Merge pull request #3144 from Security-Onion-Solutions/interfaces

Don't disable NICs
2025-12-07 17:52:46 +01:00 · 2021-02-25 17:28:47 -05:00
parent a47a3d51c9 b024dae72e
commit e06ca75677
3 changed files with 171 additions and 134 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -86,10 +86,82 @@ add_interface_bond0() {
 	fi
 }

+check_container() {
+	docker ps | grep "$1:" > /dev/null 2>&1
+	return $?
+}
+
+check_password() {
+	local password=$1
+	echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
+	return $?
+}
+
+fail() {
+	msg=$1
+	echo "ERROR: $msg"
+	echo "Exiting."
+	exit 1
+}
+
+get_random_value() {
+	length=${1:-20}
+	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
+}
+
 header() {
 	printf '%s\n' "" "$banner" " $*" "$banner" 
 }

+init_monitor() {
+	MONITORNIC=$1
+	
+	if [[ $MONITORNIC == "bond0" ]]; then 
+	  BIFACES=$(lookup_bond_interfaces)
+	else
+	  BIFACES=$MONITORNIC
+	fi
+
+	for DEVICE_IFACE in $BIFACES; do
+	  for i in rx tx sg tso ufo gso gro lro; do
+	    ethtool -K "$DEVICE_IFACE" "$i" off;
+  	  done
+	  ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
+	done
+}
+
+is_manager_node() {
+	# Check to see if this is a manager node
+	role=$(lookup_role)
+	is_single_node_grid && return 0
+	[ $role == 'manager' ] && return 0
+	[ $role == 'managersearch' ] && return 0
+	[ $role == 'helix' ] && return 0
+	return 1
+}
+
+is_sensor_node() {
+	# Check to see if this is a sensor (forward) node
+	role=$(lookup_role)
+	is_single_node_grid && return 0
+	[ $role == 'sensor' ] && return 0
+	[ $role == 'heavynode' ] && return 0
+	[ $role == 'helix' ] && return 0
+	return 1
+}
+
+is_single_node_grid() {
+	role=$(lookup_role)
+	[ $role == 'eval' ] && return 0
+	[ $role == 'standalone' ] && return 0
+	[ $role == 'import' ] && return 0
+	return 1
+}
+
+lookup_bond_interfaces() {
+	cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g"
+}
+
 lookup_salt_value() {
 	key=$1
 	group=$2
@@ -129,15 +201,41 @@ lookup_role() {
 	echo ${pieces[1]}
 }

-check_container() {
-	docker ps | grep "$1:" > /dev/null 2>&1
-	return $?
+require_manager() {
+	if is_manager_node; then
+		echo "This is a manager, We can proceed."
+	else
+		echo "Please run this command on the manager; the manager controls the grid."
+		exit 1
+	fi
 }

-check_password() {
-	local password=$1
-	echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1
-	return $?
+retry() {
+	maxAttempts=$1
+	sleepDelay=$2
+	cmd=$3
+	expectedOutput=$4
+	attempt=0
+	while [[ $attempt -lt $maxAttempts ]]; do			
+		attempt=$((attempt+1))
+		echo "Executing command with retry support: $cmd"
+		output=$(eval "$cmd")
+		exitcode=$?
+		echo "Results: $output ($exitcode)"
+		if [ -n "$expectedOutput" ]; then
+			if [[ "$output" =~ "$expectedOutput" ]]; then
+				return $exitCode
+			else
+				echo "Expected '$expectedOutput' but got '$output'"
+			fi
+		elif [[ $exitcode -eq 0 ]]; then
+			return $exitCode
+		fi
+		echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
+		sleep $sleepDelay
+	done
+	echo "Command continues to fail; giving up."
+	return 1
 }

