From 352e30f9e1509a23a0f64b8ae6ee0608085c9d38 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 22 Oct 2021 11:16:29 -0400
Subject: [PATCH 01/12] Add CUSTOM_FLEET_HOSTNAME to subjectAltName of fleet.key

Resolves #4319
---
 salt/ssl/init.sls | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/salt/ssl/init.sls b/salt/ssl/init.sls
index 5690691fc..9d4026b56 100644
--- a/salt/ssl/init.sls
+++ b/salt/ssl/init.sls
@@ -445,7 +445,7 @@ msslkeyperms:
 x509.certificate_managed:
 - signing_private_key: /etc/pki/fleet.key
 - CN: {{ manager }}
- - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
+ - subjectAltName: DNS:{{ manager }},IP:{{ managerip }}{% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }}{% endif %}
 - days_remaining: 0
 - days_valid: 820
 - backup: True

From 62971d8c15ea29e58794d0c153e0d6fef2ced20c Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 22 Oct 2021 11:57:47 -0400
Subject: [PATCH 02/12] Add Fleet custom hostname to end summary

---
 setup/so-whiptail | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/setup/so-whiptail b/setup/so-whiptail
index ed4067da1..3e4bf6151 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -505,6 +505,8 @@ whiptail_end_settings() {
 [[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER"
 [[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER"
+
+ [[ -n $FLEETCUSTOMHOSTNAME ]] && __append_end_msg "Fleet Custom Hostname: $FLEETCUSTOMHOSTNAME"
 if [[ $is_manager ]]; then
 __append_end_msg "Enabled Optional Components:"

From 17af513692e8cf39e4206b485b67341c5ea96e85 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 22 Oct 2021 15:28:37 -0400
Subject: [PATCH 03/12] Escape single quotes and allow for any character in node description

---
 salt/sensoroni/files/sensoroni.json | 2 +-
 setup/so-functions | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

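Review bot: The Jinja guard on the added subjectAltName line only excludes `None`, so an empty-string `CUSTOM_FLEET_HOSTNAME` would render a dangling `,DNS:` entry and leave the certificate state with a malformed SAN; `{% if CUSTOM_FLEET_HOSTNAME %}` rejects both `None` and `''`. Where `CUSTOM_FLEET_HOSTNAME` is assigned (presumably a pillar lookup earlier in the file) is not visible in this hunk, so whether the empty case can occur should be confirmed there. A short comment such as `{# optional extra DNS SAN for the custom Fleet hostname #}` on the line above would also make the intent obvious to the next reader.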
diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json
index 1a6e6fc8c..743021a7d 100644
--- a/salt/sensoroni/files/sensoroni.json
+++ b/salt/sensoroni/files/sensoroni.json
@@ -17,7 +17,7 @@ "agent": {
 "nodeId": "{{ grains.host | lower }}",
 "role": "{{ grains.role }}",
- "description": "{{ DESCRIPTION }}",
+ "description": {{ DESCRIPTION | tojson }},
 "address": "{{ ADDRESS }}",
 "model": "{{ MODEL }}",
 "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }},
diff --git a/setup/so-functions b/setup/so-functions
index 58fbca562..62d458911 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1509,7 +1509,7 @@ host_pillar() {
 " mainint: '$MNIC'"\
 "sensoroni:"\
 " node_address: '$MAINIP'"\
- " node_description: '$NODE_DESCRIPTION'"\
+ " node_description: '${NODE_DESCRIPTION//\'/''}'"\
 "" > "$pillar_file"
 }

From 38b16a507baa3c8cd2d00e16de768d7162c38471 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 22 Oct 2021 15:29:32 -0400
Subject: [PATCH 04/12] Update ip for root user in mysql when running so-ip-update

---
 salt/common/tools/sbin/so-ip-update | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/salt/common/tools/sbin/so-ip-update b/salt/common/tools/sbin/so-ip-update
index 9976a42e8..8ef99fadc 100755
--- a/salt/common/tools/sbin/so-ip-update
+++ b/salt/common/tools/sbin/so-ip-update
@@ -8,9 +8,9 @@ fi
 echo "This tool will update a manager's IP address to the new IP assigned to the management network interface."
-echo
+echo ""
 echo "WARNING: This tool is still undergoing testing, use at your own risk!"
-echo
+echo ""
 if [ -z "$OLD_IP" ]; then
 OLD_IP=$(lookup_pillar "managerip")
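Review bot: `tojson` on the new `description` line is the right fix, but the neighbouring `address` and `model` values on the context lines are still interpolated inside hand-written quotes, so a quote or backslash in either would still produce invalid JSON; applying the same filter (`"address": {{ ADDRESS | tojson }},` and likewise for `model`) keeps a single escaping path for the whole `agent` object. Whether those two values can ever contain such characters is not visible here, so treat this as a consistency point rather than a known defect.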
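Review bot: The added `'${NODE_DESCRIPTION//\'/''}'` is correct but easy to misread, since the backslash-quote inside double quotes is a pattern escape and the `''` replacement is the YAML single-quoted-scalar escape; a comment on the preceding line, `# double each single quote so the value stays a valid YAML single-quoted scalar`, would spare the next reader that analysis. A literal newline in the description is not covered by the substitution and would split the scalar across lines in the pillar file, which may not parse; if the prompt can accept one, folding it first (`NODE_DESCRIPTION=${NODE_DESCRIPTION//$'\n'/ }`) closes that gap. host_pillar begins outside the hunk.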
@@ -27,7 +27,7 @@ if [ -z "$NEW_IP" ]; then
 NEW_IP=$(ip -4 addr list $iface | grep inet | cut -d' ' -f6 | cut -d/ -f1)
 if [ -z "$NEW_IP" ]; then
- fail "Unable to detect new IP on interface $iface. "
+ fail "Unable to detect new IP on interface $iface."
 fi
 echo "Detected new IP $NEW_IP on interface $iface."
@@ -39,15 +39,20 @@ fi
 echo "About to change old IP $OLD_IP to new IP $NEW_IP."
-echo
+echo ""
 read -n 1 -p "Would you like to continue? (y/N) " CONTINUE
-echo
+echo ""
 if [ "$CONTINUE" == "y" ]; then
- for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do
- echo "Updating file: $file"
- sed -i "s|$OLD_IP|$NEW_IP|g" $file
- done
+ for file in $(grep -rlI $OLD_IP /opt/so/saltstack /etc); do
+ echo "Updating file: $file"
+ sed -i "s|$OLD_IP|$NEW_IP|g" $file
+ done
+
+ echo "Granting MySQL root user permissions on $NEW_IP"
+ docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$NEW_IP' IDENTIFIED BY '$(lookup_pillar_secret 'mysql')' WITH GRANT OPTION;" &> /dev/null
+ echo "Removing MySQL root user from $OLD_IP"
+ docker exec -i so-mysql mysql --user=root --password=$(lookup_pillar_secret 'mysql') -e "DROP USER 'root'@'$OLD_IP';" &> /dev/null
 echo "The IP has been changed from $OLD_IP to $NEW_IP."
@@ -60,4 +65,4 @@ if [ "$CONTINUE" == "y" ]; then
 fi
 else
 echo "Exiting without changes."
-fi
\ No newline at end of file
+fi

From 9e9079f9cb76144658e15bf357488a8a248735c8 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 27 Oct 2021 11:03:00 -0400
Subject: [PATCH 05/12] Reorder airgap prompt and add additional logic

Setup should now only ask the user whether to setup as airgap on manager-type installs. For all distributed minions setup will now inherit the airgap boolean from the manager.
---
 setup/so-setup | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index 119a0d2ff..982ce5f05 100755
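Review bot: Both new `docker exec` lines put the MySQL root secret on the command line twice (`--password=…` and inside the `IDENTIFIED BY` clause of the `-e` argument), where it is readable from the host's process table while the command runs, and `&> /dev/null` then discards the outcome, so a failed GRANT or DROP leaves the root account bound to the wrong address while the script still prints the success message on the following line. Feeding the secret and the SQL through stdin keeps both out of every argv on the host, and checking the pipeline status makes failures visible; the rewrite below does that and looks the secret up once (it assumes the so-mysql image provides `sh`, which should be confirmed). The re-indented `grep`/`sed` lines above also treat `$OLD_IP` as a regex, so `10.0.0.1` would rewrite `10.0.0.10` as well; that is pre-existing, but `grep -F` plus escaping the dots for sed would tighten it.
```shell
  mysql_pw=$(lookup_pillar_secret 'mysql')
  # First stdin line is the password (exported as MYSQL_PWD inside the container),
  # the rest is the SQL, so the secret never appears in any argv on the host.
  run_mysql() {
    { printf '%s\n' "$mysql_pw"; cat; } \
      | docker exec -i so-mysql sh -c 'IFS= read -r MYSQL_PWD; export MYSQL_PWD; exec mysql --user=root' > /dev/null
  }
  echo "Granting MySQL root user permissions on $NEW_IP"
  printf "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%s' IDENTIFIED BY '%s' WITH GRANT OPTION;\n" "$NEW_IP" "$mysql_pw" | run_mysql \
    || echo "WARNING: could not grant MySQL root access for $NEW_IP"
  echo "Removing MySQL root user from $OLD_IP"
  printf "DROP USER 'root'@'%s';\n" "$OLD_IP" | run_mysql \
    || echo "WARNING: could not remove MySQL root user for $OLD_IP"
  # … unchanged: final status message …
```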
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -265,14 +265,6 @@ if [[ $is_manager || $is_import ]]; then
 fi
 if ! [[ -f $install_opt_file ]]; then
- # Check if this is an airgap install
- if [[ ( $is_manager || $is_import || $is_minion ) && $is_iso ]]; then
- whiptail_airgap
- if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
- is_airgap=true
- fi
- fi
-
 if [[ $is_manager && $is_sensor ]]; then
 check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then
@@ -312,17 +304,6 @@ if ! [[ -f $install_opt_file ]]; then
 add_mngr_ip_to_hosts
 fi
- reset_proxy
- if [[ -z $is_airgap ]]; then
- collect_net_method
- [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
- fi
-
- if [[ $is_minion ]]; then
- whiptail_ssh_key_copy_notice
- copy_ssh_key >> $setup_log 2>&1
- fi
-
 if [[ $is_minion ]] && ! (compare_versions); then
 info "Installer version mismatch, downloading correct version from manager"
 printf '%s\n' \
@@ -331,17 +312,36 @@ if ! [[ -f $install_opt_file ]]; then
 "HOSTNAME=$HOSTNAME" \
 "MSRV=$MSRV" \
 "MSRVIP=$MSRVIP" \
- "is_airgap=$is_airgap" \
 "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
- [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 download_repo_tarball
 exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
 fi
-
 else
 rm -rf $install_opt_file >> "$setup_log" 2>&1
 fi
+# Check if this is an airgap install
+if [[ ( $is_manager || $is_import) && $is_iso ]]; then
+ whiptail_airgap
+ if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
+ is_airgap=true
+ fi
+el [[ $is_minion ]]
+ airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1
+ [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1
+fi
+
+reset_proxy
+if [[ -z $is_airgap ]]; then
+ collect_net_method
+ [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
+fi
+
+if [[ $is_minion ]]; then
+ whiptail_ssh_key_copy_notice
+ copy_ssh_key >> $setup_log 2>&1
+fi
+
 percentage=0
 {
 installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs

From eee612e73da33b9028a0e34e21cc7323c3970fca Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 27 Oct 2021 11:43:09 -0400
Subject: [PATCH 06/12] Make folder/file states explicit

Rather than using /nsm/zeek (max_depth: 1) create explicit states for /nsm/zeek/spool and /nsm/zeek/spool/state.db that set correct ownership
---
 salt/zeek/init.sls | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/salt/zeek/init.sls b/salt/zeek/init.sls
index 5f5adfaa6..f83293742 100644
--- a/salt/zeek/init.sls
+++ b/salt/zeek/init.sls
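Review bot: `el [[ $is_minion ]]` on the added line is not a bash keyword, so this revision of the script cannot be parsed at all (patch 07 in this series changes it to `elif [[ $is_minion ]]; then`). The same hunk removes `is_airgap=` and `so_proxy=` from `$install_opt_file` while moving the airgap prompt and proxy collection outside the `if ! [[ -f $install_opt_file ]]` block, so a minion that re-executes the downloaded installer after the version check starts without those values and runs the remote airgap check and proxy prompt a second time; patch 12 moves the lines back. The enclosing `if ! [[ -f $install_opt_file ]]` block starts outside the hunk.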
@@ -90,11 +90,14 @@ zeekpolicysync:
 # Ensure the zeek spool tree (and state.db) ownership is correct
 zeekspoolownership:
 file.directory:
- - name: /nsm/zeek
+ - name: /nsm/zeek/spool
 - user: 937
- - max_depth: 1
- - recurse:
- - user
+zeekstatedbownership:
+ file.managed:
+ - name: /nsm/zeek/spool/state.db
+ - user: 937
+ - replace: False
+ - create: False
 # Sync Intel
 zeekintelloadsync:
@@ -247,4 +250,4 @@ delete_so-zeek_so-status.disabled:
 test.fail_without_changes:
 - name: {{sls}}_state_not_allowed
-{% endif %}
\ No newline at end of file
+{% endif %}

From 75490a253639c9685dc8cc85f67a3e7e94ce4d2f Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 27 Oct 2021 14:59:24 -0400
Subject: [PATCH 07/12] Fix typo

---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup b/setup/so-setup
index 982ce5f05..58059567c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -326,7 +326,7 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then
 if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 is_airgap=true
 fi
-el [[ $is_minion ]]
+elif [[ $is_minion ]]; then
 airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1
 [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1
 fi

From d6eeb0b735aae8ef6c642e107893e038d65d2b34 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 28 Oct 2021 10:04:03 -0400
Subject: [PATCH 08/12] Gen ssh key sooner

---
 setup/so-setup | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index 58059567c..e9d510270 100755
--- a/setup/so-setup
+++ b/setup/so-setup
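Review bot: Neither new state pins a `group`, so `/nsm/zeek/spool` and `state.db` keep whatever group they were created with while only the owner is forced to uid 937; if anything relies on group permissions under the spool tree that is silently unmanaged, and `- group: <ZEEK_GID>` (taken from wherever 937 is defined) on both states would make the intent explicit. `zeekstatedbownership` also depends on running after the directory state and currently relies on declaration order for that; `- require:` with `- file: zeekspoolownership` states the dependency. Since the old `recurse: user` is gone, other files already under the spool tree are no longer corrected — the commit message accepts that, but a one-line comment on `zeekspoolownership`, e.g. `# only the directory itself and state.db are managed; other spool contents are left as-is`, would record it.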
@@ -304,6 +304,11 @@ if ! [[ -f $install_opt_file ]]; then
 add_mngr_ip_to_hosts
 fi
+ if [[ $is_minion ]]; then
+ whiptail_ssh_key_copy_notice
+ copy_ssh_key >> $setup_log 2>&1
+ fi
+
 if [[ $is_minion ]] && ! (compare_versions); then
 info "Installer version mismatch, downloading correct version from manager"
 printf '%s\n' \
@@ -337,11 +342,6 @@ if [[ -z $is_airgap ]]; then
 [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
 fi
-if [[ $is_minion ]]; then
- whiptail_ssh_key_copy_notice
- copy_ssh_key >> $setup_log 2>&1
-fi
-
 percentage=0
 {
 installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs

From 6b480a5ba448569c7a024dbbb18afd13dab16441 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 28 Oct 2021 11:51:50 -0400
Subject: [PATCH 09/12] Change airgap check to something that doesn't require root

---
 setup/so-setup | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index e9d510270..b423160c8 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -332,8 +332,9 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then
 is_airgap=true
 fi
 elif [[ $is_minion ]]; then
- airgap_mngr_str=$($sshcmd -i /root/.ssh/so.key soremote@"$MSRV" cat /opt/so/saltstack/local/pillar/global.sls | grep airgap: | awk '{print $2}') >> $setup_log 2>&1
- [[ $airgap_mngr_str == "True" ]] && is_airgap=true >> $setup_log 2>&1
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
+ airgap_check=$?
+ [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1
 fi
 reset_proxy

From c2b18efdbbd1658b3a3ec1a1da77eafc32444cf6 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Thu, 28 Oct 2021 11:59:42 -0400
Subject: [PATCH 10/12] Minions still need to be ISO installs to be airgap

---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/so-setup b/setup/so-setup
index b423160c8..a2ffdf339 100755
--- a/setup/so-setup
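Review bot: `[[ $airgap_check ]]` on the last added line of patch 09 tests whether the string is non-empty, and `$?` is always a non-empty number, so the condition holds whether the remote `[[ -f … ]]` returned 0, 1 or 255 — every minion that reaches this branch ends up with `is_airgap=true` regardless of what the manager reports. Testing the status directly fixes it and drops the redirect that is currently attached to a bare assignment: `if $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1; then is_airgap=true; fi`. With that form an unreachable manager (ssh exit 255) is treated as not airgapped, which is probably the safer default but deserves an explicit line in `$setup_log`; note also that `[[` is a bash builtin, so the check presumes soremote's login shell on the manager is bash. The same three lines are carried unchanged into patch 10 and into the first hunk of patch 12, which need the same fix.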
+++ b/setup/so-setup
@@ -331,7 +331,7 @@ if [[ ( $is_manager || $is_import) && $is_iso ]]; then
 if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
 is_airgap=true
 fi
-elif [[ $is_minion ]]; then
+elif [[ $is_minion && $is_iso ]]; then
 $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
 airgap_check=$?
 [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1

From d08149f728b27dcff5b1833465922ab9667b6629 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 29 Oct 2021 10:11:47 -0400
Subject: [PATCH 11/12] Don't set `INTERWEBS` variable on automated minions

---
 setup/automation/distributed-airgap-search | 1 -
 setup/automation/distributed-airgap-sensor | 1 -
 2 files changed, 2 deletions(-)

diff --git a/setup/automation/distributed-airgap-search b/setup/automation/distributed-airgap-search
index 1acee9b1a..7a0888fee 100644
--- a/setup/automation/distributed-airgap-search
+++ b/setup/automation/distributed-airgap-search
@@ -35,7 +35,6 @@ ADMINPASS2=onionuser
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
 HOSTNAME=distributed-search
-INTERWEBS=AIRGAP
 install_type=SEARCHNODE
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=
diff --git a/setup/automation/distributed-airgap-sensor b/setup/automation/distributed-airgap-sensor
index c8186bf8a..91b9c24a9 100644
--- a/setup/automation/distributed-airgap-sensor
+++ b/setup/automation/distributed-airgap-sensor
@@ -35,7 +35,6 @@ ZEEKVERSION=ZEEK
 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
 HNSENSOR=inherit
 HOSTNAME=distributed-sensor
-INTERWEBS=AIRGAP
 install_type=SENSOR
 # LSINPUTBATCHCOUNT=
 # LSINPUTTHREADS=

From b1c67f696e9a261e85e4c079cd4af3330931c0a1 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Fri, 29 Oct 2021 10:47:05 -0400
Subject: [PATCH 12/12] Re-order logic to maintain backwards compatibility

---
 setup/so-setup | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

diff --git a/setup/so-setup b/setup/so-setup
index a2ffdf339..2cef6d876 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -309,6 +309,24 @@ if ! [[ -f $install_opt_file ]]; then
 copy_ssh_key >> $setup_log 2>&1
 fi
+ # Check if this is an airgap install
+ if [[ ( $is_manager || $is_import) && $is_iso ]]; then
+ whiptail_airgap
+ if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
+ is_airgap=true
+ fi
+ elif [[ $is_minion && $is_iso ]]; then
+ $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
+ airgap_check=$?
+ [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1
+ fi
+
+ reset_proxy
+ if [[ -z $is_airgap ]]; then
+ collect_net_method
+ [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
+ fi
+
 if [[ $is_minion ]] && ! (compare_versions); then
 info "Installer version mismatch, downloading correct version from manager"
 printf '%s\n' \
@@ -317,7 +335,9 @@ if ! [[ -f $install_opt_file ]]; then
 "HOSTNAME=$HOSTNAME" \
 "MSRV=$MSRV" \
 "MSRVIP=$MSRVIP" \
+ "is_airgap=$is_airgap" \
 "NODE_DESCRIPTION=\"$NODE_DESCRIPTION\"" > "$install_opt_file"
+ [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file"
 download_repo_tarball
 exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
 fi
@@ -325,24 +345,6 @@ else
 rm -rf $install_opt_file >> "$setup_log" 2>&1
 fi
-# Check if this is an airgap install
-if [[ ( $is_manager || $is_import) && $is_iso ]]; then
-whiptail_airgap
- if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
- is_airgap=true
- fi
-elif [[ $is_minion && $is_iso ]]; then
- $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1
- airgap_check=$?
- [[ $airgap_check ]] && is_airgap=true >> $setup_log 2>&1
-fi
-
-reset_proxy
-if [[ -z $is_airgap ]]; then
- collect_net_method
- [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1
-fi
-
 percentage=0
 {
 installer_progress_loop & # Run progress bar to 98 in ~8 minutes while waiting for package installs