CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-11 11:42:50 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'mkrmerge' into escluster

Browse Source
This commit is contained in:
Mike Reeves
2020-11-24 10:29:57 -05:00
committed by GitHub
parent 57d8f25422 1e32a01657
commit ddca9563e5
171 changed files with 2613 additions and 3181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
setup/so-common-functions
View File

@@ -2,6 +2,7 @@
source ./so-variables
source ../salt/common/tools/sbin/so-common
source ../salt/common/tools/sbin/so-image-common
# Helper functions
@@ -18,12 +19,22 @@ filter_unused_nics() {
fi
# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
filtered_nics=$(ip link| awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
readarray -t filtered_nics <<< "$filtered_nics"
nic_list=()
for nic in "${filtered_nics[@]}"; do
nic_list+=("$nic" "" "OFF")
case $(cat "/sys/class/net/${nic}/carrier" 2>/dev/null) in
1)
nic_list+=("$nic" "Link UP " "OFF")
;;
0)
nic_list+=("$nic" "Link DOWN " "OFF")
;;
*)
nic_list+=("$nic" "Link UNKNOWN " "OFF")
;;
esac
done
export nic_list

291
setup/so-functions
View File

@@ -19,6 +19,8 @@ source ./so-whiptail
source ./so-variables
source ./so-common-functions
CONTAINER_REGISTRY=quay.io
SOVERSION=$(cat ../VERSION)
log() {
@@ -105,6 +107,10 @@ add_manager_hostfile() {
whiptail_check_exitstatus $exitstatus
}
add_mngr_ip_to_hosts() {
echo "$MSRVIP $MSRV" >> /etc/hosts
}
addtotab_generate_templates() {
local addtotab_path=$local_salt_dir/pillar/data
@@ -173,7 +179,7 @@ add_web_user() {
echo "Attempting to add administrator user for web interface...";
echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER";
echo "Add user result: $?";
} >> "$setup_log" 2>&1
} >> "/root/so-user-add.log" 2>&1
}
# Create an secrets pillar so that passwords survive re-install
@@ -264,6 +270,7 @@ check_service_status() {
check_salt_master_status() {
echo "Checking if we can talk to the salt master" >> "$setup_log" 2>&1
salt-call saltutil.kill_all_jobs > /dev/null 2>&1
salt-call state.show_top > /dev/null 2>&1
local status=$?
#true if there is an issue talking to salt master
@@ -430,8 +437,6 @@ configure_minion() {
{
systemctl restart salt-minion;
printf '%s\n' '----';
cat "$minion_config";
} >> "$setup_log" 2>&1
}
@@ -462,15 +467,15 @@ check_requirements() {
if [[ "$node_type" == 'sensor' ]]; then req_nics=2; else req_nics=1; fi
if [[ "$node_type" == 'fleet' ]]; then req_mem=4; fi
elif [[ "$standalone_or_dist" == 'import' ]]; then
req_mem=4
req_cores=2
req_mem=4
req_cores=2
req_nics=1
fi
if [[ $setup_type == 'network' ]] ; then
if [[ -n $nsm_mount ]]; then
if [[ "$standalone_or_dist" == 'import' ]]; then
req_storage=50
req_storage=50
else
req_storage=100
fi
@@ -482,7 +487,7 @@ check_requirements() {
fi
else
if [[ "$standalone_or_dist" == 'import' ]]; then
req_storage=50
req_storage=50
else
req_storage=200
fi
@@ -493,11 +498,20 @@ check_requirements() {
fi
if [[ $num_nics -lt $req_nics ]]; then
whiptail_requirements_error "NICs" "$num_nics" "$req_nics"
if [[ $num_nics -eq 1 ]]; then
whiptail_requirements_error "NIC" "$num_nics" "$req_nics"
else
whiptail_requirements_error "NICs" "$num_nics" "$req_nics"
fi
fi
if [[ $num_cpu_cores -lt $req_cores ]]; then
whiptail_requirements_error "cores" "$num_cpu_cores" "$req_cores"
if [[ $num_cpu_cores -eq 1 ]]; then
whiptail_requirements_error "core" "$num_cpu_cores" "$req_cores"
else
whiptail_requirements_error "cores" "$num_cpu_cores" "$req_cores"
fi
fi
if [[ $total_mem_hr -lt $req_mem ]]; then
@@ -638,6 +652,10 @@ copy_ssh_key() {
mkdir -p /root/.ssh
ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero
chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh
echo "Removing old entry for manager from known_hosts if it exists"
sed -i "/${MSRV}/d" /root/.ssh/known_hosts
echo "Copying the SSH key to the manager"
#Copy the key over to the manager
ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV"
@@ -691,7 +709,8 @@ detect_os() {
exit 1
fi
echo "Installing required packages to run installer..." >> "$setup_log" 2>&1
# Print message to stdout so the user knows setup is doing something
echo "Installing required packages to run installer..."
