindings: - port_bindings:
@@ -106,3 +115,7 @@ so-steno:
- /nsm/pcaptmp:/tmp:rw - /nsm/pcaptmp:/tmp:rw
- /nsm/pcapout:/nsm/pcapout:rw - /nsm/pcapout:/nsm/pcapout:rw
- /opt/so/log/stenographer:/var/log/stenographer:rw - /opt/so/log/stenographer:/var/log/stenographer:rw
- /opt/so/conf/steno/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/log/stenographer:/opt/sensoroni/log:rw
- watch:
- /opt/so/conf/steno/sensoroni.json
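Review bot: the new `watch` entry is a bare string, `- /opt/so/conf/steno/sensoroni.json`, but Salt requires each requisite to be a single-key mapping of module to state id or name; as written the `so-steno` state fails with "Requisite declaration ... is not formed as a single key dictionary" and the container never starts. It should read `- file: /opt/so/conf/steno/sensoroni.json` (matching the `sensoroniagentconf` state's `name`), exactly as the `watch` entries added to `so-influxdb` and `so-redis` in this same PR are written.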

View File

@@ -44,18 +44,15 @@ redisconfsync:
- group: 939 - group: 939
- template: jinja - template: jinja
toosmooth/so-redis:test2:
docker_image.present
so-redisimage: so-redisimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-redis:HH1.1.0
so-redis: so-redis:
docker_container.running: docker_container.running:
- require: - require:
- so-redisimage - so-redisimage
- image: soshybridhunter/so-redis:HH1.0.7 - image: soshybridhunter/so-redis:HH1.1.0
- hostname: so-redis - hostname: so-redis
- user: socore - user: socore
- port_bindings: - port_bindings:
@@ -65,3 +62,5 @@ so-redis:
- /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro - /opt/so/conf/redis/etc/redis.conf:/usr/local/etc/redis/redis.conf:ro
- /opt/so/conf/redis/working:/redis:rw - /opt/so/conf/redis/working:/redis:rw
- entrypoint: "redis-server /usr/local/etc/redis/redis.conf" - entrypoint: "redis-server /usr/local/etc/redis/redis.conf"
- watch:
- file: /opt/so/conf/redis/etc

View File

@@ -0,0 +1,25 @@
{%- set MASTERIP = salt['pillar.get']('static:masterip', '') -%}
{%- set SENSORONIKEY = salt['pillar.get']('static:sensoronikey', '') -%}
{
"logFilename": "/opt/sensoroni/logs/sensoroni-server.log",
"server": {
"bindAddress": "0.0.0.0:9822",
"maxPacketCount": 5000,
"htmlDir": "html",
"modules": {
"filedatastore": {
"jobDir": "jobs"
},
"securityonion": {
"elasticsearchHost": "http://{{ MASTERIP }}:9200",
"elasticsearchUsername": "",
"elasticsearchPassword": "",
"elasticsearchVerifyCert": false
},
"statickeyauth": {
"anonymousCidr": "172.17.0.0/24",
"apiKey": "{{ SENSORONIKEY }}"
}
}
}
}
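Review bot: `anonymousCidr` of `172.17.0.0/24` waives the API key for anything on Docker's default bridge, which on the master means every other container on the host; decide which component actually needs keyless access and scope it to that address, or drop the anonymous range and have callers present `apiKey`. Two smaller points: `elasticsearchVerifyCert: false` is harmless while `elasticsearchHost` is `http://`, but it will silently disable TLS verification the day that URL becomes `https://`, so set it to `true` now; and both pillar lookups default to `''`, which renders `http://:9200` and an empty `apiKey` as a quiet misconfiguration instead of a failed render. Drop the `''` default from `salt['pillar.get']('static:sensoronikey')`, or add `{% if not SENSORONIKEY %}{{ raise('static:sensoronikey pillar missing') }}{% endif %}` so a missing key stops the state.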

48
salt/sensoroni/init.sls Normal file
View File

@@ -0,0 +1,48 @@
sensoronidir:
file.directory:
- name: /opt/so/conf/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronidatadir:
file.directory:
- name: /nsm/sensoroni/jobs
- user: 939
- group: 939
- makedirs: True
sensoronilogdir:
file.directory:
- name: /opt/so/log/sensoroni
- user: 939
- group: 939
- makedirs: True
sensoronisync:
file.recurse:
- name: /opt/so/conf/sensoroni
- source: salt://sensoroni/files
- user: 939
- group: 939
- template: jinja
so-sensoroniimage:
cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-sensoroni:HH1.1.0
so-sensoroni:
docker_container.running:
- require:
- so-sensoroniimage
- image: soshybridhunter/so-sensoroni:HH1.1.0
- hostname: sensoroni
- name: so-sensoroni
- binds:
- /nsm/sensoroni/jobs:/opt/sensoroni/jobs:rw
- /opt/so/conf/sensoroni/sensoroni.json:/opt/sensoroni/sensoroni.json:ro
- /opt/so/log/sensoroni/:/opt/sensoroni/log/:rw
- port_bindings:
- 0.0.0.0:9822:9822
- watch:
- file: /opt/so/conf/sensoroni
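Review bot: the log path in this hunk does not match the config: the container bind-mounts `/opt/so/log/sensoroni/` at `/opt/sensoroni/log/`, but sensoroni.json sets `logFilename` to `/opt/sensoroni/logs/sensoroni-server.log` (`logs`, not `log`), so the server log lands in the container's writable layer, disappears on the next recreate, and `/opt/so/log/sensoroni` stays empty. Align one of the two. Also, unlike `so-redis` (`user: socore`), this container sets no `user:` while the host directories are created for uid 939; whatever the image's default user is will own the files written under `/nsm/sensoroni/jobs`, so add `- user: socore` to match the directory ownership. Finally the pull is again an unguarded `cmd.run` (same point as steno.sls) and the binding is `0.0.0.0:9822:9822`, exposed on every host interface, so the firewall state is the only thing gating access to the PCAP API.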

View File

@@ -15,13 +15,13 @@ soctopussync:
so-soctopusimage: so-soctopusimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.0.8 - name: docker pull --disable-content-trust=false soshybridhunter/so-soctopus:HH1.1.0
so-soctopus: so-soctopus:
docker_container.running: docker_container.running:
- require: - require:
- so-soctopusimage - so-soctopusimage
- image: soshybridhunter/so-soctopus:HH1.0.8 - image: soshybridhunter/so-soctopus:HH1.1.0
- hostname: soctopus - hostname: soctopus
- name: so-soctopus - name: so-soctopus
- binds: - binds:

View File

@@ -72,13 +72,13 @@ suriconfigsync:
so-suricataimage: so-suricataimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.0.8 - name: docker pull --disable-content-trust=false soshybridhunter/so-suricata:HH1.1.0
so-suricata: so-suricata:
docker_container.running: docker_container.running:
- require: - require:
- so-suricataimage - so-suricataimage
- image: soshybridhunter/so-suricata:HH1.0.8 - image: soshybridhunter/so-suricata:HH1.1.0
- privileged: True - privileged: True
- environment: - environment:
- INTERFACE={{ interface }} - INTERFACE={{ interface }}

View File

@@ -25,6 +25,7 @@ base:
- ca - ca
- ssl - ssl
- common - common
- sensoroni
- firewall - firewall
- master - master
- idstools - idstools
@@ -60,6 +61,7 @@ base:
- ca - ca
- ssl - ssl
- common - common
- sensoroni
- firewall - firewall
- master - master
- idstools - idstools
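Review bot: `sensoroni` is inserted ahead of `firewall` in both targets, and Salt applies top-file entries in listed order by default, so on a first highstate the container comes up with its `0.0.0.0:9822` binding live before the firewall rules meant to restrict it exist. Move the entry after `firewall` so the port is never reachable unfiltered, even briefly.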

View File

@@ -58,13 +58,13 @@ wazuhagentregister:
so-wazuhimage: so-wazuhimage:
cmd.run: cmd.run:
- name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.0.7 - name: docker pull --disable-content-trust=false soshybridhunter/so-wazuh:HH1.1.0
so-wazuh: so-wazuh:
docker_container.running: docker_container.running:
- require: - require:
- so-wazuhimage - so-wazuhimage
- image: soshybridhunter/so-wazuh:HH1.0.7 - image: soshybridhunter/so-wazuh:HH1.1.0
- hostname: {{HOSTNAME}}-wazuh-manager - hostname: {{HOSTNAME}}-wazuh-manager
- name: so-wazuh - name: so-wazuh
- detach: True - detach: True

View File

@@ -23,23 +23,24 @@ CPUCORES=$(cat /proc/cpuinfo | grep processor | wc -l)
LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}') LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\""}')
RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1) RANDOMUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)
NODE_ES_PORT="9200" NODE_ES_PORT="9200"
SETUPLOG="/root/sosetup.log"
# Reset the Install Log # Reset the Install Log
date -u >~/sosetup.log 2>&1 date -u >$SETUPLOG 2>&1
# End Global Variable Section # End Global Variable Section
# Functions # Functions
accept_salt_key_local() { accept_salt_key_local() {
echo "Accept the key locally on the master" >>~/sosetup.log 2>&1 echo "Accept the key locally on the master" >> $SETUPLOG 2>&1
# Accept the key locally on the master # Accept the key locally on the master
salt-key -ya $HOSTNAME salt-key -ya $HOSTNAME
} }
accept_salt_key_remote() { accept_salt_key_remote() {
echo "Accept the key remotely on the master" >>~/sosetup.log 2>&1 echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1
# Delete the key just in case. # Delete the key just in case.
ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y ssh -i /root/.ssh/so.key socore@$MSRV sudo salt-key -d $HOSTNAME -y
salt-call state.apply ca salt-call state.apply ca
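Review bot: the log file is created with the default umask (`date -u >$SETUPLOG 2>&1`) while it will capture `scp -v` transcripts and the full output of every `salt-call state.apply` that follows, including unified diffs of templated config files such as sensoroni.json whenever they change; create it with `install -m 600 /dev/null "$SETUPLOG"` before the first write (or set `umask 077` at the top of the script) so the install log cannot leak rendered secrets. Hard-coding `/root/` is an improvement over `~`, which pointed at the invoking user's home when the script was run under `sudo` without `-H`.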
@@ -48,7 +49,7 @@ accept_salt_key_remote() {
} }
add_master_hostfile() { add_master_hostfile() {
echo "Checking if I can resolve master. If not add to hosts file" >>~/sosetup.log 2>&1 echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1
# Pop up an input to get the IP address # Pop up an input to get the IP address
local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ local MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
@@ -60,7 +61,7 @@ add_master_hostfile() {
} }
add_socore_user_master() { add_socore_user_master() {
echo "Add socore on the master" >>~/sosetup.log 2>&1 echo "Add socore on the master" >> $SETUPLOG 2>&1
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
local ADDUSER=adduser local ADDUSER=adduser
else else
@@ -75,7 +76,7 @@ add_socore_user_master() {
} }
add_socore_user_notmaster() { add_socore_user_notmaster() {
echo "Add socore user on non master" >>~/sosetup.log 2>&1 echo "Add socore user on non master" >> $SETUPLOG 2>&1
# Add socore user to the non master system. Probably not a bad idea to make system user # Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
@@ -86,7 +87,7 @@ add_socore_user_notmaster() {
auth_pillar(){ auth_pillar(){
if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then if [ ! -f /opt/so/saltstack/pillar/auth.sls ]; then
echo "Creating Auth Pillar" >>~/sosetup.log 2>&1 echo "Creating Auth Pillar" >> $SETUPLOG 2>&1
mkdir -p /opt/so/saltstack/pillar mkdir -p /opt/so/saltstack/pillar
echo "auth:" >> /opt/so/saltstack/pillar/auth.sls echo "auth:" >> /opt/so/saltstack/pillar/auth.sls
echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/auth.sls
@@ -97,7 +98,7 @@ auth_pillar(){
# Enable Bro Logs # Enable Bro Logs
bro_logs_enabled() { bro_logs_enabled() {
echo "Enabling Bro Logs" >>~/sosetup.log 2>&1 echo "Enabling Bro Logs" >> $SETUPLOG 2>&1
echo "brologs:" > pillar/brologs.sls echo "brologs:" > pillar/brologs.sls
echo " enabled:" >> pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls
@@ -163,13 +164,13 @@ calculate_useable_cores() {
} }
checkin_at_boot() { checkin_at_boot() {
echo "Enabling checkin at boot" >>~/sosetup.log 2>&1 echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
echo "startup_states: highstate" >> /etc/salt/minion echo "startup_states: highstate" >> /etc/salt/minion
} }
chown_salt_master() { chown_salt_master() {
echo "Chown the salt dirs on the master for socore" >>~/sosetup.log 2>&1 echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1
chown -R socore:socore /opt/so chown -R socore:socore /opt/so
} }
@@ -178,7 +179,7 @@ clear_master() {
# Clear out the old master public key in case this is a re-install. # Clear out the old master public key in case this is a re-install.
# This only happens if you re-install the master. # This only happens if you re-install the master.
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
echo "Clearing old master key" >>~/sosetup.log 2>&1 echo "Clearing old master key" >> $SETUPLOG 2>&1
rm /etc/salt/pki/minion/minion_master.pub rm /etc/salt/pki/minion/minion_master.pub
service salt-minion restart service salt-minion restart
fi fi
@@ -189,7 +190,7 @@ configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not # You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1 local TYPE=$1
echo "Configuring minion type as $TYPE" >>~/sosetup.log 2>&1 echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1
touch /etc/salt/grains touch /etc/salt/grains
echo "role: so-$TYPE" > /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains
if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ]; then
@@ -229,7 +230,7 @@ copy_minion_pillar() {
local TYPE=$1 local TYPE=$1
# Copy over the pillar # Copy over the pillar
echo "Copying the pillar over" >>~/sosetup.log 2>&1 echo "Copying the pillar over" >> $SETUPLOG 2>&1
scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls scp -v -i /root/.ssh/so.key $TMP/$HOSTNAME.sls socore@$MSRV:/opt/so/saltstack/pillar/$TYPE/$HOSTNAME.sls
} }
@@ -245,113 +246,47 @@ copy_ssh_key() {
} }
create_bond() { create_bond_nmcli() {
echo "Setting up Bond" >> $SETUPLOG 2>&1
# Create the bond interface
echo "Setting up Bond" >>~/sosetup.log 2>&1
# Set the MTU # Set the MTU
if [ $NSMSETUP != 'ADVANCED' ]; then if [ $NSMSETUP != 'ADVANCED' ]; then
MTU=1500 MTU=1500
fi fi
# Do something different based on the OS # Create the bond interface
if [ $OS == 'centos' ]; then nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
modprobe --first-time bonding ipv4.method disabled \
touch /etc/sysconfig/network-scripts/ifcfg-bond0 ipv6.method link-local \
echo "DEVICE=bond0" > /etc/sysconfig/network-scripts/ifcfg-bond0 ethernet.mtu $MTU \
echo "NAME=bond0" >> /etc/sysconfig/network-scripts/ifcfg-bond0 connection.autoconnect "yes" >> $SETUPLOG 2>&1
echo "Type=Bond" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BONDING_MASTER=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BOOTPROTO=none" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "BONDING_OPTS=\"mode=0\"" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "ONBOOT=yes" >> /etc/sysconfig/network-scripts/ifcfg-bond0
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-bond0
# Create Bond configs for the selected monitor interface
for BNIC in ${BNICS[@]}; do for BNIC in ${BNICS[@]}; do
BONDNIC="${BNIC%\"}" # Strip the quotes from the NIC names
BONDNIC="${BONDNIC#\"}" BONDNIC="$(echo -e "${BNIC}" | tr -d '"')"
sed -i 's/ONBOOT=no/ONBOOT=yes/g' /etc/sysconfig/network-scripts/ifcfg-$BONDNIC # Create the slave interface and assign it to the bond
echo "MASTER=bond0" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
echo "SLAVE=yes" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC ethernet.mtu $MTU \
echo "MTU=$MTU" >> /etc/sysconfig/network-scripts/ifcfg-$BONDNIC connection.autoconnect "yes" >> $SETUPLOG 2>&1
# Bring the slave interface up
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
done done
nmcli con reload >>~/sosetup.log 2>&1
systemctl restart network >>~/sosetup.log 2>&1
else
# Need to add 17.04 support still
apt-get -y install ifenslave >>~/sosetup.log 2>&1
if ! grep -q bonding /etc/modules; then
echo "bonding" >> /etc/modules
fi
modprobe bonding >>~/sosetup.log 2>&1
local LBACK=$(awk '/auto lo/,/^$/' /etc/network/interfaces)
local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
# Backup and create a new interface file
cp /etc/network/interfaces /etc/network/interfaces.sosetup
echo "source /etc/network/interfaces.d/*" > /etc/network/interfaces
echo "" >> /etc/network/interfaces
# Let's set up the new interface file
# Populate lo and create file for the management interface
IFS=$'\n'
for line in $LBACK
do
echo $line >> /etc/network/interfaces
done
IFS=$'\n'
for line in $MINT
do
echo $line >> /etc/network/interfaces.d/$MNIC
done
# Create entries for each interface that is part of the bond.
for BNIC in ${BNICS[@]}; do
BNIC=$(echo $BNIC | cut -d\" -f2)
echo "auto $BNIC" >> /etc/network/interfaces.d/$BNIC
echo "iface $BNIC inet manual" >> /etc/network/interfaces.d/$BNIC
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/$BNIC
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/$BNIC
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/$BNIC
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/$BNIC
echo " bond-master bond0" >> /etc/network/interfaces.d/$BNIC
echo " mtu $MTU" >> /etc/network/interfaces.d/$BNIC
done
BN=("${BNICS[@]//\"/}")
echo "auto bond0" > /etc/network/interfaces.d/bond0
echo "iface bond0 inet manual" >> /etc/network/interfaces.d/bond0
echo " bond-mode 0" >> /etc/network/interfaces.d/bond0
echo " bond-slaves $BN" >> /etc/network/interfaces.d/bond0
echo " mtu $MTU" >> /etc/network/interfaces.d/bond0
echo " up ip link set \$IFACE promisc on arp off up" >> /etc/network/interfaces.d/bond0
echo " down ip link set \$IFACE promisc off down" >> /etc/network/interfaces.d/bond0
echo " post-up for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces.d/bond0
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces.d/bond0
fi
} }
detect_os() { detect_os() {
# Detect Base OS # Detect Base OS
echo "Detecting Base OS" >>~/sosetup.log 2>&1 echo "Detecting Base OS" >> $SETUPLOG 2>&1
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
OS=centos OS=centos
yum -y install bind-utils yum -y install bind-utils
elif [ -f /etc/os-release ]; then elif [ -f /etc/os-release ]; then
OS=ubuntu OS=ubuntu
apt install -y network-manager
/bin/systemctl enable network-manager
/bin/systemctl start network-manager
else else
echo "We were unable to determine if you are using a supported OS." >>~/sosetup.log 2>&1 echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1
exit exit
fi fi
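Review bot: the nmcli rewrite drops three things the old Ubuntu branch did on every sniffing interface and on the bond: it never disables IPv6 (`ipv6.method link-local` is set rather than `disabled`, so bond0 and its slaves will emit NDP and router solicitations out the tap/SPAN port and advertise the sensor's presence), it no longer sets `arp off`, and it no longer turns off the NIC offloads (`rx tx sg tso ufo gso gro lro`), so GRO/LRO will hand Suricata and stenographer re-assembled super-frames instead of wire packets, which silently degrades signature matching and pcap fidelity. Use `ipv6.method disabled` on bond0 and, on NetworkManager 1.14 or later, the `ethtool.feature-*` properties (`ethtool.feature-gro off ethtool.feature-lro off ...`) on each slave connection; older versions need a dispatcher script running `ethtool -K`. Separately, `detect_os` now installs and starts network-manager on Ubuntu without `>> $SETUPLOG 2>&1` and without `DEBIAN_FRONTEND=noninteractive`, unlike the surrounding package calls, and it should be tested on a stock Ubuntu server install: the distro's network-manager package ships a `10-globally-managed-devices.conf` that leaves wired devices unmanaged unless netplan's renderer is NetworkManager, in which case `nmcli con up bond0-slave-$BONDNIC` fails with a "device is not managed" error. The `BONDNIC` quote stripping and keeping `mode 0` for a receive-only bond both look fine.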
@@ -365,26 +300,30 @@ docker_install() {
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum -y update yum -y update
yum -y install docker-ce docker-python python-docker yum -y install docker-ce docker-python python-docker
docker_registry if [ $INSTALLTYPE != 'EVALMODE' ]; then
echo "Restarting Docker" >>~/sosetup.log 2>&1 docker_registry
fi
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker systemctl restart docker
systemctl enable docker systemctl enable docker
else else
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
apt-get update >>~/sosetup.log 2>&1 apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1 apt-get -y install docker-ce >> $SETUPLOG 2>&1
docker_registry >>~/sosetup.log 2>&1 if [ $INSTALLTYPE != 'EVALMODE' ]; then
echo "Restarting Docker" >>~/sosetup.log 2>&1 docker_registry >> $SETUPLOG 2>&1
systemctl restart docker >>~/sosetup.log 2>&1 fi
echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >> $SETUPLOG 2>&1
else else
apt-key add $TMP/gpg/docker.pub >>~/sosetup.log 2>&1 apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >>~/sosetup.log 2>&1 add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1
apt-get update >>~/sosetup.log 2>&1 apt-get update >> $SETUPLOG 2>&1
apt-get -y install docker-ce >>~/sosetup.log 2>&1 apt-get -y install docker-ce >> $SETUPLOG 2>&1
docker_registry >>~/sosetup.log 2>&1 docker_registry >> $SETUPLOG 2>&1
echo "Restarting Docker" >>~/sosetup.log 2>&1 echo "Restarting Docker" >> $SETUPLOG 2>&1
systemctl restart docker >>~/sosetup.log 2>&1 systemctl restart docker >> $SETUPLOG 2>&1
fi fi
fi fi
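Review bot: in the Ubuntu path the new guard `if [ $INSTALLTYPE != 'EVALMODE' ]` sits inside a branch already conditioned on `MASTERONLY || EVALMODE`, so it reduces to `if [ $INSTALLTYPE == 'MASTERONLY' ]`; write it that way so the intent (master configures the registry mirror, eval does not) is obvious. Unrelated but visible here: the Ubuntu branches `restart` docker but never `enable` it, while the CentOS branch does both; the docker-ce package enables the unit on Ubuntu, so this works, but a one-line comment saying so saves the next reader the check.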
@@ -392,13 +331,13 @@ docker_install() {
docker_registry() { docker_registry() {
echo "Setting up Docker Registry" >>~/sosetup.log 2>&1 echo "Setting up Docker Registry" >> $SETUPLOG 2>&1
mkdir -p /etc/docker >>~/sosetup.log 2>&1 mkdir -p /etc/docker >> $SETUPLOG 2>&1
# Make the host use the master docker registry # Make the host use the master docker registry
echo "{" > /etc/docker/daemon.json echo "{" > /etc/docker/daemon.json
echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json
echo "}" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >>~/sosetup.log 2>&1 echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1
} }
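Review bot: `docker_registry` overwrites `/etc/docker/daemon.json` with three `echo` lines, so any daemon settings already on the host (log driver, storage driver, content-trust configuration) are discarded without warning; write the file only when it is absent, or merge the key with `jq`. Note also that `registry-mirrors` is best effort: when `https://$MSRV:5000` is unreachable or its certificate is not trusted, Docker falls back to the upstream registry silently, so the mirror is not an enforcement point and the `--disable-content-trust=false` pulls elsewhere in this tree remain the actual integrity check.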
@@ -436,6 +375,7 @@ generate_passwords(){
MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
} }
get_filesystem_nsm(){ get_filesystem_nsm(){
@@ -497,7 +437,7 @@ install_master() {
# Install the salt master package # Install the salt master package
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
yum -y install wget salt-common salt-master >>~/sosetup.log 2>&1 yum -y install wget salt-common salt-master >> $SETUPLOG 2>&1
# Create a place for the keys for Ubuntu minions # Create a place for the keys for Ubuntu minions
mkdir -p /opt/so/gpg mkdir -p /opt/so/gpg
@@ -583,6 +523,7 @@ master_static() {
echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls
echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls
echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls echo " fleetsetup: 0" >> /opt/so/saltstack/pillar/static.sls
echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls
if [[ $MASTERUPDATES == 'MASTER' ]]; then if [[ $MASTERUPDATES == 'MASTER' ]]; then
echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls
else else
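Review bot: `sensoronikey` is generated with 20 random alphanumerics like the other secrets, but it lands in `static.sls` two lines after `hivepassword: hivechangeme`, a hard-coded default this patch leaves in place; generate that one in `generate_passwords` the same way while you are here. Since `/opt/so/saltstack/pillar/static.sls` now holds the key that gates the PCAP API, confirm its mode is restricted to the salt master user rather than whatever `chown -R socore:socore /opt/so` leaves behind.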
@@ -810,7 +751,7 @@ EOF
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
# Add the pre-requisites for installing docker-ce # Add the pre-requisites for installing docker-ce
apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >>~/sosetup.log 2>&1 apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl >> $SETUPLOG 2>&1
# Grab the version from the os-release file # Grab the version from the os-release file
UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
@@ -840,8 +781,8 @@ EOF
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos # Initialize the new repos
apt-get update >>~/sosetup.log 2>&1 apt-get update >> $SETUPLOG 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
else else
@@ -854,8 +795,8 @@ EOF
echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest xenial main" > /etc/apt/sources.list.d/saltstack.list
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
# Initialize the new repos # Initialize the new repos
apt-get update >>~/sosetup.log 2>&1 apt-get update >> $SETUPLOG 2>&1
apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >>~/sosetup.log 2>&1 apt-get -y install salt-minion=2018.3.4+ds-1 salt-common=2018.3.4+ds-1 python-m2crypto >> $SETUPLOG 2>&1
apt-mark hold salt-minion salt-common apt-mark hold salt-minion salt-common
fi fi
@@ -868,25 +809,25 @@ salt_checkin() {
# Master State to Fix Mine Usage # Master State to Fix Mine Usage
if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then if [ $INSTALLTYPE == 'MASTERONLY' ] || [ $INSTALLTYPE == 'EVALMODE' ]; then
echo "Building Certificate Authority" echo "Building Certificate Authority"
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
echo " *** Restarting Salt to fix any SSL errors. ***" echo " *** Restarting Salt to fix any SSL errors. ***"
service salt-master restart >>~/sosetup.log 2>&1 service salt-master restart >> $SETUPLOG 2>&1
sleep 5 sleep 5
service salt-minion restart >>~/sosetup.log 2>&1 service salt-minion restart >> $SETUPLOG 2>&1
sleep 15 sleep 15
echo " Applyng a mine hack " echo " Applyng a mine hack "
sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >>~/sosetup.log 2>&1 sudo salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1
echo " Applying SSL state " echo " Applying SSL state "
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
echo "Still Working... Hang in there" echo "Still Working... Hang in there"
#salt-call state.highstate #salt-call state.highstate
else else
# Run Checkin # Run Checkin
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
#salt-call state.highstate >>~/sosetup.log 2>&1 #salt-call state.highstate >> $SETUPLOG 2>&1
fi fi
@@ -907,7 +848,7 @@ salt_checkin_message() {
salt_firstcheckin() { salt_firstcheckin() {
#First Checkin #First Checkin
salt-call state.highstate >>~/sosetup.log 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
} }
@@ -1456,7 +1397,7 @@ whiptail_sensor_config() {
whiptail_setup_complete() { whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78 whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE." 8 78
install_cleanup install_cleanup
exit exit
@@ -1464,7 +1405,7 @@ whiptail_setup_complete() {
whiptail_setup_failed() { whiptail_setup_failed() {
whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see /root/sosetup.log for details" 8 78 whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $SETUPLOG for details" 8 78
install_cleanup install_cleanup
exit exit
@@ -1623,83 +1564,83 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX" echo -e "XXX\n0\nInstalling and configuring Salt... \nXXX"
echo " ** Installing Salt and Dependencies **" >>~/sosetup.log echo " ** Installing Salt and Dependencies **" >> $SETUPLOG
saltify >>~/sosetup.log 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Docker... \nXXX" echo -e "XXX\n5\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1 docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n10\nConfiguring Salt Master... \nXXX" echo -e "XXX\n10\nConfiguring Salt Master... \nXXX"
echo " ** Configuring Minion **" >>~/sosetup.log echo " ** Configuring Minion **" >> $SETUPLOG
configure_minion master >>~/sosetup.log 2>&1 configure_minion master >> $SETUPLOG 2>&1
echo " ** Installing Salt Master **" >>~/sosetup.log echo " ** Installing Salt Master **" >> $SETUPLOG
install_master >>~/sosetup.log 2>&1 install_master >> $SETUPLOG 2>&1
salt_master_directories >>~/sosetup.log 2>&1 salt_master_directories >> $SETUPLOG 2>&1
update_sudoers >>~/sosetup.log 2>&1 update_sudoers >> $SETUPLOG 2>&1
chown_salt_master >>~/sosetup.log 2>&1 chown_salt_master >> $SETUPLOG 2>&1
es_heapsize >>~/sosetup.log 2>&1 es_heapsize >> $SETUPLOG 2>&1
ls_heapsize >>~/sosetup.log 2>&1 ls_heapsize >> $SETUPLOG 2>&1
echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX" echo -e "XXX\n25\nConfiguring Default Pillars... \nXXX"
master_static >>~/sosetup.log 2>&1 master_static >> $SETUPLOG 2>&1
echo "** Generating the master pillar **" >>~/sosetup.log echo "** Generating the master pillar **" >> $SETUPLOG
master_pillar >>~/sosetup.log 2>&1 master_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n30\nAccepting Salt Keys... \nXXX" echo -e "XXX\n30\nAccepting Salt Keys... \nXXX"
# Do a checkin to push the key up # Do a checkin to push the key up
echo "** Pushing the key up to Master **" >>~/sosetup.log echo "** Pushing the key up to Master **" >> $SETUPLOG
salt_firstcheckin >>~/sosetup.log 2>&1 salt_firstcheckin >> $SETUPLOG 2>&1
# Accept the Master Key # Accept the Master Key
echo "** Accepting the key on the master **" >>~/sosetup.log echo "** Accepting the key on the master **" >> $SETUPLOG
accept_salt_key_local >>~/sosetup.log 2>&1 accept_salt_key_local >> $SETUPLOG 2>&1
echo -e "XXX\n35\nConfiguring Firewall... \nXXX" echo -e "XXX\n35\nConfiguring Firewall... \nXXX"
# Open the firewall # Open the firewall
echo "** Setting the initial firewall policy **" >>~/sosetup.log echo "** Setting the initial firewall policy **" >> $SETUPLOG
set_initial_firewall_policy >>~/sosetup.log 2>&1 set_initial_firewall_policy >> $SETUPLOG 2>&1
# Do the big checkin but first let them know it will take a bit. # Do the big checkin but first let them know it will take a bit.
echo -e "XXX\n40\nGenerating CA... \nXXX" echo -e "XXX\n40\nGenerating CA... \nXXX"
salt_checkin >>~/sosetup.log 2>&1 salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n43\nInstalling Common Components... \nXXX" echo -e "XXX\n43\nInstalling Common Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1 salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n45\nApplying firewall rules... \nXXX" echo -e "XXX\n45\nApplying firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1 salt-call state.apply firewall >> $SETUPLOG 2>&1
salt-call state.apply master >>~/sosetup.log 2>&1 salt-call state.apply master >> $SETUPLOG 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1 salt-call state.apply idstools >> $SETUPLOG 2>&1
echo -e "XXX\n40\nInstalling Redis... \nXXX" echo -e "XXX\n40\nInstalling Redis... \nXXX"
salt-call state.apply redis >>~/sosetup.log 2>&1 salt-call state.apply redis >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n41\nInstalling MySQL... \nXXX" echo -e "XXX\n41\nInstalling MySQL... \nXXX"
salt-call state.apply mysql >>~/sosetup.log 2>&1 salt-call state.apply mysql >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n45\nInstalling Elastic Components... \nXXX" echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
salt-call state.apply logstash >>~/sosetup.log 2>&1 salt-call state.apply logstash >> $SETUPLOG 2>&1
salt-call state.apply kibana >>~/sosetup.log 2>&1 salt-call state.apply kibana >> $SETUPLOG 2>&1
salt-call state.apply elastalert >>~/sosetup.log 2>&1 salt-call state.apply elastalert >> $SETUPLOG 2>&1
if [[ $WAZUH == '1' ]]; then if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n68\nInstalling Wazuh... \nXXX" echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1 salt-call state.apply wazuh >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n75\nInstalling Filebeat... \nXXX" echo -e "XXX\n75\nInstalling Filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1 salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1 salt-call state.apply utility >> $SETUPLOG 2>&1
salt-call state.apply schedule >>~/sosetup.log 2>&1 salt-call state.apply schedule >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n79\nInstalling Fleet... \nXXX" echo -e "XXX\n79\nInstalling Fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1 salt-call state.apply fleet >> $SETUPLOG 2>&1
salt-call state.apply launcher >>~/sosetup.log 2>&1 salt-call state.apply launcher >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n85\nConfiguring SOctopus... \nXXX" echo -e "XXX\n85\nConfiguring SOctopus... \nXXX"
salt-call state.apply soctopus >>~/sosetup.log 2>&1 salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n87\nInstalling TheHive... \nXXX" echo -e "XXX\n87\nInstalling TheHive... \nXXX"
salt-call state.apply hive >>~/sosetup.log 2>&1 salt-call state.apply hive >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX" echo -e "XXX\n75\nEnabling Checking at Boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX" echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete whiptail_setup_complete
else else
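Review bot: `GOODSETUP` is derived from `tail -10 $SETUPLOG | grep Failed`, i.e. only the summary of the final `state.highstate`; every earlier `salt-call state.apply` in this block can fail and the install still reports success as long as the last highstate converges, and if anything writes to the log after that summary the `Failed:` line scrolls out of the last ten lines and a good install is reported as failed. Grep the whole log for `Failed:\s+[1-9]`, or run each `salt-call` with `--retcode-passthrough` and check `$?`. Two smaller points: `state.apply ca` and `ssl` run inside `salt_checkin` and then again immediately after it, and the progress values go 43, 45, 40, 41, 45, 68, 75, 79, 85, 87, 75, 95, so the gauge jumps backwards twice.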
@@ -1740,39 +1681,39 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1 set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX" echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1 create_bond_nmcli >> $SETUPLOG 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >>~/sosetup.log 2>&1 sensor_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Salt Components... \nXXX" echo -e "XXX\n5\nInstalling Salt Components... \nXXX"
saltify >>~/sosetup.log 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX" echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1 docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX" echo -e "XXX\n22\nConfiguring Salt Minion... \nXXX"
configure_minion sensor >>~/sosetup.log 2>&1 configure_minion sensor >> $SETUPLOG 2>&1
echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX" echo -e "XXX\n24\nCopying Sensor Pillar to Master... \nXXX"
copy_minion_pillar sensors >>~/sosetup.log 2>&1 copy_minion_pillar sensors >> $SETUPLOG 2>&1
echo -e "XXX\n25\nSending Salt Key to Master... \nXXX" echo -e "XXX\n25\nSending Salt Key to Master... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1 salt_firstcheckin >> $SETUPLOG 2>&1
echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX" echo -e "XXX\n26\nTelling the Master to Accept Key... \nXXX"
# Accept the Salt Key # Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1 accept_salt_key_remote >> $SETUPLOG 2>&1
echo -e "XXX\n27\nApplying SSL Certificates... \nXXX" echo -e "XXX\n27\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n35\nInstalling Core Components... \nXXX" echo -e "XXX\n35\nInstalling Core Components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1 salt-call state.apply common >> $SETUPLOG 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1 salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n50\nInstalling PCAP... \nXXX" echo -e "XXX\n50\nInstalling PCAP... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1 salt-call state.apply pcap >> $SETUPLOG 2>&1
echo -e "XXX\n60\nInstalling IDS components... \nXXX" echo -e "XXX\n60\nInstalling IDS components... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1 salt-call state.apply suricata >> $SETUPLOG 2>&1
echo -e "XXX\n80\nVerifying Install... \nXXX" echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >>~/sosetup.log 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete whiptail_setup_complete
else else
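Review bot: in this sensor path `checkin_at_boot >> $SETUPLOG 2>&1` is run after `salt-call state.highstate`, so whatever it appends is the last thing in the log before `GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')`; if `checkin_at_boot` writes more than a few lines, the highstate `Failed:` summary falls outside the 10-line window, `GOODSETUP` ends up empty and the install is reported as failed even when every state succeeded. The SOctopus/TheHive path earlier in this patch runs `checkin_at_boot` before the highstate; do the same here, or search the whole log for the last `Failed:` line instead of relying on `tail -10`.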
@@ -1832,91 +1773,91 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX" echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
create_bond >>~/sosetup.log 2>&1 create_bond_nmcli >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling saltstack... \nXXX" echo -e "XXX\n1\nInstalling saltstack... \nXXX"
saltify >>~/sosetup.log 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n3\nInstalling docker... \nXXX" echo -e "XXX\n3\nInstalling docker... \nXXX"
docker_install >>~/sosetup.log 2>&1 docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling master code... \nXXX" echo -e "XXX\n5\nInstalling master code... \nXXX"
install_master >>~/sosetup.log 2>&1 install_master >> $SETUPLOG 2>&1
echo -e "XXX\n6\nCopying salt code... \nXXX" echo -e "XXX\n6\nCopying salt code... \nXXX"
salt_master_directories >>~/sosetup.log 2>&1 salt_master_directories >> $SETUPLOG 2>&1
echo -e "XXX\n6\nupdating suduers... \nXXX" echo -e "XXX\n6\nupdating suduers... \nXXX"
update_sudoers >>~/sosetup.log 2>&1 update_sudoers >> $SETUPLOG 2>&1
echo -e "XXX\n7\nFixing some permissions... \nXXX" echo -e "XXX\n7\nFixing some permissions... \nXXX"
chown_salt_master >>~/sosetup.log 2>&1 chown_salt_master >> $SETUPLOG 2>&1
echo -e "XXX\n7\nCreating the static pillar... \nXXX" echo -e "XXX\n7\nCreating the static pillar... \nXXX"
# Set the static values # Set the static values
master_static >>~/sosetup.log 2>&1 master_static >> $SETUPLOG 2>&1
echo -e "XXX\n7\nCreating the master pillar... \nXXX" echo -e "XXX\n7\nCreating the master pillar... \nXXX"
master_pillar >>~/sosetup.log 2>&1 master_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n7\nConfiguring minion... \nXXX" echo -e "XXX\n7\nConfiguring minion... \nXXX"
configure_minion eval >>~/sosetup.log 2>&1 configure_minion eval >> $SETUPLOG 2>&1
echo -e "XXX\n7\nSetting the node type to eval... \nXXX" echo -e "XXX\n7\nSetting the node type to eval... \nXXX"
set_node_type >>~/sosetup.log 2>&1 set_node_type >> $SETUPLOG 2>&1
echo -e "XXX\n7\nStorage node pillar... \nXXX" echo -e "XXX\n7\nStorage node pillar... \nXXX"
node_pillar >>~/sosetup.log 2>&1 node_pillar >> $SETUPLOG 2>&1
echo -e "XXX\n8\nCreating firewall policies... \nXXX" echo -e "XXX\n8\nCreating firewall policies... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1 set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n10\nRegistering agent... \nXXX" echo -e "XXX\n10\nRegistering agent... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1 salt_firstcheckin >> $SETUPLOG 2>&1
echo -e "XXX\n11\nAccepting Agent... \nXXX" echo -e "XXX\n11\nAccepting Agent... \nXXX"
accept_salt_key_local >>~/sosetup.log 2>&1 accept_salt_key_local >> $SETUPLOG 2>&1
echo -e "XXX\n12\nRunning the SSL states... \nXXX" echo -e "XXX\n12\nRunning the SSL states... \nXXX"
salt_checkin >>~/sosetup.log 2>&1 salt_checkin >> $SETUPLOG 2>&1
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n15\nInstalling core components... \nXXX" echo -e "XXX\n15\nInstalling core components... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1 salt-call state.apply common >> $SETUPLOG 2>&1
echo -e "XXX\n18\nInitializing firewall rules... \nXXX" echo -e "XXX\n18\nInitializing firewall rules... \nXXX"
salt-call state.apply firewall >>~/sosetup.log 2>&1 salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n25\nInstalling master components... \nXXX" echo -e "XXX\n25\nInstalling master components... \nXXX"
salt-call state.apply master >>~/sosetup.log 2>&1 salt-call state.apply master >> $SETUPLOG 2>&1
salt-call state.apply idstools >>~/sosetup.log 2>&1 salt-call state.apply idstools >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then if [[ $OSQUERY == '1' ]]; then
salt-call state.apply mysql >>~/sosetup.log 2>&1 salt-call state.apply mysql >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX" echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
echo -e "XXX\n40\nInstalling Logstash... \nXXX" echo -e "XXX\n40\nInstalling Logstash... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1 salt-call state.apply logstash >> $SETUPLOG 2>&1
echo -e "XXX\n45\nInstalling ElasticSearch... \nXXX" echo -e "XXX\n45\nInstalling Kibana... \nXXX"
salt-call state.apply kibana >>~/sosetup.log 2>&1 salt-call state.apply kibana >> $SETUPLOG 2>&1
echo -e "XXX\n50\nInstalling pcap... \nXXX" echo -e "XXX\n50\nInstalling pcap... \nXXX"
salt-call state.apply pcap >>~/sosetup.log 2>&1 salt-call state.apply pcap >> $SETUPLOG 2>&1
echo -e "XXX\n52\nInstalling Suricata... \nXXX" echo -e "XXX\n52\nInstalling Suricata... \nXXX"
salt-call state.apply suricata >>~/sosetup.log 2>&1 salt-call state.apply suricata >> $SETUPLOG 2>&1
echo -e "XXX\n54\nInstalling Zeek... \nXXX" echo -e "XXX\n54\nInstalling Zeek... \nXXX"
salt-call state.apply bro >>~/sosetup.log 2>&1 salt-call state.apply bro >> $SETUPLOG 2>&1
echo -e "XXX\n56\nInstalling curator... \nXXX" echo -e "XXX\n56\nInstalling curator... \nXXX"
salt-call state.apply curator >>~/sosetup.log 2>&1 salt-call state.apply curator >> $SETUPLOG 2>&1
echo -e "XXX\n58\nInstalling elastalert... \nXXX" echo -e "XXX\n58\nInstalling elastalert... \nXXX"
salt-call state.apply elastalert >>~/sosetup.log 2>&1 salt-call state.apply elastalert >> $SETUPLOG 2>&1
if [[ $OSQUERY == '1' ]]; then if [[ $OSQUERY == '1' ]]; then
echo -e "XXX\n60\nInstalling fleet... \nXXX" echo -e "XXX\n60\nInstalling fleet... \nXXX"
salt-call state.apply fleet >>~/sosetup.log 2>&1 salt-call state.apply fleet >> $SETUPLOG 2>&1
salt-call state.apply redis >>~/sosetup.log 2>&1 salt-call state.apply redis >> $SETUPLOG 2>&1
fi fi
if [[ $WAZUH == '1' ]]; then if [[ $WAZUH == '1' ]]; then
echo -e "XXX\n65\nInstalling Wazuh components... \nXXX" echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
salt-call state.apply wazuh >>~/sosetup.log 2>&1 salt-call state.apply wazuh >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n85\nInstalling filebeat... \nXXX" echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >>~/sosetup.log 2>&1 salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >>~/sosetup.log 2>&1 salt-call state.apply utility >> $SETUPLOG 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX" echo -e "XXX\n95\nInstalling misc components... \nXXX"
salt-call state.apply schedule >>~/sosetup.log 2>&1 salt-call state.apply schedule >> $SETUPLOG 2>&1
salt-call state.apply soctopus >>~/sosetup.log 2>&1 salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then if [[ $THEHIVE == '1' ]]; then
salt-call state.apply hive >>~/sosetup.log 2>&1 salt-call state.apply hive >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >>~/sosetup.log 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX" echo -e "XXX\n99\nVerifying Setup... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
if [[ $GOODSETUP == '1' ]]; then if [[ $GOODSETUP == '1' ]]; then
whiptail_setup_complete whiptail_setup_complete
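Review bot: the success test at the end of this eval path, `if [[ $GOODSETUP == '1' ]]; then whiptail_setup_complete` under `if [ $OS == 'centos' ]`, treats a highstate summary of `Failed: 1` as success, whereas the sensor and node paths in this same patch test `$GOODSETUP == '0'`; unless a specific state is known to fail on CentOS and is being tolerated, this should be `'0'`, and if it is deliberate a comment should name the state that is expected to fail so the exception does not silently mask a real failure. The `[ $OS == 'centos' ]` comparison also mixes single-bracket `test` with the bash-only `==` operator used inside `[[ ]]` everywhere else; use `[[ $OS == 'centos' ]]` for consistency.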
@@ -1972,37 +1913,37 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX" echo -e "XXX\n0\nSetting Initial Firewall Policy... \nXXX"
set_initial_firewall_policy >>~/sosetup.log 2>&1 set_initial_firewall_policy >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling Salt Packages... \nXXX" echo -e "XXX\n5\nInstalling Salt Packages... \nXXX"
saltify >>~/sosetup.log 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n20\nInstalling Docker... \nXXX" echo -e "XXX\n20\nInstalling Docker... \nXXX"
docker_install >>~/sosetup.log 2>&1 docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n30\nInitializing Minion... \nXXX" echo -e "XXX\n30\nInitializing Minion... \nXXX"
configure_minion node >>~/sosetup.log 2>&1 configure_minion node >> $SETUPLOG 2>&1
set_node_type >>~/sosetup.log 2>&1 set_node_type >> $SETUPLOG 2>&1
node_pillar >>~/sosetup.log 2>&1 node_pillar >> $SETUPLOG 2>&1
copy_minion_pillar nodes >>~/sosetup.log 2>&1 copy_minion_pillar nodes >> $SETUPLOG 2>&1
echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX" echo -e "XXX\n35\nSending and Accepting Salt Key... \nXXX"
salt_firstcheckin >>~/sosetup.log 2>&1 salt_firstcheckin >> $SETUPLOG 2>&1
# Accept the Salt Key # Accept the Salt Key
accept_salt_key_remote >>~/sosetup.log 2>&1 accept_salt_key_remote >> $SETUPLOG 2>&1
echo -e "XXX\n40\nApplying SSL Certificates... \nXXX" echo -e "XXX\n40\nApplying SSL Certificates... \nXXX"
salt-call state.apply ca >>~/sosetup.log 2>&1 salt-call state.apply ca >> $SETUPLOG 2>&1
salt-call state.apply ssl >>~/sosetup.log 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1
echo -e "XXX\n50\nConfiguring Firewall... \nXXX" echo -e "XXX\n50\nConfiguring Firewall... \nXXX"
salt-call state.apply common >>~/sosetup.log 2>&1 salt-call state.apply common >> $SETUPLOG 2>&1
salt-call state.apply firewall >>~/sosetup.log 2>&1 salt-call state.apply firewall >> $SETUPLOG 2>&1
echo -e "XXX\n70\nInstalling Elastic Components... \nXXX" echo -e "XXX\n70\nInstalling Elastic Components... \nXXX"
salt-call state.apply logstash >>~/sosetup.log 2>&1 salt-call state.apply logstash >> $SETUPLOG 2>&1
salt-call state.apply elasticsearch >>~/sosetup.log 2>&1 salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
salt-call state.apply curator >>~/sosetup.log 2>&1 salt-call state.apply curator >> $SETUPLOG 2>&1
salt-call state.apply filebeat >>~/sosetup.log 2>&1 salt-call state.apply filebeat >> $SETUPLOG 2>&1
echo -e "XXX\n90\nVerifying Install... \nXXX" echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >>~/sosetup.log 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >>~/sosetup.log 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 /root/sosetup.log | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
whiptail_setup_complete whiptail_setup_complete
else else
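Review bot: this node path is the fourth copy of the same completion check, `GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')` followed by an `if [[ $GOODSETUP == ... ]]` that already differs between paths in this patch, and it repeats the ordering problem of running `checkin_at_boot` after `salt-call state.highstate` so that its output can push the `Failed:` summary out of the `tail -10` window. Factor the check into one helper (for example a `setup_succeeded` function that greps the last `Failed:` line of the log and returns non-zero when it is not `0`) and call it from all four install paths, so the success condition cannot drift and the log-tail assumption lives in one place.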