CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2026-06-14 14:18:40 +02:00
Code Issues Packages Projects Releases Wiki Activity

Remove support for non-Oracle Linux 9 operating systems

Browse Source 
Security Onion now exclusively supports Oracle Linux 9. This removes
detection, setup, and update logic for Ubuntu, Debian, CentOS, Rocky,
AlmaLinux, and RHEL.
This commit is contained in:
Mike Reeves
2026-03-16 16:44:07 -04:00
parent 5b2def6fdd
commit d2cee468a0
6 changed files with 182 additions and 625 deletions
Download Patch File Download Diff File Expand all files Collapse all files
salt/common/tools/sbin/so-common
+1 -56
View File
@@ -349,7 +349,6 @@ get_random_value() {
} }
gpg_rpm_import() { gpg_rpm_import() {
if [[ $is_oracle ]]; then
if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then
local RPMKEYSLOC="../salt/repo/client/files/$OS/keys" local RPMKEYSLOC="../salt/repo/client/files/$OS/keys"
else else
@@ -360,10 +359,6 @@ gpg_rpm_import() {
rpm --import $RPMKEYSLOC/$RPMKEY rpm --import $RPMKEYSLOC/$RPMKEY
echo "Imported $RPMKEY" echo "Imported $RPMKEY"
done done
elif [[ $is_rpm ]]; then
echo "Importing the security onion GPG key"
rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
fi
} }
header() { header() {
@@ -615,69 +610,19 @@ salt_minion_count() {
} }
set_os() { set_os() {
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
if grep -q "Rocky Linux release 9" /etc/redhat-release; then
OS=rocky
OSVER=9
is_rocky=true
is_rpm=true
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos
OSVER=9
is_centos=true
is_rpm=true
elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
OS=alma
OSVER=9
is_alma=true
is_rpm=true
elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
if [ -f /etc/oracle-release ]; then
OS=oracle OS=oracle
OSVER=9 OSVER=9
is_oracle=true is_oracle=true
is_rpm=true is_rpm=true
else
OS=rhel
OSVER=9
is_rhel=true
is_rpm=true
fi
fi fi
cron_service_name="crond" cron_service_name="crond"
elif [ -f /etc/os-release ]; then
if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
OSVER=focal
UBVER=20.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
OSVER=jammy
UBVER=22.04
OS=ubuntu
is_ubuntu=true
is_deb=true
elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
OSVER=bookworm
DEBVER=12
is_debian=true
OS=debian
is_deb=true
fi
cron_service_name="cron"
fi
} }
set_minionid() { set_minionid() {
MINIONID=$(lookup_grain id) MINIONID=$(lookup_grain id)
} }
set_palette() {
if [[ $is_deb ]]; then
update-alternatives --set newt-palette /etc/newt/palette.original
fi
}
set_version() { set_version() {
CURRENTVERSION=0.0.0 CURRENTVERSION=0.0.0
salt/manager/tools/sbin/soup
+5 -41
View File
@@ -576,8 +576,6 @@ upgrade_check_salt() {
upgrade_salt() { upgrade_salt() {
echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION." echo "Performing upgrade of Salt from $INSTALLEDSALTVERSION to $NEWSALTVERSION."
echo "" echo ""
# If rhel family
if [[ $is_rpm ]]; then
# Check if salt-cloud is installed # Check if salt-cloud is installed
if rpm -q salt-cloud &>/dev/null; then if rpm -q salt-cloud &>/dev/null; then
SALT_CLOUD_INSTALLED=true SALT_CLOUD_INSTALLED=true
@@ -599,9 +597,7 @@ upgrade_salt() {
echo "Updating Salt packages." echo "Updating Salt packages."
echo "" echo ""
set +e set +e
# if oracle run with -r to ignore repos set by bootstrap # Run with -r to ignore repos set by bootstrap
if [[ $OS == 'oracle' ]]; then
# Add -L flag only if salt-cloud is already installed
if [[ $SALT_CLOUD_INSTALLED == true ]]; then if [[ $SALT_CLOUD_INSTALLED == true ]]; then
run_check_net_err \ run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -L -F -M stable \"$NEWSALTVERSION\"" \
@@ -611,12 +607,6 @@ upgrade_salt() {
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \ "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details." "Could not update salt, please check $SOUP_LOG for details."