# Install bind-utils so the host command exists
if [[ ! $is_iso ]]; then
if ! command -v host > /dev/null 2>&1; then
@@ -725,6 +744,7 @@ detect_os() {
exit 1
fi
# Print message to stdout so the user knows setup is doing something
echo "Installing required packages to run installer..."
# Install network manager so we can do interface stuff
if ! command -v nmcli > /dev/null 2>&1; then
@@ -734,7 +754,7 @@ detect_os() {
systemctl start NetworkManager;
} >> "$setup_log" 2<&1
fi
apt-get install -y bc >> "$setup_log" 2>&1
apt-get install -y bc curl >> "$setup_log" 2>&1
else
echo "We were unable to determine if you are using a supported OS."
@@ -747,7 +767,7 @@ detect_os() {
disable_auto_start() {
if crontab -l 2>&1 | grep so-setup > /dev/null 2>&1; then
if crontab -l -u $INSTALLUSERNAME 2>&1 | grep so-setup > /dev/null 2>&1; then
# Remove the automated setup script from crontab, if it exists
logCmd "crontab -u $INSTALLUSERNAME -r"
fi
@@ -840,96 +860,53 @@ docker_registry() {
echo "Setting up Docker Registry" >> "$setup_log" 2>&1
mkdir -p /etc/docker >> "$setup_log" 2>&1
if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0
fi
# Make the host use the manager docker registry
DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
printf '%s\n'\
"{"\
" \"registry-mirrors\": [ \"$proxy:5000\" ]"\
" \"registry-mirrors\": [ \"$proxy:5000\" ],"\
" \"bip\": \"$DNETBIP\","\
" \"default-address-pools\": ["\
" {"\
" \"base\" : \"$DOCKERNET\","\
" \"size\" : 24"\
" }"\
" ]"\
"}" > /etc/docker/daemon.json
echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1
}
docker_seed_update() {
local name=$1
local percent_delta=1
if [ "$install_type" == 'HELIXSENSOR' ]; then
percent_delta=6
fi
((docker_seed_update_percent=docker_seed_update_percent+percent_delta))
set_progress_str "$docker_seed_update_percent" "Downloading $name"
}
docker_seed_registry() {
local VERSION="$SOVERSION"
if ! [ -f /nsm/docker-registry/docker/registry.tar ]; then
if [ "$install_type" == 'IMPORT' ]; then
local TRUSTED_CONTAINERS=(\
"so-idstools:$VERSION" \
"so-nginx:$VERSION" \
"so-filebeat:$VERSION" \
"so-suricata:$VERSION" \
"so-soc:$VERSION" \
"so-steno:$VERSION" \
"so-elasticsearch:$VERSION" \
"so-kibana:$VERSION" \
"so-kratos:$VERSION" \
"so-suricata:$VERSION" \
"so-pcaptools:$VERSION" \
"so-zeek:$VERSION"
)
if [ "$install_type" == 'IMPORT' ]; then
container_list 'so-import'
elif [ "$install_type" == 'HELIXSENSOR' ]; then
container_list 'so-helix'
else
local TRUSTED_CONTAINERS=(\
"so-nginx:$VERSION" \
"so-filebeat:$VERSION" \
"so-logstash:$VERSION" \
"so-idstools:$VERSION" \
"so-redis:$VERSION" \
"so-steno:$VERSION" \
"so-suricata:$VERSION" \
"so-telegraf:$VERSION" \
"so-zeek:$VERSION"
)
container_list
fi
if [ "$install_type" != 'HELIXSENSOR' ] && [ "$install_type" != 'IMPORT' ]; then
TRUSTED_CONTAINERS=("${TRUSTED_CONTAINERS[@]}" \
"so-acng:$VERSION" \
"so-thehive-cortex:$VERSION" \
"so-curator:$VERSION" \
"so-domainstats:$VERSION" \
"so-elastalert:$VERSION" \
"so-elasticsearch:$VERSION" \
"so-fleet:$VERSION" \
"so-fleet-launcher:$VERSION" \
"so-freqserver:$VERSION" \
"so-grafana:$VERSION" \
"so-influxdb:$VERSION" \
"so-kibana:$VERSION" \
"so-minio:$VERSION" \
"so-mysql:$VERSION" \
"so-pcaptools:$VERSION" \
"so-playbook:$VERSION" \
"so-soc:$VERSION" \
"so-kratos:$VERSION" \
"so-soctopus:$VERSION" \
"so-steno:$VERSION" \
"so-strelka-frontend:$VERSION" \
"so-strelka-manager:$VERSION" \
"so-strelka-backend:$VERSION" \
"so-strelka-filestream:$VERSION" \
"so-thehive:$VERSION" \
"so-thehive-es:$VERSION" \
"so-wazuh:$VERSION"
)
fi
local percent=25
for i in "${TRUSTED_CONTAINERS[@]}"; do
