Merge pull request #1186 from Security-Onion-Solutions/feature/airgap

Airgap round 1

setup/so-functions

@@ -655,6 +655,7 @@ detect_os() {
 
 		echo "Installing required packages to run installer..." >> "$setup_log" 2>&1
 		# Install bind-utils so the host command exists
+		if [[ ! $is_iso ]]; then
 		  if ! command -v host > /dev/null 2>&1; then
 			yum -y install bind-utils >> "$setup_log" 2>&1
 		  fi
@@ -671,8 +672,10 @@ detect_os() {
 		  if ! yum versionlock > /dev/null 2>&1; then
 			yum -y install yum-plugin-versionlock >> "$setup_log" 2>&1
 		  fi
-
+        else
-
+		  logCmd "systemctl enable NetworkManager"
+		  logCmd "systemctl start NetworkManager"
+        fi
 	elif [ -f /etc/os-release ]; then
 		OS=ubuntu
 		if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
@@ -745,8 +748,12 @@ docker_install() {
 	if [ $OS = 'centos' ]; then
 		{
 			yum clean expire-cache;
+			if [[ ! $is_airgap ]]; then
 			  yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo;
+			fi
+			if [[ ! $is_iso ]]; then
 			  yum -y install docker-ce-19.03.11-3.el7 containerd.io-1.2.13-3.2.el7;
+			fi
 			yum versionlock docker-ce-19.03.11-3.el7;
 			yum versionlock containerd.io-1.2.13-3.2.el7
 		} >> "$setup_log" 2>&1
@@ -990,10 +997,10 @@ install_cleanup() {
 
 import_registry_docker() {
 	if [ -f /nsm/docker-registry/docker/registry_image.tar ]; then
-	  service docker start
+	  logCmd "service docker start"
-	  docker import /nsm/docker-registry/docker/registry_image.tar registry:2
+	  logCmd "docker import /nsm/docker-registry/docker/registry_image.tar registry:2" 
 	else
-	  echo "Need to download registry"
+	  info "Need to download registry"
 	fi
 }
 
@@ -1342,38 +1349,53 @@ saltify() {
 			cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
 		} >> "$setup_log" 2>&1
 		set_progress_str 6 'Installing various dependencies'
-		yum -y install wget nmap-ncat >> "$setup_log" 2>&1
+		if [[ ! $is_iso ]]; then
+		  logCmd "yum -y install wget nmap-ncat"
+		fi 
 		case "$install_type" in
 			'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
 				reserve_group_ids >> "$setup_log" 2>&1
-				yum -y install epel-release >> "$setup_log" 2>&1
+				if [[ ! $is_iso ]]; then
-				yum -y install sqlite argon2 curl mariadb-devel >> "$setup_log" 2>&1
+				  logCmd "yum -y install epel-release"
+				  logCmd "yum -y install sqlite argon2 curl mariadb-devel"
+				fi 
 				# Download Ubuntu Keys in case manager updates = 1
 				mkdir -p /opt/so/gpg >> "$setup_log" 2>&1
-				wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1
+				if [[ ! $is_airgap ]]; then
-				wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3001.1/SALTSTACK-GPG-KEY.pub"
-				wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg"
-				cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
+				  logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH"
+				  logCmd "cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo"
+				fi
 				set_progress_str 7 'Installing salt-master'
-				yum -y install salt-master-3001.1 >> "$setup_log" 2>&1
+				if [[ ! $is_iso ]]; then
+				  logCmd "yum -y install salt-master-3001.1"
+				fi
 				systemctl enable salt-master >> "$setup_log" 2>&1
 				;;
 			*)
 				if [ "$MANAGERUPDATES" = '1' ]; then
 					{
+						if [[ ! $is_airgap ]]; then
 						  # Create the GPG Public Key for the Salt Repo
 						  cp ./public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key;
 
 						  # Copy repo files over
 						  cp ./yum_repos/saltstack.repo /etc/yum.repos.d/saltstack.repo;
+						else
+						  info "This is airgap"
+						fi
 					} >> "$setup_log" 2>&1
 				fi
 				;;
 		esac
+		if [[ ! $is_airgap ]]; then
 		  cp ./yum_repos/wazuh.repo /etc/yum.repos.d/wazuh.repo >> "$setup_log" 2>&1
 		  yum clean expire-cache >> "$setup_log" 2>&1
+		fi
 		set_progress_str 8 'Installing salt-minion & python modules'
 		{
+			if [[ ! $is_iso ]]; then
 			  yum -y install epel-release
 			  yum -y install salt-minion-3001.1\
 			   	python3\
@@ -1387,6 +1409,7 @@ saltify() {
 				openssl\
 				jq;
 			  yum -y update --exclude=salt*;
+			fi
 			systemctl enable salt-minion;
 		} >> "$setup_log" 2>&1
 		yum versionlock salt*

setup/so-setup

@@ -182,6 +182,22 @@ elif [ "$install_type" = 'IMPORT' ]; then
 	is_import=true
 fi
 
+# Say yes to the dress if its an ISO install
+if [[ "$setup_type" == 'iso' ]]; then
+  is_iso=true
+fi
+
+#Check if this is an airgap install
+
+if [[ $is_manager ]]; then
+    if [[ $is_iso ]]; then
+      whiptail_airgap
+      if [[ "$INTERWEBS" == 'AIRGAP' ]]; then
+        is_airgap=true
+      fi
+    fi
+fi
+
 if [[ $is_manager && $is_sensor ]]; then
 	check_requirements "standalone"
 elif [[ $is_fleet_standalone ]]; then

setup/so-whiptail

@@ -18,6 +18,18 @@
 source ./so-variables
 source ./so-common-functions
 
+whiptail_airgap() {
+
+	[ -n "$TESTING" ] && return
+
+	INTERWEBS=$(whiptail --title "Security Onion Setup" --radiolist \
+	"Choose your install conditions:" 20 75 4 \
+	"STANDARD" "This manager has internet accesss" ON  \
+	"AIRGAP" "This manager does not have internet access" OFF 3>&1 1>&2 2>&3 )
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+}
 
 whiptail_basic_zeek() {