fi fi
# if another rhel family variant we want to run without -r to allow the bootstrap script to manage repos
else
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
fi
set -e set -e
echo "Applying yum versionlock for Salt." echo "Applying yum versionlock for Salt."
echo "" echo ""
@@ -627,28 +617,6 @@ upgrade_salt() {
if [[ $SALT_CLOUD_INSTALLED == true ]]; then if [[ $SALT_CLOUD_INSTALLED == true ]]; then
yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*" yum versionlock add "salt-cloud-0:$NEWSALTVERSION-0.*"
fi fi
# Else do Ubuntu things
elif [[ $is_deb ]]; then
# ensure these files don't exist when upgrading from 3006.9 to 3006.16
rm -f /etc/apt/keyrings/salt-archive-keyring-2023.pgp /etc/apt/sources.list.d/salt.list
echo "Removing apt hold for Salt."
echo ""
apt-mark unhold "salt-common"
apt-mark unhold "salt-master"
apt-mark unhold "salt-minion"
echo "Updating Salt packages."
echo ""
set +e
run_check_net_err \
"sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M stable \"$NEWSALTVERSION\"" \
"Could not update salt, please check $SOUP_LOG for details."
set -e
echo "Applying apt hold for Salt."
echo ""
apt-mark hold "salt-common"
apt-mark hold "salt-master"
apt-mark hold "salt-minion"
fi
echo "Checking if Salt was upgraded." echo "Checking if Salt was upgraded."
echo "" echo ""
@@ -1084,6 +1052,10 @@ main() {
echo "" echo ""
set_os set_os
if [[ ! $is_oracle ]]; then
fail "This OS is not supported. Security Onion requires Oracle Linux 9."
fi
check_salt_master_status 1 || fail "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master." check_salt_master_status 1 || fail "Could not talk to salt master: Please run 'systemctl status salt-master' to ensure the salt-master service is running and check the log at /opt/so/log/salt/master."
echo "Checking to see if this is a manager." echo "Checking to see if this is a manager."
@@ -1193,14 +1165,6 @@ main() {
echo "Upgrading Salt" echo "Upgrading Salt"
# Update the repo files so it can actually upgrade # Update the repo files so it can actually upgrade
upgrade_salt upgrade_salt
# for Debian based distro, we need to stop salt again after upgrade output below is from bootstrap-salt
# * WARN: Not starting daemons on Debian based distributions
# is not working mostly because starting them is the default behaviour.
if [[ $is_deb ]]; then
stop_salt_minion
stop_salt_master
fi
fi fi
preupgrade_changes preupgrade_changes
setup/so-functions
+5 -197
View File
@@ -852,74 +852,14 @@ detect_cloud() {
detect_os() { detect_os() {
title "Detecting Base OS" title "Detecting Base OS"
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ] && grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release && [ -f /etc/oracle-release ]; then
if grep -q "Rocky Linux release 9" /etc/redhat-release; then
OS=rocky
OSVER=9
is_rocky=true
is_rpm=true
not_supported=true
unset is_supported
elif grep -q "CentOS Stream release 9" /etc/redhat-release; then
OS=centos
OSVER=9
is_centos=true
is_rpm=true
not_supported=true
unset is_supported
elif grep -q "AlmaLinux release 9" /etc/redhat-release; then
OS=alma
OSVER=9
is_alma=true
is_rpm=true
not_supported=true
unset is_supported
elif grep -q "Red Hat Enterprise Linux release 9" /etc/redhat-release; then
if [ -f /etc/oracle-release ]; then
OS=oracle OS=oracle
OSVER=9 OSVER=9
is_oracle=true is_oracle=true
is_rpm=true is_rpm=true
is_supported=true is_supported=true
else else
OS=rhel info "This OS is not supported. Security Onion requires Oracle Linux 9."
