Add script for bond0 channels

2025-12-06 17:22:49 +01:00 · 2025-08-27 09:53:37 -04:00
parent 87fdd90f56
commit ccd79c814d
2 changed files with 176 additions and 0 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -0,0 +1,104 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Overview
+
+Security Onion is an open-source network security monitoring (NSM) platform that combines multiple security tools into a unified solution. It's designed for threat hunting, enterprise security monitoring, and log management. The platform integrates tools for intrusion detection, packet capture, log management, and security analytics in a comprehensive security monitoring solution.
+
+## Architecture
+
+Security Onion uses a microservice architecture with containerized components:
+
+- **Deployment Models**:
+  - Standalone: Single all-in-one instance
+  - Distributed: Manager/sensor architecture with multiple node types
+    - Manager: Central management server
+    - Search Nodes: Data storage and search
+    - Sensor Nodes: Network monitoring and data collection
+    - Heavy Nodes: Combined sensor/search capabilities
+    - IDH (Intrusion Deception Host): Honeypot services
+
+- **Core Components**:
+  - Data Collection: Zeek, Suricata, Steno (PCAP), Elastic Agents
+  - Data Processing: Logstash, Kafka, Strelka (file analysis)
+  - Data Storage: Elasticsearch, InfluxDB, Redis
+  - User Interface: Kibana, SOC (custom Security Onion web UI), Kratos/Hydra (auth)
+  - Management: Salt, Docker, Registry, Nginx
+
+## Development Environment
+
+### Prerequisites
+
+- Linux environment (Oracle Linux or compatible)
+- Git
+- Docker and Docker Compose
+- SaltStack
+
+### Testing
+
+Run validation tests:
+```bash
+cd tests
+./validation.sh
+```
+
+Run Python tests (requires Python 3):
+```bash
+./pyci.sh salt/sensoroni/files/analyzers/urlhaus
+```
+
+### Key Files and Directories
+
+- `/salt`: SaltStack states for all components
+- `/setup`: Installation scripts and utilities
+- `/pillar`: SaltStack pillar data (configuration)
+- `/files`: Additional configuration files
+- `/tests`: Test utilities and validation
+
+## Common Tasks
+
+### Testing Salt States
+
+To test a specific Salt state without applying it:
+```bash
+salt-call state.show_sls <state_name>
+```
+
+To apply a Salt state in test mode:
+```bash
+salt-call state.apply <state_name> test=True
+```
+
+### Working with Docker Containers
+
+View running containers:
+```bash
+so-status
+```
+
+Access container logs:
+```bash
+docker logs <container_name>
+```
+
+### Development Workflow
+
+1. Make code changes
+2. Run validation: `./tests/validation.sh`
+3. Run Python tests if applicable: `./pyci.sh <directory>`
+
+## Code Conventions
+
+- All Bash scripts should pass ShellCheck analysis
+- YAML (Salt states and pillars) should be properly formatted
+- Python code should pass flake8 checks (configured in pytest.ini)
+- Code should match the pre-existing style of Security Onion
+- All commits must be signed with a valid key
+
+## Important Notes
+
+- Security Onion uses Salt for configuration management
+- Most components run as Docker containers
+- The project follows a distributed architecture with different node types
+- Testing should cover both code functionality and deployment scenarios
--- a/salt/sensor/files/so-combine-bond
+++ b/salt/sensor/files/so-combine-bond
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+# Script to find all interfaces of bond0 and set channel parameters
+# Compatible with Oracle Linux 9, Ubuntu, and Debian
+
+. /usr/sbin/so-common
+
+{% set NICCHANNELS = salt['pillar.get']('sensor:channels', '1') %}
+
+# Number of channels to set
+CHANNELS={{ NICCHANNELS }}
+
+# Exit on any error
+set -e
+
+# Check if running as root
+if [[ $EUID -ne 0 ]]; then
+   exit 1
+fi
+
+# Check if bond0 exists
+if ! ip link show bond0 &>/dev/null; then
+    exit 1
+fi
+
+# Function to get slave interfaces - works across distributions
+get_bond_slaves() {
+    local bond_name="$1"
+    local slaves=""
+    
+    # Method 1: Try /sys/class/net first (most reliable)
+    if [ -f "/sys/class/net/$bond_name/bonding/slaves" ]; then
+        slaves=$(cat "/sys/class/net/$bond_name/bonding/slaves" 2>/dev/null)
+    fi
+    
+    # Method 2: Try /proc/net/bonding (older systems)
+    if [ -z "$slaves" ] && [ -f "/proc/net/bonding/$bond_name" ]; then
+        slaves=$(grep "Slave Interface:" "/proc/net/bonding/$bond_name" 2>/dev/null | awk '{print $3}' | tr '\n' ' ')
+    fi
+    
+    # Method 3: Parse ip link output (universal fallback)
+    if [ -z "$slaves" ]; then
+        slaves=$(ip -o link show | grep "master $bond_name" | awk -F': ' '{print $2}' | cut -d'@' -f1 | tr '\n' ' ')
+    fi
+    
+    echo "$slaves"
+}
+
+# Get slave interfaces
+SLAVES=$(get_bond_slaves bond0)
+
+if [ -z "$SLAVES" ]; then
+    exit 1
+fi
+
+# Process each slave interface
+for interface in $SLAVES; do
+    # Skip if interface doesn't exist
+    if ! ip link show "$interface" &>/dev/null; then
+        continue
+    fi
+    
+    # Try combined mode first
+    if ethtool -L "$interface" combined $CHANNELS &>/dev/null; then
+        continue
+    fi
+    
+    # Fall back to separate rx/tx
+    ethtool -L "$interface" rx $CHANNELS tx $CHANNELS &>/dev/null || true
+done
+
+exit 0