From ff25cecd5444044e561bc89015ef7adbacf9a0bd Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 15 Jul 2021 13:53:31 -0400 Subject: [PATCH 1/5] Remove unused function --- setup/so-whiptail | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index afd691632..0a2e5c53a 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1844,19 +1844,6 @@ whiptail_suricata_pins() { } -whiptail_node_updates() { - - [ -n "$TESTING" ] && return - - NODEUPDATES=$(whiptail --title "$whiptail_title" --radiolist \ - "How would you like to download OS package updates for your grid?" 20 75 4 \ - "MANAGER" "Manager node is proxy for updates." ON \ - "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - -} whiptail_you_sure() { From 33f396bdaeb53c711645f5a5e07a756dae8c07e0 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 15 Jul 2021 13:53:57 -0400 Subject: [PATCH 2/5] Add uppercase warning function --- setup/so-whiptail | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 0a2e5c53a..693d0554b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -1844,6 +1844,36 @@ whiptail_suricata_pins() { } +# shellcheck disable=2120 +whiptail_uppercase_warning() { + local type=${1:-hostname} + + local HOSTNAME='TestHostname' + local REDIRECTIT='my.TestDomain.com' + + local msg + if [[ $type == 'hostname' ]]; then + read -r -d '' msg <<- EOM + The value "$HOSTNAME" contains non-lowercase characters. + + Continuing with this hostname could render the system unusable in certain cases, and will also disable the option later in setup to access Security Onion's web interface via the hostname. + EOM + else + read -r -d '' msg <<- EOM + The value "$REDIRECTIT" contains non-lowercase characters. + + Continuing with this value could render the system unusable in certain cases. + EOM + fi + + read -r -d '' msg <<- EOM + $msg + + For best results, it is recommended to only use lowercase ${type}s with Security Onion. For more information see https://docs.securityonion.com/uppercase (URL TBD) + EOM + + whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" 16 75 +} whiptail_you_sure() { From ac98e1fd0f55900693e9b20293d6ca0a8d80d758 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 15 Jul 2021 16:36:24 -0400 Subject: [PATCH 3/5] Remove testing default values, change wording, set default option to no --- setup/so-whiptail | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 693d0554b..e404152e5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
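Review bot: The new whiptail_uppercase_warning has no `[ -n "$TESTING" ] && return` guard, unlike whiptail_set_redirect in this series and the whiptail_node_updates function patch 1 removes, so a non-interactive run with an uppercase hostname still tries to draw a dialog; whiptail without a terminal exits non-zero, which the callers treat as "Go back", and if whiptail_set_hostname returns early under TESTING the same way whiptail_set_redirect does, the caller's loop never terminates. Add the guard as the first statement, with whatever status the callers should see in unattended mode, e.g. `[ -n "$TESTING" ] && return 0`. The closing paragraph also ships the literal placeholder `(URL TBD)` to users in the installer; drop the link or the parenthetical until the docs page exists. Note as well that `read -r -d '' msg <<- EOM` always exits 1 (EOF reached before a NUL), which is harmless here but would abort the script if errexit is ever enabled, and `<<-` strips only leading tabs, so space-indented heredoc lines keep their indentation in the dialog.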
@@ -1846,21 +1846,19 @@ whiptail_suricata_pins() { # shellcheck disable=2120 whiptail_uppercase_warning() { - local type=${1:-hostname} - - local HOSTNAME='TestHostname' - local REDIRECTIT='my.TestDomain.com' + local type=$1 local msg - if [[ $type == 'hostname' ]]; then + if [[ -z $type ]]; then + type="hostname" read -r -d '' msg <<- EOM - The value "$HOSTNAME" contains non-lowercase characters. + The value "$HOSTNAME" contains uppercase characters. Continuing with this hostname could render the system unusable in certain cases, and will also disable the option later in setup to access Security Onion's web interface via the hostname. EOM else read -r -d '' msg <<- EOM - The value "$REDIRECTIT" contains non-lowercase characters. + The value "$REDIRECTHOST" contains uppercase characters. Continuing with this value could render the system unusable in certain cases. EOM @@ -1872,7 +1870,7 @@ whiptail_uppercase_warning() { For best results, it is recommended to only use lowercase ${type}s with Security Onion. For more information see https://docs.securityonion.com/uppercase (URL TBD) EOM - whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" 16 75 + whiptail --title "$whiptail_title" --yesno "$msg" --yes-button "Continue anyway" --no-button "Go back" --defaultno 16 75 } whiptail_you_sure() { From b552973e004dab7fc35cd62a01f8d22fd1557d62 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 15 Jul 2021 16:36:46 -0400 Subject: [PATCH 4/5] Add logic to show uppercase warning message when appropriate --- salt/common/tools/sbin/so-common | 14 +++++++++++++ setup/so-functions | 34 ++++++++++++++++++++++++++++++-- setup/so-whiptail | 13 ++++++++---- 3 files changed, 55 insertions(+), 6 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index c4f6aca30..ce59c64db 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
@@ -160,6 +160,14 @@ fail() { exit 1 } +fqdn_lowercase() { + local fqdn=$1 + + echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)' \ + && return 0 \ + || return 1 +} + get_random_value() { length=${1:-20} head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 @@ -186,6 +194,12 @@ header() { printf '%s\n' "" "$banner" " $*" "$banner" } +hostname_lowercase() { + local hostname=$1 + + [[ $hostname =~ ^[a-z0-9\-]+$ ]] && return 0 || return 1 +} + init_monitor() { MONITORNIC=$1 diff --git a/setup/so-functions b/setup/so-functions index ff019953e..98dd007cb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -423,14 +423,28 @@ collect_homenet_snsr() { } collect_hostname() { + collect_hostname_validate + + while ! hostname_lowercase "$HOSTNAME"; do + if ! (whiptail_uppercase_warning); then + collect_hostname_validate + else + no_use_hostname=true + break + fi + done +} + +collect_hostname_validate() { if [[ $automated == no ]] && [[ "$HOSTNAME" == *'localhost'* ]]; then HOSTNAME=securityonion; fi whiptail_set_hostname "$HOSTNAME" - if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once + if [[ -z $default_hostname_flag ]] && [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if ! (whiptail_avoid_default_hostname); then whiptail_set_hostname "$HOSTNAME" fi + default_hostname_flag=true fi while ! valid_hostname "$HOSTNAME"; do 
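Review bot: In collect_hostname the `while ! hostname_lowercase "$HOSTNAME"` loop re-enters collect_hostname_validate on any non-zero status from `(whiptail_uppercase_warning)`, so ESC (whiptail returns 255) and whiptail failing to open a terminal are indistinguishable from "Go back", whereas the other whiptail_* callers visible in this series route exit codes through whiptail_check_exitstatus; if HOSTNAME cannot change in that situation (unattended or TESTING runs, where the prompts appear to return early) the loop has no exit. Consider guarding the loop with `[[ -z $TESTING ]] &&` or handling 255 the way the rest of the file does. The `no_use_hostname=true` global is consumed in another file (whiptail_set_redirect hides the HOSTNAME option on it); a one-line comment at the assignment naming that consumer, `# read by whiptail_set_redirect: hides the "use hostname" option`, would make the cross-file contract visible. collect_hostname_validate continues past the end of the hunk.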
@@ -648,7 +662,23 @@ collect_proxy_details() { } collect_redirect_host() { - whiptail_set_redirect_host "$HOSTNAME" + collect_redirect_host_validate + + while ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do + local text + ! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname" + if ! (whiptail_uppercase_warning "$text"); then + collect_redirect_host_validate "$REDIRECTHOST" + else + break + fi + done +} + +collect_redirect_host_validate() { + local prefill=${1:-$HOSTNAME} + + whiptail_set_redirect_host "$prefill" while ! valid_ip4 "$REDIRECTHOST" && ! valid_hostname "$REDIRECTHOST" && ! valid_fqdn "$REDIRECTHOST"; do whiptail_invalid_input diff --git a/setup/so-whiptail b/setup/so-whiptail index e404152e5..10d86ec2b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
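Review bot: `! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname"` relies on the `A && B || C` idiom, which only behaves like if/else because a plain assignment cannot fail (shellcheck SC2015); an explicit `if ! valid_hostname "$REDIRECTHOST"; then text="domain name"; else text="hostname"; fi` says the same thing without the trap for the next reader. The argument also does double duty: whiptail_uppercase_warning selects the REDIRECTHOST message purely because `$1` is non-empty and then interpolates the same string as the noun in "lowercase ${type}s", so passing "hostname" here deliberately produces the non-hostname message; a comment at the call site should say so. As in collect_hostname, any non-zero status from the dialog (including ESC/255 and a missing terminal) re-prompts rather than aborting, so the loop depends on the user being able to change REDIRECTHOST. collect_redirect_host_validate continues beyond the hunk.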
@@ -1661,11 +1661,16 @@ whiptail_set_redirect() { [ -n "$TESTING" ] && return + local options=() + options+=( "IP" "Use IP address to access the web interface" ON ) + [[ $no_use_hostname != true ]] && options+=( "HOSTNAME" "Use hostname to access the web interface" OFF ) + options+=("OTHER" "Use a different name like a FQDN or Load Balancer" OFF) + REDIRECTINFO=$(whiptail --title "$whiptail_title" --radiolist \ - "How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \ - "IP" "Use IP address to access the web interface" ON \ - "HOSTNAME" "Use hostname to access the web interface" OFF \ - "OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 ) + "How would you like to access the web interface?\n\nSecurity Onion uses strict cookie enforcement, so whatever you choose here will be the only way that you can access the web interface.\n\nIf you choose something other than IP address, then you'll need to ensure that you can resolve the name via DNS or hosts entry. If you are unsure, please select IP." 20 75 4 \ + "${options[@]}" \ + 3>&1 1>&2 2>&3 + ) local exitstatus=$? whiptail_check_exitstatus $exitstatus } From 0deb77468fe57484f2c38c7f0be7f2103e378cf1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 16 Jul 2021 15:39:09 -0400 Subject: [PATCH 5/5] Change uppercase regex Check for any uppercase characters rather than revalidating input sans uppercase --- salt/common/tools/sbin/so-common | 22 ++++++++-------------- setup/so-functions | 4 ++-- 2 files changed, 10 insertions(+), 16 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index ce59c64db..7ad74ad49 100755 
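Review bot: The new `[[ $no_use_hostname != true ]] && options+=(...)` line makes whiptail_set_redirect depend on a global that is set in setup/so-functions (collect_hostname, when the user keeps an uppercase hostname), and nothing in this function says where it comes from or that "unset" is the normal case; add `# no_use_hostname is set by collect_hostname when an uppercase hostname was kept; unset means the option is offered` above the options block. The array lines are also formatted inconsistently, `options+=( "IP" ... ON )` versus `options+=("OTHER" ... OFF)`; pick one spacing. The radiolist still passes a list height of 4 while the list now has two or three entries, which is harmless but worth a note that it is a minimum, not a count.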
--- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -160,14 +160,6 @@ fail() { exit 1 } -fqdn_lowercase() { - local fqdn=$1 - - echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-z0-9-]{0,62}[a-z0-9]\.)+[a-z]{2,63}$)' \ - && return 0 \ - || return 1 -} - get_random_value() { length=${1:-20} head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 @@ -194,12 +186,6 @@ header() { printf '%s\n' "" "$banner" " $*" "$banner" } -hostname_lowercase() { - local hostname=$1 - - [[ $hostname =~ ^[a-z0-9\-]+$ ]] && return 0 || return 1 -} - init_monitor() { MONITORNIC=$1 @@ -386,6 +372,14 @@ set_version() { fi } +has_uppercase() { + local string=$1 + + echo "$string" | grep -qP '[A-Z]' \ + && return 0 \ + || return 1 +} + valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 diff --git a/setup/so-functions b/setup/so-functions index 98dd007cb..7bbaa1fda 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -425,7 +425,7 @@ collect_homenet_snsr() { collect_hostname() { collect_hostname_validate - while ! hostname_lowercase "$HOSTNAME"; do + while has_uppercase "$HOSTNAME"; do if ! (whiptail_uppercase_warning); then collect_hostname_validate else @@ -664,7 +664,7 @@ collect_proxy_details() { collect_redirect_host() { collect_redirect_host_validate - while ! hostname_lowercase "$REDIRECTHOST" && ! fqdn_lowercase "$REDIRECTHOST"; do + while has_uppercase "$REDIRECTHOST"; do local text ! valid_hostname "$REDIRECTHOST" && text="domain name" || text="hostname" if ! (whiptail_uppercase_warning "$text"); then
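Review bot: has_uppercase feeds its argument to `echo`, so a value beginning with a dash (e.g. `-n` or `-e`) is consumed as an echo option and silently not checked, and the trailing `&& return 0 || return 1` only restates grep's own exit status; a bash regex test does the whole job without a subprocess: `[[ $string =~ [A-Z] ]]` as the function's only statement after the `local`. Whether the earlier validators rule out leading dashes is not visible in this hunk, so this is a hardening of the helper rather than a reported failure. The check is intentionally ASCII-only, which matches the hostname rules but should be stated in a header comment, e.g. `# true if $1 contains an ASCII uppercase letter (hostnames/FQDNs must be lowercase for the web UI redirect)`. The neighbours in so-common (fail, get_random_value, header, init_monitor, ..., set_version, valid_cidr) read as alphabetically ordered, so has_uppercase belongs after header rather than after set_version.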