OSVER=9
is_rhel=true
is_rpm=true
not_supported=true
unset is_supported
fi
fi
elif [ -f /etc/os-release ]; then
if grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then
OSVER=focal
UBVER=20.04
OS=ubuntu
is_ubuntu=true
is_deb=true
not_supported=true
unset is_supported
elif grep -q "UBUNTU_CODENAME=jammy" /etc/os-release; then
OSVER=jammy
UBVER=22.04
OS=ubuntu
is_ubuntu=true
is_deb=true
not_supported=true
unset is_supported
elif grep -q "VERSION_CODENAME=bookworm" /etc/os-release; then
OSVER=bookworm
DEBVER=12
is_debian=true
OS=debian
is_deb=true
not_supported=true
unset is_supported
fi
installer_prereq_packages
else
info "We were unable to determine if you are using a supported OS."
fail_setup fail_setup
fi fi
@@ -932,23 +872,6 @@ download_elastic_agent_artifacts() {
fi fi
} }
installer_prereq_packages() {
if [[ $is_deb ]]; then
# Print message to stdout so the user knows setup is doing something
info "Running apt-get update"
retry 150 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
# Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then
info "Installing network-manager"
retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
logCmd "systemctl enable NetworkManager"
logCmd "systemctl start NetworkManager"
fi
if ! command -v curl > /dev/null 2>&1; then
retry 150 10 "apt-get -y install curl" >> "$setup_log" 2>&1 || fail_setup
fi
fi
}
disable_auto_start() { disable_auto_start() {
@@ -1460,7 +1383,7 @@ network_init() {
title "Initializing Network" title "Initializing Network"
disable_ipv6 disable_ipv6
set_hostname set_hostname
if [[ ( $is_iso || $is_desktop_iso || $is_debian ) ]]; then if [[ ( $is_iso || $is_desktop_iso ) ]]; then
set_management_interface set_management_interface
fi fi
} }
@@ -1694,11 +1617,6 @@ reinstall_init() {
# Uninstall local Elastic Agent, if installed # Uninstall local Elastic Agent, if installed
elastic-agent uninstall -f elastic-agent uninstall -f
if [[ $is_deb ]]; then
echo "Unholding previously held packages."
apt-mark unhold $(apt-mark showhold)
fi
} >> "$setup_log" 2>&1 } >> "$setup_log" 2>&1
info "System reinstall init has been completed." info "System reinstall init has been completed."
@@ -1715,11 +1633,7 @@ reset_proxy() {
[[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig [[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig
if [[ $is_rpm ]]; then
sed -i "/proxy=/d" /etc/dnf/dnf.conf sed -i "/proxy=/d" /etc/dnf/dnf.conf
else
[[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf
fi
} }
restore_file() { restore_file() {
@@ -1765,15 +1679,9 @@ drop_install_options() {
remove_package() { remove_package() {
local package_name=$1 local package_name=$1
if [[ $is_rpm ]]; then
if rpm -qa | grep -q "$package_name"; then if rpm -qa | grep -q "$package_name"; then
logCmd "dnf remove -y $package_name" logCmd "dnf remove -y $package_name"
fi fi
else
if dpkg -l | grep -q "$package_name"; then
retry 150 10 "apt purge -y \"$package_name\""
fi
fi
} }
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
@@ -1786,7 +1694,6 @@ remove_package() {
securityonion_repo() { securityonion_repo() {
# Remove all the current repos # Remove all the current repos
if [[ $is_oracle ]]; then
logCmd "dnf -v clean all" logCmd "dnf -v clean all"
logCmd "mkdir -vp /root/oldrepos" logCmd "mkdir -vp /root/oldrepos"
if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then if [ -n "$(ls -A /etc/yum.repos.d/ 2>/dev/null)" ]; then
@@ -1834,23 +1741,18 @@ securityonion_repo() {
echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
fi fi
fi logCmd "dnf repolist all"
if [[ $is_rpm ]]; then logCmd "dnf repolist all"; fi
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
if [[ $is_rpm ]]; then
# Build the repo locally so we can use it # Build the repo locally so we can use it
echo "Syncing Repos" echo "Syncing Repos"
repo_sync_local repo_sync_local
fi fi
fi
} }
repo_sync_local() { repo_sync_local() {
SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+") SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
info "Repo Sync" info "Repo Sync"
if [[ $is_supported ]]; then # Sync the repo from the SO repo locally.
