From 3cf79995a24a3e2342dafa5e19406963004ebe6e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 1 Jul 2020 17:32:43 +0000 Subject: [PATCH 1/3] Modify Whiptail menu for EC2 NIC --- setup/so-whiptail | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 008d24e1f..a96cbcc83 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -107,6 +107,28 @@ whiptail_bond_nics_mtu() { } +whiptail_ec2_nic() { + + [ -n "$TESTING" ] && return + + filter_unused_nics + + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + while [ -z "$BNICS" ] + do + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + + BNICS=$(echo "$BNICS" | tr -d '"') + + IFS=' ' read -ra BNICS <<< "$BNICS" +} + whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 From 26b0daf2dadc3a29d89bac0fc337fc917b963118 Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 1 Jul 2020 17:42:51 +0000 Subject: [PATCH 2/3] Add other setup-related items for EC2 interface --- setup/so-functions | 55 +++++++++++++++++++++++++++++++++++++++++----- setup/so-setup | 17 ++++++++++---- 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..efccdedd5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -498,6 +498,7 @@ create_local_directories() { create_sensor_bond() { echo "Setting up sensor bond" >> "$setup_log" 2>&1 + INTERFACE="bond0" local nic_error=0 check_network_manager_conf >> "$setup_log" 2>&1 
@@ -1317,7 +1318,7 @@ sensor_pillar() { # Create the sensor pillar printf '%s\n'\ "sensor:"\ - " interface: bond0"\ + " interface: $INTERFACE"\ " mainip: $MAINIP"\ " mainint: $MNIC" >> "$pillar_file" @@ -1428,13 +1429,13 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" case "$install_type" in 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True ;; 'MASTERSEARCH') $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; esac ;; 
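Review bot: The `$INTERFACE` that replaces `bond0` in the addtotab.sh calls of set_initial_firewall_policy is unquoted and, as far as this series shows, still unset when that function runs: the so-setup hunks in patches 2 and 3 call set_initial_firewall_policy at progress step 1 and only assign INTERFACE when the interface is created at step 3, so addtotab.sh would receive one positional argument fewer than it did with the literal. Quote it (`"$INTERFACE"`) so an empty value is still passed as its own argument instead of silently shifting the ones after it, and assign INTERFACE before the firewall step — it depends only on `$is_ec2` and the whiptail NIC selection, both known by then. The same substitution appears in the next two hunks of this file (the SENSOR and HEAVYNODE branches). The enclosing case statements start and end outside these hunks.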
@@ -1448,7 +1449,7 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" @@ -1457,7 +1458,7 @@ set_initial_firewall_policy() { 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') 
@@ -1620,3 +1621,47 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } + +is_ec2() { + # Check if EC2 + if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then + is_ec2=1 + else + is_ec2=0 + fi +} + +create_ec2_sniffing() { + echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 + + local nic_error=0 + + check_network_manager_conf >> "$setup_log" 2>&1 + + # Set the MTU + if [[ $NSMSETUP != 'ADVANCED' ]]; then + MTU=1575 + fi + + for BNIC in "${BNICS[@]}"; do + # Check if specific offload features are able to be disabled + for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do + if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then + echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 + nic_error=1 + break + fi + done + + # Turn off various offloading settings for the interface + for i in rx tx sg tso ufo gso gro lro; do + ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 + done + done + + INTERFACE=$BNIC + + if [ $nic_error != 0 ]; then + return 1 + fi +} diff --git a/setup/so-setup b/setup/so-setup index a5b57f13d..69b9c3c32 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -100,6 +100,8 @@ got_root detect_os +is_ec2 + if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi @@ -225,7 +227,11 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - whiptail_bond_nics + if [ $is_ec2 -eq 1 ]; then + whiptail_ec2_nic + else + whiptail_bond_nics + fi calculate_useable_cores fi 
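Review bot: In the added create_ec2_sniffing, `grep -q "on [fixed]"` is a regular expression rather than the literal text ethtool prints: `[fixed]` is a bracket expression matching one of the letters f, i, x, e, d, so the output `on [fixed]` never matches and nic_error is never set; use `grep -qF 'on [fixed]'` (the identical line copied from create_sensor_bond has the same problem there). `INTERFACE=$BNIC` after the loop picks up whichever NIC was iterated last, and leaves INTERFACE empty if BNICS is empty, rather than the one selected NIC the radiolist prompt implies. The new is_ec2 function also assigns a global of the same name, so `is_ec2` reads as both a command and a flag; the rename in patch 3 of this series addresses that.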
@@ -373,9 +379,12 @@ fi update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond interface' - create_sensor_bond >> $setup_log 2>&1 - + set_progress_str 3 'Creating bond/sniffing interface' + if [ $is_ec2 -eq 1 ]; then + create_ec2_sniffing >> $setup_log 2>&1 + else + create_sensor_bond >> $setup_log 2>&1 + fi set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi From 54c33272402012b1aceaeec053623ed3b7ca6b16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:23:38 -0400 Subject: [PATCH 3/3] [refactor] Simplify ec2 detection + handling --- .../99-so-checksum-offload-disable | 2 +- setup/so-functions | 111 ++++++++---------- setup/so-setup | 26 ++-- setup/so-whiptail | 34 ++---- 4 files changed, 71 insertions(+), 102 deletions(-) diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index b8c21a299..917c0f72b 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable @@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$DEVICE_IFACE" "$i" off; done - ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off + ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on fi \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index efccdedd5..79ef25a3c 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -495,29 +495,45 @@ create_local_directories() { } -create_sensor_bond() { - echo "Setting up sensor bond" >> "$setup_log" 2>&1 - - INTERFACE="bond0" +configure_network_sensor() { + echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 - check_network_manager_conf >> "$setup_log" 2>&1 - # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1500 + if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi + fi + + if [[ $is_ec2 ]]; then + INTERFACE=${BNICS[0]} + local nmcli_con_arg="type ethernet" + else + INTERFACE='bond0' + local nmcli_con_arg="type bond mode 0" fi # Create the bond interface only if it doesn't already exist - if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then - nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ + + nmcli -f name,uuid -p con | grep -q "$INTERFACE" + local found_int=$? + + if [[ ! $found_int ]]; then + nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \ + ipv4.method disabled \ + ipv6.method ignore \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ') + + nmcli con mod "$int_uuid" \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi - for BNIC in "${BNICS[@]}"; do # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do 
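Review bot: The new existence check `if [[ ! $found_int ]]` never takes the create branch: `$found_int` holds grep's exit status ("0" or "1"), and `[[ ! string ]]` only tests for an empty string, so both values are non-empty, the else branch runs, and on a fresh system `int_uuid` is empty and `nmcli con mod ""` fails without any connection being created. Replace the three lines with a direct test, `if ! nmcli -t -f name con | grep -qx -- "$INTERFACE"; then`, which also avoids the substring match of `grep -q "$INTERFACE"` (e.g. `bond0` matching an existing `bond0-slave-eth1`). The slave-connection check in the next hunk (`found_int` for `bond0-slave-$BNIC`) has the same defect. Separately, the call to `check_network_manager_conf` is removed here and not re-added anywhere in the visible diff; if that is deliberate, the commit message should say so. configure_network_sensor continues past the end of this hunk.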
@@ -533,15 +549,29 @@ create_sensor_bond() { ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 done - # Check if the bond slave connection has already been created - if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ - ethernet.mtu $MTU \ - connection.autoconnect "yes" >> "$setup_log" 2>&1 - fi + if [[ $is_ec2 ]]; then + nmcli con up "$BNIC" >> "$setup_log" 2>&1 + else + # Check if the bond slave connection has already been created + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" + local found_int=$? + + if [[ ! $found_int ]]; then + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') - nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + nmcli con mod "$int_uuid" \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + fi + + nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + fi done if [ $nic_error != 0 ]; then 
@@ -1622,46 +1652,9 @@ es_heapsize() { fi } -is_ec2() { +detect_ec2() { # Check if EC2 - if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then - is_ec2=1 - else - is_ec2=0 - fi -} - -create_ec2_sniffing() { - echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 - - local nic_error=0 - - check_network_manager_conf >> "$setup_log" 2>&1 - - # Set the MTU - if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1575 - fi - - for BNIC in "${BNICS[@]}"; do - # Check if specific offload features are able to be disabled - for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do - if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then - echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 - nic_error=1 - break - fi - done - - # Turn off various offloading settings for the interface - for i in rx tx sg tso ufo gso gro lro; do - ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 - done - done - - INTERFACE=$BNIC - - if [ $nic_error != 0 ]; then - return 1 - fi + curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null + is_ec2=$? + export is_ec2 } diff --git a/setup/so-setup b/setup/so-setup index 69b9c3c32..733496a95 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -98,9 +98,7 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -detect_os - -is_ec2 +detect_os && detect_ec2 if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 @@ -227,11 +225,7 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - if [ $is_ec2 -eq 1 ]; then - whiptail_ec2_nic - else - whiptail_bond_nics - fi + whiptail_sensor_nics calculate_useable_cores fi 
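Review bot: `is_ec2=$?` in detect_ec2 stores curl's exit status, which is 0 on EC2 and non-zero elsewhere, but every consumer in this patch tests `[[ $is_ec2 ]]` (configure_network_sensor, its slave loop and whiptail_bond_nics), which is true for any non-empty string, so "0" and e.g. "7" both count as EC2 and every install takes the EC2 path. Make the variable empty when not on EC2: `is_ec2=` followed by `curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null && is_ec2=1` before the `export`. Note also that the probe is an unauthenticated IMDSv1-style GET: on an instance configured to require IMDSv2 (session token only) the request gets a 401, `--fail` makes curl exit non-zero and the host is treated as non-EC2, so a bond0 setup is attempted; a comment stating that limitation would save whoever hits it some time. In so-setup, `detect_os && detect_ec2` silently skips detection when detect_os returns non-zero, leaving is_ec2 unset.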
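Review bot: so-setup now calls `whiptail_sensor_nics`, but nothing in this patch defines it: the only so-whiptail hunks modify `whiptail_bond_nics` in place and delete `whiptail_ec2_nic`, and the diffstat for that file (34 lines) is fully accounted for by those two hunks, so unless the rename happens in a commit outside this series the prompt step fails with an unknown command and BNICS stays empty. Either keep the call as `whiptail_bond_nics` or rename the definition in so-whiptail to match.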
@@ -370,21 +364,17 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond/sniffing interface' - if [ $is_ec2 -eq 1 ]; then - create_ec2_sniffing >> $setup_log 2>&1 - else - create_sensor_bond >> $setup_log 2>&1 - fi + set_progress_str 3 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index a96cbcc83..a8a263f78 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -78,13 +78,21 @@ whiptail_bond_nics() { filter_unused_nics - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + if [[ $is_ec2 ]]; then + local menu_text="Please select NIC for the Monitor Interface" + local list_type="radiolist" + else + local menu_text="Please add NICs to the Monitor Interface" + local list_type="checklist" + fi + + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus while [ -z "$BNICS" ] do - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus done 
@@ -107,28 +115,6 @@ whiptail_bond_nics_mtu() { } -whiptail_ec2_nic() { - - [ -n "$TESTING" ] && return - - filter_unused_nics - - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - while [ -z "$BNICS" ] - do - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - done - - BNICS=$(echo "$BNICS" | tr -d '"') - - IFS=' ' read -ra BNICS <<< "$BNICS" -} - whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75