From 50fa0dc81ae9e948d67ad09979fadd0b0372806b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 22 Mar 2021 11:32:37 -0400 Subject: [PATCH 01/29] Allow user to enter a description during setup Resolves #2404 --- setup/so-setup | 10 ++++++++-- setup/so-whiptail | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..f20828b85 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -291,8 +291,13 @@ if ! [[ -f $install_opt_file ]]; then [[ -f $net_init_file ]] && whiptail_net_reinit && reinit_networking=true - if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then collect_hostname + fi + + whiptail_node_description + + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then network_init_whiptail else source "$net_init_file" @@ -334,7 +339,8 @@ if ! [[ -f $install_opt_file ]]; then "MNIC=$MNIC" \ "HOSTNAME=$HOSTNAME" \ "MSRV=$MSRV" \ - "MSRVIP=$MSRVIP" > "$install_opt_file" + "MSRVIP=$MSRVIP" \ + "NODE_DESCRIPTION=$NODE_DESCRIPTION" > "$install_opt_file" [[ -n $so_proxy ]] && echo "so_proxy=$so_proxy" >> "$install_opt_file" download_repo_tarball exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" diff --git a/setup/so-whiptail b/setup/so-whiptail index a0425b5af..bc002085c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1044,6 +1044,16 @@ whiptail_node_advanced() { } +whiptail_node_description() { + [ -n "$TESTING" ] && return + + NODE_DESCRIPTION=$(whiptail --title "Security Onion Setup" \ + --inputbox "Enter a short description for the node or press ENTER to leave blank:" 10 75 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_node_es_heap() { [ -n "$TESTING" ] && return From 449e0d853ce36c2fb31fd3e35a8bc5cee0306f01 Mon Sep 17 00:00:00 2001 
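Review bot: In the second so-setup hunk, `"NODE_DESCRIPTION=$NODE_DESCRIPTION"` writes free text from the new inputbox into `$install_opt_file` without any quoting or validation. A description containing a space, a quote or `$(` no longer yields a plain assignment line. If that file is later read back with `source`, as `$net_init_file` is in the first hunk, the rest of the line would be interpreted by the setup script (inferred, since the read-back is not in these hunks). Either shell-quote the value when writing it, `"NODE_DESCRIPTION=$(printf '%q' "$NODE_DESCRIPTION")"`, or have `whiptail_node_description` in setup/so-whiptail accept only a restricted character set and re-prompt otherwise.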
From: William Wernert Date: Mon, 22 Mar 2021 15:52:51 -0400 Subject: [PATCH 02/29] Initial support for ntp service via chronyd --- setup/so-functions | 57 ++++++++++++++++++++++++++++++++++++++++++++-- setup/so-setup | 5 ++++ setup/so-variables | 3 +++ setup/so-whiptail | 18 +++++++++++++++ 4 files changed, 81 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 29a58e718..d5e8c0a6e 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -486,6 +486,17 @@ collect_node_ls_pipeline_worker_count() { done } +collect_ntp_servers() { + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_servers="" + whiptail_ntp_servers "$ntp_servers" + else + ntp_servers="" + fi + fi +} + collect_oinkcode() { whiptail_oinkcode @@ -702,6 +713,38 @@ configure_minion() { } >> "$setup_log" 2>&1 } +configure_ntp() { + local chrony_conf=/etc/chrony.conf + + # Install chrony if it isn't already installed + if command -v chronyc &> /dev/null; then + if [ "$OS" == centos ]; then + yum -y install chrony + else + retry 50 10 "apt-get -y install chrony" || exit 1 + fi + fi + + [[ -f $chrony_conf ]] && rm -f $chrony_conf + + # Build list of servers + for addr in "${ntp_servers[@]}"; do + echo "server $addr iburst" >> $chrony_conf + done + + printf '%s\n' \ + 'driftfile /var/lib/chrony/drift' \ + 'makestep 1.0 3' \ + 'rtcsync' \ + 'logdir /var/log/chrony' >> $chrony_conf + + systemctl enable chronyd + systemctl start chronyd + + # Sync time + chronyc -a makestep +} + checkin_at_boot() { local minion_config=/etc/salt/minion @@ -709,6 +752,12 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } +check_ntp_configured() { + if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then + ntp_configured=true + fi +} + check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional 
@@ -1564,12 +1613,16 @@ manager_global() { "global:"\ " soversion: '$SOVERSION'"\ " hnmanager: '$HNMANAGER'"\ - " ntpserver: '$NTPSERVER'"\ " dockernet: '$DOCKERNET'"\ " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" > "$global_pillar" + " managerip: '$MAINIP'" + " ntp_servers:" > "$global_pillar" + + for addr in "${ntp_servers[@]}"; do + echo " - '$addr'" >> "$global_pillar" + done if [[ $is_airgap ]]; then printf '%s\n'\ diff --git a/setup/so-setup b/setup/so-setup index 82e414ca4..2082653c5 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,6 +534,9 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi +check_ntp_configured +[[ -z $ntp_configured ]] || collect_ntp_servers + if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced if [ "$NODESETUP" == 'NODEADVANCED' ]; then @@ -581,6 +584,8 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' + [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + reserve_ports set_path diff --git a/setup/so-variables b/setup/so-variables index a2fdf03c6..0a07fc79d 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -72,3 +72,6 @@ export install_opt_file net_init_file=/root/net_init export net_init_file + +ntp_servers="0.pool.ntp.org,1.pool.ntp.org" +export ntp_servers diff --git a/setup/so-whiptail b/setup/so-whiptail index a0425b5af..1ccdf6a90 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -1105,6 +1105,24 @@ whiptail_node_ls_pipeline_worker() { } +whiptail_ntp_ask() { + [ -n "$TESTING" ] && return + + whiptail --title "Security Onion Setup" --yesno "Would you like to configure ntp servers?" 7 44 +} + +whiptail_ntp_servers() { + [ -n "$TESTING" ] && return + + ntp_string=$(whiptail --title "Security Onion Setup" \ + --inputbox "Input the NTP server(s) you would like to use, separated by commas:" 8 75 "$1" 3>&1 1>&2 2>&3) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array +} + whiptail_oinkcode() { [ -n "$TESTING" ] && return From b3f558a1f8481a9144c2d96a50cb3ad8b0c147c9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:14:34 -0400 Subject: [PATCH 03/29] [fix] Also check if proxy is set before asking for ntp servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d5e8c0a6e..fd998da14 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -487,7 +487,7 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' ]]; then + if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then [[ $is_airgap ]] && ntp_servers="" whiptail_ntp_servers "$ntp_servers" From ace30c07ea5bb75489add30067bb802244764eca Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:22:09 -0400 Subject: [PATCH 04/29] [fix] Also sync time before updating system clock --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index fd998da14..a7a596abe 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -741,7 +741,8 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time + # Sync time & update the system time + chronyc -a 'burst 4/4' chronyc -a makestep } From 184c763b02d36e78024417cc31edfbe1b181d05f Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:36:08 -0400 Subject: [PATCH 05/29] [fix] Export correct variable to check later in setup --- setup/so-functions | 2 +- setup/so-whiptail | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index a7a596abe..a346128e1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -592,7 +592,7 @@ collect_proxy_details() { else so_proxy="$proxy_addr" fi - export proxy + export so_proxy fi } diff --git a/setup/so-whiptail b/setup/so-whiptail index 1ccdf6a90..2743ab65b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1289,11 +1289,7 @@ whiptail_proxy_auth_pass() { [ -n "$TESTING" ] && return - if [[ $arg != 'confirm' ]]; then - proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) - else - proxy_pass_confirm=$(whiptail --title "Security Onion Setup" --passwordbox "Please confirm the proxy password:" 8 60 3>&1 1>&2 2>&3) - fi + proxy_pass=$(whiptail --title "Security Onion Setup" --passwordbox "Please input the proxy password:" 8 60 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus From 0e9c81c145b1229bf82fc4976b55630b4a77e0aa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 09:44:44 -0400 Subject: [PATCH 06/29] Fix logic around ntp prompt --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 2082653c5..6ed3fa344 100755 --- a/setup/so-setup +++ b/setup/so-setup 
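Review bot: `export so_proxy` in collect_proxy_details puts the proxy URL into the environment of every child process, and the branch above the hunk presumably builds it with the proxy username and password (only the `else` arm, which assigns the bare `$proxy_addr`, is visible). I would document that on the export with `# so_proxy may carry credentials: do not echo it to $setup_log or pass it as a command-line argument`. It is also worth confirming that `set_proxy >> $setup_log 2>&1` and the `echo "so_proxy=$so_proxy" >> "$install_opt_file"` write in so-setup leave nothing readable by other users. The function body starts outside the hunk, so the credential-bearing branch could not be checked here.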
@@ -535,7 +535,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi check_ntp_configured -[[ -z $ntp_configured ]] || collect_ntp_servers +[[ -z $ntp_configured ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced From 2d873b92fa3c19b43b5850220d65270536901a13 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 10:22:41 -0400 Subject: [PATCH 07/29] Fix ntp logic elsewhere --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 6ed3fa344..07eb49500 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] || [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From 9f0afd90f1852d28ad42d126f3cee187d3ef2115 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:27:37 -0400 Subject: [PATCH 08/29] [fix] Add missing backslash --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index a346128e1..dbc92aabc 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1618,7 +1618,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'" + " managerip: '$MAINIP'"\ " ntp_servers:" > "$global_pillar" for addr in "${ntp_servers[@]}"; do From 3287a777a2203a775265c25ca85d9b34ab1acaf7 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 23 Mar 2021 11:41:12 -0400 Subject: [PATCH 09/29] [fix] Pre-fill hostname re-enter on default --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index dbc92aabc..ffaa079c1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -400,7 +400,7 @@ collect_hostname() { if [[ $HOSTNAME == 'securityonion' ]]; then # Will only check HOSTNAME=securityonion once if ! (whiptail_avoid_default_hostname); then - whiptail_set_hostname + whiptail_set_hostname "$HOSTNAME" fi fi From 08f46a779ac6b1ae2f5754b078a7238f4eb3b9aa Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 23 Mar 2021 21:16:17 -0400 Subject: [PATCH 10/29] Remove freqserver, minio, and domainstats from image list --- salt/common/tools/sbin/so-image-common | 3 --- 1 file changed, 3 deletions(-) diff --git a/salt/common/tools/sbin/so-image-common b/salt/common/tools/sbin/so-image-common index 402ae97f3..be5a327f0 100755 --- a/salt/common/tools/sbin/so-image-common +++ b/salt/common/tools/sbin/so-image-common @@ -47,20 +47,17 @@ container_list() { TRUSTED_CONTAINERS=( "so-acng" "so-curator" - "so-domainstats" "so-elastalert" "so-elasticsearch" "so-filebeat" "so-fleet" "so-fleet-launcher" - "so-freqserver" "so-grafana" "so-idstools" "so-influxdb" "so-kibana" "so-kratos" "so-logstash" - "so-minio" "so-mysql" "so-nginx" "so-pcaptools" From 150e724a4a52f0e58a224f3d1f82311964118abb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 13:37:54 -0400 Subject: [PATCH 11/29] Fix chrony install logic + add sleep for chrony to finish sync --- setup/so-functions | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index ffaa079c1..c2ddb2125 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -717,7 +717,7 @@ configure_ntp() { local chrony_conf=/etc/chrony.conf # Install chrony if it isn't already installed - if command -v chronyc &> /dev/null; then + if ! command -v chronyc &> /dev/null; then if [ "$OS" == centos ]; then yum -y install chrony else @@ -743,6 +743,7 @@ configure_ntp() { # Sync time & update the system time chronyc -a 'burst 4/4' + sleep 20 # Wait for chrony to sync chronyc -a makestep } 
From eb674b3b938b3769ab5ae0886b80d7a6a462c29d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Thu, 25 Mar 2021 14:45:33 -0400 Subject: [PATCH 12/29] Validate list of ntp servers (ip4, hostname, or fqdn) --- salt/common/tools/sbin/so-common | 14 ++++++++++++++ setup/so-functions | 13 ++++++++++--- setup/so-setup | 2 +- setup/so-variables | 4 ++-- setup/so-whiptail | 2 -- 5 files changed, 27 insertions(+), 8 deletions(-) diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common index 676b908ce..340525272 100755 --- a/salt/common/tools/sbin/so-common +++ b/salt/common/tools/sbin/so-common @@ -419,6 +419,20 @@ valid_proxy() { [[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1 } +valid_ntp_list() { + local string=$1 + local ntp_arr + IFS="," read -r -a ntp_arr <<< "$string" + + for ntp in "${ntp_arr[@]}"; do + if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then + return 1 + fi + done + + return 0 +} + valid_string() { local str=$1 local min_length=${2:-1} diff --git a/setup/so-functions b/setup/so-functions index c2ddb2125..6dd10096b 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,10 +489,17 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers="" - whiptail_ntp_servers "$ntp_servers" + [[ $is_airgap ]] && ntp_servers=() + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input + whiptail_ntp_servers "$ntp_string" + done + + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array else - ntp_servers="" + ntp_servers=() fi fi } diff --git a/setup/so-setup b/setup/so-setup index 07eb49500..d9e64105a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
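Review bot: `valid_ntp_list` leaves its loop variable `ntp` global and splits on commas without trimming, so an entry typed as `a.example, b.example` (constructed) is checked as ` b.example` with a leading space. Add `local ntp` beside `local ntp_arr`. In collect_ntp_servers, normalise before the `while ! valid_ntp_list` loop with `ntp_string=${ntp_string//[[:space:]]/}`, so that the string validated and the string later split into `ntp_servers` are the same. The accepted entries are written verbatim into `/etc/chrony.conf` and into a YAML pillar, so a header comment should say that the only guarantee is what `valid_ip4`, `valid_hostname` and `valid_fqdn` enforce; those are defined outside the hunk.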
@@ -584,7 +584,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ -n $ntp_servers ]] && configure_ntp >> $setup_log 2>&1 + [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports diff --git a/setup/so-variables b/setup/so-variables index 0a07fc79d..676cba4f0 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -73,5 +73,5 @@ export install_opt_file net_init_file=/root/net_init export net_init_file -ntp_servers="0.pool.ntp.org,1.pool.ntp.org" -export ntp_servers +ntp_string="0.pool.ntp.org,1.pool.ntp.org" +export ntp_string diff --git a/setup/so-whiptail b/setup/so-whiptail index 2743ab65b..00397a6fa 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1119,8 +1119,6 @@ whiptail_ntp_servers() { local exitstatus=$? whiptail_check_exitstatus $exitstatus - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array } whiptail_oinkcode() { From 2ff790699fc9960c85d1566a3558f9ca5840e87c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 29 Mar 2021 09:36:24 -0400 Subject: [PATCH 13/29] [fix] Set ntp_string to empty, not ntp_servers --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6dd10096b..533a77a92 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -489,7 +489,7 @@ collect_node_ls_pipeline_worker_count() { collect_ntp_servers() { if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_servers=() + [[ $is_airgap ]] && ntp_string="" whiptail_ntp_servers "$ntp_string" while ! valid_ntp_list "$ntp_string"; do From 0e9ffe033d86ce9ab78df1d6c1d157692ef6e40c Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Tue, 30 Mar 2021 09:30:06 -0400 Subject: [PATCH 14/29] Show message about setting up network earlier during setup --- setup/so-setup | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index d9e64105a..982195703 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -298,6 +298,10 @@ if ! [[ -f $install_opt_file ]]; then source "$net_init_file" fi + if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then + whiptail_management_interface_setup + fi + if [[ $reinit_networking ]] || ! [[ -f $net_init_file ]]; then network_init fi @@ -315,10 +319,6 @@ if ! [[ -f $install_opt_file ]]; then [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi - if [[ $is_minion ]] || [[ $reinit_networking ]] || [[ $is_iso ]] && ! [[ -f $net_init_file ]]; then - whiptail_management_interface_setup - fi - if [[ $is_minion ]]; then add_mngr_ip_to_hosts fi From 25eca39428a585557183535c3424b0cda00d9479 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 09:54:21 -0400 Subject: [PATCH 15/29] Always ask for ntp setup on iso installs, don't ask on network installs --- setup/so-functions | 48 ++++++++++++++++++---------------------------- setup/so-setup | 5 ++--- 2 files changed, 21 insertions(+), 32 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 533a77a92..5c69b817a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -487,20 +487,18 @@ collect_node_ls_pipeline_worker_count() { } collect_ntp_servers() { - if [[ $is_airgap || "$NSMSETUP" = 'ADVANCED' || "$MANAGERADV" = 'ADVANCED' || -n $so_proxy ]]; then - if whiptail_ntp_ask; then - [[ $is_airgap ]] && ntp_string="" + if whiptail_ntp_ask; then + [[ $is_airgap ]] && ntp_string="" + whiptail_ntp_servers "$ntp_string" + + while ! valid_ntp_list "$ntp_string"; do + whiptail_invalid_input whiptail_ntp_servers "$ntp_string" + done - while ! valid_ntp_list "$ntp_string"; do - whiptail_invalid_input - whiptail_ntp_servers "$ntp_string" - done - - IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array - else - ntp_servers=() - fi + IFS="," read -r -a ntp_servers <<< "$ntp_string" # Split string on commas into array + else + ntp_servers=() fi } @@ -725,21 +723,19 @@ configure_ntp() { # Install chrony if it isn't already installed if ! command -v chronyc &> /dev/null; then - if [ "$OS" == centos ]; then - yum -y install chrony - else - retry 50 10 "apt-get -y install chrony" || exit 1 - fi + yum -y install chrony fi - [[ -f $chrony_conf ]] && rm -f $chrony_conf + [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" + + echo "# Config created by Security Onion" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n' \ + printf '%s\n\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ @@ -748,10 +744,10 @@ configure_ntp() { systemctl enable chronyd systemctl start chronyd - # Sync time & update the system time - chronyc -a 'burst 4/4' - sleep 20 # Wait for chrony to sync - chronyc -a makestep + # Tell the chrony daemon to sync time & update the system time + # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + chronyc -a 'burst 4/4' && sleep 30 + chronyc -a makestep && sleep 30 } checkin_at_boot() { 
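Review bot: In the configure_ntp hunk, `yum -y install chrony` is unchecked, whereas the removed apt branch ended in `|| exit 1`; if the install fails the function still rewrites `/etc/chrony.conf` and calls systemctl for a unit that may not exist. I would write `yum -y install chrony || return 1` and have so-setup act on the status. Separately, `mv $chrony_conf "$chrony_conf.bak"` replaces the backup on every run, so a second setup pass loses the distribution's original file; `[[ -f $chrony_conf && ! -f $chrony_conf.bak ]] && mv $chrony_conf "$chrony_conf.bak"` keeps the first copy. The function begins above the hunk.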
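Review bot: The two fixed `sleep 30` calls after `chronyc -a 'burst 4/4'` and `chronyc -a makestep` do not tell setup whether the clock was actually synchronised; with no reachable server the install simply continues and only the log shows it. `chronyc waitsync` blocks until chronyd reports synchronisation or a try limit is reached and gives an exit status to test, so `chronyc -a 'burst 4/4' && chronyc waitsync <max-tries>` could replace the first sleep. Event timestamps on this platform depend on the result, so a failed sync deserves at least a visible warning to the operator.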
@@ -761,12 +757,6 @@ checkin_at_boot() { echo "startup_states: highstate" >> "$minion_config" } -check_ntp_configured() { - if systemctl is-active --quiet chronyd || systemctl is-active --quiet ntpd; then - ntp_configured=true - fi -} - check_requirements() { local standalone_or_dist=$1 local node_type=$2 # optional diff --git a/setup/so-setup b/setup/so-setup index 982195703..37121c4fb 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -534,8 +534,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi -check_ntp_configured -[[ -z $ntp_configured ]] && collect_ntp_servers +[[ $is_iso ]] && collect_ntp_servers if [[ $is_node && ! $is_eval ]]; then whiptail_node_advanced @@ -584,7 +583,7 @@ set_redirect >> $setup_log 2>&1 # Show initial progress message set_progress_str 0 'Running initial configuration steps' - [[ -z $ntp_configured ]] && [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 reserve_ports From 679925ebd967160aa3242405127e3ce5b829c07b Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Tue, 30 Mar 2021 13:29:56 -0400 Subject: [PATCH 16/29] Fix sensor cleanup & playbook sync scripts --- salt/common/tools/sbin/so-playbook-sync | 4 ++++ salt/common/tools/sbin/so-sensor-clean | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/so-playbook-sync b/salt/common/tools/sbin/so-playbook-sync index 250e4a3ad..a76d398cb 100755 --- a/salt/common/tools/sbin/so-playbook-sync +++ b/salt/common/tools/sbin/so-playbook-sync @@ -17,4 +17,8 @@ . /usr/sbin/so-common +# Check to see if we are already running +IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l) +[ "$IS_RUNNING" -gt 2 ] && echo "$(date) - Multiple Playbook Sync processes already running...exiting." && exit 0 + docker exec so-soctopus python3 playbook_play-sync.py diff --git a/salt/common/tools/sbin/so-sensor-clean b/salt/common/tools/sbin/so-sensor-clean index 63f102f0c..e62c3c4da 100755 
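Review bot: In `IS_RUNNING=$(ps aux | pgrep -f "so-playbook-sync" | wc -l)` the `ps aux` output is discarded, because pgrep reads the process table itself. The `-gt 2` threshold then depends on how many processes happen to match the pattern (the script, its command-substitution subshell, an editor with the file open). Counting processes is also racy: two instances started together can both decide to exit or both decide to run. A lock is exact and shorter, e.g. `exec 9>/var/lock/so-playbook-sync.lock; flock -n 9 || exit 0` (lock path is illustrative). The same line is introduced in so-sensor-clean in the next hunk.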
--- a/salt/common/tools/sbin/so-sensor-clean +++ b/salt/common/tools/sbin/so-sensor-clean @@ -115,7 +115,7 @@ clean() { } # Check to see if we are already running -IS_RUNNING=$(ps aux | grep "so-sensor-clean" | grep -v grep | wc -l) +IS_RUNNING=$(ps aux | pgrep -f "so-sensor-clean" | wc -l) [ "$IS_RUNNING" -gt 2 ] && echo "$(date) - $IS_RUNNING sensor clean script processes running...exiting." >>$LOG && exit 0 if [ "$CUR_USAGE" -gt "$CRIT_DISK_USAGE" ]; then From be6eb3ed6c91495a79c8e760f0cf15372a5eee16 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 14:17:05 -0400 Subject: [PATCH 17/29] Restart chrony in case it's already running --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5c69b817a..87c9b4885 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -742,7 +742,7 @@ configure_ntp() { 'logdir /var/log/chrony' >> $chrony_conf systemctl enable chronyd - systemctl start chronyd + systemctl restart chronyd # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made From fd51b327ee1d860221c88dbb30c7c16a9cd105c5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 15:23:57 -0400 Subject: [PATCH 18/29] Add messaging to explain chronyc output to log --- setup/so-functions | 2 ++ 1 file changed, 2 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 87c9b4885..d31eb28a3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -746,7 +746,9 @@ configure_ntp() { # Tell the chrony daemon to sync time & update the system time # Since these commands only make a call to chronyd, wait after each command to make sure the changes are made + printf "Syncing chrony time to server: " chronyc -a 'burst 4/4' && sleep 30 + printf "Forcing chrony to update the time: " chronyc -a makestep && sleep 30 } 
From 177989269fda48a1fa833cbf3e75e2379e07ed1b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 30 Mar 2021 15:50:37 -0400 Subject: [PATCH 19/29] Better formatting of chrony.conf --- setup/so-functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d31eb28a3..862854c69 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -728,14 +728,16 @@ configure_ntp() { [[ -f $chrony_conf ]] && mv $chrony_conf "$chrony_conf.bak" - echo "# Config created by Security Onion" > $chrony_conf + printf '%s\n' "# NTP server list" > $chrony_conf # Build list of servers for addr in "${ntp_servers[@]}"; do echo "server $addr iburst" >> $chrony_conf done - printf '%s\n\n' \ + printf '\n%s\n' "# Config options" >> $chrony_conf + + printf '%s\n' \ 'driftfile /var/lib/chrony/drift' \ 'makestep 1.0 3' \ 'rtcsync' \ From c03e2b2c11279bb3fc7b1c53815b01207a252cfa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 09:14:40 -0400 Subject: [PATCH 20/29] Move ntp server array to its own pillar in the minion sls file --- setup/so-functions | 24 +++++++++++++++--------- setup/so-setup | 1 + 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 862854c69..702ccece3 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1591,8 +1591,7 @@ manager_pillar() { printf '%s\n'\ " kratoskey: '$KRATOSKEY'"\ "" >> "$pillar_file" - - } +} manager_global() { local global_pillar="$local_salt_dir/pillar/global.sls" @@ -1620,12 +1619,7 @@ manager_global() { " mdengine: '$ZEEKVERSION'"\ " ids: '$NIDS'"\ " url_base: '$REDIRECTIT'"\ - " managerip: '$MAINIP'"\ - " ntp_servers:" > "$global_pillar" - - for addr in "${ntp_servers[@]}"; do - echo " - '$addr'" >> "$global_pillar" - done + " managerip: '$MAINIP'" > "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ 
@@ -1774,7 +1768,6 @@ manager_global() { " bip: '$DOCKERBIP'"\ "redis_settings:"\ " redis_maxmemory: 812" >> "$global_pillar" - printf '%s\n' '----' >> "$setup_log" 2>&1 } @@ -1837,6 +1830,19 @@ network_setup() { } >> "$setup_log" 2>&1 } +ntp_pillar() { + local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls + + if [[ ${#ntp_servers[@]} -gt 0 ]]; then + printf '%s\n'\ + "ntp:"\ + " servers:" >> "$global_pillar" + for addr in "${ntp_servers[@]}"; do + printf '%s\n' " - '$addr'" >> "$pillar_file" + done + fi +} + parse_install_username() { # parse out the install username so things copy correctly INSTALLUSERNAME=${SUDO_USER:-${USER}} diff --git a/setup/so-setup b/setup/so-setup index 37121c4fb..65be15dc1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -584,6 +584,7 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 reserve_ports From 1c4ba28336423c6164c671615e2d90d52e4fd4c4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 31 Mar 2021 13:28:42 -0400 Subject: [PATCH 21/29] [fix] host_pillar overwrites the file, so run ntp_pillar after it --- setup/so-setup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 84e94e780..e2c866964 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -585,7 +585,6 @@ set_redirect >> $setup_log 2>&1 set_progress_str 0 'Running initial configuration steps' [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1 - ntp_pillar >> $setup_log 2>&1 reserve_ports @@ -619,6 +618,8 @@ set_redirect >> $setup_log 2>&1 fi host_pillar >> $setup_log 2>&1 + ntp_pillar >> $setup_log 2>&1 + if [[ $is_minion || $is_import ]]; then set_updates >> $setup_log 2>&1 From 761a12ebbb6a95f8414f7b6e07b074a46ae025c2 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Wed, 31 Mar 2021 13:32:49 -0400 Subject: [PATCH 22/29] Fix variable name --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 6b4f693e3..2732a0ee9 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1802,7 +1802,7 @@ ntp_pillar() { if [[ ${#ntp_servers[@]} -gt 0 ]]; then printf '%s\n'\ "ntp:"\ - " servers:" >> "$global_pillar" + " servers:" >> "$pillar_file" for addr in "${ntp_servers[@]}"; do printf '%s\n' " - '$addr'" >> "$pillar_file" done From 820b01405f428307aa23286ed7c9e9ef0c5f8a24 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 31 Mar 2021 14:57:36 -0400 Subject: [PATCH 23/29] For hunt quick actions, pipe value to 'escape' operator to escape backslashes and double quotes --- salt/soc/files/soc/alerts.actions.json | 2 +- salt/soc/files/soc/hunt.actions.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json index 364c59d27..c0543d8fc 100644 --- a/salt/soc/files/soc/alerts.actions.json +++ b/salt/soc/files/soc/alerts.actions.json @@ -1,7 +1,7 @@ [ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", "links": [ - "/#/hunt?q=\"{value}\" | groupby event.module event.dataset" + "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset" ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json index 364c59d27..c0543d8fc 100644 --- a/salt/soc/files/soc/hunt.actions.json +++ b/salt/soc/files/soc/hunt.actions.json 
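Review bot: Only the `actionHunt` link is switched to `{value|escape}` in alerts.actions.json; the `links` array of the `actionCorrelate` entry that follows is outside the hunk, so it is not visible whether those queries also place event values inside double quotes. If they do, they need the same filter, otherwise a field value containing `"` or `\` can still change the query built from an alert. The identical change to hunt.actions.json leaves the same question open.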
@@ -1,7 +1,7 @@ [ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", "links": [ - "/#/hunt?q=\"{value}\" | groupby event.module event.dataset" + "/#/hunt?q=\"{value|escape}\" | groupby event.module event.dataset" ]}, { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", "links": [ From f7e99b496134345e81ef8f787bb627997773358d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 31 Mar 2021 15:17:15 -0400 Subject: [PATCH 24/29] https://github.com/Security-Onion-Solutions/securityonion/issues/3709 --- salt/firewall/map.jinja | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/firewall/map.jinja b/salt/firewall/map.jinja index 2df668a07..496e6f568 100644 --- a/salt/firewall/map.jinja +++ b/salt/firewall/map.jinja 
@@ -18,14 +18,18 @@ {# This block translate the portgroups defined in the pillar to what is defined my portgroups.yaml and portgroups.local.yaml #} {% if salt['pillar.get']('firewall:assigned_hostgroups:chain') %} + {% set translated_pillar_assigned_hostgroups = {'chain': {}} %} {% for chain, hg in salt['pillar.get']('firewall:assigned_hostgroups:chain').items() %} {% for pillar_hostgroup, pillar_portgroups in salt['pillar.get']('firewall:assigned_hostgroups:chain')[chain].hostgroups.items() %} - {% do translated_pillar_assigned_hostgroups.update({"chain": {chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}}) %} + {% if translated_pillar_assigned_hostgroups.chain[chain] is defined %} + {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups.update({pillar_hostgroup: {"portgroups": []}}) %} + {% else %} + {% do translated_pillar_assigned_hostgroups.chain.update({chain: {"hostgroups": {pillar_hostgroup: {"portgroups": []}}}}) %} + {% endif %} {% for pillar_portgroup in pillar_portgroups.portgroups %} {% set pillar_portgroup = pillar_portgroup.split('.') | last %} {% do translated_pillar_assigned_hostgroups.chain[chain].hostgroups[pillar_hostgroup].portgroups.append(defined_portgroups[pillar_portgroup]) %} - {% endfor %} {% endfor %} {% endfor %} @@ -39,7 +43,6 @@ {% set assigned_hostgroups = default_assigned_hostgroups.role[role] %} {% endif %} - {% if translated_pillar_assigned_hostgroups %} {% do salt['defaults.merge'](assigned_hostgroups, translated_pillar_assigned_hostgroups, merge_lists=True, in_place=True) %} {% endif %} \ No newline at end of file From ef984455605de8b1cb6f1ea7ee7b13d49afa824a Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 31 Mar 2021 15:44:41 -0400 Subject: [PATCH 25/29] Fix Playbook Alert timestamps --- salt/elastalert/files/modules/so/playbook-es.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
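Review bot: `defined_portgroups[pillar_portgroup]` in the inner loop is appended without checking that the name taken from the pillar exists in `defined_portgroups`. With lenient undefined handling, a misspelled or removed portgroup name would append an undefined value instead of failing; how that surfaces depends on the code that renders the firewall rules, which is outside this hunk. For a firewall map a silently missing portgroup should be loud, so wrap the append in `{% if pillar_portgroup in defined_portgroups %}` and fail explicitly in the else branch. Separately, the new `{% set translated_pillar_assigned_hostgroups = {'chain': {}} %}` sits inside the `pillar.get` condition, so the later `{% if translated_pillar_assigned_hostgroups %}` presumably relies on the name being defined earlier in the file or on an undefined name testing false.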
diff --git a/salt/elastalert/files/modules/so/playbook-es.py b/salt/elastalert/files/modules/so/playbook-es.py index c10a80f2c..ab2327ab7 100644 --- a/salt/elastalert/files/modules/so/playbook-es.py +++ b/salt/elastalert/files/modules/so/playbook-es.py @@ -17,7 +17,7 @@ class PlaybookESAlerter(Alerter): def alert(self, matches): for match in matches: today = strftime("%Y.%m.%d", gmtime()) - timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S", gmtime()) + timestamp = strftime("%Y-%m-%d"'T'"%H:%M:%S"'.000Z', gmtime()) headers = {"Content-Type": "application/json"} payload = {"rule": { "name": self.rule['play_title'],"case_template": self.rule['play_id'],"uuid": self.rule['play_id'],"category": self.rule['rule.category']},"event":{ "severity": self.rule['event.severity'],"module": self.rule['event.module'],"dataset": self.rule['event.dataset'],"severity_label": self.rule['sigma_level']},"kibana_pivot": self.rule['kibana_pivot'],"soc_pivot": self.rule['soc_pivot'],"play_url": self.rule['play_url'],"sigma_level": self.rule['sigma_level'],"event_data": match, "@timestamp": timestamp} url = f"https://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/" From bc04cae91896c986575a44bcc0a812cb3d575d24 Mon Sep 17 00:00:00 2001 From: Masaya-A <68965261+Masaya-A@users.noreply.github.com> Date: Thu, 1 Apr 2021 16:59:47 +0900 Subject: [PATCH 26/29] Fix: Connection to ES is "https" from 2.3.40 --- salt/curator/files/bin/so-curator-closed-delete-delete | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/curator/files/bin/so-curator-closed-delete-delete b/salt/curator/files/bin/so-curator-closed-delete-delete index 58433ee1a..9cc94833c 100755 --- a/salt/curator/files/bin/so-curator-closed-delete-delete +++ b/salt/curator/files/bin/so-curator-closed-delete-delete 
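Review bot: `today` and `timestamp` are built from two separate `gmtime()` calls inside the loop, so a run that crosses midnight UTC can write a document into the `so-playbook-alerts-{today}` index with an `@timestamp` from the following day. Taking the time once, `now = gmtime()`, and formatting both strings from it removes that. The format is also easier to read as one literal, `strftime("%Y-%m-%dT%H:%M:%S.000Z", now)`, which produces the same text as the concatenated pieces. The fixed `.000` means alerts raised within the same second share a timestamp, which matters when they are ordered on a timeline. `alert()` continues past the end of this hunk.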
@@ -34,7 +34,7 @@ overlimit() { closedindices() { - INDICES=$(curl -s -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null) + INDICES=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed 2> /dev/null) [ $? -eq 1 ] && return false echo ${INDICES} | grep -q -E "(logstash-|so-)" } @@ -49,12 +49,12 @@ while overlimit && closedindices; do # First, get the list of closed indices using _cat/indices?h=index\&expand_wildcards=closed. # Then, sort by date by telling sort to use hyphen as delimiter and then sort on the third field. # Finally, select the first entry in that sorted list. - OLDEST_INDEX=$(curl -s -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) + OLDEST_INDEX=$(curl -s -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/_cat/indices?h=index\&expand_wildcards=closed | grep -E "(logstash-|so-)" | sort -t- -k3 | head -1) # Now that we've determined OLDEST_INDEX, ask Elasticsearch to delete it. - curl -XDELETE -k {% if grains['role'] in ['so-node','so-heavynode'] %}https://{% endif %}{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} + curl -XDELETE -k https://{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}/${OLDEST_INDEX} # Finally, write a log entry that says we deleted it. echo "$(date) - Used disk space exceeds LOG_SIZE_LIMIT ({{LOG_SIZE_LIMIT}} GB) - Index ${OLDEST_INDEX} deleted ..." >> ${LOG} -done \ No newline at end of file +done From 0d056123934fb754469191ac3ceb6e63abc04e40 Mon Sep 17 00:00:00 2001 
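Review bot: `-k` stays on the `curl` call in `closedindices` and on both calls in the `@@ -49,12` hunk, so now that every role connects over https the server certificate is never verified, and the index listing and the `DELETE` go to whatever answers on `{{ELASTICSEARCH_HOST}}:{{ELASTICSEARCH_PORT}}`. Replacing `-k` with `--cacert <path-to-deployment-ca.crt>` (placeholder; the CA path is not shown on this page) keeps the connection authenticated. In the same function, `[ $? -eq 1 ] && return false` only matches curl's exit code 1, while connection and TLS failures exit with other codes, and `return` expects a number; `INDICES=$(curl ...) || return 1` covers both.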
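Review bot: `${OLDEST_INDEX}` goes into the `DELETE` URL unquoted and without an emptiness check, so if the listing request fails or returns nothing between the `closedindices` test and this call, the request is issued against the bare `https://host:port/` and the log line still reports an index as deleted. Add `[ -n "${OLDEST_INDEX}" ] || break` before the `curl -XDELETE`, and quote the URL. The result of the `DELETE` is not checked either; adding `-f` and testing curl's exit status before writing the log entry would keep the deletion log accurate for later review. The `while` loop begins above this hunk.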
From: Mike Reeves Date: Thu, 1 Apr 2021 10:00:55 -0400 Subject: [PATCH 27/29] Reserve ports for Zeek --- salt/common/files/99-reserved-ports.conf | 2 +- salt/common/init.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf index a846341a5..208ef0acc 100644 --- a/salt/common/files/99-reserved-ports.conf +++ b/salt/common/files/99-reserved-ports.conf @@ -1 +1 @@ -net.ipv4.ip_local_reserved_ports=55000,57314 +net.ipv4.ip_local_reserved_ports=55000,57314,47760,47761,47762 diff --git a/salt/common/init.sls b/salt/common/init.sls index 3e6774219..6d0e567c5 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -268,7 +268,7 @@ docker: # Reserve OS ports for Docker proxy in case boot settings are not already applied/present dockerapplyports: cmd.run: - - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314"; fi + - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760,47761,47762"; fi # Reserve OS ports for Docker proxy dockerreserveports: From 40313fc2f5fd9b087f89bb1adda7f4ce0269da52 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 1 Apr 2021 10:29:58 -0400 Subject: [PATCH 28/29] Reserve ports for Zeek --- salt/common/files/99-reserved-ports.conf | 2 +- salt/common/init.sls | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf index 208ef0acc..ac4391693 100644 --- a/salt/common/files/99-reserved-ports.conf +++ b/salt/common/files/99-reserved-ports.conf @@ -1 +1 @@ -net.ipv4.ip_local_reserved_ports=55000,57314,47760,47761,47762 +net.ipv4.ip_local_reserved_ports=55000,57314,55000,57314,47760-47860 \ No newline at end of file diff --git a/salt/common/init.sls b/salt/common/init.sls index 6d0e567c5..7945a678a 100644 
--- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -266,9 +266,10 @@ docker: - file: docker_daemon # Reserve OS ports for Docker proxy in case boot settings are not already applied/present +# 55000 = Wazuh, 57314 = Strelka, 47760-47860 = Zeek dockerapplyports: cmd.run: - - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760,47761,47762"; fi + - name: if [ ! -s /etc/sysctl.d/99-reserved-ports.conf ]; then sysctl -w net.ipv4.ip_local_reserved_ports="55000,57314,47760-47860"; fi # Reserve OS ports for Docker proxy dockerreserveports: From 7c6b037ae55ef36727e49b4b3786cc3fd8eff57c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 1 Apr 2021 10:30:52 -0400 Subject: [PATCH 29/29] Reserve ports for Zeek --- salt/common/files/99-reserved-ports.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/files/99-reserved-ports.conf b/salt/common/files/99-reserved-ports.conf index ac4391693..82eb03f79 100644 --- a/salt/common/files/99-reserved-ports.conf +++ b/salt/common/files/99-reserved-ports.conf @@ -1 +1 @@ -net.ipv4.ip_local_reserved_ports=55000,57314,55000,57314,47760-47860 \ No newline at end of file +net.ipv4.ip_local_reserved_ports=55000,57314,47760-47860 \ No newline at end of file
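Review bot: The port list now lives in two places, the `sysctl -w` string in `dockerapplyports` and `salt/common/files/99-reserved-ports.conf`, and this series shows them drifting: the `.conf` side briefly held `55000,57314,55000,57314,47760-47860` while this state did not. `dockerapplyports` is also guarded by `[ ! -s /etc/sysctl.d/99-reserved-ports.conf ]`, so on a node that already has the older file it does nothing. Whether the Zeek range reaches the running kernel there depends on `dockerreserveports`, whose body is outside this hunk. Consider having the runtime step load the managed file, e.g. `sysctl -p /etc/sysctl.d/99-reserved-ports.conf` run when the file changes, so the list has one source.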