diff --git a/salt/manager/init.sls b/salt/manager/init.sls index 908ef4502..1d21c95d3 100644 --- a/salt/manager/init.sls +++ b/salt/manager/init.sls @@ -18,7 +18,6 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} -{% set managerproxy = salt['pillar.get']('global:managerupdate', '0') %} {% set STRELKA_RULES = salt['pillar.get']('strelka:rules', '1') %} socore_own_saltstack: @@ -35,8 +34,6 @@ socore_own_saltstack: - mode: 750 - replace: False -{% if managerproxy == 1 %} - # Create the directories for apt-cacher-ng aptcacherconfdir: file.directory: @@ -60,7 +57,6 @@ aptcacherlogdir: - makedirs: true # Copy the config - acngcopyconf: file.managed: - name: /opt/so/conf/aptcacher-ng/etc/acng.conf @@ -84,8 +80,6 @@ append_so-aptcacherng_so-status.conf: - name: /opt/so/conf/so-status/so-status.conf - text: so-aptcacherng -{% endif %} - strelka_yara_update_old_1: cron.absent: - user: root diff --git a/setup/automation/distributed-airgap-manager b/setup/automation/distributed-airgap-manager index 3ed1a34f8..ddf44c100 100644 --- a/setup/automation/distributed-airgap-manager +++ b/setup/automation/distributed-airgap-manager @@ -42,7 +42,6 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-ami-manager b/setup/automation/distributed-ami-manager index 793e07ceb..6f5fb93dc 100644 --- a/setup/automation/distributed-ami-manager +++ b/setup/automation/distributed-ami-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-iso-manager b/setup/automation/distributed-iso-manager index 72cedb75e..07a22b588 100644 --- a/setup/automation/distributed-iso-manager +++ b/setup/automation/distributed-iso-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-net-centos-manager b/setup/automation/distributed-net-centos-manager index 72cedb75e..07a22b588 100644 --- a/setup/automation/distributed-net-centos-manager +++ b/setup/automation/distributed-net-centos-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-net-ubuntu-manager b/setup/automation/distributed-net-ubuntu-manager index 104bf4df4..712db3020 100644 --- a/setup/automation/distributed-net-ubuntu-manager +++ b/setup/automation/distributed-net-ubuntu-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/distributed-net-ubuntu-suricata-manager b/setup/automation/distributed-net-ubuntu-suricata-manager index d1fdf158d..30aebc122 100644 --- a/setup/automation/distributed-net-ubuntu-suricata-manager +++ b/setup/automation/distributed-net-ubuntu-suricata-manager @@ -41,7 +41,6 @@ install_type=MANAGER # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/eval-airgap b/setup/automation/eval-airgap index 095075a6b..e8deebe69 100644 --- a/setup/automation/eval-airgap +++ b/setup/automation/eval-airgap @@ -42,7 +42,6 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/eval-ami b/setup/automation/eval-ami index 1efab191d..ac8e42728 100644 --- a/setup/automation/eval-ami +++ b/setup/automation/eval-ami @@ -41,7 +41,6 @@ install_type=EVAL # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/eval-iso b/setup/automation/eval-iso index 880b3cc0c..d8a8c800a 100644 --- a/setup/automation/eval-iso +++ b/setup/automation/eval-iso @@ -41,7 +41,6 @@ install_type=EVAL # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/eval-net-centos b/setup/automation/eval-net-centos index 82d2cc9ec..5c0ea36a3 100644 --- a/setup/automation/eval-net-centos +++ b/setup/automation/eval-net-centos @@ -41,7 +41,6 @@ install_type=EVAL # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/eval-net-ubuntu b/setup/automation/eval-net-ubuntu index 132b8766e..4dc0eceda 100644 --- a/setup/automation/eval-net-ubuntu +++ b/setup/automation/eval-net-ubuntu @@ -41,7 +41,6 @@ install_type=EVAL # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-airgap b/setup/automation/import-airgap index 9c394ef2f..dc524e0c3 100644 --- a/setup/automation/import-airgap +++ b/setup/automation/import-airgap @@ -42,7 +42,6 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-ami b/setup/automation/import-ami index 10758be9a..039e9caee 100644 --- a/setup/automation/import-ami +++ b/setup/automation/import-ami @@ -41,7 +41,6 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-iso b/setup/automation/import-iso index fbfdd364b..6cc3106fd 100644 --- a/setup/automation/import-iso +++ b/setup/automation/import-iso @@ -41,7 +41,6 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-net-centos b/setup/automation/import-net-centos index f6394bde1..2536c8516 100644 --- a/setup/automation/import-net-centos +++ b/setup/automation/import-net-centos @@ -41,7 +41,6 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=0 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/import-net-ubuntu b/setup/automation/import-net-ubuntu index ded17d09f..dc72c8184 100644 --- a/setup/automation/import-net-ubuntu +++ b/setup/automation/import-net-ubuntu @@ -41,7 +41,6 @@ install_type=IMPORT # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-airgap b/setup/automation/standalone-airgap index 649b51e3c..99b003e05 100644 --- a/setup/automation/standalone-airgap +++ b/setup/automation/standalone-airgap @@ -42,7 +42,6 @@ INTERWEBS=AIRGAP # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-ami b/setup/automation/standalone-ami index 7200d3637..c006b28fb 100644 --- a/setup/automation/standalone-ami +++ b/setup/automation/standalone-ami @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-iso b/setup/automation/standalone-iso index dd0edb67f..ec972b066 100644 --- a/setup/automation/standalone-iso +++ b/setup/automation/standalone-iso @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-iso-suricata b/setup/automation/standalone-iso-suricata index f4697f308..d6dbc73d2 100644 --- a/setup/automation/standalone-iso-suricata +++ b/setup/automation/standalone-iso-suricata @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-net-centos b/setup/automation/standalone-net-centos index 6b7a7ebac..a711ba878 100644 --- a/setup/automation/standalone-net-centos +++ b/setup/automation/standalone-net-centos @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-net-centos-proxy b/setup/automation/standalone-net-centos-proxy index ee2504a98..1fc245cba 100644 --- a/setup/automation/standalone-net-centos-proxy +++ b/setup/automation/standalone-net-centos-proxy @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/automation/standalone-net-ubuntu b/setup/automation/standalone-net-ubuntu index fafb98cd4..a30e2a444 100644 --- a/setup/automation/standalone-net-ubuntu +++ b/setup/automation/standalone-net-ubuntu @@ -41,7 +41,6 @@ install_type=STANDALONE # LSPIPELINEBATCH= # LSPIPELINEWORKERS= MANAGERADV=BASIC -MANAGERUPDATES=1 # MDNS= # MGATEWAY= # MIP= diff --git a/setup/so-functions b/setup/so-functions index a37867b5a..7dd5511fb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -480,6 +480,21 @@ collect_mtu() { done } +collect_net_method() { + whiptail_net_method + + [[ -n $network_traffic ]] && collect_proxy + + if [[ "$network_traffic" == *"_MANAGER" ]]; then + whiptail_manager_updates_warning + MANAGERUPDATES=1 + fi + + if [[ "$network_traffic" == "PROXY"* ]]; then + collect_proxy no_ask + fi +} + collect_node_es_heap() { whiptail_node_es_heap "$ES_HEAP_SIZE" } @@ -582,7 +597,9 @@ collect_patch_schedule_name_import() { collect_proxy() { [[ -n $TESTING ]] && return - collect_proxy_details || return + local ask=${1:-true} + + collect_proxy_details "$ask" || return while ! proxy_validate; do if whiptail_invalid_proxy; then collect_proxy_details no_ask @@ -2671,10 +2688,10 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then if [ "$OS" = 'centos' ]; then - if [[ ! $is_airgap ]]; then - if ! grep -q "$MSRV" /etc/yum.conf; then - echo "proxy=http://$MSRV:3142" >> /etc/yum.conf - fi + if [[ ! $is_airgap ]]; then + if ! grep -q "$MSRV" /etc/yum.conf; then + echo "proxy=http://$MSRV:3142" >> /etc/yum.conf + fi fi else # Set it up so the updates roll through the manager diff --git a/setup/so-setup b/setup/so-setup index ad210048a..0667c99db 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -211,7 +211,7 @@ if ! [[ -f $install_opt_file ]]; then set_main_ip >> $setup_log 2>&1 compare_main_nic_ip reset_proxy - collect_proxy + collect_net_method [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 whiptail_net_setup_complete else @@ -319,7 +319,7 @@ if ! [[ -f $install_opt_file ]]; then reset_proxy if [[ -z $is_airgap ]]; then - collect_proxy + collect_net_method [[ -n "$so_proxy" ]] && set_proxy >> $setup_log 2>&1 fi @@ -499,13 +499,6 @@ if [[ $is_manager || $is_import ]]; then get_redirect fi -if [[ ! $is_airgap && ( $is_distmanager || ( $is_sensor || $is_node || $is_fleet_standalone ) && ! $is_eval ) ]]; then - whiptail_manager_updates - if [[ $setup_type == 'network' && $MANAGERUPDATES == 1 ]]; then - whiptail_manager_updates_warning - fi -fi - if [[ $is_distmanager ]]; then collect_soremote_inputs fi diff --git a/setup/so-whiptail b/setup/so-whiptail index 6127a174a..06a1afec1 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -1027,6 +1027,68 @@ whiptail_management_interface_setup() { whiptail_check_exitstatus $exitstatus } +whiptail_net_method() { + [ -n "$TESTING" ] && return + + [[ $is_airgap ]] && return + + local pkg_mngr + if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi + + read -r -d '' options_msg <<- EOM + "Direct" - Internet requests connect directly to the Internet. + + EOM + local options=( + " Direct" "" + ) + local proxy_desc="proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment." + + if [[ $is_minion ]]; then + local mngr_article + if [[ $is_distmanager ]]; then mngr_article="this"; else mngr_article="the"; fi + + read -r -d '' options_msg <<- EOM + ${options_msg} + + "Direct + Manager" - all traffic passes to the Internet normally, but ${pkg_mngr} updates will instead be pulled from ${mngr_article} manager. + + "Proxy" - ${proxy_desc} + + "Proxy + Manager" - proxy all traffic from the "Proxy" option except ${pkg_mngr} updates, which will instead pull from the manager. + EOM + + options+=( + " Direct + Manager" "" + " Proxy" "" + " Proxy + Manager" "" + ) + local height=25 + else + read -r -d '' options_msg <<- EOM + ${options_msg} + + "Proxy" - ${proxy_desc} + EOM + options+=( + " Proxy" "" + ) + local height=17 + fi + + local msg + read -r -d '' msg <<- EOM + How would you like to connect to the Internet? + + $options_msg + EOM + + local option_count=$(( ${#options[@]} / 2 )) + + network_traffic=$(whiptail --title "Security Onion Setup" --menu "$msg" $height 75 $option_count "${options[@]}" 3>&1 1>&2 2>&3) + network_traffic=$(echo "${network_traffic^^}" | tr -d ' ' | tr '+' '_') +} + whiptail_net_setup_complete() { [ -n "$TESTING" ] && return @@ -1161,29 +1223,6 @@ whiptail_manager_error() { whiptail --title "Security Onion Setup" --yesno "$msg" 13 75 || whiptail_check_exitstatus 1 } -whiptail_manager_updates() { - - [ -n "$TESTING" ] && return - - local update_string - update_string=$(whiptail --title "Security Onion Setup" --radiolist \ - "How would you like to download OS package updates for your grid?" 20 75 4 \ - "MANAGER" "Manager node is proxy for updates" ON \ - "OPEN" "Each node connects to the Internet for updates" OFF 3>&1 1>&2 2>&3 ) - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - case "$update_string" in - 'MANAGER') - export MANAGERUPDATES='1' - ;; - *) - export MANAGERUPDATES='0' - ;; - esac - -} - whiptail_manager_updates_warning() { [ -n "$TESTING" ] && return @@ -1485,7 +1524,9 @@ whiptail_patch_schedule_select_hours() { whiptail_proxy_ask() { [ -n "$TESTING" ] && return - whiptail --title "Security Onion Setup" --yesno "Do you want to set a proxy server for this installation?" 7 60 --defaultno + local pkg_mngr + if [[ $OS = 'centos' ]]; then pkg_mngr="yum"; else pkg_mngr='apt'; fi + whiptail --title "Security Onion Setup" --yesno "Do you want to proxy the traffic for git, docker client, wget, curl, ${pkg_mngr}, and various other SO components through a separate server in your environment?" 9 65 --defaultno } whiptail_proxy_addr() {