CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-10 11:12:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #2979 from Security-Onion-Solutions/foxtrot

Browse Source 
Setup fixes/improvements
This commit is contained in:
William Wernert
2021-02-16 17:14:59 -05:00
committed by GitHub
parent 8016511414 0bd5ddf6a6
commit cda36f178b
5 changed files with 106 additions and 69 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
setup/automation/eval-net-centos
View File

@@ -34,7 +34,7 @@ GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit
HOSTNAME=standalone HOSTNAME=eval
install_type=EVAL install_type=EVAL
# LSINPUTBATCHCOUNT= # LSINPUTBATCHCOUNT=
# LSINPUTTHREADS= # LSINPUTTHREADS=

4
setup/automation/eval-net-ubuntu
View File

@@ -34,8 +34,8 @@ GRAFANA=1
# HELIXAPIKEY= # HELIXAPIKEY=
HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12 HNMANAGER=10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
HNSENSOR=inherit HNSENSOR=inherit
HOSTNAME=standalone HOSTNAME=eval
install_type=STANDALONE install_type=EVAL
# LSINPUTBATCHCOUNT= # LSINPUTBATCHCOUNT=
# LSINPUTTHREADS= # LSINPUTTHREADS=
# LSPIPELINEBATCH= # LSPIPELINEBATCH=