if [ "$install_type" != 'HELIXSENSOR' ]; then ((percent=percent+1)); else ((percent=percent+6)); fi
# Pull down the trusted docker image
set_progress_str "$percent" "Downloading $i"
{
if ! docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"; then
sleep 5
docker pull --disable-content-trust=false docker.io/$IMAGEREPO/"$i"
fi
# Tag it with the new registry destination
docker tag $IMAGEREPO/"$i" "$HOSTNAME":5000/$IMAGEREPO/"$i"
docker push "$HOSTNAME":5000/$IMAGEREPO/"$i"
#docker rmi $IMAGEREPO/"$i"
} >> "$setup_log" 2>&1
done
docker_seed_update_percent=25
update_docker_containers 'netinstall' '' 'docker_seed_update' "$setup_log"
else
tar xvf /nsm/docker-registry/docker/registry.tar -C /nsm/docker-registry/docker >> "$setup_log" 2>&1
rm /nsm/docker-registry/docker/registry.tar >> "$setup_log" 2>&1
@@ -956,10 +933,10 @@ firewall_generate_templates() {
local firewall_pillar_path=$local_salt_dir/salt/firewall
mkdir -p "$firewall_pillar_path"
cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1
cp ../files/firewall/* /opt/so/saltstack/local/salt/firewall/ >> "$setup_log" 2>&1
for i in analyst beats_endpoint sensor manager minion osquery_endpoint search_node wazuh_endpoint; do
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1
for i in analyst beats_endpoint sensor manager minion osquery_endpoint search_node wazuh_endpoint; do
$default_salt_dir/salt/common/tools/sbin/so-firewall includehost "$i" 127.0.0.1
done
}
@@ -1003,15 +980,6 @@ get_redirect() {
fi
}
got_root() {
# Make sure you are root
uid="$(id -u)"
if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
}
get_minion_type() {
local minion_type
case "$install_type" in
@@ -1053,6 +1021,10 @@ install_cleanup() {
# If Mysql is running stop it
/usr/sbin/so-mysql-stop
if [[ $setup_type == 'iso' ]]; then
info "Removing so-setup permission entry from sudoers file"
sed -i '/so-setup/d' /etc/sudoers
fi
}
import_registry_docker() {
@@ -1139,12 +1111,17 @@ manager_global() {
fi
fi
if [ -z "$DOCKERNET" ]; then
DOCKERNET=172.17.0.0
fi
# Create a global file for global values
printf '%s\n'\
"global:"\
" soversion: '$SOVERSION'"\
" hnmanager: '$HNMANAGER'"\
" ntpserver: '$NTPSERVER'"\
" dockernet: '$DOCKERNET'"\
" proxy: '$PROXY'"\
" mdengine: '$ZEEKVERSION'"\
" ids: '$NIDS'"\
@@ -1418,14 +1395,74 @@ reserve_group_ids() {
groupadd -g 946 cyberchef
}
reinstall_init() {
info "Putting system in state to run setup again"
{
# Kill any salt processes
pkill -9 -ef /usr/bin/salt
# Remove all salt configs
rm -rf /etc/salt/global /etc/salt/minion /etc/salt/master /etc/salt/pki/*
if command -v docker &> /dev/null; then
# Stop and remove all so-* containers so files can be changed with more safety
docker stop $(docker ps -a -q --filter "name=so-")
docker rm -f $(docker ps -a -q --filter "name=so-")
fi
local date_string
date_string=$(date +%s)
# Backup /opt/so since we'll be rebuilding this directory during setup
backup_dir /opt/so "$date_string"
# Backup directories in /nsm to prevent app errors
backup_dir /nsm/mysql "$date_string"
backup_dir /nsm/wazuh "$date_string"
# Remove the old launcher package in case the config changes
remove_package launcher-final
} >> $setup_log 2>&1
}
backup_dir() {
dir=$1
backup_suffix=$2
if [[ -d $dir ]]; then
mv "$dir" "${dir}_old_${backup_suffix}"
fi
}
remove_package() {
local package_name=$1
if [ $OS = 'centos' ]; then
if rpm -qa | grep -q "$package_name"; then
yum remove -y "$package_name"
fi
else
if dpkg -l | grep -q "$package_name"; then
apt purge -y "$package_name"
fi
fi
}