# Sync the repo from the the SO repo locally.
# Check for reposync
info "Adding Repo Download Configuration" info "Adding Repo Download Configuration"
mkdir -p /nsm/repo mkdir -p /nsm/repo
mkdir -p /opt/so/conf/reposync/cache mkdir -p /opt/so/conf/reposync/cache
@@ -1878,81 +1780,13 @@ repo_sync_local() {
# After the download is complete run createrepo # After the download is complete run createrepo
create_repo create_repo
fi fi
else
# Add the proper repos for unsupported stuff
echo "Adding Repos"
if [[ $is_rpm ]]; then
if [[ $is_rhel ]]; then
logCmd "subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms"
info "Install epel for rhel"
logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm"
logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
else
logCmd "dnf config-manager --set-enabled crb"
logCmd "dnf -y install epel-release"
fi
dnf install -y yum-utils device-mapper-persistent-data lvm2
curl -fsSL https://repo.securityonion.net/file/so-repo/prod/3/so/so.repo | tee /etc/yum.repos.d/so.repo
rpm --import https://packages.broadcom.com/artifactory/api/security/keypair/SaltProjectKey/public
dnf config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
curl -fsSL "https://github.com/saltstack/salt-install-guide/releases/latest/download/salt.repo" | tee /etc/yum.repos.d/salt.repo
dnf repolist
curl --retry 5 --retry-delay 60 -A "netinstall/$SOVERSION/$OS/$(uname -r)/1" https://sigs.securityonion.net/checkup --output /tmp/install
else
echo "Not sure how you got here."
exit 1
fi
fi
} }
saltify() { saltify() {
SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+") SALTVERSION=$(grep "version:" ../salt/salt/master.defaults.yaml | grep -o "[0-9]\+\.[0-9]\+")
info "Installing Salt $SALTVERSION" info "Installing Salt $SALTVERSION"
chmod u+x ../salt/salt/scripts/bootstrap-salt.sh chmod u+x ../salt/salt/scripts/bootstrap-salt.sh
if [[ $is_deb ]]; then
DEBIAN_FRONTEND=noninteractive retry 30 10 "apt-get -y -o Dpkg::Options::=\"--force-confdef\" -o Dpkg::Options::=\"--force-confold\" upgrade" >> "$setup_log" 2>&1 || fail_setup
if [ $OSVER == "focal" ]; then update-alternatives --install /usr/bin/python python /usr/bin/python3.10 10; fi
local pkg_arr=(
'apache2-utils'
'ca-certificates'
'curl'
'software-properties-common'
'apt-transport-https'
'openssl'
'netcat-openbsd'
'jq'
'gnupg'
)
retry 30 10 "apt-get -y install ${pkg_arr[*]}" || fail_setup
logCmd "mkdir -vp /etc/apt/keyrings"
logCmd "wget -q --inet4-only -O /etc/apt/keyrings/docker.pub https://download.docker.com/linux/ubuntu/gpg"
if [[ $is_ubuntu ]]; then
# Add Docker Repo
add-apt-repository -y "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
else
# Add Docker Repo
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $OSVER stable" > /etc/apt/sources.list.d/docker.list
fi
logCmd "apt-key add /etc/apt/keyrings/docker.pub"
retry 30 10 "apt-get update" "" "Err:" || fail_setup
if [[ $waitforstate ]]; then
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -M -X stable $SALTVERSION" || fail_setup
retry 30 10 "apt-mark hold salt-minion salt-common salt-master" || fail_setup
retry 30 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-packaging python3-influxdb python3-lxml" || exit 1
else
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -X stable $SALTVERSION" || fail_setup
