From bdfec5176d99e663ccde2464610e69b5a37e7a45 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Feb 2021 13:22:06 -0500 Subject: [PATCH 01/24] Dont disable unused interfaces during setup --- setup/so-functions | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4410e7443..4bb6289b0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1223,7 +1223,7 @@ filter_unused_nics() { fi # Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use) - filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|tun|wg|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g') + filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g') readarray -t filtered_nics <<< "$filtered_nics" nic_list=() @@ -1712,8 +1712,8 @@ network_setup() { echo "... Verifying all network devices are managed by Network Manager"; check_network_manager_conf; - echo "... Disabling unused NICs"; - disable_misc_network_features; + #echo "... Disabling unused NICs"; + #disable_misc_network_features; echo "... Setting ONBOOT for management interface"; command -v netplan &> /dev/null || nmcli con mod "$MNIC" connection.autoconnect "yes" From 6058400aad6e36c2c643593a3a82fc0f450a284f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Feb 2021 15:52:50 -0500 Subject: [PATCH 02/24] Bypass route check --- setup/so-functions | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 4bb6289b0..c0a1209ed 100755 --- a/setup/so-functions +++ b/setup/so-functions 
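Review bot: Commenting out the `disable_misc_network_features` call in network_setup leaves dead code, and — because that same function is where the three `net.ipv6.*.disable_ipv6 = 1` lines were appended to `/etc/sysctl.conf` (visible in the later hunk of this series that comments the whole function out) — this commit also stops persisting the IPv6 disable across reboots, not just the NIC disabling named in the subject. If only the NIC handling is unwanted, move the sysctl step into disable_ipv6 (the series does this later) and delete the rest outright instead of leaving `#` lines. In the first hunk, dropping `tun|wg` from the awk exclusion means VPN interfaces now land in `filtered_nics`; presumably so a tunnel can be picked as the management NIC, which deserves a comment such as `# tun/wg are listed so a VPN interface can be selected as MNIC`. network_setup starts before this hunk.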
@@ -751,14 +751,18 @@ check_sos_appliance() { } compare_main_nic_ip() { - if [[ "$MAINIP" != "$MNIC_IP" ]]; then - read -r -d '' message <<- EOM - The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). + if [[ "$MNIC" =~ tun || "$MNIC" =~ wg || "$MNIC" =~ vpn]]; then + echo "This is a VPN" + else + if [[ "$MAINIP" != "$MNIC_IP" ]]; then + read -r -d '' message <<- EOM + The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). This is not a supported configuration, please remediate and rerun setup. EOM - whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 - kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 + whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 + kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 + fi fi } From 5949119cb5b6e9a403e87220a40b4e77ad699bc6 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Feb 2021 15:53:55 -0500 Subject: [PATCH 03/24] Bypass route check --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index c0a1209ed..68d4ed01f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -751,7 +751,7 @@ check_sos_appliance() { } compare_main_nic_ip() { - if [[ "$MNIC" =~ tun || "$MNIC" =~ wg || "$MNIC" =~ vpn]]; then + if [[ "$MNIC" =~ tun || "$MNIC" =~ wg || "$MNIC" =~ vpn ]]; then echo "This is a VPN" else if [[ "$MAINIP" != "$MNIC_IP" ]]; then From 8f3ba7633c129baf850360db11ca369425fdea6e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 24 Feb 2021 15:57:18 -0500 Subject: [PATCH 04/24] Fix Syntax --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 68d4ed01f..9dd6bc1e7 100755 --- a/setup/so-functions +++ b/setup/so-functions 
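Review bot: The new VPN bypass in compare_main_nic_ip uses unanchored `=~ tun`, `=~ wg` and `=~ vpn`, so any interface whose name merely contains those letters skips the routed-IP sanity check; anchor them as prefixes, `[[ $MNIC =~ ^(tun|wg|vpn) ]]`. The same line is missing a space before `]]`, which is a bash parse error (the following commit adds it). More importantly the bypass leaves `MAINIP` at the default-route address — exactly the mismatch the skipped whiptail message warns about — so everything downstream that keys on MAINIP is fed the wrong IP until the "Set MAINIP to MNIC_IP when using a VPN" commit later in this series; that assignment belongs in this change. `echo "This is a VPN"` prints to the installer's stdout; send it to `$setup_log` like the other network messages in this file. compare_main_nic_ip starts and ends inside this hunk.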
@@ -751,7 +751,7 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MNIC" =~ tun || "$MNIC" =~ wg || "$MNIC" =~ vpn ]]; then
+ if [[ "$MNIC" =~ ^('tun'|'vpn'|'wg')$ ]]; then
 echo "This is a VPN"
 else
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
From ab66f175c51cd75ff6755d7cb04ab48efd924097 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 24 Feb 2021 16:01:18 -0500
Subject: [PATCH 05/24] Fix Syntax
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 9dd6bc1e7..f53e3debf 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -751,7 +751,7 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MNIC" =~ ^('tun'|'vpn'|'wg')$ ]]; then
+ if [[ "$MNIC" == "tun*" ]] || if [[ "$MNIC" == "wg*" ]] || if [[ "$MNIC" == "vpn*" ]]; then
 echo "This is a VPN"
 else
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
From ae17a3aeb879b3170cd7da8430926e9031b63d92 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 24 Feb 2021 16:02:36 -0500
Subject: [PATCH 06/24] Fix Syntax try 3
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index f53e3debf..966743c4e 100755
--- a/setup/so-functions
+++ b/setup/so-functions
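Review bot: `[[ "$MNIC" =~ ^('tun'|'vpn'|'wg')$ ]]` is anchored at both ends, so it only matches an interface literally named `tun`, `vpn` or `wg`; real devices are `tun0`, `wg0` and so on, which means the VPN bypass never fires and the check behaves exactly as it did before this series. A prefix match is what is wanted — `[[ $MNIC =~ ^(tun|wg|vpn) ]]` — which the "Set MAINIP to MNIC_IP" commit later in the series eventually lands. The `|| if [[` variant in the next hunk on this page is a parse error; running `bash -n setup/so-functions` (or shellcheck) before each push would have caught this and the following "Fix Syntax" attempts. compare_main_nic_ip continues past the hunk.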
@@ -751,7 +751,7 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MNIC" == "tun*" ]] || [[ "$MNIC" == "wg*" ]] || [[ "$MNIC" == "vpn*" ]]; then
+ if [[ "$MNIC" == "TUN*" ]] || [[ "$MNIC" == "wg*" ]] || [[ "$MNIC" == "vpn*" ]]; then
 echo "This is a VPN"
 else
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
From b30f964974e2657039610bb188ecdf7a3206665e Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Wed, 24 Feb 2021 16:09:37 -0500
Subject: [PATCH 08/24] Moving the wildcard
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 81d7b4fe6..e0b96f896 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -751,7 +751,7 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MNIC" == "TUN*" ]] || [[ "$MNIC" == "wg*" ]] || [[ "$MNIC" == "vpn*" ]]; then
+ if [[ "$MNIC" == "tun"* ]] || [[ "$MNIC" == "wg"* ]] || [[ "$MNIC" == "vpn"* ]]; then
 echo "This is a VPN"
 else
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
From 4a6ad7c87ede23add22d8dcf6463b92626829807 Mon Sep 17 00:00:00 2001
From: William Wernert
Date: Wed, 24 Feb 2021 16:31:45 -0500
Subject: [PATCH 09/24] Set MAINIP to MNIC_IP when using a VPN
---
 setup/so-functions | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index e0b96f896..07c53100d 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -751,9 +751,7 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MNIC" == "tun"* ]] || [[ "$MNIC" == "wg"* ]] || [[ "$MNIC" == "vpn"* ]]; then
- echo "This is a VPN"
- else
+ if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
 read -r -d '' message <<- EOM
 The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
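Review bot: The trailing `.*$` in `^(tun|wg|vpn).*$` is redundant (an unanchored end already accepts any suffix), and the decision that "this is a VPN" still rests purely on a naming convention; WireGuard interface names in particular are chosen by the operator, so a tunnel called something like `so-mgmt` would still hit the hard abort. Either tell the operator about the convention where they see it — the whiptail message could mention that the check is skipped for `tun*`/`wg*`/`vpn*` interfaces — or add a header comment: `# VPN interfaces (tun*/wg*/vpn*) legitimately carry an IP that differs from the default route; skip the equality check for them`. compare_main_nic_ip continues into the next hunk.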
@@ -763,7 +761,12 @@ compare_main_nic_ip() { whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 fi + else + # Setup uses MAINIP, but since we ignore the equality condition when using a VPN + # just set the variable to the IP of the VPN interface + MAINIP=$MNIC_IP fi + } compare_versions() { From ef1e2964155c32d7bd58b8fa41bf08178fdd886a Mon Sep 17 00:00:00 2001 From: Doug Burks Date: Thu, 25 Feb 2021 08:52:34 -0500 Subject: [PATCH 10/24] Improve Hunt queries for ssh and tunnel #3128 --- salt/soc/files/soc/hunt.queries.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json index edd0397c9..9b5a42678 100644 --- a/salt/soc/files/soc/hunt.queries.json +++ b/salt/soc/files/soc/hunt.queries.json 
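Review bot: The new `else` branch copies `MNIC_IP` into `MAINIP` without checking that it is non-empty; if the VPN interface has no address when setup runs (plausible for a tunnel that is not yet up), MAINIP becomes an empty string and every later step that depends on it proceeds silently, whereas the non-VPN path still hard-aborts. Guard it with something like `[[ -n $MNIC_IP ]] || { echo "Management interface $MNIC has no IP address" >> "$setup_log"; exit 1; }`, or reuse the whiptail-and-kill pattern from the branch above so both paths fail the same way. The stray blank line added before the closing `}` can go. compare_main_nic_ip starts in the previous hunk.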
@@ -53,10 +53,10 @@
 { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"},
 { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"},
 { "name": "Software", "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"},
- { "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version"},
+ { "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
 { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
 { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
- { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby event.action"},
+ { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
 { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
 { "name": "x509", "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"},
 { "name": "x509", "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"},
From c18c8657645454175ce171604c52f34309b852d7 Mon Sep 17 00:00:00 2001
From: Doug Burks
Date: Thu, 25 Feb 2021 09:23:19 -0500
Subject: [PATCH 11/24] Improve Hunt queries for ssh and tunnel #3128
---
 salt/soc/files/soc/hunt.queries.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/salt/soc/files/soc/hunt.queries.json b/salt/soc/files/soc/hunt.queries.json
index 9b5a42678..b8dc5eb21 100644
--- a/salt/soc/files/soc/hunt.queries.json
+++ b/salt/soc/files/soc/hunt.queries.json
@@ -53,10 +53,10 @@
 { "name": "SMTP", "description": "SMTP grouped by subject", "query": "event.dataset:smtp | groupby smtp.subject"},
 { "name": "SNMP", "description": "SNMP grouped by version and string", "query": "event.dataset:snmp | groupby snmp.community snmp.version"},
 { "name": "Software", "description": "List of software seen on the network", "query": "event.dataset:software | groupby software.type software.name"},
- { "name": "SSH", "description": "SSH grouped by version", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
+ { "name": "SSH", "description": "SSH grouped by version and client", "query": "event.dataset:ssh | groupby ssh.version ssh.client"},
 { "name": "SSL", "description": "SSL grouped by version and server name", "query": "event.dataset:ssl | groupby ssl.version ssl.server_name"},
 { "name": "SYSLOG", "description": "SYSLOG grouped by severity and facility ", "query": "event.dataset:syslog | groupby syslog.severity syslog.facility"},
- { "name": "Tunnel", "description": "Tunnels grouped by action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
+ { "name": "Tunnel", "description": "Tunnels grouped by type and action", "query": "event.dataset:tunnel | groupby tunnel.type event.action"},
 { "name": "Weird", "description": "Zeek weird log grouped by name", "query": "event.dataset:weird | groupby weird.name"},
 { "name": "x509", "description": "x.509 grouped by key length and name", "query": "event.dataset:x509 | groupby x509.certificate.key.length x509.san_dns"},
 { "name": "x509", "description": "x.509 grouped by name and issuer", "query": "event.dataset:x509 | groupby x509.san_dns x509.certificate.issuer"},
From d52abcbcbdfcd29b0d29ce2bbe39a3bdef26cdaf Mon Sep 17 00:00:00 2001
From: m0duspwnens Date: Thu, 25 Feb 2021 09:58:07 -0500 Subject: [PATCH 12/24] ensure zeekctl is run as user zeek https://github.com/Security-Onion-Solutions/securityonion/issues/3130 --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index ff89c6506..9ebef1217 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec -it so-zeek /opt/zeek/bin/zeekctl capstats + docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl capstats'" echo echo "Average packet loss:" echo - docker exec -it so-zeek /opt/zeek/bin/zeekctl netstats + docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" echo } diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index c8750dd92..a083895d7 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh @@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek /opt/zeek/bin/zeekctl netstats | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From 6a097beafff00504e3c4253bbf69e3d54498273f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Feb 2021 10:47:29 -0500 Subject: [PATCH 13/24] Show log_size_limit message at end of soup instead of during --- salt/common/tools/sbin/soup | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) 
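Review bot: In both files the whole `runuser -l zeek '…'` string is handed to `docker exec` as one double-quoted argument, so Docker looks for an executable literally named `runuser -l zeek '/opt/zeek/bin/zeekctl netstats'` inside the container and fails; the words must be separate arguments (the "fix quotes" commit later in this series does this), and `runuser` also needs `-c` to accept a command string. The privilege drop itself is the right call — zeekctl should not run as the container's root — but `docker exec --user zeek so-zeek /opt/zeek/bin/zeekctl netstats` achieves it without a root-in-container `runuser`, provided zeekctl does not actually depend on a login environment (to confirm). A comment above each call, `# zeekctl must run as the zeek user (#3130); do not reintroduce a root invocation`, would keep the intent visible. show_stats starts before its hunk; packetloss.sh is shown in full.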
diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 1ea63b70b..6eb01a694 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -121,17 +121,13 @@ check_sudoers() { } check_log_size_limit() { - local wait_for_enter=false local num_minion_pillars num_minion_pillars=$(find /opt/so/saltstack/local/pillar/minions/ -type f | wc -l) if [[ $num_minion_pillars -gt 1 ]]; then if find /opt/so/saltstack/local/pillar/minions/ -type f | grep -q "_heavynode"; then - wait_for_enter=true - echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect." - echo " -> We recommend checking and adjusting the values as necessary." - echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + lsl_msg='distributed' fi else local minion_id @@ -172,16 +168,8 @@ check_log_size_limit() { new_limit=$( echo "$disk_size_gb" "$percent" | awk '{printf("%.0f", $1 * ($2/100))}') if [[ $current_limit != "$new_limit" ]]; then - wait_for_enter=true - echo "[WARNING] The value of log_size_limit (${current_limit}) does not match the recommended value of ${new_limit}." - echo " -> We recommend checking and adjusting the value as necessary." - echo " -> File: /opt/so/saltstack/local/pillar/minions/${minion_id}.sls" - fi - - if [[ $wait_for_enter == true ]]; then - echo "" - read -n 1 -s -r -p "Press any key to continue..." - echo "" # Since read doesn't print a newline, print one for it + lsl_msg='single-node' + lsl_details=( "$current_limit" "$new_limit" "$minion_id" ) fi fi } 
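Review bot: check_log_size_limit now communicates through two undeclared globals, `lsl_msg` and `lsl_details`, that are consumed much later in the script; give them a visible declaration near the top of soup with a comment, e.g. `lsl_msg=''   # set by check_log_size_limit; reported at the end of the run` and `lsl_details=()`, so an unbound-variable error (if the script ever enables `set -u`) or a stale value from an earlier call cannot slip through. Removing `wait_for_enter` also removes the only prompt that forced the operator to acknowledge a wrong log_size_limit, which is presumably intentional now that the message is printed last; say so in the function's header comment. The function opens in the first of these two hunks and closes at the `}` ending the second.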
@@ -742,7 +730,21 @@ fi check_sudoers - +if [[ -n $lsl_msg ]]; then + case $lsl_msg in + 'distributed') + echo "[INFO] The value of log_size_limit in any heavy node minion pillars may be incorrect." + echo " -> We recommend checking and adjusting the values as necessary." + echo " -> Minion pillar directory: /opt/so/saltstack/local/pillar/minions/" + ;; + 'single-node') + # We can assume the lsl_details array has been set if lsl_msg has this value + echo "[WARNING] The value of log_size_limit (${lsl_details[0]}) does not match the recommended value of ${lsl_details[1]}." + echo " -> We recommend checking and adjusting the value as necessary." + echo " -> File: /opt/so/saltstack/local/pillar/minions/${lsl_details[2]}.sls" + ;; + esac +fi } From add66e750ec95980bafca9bea078b97f82c8a378 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 10:49:09 -0500 Subject: [PATCH 14/24] forgot to add -c --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 9ebef1217..e5eb90b61 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl capstats'" + docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" echo echo "Average packet loss:" echo - docker exec -it so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" + docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" echo } diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index a083895d7..581246971 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh 
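Review bot: The `case $lsl_msg` block added after `check_sudoers` has no comment saying where `lsl_msg`/`lsl_details` come from or why the report is deferred; add `# Report the log_size_limit findings collected by check_log_size_limit last, so they are not buried in the upgrade output`, and note that the `# We can assume…` remark holds only because check_log_size_limit sets both variables together in the same branch. Since the deferred message is no longer followed by a keypress, it can scroll off a busy terminal; writing it to stderr (`>&2`) or inside a closing banner would make it stand out. The enclosing function starts before this hunk.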
@@ -1,2 +1,2 @@
 #!/bin/bash
-/usr/bin/docker exec so-zeek "runuser -l zeek '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
+/usr/bin/docker exec so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1
From c8213fa3d4a2f5c42da1fc1b677514664026b094 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 25 Feb 2021 11:07:54 -0500
Subject: [PATCH 15/24] change docker exec
---
 salt/common/tools/sbin/so-zeek-stats | 4 ++--
 salt/zeek/cron/packetloss.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats
index e5eb90b61..1fdffda48 100755
--- a/salt/common/tools/sbin/so-zeek-stats
+++ b/salt/common/tools/sbin/so-zeek-stats
@@ -24,11 +24,11 @@ show_stats() {
 echo
 echo "Average throughput:"
 echo
- docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'"
+ docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'"
 echo
 echo "Average packet loss:"
 echo
- docker exec -it so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'"
+ docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'"
 echo
 }
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh
index 581246971..5991c4d23 100755
--- a/salt/zeek/cron/packetloss.sh
+++ b/salt/zeek/cron/packetloss.sh
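Review bot: `env -i PATH=…` wipes every variable `docker exec` passes in, yet `runuser -l` already starts a fresh login environment for `zeek`, so the explicit `env -i` is at best redundant and at worst hides whichever variable was actually breaking zeekctl — a comment naming the problem it solves, or dropping it, would help the next reader. The double-quoted `"runuser -l zeek -c '…'"` is still a single argument, now to `env`, which will fail to find a program by that name; the following commit splits it. The same hard-coded PATH is pasted into three call sites across two files; hoist it into one variable in so-common so the scripts cannot drift. show_stats starts before this hunk.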
@@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From fcd3f81400b93b87dedf0f6bf3955ef5300f052e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 25 Feb 2021 11:16:53 -0500 Subject: [PATCH 16/24] fix quotes --- salt/common/tools/sbin/so-zeek-stats | 4 ++-- salt/zeek/cron/packetloss.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/so-zeek-stats b/salt/common/tools/sbin/so-zeek-stats index 1fdffda48..d3e9b40a6 100755 --- a/salt/common/tools/sbin/so-zeek-stats +++ b/salt/common/tools/sbin/so-zeek-stats @@ -24,11 +24,11 @@ show_stats() { echo echo "Average throughput:" echo - docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl capstats' echo echo "Average packet loss:" echo - docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" + docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' echo } 
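Review bot: The two `docker exec so-zeek env -i PATH=… runuser -l zeek -c` lines in show_stats are identical except for the zeekctl subcommand (a third copy lives in packetloss.sh); a small helper keeps the privilege drop in one place: `zeekctl_as_zeek() { docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c "/opt/zeek/bin/zeekctl $1"; }` followed by `zeekctl_as_zeek capstats`. Because `$1` is interpolated into the `-c` string, callers must pass only fixed subcommand names, never user-supplied text; put that in a comment above the helper. show_stats starts before this hunk and ends at its final `}`.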
diff --git a/salt/zeek/cron/packetloss.sh b/salt/zeek/cron/packetloss.sh index 5991c4d23..0a3df7a18 100755 --- a/salt/zeek/cron/packetloss.sh +++ b/salt/zeek/cron/packetloss.sh @@ -1,2 +1,2 @@ #!/bin/bash -/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin "runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats'" | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 +/usr/bin/docker exec so-zeek env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin:/opt/bin:/usr/local/bin:/usr/local/sbin runuser -l zeek -c '/opt/zeek/bin/zeekctl netstats' | awk '{print $(NF-2),$(NF-1),$NF}' | awk -F '[ =]' '{RCVD += $2;DRP += $4;TTL += $6} END { print "rcvd: " RCVD, "dropped: " DRP, "total: " TTL}' >> /nsm/zeek/logs/packetloss.log 2>&1 From 51e8839daf621ec8612760a0959f8bb3921fc86e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Feb 2021 11:46:00 -0500 Subject: [PATCH 17/24] Inverse NIC offload --- salt/common/tools/sbin/so-common | 189 ++++++++++-------- .../99-so-checksum-offload-disable | 24 ++- 2 files changed, 123 insertions(+), 90 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 3cf1f5e88..a706831fa 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common 
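Review bot: In the rewritten packetloss.sh line the trailing `>> /nsm/zeek/logs/packetloss.log 2>&1` applies only to the last `awk`, so if `docker exec … zeekctl netstats` fails (as it did in the earlier quoting attempts in this series) its error goes to cron's stderr while the pipeline still exits 0 and appends a line with empty counters — a sensor that has stopped capturing looks healthy to whatever reads this log. Add `set -o pipefail` after the shebang and redirect the pipeline as a group, e.g. `{ /usr/bin/docker exec … | awk … | awk …; } >> /nsm/zeek/logs/packetloss.log 2>&1`, and write an explicit error marker when `${PIPESTATUS[0]}` is non-zero so the failure is visible in the file itself.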
@@ -86,10 +86,82 @@ add_interface_bond0() { fi } +check_container() { + docker ps | grep "$1:" > /dev/null 2>&1 + return $? +} + +check_password() { + local password=$1 + echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1 + return $? +} + +fail() { + msg=$1 + echo "ERROR: $msg" + echo "Exiting." + exit 1 +} + +get_random_value() { + length=${1:-20} + head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 +} + header() { printf '%s\n' "" "$banner" " $*" "$banner" } +init_monitor() { + MONITORNIC=$1 + + if [[ $MONITORNIC == "bond0" ]]; then + BIFACES=$(lookup_bond_interfaces) + else + BIFACES=$MONITORNIC + fi + + for DEVICE_IFACE in $BIFACES; do + for i in rx tx sg tso ufo gso gro lro; do + ethtool -K "$DEVICE_IFACE" "$i" off; + done + ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on + done +} + +is_manager_node() { + # Check to see if this is a manager node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'manager' ] && return 0 + [ $role == 'managersearch' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + +is_sensor_node() { + # Check to see if this is a sensor (forward) node + role=$(lookup_role) + is_single_node_grid && return 0 + [ $role == 'sensor' ] && return 0 + [ $role == 'heavynode' ] && return 0 + [ $role == 'helix' ] && return 0 + return 1 +} + +is_single_node_grid() { + role=$(lookup_role) + [ $role == 'eval' ] && return 0 + [ $role == 'standalone' ] && return 0 + [ $role == 'import' ] && return 0 + return 1 +} + +lookup_bond_interfaces() { + cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g" +} + lookup_salt_value() { key=$1 group=$2 
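Review bot: init_monitor has no header comment and assigns `MONITORNIC`, `BIFACES` and `DEVICE_IFACE` as globals; since so-common is sourced by other scripts (the dispatcher script later in this series does so), `DEVICE_IFACE` in particular collides with the variable NetworkManager hands to dispatcher scripts, so mark all three `local`. A short header would also help: `# Put a sniffing interface (or every slave of bond0) into monitor mode: turn off NIC offloads so the IDS sees on-the-wire frames, and disable ARP/multicast while enabling promiscuous mode so the sensor stays passive on the tap.` `ethtool -K` exits non-zero and prints an error for features a NIC does not expose (to confirm per driver), which is noise in a dispatcher context but would abort a caller under `set -e`; `2>/dev/null || true` with a comment, or checking `ethtool -k` first, makes that intent explicit. lookup_bond_interfaces can drop the `cat`: `grep "Slave Interface:" /proc/net/bonding/bond0 | sed -e "s/Slave Interface: //g"`.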
@@ -129,15 +201,41 @@ lookup_role() { echo ${pieces[1]} } -check_container() { - docker ps | grep "$1:" > /dev/null 2>&1 - return $? +require_manager() { + if is_manager_node; then + echo "This is a manager, We can proceed." + else + echo "Please run this command on the manager; the manager controls the grid." + exit 1 + fi } -check_password() { - local password=$1 - echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1 - return $? +retry() { + maxAttempts=$1 + sleepDelay=$2 + cmd=$3 + expectedOutput=$4 + attempt=0 + while [[ $attempt -lt $maxAttempts ]]; do + attempt=$((attempt+1)) + echo "Executing command with retry support: $cmd" + output=$(eval "$cmd") + exitcode=$? + echo "Results: $output ($exitcode)" + if [ -n "$expectedOutput" ]; then + if [[ "$output" =~ "$expectedOutput" ]]; then + return $exitCode + else + echo "Expected '$expectedOutput' but got '$output'" + fi + elif [[ $exitcode -eq 0 ]]; then + return $exitCode + fi + echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." + sleep $sleepDelay + done + echo "Command continues to fail; giving up." + return 1 } set_os() { 
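Review bot: retry (moved here unchanged) returns `$exitCode` on both success paths but the variable it actually sets is `$exitcode`, so `return` gets an empty operand and yields the status of the preceding `[[ ]]` test (0) rather than the command's code; this is harmless today only by coincidence and would abort under `set -u` — change both to `return $exitcode`. Callers should also know that retry runs its third argument through `eval`, so the command string must never contain untrusted input; a comment above the function, `# cmd is eval'd: pass only trusted, fully-quoted command strings`, makes that visible. require_manager and retry are complete within this hunk; set_os begins after it.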
@@ -171,83 +269,6 @@ set_version() { fi } -require_manager() { - if is_manager_node; then - echo "This is a manager, We can proceed." - else - echo "Please run this command on the manager; the manager controls the grid." - exit 1 - fi -} - -is_manager_node() { - # Check to see if this is a manager node - role=$(lookup_role) - is_single_node_grid && return 0 - [ $role == 'manager' ] && return 0 - [ $role == 'managersearch' ] && return 0 - [ $role == 'helix' ] && return 0 - return 1 -} - -is_sensor_node() { - # Check to see if this is a sensor (forward) node - role=$(lookup_role) - is_single_node_grid && return 0 - [ $role == 'sensor' ] && return 0 - [ $role == 'heavynode' ] && return 0 - [ $role == 'helix' ] && return 0 - return 1 -} - -is_single_node_grid() { - role=$(lookup_role) - [ $role == 'eval' ] && return 0 - [ $role == 'standalone' ] && return 0 - [ $role == 'import' ] && return 0 - return 1 -} - -fail() { - msg=$1 - echo "ERROR: $msg" - echo "Exiting." - exit 1 -} - -get_random_value() { - length=${1:-20} - head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 -} - -retry() { - maxAttempts=$1 - sleepDelay=$2 - cmd=$3 - expectedOutput=$4 - attempt=0 - while [[ $attempt -lt $maxAttempts ]]; do - attempt=$((attempt+1)) - echo "Executing command with retry support: $cmd" - output=$(eval "$cmd") - exitcode=$? - echo "Results: $output ($exitcode)" - if [ -n "$expectedOutput" ]; then - if [[ "$output" =~ "$expectedOutput" ]]; then - return $exitCode - else - echo "Expected '$expectedOutput' but got '$output'" - fi - elif [[ $exitcode -eq 0 ]]; then - return $exitCode - fi - echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." - sleep $sleepDelay - done - echo "Command continues to fail; giving up." - return 1 -} - valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 
diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable index e12049301..63f9c0a4c 100755 --- a/setup/install_scripts/99-so-checksum-offload-disable +++ b/setup/install_scripts/99-so-checksum-offload-disable @@ -1,8 +1,20 @@ #!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . -if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* && "$DEVICE_IFACE" != *"tun"* && "DEVICE_IFACE" != *"wg"* ]]; then - for i in rx tx sg tso ufo gso gro lro; do - ethtool -K "$DEVICE_IFACE" "$i" off; - done - ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on -fi +. /usr/sbin/so-common + +init_monitor $MNIC From 37c13362df3c3580c99133edae10832945c125ea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Feb 2021 13:20:29 -0500 Subject: [PATCH 18/24] Netowrk Manager needs to chill --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 07c53100d..2a8cfe8d1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
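Review bot: The rewritten dispatcher script no longer consults `DEVICE_IFACE` — the interface NetworkManager passes to scripts in pre-up.d — so `init_monitor` re-applies the ethtool/promisc settings to the monitor NIC on every interface event, including the management link coming up; harmless if the operations are idempotent, but say so: `# runs on every NM pre-up event; re-applying the monitor settings is idempotent`. Quote the argument, `init_monitor "$MNIC"`, and explain the placeholder with `# $MNIC is rewritten to the monitor interface name by so-setup (sed in network_setup)`, otherwise a reader sees an unset variable. Sourcing `/usr/sbin/so-common` as root from a dispatcher script also executes any top-level statements that file may contain on each event; keep so-common definition-only.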
@@ -160,10 +160,10 @@ check_network_manager_conf() { } >> "$setup_log" 2>&1 fi - if test -f "$nmconf"; then - sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1 - systemctl restart NetworkManager >> "$setup_log" 2>&1 - fi + #if test -f "$nmconf"; then +# sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1 +# systemctl restart NetworkManager >> "$setup_log" 2>&1 +# fi if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> "$setup_log" 2>&1 From 2c8bc16c8f1830788364fe36c7b5883fab6ae965 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 25 Feb 2021 13:43:02 -0500 Subject: [PATCH 19/24] Remove some nmcli business --- setup/so-functions | 63 +++++++++++++++++++++++----------------------- 1 file changed, 31 insertions(+), 32 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2a8cfe8d1..f996bae12 100755 --- a/setup/so-functions +++ b/setup/so-functions 
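Review bot: The `managed=false` → `managed=true` rewrite in check_network_manager_conf is commented out rather than removed, leaving four `#`-prefixed lines with inconsistent indentation and a function whose name (and the `Verifying all network devices are managed by Network Manager` log line in network_setup) no longer describes what it does. Delete the block — git history keeps it — or gate it behind an explicit flag with a comment explaining why flipping `managed` was harmful, since the commit message only says NetworkManager "needs to chill". If interfaces may now stay unmanaged, later `nmcli con mod` calls against them can fail with only a line in `$setup_log`; worth a sentence in the function header. The function starts before and ends after this hunk.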
@@ -1012,33 +1012,38 @@ disable_ipv6() { sysctl -w net.ipv6.conf.all.disable_ipv6=1 sysctl -w net.ipv6.conf.default.disable_ipv6=1 } >> "$setup_log" 2>&1 + { + echo "net.ipv6.conf.all.disable_ipv6 = 1" + echo "net.ipv6.conf.default.disable_ipv6 = 1" + echo "net.ipv6.conf.lo.disable_ipv6 = 1" + } >> /etc/sysctl.conf } -disable_misc_network_features() { - filter_unused_nics - if [ ${#filtered_nics[@]} -ne 0 ]; then - for unused_nic in "${filtered_nics[@]}"; do - if [ -n "$unused_nic" ]; then - echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1 - - # Disable DHCPv4/v6 and autoconnect - nmcli con mod "$unused_nic" \ - ipv4.method disabled \ - ipv6.method ignore \ - connection.autoconnect "no" >> "$setup_log" 2>&1 - - # Flush any existing IPs - ip addr flush "$unused_nic" >> "$setup_log" 2>&1 - fi - done - fi - # Disable IPv6 - { - echo "net.ipv6.conf.all.disable_ipv6 = 1" - echo "net.ipv6.conf.default.disable_ipv6 = 1" - echo "net.ipv6.conf.lo.disable_ipv6 = 1" - } >> /etc/sysctl.conf -} +#disable_misc_network_features() { +# filter_unused_nics +# if [ ${#filtered_nics[@]} -ne 0 ]; then +# for unused_nic in "${filtered_nics[@]}"; do +# if [ -n "$unused_nic" ]; then +# echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1 +# +# # Disable DHCPv4/v6 and autoconnect +# nmcli con mod "$unused_nic" \ +# ipv4.method disabled \ +# ipv6.method ignore \ +# connection.autoconnect "no" >> "$setup_log" 2>&1 +# +# # Flush any existing IPs +# ip addr flush "$unused_nic" >> "$setup_log" 2>&1 +# fi +# done +# fi +# # Disable IPv6 +# { +# echo "net.ipv6.conf.all.disable_ipv6 = 1" +# echo "net.ipv6.conf.default.disable_ipv6 = 1" +# echo "net.ipv6.conf.lo.disable_ipv6 = 1" +# } >> /etc/sysctl.conf +#} docker_install() { 
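Review bot: disable_ipv6 now appends the three `net.ipv6.*` lines to `/etc/sysctl.conf` with `>>` every time it runs, so a re-run of setup accumulates duplicate entries; write them idempotently to a drop-in instead, e.g. `printf '%s\n' 'net.ipv6.conf.all.disable_ipv6 = 1' 'net.ipv6.conf.default.disable_ipv6 = 1' 'net.ipv6.conf.lo.disable_ipv6 = 1' > /etc/sysctl.d/99-so-disable-ipv6.conf`. The append also sits outside the `>> "$setup_log" 2>&1` group just above it, so a permission error would go to the console rather than the log. The thirty or so `#disable_misc_network_features` lines should be deleted, not commented — their only caller was already commented out earlier in this series and is removed in the next hunk. disable_ipv6 starts before this hunk; docker_install begins after it.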
@@ -1719,17 +1724,11 @@ network_setup() { echo "... Verifying all network devices are managed by Network Manager"; check_network_manager_conf; - #echo "... Disabling unused NICs"; - #disable_misc_network_features; - - echo "... Setting ONBOOT for management interface"; - command -v netplan &> /dev/null || nmcli con mod "$MNIC" connection.autoconnect "yes" - echo "... Copying 99-so-checksum-offload-disable"; cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ; echo "... Modifying 99-so-checksum-offload-disable"; - sed -i "s/\$MNIC/${MNIC}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; + sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; } >> "$setup_log" 2>&1 } From b024dae72ebb5c3fd77fb4305540a64bdb062417 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Feb 2021 15:19:28 -0500 Subject: [PATCH 20/24] [fix] Don't call `set_main_ip` a second time --- setup/so-functions | 2 -- 1 file changed, 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f996bae12..515dc79c7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2327,8 +2327,6 @@ set_hostname() { set_initial_firewall_policy() { - set_main_ip - if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi From 9fa625189f520bbbdc4ced14606c3beafb39677d Mon Sep 17 00:00:00 2001 
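Review bot: The `sed -i "s/\$MNIC/${INTERFACE}/g"` line now substitutes the setup shell's `INTERFACE` variable into the dispatcher script, but nothing in this series shows `INTERFACE` being assigned; if it is unset here the `$MNIC` placeholder is replaced with an empty string and the resulting 99-so-checksum-offload-disable script names no device at all. If the intent was to leave a literal `$INTERFACE` for the dispatcher to expand at run time, the replacement needs escaping, `sed -i "s/\$MNIC/\$INTERFACE/g" ...`; if the intent was the setup-time variable, fail loudly when it is missing, e.g. `: "${INTERFACE:?INTERFACE must be set before patching 99-so-checksum-offload-disable}"` just before the sed. Either way the value is interpolated straight into a sed expression, so a `/` in it would break the command; interface names normally cannot contain one, but the guard above costs nothing. network_setup begins before this hunk; its closing brace is inside it.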
From: m0duspwnens Date: Thu, 25 Feb 2021 20:07:29 -0500 Subject: [PATCH 21/24] upgrade to salt 3002.5 https://github.com/Security-Onion-Solutions/securityonion/issues/3147 --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 20 ++++++++++---------- setup/so-preflight | 6 +++--- setup/yum_repos/saltstack.repo | 4 ++-- 5 files changed, 17 insertions(+), 17 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index e774a2c7d..2b50b517b 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3002.2 \ No newline at end of file + version: 3002.5 \ No newline at end of file diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index baaaff411..e6b1303ed 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,5 +2,5 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3002.2 + version: 3002.5 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default \ No newline at end of file diff --git a/setup/so-functions b/setup/so-functions index 18718d7e9..52865b5f1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -1905,7 +1905,7 @@ saltify() { if [ $OS = 'centos' ]; then set_progress_str 5 'Installing Salt repo' { - sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub; + sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub; cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo; } >> "$setup_log" 2>&1 set_progress_str 6 'Installing various dependencies' @@ -1922,14 +1922,14 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3002.2" + logCmd "yum -y install salt-master-3002.5" fi systemctl enable salt-master >> "$setup_log" 2>&1 ;; @@ -1957,7 +1957,7 @@ saltify() { { if [[ ! $is_iso ]]; then yum -y install epel-release - yum -y install salt-minion-3002.2\ + yum -y install salt-minion-3002.5\ python3\ python36-docker\ python36-dateutil\ 
@@ -2008,8 +2008,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2017,7 +2017,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
@@ -2030,7 +2030,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 argon2 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) @@ -2041,14 +2041,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3002.2+ds-1 salt-common=3002.2+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3002.5+ds-1 salt-common=3002.5+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 if [[ $OSVER != 'xenial' ]]; then retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb" >> "$setup_log" 2>&1 || exit 1 diff --git a/setup/so-preflight b/setup/so-preflight index 69435446a..da25e6775 100644 --- a/setup/so-preflight +++ b/setup/so-preflight 
@@ -46,8 +46,8 @@ check_new_repos() { if [[ $OS == 'centos' ]]; then local repo_arr=( "https://download.docker.com/linux/centos/docker-ce.repo" - "https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub" - "https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" "https://download.docker.com/linux/ubuntu/gpg" "https://packages.wazuh.com/key/GPG-KEY-WAZUH" "https://packages.wazuh.com/3.x/yum/" @@ -59,7 +59,7 @@ check_new_repos() { local repo_arr=( "https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu" - "https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub" + "https://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.5/SALTSTACK-GPG-KEY.pub" "https://packages.wazuh.com/key/GPG-KEY-WAZUH" "https://packages.wazuh.com" ) diff --git a/setup/yum_repos/saltstack.repo b/setup/yum_repos/saltstack.repo index 856d4d80c..0430a62b8 100644 --- a/setup/yum_repos/saltstack.repo +++ b/setup/yum_repos/saltstack.repo @@ -1,6 +1,6 @@ [saltstack] name=SaltStack repo for RHEL/CentOS $releasever PY3 -baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/ +baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/ enabled=1 gpgcheck=1 -gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub \ No newline at end of file +gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.5/SALTSTACK-GPG-KEY.pub \ No newline at end of file From 5678e66b399c86af9b126492ead664bcf611ff73 Mon Sep 17 00:00:00 2001 
From: Josh Brower Date: Fri, 26 Feb 2021 08:33:24 -0500 Subject: [PATCH 22/24] Fix so-playbook-sigma-refresh --- salt/common/tools/sbin/so-playbook-sigma-refresh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-sigma-refresh b/salt/common/tools/sbin/so-playbook-sigma-refresh index 10697bc2f..7445786f9 100644 --- a/salt/common/tools/sbin/so-playbook-sigma-refresh +++ b/salt/common/tools/sbin/so-playbook-sigma-refresh @@ -17,4 +17,11 @@ . /usr/sbin/so-common -docker exec so-soctopus python3 playbook_play-update.py \ No newline at end of file +# Regenerate ElastAlert & update Plays +docker exec so-soctopus python3 playbook_play-update.py + +# Delete current Elastalert Rules +rm /opt/so/rules/elastalert/playbook/*.yaml + +# Regenerate Elastalert Rules +so-playbook-sync \ No newline at end of file From 333a7e6173bd763158df1ff3ff3e01ff2ed308a2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 26 Feb 2021 09:14:30 -0500 Subject: [PATCH 23/24] [fix] Change logic for collecting fleet custom hostname --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 52865b5f1..8213cd516 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -331,7 +331,7 @@ collect_es_space_limit() { collect_fleet_custom_hostname_inputs() { whiptail_fleet_custom_hostname - while ! valid_fqdn "$FLEETCUSTOMHOSTNAME" || [[ $FLEETCUSTOMHOSTNAME != "" ]]; do + while [[ -n $FLEETCUSTOMHOSTNAME ]] && ! valid_fqdn "$FLEETCUSTOMHOSTNAME"; do whiptail_invalid_input whiptail_fleet_custom_hostname "$FLEETCUSTOMHOSTNAME" done From be1f641bf0e5dd93178521874568f6904ba86405 Mon Sep 17 00:00:00 2001 
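Review bot: `rm /opt/so/rules/elastalert/playbook/*.yaml` runs whether or not the preceding `docker exec` succeeded, so a failed play update still wipes every ElastAlert playbook rule and, if `so-playbook-sync` then also fails, the sensor is left with no playbook detections until someone notices and re-runs the script. Abort before deleting anything when the update fails, and tolerate an already-empty directory: `docker exec so-soctopus python3 playbook_play-update.py || exit 1` followed by `rm -f -- /opt/so/rules/elastalert/playbook/*.yaml`; the script's exit status already reflects the final `so-playbook-sync`. A `set -e` near the top would cover the first step as well, unless the sourced so-common already sets it (not visible from here). The file also still ends without a trailing newline.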
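Review bot: The new loop condition accepts an empty `FLEETCUSTOMHOSTNAME` and re-prompts only for a non-empty value that fails `valid_fqdn`, a rule that is presumably "empty means no custom Fleet hostname" but is not written down anywhere in the function; add a comment above the `while`, e.g. `# Empty input is accepted (no custom Fleet hostname); anything else must be a valid FQDN`. `$FLEETCUSTOMHOSTNAME` is unquoted inside `[[ -n ... ]]`, which is safe in bash but inconsistent with the quoted use later on the same line. collect_fleet_custom_hostname_inputs starts inside this hunk and its closing brace is outside it.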
From: William Wernert Date: Fri, 26 Feb 2021 10:27:14 -0500 Subject: [PATCH 24/24] [refactor] Make default route message a warning Don't force users to exit setup if the default route and management NIC's IP don't match, just warn them
--- setup/so-functions | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 8213cd516..5d4dff0fc 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -754,19 +754,23 @@ compare_main_nic_ip() {
 if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
 if [[ "$MAINIP" != "$MNIC_IP" ]]; then
 read -r -d '' message <<- EOM
- The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
+ The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
- This is not a supported configuration, please remediate and rerun setup.
- EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
- kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
- fi
+ This has been known to cause installs to fail in some scenarios.
+
+ Please select whether to continue the install or exit setup to remediate any potential issues.
+ EOM
+ whiptail --title "Security Onion Setup" \
+ --yesno "$message" 10 75 \
+ --yes-button "Continue" --no-button "Exit" --defaultno
+
+ kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+ fi
 else
 # Setup uses MAINIP, but since we ignore the equality condition when using a VPN
 # just set the variable to the IP of the VPN interface
 MAINIP=$MNIC_IP
 fi
-
 }
 compare_versions() {
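Review bot: The "Continue" button has no effect: `whiptail --yesno` reports the user's choice only through its exit status, and the `kill -SIGINT ...; exit 1` that follows the dialog runs unconditionally, so setup still aborts whichever button is pressed, the opposite of what the commit message promises. Branch on the dialog's status, e.g. `if ! whiptail --title "Security Onion Setup" --yes-button "Continue" --no-button "Exit" --defaultno --yesno "$message" 10 75; then` / `kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1` / `fi`, keeping `--defaultno` so an accidental Enter still takes the safe exit path. Since the mismatch is now only a warning, it is also worth appending a line to `$setup_log` recording that the user chose to continue with `$MAINIP` differing from `$MNIC_IP`, so the decision is visible when a later install failure is investigated. compare_main_nic_ip begins before this hunk; its closing brace is inside it.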