# When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and salt/salt/master.defaults.yaml and salt/salt/minion.defaults.yaml
# CAUTION! SALT VERSION UDDATES - READ BELOW
# When updating the salt version, also update the version in:
# - securityonion-builds/iso-resources/build.sh
# - securityonion-builds/iso-resources/packages.lst
# - securityonion/salt/salt/master.defaults.yaml
# - securityonion/salt/salt/minion.defaults.yaml
saltify() {
# Install updates and Salt
if [ $OS = 'centos' ]; then
set_progress_str 5 'Installing Salt repo'
{
sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/SALTSTACK-GPG-KEY.pub;
sudo rpm --import https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub;
cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
} >> "$setup_log" 2>&1
set_progress_str 6 'Installing various dependencies'
@@ -1442,14 +1479,14 @@ saltify() {
# Download Ubuntu Keys in case manager updates = 1
mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
if [[ ! $is_airgap ]]; then
logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub"
logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo"
fi
set_progress_str 7 'Installing salt-master'
if [[ ! $is_iso ]]; then
logCmd "yum -y install salt-master-3001.1"
logCmd "yum -y install salt-master-3002.2"
fi
systemctl enable salt-master >> "$setup_log" 2>&1
;;
@@ -1477,7 +1514,7 @@ saltify() {
{
if [[ ! $is_iso ]]; then
yum -y install epel-release
yum -y install salt-minion-3001.1\
yum -y install salt-minion-3002.2\
python3\
python36-docker\
python36-dateutil\
@@ -1521,8 +1558,8 @@ saltify() {
'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # TODO: should this also be HELIXSENSOR?
# Add saltstack repo(s)
wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3001.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
wget -q --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1
echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
# Add Docker repo
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1
@@ -1530,7 +1567,7 @@ saltify() {
# Get gpg keys
mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com$py_ver_url_path/ubuntu/"$ubuntu_version"/amd64/archive/3002.2/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
@@ -1543,7 +1580,7 @@ saltify() {
set_progress_str 6 'Installing various dependencies'
apt-get -y install sqlite3 argon2 libssl-dev >> "$setup_log" 2>&1
set_progress_str 7 'Installing salt-master'
apt-get -y install salt-master=3001.1+ds-1 >> "$setup_log" 2>&1
apt-get -y install salt-master=3002.2+ds-1 >> "$setup_log" 2>&1
apt-mark hold salt-master >> "$setup_log" 2>&1
;;
*)
@@ -1554,26 +1591,25 @@ saltify() {
echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1
apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1
echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3001.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
echo "deb http://repo.saltstack.com$py_ver_url_path/ubuntu/$ubuntu_version/amd64/archive/3002.2/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log"
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log"
;;
esac
apt-get update >> "$setup_log" 2>&1
set_progress_str 8 'Installing salt-minion & python modules'
apt-get -y install salt-minion=3001.1+ds-1\
salt-common=3001.1+ds-1 >> "$setup_log" 2>&1
apt-get -y install salt-minion=3002.2+ds-1\
salt-common=3002.2+ds-1 >> "$setup_log" 2>&1
apt-mark hold salt-minion salt-common >> "$setup_log" 2>&1
if [ "$OSVER" != 'xenial' ]; then
apt-get -y install python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1
apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb >> "$setup_log" 2>&1
else
apt-get -y install python-dateutil python-m2crypto python-mysqldb >> "$setup_log" 2>&1