128
setup/so-functions
View File

@@ -398,6 +398,13 @@ collect_hostname() {
whiptail_set_hostname "$HOSTNAME" whiptail_set_hostname "$HOSTNAME"
if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once
if ! (whiptail_avoid_default_hostname); then
whiptail_set_hostname
fi
fi
while ! valid_hostname "$HOSTNAME"; do while ! valid_hostname "$HOSTNAME"; do
whiptail_invalid_hostname whiptail_invalid_hostname
whiptail_set_hostname "$HOSTNAME" whiptail_set_hostname "$HOSTNAME"
@@ -963,15 +970,16 @@ installer_prereq_packages() {
elif [ "$OS" == ubuntu ]; then elif [ "$OS" == ubuntu ]; then
# Print message to stdout so the user knows setup is doing something # Print message to stdout so the user knows setup is doing something
echo "Installing required packages to run installer..." echo "Installing required packages to run installer..."
retry 50 10 "apt-get update" >> "$setup_log" 2>&1 || exit 1
# Install network manager so we can do interface stuff # Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then if ! command -v nmcli > /dev/null 2>&1; then
retry 50 10 "apt-get install -y network-manager" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install network-manager" >> "$setup_log" 2>&1 || exit 1
{ {
systemctl enable NetworkManager systemctl enable NetworkManager
systemctl start NetworkManager systemctl start NetworkManager
} >> "$setup_log" 2<&1 } >> "$setup_log" 2<&1
fi fi
retry 50 10 "apt-get install -y bc curl" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install bc curl" >> "$setup_log" 2>&1 || exit 1
fi fi
} }
@@ -1487,50 +1495,50 @@ manager_global() {
fi fi
if [ -z "$DOCKERNET" ]; then if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0 DOCKERNET=172.17.0.0
DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
else else
DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24 DOCKERBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
fi fi
# Create a global file for global values # Create a global file for global values
printf '%s\n'\ printf '%s\n'\
"global:"\ "global:"\
" soversion: '$SOVERSION'"\ " soversion: '$SOVERSION'"\
" hnmanager: '$HNMANAGER'"\ " hnmanager: '$HNMANAGER'"\
" ntpserver: '$NTPSERVER'"\ " ntpserver: '$NTPSERVER'"\
" dockernet: '$DOCKERNET'"\ " dockernet: '$DOCKERNET'"\
" proxy: '$PROXY'"\ " proxy: '$PROXY'"\
" mdengine: '$ZEEKVERSION'"\ " mdengine: '$ZEEKVERSION'"\
" ids: '$NIDS'"\ " ids: '$NIDS'"\
" url_base: '$REDIRECTIT'"\ " url_base: '$REDIRECTIT'"\
" managerip: '$MAINIP'" > "$global_pillar" " managerip: '$MAINIP'" > "$global_pillar"
if [[ $is_airgap ]]; then if [[ $is_airgap ]]; then
printf '%s\n'\ printf '%s\n'\
" airgap: True"\ >> "$global_pillar" " airgap: True"\ >> "$global_pillar"
else else
printf '%s\n'\ printf '%s\n'\
" airgap: False"\ >> "$global_pillar" " airgap: False"\ >> "$global_pillar"
fi fi
# Check if TheHive is enabled. If so, add creds and other details # Check if TheHive is enabled. If so, add creds and other details
if [[ "$THEHIVE" == "1" ]]; then if [[ "$THEHIVE" == "1" ]]; then
printf '%s\n'\ printf '%s\n'\
" hiveuser: '$WEBUSER'"\ " hiveuser: '$WEBUSER'"\
" hivepassword: '$WEBPASSWD1'"\ " hivepassword: '$WEBPASSWD1'"\
" hivekey: '$HIVEKEY'"\ " hivekey: '$HIVEKEY'"\
" hiveplaysecret: '$HIVEPLAYSECRET'"\ " hiveplaysecret: '$HIVEPLAYSECRET'"\
" cortexuser: '$WEBUSER'"\ " cortexuser: '$WEBUSER'"\
" cortexpassword: '$WEBPASSWD1'"\ " cortexpassword: '$WEBPASSWD1'"\
" cortexkey: '$CORTEXKEY'"\ " cortexkey: '$CORTEXKEY'"\
" cortexorgname: 'SecurityOnion'"\ " cortexorgname: 'SecurityOnion'"\
" cortexorguser: 'soadmin'"\ " cortexorguser: 'soadmin'"\
" cortexorguserkey: '$CORTEXORGUSERKEY'"\ " cortexorguserkey: '$CORTEXORGUSERKEY'"\
" cortexplaysecret: '$CORTEXPLAYSECRET'" >> "$global_pillar" " cortexplaysecret: '$CORTEXPLAYSECRET'" >> "$global_pillar"
fi fi
# Continue adding other details # Continue adding other details
printf '%s\n'\ printf '%s\n'\
" fleet_custom_hostname: "\ " fleet_custom_hostname: "\
" fleet_manager: False"\ " fleet_manager: False"\
@@ -1541,7 +1549,7 @@ manager_global() {
" fleet_ip: 'N/A'"\ " fleet_ip: 'N/A'"\
" sensoronikey: '$SENSORONIKEY'"\ " sensoronikey: '$SENSORONIKEY'"\
" wazuh: $WAZUH"\ " wazuh: $WAZUH"\
" managerupdate: $MANAGERUPDATES"\ " managerupdate: $MANAGERUPDATES"\
" imagerepo: '$IMAGEREPO'"\ " imagerepo: '$IMAGEREPO'"\
" pipeline: 'redis'"\ " pipeline: 'redis'"\
"sensoroni:"\ "sensoroni:"\
@@ -1557,22 +1565,22 @@ manager_global() {
" features: False"\ " features: False"\
"elasticsearch:"\ "elasticsearch:"\
" replicas: 0" >> "$global_pillar" " replicas: 0" >> "$global_pillar"
if [ -n "$ESCLUSTERNAME" ]; then if [ -n "$ESCLUSTERNAME" ]; then
printf '%s\n'\
" true_cluster: True"\
" true_cluster_name: '$ESCLUSTERNAME'" >> "$global_pillar"
else
printf '%s\n'\
" true_cluster: False"\
" true_cluster_name: 'so'" >> "$global_pillar"
fi
printf '%s\n'\ printf '%s\n'\
" true_cluster: True"\
" true_cluster_name: '$ESCLUSTERNAME'" >> "$global_pillar"
else
printf '%s\n'\
" true_cluster: False"\
" true_cluster_name: 'so'" >> "$global_pillar"
fi
printf '%s\n'\
" discovery_nodes: 1"\ " discovery_nodes: 1"\
" hot_warm_enabled: False"\ " hot_warm_enabled: False"\
" cluster_routing_allocation_disk.threshold_enabled: true"\ " cluster_routing_allocation_disk.threshold_enabled: true"\
" cluster_routing_allocation_disk_watermark_low: '95%'"\ " cluster_routing_allocation_disk_watermark_low: '95%'"\
" cluster_routing_allocation_disk_watermark_high: '98%'"\ " cluster_routing_allocation_disk_watermark_high: '98%'"\
" cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\
" index_settings:"\ " index_settings:"\
" so-beats:"\ " so-beats:"\
" shards: 1"\ " shards: 1"\
@@ -1633,10 +1641,10 @@ manager_global() {
" upload_queue_size: 4"\ " upload_queue_size: 4"\
" encoding: 'gzip'"\ " encoding: 'gzip'"\
" interval: 5"\ " interval: 5"\
"backup:"\ "backup:"\
" locations:"\ " locations:"\
" - /opt/so/saltstack/local"\ " - /opt/so/saltstack/local"\
"soctopus:"\ "soctopus:"\
" playbook:"\ " playbook:"\
" rulesets:"\ " rulesets:"\
" - windows"\ " - windows"\
@@ -1790,7 +1798,7 @@ reinstall_init() {
local service_retry_count=20 local service_retry_count=20
{ {
if command -v salt-call &> /dev/null; then if command -v salt-call &> /dev/null && grep -q "master:" /etc/salt/minion 2> /dev/null; then
# Disable schedule so highstate doesn't start running during the install # Disable schedule so highstate doesn't start running during the install
salt-call -l info schedule.disable salt-call -l info schedule.disable
@@ -1950,9 +1958,7 @@ saltify() {
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
yum versionlock salt* yum versionlock salt*
else else
if ! (DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1); then DEBIAN_FRONTEND=noninteractive retry 50 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || exit 1
exit 1
fi
if [ $OSVER != "xenial" ]; then if [ $OSVER != "xenial" ]; then
# Switch to Python 3 as default if this is not xenial # Switch to Python 3 as default if this is not xenial

