Merge branch 'dev' into kilo

2025-12-06 17:22:49 +01:00 · 2021-04-08 18:43:37 -04:00
parent 5ef336fed2 0ea57b4848
commit d5bc7ec627
4 changed files with 242 additions and 8 deletions
--- a/salt/telegraf/etc/telegraf.conf
+++ b/salt/telegraf/etc/telegraf.conf
@@ -663,6 +663,15 @@
 # # Read metrics from one or more commands that can output to stdout
 [[inputs.exec]]
   commands = [
      "/scripts/sostatus.sh"
   ]
   data_format = "influx"
   timeout = "15s"
   interval = "180s"
 #   ## Commands array
 {% if grains['role'] in ['so-manager', 'so-managersearch'] %}
 [[inputs.exec]]
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -563,7 +563,7 @@ collect_patch_schedule_name_import() {
 collect_proxy() {
 	[[ -n $TESTING ]] && return
-	collect_proxy_details
+	collect_proxy_details || return
 	while ! proxy_validate; do
 		if whiptail_invalid_proxy; then
 			collect_proxy_details no_ask
@@ -608,6 +608,8 @@ collect_proxy_details() {
 			so_proxy="$proxy_addr"
 		fi
 		export so_proxy
 	else
 		return 1
 	fi
 }
@@ -1870,12 +1872,13 @@ print_salt_state_apply() {
 }
 proxy_validate() {
 	echo "Testing proxy..."
 	local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS"
-	proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" 2>&1)
+	proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" --connect-timeout 5 2>&1) # set short connection timeout so user doesn't sit waiting for proxy test to timeout
 	local ret=$?
 	if [[ $ret != 0 ]]; then
-		error "Could not reach $test_url using proxy $so_proxy"
+		error "Could not reach $test_url using proxy provided"
 		error "Received error: $proxy_test_err"
 		if [[ -n $TESTING ]]; then
 			error "Exiting setup"
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -558,7 +558,6 @@ if [[ $is_node && ! $is_eval ]]; then
 		LSPIPELINEWORKERS=$num_cpu_cores
 		LSPIPELINEBATCH=125
 		LSINPUTTHREADS=1
 		LSPIPELINEBATCH=125
 	fi
 fi
@@ -572,14 +571,14 @@ fi
 if [[ $is_manager || $is_import ]]; then collect_so_allow; fi
-whiptail_make_changes
+# This block sets REDIRECTIT which is used by a function outside the below subshell
 set_redirect >> $setup_log 2>&1
 whiptail_end_settings
 # From here on changes will be made.
 echo "1" > /root/accept_changes
 # This block sets REDIRECTIT which is used by a function outside the below subshell
 set_redirect >> $setup_log 2>&1
 # Begin install
 {
@@ -962,6 +961,7 @@ else
 	} | whiptail_gauge_post_setup "Running post-installation steps..."
