Replaced auth system with new identity management system.

2026-02-01 04:43:32 +01:00 · 2020-03-30 19:27:56 -04:00
parent 9758563967
commit cbd710bcf2
15 changed files with 329 additions and 226 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -78,6 +78,29 @@ add_socore_user_notmaster() {

 }

+wait_for_identity_db_to_exist() {
+  MAXATTEMPTS=30
+  attempts=0
+  while [[ $attempts -lt $MAXATTEMPTS ]]; do
+    # Check and see if the DB file is in there
+    if [ -f /opt/so/conf/kratos/db/db.sqlite ]; then
+      echo "Database file exists at $(date)"
+      attempts=$MAXATTEMPTS
+    else
+      echo "Identity database does not yet exist; waiting 5 seconds and will check again ($attempts/$MAXATTEMPTS)..."
+      sleep 5
+      attempts=$((attempts+1))      
+    fi
+  done
+}
+
+add_web_user() {
+  wait_for_identity_db_to_exist
+  echo "Attempting to add administrator user for web interface..."
+  echo "$WEBPASSWD1" | /usr/sbin/so-user add $WEBUSER
+  echo "Add user result: $?"
+}
+
 # Create an auth pillar so that passwords survive re-install
 auth_pillar(){

@@ -219,6 +242,16 @@ check_socore_pass() {

 }

+check_web_pass() {
+
+  if [ $WEBPASSWD1 == $WEBPASSWD2 ]; then
+    WPMATCH=yes
+  else
+    whiptail_passwords_dont_match
+  fi
+
+}
+
 checkin_at_boot() {
 	echo "Enabling checkin at boot" >> $SETUPLOG 2>&1
 	echo "startup_states: highstate" >> /etc/salt/minion
@@ -539,7 +572,8 @@ docker_seed_registry() {
    "so-navigator:$VERSION" \
    "so-playbook:$VERSION" \
    "so-redis:$VERSION" \
-    "so-sensoroni:$VERSION" \
+    "so-soc:$VERSION" \
+    "so-kratos:$VERSION" \
    "so-soctopus:$VERSION" \
    "so-steno:$VERSION" \
    #"so-strelka:$VERSION" \
@@ -556,7 +590,7 @@ docker_seed_registry() {
    "so-idstools:$VERSION" \
    "so-logstash:$VERSION" \
    "so-redis:$VERSION" \
-    "so-sensoroni:$VERSION" \
+    #"so-sensoroni:$VERSION" \
    "so-steno:$VERSION" \
    "so-suricata:$VERSION" \
    "so-telegraf:$VERSION" \
@@ -651,6 +685,7 @@ generate_passwords(){
  CORTEXKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  CORTEXORGUSERKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
  SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
+  KRATOSKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1)
 }

 get_filesystem_nsm(){
@@ -690,6 +725,14 @@ get_main_ip() {

 }

+get_redirect() {
+  whiptail_set_redirect_info
+  whiptail_set_redirect
+  if [ $REDIRECTINFO == 'OTHER' ]; then
+    whiptail_set_redirect_host
+  fi
+}
+
 got_root() {

 	# Make sure you are root
@@ -801,6 +844,18 @@ master_pillar() {
  echo "  thehive: $THEHIVE" >> $PILLARFILE
  echo "  playbook: $PLAYBOOK" >> $PILLARFILE
  echo "" >> $PILLARFILE
+  echo "kratos:" >> $PILLARFILE
+  if [[ $REDIRECTINFO == 'OTHER' ]]; then
+    REDIRECTIT=$REDIRECT
+  elif [[ $REDIRECTINFO == 'IP' ]]; then
+    REDIRECTIT=$MAINIP
+  elif [[ $REDIRECTINFO == 'HOSTNAME' ]]; then
+    REDIRECTIT=$HOSTNAME
+  fi    
+  echo "  kratoskey: $KRATOSKEY" >> $PILLARFILE
+  echo "  redirect: $REDIRECTIT" >> $PILLARFILE
+  echo "" >> $PILLARFILE
+

