From 03dfece9af3f8266caba7687d32a2ddf720dde92 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 14:18:25 -0400 Subject: [PATCH 01/22] [feat] Fail setup early if "ERROR" is found in setup log --- setup/so-functions | 5 +++-- setup/so-setup | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 70c96f794..3fb98cd23 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1241,8 +1241,9 @@ salt_checkin() { cat /etc/pki/ca.crt echo " Applyng a mine hack"; salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt; - echo " Confirming salt mine now contain the certificate" - salt \* mine.get \* x509.get_pem_entries + salt '*' mine.update; + echo " Confirming salt mine now contain the certificate"; + salt '*' mine.get '*' x509.get_pem_entries; echo " Applying SSL state"; salt-call state.apply ssl; } >> "$setup_log" 2>&1 diff --git a/setup/so-setup b/setup/so-setup index 478151def..54b5a03e4 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -52,10 +52,14 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if [ $automated == no ]; then + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + whiptail_setup_failed + fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else cat >> $setup_log 2>&1 fi + } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then @@ -389,7 +393,6 @@ fi set_progress_str 9 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' create_local_directories >> $setup_log 2>&1 From 379a5445e88dbcb61ce53f097d2958018c85e0fe Mon Sep 17 00:00:00 2001 
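Review bot: In progress() in setup/so-setup, `[[ -s /var/spool/mail/root ]]` is true whenever root's mailbox is non-empty, including mail delivered before setup started, so a host with old root mail is reported as a failed install. Recording the spool size when the log header is written and comparing against it here would match the intent, e.g. `mail_size_start=$(stat -c %s /var/spool/mail/root 2>/dev/null || echo 0)`. The same test is carried through patches 02 to 05 and 09, where the logged message says the spool "grew" although no growth is measured. `$setup_log` is also unquoted in the `grep`, so a log path containing whitespace would be split.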
From: William Wernert Date: Wed, 10 Jun 2020 14:27:18 -0400 Subject: [PATCH 02/22] [feat] Also exit with non-zero status for automated installs --- setup/so-setup | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 54b5a03e4..86d3b5e5c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -57,6 +57,9 @@ function progress() { fi whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 else + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + exit 1 + fi cat >> $setup_log 2>&1 fi From 7de02752e5d9c44e294714ca74aede5ceb62f870 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:29:54 -0400 Subject: [PATCH 03/22] [fix] Reboot on early failure too, better if statements --- setup/so-setup | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 86d3b5e5c..495e92637 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,18 +51,17 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if [ $automated == no ]; then - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - whiptail_setup_failed - fi - whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi + + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi else - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then - exit 1 + if [ $automated == no ]; then + whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 + else + cat >> $setup_log 2>&1 fi - cat >> $setup_log 2>&1 fi - } if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then 
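Review bot: In the rewritten progress() of patch 03, the automated branch runs `exit 1` before the `if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi` line, so the reboot this commit adds is only reachable for interactive installs. If automated installs are meant to reboot as well, limit the first test to `if [[ $automated == no ]]; then whiptail_setup_failed; fi` and exit after the reboot check; patch 04 keeps the same ordering. The log is also inspected only once, on entry, before the gauge or `cat` starts reading input, so an ERROR written later is not seen by this call; how often progress() is invoked is outside the hunk.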
@@ -368,10 +367,10 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 @@ -599,10 +598,12 @@ fi success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ "$success" = 0 ]]; then whiptail_setup_complete + if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi + if [[ $THEHIVE == 1 ]]; then check_hive_init fi From 07b2f2885cce4935a99269ee0add4037b2b502af Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 10 Jun 2020 15:32:46 -0400 Subject: [PATCH 04/22] [fix] Always exit on early failure --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 495e92637..8c1ffe6a1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -54,7 +54,7 @@ function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi - if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; fi + if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi else if [ $automated == no ]; then whiptail --title "Security Onion Install" --gauge 'Please wait while installing' 6 60 0 From ce86dbfac0b11366ab04bc352f74a86c3feefe30 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 11 Jun 2020 09:24:23 -0400 Subject: [PATCH 05/22] [feat] Add message about root mail spool growing --- setup/so-setup | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 8c1ffe6a1..3b5653cbc 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -52,6 +52,10 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if [[ -s /var/spool/mail/root ]]; then + echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 + fi + if [[ $automated == no ]]; then whiptail_setup_failed; else exit 1; fi if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit 1; fi From 53c3b1579bc30d7ebe4bb7d0d36e0b55cc20d3a8 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:20:17 -0400 Subject: [PATCH 06/22] [feat] Reformat install type menu --- setup/so-whiptail | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2aa7bf10c..2af8db7e3 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -430,27 +430,37 @@ whiptail_install_type() { # What kind of install are we doing? install_type=$(whiptail --title "Security Onion Setup" --radiolist \ - "Choose Install Type:" 20 75 13 \ - "SENSOR" "Create a forward only sensor" ON \ - "SEARCHNODE" "Add a Search Node with parsing" OFF \ - "MASTER" "Start a new grid" OFF \ - "EVAL" "Evaluate all the things" OFF \ - "STANDALONE" "Standalone full install of everything" OFF \ - "MASTERSEARCH" "Master + Search Node" OFF \ - "HEAVYNODE" "Sensor + Search Node" OFF \ - "HELIXSENSOR" "Connect this sensor to FireEye Helix" OFF \ - "FLEET" "Dedicated Fleet Osquery Node" OFF \ - "HOTNODE" "TODO Add Hot Node (Uses Elastic Clustering)" OFF \ - "WARMNODE" "TODO Add Warm Node to existing Hot or Search node" OFF \ - "WAZUH" "TODO Stand Alone Wazuh Server" OFF \ - "STRELKA" "TODO Stand Alone Strelka Node" OFF 3>&1 1>&2 2>&3 ) + "Choose install type:" 10 65 3 \ + "EVAL" "Evaluation mode (not for production) " ON \ + "STANDALONE" "Standalone production install " OFF \ + "DISTRIBUTED" "Distributed install submenu " OFF \ + 3>&1 1>&2 2>&3 + ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + if [[ $install_type == "DISTRIBUTED" ]]; then + install_type=$(whiptail --title "Security Onion Setup" --radiolist \ + "Choose distributed node type:" 13 60 6 \ + "MASTER" "Start a new grid " ON \ + "SENSOR" "Create a forward only sensor " OFF \ + "SEARCHNODE" "Add a search node with parsing " OFF \ + "MASTERSEARCH" "Master + search node " OFF \ + "FLEET" "Dedicated Fleet Osquery Node " OFF \ + "HEAVYNODE" "Sensor + Search Node " OFF \ + 3>&1 1>&2 2>&3 + # "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO + # "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO + # "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO + # "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO + ) + fi local exitstatus=$? whiptail_check_exitstatus $exitstatus export install_type - - } whiptail_log_size_limit() { 
From 0a97328acca543f5538cfb77063d001bcff74f26 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Jun 2020 15:53:21 -0400 Subject: [PATCH 07/22] [fix] Apply regex filter to hostname input --- setup/so-whiptail | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2af8db7e3..e5ebb8827 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -961,16 +961,23 @@ whiptail_set_hostname() { HOSTNAME=$(cat /etc/hostname) + if [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi + HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus - while [[ "$HOSTNAME" == *'localhost'* ]] ; do - whiptail --title "Security Onion Setup" --msgbox "Please choose a hostname that doesn't contain localhost." 8 75 + while [[ $HOSTNAME == *'localhost'* || ! ( $HOSTNAME =~ ^[a-zA-Z0-9\-]*$ ) ]] ; do + local error_message + error_message=$(echo "Please choose a valid hostname. It cannot contain localhost; and must contain only \ + the ASCII letters 'a' through 'z' (case-insensitive), the digits '0' through '9', \ + and hyphen ('-')" | tr -d '\t') + whiptail --title "Security Onion Setup" \ + --msgbox "$error_message" 10 75 HOSTNAME=$(whiptail --title "Security Onion Setup" --inputbox \ - "Enter the Hostname you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) + "Enter the hostname (not FQDN) you would like to set." 10 75 "$HOSTNAME" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus done From cab232ae9f94c4267a319566fe20514ead9ddedf Mon Sep 17 00:00:00 2001 
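Review bot: The new pattern `^[a-zA-Z0-9\-]*$` in whiptail_set_hostname accepts the empty string and names that begin or end with a hyphen, so submitting a blank input box passes validation. A stricter test such as `[[ $HOSTNAME =~ ^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$ ]]` rejects those cases and also enforces the 63-character label limit. The function begins and ends outside the hunk, so how HOSTNAME is applied afterwards is not visible here.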
From: William Wernert Date: Tue, 30 Jun 2020 10:11:02 -0400 Subject: [PATCH 08/22] [feat] Add check for disk space during setup --- setup/so-functions | 30 ++++++++++++++++++++++-------- setup/so-variables | 4 ++++ setup/so-whiptail | 2 +- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..3703a3338 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -388,8 +388,6 @@ configure_minion() { printf '%s\n' '----'; cat "$minion_config"; } >> "$setup_log" 2>&1 - - } checkin_at_boot() { @@ -399,27 +397,33 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } - check_requirements() { local eval_or_dist=$1 local node_type=$2 # optional local req_mem local req_cores + local req_storage local nic_list readarray -t nic_list <<< "$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "bond0" | sed 's/ //g')" local num_nics=${#nic_list[@]} - + if [[ "$eval_or_dist" == 'eval' ]]; then req_mem=12 req_cores=4 req_nics=2 + req_storage=100 elif [[ "$eval_or_dist" == 'dist' ]]; then req_mem=8 req_cores=4 + req_storage=40 if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi fi + if (( $(echo "$free_space_root < $req_storage" | bc -l) )); then + whiptail_requirements_error "disk space" "${free_space_root} GB" "${req_storage} GB" + fi + if [[ $num_nics -lt $req_nics ]]; then whiptail_requirements_error "NICs" "$num_nics" "$req_nics" fi @@ -429,7 +433,7 @@ check_requirements() { fi if [[ $total_mem_hr -lt $req_mem ]]; then - whiptail_requirements_error "memory" "${total_mem_hr}GB" "${req_mem}GB" + whiptail_requirements_error "memory" "${total_mem_hr} GB" "${req_mem} GB" fi } 
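Review bot: The disk-space test added to check_requirements, `(( $(echo "$free_space_root < $req_storage" | bc -l) ))`, does not fail closed: when `bc` is missing or either operand is empty the substitution produces no output, the arithmetic evaluates false, and the check is skipped without any message. `req_storage` is only assigned in the `eval` and `dist` branches, and `free_space_root` is already rounded to a whole number in setup/so-variables, so shell arithmetic is enough and removes the bc dependency: `if (( free_space_root < req_storage )); then`. A guard such as `: "${req_storage:?unknown install type}"` before the comparison would make an unexpected `eval_or_dist` value visible.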
@@ -565,11 +569,19 @@ detect_os() { exit 1 fi + echo "Installing required packages to run installer" # Install bind-utils so the host command exists if ! command -v host > /dev/null 2>&1; then - echo "Installing required packages to run installer" - yum -y install bind-utils yum-plugin-versionlock >> "$setup_log" 2>&1 + yum -y install bind-utils >> "$setup_log" 2>&1 fi + if ! command -v nmcli > /dev/null 2>&1; then + { + yum -y install NetworkManager; + systemctl enable NetworkManager; + systemctl start NetworkManager; + } >> "$setup_log" 2<&1 + fi + yum -y install yum-plugin-versionlock bc >> "$setup_log" 2>&1 elif [ -f /etc/os-release ]; then @@ -582,15 +594,17 @@ detect_os() { echo "We do not support your current version of Ubuntu." exit 1 fi + + echo "Installing required packages to run installer" # Install network manager so we can do interface stuff if ! command -v nmcli > /dev/null 2>&1; then - echo "Installing required packages to run installer" { apt-get install -y network-manager; systemctl enable NetworkManager; systemctl start NetworkManager; } >> "$setup_log" 2<&1 fi + apt-get install -y bc >> "$setup_log" 2>&1 else echo "We were unable to determine if you are using a supported OS." diff --git a/setup/so-variables b/setup/so-variables index e14a955ab..4e08b2fef 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -28,6 +28,9 @@ mkdir -p /nsm filesystem_nsm=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_nsm +free_space_root=$(df -Pk / | sed 1d | grep -v used | awk '{ print $4 / 1048576 }' | awk '{ printf("%.0f", $1) }') +export free_space_root + mkdir -p /root/installtmp/pillar/minions export temp_install_dir=/root/installtmp @@ -36,6 +39,7 @@ export percentage_str='Getting started' export DEBIAN_FRONTEND=noninteractive export default_salt_dir=/opt/so/saltstack/default + export local_salt_dir=/opt/so/saltstack/local export SCRIPTDIR=$(cd `dirname $0` && pwd) 
diff --git a/setup/so-whiptail b/setup/so-whiptail index e5ebb8827..de27b691b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -292,7 +292,7 @@ whiptail_requirements_error() { [ -n "$TESTING" ] && return whiptail --title "Security Onion Setup" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 8 75 + --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus From ce8a59243c18af9dfa9b5ffd562601c49fc92197 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Jun 2020 14:26:48 -0400 Subject: [PATCH 09/22] [feat] Add grep for "Error" to fail if nmcli fails --- setup/so-setup | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 3b5653cbc..f2f92cf93 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -q "ERROR" $setup_log || grep -q "Error" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi 
@@ -341,14 +341,19 @@ if [[ "$setup_type" == 'iso' ]]; then disable_onion_user fi -set_hostname >> $setup_log 2>&1 -set_version >> $setup_log 2>&1 -clear_master >> $setup_log 2>&1 +{ + set_hostname; + set_version; + clear_master; +} >> $setup_log 2>&1 + if [[ $is_master ]]; then - generate_passwords >> $setup_log 2>&1 - secrets_pillar >> $setup_log 2>&1 - add_socore_user_master >> $setup_log 2>&1 + { + generate_passwords; + secrets_pillar; + add_socore_user_master; + } >> $setup_log 2>&1 fi if [[ $is_master && ! $is_eval ]]; then @@ -401,11 +406,13 @@ fi if [[ $is_master || $is_helix ]]; then set_progress_str 10 'Configuring Salt master' - create_local_directories >> $setup_log 2>&1 - addtotab_generate_templates >> $setup_log 2>&1 - copy_master_config >> $setup_log 2>&1 - setup_salt_master_dirs >> $setup_log 2>&1 - firewall_generate_templates >> $setup_log 2>&1 + { + create_local_directories; + addtotab_generate_templates; + copy_master_config; + setup_salt_master_dirs; + firewall_generate_templates; + } >> $setup_log 2>&1 set_progress_str 11 'Updating sudoers file for soremote user' update_sudoers >> $setup_log 2>&1 @@ -540,7 +547,7 @@ fi fi set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')" - so-fleet-setup $FLEETNODEUSER $FLEETNODEPASSWD1 >> $setup_log 2>&1 + so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1 fi @@ -605,7 +612,7 @@ if [[ "$success" = 0 ]]; then if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR - so-allow -$ALLOW_ROLE >> $setup_log 2>&1 + so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then From 3a9d252af3d0d0796023f75d547de1931bc9926e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 09:42:07 -0400 Subject: [PATCH 10/22] [fix] Correct indent in create_local_directories() --- setup/so-functions | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
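Review bot: Quoting `"$FLEETNODEPASSWD1"` fixes word splitting, but the Fleet password is still handed to so-fleet-setup as a command-line argument, where other local users can read it from the process list while the command runs. If so-fleet-setup can be changed to read the secret from stdin or an environment variable, that keeps it out of argv; so-fleet-setup itself is not shown on this page. The new `{ ...; } >> $setup_log 2>&1` groups also leave `$setup_log` unquoted, unlike the `"$setup_log"` form used in setup/so-functions.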
diff --git a/setup/so-functions b/setup/so-functions index 3703a3338..f8a5230f0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -485,17 +485,17 @@ copy_ssh_key() { } create_local_directories() { - echo "Creating local pillar and salt directories" - PILLARSALTDIR=${SCRIPTDIR::-5} - for i in "pillar" "salt"; do - for d in `find $PILLARSALTDIR/$i -type d`; do - suffixdir=${d//$PILLARSALTDIR/} - if [ ! -d "$local_salt_dir/$suffixdir" ]; then - mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 - fi - done - chown -R socore:socore "$local_salt_dir/$i" - done + echo "Creating local pillar and salt directories" + PILLARSALTDIR=${SCRIPTDIR::-5} + for i in "pillar" "salt"; do + for d in $(find $PILLARSALTDIR/$i -type d); do + suffixdir=${d//$PILLARSALTDIR/} + if [ ! -d "$local_salt_dir/$suffixdir" ]; then + mkdir -v "$local_salt_dir$suffixdir" >> "$setup_log" 2>&1 + fi + done + chown -R socore:socore "$local_salt_dir/$i" + done } From c97798b57db036272473f5ea8cd246ab111bd53f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 09:43:39 -0400 Subject: [PATCH 11/22] [feat] Add check to see if bond nics are managed by Network Manager --- setup/so-variables | 6 +++++- setup/so-whiptail | 14 ++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/setup/so-variables b/setup/so-variables index 4e08b2fef..bd5f8869d 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -42,4 +42,8 @@ export default_salt_dir=/opt/so/saltstack/default export local_salt_dir=/opt/so/saltstack/local -export SCRIPTDIR=$(cd `dirname $0` && pwd) +SCRIPTDIR=$(cd "$(dirname "$0")" && pwd) +export SCRIPTDIR + +readarray -t nmcli_dev_status_list <<< "$(nmcli -t -f DEVICE,STATE -c no dev status)" +export nmcli_dev_status_list diff --git a/setup/so-whiptail b/setup/so-whiptail index de27b691b..d047f3253 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
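Review bot: `export nmcli_dev_status_list` in setup/so-variables has no effect on child processes because bash cannot export array variables, and the consumer added in whiptail_bond_nics (the so-whiptail hunk of this commit) expands it as `"${nmcli_dev_status_list}"`, which is element 0 only. As written, only the first device line reported by nmcli is ever compared with the selected NICs. Either keep the output as one string, `nmcli_dev_status=$(nmcli -t -f DEVICE,STATE -c no dev status)`, or match against `"${nmcli_dev_status_list[*]}"`. The list is captured once when so-variables is read, so it may be out of date by the time the NIC menu is shown.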
@@ -92,6 +92,20 @@ whiptail_bond_nics() { BNICS=$(echo "$BNICS" | tr -d '"') IFS=' ' read -ra BNICS <<< "$BNICS" + + local unmanaged_bond=0 + for bond_nic in "${BNICS[@]}"; do + if [[ ! "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + unmanaged_bond=1 + fi + if [[ "$unmanaged_bond" == 1 ]]; then + whiptail \ + --title "Security Onion Setup" \ + --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ + 8 75 + exit + fi + done } whiptail_bond_nics_mtu() { From 90f4b8e04378749f7edb8711f59f008297b777dd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 11:03:18 -0400 Subject: [PATCH 12/22] [feat] Add welcome/instruction wording to initial menu --- setup/so-whiptail | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index d047f3253..202053cc0 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -295,8 +295,6 @@ whiptail_fleet_custom_hostname() { whiptail_check_exitstatus $exitstatus } - - whiptail_requirements_error() { local requirement_needed=$1 @@ -1152,7 +1150,20 @@ whiptail_you_sure() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Are you sure you want to continue a network install of Security Onion?" 8 75 + read -r -d '' you_sure_text <<- EOM + Welcome to Security Onion Setup! + + You can use Setup for lots of different use cases from a small standalone installation to a large distributed deployment for your enterprise. + + Setup uses keyboard navigation and you can use arrow keys to move around. Certain screens may provide a list and ask you to select one or more items from that list. You can use [SPACE] to select items and [ENTER] to proceed to the next screen. + + Would you like to continue? + EOM + + whiptail \ + --title "Security Onion Setup" \ + --yesno "$you_sure_text" \ + 20 75 local exitstatus=$? return $exitstatus 
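Review bot: The bare `exit` after the msgbox in whiptail_bond_nics returns the status of the last command, which is the whiptail dialog, so setup ends with status 0 after refusing an unmanaged NIC; `exit 1` lets callers and automation see the failure. The match `$bond_nic\:unmanaged` is unanchored, so a selected `eth1` would also match a device line such as `veth1:unmanaged` (constructed example); comparing whole `DEVICE:STATE` entries avoids that. The function begins outside the hunk.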
From db764902c77ea9f06081543cadc6b419ce089406 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 13:05:11 -0400 Subject: [PATCH 13/22] [fix] Change if condition when checking nmcli status --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 202053cc0..0ec48f2ae 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -95,7 +95,7 @@ whiptail_bond_nics() { local unmanaged_bond=0 for bond_nic in "${BNICS[@]}"; do - if [[ ! "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then + if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then unmanaged_bond=1 fi if [[ "$unmanaged_bond" == 1 ]]; then From 3cf79995a24a3e2342dafa5e19406963004ebe6e Mon Sep 17 00:00:00 2001 From: Wes Lambert Date: Wed, 1 Jul 2020 17:32:43 +0000 Subject: [PATCH 14/22] Modify Whiptail menu for EC2 NIC --- setup/so-whiptail | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 008d24e1f..a96cbcc83 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -107,6 +107,28 @@ whiptail_bond_nics_mtu() { } +whiptail_ec2_nic() { + + [ -n "$TESTING" ] && return + + filter_unused_nics + + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + while [ -z "$BNICS" ] + do + BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + done + + BNICS=$(echo "$BNICS" | tr -d '"') + + IFS=' ' read -ra BNICS <<< "$BNICS" +} + whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 From 26b0daf2dadc3a29d89bac0fc337fc917b963118 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Wed, 1 Jul 2020 17:42:51 +0000 Subject: [PATCH 15/22] Add other setup-related items for EC2 interface --- setup/so-functions | 55 +++++++++++++++++++++++++++++++++++++++++----- setup/so-setup | 17 ++++++++++---- 2 files changed, 63 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 1359ad66d..efccdedd5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -498,6 +498,7 @@ create_local_directories() { create_sensor_bond() { echo "Setting up sensor bond" >> "$setup_log" 2>&1 + INTERFACE="bond0" local nic_error=0 check_network_manager_conf >> "$setup_log" 2>&1 @@ -1317,7 +1318,7 @@ sensor_pillar() { # Create the sensor pillar printf '%s\n'\ "sensor:"\ - " interface: bond0"\ + " interface: $INTERFACE"\ " mainip: $MAINIP"\ " mainint: $MNIC" >> "$pillar_file" @@ -1428,13 +1429,13 @@ set_initial_firewall_policy() { $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" case "$install_type" in 'EVAL') - $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 True + $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE True ;; 'MASTERSEARCH') $default_salt_dir/pillar/data/addtotab.sh mastersearchtab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'STANDALONE') - $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + $default_salt_dir/pillar/data/addtotab.sh standalonetab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; esac ;; 
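Review bot: `$INTERFACE` is the only unquoted argument in the addtotab.sh calls of set_initial_firewall_policy, and it replaces a literal `bond0` that could never be empty. In setup/so-setup the firewall step runs at progress step 1 while the bond or sniffing interface, where INTERFACE is assigned, is created at step 3, so unless INTERFACE is set somewhere outside this patch the argument expands to nothing and `True` moves into its position in the evaltab call. Quoting it and failing loudly, `"${INTERFACE:?INTERFACE is not set}"`, or assigning INTERFACE before the firewall step, closes that gap. The same applies to the two sensorstab calls (SENSOR and HEAVYNODE) in the following hunk, where the value is additionally re-parsed by the remote shell behind `ssh`.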
@@ -1448,7 +1449,7 @@ set_initial_firewall_policy() { case "$install_type" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" @@ -1457,7 +1458,7 @@ set_initial_firewall_policy() { 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" bond0 + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" $INTERFACE ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; 'FLEET') 
@@ -1620,3 +1621,47 @@ es_heapsize() { export NODE_ES_HEAP_SIZE fi } + +is_ec2() { + # Check if EC2 + if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then + is_ec2=1 + else + is_ec2=0 + fi +} + +create_ec2_sniffing() { + echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 + + local nic_error=0 + + check_network_manager_conf >> "$setup_log" 2>&1 + + # Set the MTU + if [[ $NSMSETUP != 'ADVANCED' ]]; then + MTU=1575 + fi + + for BNIC in "${BNICS[@]}"; do + # Check if specific offload features are able to be disabled + for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do + if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then + echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 + nic_error=1 + break + fi + done + + # Turn off various offloading settings for the interface + for i in rx tx sg tso ufo gso gro lro; do + ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 + done + done + + INTERFACE=$BNIC + + if [ $nic_error != 0 ]; then + return 1 + fi +} diff --git a/setup/so-setup b/setup/so-setup index a5b57f13d..69b9c3c32 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -100,6 +100,8 @@ got_root detect_os +is_ec2 + if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 fi @@ -225,7 +227,11 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - whiptail_bond_nics + if [ $is_ec2 -eq 1 ]; then + whiptail_ec2_nic + else + whiptail_bond_nics + fi calculate_useable_cores fi 
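Review bot: In create_ec2_sniffing, `grep -q "on [fixed]"` treats `[fixed]` as a bracket expression (one of the characters f, i, x, e, d), so it does not match the literal text `on [fixed]` and `nic_error` is never set for an unsupported NIC. A fixed-string match, `grep -qF "on [fixed]"`, with `"$string"` quoted in the preceding grep, tests what the log message describes. After the loop, `INTERFACE=$BNIC` takes whichever NIC was iterated last, which is only well defined when exactly one NIC was selected; `INTERFACE=${BNICS[0]}` states that intent directly.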
@@ -373,9 +379,12 @@ fi update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond interface' - create_sensor_bond >> $setup_log 2>&1 - + set_progress_str 3 'Creating bond/sniffing interface' + if [ $is_ec2 -eq 1 ]; then + create_ec2_sniffing >> $setup_log 2>&1 + else + create_sensor_bond >> $setup_log 2>&1 + fi set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi From 44890edc79180b67a6196c3ec926b4d140331b66 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 13:51:54 -0400 Subject: [PATCH 16/22] [refactor] Use regex in error check for setup log --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 769e7e50a..31d894b2e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -q "ERROR" $setup_log || grep -q "Error" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -qE "(ERROR|Error)" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi From 4b5571a8d684d88b6619001347ed233c6aff9e22 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 13:56:15 -0400 Subject: [PATCH 17/22] [refactor][fix] Remove unnecessary variable --- setup/so-whiptail | 4 ---- 1 file changed, 4 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 0ec48f2ae..c157d5257 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -93,12 +93,8 @@ whiptail_bond_nics() { IFS=' ' read -ra BNICS <<< "$BNICS" - local unmanaged_bond=0 for bond_nic in "${BNICS[@]}"; do if [[ "${nmcli_dev_status_list}" =~ $bond_nic\:unmanaged ]]; then - unmanaged_bond=1 - fi - if [[ "$unmanaged_bond" == 1 ]]; then whiptail \ --title "Security Onion Setup" \ --msgbox "$bond_nic is unmanaged by Network Manager. Please remove it from other network management tools then re-run setup." \ From 54c33272402012b1aceaeec053623ed3b7ca6b16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:23:38 -0400 Subject: [PATCH 18/22] [refactor] Simplify ec2 detection + handling --- .../99-so-checksum-offload-disable | 2 +- setup/so-functions | 111 ++++++++---------- setup/so-setup | 26 ++-- setup/so-whiptail | 34 ++---- 4 files changed, 71 insertions(+), 102 deletions(-) diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index b8c21a299..917c0f72b 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable @@ -4,5 +4,5 @@ if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* ]]; then for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$DEVICE_IFACE" "$i" off; done - ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off + ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on fi \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index efccdedd5..79ef25a3c 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -495,29 +495,45 @@ create_local_directories() { } -create_sensor_bond() { - echo "Setting up sensor bond" >> "$setup_log" 2>&1 - - INTERFACE="bond0" +configure_network_sensor() { + echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 - check_network_manager_conf >> "$setup_log" 2>&1 - # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1500 + if [[ $is_ec2 ]]; then MTU=1575; else MTU=1500; fi + fi + + if [[ $is_ec2 ]]; then + INTERFACE=${BNICS[0]} + local nmcli_con_arg="type ethernet" + else + INTERFACE='bond0' + local nmcli_con_arg="type bond mode 0" fi # Create the bond interface only if it doesn't already exist - if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then - nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ + + nmcli -f name,uuid -p con | grep -q "$INTERFACE" + local found_int=$? + + if [[ ! $found_int ]]; then + nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \ + ipv4.method disabled \ + ipv6.method ignore \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/$INTERFACE //p" | tr -d ' ') + + nmcli con mod "$int_uuid" \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi - for BNIC in "${BNICS[@]}"; do # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do 
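Review bot: `[[ ! $found_int ]]` in configure_network_sensor tests whether the string is empty, not whether grep succeeded, and `found_int` always holds a number, so the `nmcli con add` branch is unreachable and a missing connection falls through to `nmcli con mod` with an empty UUID. Testing the command directly fixes it: `if ! nmcli -f name,uuid -p con | grep -q "$INTERFACE"; then`. The same pattern is used for the bond-slave check in the next hunk, and for `[[ $is_ec2 ]]` here, which is true for every value detect_ec2 stores with `is_ec2=$?` (last so-functions hunk of this commit), so every host takes the EC2 path. Setting a non-empty flag only on success in detect_ec2, as the other `is_*` flags appear to be used, keeps the existing `[[ $is_ec2 ]]` tests correct.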
@@ -533,15 +549,29 @@ create_sensor_bond() { ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 done - # Check if the bond slave connection has already been created - if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') ]]; then - # Create the slave interface and assign it to the bond - nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ - ethernet.mtu $MTU \ - connection.autoconnect "yes" >> "$setup_log" 2>&1 - fi + if [[ $is_ec2 ]]; then + nmcli con up "$BNIC" >> "$setup_log" 2>&1 + else + # Check if the bond slave connection has already been created + nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" + local found_int=$? + + if [[ ! $found_int ]]; then + # Create the slave interface and assign it to the bond + nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + else + local int_uuid + int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') - nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + nmcli con mod "$int_uuid" \ + ethernet.mtu $MTU \ + connection.autoconnect "yes" >> "$setup_log" 2>&1 + fi + + nmcli con up "bond0-slave-$BNIC" >> "$setup_log" 2>&1 # Bring the slave interface up + fi done if [ $nic_error != 0 ]; then 
@@ -1622,46 +1652,9 @@ es_heapsize() { fi } -is_ec2() { +detect_ec2() { # Check if EC2 - if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null;then - is_ec2=1 - else - is_ec2=0 - fi -} - -create_ec2_sniffing() { - echo "Setting up sensor sniffing interface" >> "$setup_log" 2>&1 - - local nic_error=0 - - check_network_manager_conf >> "$setup_log" 2>&1 - - # Set the MTU - if [[ $NSMSETUP != 'ADVANCED' ]]; then - MTU=1575 - fi - - for BNIC in "${BNICS[@]}"; do - # Check if specific offload features are able to be disabled - for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do - if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then - echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 - nic_error=1 - break - fi - done - - # Turn off various offloading settings for the interface - for i in rx tx sg tso ufo gso gro lro; do - ethtool -K "$BNIC" $i off >> "$setup_log" 2>&1 - done - done - - INTERFACE=$BNIC - - if [ $nic_error != 0 ]; then - return 1 - fi + curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null + is_ec2=$? + export is_ec2 } diff --git a/setup/so-setup b/setup/so-setup index 69b9c3c32..733496a95 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -98,9 +98,7 @@ export PATH=$PATH:../salt/common/tools/sbin got_root -detect_os - -is_ec2 +detect_os && detect_ec2 if [ "$OS" == ubuntu ]; then update-alternatives --set newt-palette /etc/newt/palette.original >> $setup_log 2>&1 @@ -227,11 +225,7 @@ fi # Start user prompts if [[ $is_helix || $is_sensor ]]; then - if [ $is_ec2 -eq 1 ]; then - whiptail_ec2_nic - else - whiptail_bond_nics - fi + whiptail_sensor_nics calculate_useable_cores fi 
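Review bot: detect_ec2 decides the platform from an unauthenticated `curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id`, which is an IMDSv1-style request. On instances that require IMDSv2 session tokens the GET is rejected and `--fail` reports the host as not EC2, while any other service answering on that link-local address would presumably be taken for EC2. Requesting a token first (a `PUT` to `/latest/api/token` with the `X-aws-ec2-metadata-token-ttl-seconds` header, then sending it as `X-aws-ec2-metadata-token` on the GET) covers both metadata modes. The same probe is kept unchanged in the later `@@ -1668,7 +1668,5 @@` hunk of this series.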
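Review bot: `detect_os && detect_ec2` makes EC2 detection depend on the exit status of detect_os, so a non-zero return from detect_os skips detect_ec2 without any message and setup continues as a non-EC2 host. detect_os is not visible here, so whether it can return non-zero on a supported OS is unclear. Keeping them as two statements, `detect_os` and `detect_ec2` on their own lines, preserves the previous behaviour.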
@@ -370,21 +364,17 @@ fi # Set initial percentage to 0 export percentage=0 - if [[ $is_minion ]]; then - set_progress_str 1 'Configuring firewall' - set_initial_firewall_policy >> $setup_log 2>&1 - fi + if [[ $is_minion ]]; then + set_progress_str 1 'Configuring firewall' + set_initial_firewall_policy >> $setup_log 2>&1 + fi set_progress_str 2 'Updating packages' update_packages >> $setup_log 2>&1 if [[ $is_sensor || $is_helix ]]; then - set_progress_str 3 'Creating bond/sniffing interface' - if [ $is_ec2 -eq 1 ]; then - create_ec2_sniffing >> $setup_log 2>&1 - else - create_sensor_bond >> $setup_log 2>&1 - fi + set_progress_str 3 'Configuring sensor interface' + configure_network_sensor >> $setup_log 2>&1 set_progress_str 4 'Generating sensor pillar' sensor_pillar >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index a96cbcc83..a8a263f78 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -78,13 +78,21 @@ whiptail_bond_nics() { filter_unused_nics - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) + if [[ $is_ec2 ]]; then + local menu_text="Please select NIC for the Monitor Interface" + local list_type="radiolist" + else + local menu_text="Please add NICs to the Monitor Interface" + local list_type="checklist" + fi + + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus while [ -z "$BNICS" ] do - BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) + BNICS=$(whiptail --title "NIC Setup" --$list_type "$menu_text" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) local exitstatus=$? whiptail_check_exitstatus $exitstatus done 
@@ -107,28 +115,6 @@ whiptail_bond_nics_mtu() { } -whiptail_ec2_nic() { - - [ -n "$TESTING" ] && return - - filter_unused_nics - - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - while [ -z "$BNICS" ] - do - BNICS=$(whiptail --title "NIC Setup" --radiolist "Please select NIC for the Monitor Interface" 20 75 12 "${nic_list[@]}" 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - done - - BNICS=$(echo "$BNICS" | tr -d '"') - - IFS=' ' read -ra BNICS <<< "$BNICS" -} - whiptail_cancel() { whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 75 From b4f9fe5f542db747186ac956e860da1e2006d78f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:24:41 -0400 Subject: [PATCH 19/22] [fix] Remove quotes --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 7143abaee..d5541a5b0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -612,7 +612,7 @@ if [[ "$success" = 0 ]]; then if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then export IP=$ALLOW_CIDR - so-allow -"$ALLOW_ROLE" >> $setup_log 2>&1 + so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi if [[ $THEHIVE == 1 ]]; then From b671f285621e907858019d83fb0ad73fe5e4fddb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:32:33 -0400 Subject: [PATCH 20/22] [fix] Rename function whiptail_bond_nics to whiptail_sensor_nics --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2e1a0c375..8c84d5345 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -72,7 +72,7 @@ whiptail_bro_version() { } -whiptail_bond_nics() { +whiptail_sensor_nics() { [ -n "$TESTING" ] && return 
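Review bot: Dropping the quotes in `so-allow -$ALLOW_ROLE` subjects the value to word splitting and globbing, so an `ALLOW_ROLE` containing whitespace or wildcard characters reaches the firewall helper as extra or altered arguments. For a single-word role the quoted form `so-allow -"$ALLOW_ROLE"` passes exactly the same argument, so the commit message should say what the quotes broke. Where `ALLOW_ROLE` is set is not visible in this hunk; if it comes from an automation file or the environment, validate it before use, for example `[[ $ALLOW_ROLE =~ ^[a-z]+$ ]] || exit 1` (pattern constructed for illustration). The enclosing `if [[ "$success" = 0 ]]` block starts and ends outside the hunk.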
From 408b5ee32d515563117d9c612d71f1ea6556be4d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 16:53:43 -0400 Subject: [PATCH 21/22] [ix] Fix if conditions --- setup/so-functions | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 46d08cc51..033d6ef3c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -521,7 +521,7 @@ configure_network_sensor() { nmcli -f name,uuid -p con | grep -q "$INTERFACE" local found_int=$? - if [[ ! $found_int ]]; then + if [[ $found_int != 0 ]]; then nmcli con add ifname "$INTERFACE" con-name "$INTERFACE" $nmcli_con_arg -- \ ipv4.method disabled \ ipv6.method ignore \ @@ -560,7 +560,7 @@ configure_network_sensor() { nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" local found_int=$? - if [[ ! $found_int ]]; then + if [[ $found_int != 0 ]]; then # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ ethernet.mtu $MTU \ @@ -1668,7 +1668,5 @@ es_heapsize() { detect_ec2() { # Check if EC2 - curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null - is_ec2=$? - export is_ec2 + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ); then export is_ec2="true"; fi } From aeda3fde74a5db1632e074db4e8a385c5134a9a9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 1 Jul 2020 17:39:04 -0400 Subject: [PATCH 22/22] [revert] Remove regex from setup log grep --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index d5541a5b0..7397f3685 100755 --- a/setup/so-setup +++ b/setup/so-setup 
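Review bot: In the rewritten detect_ec2 (`@@ -1668,7 +1668,5 @@`), `is_ec2` is only ever set to "true" and never cleared, so a value already present in the caller's environment makes every `[[ $is_ec2 ]]` test succeed even when the metadata probe fails. Resetting it first closes that gap, and the subshell parentheses around `curl` are unnecessary: `unset is_ec2` followed by `if curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null; then export is_ec2="true"; fi`. A one-line comment such as `# is_ec2 is empty/unset when not on EC2; callers test it for non-emptiness` would document the convention the other hunks rely on.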
@@ -51,7 +51,7 @@ echo "---- Starting setup at $(date -u) ----" >> $setup_log 2>&1 automated=no function progress() { - if grep -qE "(ERROR|Error)" $setup_log || [[ -s /var/spool/mail/root ]]; then + if grep -q "ERROR" $setup_log || [[ -s /var/spool/mail/root ]]; then if [[ -s /var/spool/mail/root ]]; then echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 fi
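Review bot: With the pattern narrowed back to `grep -q "ERROR"`, the early-failure check in progress() no longer catches tools that report failures as `Error: …`, which is how nmcli prints them, and the nmcli calls in configure_network_sensor write to this same log. If the revert was made because `Error` matched harmless lines, an anchored pattern such as `grep -qE '^(ERROR|Error:)' "$setup_log"` is a narrower alternative, though checking the exit status of the critical commands is more reliable than scanning log text. `$setup_log` is also unquoted on the changed line. progress() begins in this hunk and continues outside it.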