From 8a8885e14f439579d360e638d1c53130b0c42457 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 30 Nov 2020 16:53:02 -0500 Subject: [PATCH 01/31] [feat] Verify that main ip = mngmt ip * Add a check to check whether the src ip in the routing table is also the ip assigned to the management nic --- setup/so-functions | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 4ba639fa5..e685d6940 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1710,6 +1710,17 @@ set_network_dev_status_list() { set_main_ip() { MAINIP=$(ip route get 1 | awk '{print $7;exit}') + MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f) + + if [[ $MAINIP != $MNIC_IP ]]; then + read -r -d '' message <<- EOM + The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). + + This is not a supported configuration, please remediate and rerun setup. + EOM + whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 + exit 1 + fi } # Add /usr/sbin to everyone's path From 9517cb2a582cc9897363f35216b8db04bac5f2a5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Tue, 1 Dec 2020 11:25:51 -0500 Subject: [PATCH 02/31] Remove ScanMmbot --- salt/strelka/files/backend/backend.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml index 53c29e3fa..b71e8ac74 100644 --- a/salt/strelka/files/backend/backend.yaml +++ b/salt/strelka/files/backend/backend.yaml @@ -215,14 +215,6 @@ scanners: priority: 5 options: tmp_directory: '/dev/shm/' - 'ScanMmbot': - - positive: - flavors: - - 'vb_file' - - 'vbscript' - priority: 5 - options: - server: 'strelka_mmrpc_1:33907' 'ScanOcr': - positive: flavors: From 141d7a35c9f161a20dcd0bd79d93ac6e51a3a9a4 Mon Sep 17 00:00:00 2001 
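Review bot: The new `cut -d' ' -f` on the MNIC_IP line has no field number, so cut exits with a usage error, MNIC_IP is empty, the comparison with MAINIP always fails and setup aborts on every run; it should be `cut -d' ' -f2`. `ip a s "$MNIC"` also prints every address bound to the interface, so a secondary address yields a multi-line MNIC_IP that can never equal MAINIP — append `| head -n1` or compare with a membership test instead of string equality. The right-hand side of `[[ $MAINIP != $MNIC_IP ]]` is unquoted and is therefore evaluated as a glob pattern; write it as `"$MNIC_IP"`. Because this check gates the whole install on the management address, it would also be worth failing explicitly when `$MNIC` is empty rather than letting ip report an unrelated error.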
From: m0duspwnens Date: Tue, 1 Dec 2020 15:38:09 -0500 Subject: [PATCH 03/31] if true cluster enabled allow search nodes to talk to each other https://github.com/Security-Onion-Solutions/securityonion/issues/2079 --- salt/firewall/assigned_hostgroups.map.yaml | 27 ++++++++++++++++++++++ setup/so-functions | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/salt/firewall/assigned_hostgroups.map.yaml b/salt/firewall/assigned_hostgroups.map.yaml index cb2de370c..30a6117aa 100644 --- a/salt/firewall/assigned_hostgroups.map.yaml +++ b/salt/firewall/assigned_hostgroups.map.yaml @@ -1,6 +1,7 @@ {% set ISAIRGAP = salt['pillar.get']('global:airgap', 'False') %} {% import_yaml 'firewall/portgroups.yaml' as portgroups %} {% set portgroups = portgroups.firewall.aliases.ports %} +{% set TRUE_CLUSTER = salt['pillar.get']('elasticsearch:true_cluster', False) %} role: eval: @@ -42,6 +43,11 @@ role: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} + heavy_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.minio }} + - {{ portgroups.elasticsearch_node }} self: portgroups: - {{ portgroups.syslog}} @@ -135,6 +141,12 @@ role: - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} - {{ portgroups.beats_5644 }} + heavy_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.minio }} + - {{ portgroups.elasticsearch_node }} + - {{ portgroups.beats_5644 }} self: portgroups: - {{ portgroups.syslog}} @@ -219,6 +231,11 @@ role: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} + heavy_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.minio }} + - {{ portgroups.elasticsearch_node }} self: portgroups: - {{ portgroups.syslog}} 
@@ -303,6 +320,11 @@ role: - {{ portgroups.redis }} - {{ portgroups.minio }} - {{ portgroups.elasticsearch_node }} + heavy_node: + portgroups: + - {{ portgroups.redis }} + - {{ portgroups.minio }} + - {{ portgroups.elasticsearch_node }} self: portgroups: - {{ portgroups.syslog}} @@ -425,6 +447,11 @@ role: elasticsearch_rest: portgroups: - {{ portgroups.elasticsearch_rest }} + {% if TRUE_CLUSTER %} + search_node: + portgroups: + - {{ portgroups.elasticsearch_node }} + {% endif %} self: portgroups: - {{ portgroups.syslog}} diff --git a/setup/so-functions b/setup/so-functions index 4ba639fa5..3cf268869 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1883,7 +1883,7 @@ set_initial_firewall_policy() { ;; 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" + ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost heavy_node "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" ;; From 81b86bf7f2c04ace34514b7cb656a5b77838481d Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Dec 2020 16:04:46 -0500 Subject: [PATCH 04/31] Switch PCAP quick actions to support alternative lookup link when a single event ID is not available --- salt/soc/files/soc/alerts.actions.json | 2 +- salt/soc/files/soc/hunt.actions.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
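Review bot: `{% if TRUE_CLUSTER %}` relies on Jinja truthiness, and the file's existing `global:airgap` lookup on line 1 defaults to the string 'False', so if `elasticsearch:true_cluster` is ever written to the pillar in that same string form the condition is true and the search_node hostgroup opens `elasticsearch_node` between all search nodes unintentionally; an explicit comparison such as `{% if TRUE_CLUSTER in [True, 'True', 'true'] %}` (or Salt's `to_bool` filter) is safer for a firewall rule. The heavy_node blocks added in the four earlier hunks repeat the search_node port lists verbatim; a YAML anchor or a small Jinja macro would keep the two hostgroups from drifting the next time a port is added.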
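Review bot: Switching the HEAVYNODE case from `includehost search_node` to `includehost heavy_node` only affects nodes enrolled after this change; a heavy node that was already added to the search_node hostgroup keeps that broader membership unless something removes it, and nothing in this commit does — presumably acceptable for fresh installs, but a note in the commit or a one-time `so-firewall` cleanup would make the upgrade path explicit. set_initial_firewall_policy starts before the hunk, so I cannot see whether another case still adds heavy nodes to search_node.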
diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json index b825c0131..e453a84b7 100644 --- a/salt/soc/files/soc/alerts.actions.json +++ b/salt/soc/files/soc/alerts.actions.json @@ -1,6 +1,6 @@ [ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" }, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" }, + { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" }, { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" } ] \ No newline at end of file diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json index b825c0131..e453a84b7 100644 --- a/salt/soc/files/soc/hunt.actions.json +++ b/salt/soc/files/soc/hunt.actions.json 
@@ -1,6 +1,6 @@ [ { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" }, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "link": "/joblookup?esid={eventId}", "target": "" }, + { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" }, { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" } ] \ No newline at end of file From b7bc8db3b2228e4dba288217c990507ea54bb518 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Tue, 1 Dec 2020 17:37:44 -0500 Subject: [PATCH 05/31] Modify PCAP quick action to work off of network community ID; Add new Correlate quick action --- salt/soc/files/soc/alerts.actions.json | 31 ++++++++++++++++++++++---- salt/soc/files/soc/hunt.actions.json | 31 ++++++++++++++++++++++---- 2 files changed, 54 insertions(+), 8 deletions(-) diff --git a/salt/soc/files/soc/alerts.actions.json b/salt/soc/files/soc/alerts.actions.json index e453a84b7..46c4ea68d 100644 --- a/salt/soc/files/soc/alerts.actions.json +++ b/salt/soc/files/soc/alerts.actions.json 
@@ -1,6 +1,29 @@ [ - { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" }, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" }, - { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, - { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" } + { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", + "links": [ + "/#/hunt?q=\"{value}\" | groupby event.module event.dataset" + ]}, + { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", + "links": [ + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" + ]}, + { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "", + "links": [ + "/joblookup?esid={:soc_id}", + "/joblookup?ncid={:network.community_id}" + ]}, + { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank", + "links": [ + 
"https://www.google.com/search?q={value}" + ]}, + { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank", + "links": [ + "https://www.virustotal.com/gui/search/{value}" + ]} ] \ No newline at end of file diff --git a/salt/soc/files/soc/hunt.actions.json b/salt/soc/files/soc/hunt.actions.json index e453a84b7..46c4ea68d 100644 --- a/salt/soc/files/soc/hunt.actions.json +++ b/salt/soc/files/soc/hunt.actions.json 
@@ -1,6 +1,29 @@ [ - { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "link": "/#/hunt?q=\"{value}\" | groupby event.module event.dataset", "target": "" }, - { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "links": ["/joblookup?esid={:soc_id}", "/joblookup?ncid={:network.community_id}"], "target": "" }, - { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "link": "https://www.google.com/search?q={value}", "target": "_blank" }, - { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "link": "https://www.virustotal.com/gui/search/{value}", "target": "_blank" } + { "name": "actionHunt", "description": "actionHuntHelp", "icon": "fa-crosshairs", "target": "", + "links": [ + "/#/hunt?q=\"{value}\" | groupby event.module event.dataset" + ]}, + { "name": "actionCorrelate", "description": "actionCorrelateHelp", "icon": "fab fa-searchengin", "target": "", + "links": [ + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:log.id.uid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.uid}\" OR \"{:network.community_id}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.fuid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:log.id.uid}\" | groupby event.module event.dataset", + "/#/hunt?q=\"{:network.community_id}\" | groupby event.module event.dataset" + ]}, + { "name": "actionPcap", "description": "actionPcapHelp", "icon": "fa-stream", "target": "", + "links": [ + "/joblookup?esid={:soc_id}", + "/joblookup?ncid={:network.community_id}" + ]}, + { "name": "actionGoogle", "description": "actionGoogleHelp", "icon": "fab fa-google", "target": "_blank", + "links": [ + 
"https://www.google.com/search?q={value}" + ]}, + { "name": "actionVirusTotal", "description": "actionVirusTotalHelp", "icon": "fa-external-link-alt", "target": "_blank", + "links": [ + "https://www.virustotal.com/gui/search/{value}" + ]} ] \ No newline at end of file From c819729cd65b2da9ae7e0dfa84ae2c4ad100e2c5 Mon Sep 17 00:00:00 2001 From: weslambert Date: Wed, 2 Dec 2020 13:17:19 -0500 Subject: [PATCH 06/31] Don't use max_files or time_to_live for shutdown params --- salt/strelka/files/backend/backend.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/strelka/files/backend/backend.yaml b/salt/strelka/files/backend/backend.yaml index b71e8ac74..db6ce0560 100644 --- a/salt/strelka/files/backend/backend.yaml +++ b/salt/strelka/files/backend/backend.yaml @@ -6,8 +6,8 @@ {%- endif -%} logging_cfg: '/etc/strelka/logging.yaml' limits: - max_files: 5000 - time_to_live: 900 + max_files: 0 + time_to_live: 0 max_depth: 15 distribution: 600 scanner: 150 From cf0ec2f78f717056daf6573778a5ce726e24b83b Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Wed, 2 Dec 2020 16:38:33 -0500 Subject: [PATCH 07/31] Default to the node's primary IP for the description field --- salt/sensoroni/files/sensoroni.json | 4 +++- setup/so-functions | 9 +++++---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index cc5be34ea..b9275239a 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json 
@@ -1,12 +1,14 @@ {% set URLBASE = salt['pillar.get']('global:url_base') -%} +{% set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') -%} {% set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%} -{% set CHECKININTERVALMS = salt['pillar.get']('sensoroni:sensor_checkin_interval_ms', 10000) -%} +{% set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) -%} {% set STENOENABLED = salt['pillar.get']('steno:enabled', False) -%} { "logFilename": "/opt/sensoroni/logs/sensoroni.log", "logLevel":"info", "agent": { "role": "{{ grains.role }}", + "description": "{{ DESCRIPTION }}", "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, diff --git a/setup/so-functions b/setup/so-functions index 3cf268869..816834fb8 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1104,10 +1104,10 @@ manager_pillar() { manager_global() { local global_pillar="$local_salt_dir/pillar/global.sls" - if [ -z "$SENSOR_CHECKIN_INTERVAL_MS" ]; then - SENSOR_CHECKIN_INTERVAL_MS=10000 + if [ -z "$NODE_CHECKIN_INTERVAL_MS" ]; then + NODE_CHECKIN_INTERVAL_MS=10000 if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'STANDALONE' ] || [ "$install_type" = 'IMPORT' ]; then - SENSOR_CHECKIN_INTERVAL_MS=1000 + NODE_CHECKIN_INTERVAL_MS=1000 fi fi @@ -1167,7 +1167,8 @@ manager_global() { " imagerepo: '$IMAGEREPO'"\ " pipeline: 'redis'"\ "sensoroni:"\ - " sensor_checkin_interval_ms: $SENSOR_CHECKIN_INTERVAL_MS"\ + " node_description: '$MAINIP'"\ + " node_checkin_interval_ms: $NODE_CHECKIN_INTERVAL_MS"\ "strelka:"\ " enabled: $STRELKA"\ " rules: 1"\ From f96365baba9c62cb66de67f3e291790e80340359 Mon Sep 17 00:00:00 2001 
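Review bot: Renaming the pillar key from `sensoroni:sensor_checkin_interval_ms` to `sensoroni:node_checkin_interval_ms` means an already-deployed global.sls that still carries the old key silently falls back to the 10000 ms default in sensoroni.json, losing any non-default value, unless the pillar is regenerated on upgrade; reading both keys for a release, or noting the migration, would avoid a surprise. `"description": "{{ DESCRIPTION }}"` is also rendered into JSON without escaping — harmless while the value is `$MAINIP`, but the key name invites free-form text, so `"description": {{ DESCRIPTION | tojson }}` would be safer if the Jinja in use provides that filter. manager_global continues outside the second hunk.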
From: Wes Lambert Date: Thu, 3 Dec 2020 14:17:32 +0000 Subject: [PATCH 08/31] Add initial grouped Elastic start/stop/restart scripts --- salt/common/tools/sbin/so-elastic-restart | 43 +++++++++++++++++++++++ salt/common/tools/sbin/so-elastic-start | 43 +++++++++++++++++++++++ salt/common/tools/sbin/so-elastic-stop | 43 +++++++++++++++++++++++ 3 files changed, 129 insertions(+) create mode 100644 salt/common/tools/sbin/so-elastic-restart create mode 100644 salt/common/tools/sbin/so-elastic-start create mode 100644 salt/common/tools/sbin/so-elastic-stop diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart new file mode 100644 index 000000000..0e3c5937d --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-restart
@@ -0,0 +1,43 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +/usr/sbin/so-restart elasticsearch $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%} +/usr/sbin/so-restart kibana $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-restart logstash $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +/usr/sbin/so-restart filebeat $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-restart curator $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%} +/usr/sbin/so-restart elastalert $1 +{%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start new file mode 100644 index 000000000..51657ff54 --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-start 
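Review bot: Each `/usr/sbin/so-restart <service> $1` line passes `$1` unquoted, so an argument containing whitespace is word-split; `"$@"` forwards the script's arguments verbatim and still passes nothing when none were given, which the current form appears to rely on. This script, so-elastic-start and so-elastic-stop in the next two hunks differ only in the verb, so one template that takes the action as a parameter, or a shared role-to-service map, would keep the six role lists from drifting. A header comment stating the optional argument's meaning (whatever so-restart accepts in that position) would also help, since the scripts are installed in sbin for operators.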
@@ -0,0 +1,43 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +/usr/sbin/so-start elasticsearch $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%} +/usr/sbin/so-start kibana $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-start logstash $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +/usr/sbin/so-start filebeat $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-start curator $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%} +/usr/sbin/so-start elastalert $1 +{%- endif %} diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop new file mode 100644 index 000000000..2f6c46082 --- /dev/null +++ b/salt/common/tools/sbin/so-elastic-stop 
@@ -0,0 +1,43 @@ +#!/bin/bash + +# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-import']%} +/usr/sbin/so-stop elasticsearch $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval', 'so-manager', 'so-managersearch', 'so-standalone', 'so-import']%} +/usr/sbin/so-stop kibana $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-stop logstash $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node', 'so-sensor']%} +/usr/sbin/so-stop filebeat $1 +{%- endif %} + +{%- if grains['role'] in ['so-manager', 'so-managersearch', 'so-standalone', 'so-heavynode', 'so-node']%} +/usr/sbin/so-stop curator $1 +{%- endif %} + +{%- if grains['role'] in ['so-eval','so-manager', 'so-managersearch', 'so-standalone']%} +/usr/sbin/so-stop elastalert $1 +{%- endif %} From 4ce3ec75826ed8b47c7faa498878031cc6749402 Mon Sep 17 00:00:00 2001 
From: Wes Lambert Date: Thu, 3 Dec 2020 14:18:22 +0000 Subject: [PATCH 09/31] Make scripts executable --- salt/common/tools/sbin/so-elastic-restart | 0 salt/common/tools/sbin/so-elastic-start | 0 salt/common/tools/sbin/so-elastic-stop | 0 salt/common/tools/sbin/so-salt-minion-check | 0 4 files changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-restart mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-start mode change 100644 => 100755 salt/common/tools/sbin/so-elastic-stop mode change 100644 => 100755 salt/common/tools/sbin/so-salt-minion-check diff --git a/salt/common/tools/sbin/so-elastic-restart b/salt/common/tools/sbin/so-elastic-restart old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elastic-start b/salt/common/tools/sbin/so-elastic-start old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-elastic-stop b/salt/common/tools/sbin/so-elastic-stop old mode 100644 new mode 100755 diff --git a/salt/common/tools/sbin/so-salt-minion-check b/salt/common/tools/sbin/so-salt-minion-check old mode 100644 new mode 100755 From 95570976a81d9bd0ddeb2d8d33e0431c4adbd8e6 Mon Sep 17 00:00:00 2001 From: weslambert Date: Thu, 3 Dec 2020 09:29:44 -0500 Subject: [PATCH 10/31] Add indices.query.bool.max_clause_count to allow for wildcard searches targeting more than 1024 fields --- salt/elasticsearch/files/elasticsearch.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/elasticsearch/files/elasticsearch.yml b/salt/elasticsearch/files/elasticsearch.yml index acad465d1..18d1c9c81 100644 --- a/salt/elasticsearch/files/elasticsearch.yml +++ b/salt/elasticsearch/files/elasticsearch.yml @@ -44,3 +44,4 @@ cluster.routing.allocation.disk.watermark.flood_stage: 98% node.attr.box_type: {{ NODE_ROUTE_TYPE }} node.name: {{ ESCLUSTERNAME }} script.max_compilations_rate: 1000/1m +indices.query.bool.max_clause_count: 1500 
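Review bot: `indices.query.bool.max_clause_count: 1500` has no comment, so the reason in the commit subject will be lost once it lands; add `# Raised from the 1024 default so wildcard searches across more than 1024 fields do not fail` above the line. Because this setting is consulted per query, it may also be worth noting the trade-off (larger boolean queries are allowed against the cluster) so a later reader does not raise it further without thought.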
From 967111decc4b59fda561620fb7c6a2cafbed693c Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 3 Dec 2020 11:24:38 -0500 Subject: [PATCH 11/31] Add node address to sensoroni pillar --- salt/sensoroni/files/sensoroni.json | 2 ++ setup/so-functions | 3 ++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/salt/sensoroni/files/sensoroni.json b/salt/sensoroni/files/sensoroni.json index b9275239a..55b928ef0 100644 --- a/salt/sensoroni/files/sensoroni.json +++ b/salt/sensoroni/files/sensoroni.json @@ -1,5 +1,6 @@ {% set URLBASE = salt['pillar.get']('global:url_base') -%} {% set DESCRIPTION = salt['pillar.get']('sensoroni:node_description') -%} +{% set ADDRESS = salt['pillar.get']('sensoroni:node_address') -%} {% set SENSORONIKEY = salt['pillar.get']('global:sensoronikey', '') -%} {% set CHECKININTERVALMS = salt['pillar.get']('sensoroni:node_checkin_interval_ms', 10000) -%} {% set STENOENABLED = salt['pillar.get']('steno:enabled', False) -%} @@ -9,6 +10,7 @@ "agent": { "role": "{{ grains.role }}", "description": "{{ DESCRIPTION }}", + "address": "{{ ADDRESS }}", "pollIntervalMs": {{ CHECKININTERVALMS if CHECKININTERVALMS else 10000 }}, "serverUrl": "https://{{ URLBASE }}/sensoroniagents", "verifyCert": false, diff --git a/setup/so-functions b/setup/so-functions index 816834fb8..4821605f7 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1167,7 +1167,8 @@ manager_global() { " imagerepo: '$IMAGEREPO'"\ " pipeline: 'redis'"\ "sensoroni:"\ - " node_description: '$MAINIP'"\ + " node_address: '$MAINIP'"\ + " node_description: '$NODE_DESCRIPTION'"\ " node_checkin_interval_ms: $NODE_CHECKIN_INTERVAL_MS"\ "strelka:"\ " enabled: $STRELKA"\ From fca50660a26864a65381312acc561b34f3c8ade1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Fri, 4 Dec 2020 09:33:28 -0500 Subject: [PATCH 12/31] [fix] Trap argument off by one --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
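Review bot: `" node_description: '$NODE_DESCRIPTION'"` writes the value into single-quoted YAML, so a description containing an apostrophe produces an unparsable global.sls and breaks the entire pillar for that manager. Double embedded single quotes before writing (YAML escapes `'` as `''`), e.g. `NODE_DESCRIPTION=$(printf '%s' "$NODE_DESCRIPTION" | sed "s/'/''/g")`, and confirm NODE_DESCRIPTION has a default when the prompt is skipped, since nothing in this hunk assigns one. The same value is rendered unescaped into sensoroni.json as `"description": "{{ DESCRIPTION }}"` in the first hunk, where a `"` or `\` would likewise produce invalid JSON.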
diff --git a/setup/so-setup b/setup/so-setup index 8dcce0e9b..1ea238a38 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -432,7 +432,7 @@ echo "1" > /root/accept_changes trap 'catch $LINENO' SIGUSR1 catch() { - info "Fatal error occurred at $2 in so-setup, failing setup." + info "Fatal error occurred at $1 in so-setup, failing setup." whiptail_setup_failed exit } From 3136c6678030d0626bea2835fc32d26d098dc6fa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 7 Dec 2020 08:50:53 -0500 Subject: [PATCH 13/31] [fix] Bring back network setup before setting MAINIP var --- setup/so-setup | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 1ea238a38..8ee236bf1 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -437,6 +437,26 @@ catch() { exit } +# Init networking so rest of install works +if [[ -n "$TURBO" ]]; then + use_turbo_proxy +fi + +if [[ "$setup_type" == 'iso' ]]; then + set_hostname >> $setup_log 2>&1 + set_management_interface +fi + +disable_ipv6 + +if [[ "$setup_type" != 'iso' ]]; then + set_hostname >> $setup_log 2>&1 +fi + +if [[ $is_minion ]]; then + add_mngr_ip_to_hosts +fi + # This block sets REDIRECTIT which is used by a function outside the below subshell { set_main_ip; @@ -457,27 +477,8 @@ catch() { reinstall_init fi - if [[ -n "$TURBO" ]]; then - use_turbo_proxy - fi - - if [[ "$setup_type" == 'iso' ]]; then - # Init networking so rest of install works - set_hostname >> $setup_log 2>&1 - set_management_interface - fi - - disable_ipv6 disable_auto_start - if [[ "$setup_type" != 'iso' ]]; then - set_hostname >> $setup_log 2>&1 - fi - - if [[ $is_minion ]]; then - add_mngr_ip_to_hosts - fi - { mark_version; clear_manager; From 38324c226eb850662c484b7aeede8f8feeb82bc8 Mon Sep 17 00:00:00 2001 
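Review bot: `catch()` now reports the right line number but still ends with a bare `exit`, so so-setup's exit status after a fatal error is whatever `whiptail_setup_failed` last returned — typically 0 — and any wrapper cannot distinguish failure from success; change it to `exit 1`. The trap is `trap 'catch $LINENO' SIGUSR1`, so `$1` is indeed the only argument and the fix itself is correct.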
From: William Wernert Date: Mon, 7 Dec 2020 10:58:58 -0500 Subject: [PATCH 14/31] [fix] Don't let grep output message on file not found --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index e8360c671..daeb917a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -771,7 +771,7 @@ disable_auto_start() { logCmd "crontab -u $INSTALLUSERNAME -r" fi - if grep -q so-setup /home/$INSTALLUSERNAME/.bash_profile; then + if grep -s -q so-setup /home/$INSTALLUSERNAME/.bash_profile; then # Truncate last line of the bash profile info "Removing auto-run of setup from bash profile" sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1 From 6fc3232637663c95b442f93215ad8a41bfc7c987 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 7 Dec 2020 14:16:06 -0500 Subject: [PATCH 15/31] [fix] Set INSTALLUSERNAME to the user running the script Resolves #2243 --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index bd16f9cd2..38077269f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1321,7 +1321,7 @@ elasticsearch_pillar() { parse_install_username() { # parse out the install username so things copy correctly - INSTALLUSERNAME=$(pwd | sed -E 's/\// /g' | awk '{ print $2 }') + INSTALLUSERNAME=${SUDO_USER:-${USER}} } patch_pillar() { From 08ab36927d91063f4981162c15a8d610e73e4f3d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 7 Dec 2020 14:16:54 -0500 Subject: [PATCH 16/31] [refactor] Kill parent script on exit --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 38077269f..dffc52b4f 100755 --- a/setup/so-functions +++ b/setup/so-functions 
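Review bot: `INSTALLUSERNAME=${SUDO_USER:-${USER}}` takes the install user from the environment, and the earlier hunk in this file shows it feeding `crontab -u $INSTALLUSERNAME -r` and `/home/$INSTALLUSERNAME/.bash_profile`; when setup is run from a root login shell without sudo it resolves to `root`, whose home is not under /home, and `SUDO_USER` is caller-supplied data rather than a verified account. Validate it before use, e.g. `id -u "$INSTALLUSERNAME" >/dev/null 2>&1 || { echo "Cannot determine install user" >&2; exit 1; }`, and derive the home directory with `getent passwd "$INSTALLUSERNAME" | cut -d: -f6` instead of assuming /home. The consumers of the variable are outside this hunk, so the path assumption may be made in more places than the one I can see.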
@@ -1752,7 +1752,7 @@ set_main_ip() { This is not a supported configuration, please remediate and rerun setup. EOM whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 - exit 1 + kill -SIGKILL "$(ps --pid $$ -oppid=)"; exit 1 fi } From d88364c9fde41a6a3199bcc2e23ed3447c47aeeb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Mon, 7 Dec 2020 14:18:01 -0500 Subject: [PATCH 17/31] [feat] Create error log for easy copy/paste Resolves #2165 --- setup/so-setup | 18 +++++++++--------- setup/so-variables | 3 +++ setup/so-whiptail | 15 ++++++++++++++- 3 files changed, 26 insertions(+), 10 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 8ee236bf1..4260f813e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -59,6 +59,7 @@ if [[ -f /root/accept_changes ]]; then # Move last setup log to backup mv "$setup_log" "$setup_log.bak" + mv "$error_log" "$error_log.bak" fi # Begin Installation pre-processing @@ -72,14 +73,6 @@ analyze_system automated=no function progress() { local title='Security Onion Install' - if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root ]]; then - if [[ -s /var/spool/mail/root ]]; then - echo '[ ERROR ] /var/spool/mail/root grew unexpectedly' >> $setup_log 2>&1 - fi - - export SO_ERROR=1 - title="Error found, please check $setup_log" - fi if [ $automated == no ]; then whiptail --title "$title" --gauge 'Please wait while installing...' 6 60 0 # append to text @@ -433,6 +426,7 @@ trap 'catch $LINENO' SIGUSR1 catch() { info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" whiptail_setup_failed exit } 
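Review bot: `kill -SIGKILL "$(ps --pid $$ -oppid=)"` terminates the parent of the main shell with a signal it cannot trap, so whichever process that is — a wrapper around so-setup, or the user's sudo/login shell if so-setup was launched directly — exits without running any cleanup, the `catch` handler or the failure dialog. If the goal is to unwind the enclosing so-setup from a subshell, send a signal it already handles, e.g. `kill -SIGUSR1 $$`, or at least use SIGTERM so traps run; `$PPID` also expresses the same parent without spawning ps. A comment naming the process this is meant to kill would make the intent reviewable.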
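Review bot: `mv "$error_log" "$error_log.bak"` runs whenever /root/accept_changes exists, but errors.log is only produced by a failing run, so a rerun after a clean install prints a `mv: cannot stat` message into the user's terminal; guard it with `[ -f "$error_log" ] && mv "$error_log" "$error_log.bak"`. The removal of the ERROR scan from `progress()` is clearly the intent of the commit, but it also drops the `/var/spool/mail/root grew unexpectedly` marker that used to be written to the setup log, so the mailbox condition in the final check is now the only record of that case.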
@@ -780,12 +774,18 @@ success=$(tail -10 $setup_log | grep Failed | awk '{ print $2}') if [[ $success != 0 ]]; then SO_ERROR=1; fi # Check entire setup log for errors or unexpected salt states and ensure cron jobs are not reporting errors to root's mailbox -if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then SO_ERROR=1; fi +if grep -q -E "ERROR|Result: False" $setup_log || [[ -s /var/spool/mail/root && "$setup_type" == "iso" ]]; then + SO_ERROR=1 + + grep --color=never "ERROR" "$setup_log" > "$error_log" +fi if [[ -n $SO_ERROR ]]; then echo "Errors detected during setup; skipping post-setup steps to allow for analysis of failures." >> $setup_log 2>&1 + SKIP_REBOOT=1 whiptail_setup_failed + else echo "Successfully completed setup! Continuing with post-installation steps" >> $setup_log 2>&1 { diff --git a/setup/so-variables b/setup/so-variables index 83b9b4325..2223fe106 100644 --- a/setup/so-variables +++ b/setup/so-variables @@ -21,6 +21,9 @@ export node_es_port setup_log="/root/sosetup.log" export setup_log +error_log="/root/errors.log" +export error_log + filesystem_root=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') export filesystem_root diff --git a/setup/so-whiptail b/setup/so-whiptail index 11d968910..444260907 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
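Review bot: The failure condition matches `ERROR|Result: False` (or mail in /var/spool/mail/root), but the summary written to `$error_log` keeps only `ERROR` lines, so a run that failed solely on a salt state reporting `Result: False` produces an empty errors.log while the dialog advertises a summary. Use the same pattern for both, `grep --color=never -E "ERROR|Result: False" "$setup_log" > "$error_log"`, and since the identical grep now appears in `catch()` earlier in this patch, a small `write_error_log` helper would keep the two in step. `SKIP_REBOOT=1` is set here but nothing in the hunk reads it; presumably it is consumed further down in so-setup.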
@@ -1259,7 +1259,20 @@ whiptail_setup_failed() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --msgbox "Install had a problem. Please see $setup_log for details. Press Ok to exit." 8 75 + local check_err_msg + local height + + [ -f "$error_log" ] && check_err_msg="A summary of errors can be found in $error_log.\n" + + if [[ -n $check_err_msg ]]; then height=11; else height=10; fi + + read -r -d '' message <<- EOM + Install had a problem. Please see $setup_log for details.\n + $check_err_msg + Press Ok to exit. + EOM + + whiptail --title "Security Onion Setup" --msgbox "$message" $height 75 } whiptail_shard_count() { From 997e2735e3a119b83945af9fd0c4b687360863cb Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 8 Dec 2020 13:59:42 -0500 Subject: [PATCH 18/31] [refactor] Press -> select --- setup/so-whiptail | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 444260907..5bc84eecf 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -345,7 +345,7 @@ whiptail_requirements_error() { if [[ $(echo "$requirement_needed" | tr '[:upper:]' '[:lower:]') == 'nics' ]]; then whiptail --title "Security Onion Setup" \ - --msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press OK to exit setup and reconfigure the machine." 10 75 + --msgbox "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select OK to exit setup and reconfigure the machine." 10 75 # Same as whiptail_cancel, but changed the wording to exit instead of cancel. whiptail --title "Security Onion Setup" --msgbox "Exiting Setup. No changes have been made." 8 75 
@@ -359,7 +359,7 @@ whiptail_requirements_error() { exit else whiptail --title "Security Onion Setup" \ - --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Press YES to continue anyway, or press NO to cancel." 10 75 + --yesno "This machine currently has $current_val $requirement_needed, but needs $needed_val to meet minimum requirements. Select YES to continue anyway, or select NO to cancel." 10 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus @@ -380,7 +380,7 @@ whiptail_storage_requirements() { Visit https://docs.securityonion.net/en/2.1/hardware.html for more information. - Press YES to continue anyway, or press NO to cancel. + Select YES to continue anyway, or select NO to cancel. EOM whiptail \ @@ -441,7 +441,7 @@ whiptail_dhcp_warn() { [ -n "$TESTING" ] && return if [[ $setup_type == "iso" ]]; then - local interaction_text="Press YES to keep DHCP or NO to go back." + local interaction_text="Select YES to keep DHCP or NO to go back." local window_type="yesno" else local interaction_text="Press ENTER to continue." @@ -795,7 +795,7 @@ whiptail_make_changes() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please press YES to make changes or NO to cancel." 8 75 + whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $install_type. Please select YES to make changes or NO to cancel." 8 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus 
@@ -909,7 +909,7 @@ whiptail_network_notice() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Press YES to continue." 8 75 + whiptail --title "Security Onion Setup" --yesno "Since this is a network install we assume the management interface, DNS, Hostname, etc are already set up. Select YES to continue." 8 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus From 65d994a2f8ec2a0f784ef198855978d58c14dc65 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 8 Dec 2020 14:02:45 -0500 Subject: [PATCH 19/31] [feat] Generate gzipped tarball of repo during setup and soup --- salt/common/tools/sbin/soup | 9 +++++++++ setup/so-functions | 4 ++++ setup/so-setup | 7 ++++++- 3 files changed, 19 insertions(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 27439a137..da534281e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -155,6 +155,13 @@ copy_new_files() { cd /tmp } +generate_and_clean_tarballs() { + local new_version + new_version=$(cat $UPDATE_DIR/VERSION) + tar -cxf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR" + find "/opt/so/repo" -type f -not -name "$new_version.tar.gz" -exec rm -rf {} \; +} + highstate() { # Run a highstate. salt-call state.highstate -l info queue=True @@ -417,6 +424,8 @@ else echo "Cloning Security Onion github repo into $UPDATE_DIR." clone_to_tmp fi +echo "Generating new repo archive" +generate_and_clean_tarballs if [ -f /usr/sbin/so-image-common ]; then . /usr/sbin/so-image-common else diff --git a/setup/so-functions b/setup/so-functions index dffc52b4f..a95fe55b1 100755 --- a/setup/so-functions +++ b/setup/so-functions 
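Review bot: `tar -cxf "/opt/so/repo/$new_version.tar.gz" "$UPDATE_DIR"` in generate_and_clean_tarballs combines the create (`-c`) and extract (`-x`) modes, which GNU tar rejects, so no archive is written and the following `find … -exec rm -rf {} \;` then deletes every existing tarball in /opt/so/repo. The flags should match generate_repo_tarball in so-functions, `tar -czf "/opt/so/repo/$new_version.tar.gz" -C "$UPDATE_DIR" .`, and the cleanup should only run when tar succeeded. Archiving the absolute `$UPDATE_DIR` path also presumably yields a different entry layout than the `../.` used on the setup side, which matters for the fixed `-C /root/…/securityonion` extraction in download_repo_tarball. `$UPDATE_DIR/VERSION` in the `cat` is unquoted.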
@@ -972,6 +972,10 @@ generate_passwords(){ KRATOSKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) } +generate_repo_tarball() { + tar -czf /opt/so/repo/"$SOVERSION".tar.gz ../. +} + get_redirect() { whiptail_set_redirect if [ "$REDIRECTINFO" = "OTHER" ]; then diff --git a/setup/so-setup b/setup/so-setup index 4260f813e..b60b99eca 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -791,10 +791,15 @@ else { export percentage=95 # set to last percentage used in previous subshell if [[ -n $ALLOW_ROLE && -n $ALLOW_CIDR ]]; then - set_progress_str 98 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" + set_progress_str 97 "Running so-allow -${ALLOW_ROLE} for ${ALLOW_CIDR}" IP=$ALLOW_CIDR so-allow -$ALLOW_ROLE >> $setup_log 2>&1 fi + if [[ $is_manager ]]; then + set_progress_str 98 "Generating archive for setup directory" + generate_repo_tarball + fi + if [[ $THEHIVE == 1 ]]; then set_progress_str 99 'Waiting for TheHive to start up' check_hive_init >> $setup_log 2>&1 From 4210d25fae1235a70792d95d73fac7da7fc6c4e9 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 8 Dec 2020 14:03:21 -0500 Subject: [PATCH 20/31] [feat] Init network + soremote key early --- setup/so-setup | 48 ++++++++++++++++++++++++----------------------- setup/so-whiptail | 16 ++++++++++++++++ 2 files changed, 41 insertions(+), 23 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index b60b99eca..f9ae6fe50 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -205,13 +205,11 @@ fi # Check if this is an airgap install -if [[ $is_manager ]]; then - if [[ $is_iso ]]; then - whiptail_airgap - if [[ "$INTERWEBS" == 'AIRGAP' ]]; then - is_airgap=true - fi - fi +if [[ $is_manager && $is_iso ]]; then + whiptail_airgap + if [[ "$INTERWEBS" == 'AIRGAP' ]]; then + is_airgap=true + fi fi if [[ $is_manager && $is_sensor ]]; then 
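Review bot: generate_repo_tarball writes into /opt/so/repo without ensuring the directory exists and archives `../.` relative to the current working directory, so it silently depends on so-setup running from the setup directory and on something else having created /opt/so/repo. Add `mkdir -p /opt/so/repo` before the tar call and a comment such as `# Archive the repo root (parent of setup/) so minions can fetch an installer matching this version`. The caller in so-setup ignores tar's exit status, so a failure here is only discoverable in the log.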
@@ -226,10 +224,6 @@ elif [[ $is_import ]]; then check_requirements "import" fi -if [[ ! $is_import ]]; then - whiptail_patch_schedule -fi - case "$setup_type" in 'iso') whiptail_set_hostname @@ -243,8 +237,6 @@ case "$setup_type" in whiptail_management_interface_dns whiptail_management_interface_dns_search fi - - #collect_adminuser_inputs ;; 'network') whiptail_network_notice @@ -254,6 +246,22 @@ case "$setup_type" in ;; esac +if [[ $is_minion ]]; then + whiptail_management_server +fi + +whiptail_management_interface_setup + +if [[ "$setup_type" == 'iso' ]]; then + # Init networking so rest of install works + set_hostname + set_management_interface +fi + +if [[ $is_minion || $is_import ]]; then + [ "$automated" == no ] && copy_ssh_key >> $setup_log 2>&1 +fi + short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') @@ -320,6 +328,10 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then calculate_useable_cores fi +if [[ ! $is_import ]]; then + whiptail_patch_schedule +fi + whiptail_homenet_manager whiptail_dockernet_check @@ -365,10 +377,6 @@ if [[ $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! fi fi -if [[ $is_minion ]]; then - whiptail_management_server -fi - if [[ $is_distmanager ]]; then collect_soremote_inputs fi @@ -436,11 +444,6 @@ if [[ -n "$TURBO" ]]; then use_turbo_proxy fi -if [[ "$setup_type" == 'iso' ]]; then - set_hostname >> $setup_log 2>&1 - set_management_interface -fi - disable_ipv6 if [[ "$setup_type" != 'iso' ]]; then @@ -495,7 +498,6 @@ fi if [[ $is_minion || $is_import ]]; then set_updates >> $setup_log 2>&1 - [ "$automated" == no ] && copy_ssh_key >> $setup_log 2>&1 fi if [[ $is_manager && $is_airgap ]]; then diff --git a/setup/so-whiptail b/setup/so-whiptail index 5bc84eecf..edbc19c0b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
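Review bot: The relocated `set_hostname` in the `@@ -254` hunk lost the `>> $setup_log 2>&1` redirection that the removed call in the `@@ -436` hunk had, so its output now lands on the terminal between whiptail dialogs instead of in the setup log; restore it with `set_hostname >> $setup_log 2>&1` or redirect the whole `if [[ "$setup_type" == 'iso' ]]` block. Moving `copy_ssh_key` ahead of the remaining prompts also means the soremote key is already installed on the manager if the user cancels at a later dialog; if that is intended, a comment saying so would help the next reader.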
@@ -765,6 +765,22 @@ whiptail_management_nic() { } +whiptail_management_interface_setup() { + [ -n "$TESTING" ] && return + + local minion_msg + + if [[ $is_minion || $is_import ]]; then + minion_msg=" and copy the ssh key for soremote to the manager" + else + minion_msg="" + fi + + whiptail --title "Security Onion Setup" --yesno "Setup will now initialize networking$minion_msg. Select YES to continue or NO to cancel." 8 75 + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} + whiptail_nids() { [ -n "$TESTING" ] && return From 4899ea23f882eaa900af5286e1790c8013dd37a1 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 8 Dec 2020 14:03:59 -0500 Subject: [PATCH 21/31] [fix] Put conditions in install_cleanup function --- setup/so-functions | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index a95fe55b1..fd7a02858 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1011,18 +1011,22 @@ host_pillar() { } install_cleanup() { - echo "Installer removing the following files:" - ls -lR "$temp_install_dir" + if [ -f "$temp_install_dir" ]; then + echo "Installer removing the following files:" + ls -lR "$temp_install_dir" - # Clean up after ourselves - rm -rf "$temp_install_dir" + # Clean up after ourselves + rm -rf "$temp_install_dir" + fi # All cleanup prior to this statement must be compatible with automated testing. Cleanup # that will disrupt automated tests should be placed beneath this statement. [ -n "$TESTING" ] && return # If Mysql is running stop it - /usr/sbin/so-mysql-stop + if docker ps --format "{{.Names}}" 2>&1 | grep -q "so-mysql"; then + /usr/sbin/so-mysql-stop + fi if [[ $setup_type == 'iso' ]]; then info "Removing so-setup permission entry from sudoers file" From b41ba1ea3ce2b951213d6cbd0d178ce6ee4ba66a Mon Sep 17 00:00:00 2001 
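Review bot: `if [ -f "$temp_install_dir" ]` in install_cleanup tests for a regular file, but the value is treated as a directory (`ls -lR`, `rm -rf`), so the guard is false whenever the directory exists and the temporary install files are never removed; it should read `if [ -d "$temp_install_dir" ]; then`. The `2>&1` on `docker ps` also feeds docker's error output into the `grep -q "so-mysql"`, so an unrelated daemon error mentioning the container would trigger the stop; `2>/dev/null` is the safer choice. install_cleanup continues past the hunk.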
From: William Wernert Date: Tue, 8 Dec 2020 15:29:04 -0500 Subject: [PATCH 22/31] [feat] Compare setup version to manager, dl tarball + exec on mismatch --- setup/so-functions | 20 +++++++ setup/so-setup | 132 ++++++++++++++++++++++++++------------------- 2 files changed, 97 insertions(+), 55 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index fd7a02858..5375d725c 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -518,6 +518,14 @@ check_requirements() { fi } +compare_versions() { + manager_ver=$(ssh -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion) + export manager_ver + + [[ "$manager_ver" == "$SOVERSION" ]] + return +} + configure_network_sensor() { echo "Setting up sensor interface" >> "$setup_log" 2>&1 local nic_error=0 @@ -913,6 +921,18 @@ docker_seed_registry() { } +download_repo_tarball() { + scp -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/new_setup + + # Fail if the file doesn't download + if ! [ -f /root/new_setup/"$manager_ver".tar.gz ]; then + kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1 + fi + + tar -xzf /root/new_setup/"$manager_ver".tar.gz -C /root/new_setup/securityonion + rm -rf /root/new_setup/"$manager_ver".tar.gz +} + fireeye_pillar() { local fireeye_pillar_path=$local_salt_dir/pillar/fireeye diff --git a/setup/so-setup b/setup/so-setup index f9ae6fe50..8ea110e96 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -54,6 +54,10 @@ while [[ $# -gt 0 ]]; do esac done +if ! [ -f /root/install_opt ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then + exec bash /root/manager_setup/securityonion/setup/so-setup "$@" +fi + if [[ -f /root/accept_changes ]]; then is_reinstall=true 
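Review bot: compare_versions treats any ssh failure as a version mismatch: if `ssh -i /root/.ssh/so.key soremote@"$MSRV" cat /etc/soversion` fails (unreachable manager, rejected key, missing file), `manager_ver` is empty, the test is false, and the caller in so-setup proceeds to download `/opt/so/repo/.tar.gz`. Check the command status and the value before comparing, `manager_ver=$(ssh … cat /etc/soversion) || return 2` followed by `[[ -n $manager_ver && "$manager_ver" == "$SOVERSION" ]]`, so the caller can tell "mismatch" from "could not determine". Because `manager_ver` is later spliced into a path on the scp command line, rejecting values containing `/` or whitespace there is cheap insurance. The trailing bare `return` only forwards the test's status and can be dropped.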
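Review bot: download_repo_tarball scps into /root/new_setup and extracts with `-C /root/new_setup/securityonion`, but neither directory is created here and nothing in the hunk shows it being created elsewhere, so add `mkdir -p /root/new_setup/securityonion` before the scp. The failure branch only checks that the file exists, not that scp or tar succeeded, so a truncated transfer passes the `-f` test and fails silently at `tar -xzf`; chaining the extraction as `tar -xzf … || { kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1; }` covers that. Whether the archive's entries land under `securityonion/setup/...` depends on how the manager built it (see the soup and so-functions tar calls in the previous commit), which is worth a comment here.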
@@ -62,13 +66,16 @@ if [[ -f /root/accept_changes ]]; then mv "$error_log" "$error_log.bak" fi -# Begin Installation pre-processing -parse_install_username -title "Initializing Setup" -info "Installing as the $INSTALLUSERNAME user" +if ! [ -f /root/install_opt ]; then + # Begin Installation pre-processing + parse_install_username -analyze_system + title "Initializing Setup" + info "Installing as the $INSTALLUSERNAME user" + + analyze_system +fi automated=no function progress() { @@ -145,14 +152,18 @@ if [ "$automated" == no ]; then fi fi -if (whiptail_you_sure); then - true -else - echo "User cancelled setup." | tee $setup_log - whiptail_cancel -fi +if ! [ -f /root/install_opt ]; then + if (whiptail_you_sure); then + true + else + echo "User cancelled setup." | tee "$setup_log" + whiptail_cancel + fi -whiptail_install_type + whiptail_install_type +else + install_type=$(cat /root/install_opt) +fi if [ "$install_type" = 'EVAL' ]; then is_node=true @@ -204,7 +215,6 @@ if [[ "$setup_type" == 'iso' ]]; then fi # Check if this is an airgap install - if [[ $is_manager && $is_iso ]]; then whiptail_airgap if [[ "$INTERWEBS" == 'AIRGAP' ]]; then 
@@ -212,54 +222,66 @@ if [[ $is_manager && $is_iso ]]; then fi fi -if [[ $is_manager && $is_sensor ]]; then - check_requirements "standalone" -elif [[ $is_fleet_standalone ]]; then - check_requirements "dist" "fleet" -elif [[ $is_sensor && ! $is_eval ]]; then - check_requirements "dist" "sensor" -elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then - check_requirements "dist" -elif [[ $is_import ]]; then - check_requirements "import" -fi +if ! [ -f /root/install_opt ]; then + if [[ $is_manager && $is_sensor ]]; then + check_requirements "standalone" + elif [[ $is_fleet_standalone ]]; then + check_requirements "dist" "fleet" + elif [[ $is_sensor && ! $is_eval ]]; then + check_requirements "dist" "sensor" + elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then + check_requirements "dist" + elif [[ $is_import ]]; then + check_requirements "import" + fi -case "$setup_type" in - 'iso') - whiptail_set_hostname - whiptail_management_nic - whiptail_dhcp_or_static + case "$setup_type" in + 'iso') + whiptail_set_hostname + whiptail_management_nic + whiptail_dhcp_or_static - if [ "$address_type" != 'DHCP' ]; then - whiptail_management_interface_ip - whiptail_management_interface_mask - whiptail_management_interface_gateway - whiptail_management_interface_dns - whiptail_management_interface_dns_search - fi - ;; - 'network') - whiptail_network_notice - whiptail_dhcp_warn - whiptail_set_hostname - whiptail_management_nic - ;; -esac + if [ "$address_type" != 'DHCP' ]; then + whiptail_management_interface_ip + whiptail_management_interface_mask + whiptail_management_interface_gateway + whiptail_management_interface_dns + whiptail_management_interface_dns_search + fi + ;; + 'network') + whiptail_network_notice + whiptail_dhcp_warn + whiptail_set_hostname + whiptail_management_nic + ;; + esac -if [[ $is_minion ]]; then - whiptail_management_server -fi + if [[ $is_minion ]]; then + whiptail_management_server + fi -whiptail_management_interface_setup + 
whiptail_management_interface_setup -if [[ "$setup_type" == 'iso' ]]; then - # Init networking so rest of install works - set_hostname - set_management_interface -fi + if [[ "$setup_type" == 'iso' ]]; then + # Init networking so rest of install works + set_hostname + set_management_interface + fi -if [[ $is_minion || $is_import ]]; then - [ "$automated" == no ] && copy_ssh_key >> $setup_log 2>&1 + if [[ $is_minion ]]; then + [ "$automated" == no ] && copy_ssh_key >> $setup_log 2>&1 + fi + + if [[ $is_minion ]] && ! (compare_versions); then + info "Installer version mismatch, downloading correct version from manager" + echo "$install_type" > /root/install_opt + download_repo_tarball >> "$setup_log" 2>&1 + exec bash /root/manager_setup/securityonion/setup/so-setup "$@" + fi + +else + rm -rf /root/install_opt >> "$setup_log" 2>&1 fi short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') From 813fe77582e98c56d3d4d41f801eb43861995f09 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 8 Dec 2020 15:29:31 -0500 Subject: [PATCH 23/31] [feat] Run so-analyst-install after network init --- setup/so-setup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 8ea110e96..17118800a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -204,9 +204,7 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then elif [ "$install_type" = 'IMPORT' ]; then is_import=true elif [ "$install_type" = 'ANALYST' ]; then - cd .. || exit 255 - ./so-analyst-install - exit 0 + is_analyst=true fi # Say yes to the dress if its an ISO install @@ -280,6 +278,11 @@ if ! [ -f /root/install_opt ]; then exec bash /root/manager_setup/securityonion/setup/so-setup "$@" fi + if [[ $is_analyst ]]; then + cd .. || exit 255 + exec bash so-analyst-install + fi + else rm -rf /root/install_opt >> "$setup_log" 2>&1 fi From a8f1ec37a3ff87cc4c2073be1e43ce942a96d1da Mon Sep 17 00:00:00 2001 
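Review bot: `echo "$install_type" > /root/install_opt` runs before `download_repo_tarball`, and that function's failure path ends in `exit 1` without removing the marker, so after a failed download the next so-setup run takes the `else` branch of every `! [ -f /root/install_opt ]` check, skipping the requirement checks and network prompts and reading `install_type` from the stale file. Move the `echo` after `download_repo_tarball >> "$setup_log" 2>&1`, or delete the marker in that function's failure branch. The hunk also narrows `copy_ssh_key` from `$is_minion || $is_import` to `$is_minion`, which drops the key copy for import installs; if intended, a comment would help. This hunk begins on the previous line.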
From: William Wernert Date: Tue, 8 Dec 2020 15:29:48 -0500 Subject: [PATCH 24/31] [refactor] Remove is_smooshed var --- setup/so-setup | 2 -- setup/so-whiptail | 14 +++++++------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 17118800a..d0efafc07 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -176,7 +176,6 @@ elif [ "$install_type" = 'STANDALONE' ]; then is_distmanager=true is_node=true is_sensor=true - is_smooshed=true elif [ "$install_type" = 'MANAGERSEARCH' ]; then is_manager=true is_distmanager=true @@ -194,7 +193,6 @@ elif [ "$install_type" = 'HEAVYNODE' ]; then is_node=true is_minion=true is_sensor=true - is_smooshed=true elif [ "$install_type" = 'FLEET' ]; then is_minion=true is_fleet_standalone=true diff --git a/setup/so-whiptail b/setup/so-whiptail index edbc19c0b..fdf318e06 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -35,7 +35,7 @@ whiptail_basic_zeek() { [ -n "$TESTING" ] && return - if [[ $is_smooshed ]]; then + if [[ $is_node && $is_sensor && ! $is_eval ]]; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else @@ -53,7 +53,7 @@ whiptail_basic_suri() { [ -n "$TESTING" ] && return - if [[ $is_smooshed ]]; then + if [[ $is_node && $is_sensor && ! $is_eval ]];; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else @@ -77,7 +77,7 @@ whiptail_zeek_pins() { cpu_core_list_whiptail+=("$item" "OFF") done - if [[ $is_smooshed ]]; then + if [[ $is_node && $is_sensor && ! $is_eval ]];; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else 
@@ -1354,11 +1354,11 @@ whiptail_suricata_pins() { readarray -t filtered_core_list <<< "$(echo "${cpu_core_list[@]}" "${ZEEKPINS[@]}" | xargs -n1 | sort | uniq -u | awk '{print $1}')" local filtered_core_str=() - for item in "${filtered_core_list[@]}"; do - filtered_core_str+=("$item" "") - done + for item in "${filtered_core_list[@]}"; do + filtered_core_str+=("$item" "") + done - if [[ $is_smooshed ]]; then + if [[ $is_node && $is_sensor && ! $is_eval ]];; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else From 652c4d49c90494ce80349fa5c212fe4e2a7ad1d2 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 09:47:10 -0500 Subject: [PATCH 25/31] [fix] Remove extra semicolon --- setup/so-whiptail | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index fdf318e06..68734c1c5 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -53,7 +53,7 @@ whiptail_basic_suri() { [ -n "$TESTING" ] && return - if [[ $is_node && $is_sensor && ! $is_eval ]];; then + if [[ $is_node && $is_sensor && ! $is_eval ]]; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else @@ -77,7 +77,7 @@ whiptail_zeek_pins() { cpu_core_list_whiptail+=("$item" "OFF") done - if [[ $is_node && $is_sensor && ! $is_eval ]];; then + if [[ $is_node && $is_sensor && ! $is_eval ]]; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else @@ -1358,7 +1358,7 @@ whiptail_suricata_pins() { filtered_core_str+=("$item" "") done - if [[ $is_node && $is_sensor && ! $is_eval ]];; then + if [[ $is_node && $is_sensor && ! $is_eval ]]; then local PROCS=$(expr $lb_procs / 2) if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else From 950c05e53da9719259909b6f209a6fe486d09469 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Wed, 9 Dec 2020 09:50:30 -0500 Subject: [PATCH 26/31] [fix] Only move error log if present --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index d0efafc07..5109365da 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -63,7 +63,7 @@ if [[ -f /root/accept_changes ]]; then # Move last setup log to backup mv "$setup_log" "$setup_log.bak" - mv "$error_log" "$error_log.bak" + [ -f "$error_log" ] && mv "$error_log" "$error_log.bak" fi From 51650147ef1b398d8841512531f08a036bc54d0d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 09:59:44 -0500 Subject: [PATCH 27/31] [fix] Only show network init message if valid --- setup/so-setup | 4 +++- setup/so-whiptail | 15 ++++++++++++--- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 5109365da..fe11d5361 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -257,7 +257,9 @@ if ! [ -f /root/install_opt ]; then whiptail_management_server fi - whiptail_management_interface_setup + if [[ $is_minion || $is_iso ]]; then + whiptail_management_interface_setup + fi if [[ "$setup_type" == 'iso' ]]; then # Init networking so rest of install works diff --git a/setup/so-whiptail b/setup/so-whiptail index 68734c1c5..a37340764 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -769,14 +769,23 @@ whiptail_management_interface_setup() { [ -n "$TESTING" ] && return local minion_msg + local msg - if [[ $is_minion || $is_import ]]; then - minion_msg=" and copy the ssh key for soremote to the manager" + if [[ $is_minion ]]; then + minion_msg="copy the ssh key for soremote to the manager" else minion_msg="" fi - whiptail --title "Security Onion Setup" --yesno "Setup will now initialize networking$minion_msg. Select YES to continue or NO to cancel." 8 75 + if [[ $is_iso ]]; then + if [[ $minion_msg != "" ]]; then + msg="initialize networking and $minion_msg" + else + msg="initialize networking" + fi + fi + + whiptail --title "Security Onion Setup" --yesno "Setup will now $msg. Select YES to continue or NO to cancel." 8 75 local exitstatus=$? whiptail_check_exitstatus $exitstatus } From f3ce2fc71e91b1027956fff51bebafcf6acdc176 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 10:06:02 -0500 Subject: [PATCH 28/31] [fix] new_setup -> manager_setup --- setup/so-functions | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5375d725c..83fed9c66 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -922,15 +922,15 @@ docker_seed_registry() { } download_repo_tarball() { - scp -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/new_setup + scp -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/repo/"$manager_ver".tar.gz /root/manager_setup # Fail if the file doesn't download - if ! [ -f /root/new_setup/"$manager_ver".tar.gz ]; then + if ! [ -f /root/manager_setup/"$manager_ver".tar.gz ]; then kill -SIGUSR1 "$(ps --pid $$ -oppid=)"; exit 1 fi - tar -xzf /root/new_setup/"$manager_ver".tar.gz -C /root/new_setup/securityonion - rm -rf /root/new_setup/"$manager_ver".tar.gz + tar -xzf /root/manager_setup/"$manager_ver".tar.gz -C /root/manager_setup/securityonion + rm -rf /root/manager_setup/"$manager_ver".tar.gz } fireeye_pillar() { 
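Review bot: In whiptail_management_interface_setup `msg` is only assigned inside `if [[ $is_iso ]]`, yet the caller added in this commit invokes the function for `$is_minion || $is_iso`, so a network-install minion gets the dialog text "Setup will now . Select YES…". Assign in both cases, `if [[ $is_iso ]]; then msg="initialize networking${minion_msg:+ and $minion_msg}"; else msg="$minion_msg"; fi`, which also removes the nested if. The two `local` lines could be merged into `local minion_msg msg`.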
From 795cacecf3c26fca5329b60afc66f2a0fa39822d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 10:06:14 -0500 Subject: [PATCH 29/31] [fix] Fix cut command options --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 83fed9c66..d143a79ff 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1771,7 +1771,7 @@ set_network_dev_status_list() { set_main_ip() { MAINIP=$(ip route get 1 | awk '{print $7;exit}') - MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f) + MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2) if [[ $MAINIP != $MNIC_IP ]]; then read -r -d '' message <<- EOM From 223856c0b9d226a80817f54da42833657164064b Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 10:16:42 -0500 Subject: [PATCH 30/31] [fix] Don't redirect whiptail message, use SIGINT instead of SIGKILL --- setup/so-functions | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d143a79ff..cd9b63ce2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1772,15 +1772,17 @@ set_network_dev_status_list() { set_main_ip() { MAINIP=$(ip route get 1 | awk '{print $7;exit}') MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2) +} - if [[ $MAINIP != $MNIC_IP ]]; then +compare_main_nic_ip() { + if [[ "$MAINIP" != "$MNIC_IP" ]]; then read -r -d '' message <<- EOM The IP being routed by Linux is not the IP address assigned to the management interface ($MNIC). This is not a supported configuration, please remediate and rerun setup. EOM whiptail --title "Security Onion Setup" --msgbox "$message" 10 75 - kill -SIGKILL "$(ps --pid $$ -oppid=)"; exit 1 + kill -SIGINT "$(ps --pid $$ -oppid=)"; exit 1 fi } 
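Review bot: compare_main_nic_ip compares `$MNIC_IP` as one string, but the `grep -oE` in set_main_ip prints one line per `inet` entry, so an interface with a secondary IPv4 address yields a multi-line `MNIC_IP` that can never equal `MAINIP`, and setup aborts with a misleading "not a supported configuration" dialog. Take the first address with `… | cut -d' ' -f2 | head -n 1`, or iterate over the lines if any address on the NIC should count as a match. Switching SIGKILL to SIGINT still signals so-setup's parent (`$$` is the main shell's PID even in a subshell) rather than so-setup's own `catch` trap, which handles SIGUSR1 only. A one-line comment that compare_main_nic_ip relies on `MAINIP`/`MNIC_IP` set by set_main_ip would document the new split.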
From 282b4090ce3768c8ffdff5b5e2bf0babc5ec3e6d Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 9 Dec 2020 11:51:07 -0500 Subject: [PATCH 31/31] [fix] Actually call nic comparison function, redirect tarball gen to setup_log --- setup/so-setup | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index fe11d5361..5b751d124 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -480,10 +480,9 @@ if [[ $is_minion ]]; then fi # This block sets REDIRECTIT which is used by a function outside the below subshell -{ - set_main_ip; - set_redirect; -} >> $setup_log 2>&1 + set_main_ip >> $setup_log 2>&1 + compare_main_nic_ip + set_redirect >> $setup_log 2>&1 # Begin install { @@ -824,7 +823,7 @@ else if [[ $is_manager ]]; then set_progress_str 98 "Generating archive for setup directory" - generate_repo_tarball + generate_repo_tarball >> "$setup_log" 2>&1 fi if [[ $THEHIVE == 1 ]]; then @@ -837,6 +836,6 @@ else echo "Post-installation steps have completed." >> $setup_log 2>&1 fi -install_cleanup >> $setup_log 2>&1 +install_cleanup >> "$setup_log" 2>&1 if [[ -z $SKIP_REBOOT ]]; then shutdown -r now; else exit; fi
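Review bot: The three calls that replaced the brace group keep the group's indentation (`    set_main_ip >> $setup_log 2>&1`), so they now read as if inside a block that no longer exists; align them with the surrounding statements and update the comment above, which still says "This block sets REDIRECTIT". A short comment, `# compare_main_nic_ip reads MAINIP/MNIC_IP set above and may show a dialog, so it is not redirected`, would explain why only the middle call goes to the terminal. The quoting of `$setup_log` is now mixed within the same three lines.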