CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #142 from rwwiv/master

Browse Source 
Network setup fixes
This commit is contained in:
Mike Reeves
2019-11-26 11:38:26 -05:00
committed by GitHub
parent aafa99ec4e d5a2c23ed5
commit bfb1dd2704
1 changed files with 75 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

102
so-setup-network.sh
View File

@@ -277,11 +277,11 @@ copy_ssh_key() {
} }
network_setup() { create_sensor_bond() {
echo "Setting up Bond" >> $SETUPLOG 2>&1 echo "Setting up sensor bond" >> $SETUPLOG 2>&1
# Set the MTU # Set the MTU
if [ "$NSMSETUP" != 'ADVANCED' ]; then if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1500 MTU=1500
fi fi
@@ -306,10 +306,6 @@ network_setup() {
# Bring the slave interface up # Bring the slave interface up
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1
done done
# Replace the variable string in the network script
sed -i "s/\$MAININT/${MAININT}/g" ./install_scripts/disable-checksum-offload.sh >> $SETUPLOG 2>&1
# Copy the checksum offload script to prevent issues with packet capture
cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
} }
detect_os() { detect_os() {
@@ -341,6 +337,19 @@ disable_dnsmasq() {
} }
disable_unused_nics() {
for UNUSED_NIC in ${FNICS[@]}; do
# Disable DHCPv4/v6 and autoconnect
nmcli con mod $UNUSED_NIC \
ipv4.method disabled \
ipv6.method link-local \
connection.autoconnect "no" >> $SETUPLOG 2>&1
# Flush any existing IPs
ip addr flush $UNUSED_NIC >> $SETUPLOG 2>&1
done
}
docker_install() { docker_install() {
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
@@ -412,11 +421,19 @@ eval_mode_hostsfile() {
} }
filter_nics() { filter_unused_nics() {
# Set the main NIC as the default grep search string
grep_string=$MNIC
# Filter the NICs that we don't want to see in setup # If we call this function and NICs have already been assigned to the bond interface then add them to the grep search string
FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') if [[ $BNICS ]]; then
for BONDNIC in ${BNICS[@]}; do
grep_string="$grep_string\|$BONDNIC"
done
fi
# Finally, set FNICS to any NICs we aren't using (and ignore interfaces that aren't of use)
FNICS=$(ip link | grep -vwe $grep_string | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}')
} }
generate_passwords(){ generate_passwords(){
@@ -614,6 +631,22 @@ minio_generate_keys() {
} }
network_setup() {
echo "Finishing up network setup" >> $SETUPLOG 2>&1
echo "... Disabling unused NICs" >> $SETUPLOG 2>&1
disable_unused_nics >> $SETUPLOG 2>&1
echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1
nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1
echo "... Copying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
cp ./install_scripts/disable-checksum-offload.sh /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
echo "... Modifying disable-checksum-offload.sh" >> $SETUPLOG 2>&1
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/disable-checksum-offload.sh >> $SETUPLOG 2>&1
}
node_pillar() { node_pillar() {
NODEPILLARPATH=$TMP/pillar/nodes NODEPILLARPATH=$TMP/pillar/nodes
@@ -674,7 +707,7 @@ patch_schedule_os_new() {
mkdir -p $OSPATCHSCHEDULEDIR mkdir -p $OSPATCHSCHEDULEDIR
fi fi
echo "patch:" > $OSPATCHSCHEDULE echo "patch:" > $OSPATCHSCHEDULE
echo " os:" >> $OSPATCHSCHEDULE echo " os:" >> $OSPATCHSCHEDULE
echo " schedule:" >> $OSPATCHSCHEDULE echo " schedule:" >> $OSPATCHSCHEDULE
for psd in "${PATCHSCHEDULEDAYS[@]}" for psd in "${PATCHSCHEDULEDAYS[@]}"
@@ -1224,11 +1257,16 @@ whiptail_bro_version() {
whiptail_bond_nics() { whiptail_bond_nics() {
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) local nic_list=()
for FNIC in ${FNICS[@]}; do
nic_list+=($FNIC "Interface" "OFF")
done
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${nic_list[@]} 3>&1 1>&2 2>&3 )
while [ -z "$BNICS" ] while [ -z "$BNICS" ]
do do
BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${FNICS[@]} 3>&1 1>&2 2>&3 ) BNICS=$(whiptail --title "NIC Setup" --checklist "Please add NICs to the Monitor Interface" 20 78 12 ${nic_list[@]} 3>&1 1>&2 2>&3 )
done done
local exitstatus=$? local exitstatus=$?
@@ -2008,7 +2046,9 @@ if (whiptail_you_sure); then
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n95\nVerifying Install... \nXXX" echo -e "XXX\n95\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
@@ -2031,7 +2071,7 @@ if (whiptail_you_sure); then
if [ $INSTALLTYPE == 'SENSORONLY' ]; then if [ $INSTALLTYPE == 'SENSORONLY' ]; then
whiptail_management_nic whiptail_management_nic
filter_nics filter_unused_nics
whiptail_bond_nics whiptail_bond_nics