  }

@@ -974,6 +1029,7 @@ saltify() {
      yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
      cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
      sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo
+      yum -y install sqlite3 argon2 curl jq openssl
      # Download Ubuntu Keys in case master updates = 1
      mkdir -p /opt/so/gpg
      wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
@@ -1191,11 +1247,11 @@ EOF
      # Initialize the new repos
      apt-get update >> $SETUPLOG 2>&1
      if [ $OSVER != "xenial" ]; then
-        apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1
+        apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1
        apt-mark hold salt-minion salt-common
      else
        # Need to add python packages here
-        apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1
+        apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1
        apt-mark hold salt-minion salt-common
      fi
    else
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -300,6 +300,15 @@ if (whiptail_you_sure) ; then
      check_socore_pass
    done

+    # Get a password for the web admin user
+    whiptail_create_web_user
+    WPMATCH=no
+    while [ $WPMATCH != yes ]; do
+      whiptail_create_web_user_password1
+      whiptail_create_web_user_password2
+      check_web_pass
+    done
+    get_redirect
    # Last Chance to back out
    whiptail_make_changes
    set_hostname
@@ -376,21 +385,23 @@ if (whiptail_you_sure) ; then
      docker_seed_registry >> $SETUPLOG 2>&1
      echo -e "XXX\n43\nInstalling Common Components... \nXXX"
      salt-call state.apply common >> $SETUPLOG 2>&1
+      echo -e "XXX\n44\nInstalling SOC... \nXXX"
+      salt-call state.apply soc >> $SETUPLOG 2>&1
      echo -e "XXX\n45\nApplying firewall rules... \nXXX"
      salt-call state.apply firewall >> $SETUPLOG 2>&1
      salt-call state.apply master >> $SETUPLOG 2>&1
      salt-call state.apply idstools >> $SETUPLOG 2>&1
-      echo -e "XXX\n40\nInstalling Redis... \nXXX"
+      echo -e "XXX\n46\nInstalling Redis... \nXXX"
      salt-call state.apply redis >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
-        echo -e "XXX\n41\nInstalling MySQL... \nXXX"
+        echo -e "XXX\n48\nInstalling MySQL... \nXXX"
        salt-call state.apply mysql >> $SETUPLOG 2>&1
      fi
      if [[ $WAZUH == '1' ]]; then
-        echo -e "XXX\n68\nInstalling Wazuh... \nXXX"
+        echo -e "XXX\n48\nInstalling Wazuh... \nXXX"
        salt-call state.apply wazuh >> $SETUPLOG 2>&1
      fi
-      echo -e "XXX\n45\nInstalling Elastic Components... \nXXX"
+      echo -e "XXX\n49\nInstalling Elastic Components... \nXXX"
      salt-call state.apply elasticsearch >> $SETUPLOG 2>&1
      salt-call state.apply logstash >> $SETUPLOG 2>&1
      salt-call state.apply kibana >> $SETUPLOG 2>&1
@@ -419,7 +430,9 @@ if (whiptail_you_sure) ; then
      echo -e "XX\n97\nFinishing touches... \nXXX"
      filter_unused_nics >> $SETUPLOG 2>&1
      network_setup >> $SETUPLOG 2>&1
-      echo -e "XXX\n98\nVerifying Setup... \nXXX"
+      echo -e "XXX\n98\nAdding user to SOC... \nXXX"
+      add_web_user >> $SETUPLOG 2>&1
+      echo -e "XXX\n99\nVerifying Setup... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
@@ -570,6 +583,15 @@ if (whiptail_you_sure) ; then
        check_socore_pass
      done
    fi
+    # Get a password for the web admin user
+    whiptail_create_web_user
+    WPMATCH=no
+    while [ $WPMATCH != yes ]; do
+      whiptail_create_web_user_password1
+      whiptail_create_web_user_password2
+      check_web_pass
+    done
+    get_redirect
    whiptail_make_changes
    set_hostname
    set_version
@@ -616,14 +638,10 @@ if (whiptail_you_sure) ; then
      master_pillar >> $SETUPLOG 2>&1
      echo "** Generating the patch pillar **" >> $SETUPLOG
      patch_pillar >> $SETUPLOG 2>&1
-
-
      echo -e "XXX\n7\nConfiguring minion... \nXXX"
      configure_minion $TYPE >> $SETUPLOG 2>&1
      echo -e "XXX\n7\nSetting the node type to $TYPE... \nXXX"
      set_node_type >> $SETUPLOG 2>&1
-
-
      echo -e "XXX\n7\nSearch node pillar... \nXXX"
      node_pillar >> $SETUPLOG 2>&1
      echo -e "XXX\n8\nCreating firewall policies... \nXXX"
@@ -650,12 +668,13 @@ if (whiptail_you_sure) ; then
      echo -e "XXX\n25\nInstalling master components... \nXXX"
      salt-call state.apply master >> $SETUPLOG 2>&1
      salt-call state.apply idstools >> $SETUPLOG 2>&1
-
+      echo -e "XXX\n26\nInstalling SOC... \nXXX"
+      salt-call state.apply soc >> $SETUPLOG 2>&1
      if [[ $OSQUERY == '1' ]]; then
        salt-call state.apply mysql >> $SETUPLOG 2>&1
      fi
      if [[ $WAZUH == '1' ]]; then
-        echo -e "XXX\n65\nInstalling Wazuh components... \nXXX"
+        echo -e "XXX\n27\nInstalling Wazuh components... \nXXX"
        salt-call state.apply wazuh >> $SETUPLOG 2>&1
      fi
      echo -e "XXX\n35\nInstalling ElasticSearch... \nXXX"
@@ -700,10 +719,11 @@ if (whiptail_you_sure) ; then
      echo -e "XXX\n95\nSetting checkin to run on boot... \nXXX"
      checkin_at_boot >> $SETUPLOG 2>&1
      echo -e "XX\n97\nFinishing touches... \nXXX"
-      salt-call state.apply auth >> $SETUPLOG 2>&1
      filter_unused_nics >> $SETUPLOG 2>&1
      network_setup >> $SETUPLOG 2>&1
-      echo -e "XXX\n98\nVerifying Setup... \nXXX"
+      echo -e "XXX\n98\nAdding user to SOC... \nXXX"
+      add_web_user >> $SETUPLOG 2>&1
+      echo -e "XXX\n99\nVerifying Setup... \nXXX"
      salt-call state.highstate >> $SETUPLOG 2>&1
    } |whiptail --title "Hybrid Hunter Install" --gauge "Please wait while installing" 6 60 0
    GOODSETUP=$(tail -10 $SETUPLOG | grep Failed | awk '{ print $2}')
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -158,6 +158,34 @@ whiptail_create_socore_user_password2() {