9
setup/so-setup
View File

@@ -379,6 +379,11 @@ if [[ $is_import ]]; then
PLAYBOOK=0 PLAYBOOK=0
fi fi
if [[ $is_airgap ]]; then
PATCHSCHEDULENAME=manual
MANAGERUPDATES=0
fi
# Start user prompts # Start user prompts
if [[ $is_helix ]]; then if [[ $is_helix ]]; then
@@ -393,7 +398,7 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
calculate_useable_cores calculate_useable_cores
fi fi
if [[ ! $is_import ]]; then if [[ ! $is_airgap && ! $is_import ]]; then
collect_patch_schedule collect_patch_schedule
fi fi
@@ -446,7 +451,7 @@ if [[ $is_manager || $is_import ]]; then
get_redirect get_redirect
fi fi
if [[ $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ]]; then if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then
whiptail_manager_updates whiptail_manager_updates
if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then
whiptail_manager_updates_warning whiptail_manager_updates_warning

32
setup/so-whiptail
View File

@@ -28,6 +28,20 @@ whiptail_airgap() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_avoid_default_hostname() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
To prevent hostname conflicts, avoid using the default 'securityonion' hostname in a distributed environment.
You can choose to use this default hostname anyway, or change it to a new hostname.
EOM
whiptail --title "Security Onion Setup" \
--yesno "$message" 11 75 \
--yes-button "Use Anyway" --no-button "Change" --defaultno
}
whiptail_basic_suri() { whiptail_basic_suri() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -937,13 +951,25 @@ whiptail_metadata_tool() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
What tool would you like to use to generate metadata?
This question is asking specifically about metadata, which would be things like the connection log, DNS log, HTTP log, etc. This does not include NIDS alerts.
If you choose Zeek for metadata, Suricata will still run to generate NIDS alerts.
If you choose Suricata for metadata, it will generate NIDS alerts and metadata, and Zeek will not run at all.
EOM
# Legacy variable naming # Legacy variable naming
ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \ ZEEKVERSION=$(whiptail --title "Security Onion Setup" --menu "$message" 20 75 2 \
"ZEEK" "Zeek (formerly known as Bro)" ON \ "Zeek " "Use Zeek (Bro) for metadata and Suricata for NIDS alerts" \
"SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3) "Suricata " "Use Suricata for both metadata and NIDS alerts" 3>&1 1>&2 2>&3)
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
ZEEKVERSION=$(echo "${ZEEKVERSION^^}" | tr -d ' ')
} }
whiptail_nids() { whiptail_nids() {