 set_os() {
@@ -171,83 +269,6 @@ set_version() {
 	fi
 }

-require_manager() {
-	if is_manager_node; then
-		echo "This is a manager, We can proceed."
-	else
-		echo "Please run this command on the manager; the manager controls the grid."
-		exit 1
-	fi
-}
-
-is_manager_node() {
-	# Check to see if this is a manager node
-	role=$(lookup_role)
-	is_single_node_grid && return 0
-	[ $role == 'manager' ] && return 0
-	[ $role == 'managersearch' ] && return 0
-	[ $role == 'helix' ] && return 0
-	return 1
-}
-
-is_sensor_node() {
-	# Check to see if this is a sensor (forward) node
-	role=$(lookup_role)
-	is_single_node_grid && return 0
-	[ $role == 'sensor' ] && return 0
-	[ $role == 'heavynode' ] && return 0
-	[ $role == 'helix' ] && return 0
-	return 1
-}
-
-is_single_node_grid() {
-	role=$(lookup_role)
-	[ $role == 'eval' ] && return 0
-	[ $role == 'standalone' ] && return 0
-	[ $role == 'import' ] && return 0
-	return 1
-}
-
-fail() {
-	msg=$1
-	echo "ERROR: $msg"
-	echo "Exiting."
-	exit 1
-}
-
-get_random_value() {
-	length=${1:-20}
-	head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1
-}
-
-retry() {
-	maxAttempts=$1
-	sleepDelay=$2
-	cmd=$3
-	expectedOutput=$4
-	attempt=0
-	while [[ $attempt -lt $maxAttempts ]]; do			
-		attempt=$((attempt+1))
-		echo "Executing command with retry support: $cmd"
-		output=$(eval "$cmd")
-		exitcode=$?
-		echo "Results: $output ($exitcode)"
-		if [ -n "$expectedOutput" ]; then
-			if [[ "$output" =~ "$expectedOutput" ]]; then
-				return $exitCode
-			else
-				echo "Expected '$expectedOutput' but got '$output'"
-			fi
-		elif [[ $exitcode -eq 0 ]]; then
-			return $exitCode
-		fi
-		echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..."
-		sleep $sleepDelay
-	done
-	echo "Command continues to fail; giving up."
-	return 1
-}
-
 valid_cidr() {
 	# Verify there is a backslash in the string
 	echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1
--- a/setup/install_scripts/99-so-checksum-offload-disable
+++ b/setup/install_scripts/99-so-checksum-offload-disable
@@ -1,8 +1,20 @@
 #!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.

-if [[ "$DEVICE_IFACE" != "$MNIC" && "$DEVICE_IFACE" != *"docker"* && "$DEVICE_IFACE" != *"tun"* && "DEVICE_IFACE" != *"wg"* ]]; then
-	for i in rx tx sg tso ufo gso gro lro; do
-		ethtool -K "$DEVICE_IFACE" "$i" off;
-  	done
-	ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on
-fi
+. /usr/sbin/so-common
+
+init_monitor $MNIC
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -160,10 +160,10 @@ check_network_manager_conf() {
 		} >> "$setup_log" 2>&1
 	fi
 	
-	if test -f "$nmconf"; then
-		sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
-		systemctl restart NetworkManager >> "$setup_log" 2>&1
-	fi
+	#if test -f "$nmconf"; then
+#		sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1
+#		systemctl restart NetworkManager >> "$setup_log" 2>&1
+#	fi

 	if [[ ! -d "$preupdir" ]]; then
 		mkdir "$preupdir" >> "$setup_log" 2>&1
@@ -751,15 +751,22 @@ check_sos_appliance() {
 }

 compare_main_nic_ip() {
-	if [[ "$MAINIP" != "$MNIC_IP" ]]; then
-		read -r -d '' message <<- EOM
-			The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).
+	if ! [[ $MNIC =~ ^(tun|wg|vpn).*$ ]]; then
+	  if [[ "$MAINIP" != "$MNIC_IP" ]]; then
+		  read -r -d '' message <<- EOM
+		  	The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC).