retry 30 10 "apt-mark hold salt-minion salt-common" || fail_setup
fi
fi
if [[ $is_rpm ]]; then
if [[ $waitforstate ]]; then if [[ $waitforstate ]]; then
# install all for a manager # install all for a manager
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -M -X stable $SALTVERSION" || fail_setup
@@ -1960,7 +1794,6 @@ saltify() {
# just a minion # just a minion
retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup retry 30 10 "bash ../salt/salt/scripts/bootstrap-salt.sh -r -X stable $SALTVERSION" || fail_setup
fi fi
fi
salt_install_module_deps salt_install_module_deps
salt_patch_x509_v2 salt_patch_x509_v2
@@ -2105,14 +1938,7 @@ set_proxy() {
"}" > /root/.docker/config.json "}" > /root/.docker/config.json
# Set proxy for package manager # Set proxy for package manager
if [[ $is_rpm ]]; then
echo "proxy=$so_proxy" >> /etc/yum.conf echo "proxy=$so_proxy" >> /etc/yum.conf
else
# Set it up so the updates roll through the manager
printf '%s\n'\
"Acquire::http::Proxy \"$so_proxy\";"\
"Acquire::https::Proxy \"$so_proxy\";" > /etc/apt/apt.conf.d/00-proxy.conf
fi
# Set global git proxy # Set global git proxy
printf '%s\n'\ printf '%s\n'\
@@ -2302,7 +2128,6 @@ update_sudoers_for_testing() {
} }
update_packages() { update_packages() {
if [[ $is_oracle ]]; then
logCmd "dnf repolist" logCmd "dnf repolist"
logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*" logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo") RMREPOFILES=("oracle-linux-ol9.repo" "uek-ol9.repo" "virt-ol9.repo")
@@ -2310,15 +2135,6 @@ update_packages() {
for FILE in ${RMREPOFILES[@]}; do for FILE in ${RMREPOFILES[@]}; do
logCmd "rm -f /etc/yum.repos.d/$FILE" logCmd "rm -f /etc/yum.repos.d/$FILE"
done done
elif [[ $is_deb ]]; then
info "Running apt-get update"
retry 150 10 "apt-get -y update" "" "Err:" >> "$setup_log" 2>&1 || fail_setup
info "Running apt-get upgrade"
retry 150 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || fail_setup
else
info "Updating packages"
logCmd "dnf -y update --allowerasing --exclude=salt*,docker*,containerd*"
fi
} }
# This is used for development to speed up network install tests. # This is used for development to speed up network install tests.
@@ -2328,15 +2144,7 @@ use_turbo_proxy() {
return return
fi fi
if [[ $OS == 'centos' ]]; then
printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf printf '%s\n' "proxy=${TURBO}:3142" >> /etc/yum.conf
else
printf '%s\n'\
"Acquire {"\
" HTTP::proxy \"${TURBO}:3142\";"\
" HTTPS::proxy \"${TURBO}:3142\";"\
"}" > /etc/apt/apt.conf.d/proxy.conf
fi
} }
wait_for_file() { wait_for_file() {
setup/so-preflight
-35
View File
@@ -34,7 +34,6 @@ check_default_repos() {
printf '%s' "$repo_str" | tee -a "$preflight_log" printf '%s' "$repo_str" | tee -a "$preflight_log"
fi fi
if [[ $OS == 'centos' ]]; then
if [[ $script_run == true ]]; then if [[ $script_run == true ]]; then
printf '%s' 'yum update.' printf '%s' 'yum update.'
else else
@@ -49,18 +48,6 @@ check_default_repos() {
else else
printf '%s\n' ' FAILURE' printf '%s\n' ' FAILURE'
fi fi
else
if [[ $script_run == true ]]; then
printf '%s' 'apt update.'
else
printf '%s' 'apt update.' | tee -a "$preflight_log"
fi
echo "" >> "$preflight_log"
retry 150 10 "apt-get -y update" >> $preflight_log 2>&1
ret_code=$?
