diff --git a/salt/common/tools/sbin/so-common b/salt/common/tools/sbin/so-common
index 3cf1f5e88..a706831fa 100755
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -86,10 +86,82 @@ add_interface_bond0() {
 fi
 }
+check_container() {
+ docker ps | grep "$1:" > /dev/null 2>&1
+ return $?
+}
+
+check_password() {
+ local password=$1
+ echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
+ return $?
+}
+
+fail() {
+ msg=$1
+ echo "ERROR: $msg"
+ echo "Exiting."
+ exit 1
+}
+
+get_random_value() {
+ length=${1:-20}
+ head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
+}
+
 header() {
 printf '%s\n' "" "$banner" " $*" "$banner"
 }
+init_monitor() {
+ MONITORNIC=$1
+
+ if [[ $MONITORNIC == "bond0" ]]; then
+ BIFACES=$(lookup_bond_interfaces)
+ else
+ BIFACES=$MONITORNIC
+ fi
+
+ for DEVICE_IFACE in $BIFACES; do
+ for i in rx tx sg tso ufo gso gro lro; do
+ ethtool -K "$DEVICE_IFACE" "$i" off;
+ done
+ ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
+ done
+}
+
+is_manager_node() {
+ # Check to see if this is a manager node
+ role=$(lookup_role)
+ is_single_node_grid && return 0
+ [ $role == 'manager' ] && return 0
+ [ $role == 'managersearch' ] && return 0
+ [ $role == 'helix' ] && return 0
+ return 1
+}
+
+is_sensor_node() {
+ # Check to see if this is a sensor (forward) node
+ role=$(lookup_role)
+ is_single_node_grid && return 0
+ [ $role == 'sensor' ] && return 0
+ [ $role == 'heavynode' ] && return 0
+ [ $role == 'helix' ] && return 0
+ return 1
+}
+
+is_single_node_grid() {
+ role=$(lookup_role)
+ [ $role == 'eval' ] && return 0
+ [ $role == 'standalone' ] && return 0
+ [ $role == 'import' ] && return 0
+ return 1
+}
+
+lookup_bond_interfaces() {
+ cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g"
+}
+
 lookup_salt_value() {
 key=$1
 group=$2
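Review bot: `init_monitor` writes `MONITORNIC`, `BIFACES`, `DEVICE_IFACE` and `i` as globals and never checks its argument, so an empty `$1` silently does nothing and the loop clobbers any caller's `DEVICE_IFACE` — which matters because the dispatcher script in this same commit sources so-common, and the code it replaced read `DEVICE_IFACE` from its environment. Declare them with `local MONITORNIC=$1 BIFACES DEVICE_IFACE i`, add `[[ -n "$MONITORNIC" ]] || return 1` at the top, and drop the stray `;` after `ethtool -K "$DEVICE_IFACE" "$i" off`. Failures of `ethtool` and `ip link` are ignored; a monitor port left without promiscuous mode will miss traffic, so at least log a non-zero status. The relocated `is_*_node` helpers compare an unquoted `$role` inside `[ ]`, which prints a test error rather than a clean non-zero status when `lookup_role` returns empty; that code is only moved here, but `[[ "$role" == 'manager' ]]` would be cleaner. `lookup_salt_value` continues outside the hunk.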
@@ -129,15 +201,41 @@ lookup_role() {
 echo ${pieces[1]}
 }
-check_container() {
- docker ps | grep "$1:" > /dev/null 2>&1
- return $?
+require_manager() {
+ if is_manager_node; then
+ echo "This is a manager, We can proceed."
+ else
+ echo "Please run this command on the manager; the manager controls the grid."
+ exit 1
+ fi
 }
-check_password() {
- local password=$1
- echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
- return $?
+retry() {
+ maxAttempts=$1
+ sleepDelay=$2
+ cmd=$3
+ expectedOutput=$4
+ attempt=0
+ while [[ $attempt -lt $maxAttempts ]]; do
+ attempt=$((attempt+1))
+ echo "Executing command with retry support: $cmd"
+ output=$(eval "$cmd")
+ exitcode=$?
+ echo "Results: $output ($exitcode)"
+ if [ -n "$expectedOutput" ]; then
+ if [[ "$output" =~ "$expectedOutput" ]]; then
+ return $exitCode
+ else
+ echo "Expected '$expectedOutput' but got '$output'"
+ fi
+ elif [[ $exitcode -eq 0 ]]; then
+ return $exitCode
+ fi
+ echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
+ sleep $sleepDelay
+ done
+ echo "Command continues to fail; giving up."
+ return 1
 }
 set_os() {
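Review bot: both `return $exitCode` lines in `retry` reference a variable that is never set — the status is stored in `exitcode` — so `return` runs with no argument and yields the status of the `[[ ]]` test that just succeeded, i.e. 0, even when the command exited non-zero but its output happened to contain `expectedOutput`. Change both to `return $exitcode`. Because `cmd` goes through `eval "$cmd"`, callers must only pass command strings they assembled themselves, never anything derived from external input; a comment such as `# cmd is eval'd: pass a trusted, fully-quoted command string only` above the function would make that contract visible. The function also leaves `maxAttempts`, `sleepDelay`, `cmd`, `expectedOutput`, `attempt`, `output` and `exitcode` as globals; `local` would keep them from leaking into callers. This code is only relocated by the commit, but the new side is where it now lives.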
@@ -171,83 +269,6 @@ set_version() {
 fi
 }
-require_manager() {
- if is_manager_node; then
- echo "This is a manager, We can proceed."
- else
- echo "Please run this command on the manager; the manager controls the grid."
- exit 1
- fi
-}
-
-is_manager_node() {
- # Check to see if this is a manager node
- role=$(lookup_role)
- is_single_node_grid && return 0
- [ $role == 'manager' ] && return 0
- [ $role == 'managersearch' ] && return 0
- [ $role == 'helix' ] && return 0
- return 1
-}
-
-is_sensor_node() {
- # Check to see if this is a sensor (forward) node
- role=$(lookup_role)
- is_single_node_grid && return 0
- [ $role == 'sensor' ] && return 0
- [ $role == 'heavynode' ] && return 0
- [ $role == 'helix' ] && return 0
- return 1
-}
-
-is_single_node_grid() {
- role=$(lookup_role)
- [ $role == 'eval' ] && return 0
- [ $role == 'standalone' ] && return 0
- [ $role == 'import' ] && return 0
- return 1
-}
-
-fail() {
- msg=$1
- echo "ERROR: $msg"
- echo "Exiting."
- exit 1
-}
-
-get_random_value() {
- length=${1:-20}
- head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
-}
-
-retry() {
- maxAttempts=$1
- sleepDelay=$2
- cmd=$3
- expectedOutput=$4
- attempt=0
- while [[ $attempt -lt $maxAttempts ]]; do
- attempt=$((attempt+1))
- echo "Executing command with retry support: $cmd"
- output=$(eval "$cmd")
- exitcode=$?
- echo "Results: $output ($exitcode)"
- if [ -n "$expectedOutput" ]; then
- if [[ "$output" =~ "$expectedOutput" ]]; then
- return $exitCode
- else
- echo "Expected '$expectedOutput' but got '$output'"
- fi
- elif [[ $exitcode -eq 0 ]]; then
- return $exitCode
- fi
- echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
- sleep $sleepDelay
- done
- echo "Command continues to fail; giving up."
- return 1
-}
-
 valid_cidr() {
 # Verify there is a backslash in the string
 echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
diff --git a/setup/install_scripts/99-so-checksum-offload-disable b/setup/install_scripts/99-so-checksum-offload-disable
index e12049301..63f9c0a4c 100755
--- a/setup/install_scripts/99-so-checksum-offload-disable
+++ b/setup/install_scripts/99-so-checksum-offload-disable
@@ -1,8 +1,20 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
-if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* && "$DEVICE_IFACE" != *"tun"* && "DEVICE_IFACE" != *"wg"* ]]; then
- for i in rx tx sg tso ufo gso gro lro; do
- ethtool -K "$DEVICE_IFACE" "$i" off;
- done
- ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
-fi
+. /usr/sbin/so-common
+
+init_monitor $MNIC
diff --git a/setup/so-functions b/setup/so-functions
index 0ad993d3d..18718d7e9 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -160,10 +160,10 @@ check_network_manager_conf() {
 } >> "$setup_log" 2>&1
 fi
- if test -f "$nmconf"; then
- sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
- systemctl restart NetworkManager >> "$setup_log" 2>&1
- fi
+ #if test -f "$nmconf"; then
+# sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
+# systemctl restart NetworkManager >> "$setup_log" 2>&1
+# fi
 if [[ ! -d "$preupdir" ]]; then
 mkdir "$preupdir" >> "$setup_log" 2>&1
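Review bot: `init_monitor $MNIC` now runs on every pre-up event regardless of which interface triggered it, whereas the replaced code only acted when `$DEVICE_IFACE` was not the `$MNIC`, docker, tun or wg interface; the argument is also unquoted, and if setup ever leaves the `$MNIC` placeholder unsubstituted the call degrades to a silent no-op. Quote it and fail closed on an empty value: `[[ -n "$MNIC" ]] || exit 0` followed by `init_monitor "$MNIC"` (the sed in so-functions still matches the literal `$MNIC`). Sourcing `/usr/sbin/so-common` unconditionally means the dispatcher errors with command-not-found if that file is absent; a guard such as `[[ -r /usr/sbin/so-common ]] || exit 0`, or a comment stating that so-common must be installed before this dispatcher is deployed, would document the dependency. Since the placeholder now receives `INTERFACE` from setup (see the `@@ -1720` hunk), a comment noting that `$MNIC` here is the monitor interface rather than the management NIC would help readers.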
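Review bot: the `managed=true` rewrite and NetworkManager restart are commented out rather than removed, and the same is done to the whole of `disable_misc_network_features` in the `@@ -1005` hunk; commented-out code rots and hides the reason for the change. Delete the block (git history keeps it) or, if it is expected to return, replace it with a one-line explanation such as `# NOTE: managed=false rewrite disabled — <reason>` so the next reader knows the omission is deliberate. `check_network_manager_conf` starts outside the hunk.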
@@ -751,15 +751,22 @@ check_sos_appliance() {
 }
 compare_main_nic_ip() {
- if [[ "$MAINIP" != "$MNIC_IP" ]]; then
- read -r -d '' message <<- EOM
- The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
+ if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
+ if [[ "$MAINIP" != "$MNIC_IP" ]]; then
+ read -r -d '' message <<- EOM
+ The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
 This is not a supported configuration, please remediate and rerun setup.
 EOM
- whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
- kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+ whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
+ kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+ fi
+ else
+ # Setup uses MAINIP, but since we ignore the equality condition when using a VPN
+ # just set the variable to the IP of the VPN interface
+ MAINIP=$MNIC_IP
 fi
+
 }
 compare_versions() {
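Review bot: the new VPN branch assigns `MAINIP=$MNIC_IP` without checking that `MNIC_IP` is non-empty, so a tun/wg interface that has no address yet leaves `MAINIP` blank and, because the mismatch dialog is skipped for these names, nothing reports it. Add a guard before the assignment, e.g. `[[ -n "$MNIC_IP" ]] || { whiptail --title "Security Onion Setup" --msgbox "No IP address found on $MNIC" 10 75; exit 1; }`. The name test `^(tun|wg|vpn).*$` is prefix-only (the `.*$` is redundant) and also matches the kernel's `tunl0` ipip device, which is probably not intended; a comment listing the interface names the bypass is meant for would record the intent. The heredoc uses `<<-`, which strips leading tabs only, so if the extra nesting re-indented the `EOM` terminator with spaces the heredoc will not terminate — that cannot be told from the diff and is worth confirming. `compare_main_nic_ip` is fully inside the hunk.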
@@ -1005,33 +1012,38 @@ disable_ipv6() {
 sysctl -w net.ipv6.conf.all.disable_ipv6=1
 sysctl -w net.ipv6.conf.default.disable_ipv6=1
 } >> "$setup_log" 2>&1
+ {
+ echo "net.ipv6.conf.all.disable_ipv6 = 1"
+ echo "net.ipv6.conf.default.disable_ipv6 = 1"
+ echo "net.ipv6.conf.lo.disable_ipv6 = 1"
+ } >> /etc/sysctl.conf
 }
-disable_misc_network_features() {
- filter_unused_nics
- if [ ${#filtered_nics[@]} -ne 0 ]; then
- for unused_nic in "${filtered_nics[@]}"; do
- if [ -n "$unused_nic" ]; then
- echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
-
- # Disable DHCPv4/v6 and autoconnect
- nmcli con mod "$unused_nic" \
- ipv4.method disabled \
- ipv6.method ignore \
- connection.autoconnect "no" >> "$setup_log" 2>&1
-
- # Flush any existing IPs
- ip addr flush "$unused_nic" >> "$setup_log" 2>&1
- fi
- done
- fi
- # Disable IPv6
- {
- echo "net.ipv6.conf.all.disable_ipv6 = 1"
- echo "net.ipv6.conf.default.disable_ipv6 = 1"
- echo "net.ipv6.conf.lo.disable_ipv6 = 1"
- } >> /etc/sysctl.conf
-}
+#disable_misc_network_features() {
+# filter_unused_nics
+# if [ ${#filtered_nics[@]} -ne 0 ]; then
+# for unused_nic in "${filtered_nics[@]}"; do
+# if [ -n "$unused_nic" ]; then
+# echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
+#
+# # Disable DHCPv4/v6 and autoconnect
+# nmcli con mod "$unused_nic" \
+# ipv4.method disabled \
+# ipv6.method ignore \
+# connection.autoconnect "no" >> "$setup_log" 2>&1
+#
+# # Flush any existing IPs
+# ip addr flush "$unused_nic" >> "$setup_log" 2>&1
+# fi
+# done
+# fi
+# # Disable IPv6
+# {
+# echo "net.ipv6.conf.all.disable_ipv6 = 1"
+# echo "net.ipv6.conf.default.disable_ipv6 = 1"
+# echo "net.ipv6.conf.lo.disable_ipv6 = 1"
+# } >> /etc/sysctl.conf
+#}
 docker_install() {
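Review bot: the three `echo` lines are appended to `/etc/sysctl.conf` with `>>` every time `disable_ipv6` runs, so re-running setup accumulates duplicate entries; the block was moved out of `disable_misc_network_features` without gaining an idempotency check. Guard it, e.g. `grep -qF 'net.ipv6.conf.all.disable_ipv6' /etc/sysctl.conf ||` in front of the `{`, or write the settings with `>` to a dedicated drop-in under `/etc/sysctl.d/` so the file can be overwritten safely on each run. Unlike the `sysctl -w` group just above it, this block is not redirected to `$setup_log`, so a permission error would reach the console instead of the log. `disable_ipv6` begins outside the hunk.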
@@ -1223,7 +1235,7 @@ filter_unused_nics() {
 fi
 # Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
- filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|tun|wg|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
+ filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string" | sed 's/ //g')
 readarray -t filtered_nics <<< "$filtered_nics"
 nic_list=()
@@ -1720,17 +1732,11 @@ network_setup() {
 echo "... Verifying all network devices are managed by Network Manager";
 check_network_manager_conf;
- echo "... Disabling unused NICs";
- disable_misc_network_features;
-
- echo "... Setting ONBOOT for management interface";
- command -v netplan &> /dev/null || nmcli con mod "$MNIC" connection.autoconnect "yes"
-
 echo "... Copying 99-so-checksum-offload-disable";
 cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ;
 echo "... Modifying 99-so-checksum-offload-disable";
- sed -i "s/\$MNIC/${MNIC}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
+ sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
 } >> "$setup_log" 2>&1
 }
@@ -2333,8 +2339,6 @@ set_hostname() {
 set_initial_firewall_policy() {
- set_main_ip
-
 if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi
 if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi
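Review bot: removing `tun|wg` from the awk exclusion means VPN interfaces now end up in `filtered_nics`, the list of NICs setup treats as unused; the only consumer visible in this diff, `disable_misc_network_features`, is commented out by the same commit, so whether anything still acts on that list — and would now reconfigure a VPN interface — cannot be told from here and is worth confirming. A one-line comment above the assignment stating why tun/wg are deliberately kept would record the intent. The existing pattern is also an unanchored substring match (`"lo"` and `"br"` match any name containing those letters), which predates this change but becomes easier to trip over as the list is edited. `filter_unused_nics` starts outside the hunk.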
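Review bot: `${INTERFACE}` is interpolated straight into the sed replacement, so an empty value silently turns the dispatcher's `init_monitor $MNIC` into a no-op, and a value containing `&` (which sed expands to the matched text) would corrupt the expression. Fail early with `: "${INTERFACE:?monitor interface not set}"` before the `sed -i`, and prefer a delimiter that cannot appear in the value, e.g. `sed -i "s|\$MNIC|${INTERFACE}|g" …`. The placeholder is still spelled `$MNIC` in the dispatcher even though it now receives the monitor interface rather than the management NIC; renaming it in both files (e.g. to `$MONITOR_IFACE`) would stop readers from assuming it is the management interface. `network_setup` starts outside the hunk.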