 	whiptail_setup_complete
 	[[ $setup_type != 'iso' ]] && whitpail_ssh_warning
 	echo "Post-installation steps have completed." >> $setup_log 2>&1
 fi
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -391,6 +391,7 @@ whiptail_dockernet_net() {
 	whiptail_check_exitstatus $exitstatus
 }
 whiptail_enable_components() {
 	[ -n "$TESTING" ] && return
@@ -423,6 +424,211 @@ whiptail_enable_components() {
 	done
 }
 whiptail_end_settings() {
 	[ -n "$TESTING" ] && return
 	# BASIC INFO (NETWORK, HOSTNAME, DESCRIPTION, ETC)
 	read -r -d '' end_msg <<- EOM
 	Node Type: $install_type
 	Hostname: $HOSTNAME
 	EOM
 	[[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION"
 	[[ $is_airgap ]] && __append_end_msg "Airgap: True"
 	if [[ $is_minion ]]; then 
 		__append_end_msg "Manager Hostname: $MSRV"
 		__append_end_msg "Manager IP: $MSRVIP"
 	fi
 	[[ $is_iso ]] && __append_end_msg "Network: $address_type"
 	__append_end_msg "Management NIC: $MNIC"
 	__append_end_msg "Management IP: $MAINIP"
 	if [[ $address_type == 'STATIC' ]]; then
 		__append_end_msg "Gateway: $MGATEWAY"
 		__append_end_msg "DNS: $MDNS"
 		__append_end_msg "DNS Domain: $MSEARCH"
 	fi
 	if [[ -n $so_proxy ]]; then
 		__append_end_msg "Proxy:"
 		__append_end_msg "  Server URL: $proxy_addr"
 		[[ -n $proxy_user ]] && __append_end_msg "  User: $proxy_user"
 	else
 		__append_end_msg "Proxy: N/A"
 	fi
 	if [[ $is_sensor ]]; then
 		__append_end_msg "Bond NIC(s):"
 		for nic in "${BNICS[@]}"; do
 			__append_end_msg "  - $nic"
 		done
 		[[ -n $MTU ]] && __append_end_msg "MTU: $MTU"
 	fi
 	local homenet_arr
 	if [[ -n $HNMANAGER ]]; then
 		__append_end_msg "Home Network(s):"
 		IFS="," read -r -a homenet_arr <<< "$HNMANAGER"
 		for net in "${homenet_arr[@]}"; do
 			__append_end_msg "  - $net"
 		done
 	elif [[ -n $HNSENSOR ]]; then
 		__append_end_msg "Home Network(s):"
 		IFS="," read -r -a homenet_arr <<< "$HNSENSOR"
 		for net in "${homenet_arr[@]}"; do
 			__append_end_msg "  - $net"
 		done
 	fi
 	[[ -n $REDIRECTIT ]] && __append_end_msg "Access URL: https://${REDIRECTIT}"
 	[[ -n $ALLOW_CIDR ]] && __append_end_msg "Allowed IP or Subnet: $ALLOW_CIDR"
 	[[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER"
 	[[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER"
 	if [[ $is_manager ]]; then
 		__append_end_msg "Enabled Optional Components:"
 		for component in "${COMPONENTS[@]}"; do
 			__append_end_msg "  - $component"
 		done
 	fi
 	# METADATA / IDS
 	if [[ -n $ZEEKVERSION ]]; then
 		local md_tool_string=${ZEEKVERSION,;}
 		md_tool_string=${md_tool_string^}
 		__append_end_msg "Metadata Tool: $md_tool_string"
 	fi
 	[[ -n $RULESETUP ]] && __append_end_msg "IDS Ruleset: $RULESETUP"
 	[[ -n $OINKCODE ]] && __append_end_msg "Oinkcode: $OINKCODE"
 	# PATCH SCHEDULE
 	if [[ -n $PATCHSCHEDULENAME ]]; then
 		__append_end_msg "Patch Schedule:"
 		if [[ $PATCHSCHEDULENAME == 'auto'|| $PATCHSCHEDULENAME == 'manual' ]]; then
 			__append_end_msg "  Type: $PATCHSCHEDULENAME"
 		else
 			__append_end_msg "  Name: $PATCHSCHEDULENAME"
 		fi
 		if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then
 			__append_end_msg "  Day(s):"
 			for day in "${PATCHSCHEDULEDAYS[@]}"; do
 				__append_end_msg "    - $day"
 			done
 		fi
 		if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then
 			__append_end_msg "  Hours(s):"
 			for hour in "${PATCHSCHEDULEHOURS[@]}"; do
 				__append_end_msg "    - $hour"
 			done
 		fi
 	fi
 	# MISC
 	[[ $is_helix ]] && __append_end_msg "Helix API key: $HELIXAPIKEY"