[[ $ret_code == 0 ]] && printf '%s\n' ' SUCCESS' || printf '%s\n' ' FAILURE'
fi
return $ret_code return $ret_code
} }
@@ -73,21 +60,11 @@ check_new_repos() {
printf '%s' "$repo_url_str" | tee -a "$preflight_log" printf '%s' "$repo_url_str" | tee -a "$preflight_log"
fi fi
if [[ $OS == 'centos' ]]; then
local repo_arr=( local repo_arr=(
"https://download.docker.com/linux/centos/docker-ce.repo" "https://download.docker.com/linux/centos/docker-ce.repo"
"https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub" "https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub"
"https://download.docker.com/linux/ubuntu/gpg" "https://download.docker.com/linux/ubuntu/gpg"
) )
else
local ubuntu_version
ubuntu_version=$(grep VERSION_ID /etc/os-release 2> /dev/null | awk -F '[ "]' '{print $2}')
local repo_arr=(
"https://download.docker.com/linux/ubuntu/gpg"
"https://download.docker.com/linux/ubuntu"
"https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub"
)
fi
__check_url_arr "${repo_arr[@]}" __check_url_arr "${repo_arr[@]}"
local ret_code=$? local ret_code=$?
@@ -155,17 +132,6 @@ __check_url_arr() {
return $ret_code return $ret_code
} }
preflight_prereqs() {
local ret_code=0
if [[ $OS == 'centos' ]]; then
: # no-op to match structure of other checks for $OS var
else
retry 150 10 "apt-get -y install curl" >> "$preflight_log" 2>&1 || ret_code=1
fi
return $ret_code
}
main() { main() {
local intro_str="Beginning pre-flight checks." local intro_str="Beginning pre-flight checks."
@@ -183,7 +149,6 @@ main() {
fi fi
check_default_repos &&\ check_default_repos &&\
preflight_prereqs &&\
check_new_repos &&\ check_new_repos &&\
check_misc_urls check_misc_urls
setup/so-setup
+1 -31
View File
@@ -66,36 +66,6 @@ set_timezone
# Let's see what OS we are dealing with here # Let's see what OS we are dealing with here
detect_os detect_os
# Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
set_palette >> $setup_log 2>&1
if [[ $not_supported ]] && [ -z "$test_profile" ]; then
if [[ "$OSVER" == "focal" ]]; then
if (whiptail_focal_warning); then
true
else
info "User cancelled setup."
whiptail_cancel
fi
else
if (whiptail_unsupported_os_warning); then
true
else
info "User cancelled setup."
whiptail_cancel
fi
fi
fi
# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
# if packages are updated and the box isn't rebooted
if [[ $is_debian ]]; then
update_packages
if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
whiptail_debian_reboot_required
reboot
fi
fi
# Check to see if this is the setup type of "desktop". # Check to see if this is the setup type of "desktop".
is_desktop= is_desktop=
@@ -108,7 +78,7 @@ if [ "$setup_type" = 'desktop' ]; then
fi fi
fi fi
# Make sure if ISO is specified that we are dealing with CentOS or Rocky # Make sure if ISO is specified that we are dealing with an RPM-based install
title "Detecting if this is an ISO install" title "Detecting if this is an ISO install"
if [[ "$setup_type" == 'iso' ]]; then if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_rpm ]]; then if [[ $is_rpm ]]; then
setup/so-whiptail
+2 -97
View File
@@ -27,23 +27,6 @@ whiptail_airgap() {
fi fi
} }
whiptail_debian_reboot_required() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Packages were upgraded and a reboot is required prior to Security Onion installation.
Once the reboot has completed, rerun Security Onion setup.
Press TAB and then the ENTER key to reboot the system.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
}
whiptail_desktop_install() { whiptail_desktop_install() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
@@ -496,27 +479,6 @@ __append_end_msg() {
EOM EOM
} }
whiptail_focal_warning() {
[ -n "$TESTING" ] && return
read -r -d '' focal_warning_continue <<- EOM
WARNING: Ubuntu 20.04 is only supported as a minion role.