whiptail_management_server whiptail_management_server
whiptail_master_updates whiptail_master_updates
@@ -2062,7 +2102,7 @@ if (whiptail_you_sure); then
#echo -e "XXX\n1\nInstalling pip3... \nXXX" #echo -e "XXX\n1\nInstalling pip3... \nXXX"
#install_pip3 >> $SETUPLOG 2>&1 #install_pip3 >> $SETUPLOG 2>&1
echo -e "XXX\n3\nCreating Bond Interface... \nXXX" echo -e "XXX\n3\nCreating Bond Interface... \nXXX"
network_setup >> $SETUPLOG 2>&1 create_sensor_bond >> $SETUPLOG 2>&1
echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX" echo -e "XXX\n4\nGenerating Sensor Pillar... \nXXX"
sensor_pillar >> $SETUPLOG 2>&1 sensor_pillar >> $SETUPLOG 2>&1
echo "** Generating the patch pillar **" >> $SETUPLOG echo "** Generating the patch pillar **" >> $SETUPLOG
@@ -2093,6 +2133,9 @@ if (whiptail_you_sure); then
echo -e "XXX\n80\nVerifying Install... \nXXX" echo -e "XXX\n80\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then
@@ -2113,7 +2156,7 @@ if (whiptail_you_sure); then
whiptail_management_nic whiptail_management_nic
# Filter out the management NIC # Filter out the management NIC
filter_nics filter_unused_nics
# Select which NICs are in the bond # Select which NICs are in the bond
whiptail_bond_nics whiptail_bond_nics
@@ -2160,15 +2203,16 @@ if (whiptail_you_sure); then
{ {
sleep 0.5 sleep 0.5
echo -e "XXX\n0\nCreating Bond Interface... \nXXX" echo -e "XXX\n0\nCreating Bond Interface... \nXXX"
network_setup >> $SETUPLOG 2>&1 create_sensor_bond >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling Python 3... \nXXX"
install_python3 >> $SETUPLOG 2>&1 install_python3 >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling saltstack... \nXXX" echo -e "XXX\n2\nInstalling saltstack... \nXXX"
saltify >> $SETUPLOG 2>&1 saltify >> $SETUPLOG 2>&1
echo -e "XXX\n3\nInstalling docker... \nXXX" echo -e "XXX\n3\nInstalling docker... \nXXX"
docker_install >> $SETUPLOG 2>&1 docker_install >> $SETUPLOG 2>&1
echo -e "XXX\n5\nInstalling master code... \nXXX" echo -e "XXX\n5\nInstalling master code... \nXXX"
install_master >> $SETUPLOG 2>&1 install_master >> $SETUPLOG 2>&1
echo -e "XXX\n1\nInstalling mysql dependencies for saltstack... \nXXX" echo -e "XXX\n5\nInstalling mysql dependencies for saltstack... \nXXX"
salt_install_mysql_deps >> $SETUPLOG 2>&1 salt_install_mysql_deps >> $SETUPLOG 2>&1
echo -e "XXX\n6\nCopying salt code... \nXXX" echo -e "XXX\n6\nCopying salt code... \nXXX"
salt_master_directories >> $SETUPLOG 2>&1 salt_master_directories >> $SETUPLOG 2>&1
@@ -2239,22 +2283,24 @@ if (whiptail_you_sure); then
echo -e "XXX\n85\nInstalling filebeat... \nXXX" echo -e "XXX\n85\nInstalling filebeat... \nXXX"
salt-call state.apply filebeat >> $SETUPLOG 2>&1 salt-call state.apply filebeat >> $SETUPLOG 2>&1
salt-call state.apply utility >> $SETUPLOG 2>&1 salt-call state.apply utility >> $SETUPLOG 2>&1
echo -e "XXX\n95\nInstalling misc components... \nXXX" echo -e "XXX\n90\nInstalling misc components... \nXXX"
salt-call state.apply schedule >> $SETUPLOG 2>&1 salt-call state.apply schedule >> $SETUPLOG 2>&1
salt-call state.apply soctopus >> $SETUPLOG 2>&1 salt-call state.apply soctopus >> $SETUPLOG 2>&1
if [[ $THEHIVE == '1' ]]; then if [[ $THEHIVE == '1' ]]; then
echo -e "XXX\n96\nInstalling The Hive... \nXXX" echo -e "XXX\n91\nInstalling The Hive... \nXXX"
salt-call state.apply hive >> $SETUPLOG 2>&1 salt-call state.apply hive >> $SETUPLOG 2>&1
fi fi
if [[ $PLAYBOOK == '1' ]]; then if [[ $PLAYBOOK == '1' ]]; then
echo -e "XXX\n97\nInstalling Playbook... \nXXX" echo -e "XXX\n93\nInstalling Playbook... \nXXX"
salt-call state.apply playbook >> $SETUPLOG 2>&1 salt-call state.apply playbook >> $SETUPLOG 2>&1
fi fi
echo -e "XXX\n98\nSetting checkin to run on boot... \nXXX" echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XXX\n99\nVerifying Setup... \nXXX" echo -e "XXX\n98\nVerifying Setup... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
@@ -2358,7 +2404,9 @@ if (whiptail_you_sure); then
echo -e "XXX\n90\nVerifying Install... \nXXX" echo -e "XXX\n90\nVerifying Install... \nXXX"
salt-call state.highstate >> $SETUPLOG 2>&1 salt-call state.highstate >> $SETUPLOG 2>&1
checkin_at_boot >> $SETUPLOG 2>&1 checkin_at_boot >> $SETUPLOG 2>&1
echo -e "XX\n99\nFinishing touches... \nXXX"
filter_unused_nics >> $SETUPLOG 2>&1
network_setup >> $SETUPLOG 2>&1
} |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0 } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}') GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
if [[ $GOODSETUP == '0' ]]; then if [[ $GOODSETUP == '0' ]]; then