apt-get -y install python-pip python-dateutil python-m2crypto python-mysqldb >> "$setup_log" 2>&1
fi
fi
}
salt_checkin() {
case "$install_type" in
'MANAGER' | 'EVAL' | 'HELIXSENSOR' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') # Fix Mine usage
{
@@ -1643,12 +1679,17 @@ salt_checkin() {
done
echo " Confirming existence of the CA certificate"
cat /etc/pki/ca.crt
openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
echo " Applyng a mine hack";
salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
salt "$MINION_ID" mine.update;
echo " Confirming salt mine now contain the certificate";
salt "$MINION_ID" mine.get '*' x509.get_pem_entries;
echo "Confirming salt mine now contains the certificate";
salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
if [ $? -eq 0 ]; then
echo "CA in mine"
else
echo "CA not in mine"
fi
echo " Applying SSL state";
salt-call state.apply ssl;
} >> "$setup_log" 2>&1
@@ -1663,6 +1704,7 @@ salt_checkin() {
{
salt-call state.apply ca;
salt-call state.apply ssl;
salt-call saltutil.sync_modules;
} >> "$setup_log" 2>&1
}
@@ -1701,10 +1743,12 @@ setup_salt_master_dirs() {
if [ "$setup_type" = 'iso' ]; then
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
else
cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
fi
@@ -1798,25 +1842,12 @@ set_default_log_size() {
set_hostname() {
set_hostname_iso
if [[ ! $install_type =~ ^(MANAGER|EVAL|HELIXSENSOR|MANAGERSEARCH|STANDALONE|IMPORT)$ ]]; then
if ! getent hosts "$MSRV"; then
echo "$MSRVIP $MSRV" >> /etc/hosts
fi
fi
}
set_hostname_iso() {
hostnamectl set-hostname --static "$HOSTNAME"
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
echo "::1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
echo "$HOSTNAME" > /etc/hostname
hostname -F /etc/hostname
}
set_initial_firewall_policy() {
@@ -1952,7 +1983,7 @@ set_updates() {
fi
}
set_version() {
mark_version() {
# Drop a file with the current version
echo "$SOVERSION" > /etc/soversion
}

86
setup/so-setup
View File

@@ -15,7 +15,15 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
# Make sure you are root before doing anything
uid="$(id -u)"
if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!"
exit 1
fi
cd "$(dirname "$0")" || exit 255
source ./so-functions
source ./so-common-functions
source ./so-whiptail
@@ -46,6 +54,13 @@ while [[ $# -gt 0 ]]; do
esac
done
if [[ -f /root/accept_changes ]]; then
is_reinstall=true
# Move last setup log to backup
mv "$setup_log" "$setup_log.bak"
fi
# Begin Installation pre-processing
parse_install_username
@@ -106,9 +121,8 @@ case "$setup_type" in
esac
# Allow execution of SO tools during setup
export PATH=$PATH:../salt/common/tools/sbin
got_root
local_sbin="$(pwd)/../salt/common/tools/sbin"
export PATH=$PATH:$local_sbin
detect_os && detect_cloud
set_network_dev_status_list
@@ -185,6 +199,10 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
is_helix=true
elif [ "$install_type" = 'IMPORT' ]; then
is_import=true
elif [ "$install_type" = 'ANALYST' ]; then
cd .. || exit 255
./so-analyst-install
exit 0
fi
# Say yes to the dress if its an ISO install
@@ -299,7 +317,6 @@ if [[ $is_import ]]; then
PLAYBOOK=0
fi
# Start user prompts
if [[ $is_helix || $is_sensor ]]; then
@@ -310,9 +327,8 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
calculate_useable_cores
fi
if [[ $is_helix || $is_manager || $is_import ]]; then
whiptail_homenet_manager
fi
whiptail_homenet_manager
whiptail_dockernet_check
if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
set_base_heapsizes
@@ -415,6 +431,11 @@ if [[ $is_manager || $is_import ]]; then whiptail_so_allow; fi
