Merge pull request #2023 from Security-Onion-Solutions/bugfix/bug-hunt

Bugfix/bug hunt

salt/common/tools/sbin/so-ssh-harden

@@ -2,15 +2,40 @@
 
 . /usr/sbin/so-common
 
-if [[ $1 =~ ^(q|--quiet) ]]; then
+if [[ $1 =~ ^(-q|--quiet) ]]; then
 	quiet=true
 fi
 
+before=
+after=
+reload_required=false
+
 print_sshd_t() {
 	local string=$1
 	local state=$2
 	echo "${state}:"
-    sshd -T | grep "^${string}"
+
+	local grep_out
+	grep_out=$(sshd -T | grep "^${string}")
+
+	if [[ $state == "Before" ]]; then
+		before=$grep_out
+	else
+		after=$grep_out
+	fi
+
+	echo $grep_out
+}
+
+print_msg() {
+	local msg=$1
+	if ! [[ $quiet ]]; then
+	printf "%s\n" \
+		"----" \
+		"$msg" \
+		"----" \
+		""
+	fi
 }
 
 if ! [[ $quiet ]]; then print_sshd_t "ciphers" "Before"; fi
@@ -20,6 +45,10 @@ if ! [[ $quiet ]]; then
 	echo ""
 fi
 
+if [[ $before != $after ]]; then
+	reload_required=true
+fi
+
 if ! [[ $quiet ]]; then print_sshd_t "kexalgorithms" "Before"; fi
 sshd -T | grep "^kexalgorithms" | sed -e "s/\(diffie-hellman-group14-sha1\|ecdh-sha2-nistp256\|diffie-hellman-group-exchange-sha256\|diffie-hellman-group1-sha1\|diffie-hellman-group-exchange-sha1\|ecdh-sha2-nistp521\|ecdh-sha2-nistp384\)\,\?//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
@@ -27,6 +56,10 @@ if ! [[ $quiet ]]; then
 	echo ""
 fi
 
+if [[ $before != $after ]]; then
+	reload_required=true
+fi
+
 if ! [[ $quiet ]]; then print_sshd_t "macs" "Before"; fi
 sshd -T | grep "^macs" | sed -e "s/\(hmac-sha2-512,\|umac-128@openssh.com,\|hmac-sha2-256,\|umac-64@openssh.com,\|hmac-sha1,\|hmac-sha1-etm@openssh.com,\|umac-64-etm@openssh.com,\|hmac-sha1\)//g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
@@ -34,6 +67,10 @@ if ! [[ $quiet ]]; then
 	echo ""
 fi
 
+if [[ $before != $after ]]; then
+	reload_required=true
+fi
+
 if ! [[ $quiet ]]; then print_sshd_t "hostkeyalgorithms" "Before"; fi
 sshd -T | grep "^hostkeyalgorithms" | sed "s|ecdsa-sha2-nistp256,||g" | sed "s|ssh-rsa,||g" >> /etc/ssh/sshd_config
 if ! [[ $quiet ]]; then
@@ -41,9 +78,16 @@ if ! [[ $quiet ]]; then
 	echo ""
 fi
 
+if [[ $before != $after ]]; then
+	reload_required=true
+fi
+
+if [[ $reload_required == true ]]; then
+	print_msg "Reloading sshd to load config changes..."
+	systemctl reload sshd
+fi
+
 {% if grains['os'] != 'CentOS' %}
-echo "----"
-echo "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
-echo "----"
+print_msg "[ WARNING ] Any new ssh sessions will need to remove and reaccept the ECDSA key for this server before reconnecting."
 {% endif %}
 

setup/so-setup

@@ -639,13 +639,15 @@ fi
 		salt-call state.apply -l info pcap >> $setup_log 2>&1
 	fi
 
-	if [[ $is_sensor || $is_import ]]; then
+	if [[ $is_sensor || $is_import || $is_helix ]]; then
 		set_progress_str 66 "$(print_salt_state_apply 'suricata')"
 		salt-call state.apply -l info suricata >> $setup_log 2>&1
 
+		if [[ $ZEEKVERSION == 'ZEEK' ]]; then
 			set_progress_str 67 "$(print_salt_state_apply 'zeek')"
 			salt-call state.apply -l info zeek >> $setup_log 2>&1
 		fi
+	fi
 
 	if [[ $is_node ]]; then
 		set_progress_str 68 "$(print_salt_state_apply 'curator')"

setup/so-whiptail

@@ -97,7 +97,8 @@ whiptail_zeek_version() {
 
 	[ -n "$TESTING" ] && return
 
-	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 "ZEEK" "Zeek (formerly known as Bro)"  ON \
+	ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \
+	"ZEEK" "Zeek (formerly known as Bro)"  ON \
 	"SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3)
 
 	local exitstatus=$?
@@ -697,6 +698,8 @@ whiptail_management_interface_dns() {
 	MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your DNS servers separated by a space:" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3)
 
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_management_interface_dns_search() {
@@ -706,6 +709,8 @@ whiptail_management_interface_dns_search() {
 	MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3)
 
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_management_interface_gateway() {
@@ -715,6 +720,8 @@ whiptail_management_interface_gateway() {
 	MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your gateway:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
 
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_management_interface_ip() {
@@ -724,6 +731,8 @@ whiptail_management_interface_ip() {
 	MIP=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
 
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_management_interface_mask() {
@@ -733,6 +742,8 @@ whiptail_management_interface_mask() {
 	MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
 	"Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3)
 
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
 }
 
 whiptail_management_nic() {