CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

[fix] Networking fixes

Browse Source
This commit is contained in:
William Wernert
2020-04-08 14:43:14 -04:00
parent b293c3dd2c
commit bc99903885
1 changed files with 52 additions and 40 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
setup/so-functions
View File

@@ -230,12 +230,14 @@ check_network_manager_conf() {
local nmconf="/etc/NetworkManager/NetworkManager.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf"
local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d" local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d"
if ! test -f "${gmdconf}.bak"; then if test -f "$gmdconf"; then
{ if ! test -f "${gmdconf}.bak"; then
mv "$gmdconf" "${gmdconf}.bak" {
touch "$gmdconf" mv "$gmdconf" "${gmdconf}.bak"
systemctl restart NetworkManager touch "$gmdconf"
} >> $SETUPLOG 2>&1 systemctl restart NetworkManager
} >> "$SETUPLOG" 2>&1
fi
fi fi
if test -f "$nmconf"; then if test -f "$nmconf"; then
@@ -388,20 +390,23 @@ create_sensor_bond() {
MTU=1500 MTU=1500
fi fi
# Create the bond interface # Create the bond interface only if it doesn't already exist
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
ipv4.method disabled \ nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
ipv6.method ignore \ ipv4.method disabled \
ethernet.mtu $MTU \ ipv6.method ignore \
connection.autoconnect "yes" >> $SETUPLOG 2>&1 ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
fi
for BNIC in ${BNICS[@]}; do for BNIC in ${BNICS[@]}; do
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
# Check if specific offload features are able to be disabled # Check if specific offload features are able to be disabled
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
if ethtool -k $BONDNIC | egrep $string | egrep -q "on [fixed]"; then if ethtool -k "$BONDNIC" | grep $string | grep -q "on [fixed]"; then
echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> $SETUPLOG 2>&1 echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$SETUPLOG" 2>&1
nic_error=1 nic_error=1
break break
fi fi
@@ -412,12 +417,16 @@ create_sensor_bond() {
ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1 ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1
done done
# Create the slave interface and assign it to the bond # Check if the bond slave connection has already been created
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BONDNIC //p" | tr -d ' ') ]]; then
ethernet.mtu $MTU \ # Create the slave interface and assign it to the bond
connection.autoconnect "yes" >> $SETUPLOG 2>&1
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 # Bring the slave interface up nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
fi
nmcli con up "bond0-slave-$BONDNIC" >> "$SETUPLOG" 2>&1 # Bring the slave interface up
done done
if [ $nic_error != 0 ]; then if [ $nic_error != 0 ]; then
@@ -494,15 +503,14 @@ disable_misc_network_features() {
connection.autoconnect "no" >> $SETUPLOG 2>&1 connection.autoconnect "no" >> $SETUPLOG 2>&1
# Flush any existing IPs # Flush any existing IPs
ip addr flush "$UNUSED_NIC" >> $SETUPLOG 2>&1 ip addr flush "$UNUSED_NIC" >> "$SETUPLOG" 2>&1
# Disable IPv6
{
echo "net.ipv6.conf.all.disable_ipv6 = 1"
echo "net.ipv6.conf.default.disable_ipv6 = 1"
echo "net.ipv6.conf.lo.disable_ipv6 = 1"
} >> /etc/sysctl.conf
done done
# Disable IPv6
{
echo "net.ipv6.conf.all.disable_ipv6 = 1"
echo "net.ipv6.conf.default.disable_ipv6 = 1"
echo "net.ipv6.conf.lo.disable_ipv6 = 1"
} >> /etc/sysctl.conf
} }
docker_install() { docker_install() {
@@ -924,22 +932,26 @@ minio_generate_keys() {
} }
network_setup() { network_setup() {
echo "Finishing up network setup" >> $SETUPLOG 2>&1 {
echo "Finishing up network setup";
echo "... Verifying all network devices are managed by Network Manager" >> $SETUPLOG 2>&1 echo "... Verifying all network devices are managed by Network Manager";
check_network_manager_conf >> $SETUPLOG 2>&1 check_network_manager_conf;
echo "... Disabling unused NICs" >> $SETUPLOG 2>&1 echo "... Disabling unused NICs";
disable_misc_network_features >> $SETUPLOG 2>&1 disable_misc_network_features;
echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1 echo "... Setting ONBOOT for management interface";
nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1 if ! netplan > /dev/null 2>&1; then
nmcli con mod "$MAININT" connection.autoconnect "yes";
fi
echo "... Copying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Copying 99-so-checksum-offload-disable";
cp $SCRIPTDIR/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1 cp "$SCRIPTDIR/install_scripts/99-so-checksum-offload-disable" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ;
echo "... Modifying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Modifying 99-so-checksum-offload-disable";
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1 sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
} >> "$SETUPLOG" 2>&1
} }
node_pillar() { node_pillar() {