whiptail_make_changes
# From here on changes will be made.
echo "1" > /root/accept_changes
if [[ $is_reinstall ]]; then
reinstall_init
fi
if [[ -n "$TURBO" ]]; then
use_turbo_proxy
@@ -422,16 +443,23 @@ fi
if [[ "$setup_type" == 'iso' ]]; then
# Init networking so rest of install works
set_hostname_iso
set_hostname
set_management_interface
fi
disable_ipv6
disable_auto_start
if [[ "$setup_type" != 'iso' ]]; then
set_hostname
fi
if [[ $is_minion ]]; then
add_mngr_ip_to_hosts
fi
{
set_hostname;
set_version;
mark_version;
clear_manager;
} >> $setup_log 2>&1
@@ -567,19 +595,20 @@ fi
set_progress_str 25 'Configuring firewall'
set_initial_firewall_policy >> $setup_log 2>&1
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
mkdir -p /opt/so/conf/so-status/ >> $setup_log 2>&1
touch /opt/so/conf/so-status/so-status.conf >> $setup_log 2>&1
if [[ "$setup_type" == 'iso' ]]; then
set_progress_str 26 'Copying containers from iso'
else
set_progress_str 26 'Downloading containers from the internet'
fi
import_registry_docker >> $setup_log 2>&1
import_registry_docker >> $setup_log 2>&1
salt-call state.apply -l info registry >> $setup_log 2>&1
docker_seed_registry 2>> "$setup_log" # ~ 60% when finished
docker_seed_registry # ~ 60% when finished
set_progress_str 60 "$(print_salt_state_apply 'manager')"
if [[ "$STRELKARULES" == 1 ]]; then
/usr/sbin/so-yara-update >> $setup_log 2>&1
fi
salt-call state.apply -l info manager >> $setup_log 2>&1
set_progress_str 61 "$(print_salt_state_apply 'idstools')"
@@ -615,12 +644,14 @@ fi
salt-call state.apply -l info pcap >> $setup_log 2>&1
fi
if [[ $is_sensor || $is_import ]]; then
if [[ $is_sensor || $is_import || $is_helix ]]; then
set_progress_str 66 "$(print_salt_state_apply 'suricata')"
salt-call state.apply -l info suricata >> $setup_log 2>&1
set_progress_str 67 "$(print_salt_state_apply 'zeek')"
salt-call state.apply -l info zeek >> $setup_log 2>&1
if [[ $ZEEKVERSION == 'ZEEK' ]]; then
set_progress_str 67 "$(print_salt_state_apply 'zeek')"
salt-call state.apply -l info zeek >> $setup_log 2>&1
fi
fi
if [[ $is_node ]]; then
@@ -661,12 +692,9 @@ fi
fi
if [[ "$OSQUERY" = 1 ]]; then
if [[ "$PLAYBOOK" != 1 ]]; then
set_progress_str 74 "$(print_salt_state_apply 'mysql')"
salt-call state.apply -l info mysql >> $setup_log 2>&1
fi
set_progress_str 75 "$(print_salt_state_apply 'fleet')"
salt-call state.apply fleet.event_enable-fleet # enable fleet in the global pillar
salt-call state.apply -l info fleet >> $setup_log 2>&1
set_progress_str 76 "$(print_salt_state_apply 'redis')"
@@ -678,24 +706,24 @@ fi
salt-call state.apply -l info fleet.event_update-custom-hostname pillar="$pillar_override" >> $setup_log 2>&1
fi
set_progress_str 74 "$(print_salt_state_apply 'so-fleet-setup')"
set_progress_str 78 "$(print_salt_state_apply 'so-fleet-setup')"
so-fleet-setup "$FLEETNODEUSER" "$FLEETNODEPASSWD1" >> $setup_log 2>&1
fi
if [[ "$WAZUH" = 1 ]]; then
set_progress_str 78 "$(print_salt_state_apply 'wazuh')"
set_progress_str 79 "$(print_salt_state_apply 'wazuh')"
salt-call state.apply -l info wazuh >> $setup_log 2>&1
fi
if [[ "$THEHIVE" = 1 ]]; then
set_progress_str 79 "$(print_salt_state_apply 'thehive')"
set_progress_str 80 "$(print_salt_state_apply 'thehive')"
salt-call state.apply -l info thehive >> $setup_log 2>&1
fi
if [[ "$STRELKA" = 1 ]]; then
if [[ $is_sensor ]]; then
set_progress_str 80 "$(print_salt_state_apply 'strelka')"
set_progress_str 81 "$(print_salt_state_apply 'strelka')"
salt-call state.apply -l info strelka >> $setup_log 2>&1
fi
if [[ $STRELKARULES == 1 ]]; then
@@ -704,15 +732,15 @@ fi
fi
if [[ $is_manager || $is_helix || $is_import ]]; then
set_progress_str 81 "$(print_salt_state_apply 'utility')"
set_progress_str 82 "$(print_salt_state_apply 'utility')"