This node may not install or operate as expected if installed
as a manager, managersearch, standalone, eval, or import.
Would you like to continue the install?
EOM
whiptail --title "$whiptail_title" \
--yesno "$focal_warning_continue" 14 75 --defaultno
local exitstatus=$?
return $exitstatus
}
whiptail_gauge_post_setup() { whiptail_gauge_post_setup() {
@@ -586,7 +548,6 @@ whiptail_install_type() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
# What kind of install are we doing? # What kind of install are we doing?
if [[ "$OSVER" != "focal" ]]; then
install_type=$(whiptail --title "$whiptail_title" --menu \ install_type=$(whiptail --title "$whiptail_title" --menu \
"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \ "What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
"IMPORT" "Import PCAP or log files " \ "IMPORT" "Import PCAP or log files " \
@@ -596,13 +557,6 @@ whiptail_install_type() {
"DESKTOP" "Security Onion Desktop" \ "DESKTOP" "Security Onion Desktop" \
3>&1 1>&2 2>&3 3>&1 1>&2 2>&3
) )
elif [[ "$OSVER" == "focal" ]]; then
install_type=$(whiptail --title "$whiptail_title" --menu \
"What kind of installation would you like to do?\n\nFor more information, please see:\n$DOC_BASE_URL/architecture" 18 65 5 \
"DISTRIBUTED" "Distributed install submenu " \
3>&1 1>&2 2>&3
)
fi
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -623,18 +577,11 @@ whiptail_install_type_dist() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
if [[ "$OSVER" != "focal" ]]; then
dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \ dist_option=$(whiptail --title "$whiptail_title" --menu "Do you want to start a new deployment or join this box to \nan existing deployment?" 11 75 2 \
"New Deployment " "Create a new Security Onion deployment" \ "New Deployment " "Create a new Security Onion deployment" \
"Existing Deployment " "Join to an existing Security Onion deployment " \ "Existing Deployment " "Join to an existing Security Onion deployment " \
3>&1 1>&2 2>&3 3>&1 1>&2 2>&3
) )
elif [[ "$OSVER" == "focal" ]]; then
dist_option=$(whiptail --title "$whiptail_title" --menu "Since this is Ubuntu, this box can only be connected to \nan existing deployment." 11 75 2 \
"Existing Deployment " "Join to an existing Security Onion deployment " \
3>&1 1>&2 2>&3
)
fi
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
@@ -916,7 +863,7 @@ whiptail_net_method() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
local pkg_mngr local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi pkg_mngr="yum"
read -r -d '' options_msg <<- EOM read -r -d '' options_msg <<- EOM
"Direct" - Internet requests connect directly to the Internet. "Direct" - Internet requests connect directly to the Internet.
@@ -1151,7 +1098,7 @@ whiptail_proxy_ask() {
[ -n "$TESTING" ] && return [ -n "$TESTING" ] && return
local pkg_mngr local pkg_mngr
if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi pkg_mngr="yum"
whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno whiptail --title "$whiptail_title" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno
} }
@@ -1434,48 +1381,6 @@ whiptail_storage_requirements() {
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_ubuntu_notsupported() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Ubuntu is not supported for this node type.
Please use a supported OS or install via ISO.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 14 75
}
whiptail_ubuntu_warning() {
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Ubuntu support for this node type is limited.
Please consider using a fully supported OS or install via ISO.
EOM
whiptail --title "$whiptail_title" --msgbox "$message" 14 75
}
whiptail_unsupported_os_warning() {
[ -n "$TESTING" ] && return
read -r -d '' unsupported_os_continue <<- EOM
WARNING: An unsupported operating system has been detected.
Security Onion may not install or operate as expected.
Would you like to continue the install?
EOM
whiptail --title "$whiptail_title" \
--yesno "$unsupported_os_continue" 14 75 --defaultno
local exitstatus=$?
return $exitstatus
}
whiptail_uppercase_warning() { whiptail_uppercase_warning() {