mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
Merge branch 'feature/ec2_setup' into feature/setup-changes
This commit is contained in:
William Wernert
@@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then
|
||||
for i in rx tx sg tso ufo gso gro lro; do
|
||||
ethtool -K "$DEVICE_IFACE" "$i" off;
|
||||
done
|
||||
ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off
|
||||
ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
|
||||
fi
|
||||
@@ -499,28 +499,45 @@ create_local_directories() {
|
||||
|
||||
}
|
||||
|
||||
create_sensor_bond() {
|
||||
echo "Setting up sensor bond" >> "$setup_log" 2>&1
|
||||
|
||||
configure_network_sensor() {
|
||||
echo "Setting up sensor interface" >> "$setup_log" 2>&1
|
||||
local nic_error=0
|
||||
|
||||
check_network_manager_conf >> "$setup_log" 2>&1
|
||||
|
||||
# Set the MTU
|
||||
if [[ $NSMSETUP != 'ADVANCED' ]]; then
|
||||
MTU=1500
|
||||
if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi
|
||||
fi
|
||||
|
||||
if [[ $is_ec2 ]]; then
|
||||
INTERFACE=${BNICS[0]}
|
||||
local nmcli_con_arg="type ethernet"
|
||||
else
|
||||
INTERFACE='bond0'
|
||||
local nmcli_con_arg="type bond mode 0"
|
||||
fi
|
||||
|
||||
# Create the bond interface only if it doesn't already exist
|
||||
if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
|
||||
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
|
||||
|
||||
nmcli -f name,uuid -p con | grep -q "$INTERFACE"
|
||||
local found_int=$?
|
||||
|
||||
if [[ ! $found_int ]]; then
|
||||
nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \
|
||||
ipv4.method disabled \
|
||||
ipv6.method ignore \
|
||||
ethernet.mtu $MTU \
|
||||
connection.autoconnect "yes" >> "$setup_log" 2>&1
|
||||
else
|
||||
local int_uuid
|
||||
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ')
|
||||
|
||||
nmcli con mod "$int_uuid" \
|
||||
ipv4.method disabled \
|
||||
ipv6.method ignore \
|
||||
ethernet.mtu $MTU \
|
||||
connection.autoconnect "yes" >> "$setup_log" 2>&1
|
||||
fi
|
||||
|
||||
|
||||
for BNIC in "${BNICS[@]}"; do
|
||||
# Check if specific offload features are able to be disabled
|
||||
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
|
||||
@@ -536,15 +553,29 @@ create_sensor_bond() {
|
||||
ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1
|
||||
done
|
||||
|
||||
# Check if the bond slave connection has already been created
|
||||
if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then
|
||||
# Create the slave interface and assign it to the bond
|
||||
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
|
||||
ethernet.mtu $MTU \
|
||||
connection.autoconnect "yes" >> "$setup_log" 2>&1
|
||||
fi
|
||||
if [[ $is_ec2 ]]; then
|
||||
nmcli con up "$BNIC" >> "$setup_log" 2>&1
|
||||
else
|
||||
# Check if the bond slave connection has already been created
|
||||
nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC"
|
||||
local found_int=$?
|
||||
|
||||
if [[ ! $found_int ]]; then
|
||||
# Create the slave interface and assign it to the bond
|
||||
nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \
|
||||
ethernet.mtu $MTU \
|
||||
connection.autoconnect "yes" >> "$setup_log" 2>&1
|
||||
else
|
||||
local int_uuid
|
||||
int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ')
|
||||
|
||||
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
|
||||
nmcli con mod "$int_uuid" \
|
||||
ethernet.mtu $MTU \
|
||||
connection.autoconnect "yes" >> "$setup_log" 2>&1
|
||||
fi
|
||||
|
||||
nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up
|
||||
fi
|
||||
done
|
||||
|
||||
if [ $nic_error != 0 ]; then
|
||||
@@ -1331,7 +1362,7 @@ sensor_pillar() {
|
||||
# Create the sensor pillar
|
||||
printf '%s\n'\
|
||||
"sensor:"\
|
||||
" interface: bond0"\
|
||||
" interface: $INTERFACE"\
|
||||
" mainip: $MAINIP"\
|
||||
" mainint: $MNIC" >> "$pillar_file"
|
||||
|
||||
@@ -1442,13 +1473,13 @@ set_initial_firewall_policy() {
|
||||
$default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
case "$install_type" in
|
||||
'EVAL')
|
||||
$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True
|
||||
$default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True
|
||||
;;
|
||||
'MASTERSEARCH')
|
||||
$default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
|
||||
;;
|
||||
'STANDALONE')
|
||||
$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
|
||||
$default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
@@ -1462,7 +1493,7 @@ set_initial_firewall_policy() {
|
||||
case "$install_type" in
|
||||
'SENSOR')
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP"
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
|
||||
;;
|
||||
'SEARCHNODE')
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
@@ -1471,7 +1502,7 @@ set_initial_firewall_policy() {
|
||||
'HEAVYNODE')
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP"
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP"
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE
|
||||
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm"
|
||||
;;
|
||||
'FLEET')
|
||||
@@ -1634,3 +1665,10 @@ es_heapsize() {
|
||||
export NODE_ES_HEAP_SIZE
|
||||
fi
|
||||
}
|
||||
|
||||
detect_ec2() {
|
||||
# Check if EC2
|
||||
curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null
|
||||
is_ec2=$?
|
||||
export is_ec2
|
||||
}
|
||||
|
||||
@@ -108,7 +108,7 @@ export PATH=$PATH:../salt/common/tools/sbin
|
||||
|
||||
got_root
|
||||
|
||||
detect_os
|
||||
detect_os && detect_ec2
|
||||
|
||||
if [ "$OS" == ubuntu ]; then
|
||||
update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1
|
||||
@@ -235,7 +235,7 @@ fi
|
||||
|
||||
# Start user prompts
|
||||
if [[ $is_helix || $is_sensor ]]; then
|
||||
whiptail_bond_nics
|
||||
whiptail_sensor_nics
|
||||
calculate_useable_cores
|
||||
fi
|
||||
|
||||
@@ -388,9 +388,8 @@ fi
|
||||
update_packages >> $setup_log 2>&1
|
||||
|
||||
if [[ $is_sensor || $is_helix ]]; then
|
||||
set_progress_str 3 'Creating bond interface'
|
||||
create_sensor_bond >> $setup_log 2>&1
|
||||
|
||||
set_progress_str 3 'Configuring sensor interface'
|
||||
configure_network_sensor >> $setup_log 2>&1
|
||||
set_progress_str 4 'Generating sensor pillar'
|
||||
sensor_pillar >> $setup_log 2>&1
|
||||
fi
|
||||
|
||||
@@ -78,13 +78,21 @@ whiptail_bond_nics() {
|
||||
|
||||
filter_unused_nics
|
||||
|
||||
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
|
||||
if [[ $is_ec2 ]]; then
|
||||
local menu_text="Please select NIC for the Monitor Interface"
|
||||
local list_type="radiolist"
|
||||
else
|
||||
local menu_text="Please add NICs to the Monitor Interface"
|
||||
local list_type="checklist"
|
||||
fi
|
||||
|
||||
BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3)
|
||||
local exitstatus=$?
|
||||
whiptail_check_exitstatus $exitstatus
|
||||
|
||||
while [ -z "$BNICS" ]
|
||||
do
|
||||
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
|
||||
BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 )
|
||||
local exitstatus=$?
|
||||
whiptail_check_exitstatus $exitstatus
|
||||
done
|
||||
|
||||
Reference in New Issue
Block a user