salt-call state.apply -l info utility >> $setup_log 2>&1
fi
if [[ ( $is_helix || $is_manager || $is_node ) && ! $is_eval ]]; then
set_progress_str 82 "$(print_salt_state_apply 'logstash')"
set_progress_str 83 "$(print_salt_state_apply 'logstash')"
salt-call state.apply -l info logstash >> $setup_log 2>&1
set_progress_str 83 "$(print_salt_state_apply 'filebeat')"
set_progress_str 84 "$(print_salt_state_apply 'filebeat')"
salt-call state.apply -l info filebeat >> $setup_log 2>&1
fi

204
setup/so-whiptail
View File

@@ -61,8 +61,22 @@ whiptail_basic_zeek() {
local PROCS=$lb_procs
fi
BASICZEEK=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter the number of zeek processes:" 10 75 "$PROCS" 3>&1 1>&2 2>&3)
ZEEKPINS=$(whiptail --noitem --title "Pin Zeek CPUS" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 )
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
ZEEKPINS=$(echo "$ZEEKPINS" | tr -d '"')
IFS=' ' read -ra ZEEKPINS <<< "$ZEEKPINS"
}
whiptail_zeek_version() {
[ -n "$TESTING" ] && return
ZEEKVERSION=$(whiptail --title "Security Onion Setup" --radiolist "What tool would you like to use to generate metadata?" 20 75 4 \
"ZEEK" "Zeek (formerly known as Bro)" ON \
"SURICATA" "Suricata" OFF 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
@@ -91,8 +105,10 @@ whiptail_cancel() {
echo "/root/installtmp removed";
} >> $setup_log 2>&1
fi
exit
title "User cancelled setup, no changes made."
exit
}
whiptail_check_exitstatus() {
@@ -244,6 +260,88 @@ whiptail_create_web_user_password2() {
}
whiptail_fleet_custom_hostname() {
[ -n "$TESTING" ] && return
FLEETCUSTOMHOSTNAME=$(whiptail --title "Security Onion Install" --inputbox \
"What FQDN should osquery clients use for connections to this Fleet node? Leave blank if the local system hostname will be used." 10 60 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_requirements_error() {
local requirement_needed=$1
local current_val=$2
local needed_val=$3
[ -n "$TESTING" ] && return
if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then
whiptail --title "Security Onion Setup" \
--msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press OK to exit setup and reconfigure the machine." 10 75
# Same as whiptail_cancel, but changed the wording to exit instead of cancel.
whiptail --title "Security Onion Setup" --msgbox "Exiting Setup. No changes have been made." 8 75
if [ -d "/root/installtmp" ]; then
{
echo "/root/installtmp exists";
install_cleanup;
echo "/root/installtmp removed";
} >> $setup_log 2>&1
fi
exit
else
whiptail --title "Security Onion Setup" \
--yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
fi
}
whiptail_storage_requirements() {
local mount=$1
local current_val=$2
local needed_val=$3
[ -n "$TESTING" ] && return
read -r -d '' message <<- EOM
Free space on mount point '${mount}' is currently ${current_val}.
You need ${needed_val} to meet minimum requirements.
Visit https://docs.securityonion.net/en/2.1/hardware.html for more information.
Press YES to continue anyway, or press NO to cancel.
EOM
whiptail \
--title "Security Onion Setup" \
--yesno "$message" \
14 75
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_invalid_pass_warning() {
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --msgbox "Please choose a more secure password." 8 75
}
whiptail_invalid_pass_characters_warning() {
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes, dollar signs, and backslashes from the password." 8 75
}
whiptail_cur_close_days() {
[ -n "$TESTING" ] && return
@@ -314,6 +412,31 @@ whiptail_dhcp_warn() {
}
whiptail_dockernet_check(){
[ -n "$TESTING" ] && return
whiptail --title "Security Onion Setup" --yesno \
"Do you want to keep the default Docker IP range? \n \n(Choose yes if you don't know what this means)" 10 75
local exitstatus=$?