 			This is not a supported configuration, please remediate and rerun setup.
 		EOM
-		whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
-		kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+		  whiptail --title "Security Onion Setup" --msgbox "$message" 10 75
+		  kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1
+	  fi
+	else
+		# Setup uses MAINIP, but since we ignore the equality condition when using a VPN 
+		# just set the variable to the IP of the VPN interface
+		MAINIP=$MNIC_IP
 	fi
+	
 }

 compare_versions() {
@@ -1005,33 +1012,38 @@ disable_ipv6() {
 		sysctl -w net.ipv6.conf.all.disable_ipv6=1
 		sysctl -w net.ipv6.conf.default.disable_ipv6=1
 	}  >> "$setup_log" 2>&1
+        {
+        echo "net.ipv6.conf.all.disable_ipv6 = 1"
+        echo "net.ipv6.conf.default.disable_ipv6 = 1"
+        echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
+        } >> /etc/sysctl.conf
 }

-disable_misc_network_features() {
-	filter_unused_nics
-	if [ ${#filtered_nics[@]} -ne 0 ]; then
-		for unused_nic in "${filtered_nics[@]}"; do
-			if [ -n "$unused_nic" ]; then
-				echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
-
-				# Disable DHCPv4/v6 and autoconnect
-				nmcli con mod "$unused_nic" \
-					ipv4.method disabled \
-					ipv6.method ignore \
-					connection.autoconnect "no" >> "$setup_log" 2>&1
-
-				# Flush any existing IPs
-				ip addr flush "$unused_nic" >> "$setup_log" 2>&1
-			fi
-		done
-	fi
-	# Disable IPv6
-	{ 
-		echo "net.ipv6.conf.all.disable_ipv6 = 1"
-		echo "net.ipv6.conf.default.disable_ipv6 = 1"
-		echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
-	} >> /etc/sysctl.conf
-}
+#disable_misc_network_features() {
+#	filter_unused_nics
+#	if [ ${#filtered_nics[@]} -ne 0 ]; then
+#		for unused_nic in "${filtered_nics[@]}"; do
+#			if [ -n "$unused_nic" ]; then
+#				echo "Disabling unused NIC: $unused_nic" >> "$setup_log" 2>&1
+#
+#				# Disable DHCPv4/v6 and autoconnect
+#				nmcli con mod "$unused_nic" \
+#					ipv4.method disabled \
+#					ipv6.method ignore \
+#					connection.autoconnect "no" >> "$setup_log" 2>&1
+#
+#				# Flush any existing IPs
+#				ip addr flush "$unused_nic" >> "$setup_log" 2>&1
+#			fi
+#		done
+#	fi
+#	# Disable IPv6
+#	{ 
+#		echo "net.ipv6.conf.all.disable_ipv6 = 1"
+#		echo "net.ipv6.conf.default.disable_ipv6 = 1"
+#		echo "net.ipv6.conf.lo.disable_ipv6 = 1" 
+#	} >> /etc/sysctl.conf
+#}

 docker_install() {

@@ -1223,7 +1235,7 @@ filter_unused_nics() {
 	fi

 	# Finally, set filtered_nics to any NICs we aren't using (and ignore interfaces that aren't of use)
-	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|tun|wg|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
+	filtered_nics=$(ip link | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}' | grep -vwe "$grep_string"  | sed 's/ //g')
 	readarray -t filtered_nics <<< "$filtered_nics"
 	
 	nic_list=()
@@ -1720,17 +1732,11 @@ network_setup() {
 		echo "... Verifying all network devices are managed by Network Manager";
 		check_network_manager_conf;

-		echo "... Disabling unused NICs";
-		disable_misc_network_features;
-
-		echo "... Setting ONBOOT for management interface";
-		command -v netplan &> /dev/null || nmcli con mod "$MNIC" connection.autoconnect "yes"
-
 		echo "... Copying 99-so-checksum-offload-disable";
 		cp ./install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ;

 		echo "... Modifying 99-so-checksum-offload-disable";
-		sed -i "s/\$MNIC/${MNIC}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
+		sed -i "s/\$MNIC/${INTERFACE}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
 	} >> "$setup_log" 2>&1
 }

@@ -2333,8 +2339,6 @@ set_hostname() {

 set_initial_firewall_policy() {

-  set_main_ip
-
  if [ -f $default_salt_dir/pillar/data/addtotab.sh ]; then chmod +x $default_salt_dir/pillar/data/addtotab.sh; fi
  if [ -f $default_salt_dir/salt/common/tools/sbin/so-firewall ]; then chmod +x $default_salt_dir/salt/common/tools/sbin/so-firewall; fi