 }

+whiptail_create_web_user() {
+
+  WEBUSER=$(whiptail --title "Security Onion Install" --inputbox \
+  "Please enter an email address to create an administrator account for the web interface." 10 60 3>&1 1>&2 2>&3)
+
+}
+
+
+whiptail_create_web_user_password1() {
+
+  WEBPASSWD1=$(whiptail --title "Security Onion Install" --passwordbox \
+  "Enter a password for $WEBUSER" 10 60 3>&1 1>&2 2>&3)
+
+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_create_web_user_password2() {
+
+  WEBPASSWD2=$(whiptail --title "Security Onion Install" --passwordbox \
+  "Re-enter a password for $WEBUSER" 10 60 3>&1 1>&2 2>&3)
+
+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+
+}
+
+
 whiptail_cur_close_days() {

  CURCLOSEDAYS=$(whiptail --title "Security Onion Setup" --inputbox \
@@ -683,6 +711,28 @@ whiptail_set_hostname() {

 }

+whiptail_set_redirect() {
+  REDIRECTINFO=$(whiptail --title "Security Onion Setup" --radiolist \
+  "Choose the access method for the web interface:" 20 75 4 \
+  "IP" "Use IP to access the web interface" ON  \
+  "HOSTNAME" "Use Hostname ($HOSTNAME) to access the web interface" OFF \
+  "OTHER" "Use a different name like a FQDN or Load Balancer" OFF 3>&1 1>&2 2>&3 )
+  local exitstatus=$?
+  whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_set_redirect_host() {
+  REDIRECTHOST=$(whiptail --title "Security Onion Setup" --inputbox \
+    "Enter the Hostname or IP you would like to use for the web interface." 10 75 $HOSTNAME 3>&1 1>&2 2>&3)
+    local exitstatus=$?
+    whiptail_check_exitstatus $exitstatus
+}
+
+whiptail_set_redirect_info() {
+  whiptail --title "Security Onion Setup" --msgbox "The following selection refers to accessing the web interface. \n
+For security reasons, we use strict cookie enforcement." 10 75
+}
+
 whiptail_setup_complete() {

  whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. Press Enter to reboot." 8 75