if [[ $exitstatus == 1 ]]; then
whiptail_dockernet_net
fi
}
whiptail_dockernet_net() {
[ -n "$TESTING" ] && return
DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
"\nEnter a /24 network range for docker to use: \nThe same range MUST be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_enable_components() {
[ -n "$TESTING" ] && return
@@ -432,11 +555,12 @@ whiptail_install_type() {
# What kind of install are we doing?
install_type=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose install type:" 10 65 4 \
"Choose install type:" 12 65 5 \
"EVAL" "Evaluation mode (not for production) " ON \
"STANDALONE" "Standalone production install " OFF \
"DISTRIBUTED" "Distributed install submenu " OFF \
"IMPORT" "Standalone to import PCAP or log files " OFF \
"OTHER" "Other install types" OFF \
3>&1 1>&2 2>&3
)
@@ -444,19 +568,57 @@ whiptail_install_type() {
whiptail_check_exitstatus $exitstatus
if [[ $install_type == "DISTRIBUTED" ]]; then
whiptail_install_type_dist
elif [[ $install_type == "OTHER" ]]; then
whiptail_install_type_other
fi
export install_type
}
whiptail_install_type_dist() {
[ -n "$TESTING" ] && return
install_type=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose distributed node type:" 13 60 6 \
"MANAGER" "Start a new grid " ON \
"SENSOR" "Create a forward only sensor " OFF \
"SEARCHNODE" "Add a search node with parsing " OFF \
"MANAGERSEARCH" "Manager + search node " OFF \
"FLEET" "Dedicated Fleet Osquery Node " OFF \
"HEAVYNODE" "Sensor + Search Node " OFF \
3>&1 1>&2 2>&3
# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
# "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO
# "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO
)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
export install_type
}
whiptail_install_type_other() {
[ -n "$TESTING" ] && return
# so-analyst-install will only work with a working network connection
# so only show it on network installs for now
if [[ $setup_type == 'network' ]]; then
install_type=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose distributed node type:" 13 60 6 \
"MANAGER" "Start a new grid " ON \
"SENSOR" "Create a forward only sensor " OFF \
"SEARCHNODE" "Add a search node with parsing " OFF \
"MANAGERSEARCH" "Manager + search node " OFF \
"FLEET" "Dedicated Fleet Osquery Node " OFF \
"HEAVYNODE" "Sensor + Search Node " OFF \
"Choose distributed node type:" 9 65 2 \
"ANALYST" "Quit setup and run so-analyst-install " ON \
"HELIXSENSOR" "Create a Helix sensor " OFF \
3>&1 1>&2 2>&3
)
else
install_type=$(whiptail --title "Security Onion Setup" --radiolist \
"Choose distributed node type:" 8 65 1 \
"HELIXSENSOR" "Create a Helix sensor " ON \
3>&1 1>&2 2>&3
# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
# "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO
# "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO
)
fi
@@ -519,6 +681,8 @@ whiptail_management_interface_dns() {
MDNS=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS servers separated by a space:" 10 60 8.8.8.8 8.8.4.4 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_interface_dns_search() {
@@ -528,6 +692,8 @@ whiptail_management_interface_dns_search() {
MSEARCH=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your DNS search domain:" 10 60 searchdomain.local 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_interface_gateway() {
@@ -537,6 +703,8 @@ whiptail_management_interface_gateway() {
MGATEWAY=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your gateway:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_interface_ip() {
@@ -546,6 +714,8 @@ whiptail_management_interface_ip() {
MIP=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter your IP address:" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_interface_mask() {
@@ -555,6 +725,8 @@ whiptail_management_interface_mask() {
MMASK=$(whiptail --title "Security Onion Setup" --inputbox \
"Enter the bit mask for your subnet:" 10 60 24 3>&1 1>&2 2>&3)
local exitstatus=$?
whiptail_check_exitstatus $exitstatus
}
whiptail_management_nic() {
@@ -604,6 +776,8 @@ whiptail_management_server() {
if ! getent hosts "$MSRV"; then
add_manager_hostfile
else
MSRVIP=$(getent hosts "$MSRV" | awk 'NR==1{print $1}')
fi
}

4
setup/yum_repos/saltstack.repo
View File

@@ -1,6 +1,6 @@
[saltstack]
name=SaltStack repo for RHEL/CentOS $releasever PY3
baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/
baseurl=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/
enabled=1
gpgcheck=1
gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3001.1/SALTSTACK-GPG-KEY.pub
gpgkey=https://repo.saltstack.com/py3/redhat/7/x86_64/archive/3002.2/SALTSTACK-GPG-KEY.pub