 	[[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET"
 	if [[ -n $MANAGERUPDATES ]]; then
 		__append_end_msg "OS Package Updates: Manager"
 	else
 		__append_end_msg "OS Package Updates: Open"
 	fi
 	if [[ ${#ntp_servers[@]} -gt 0 ]]; then
 		__append_end_msg "NTP Servers:"
 		for server in "${ntp_servers[@]}"; do
 			__append_end_msg "  - $server"
 		done
 	fi
 	if [[ $NSMSETUP != 'ADVANCED' ]]; then
 		[[ -n $BASICZEEK ]] && __append_end_msg "Zeek Processes: $BASICZEEK"
 		[[ -n $BASICSURI ]] && __append_end_msg "Suricata Processes: $BASICSURI"
 	fi
 	# ADVANCED OR REGULAR
 	if [[ $NODESETUP == 'NODEADVANCED' ]]; then
 		__append_end_msg "Advanced Node Settings:"
 		__append_end_msg "  Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE"
 		__append_end_msg "  Logstash Heap Size: $NODE_LS_HEAP_SIZE"
 		__append_end_msg "  Logstash Worker Count: $LSPIPELINEWORKERS"
 		__append_end_msg "  Logstash Batch Size: $LSPIPELINEBATCH"
 		__append_end_msg "  Logstash Input Threads: $LSINPUTTHREADS"
 		__append_end_msg "  Curator Day Cutoff: $CURCLOSEDAYS days"
 		__append_end_msg "  Elasticsearch Storage Space: ${log_size_limit}GB"
 	else
 		__append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE"
 		__append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE"
 		__append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS"
 		__append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH"
 		__append_end_msg "Logstash Input Threads: $LSINPUTTHREADS"
 		__append_end_msg "Curator Close After: $CURCLOSEDAYS days"
 		__append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB"
 	fi
 	# ADVANCED
 	if [[ $MANAGERADV == 'ADVANCED' ]]; then
 		__append_end_msg "Advanced Manager Settings:"
 		[[ -n $ESCLUSTERNAME ]] && __append_end_msg "  ES Cluster Name: $ESCLUSTERNAME"
 		if [[ ${#BLOGS[@]} -gt 0 ]]; then
 			__append_end_msg "  Zeek Logs Enabled:"
 			for log in "${BLOGS[@]}"; do
 				__append_end_msg "    - $log"
 			done
 		fi
 	fi
 	if [[ $NSMSETUP == 'ADVANCED' ]]; then
 		__append_end_msg "Advanced NSM Settings:"
 		if [[ ${#ZEEKPINS[@]} -gt 0 ]]; then
 			local zeek_pin_str
 			for core in "${ZEEKPINS[@]}"; do
 				zeek_pin_str="${zeek_pin_str}${core},"
 			done
 			zeek_pin_str=${zeek_pin_str%,}
 			__append_end_msg "  Zeek Pinned Cores: ${zeek_pin_str}"
 		fi
 		if [[ ${#SURIPINS[@]} -gt 0 ]]; then
 			local suri_pin_str
 			for core in "${SURIPINS[@]}"; do
 				suri_pin_str="${suri_pin_str}${core},"
 			done
 			suri_pin_str=${suri_pin_str%,}
 			__append_end_msg "  Suricata Pinned Cores: ${suri_pin_str}"
 		fi
 	fi
 	whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus
 	echo "$end_msg" > /root/install_summary
 	printf '%s\n' 'Install summary:' "$end_msg" >> "$setup_log"
 }
 __append_end_msg() {
 	local newline=$1
 	read -r -d '' end_msg <<- EOM
 	$end_msg
 	$newline
 	EOM
 }
 whiptail_eval_adv() {
 	[ -n "$TESTING" ] && return
@@ -1491,6 +1697,22 @@ whiptail_so_allow() {
 	whiptail_check_exitstatus $exitstatus
 }
 whitpail_ssh_warning() {
 	[ -n "$TESTING" ] && return
 	local msg
 	read -r -d '' msg <<- EOM
 	NOTE: You will recceive a warning upon SSH reconnect that the host key has changed.
 	This is expected due to hardening of the OpenSSH server config.
 	The host key algorithm will now be ED25519, follow the instructions given by your SSH client to remove the old key fingerprint then retry the connection.
 	EOM
 	whiptail --msgbox "$msg" 14 75
 }
 whiptail_storage_requirements() {
 	local mount=$1
 	local current_val=$2