From 5f6770925d0ede70182da4c510f244d3793e3b14 Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Mon, 5 Apr 2021 16:52:12 -0400 Subject: [PATCH 01/28] speculative commit --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 018bdfac7..e889c64d0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1008,7 +1008,7 @@ create_repo() { detect_cloud() { echo "Testing if setup is running on a cloud instance..." | tee -a "$setup_log" - if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null); then export is_cloud="true"; fi + if ( curl --fail -s -m 5 http://169.254.169.254/latest/meta-data/instance-id > /dev/null ) || ( dmidecode -s bios-vendor | grep -q Google > /dev/null) || [ -f /var/log/waagent.log ]; then export is_cloud="true"; fi } detect_os() { From b70d9c089275206daa36f35b0837a07f534a19a5 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 6 Apr 2021 13:20:46 -0400 Subject: [PATCH 02/28] Add end summary and warning about SSH host key change --- setup/so-setup | 9 +- setup/so-whiptail | 203 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 208 insertions(+), 4 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 48322f246..509ad419d 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -572,14 +572,14 @@ fi if [[ $is_manager || $is_import ]]; then collect_so_allow; fi -whiptail_make_changes +# This block sets REDIRECTIT which is used by a function outside the below subshell +set_redirect >> $setup_log 2>&1 + +whiptail_end_settings # From here on changes will be made. echo "1" > /root/accept_changes -# This block sets REDIRECTIT which is used by a function outside the below subshell -set_redirect >> $setup_log 2>&1 - # Begin install { 
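Review bot: The outcome of the cloud probe in detect_cloud is never recorded: the hunk logs only `Testing if setup is running on a cloud instance...`, and the new `[ -f /var/log/waagent.log ]` test, like the two before it, sets `is_cloud` silently, so a misdetection (a stale agent log on a non-cloud image, or a blocked metadata endpoint) cannot be diagnosed from `$setup_log` afterwards. After the `if`, add `echo "Cloud detection result: is_cloud=${is_cloud:-false}" | tee -a "$setup_log"`. Three probes on one `if` line are also hard to audit; one probe per line joined with `||`, each with a short comment naming the platform it identifies (the waagent log path is presumably the Azure agent's), would make future additions safer to review.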
@@ -962,6 +962,7 @@ else } | whiptail_gauge_post_setup "Running post-installation steps..." whiptail_setup_complete + [[ $setup_type != 'iso' ]] && whitpail_ssh_warning echo "Post-installation steps have completed." >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index c71db9508..45b263f96 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
@@ -423,6 +423,193 @@ whiptail_enable_components() { done } +whiptail_end_settings() { + [ -n "$TESTING" ] && return + + # BASIC INFO (NETWORK, HOSTNAME, DESCRIPTION, ETC) + + read -r -d '' end_msg <<- EOM + The following options have been set, would you like to proceed? + + Node Type: $install_type + Hostname: $HOSTNAME + EOM + + [[ -n $NODE_DESCRIPTION ]] && __append_end_msg "Description: $NODE_DESCRIPTION" + + [[ $is_airgap ]] && __append_end_msg "Airgap: True" + + if [[ $is_minion ]]; then + __append_end_msg "Manager Hostname: $MSRV" + __append_end_msg "Manager IP: $MSRVIP" + fi + + + [[ $is_iso ]] && __append_end_msg "Network: $address_type" + + __append_end_msg "Management NIC: $MNIC" + __append_end_msg "Management IP: $MAINIP" + + if [[ $address_type == 'STATIC' ]]; then + __append_end_msg "Gateway: $MGATEWAY" + __append_end_msg "DNS: $MDNS" + __append_end_msg "DNS Domain: $MSEARCH" + fi + + if [[ $is_sensor ]]; then + __append_end_msg "Bond NIC(s):" + for nic in "${BNICS[@]}"; do + __append_end_msg " - $nic" + done + fi + + local homenet_arr + if [[ -n $HNMANAGER ]]; then + __append_end_msg "Home Network(s):" + IFS="," read -r -a homenet_arr <<< "$HNMANAGER" + for net in "${homenet_arr[@]}"; do + __append_end_msg " - $net" + done + elif [[ -n $HNSENSOR ]]; then + __append_end_msg "Home Network(s):" + IFS="," read -r -a homenet_arr <<< "$HNSENSOR" + for net in "${homenet_arr[@]}"; do + __append_end_msg " - $net" + done + fi + + [[ -n $REDIRECTIT ]] && __append_end_msg "Access URL: https://${REDIRECTIT}" + + [[ -n $ALLOW_CIDR ]] && __append_end_msg "Allowed IP or Subnet: $ALLOW_CIDR" + + [[ -n $WEBUSER ]] && __append_end_msg "Web User: $WEBUSER" + + [[ -n $FLEETNODEUSER ]] && __append_end_msg "Fleet User: $FLEETNODEUSER" + + if [[ $is_manager ]]; then + __append_end_msg "Enabled Optional Components:" + for component in "${COMPONENTS[@]}"; do + __append_end_msg " - $component" + done + fi + + # METADATA / IDS + + if [[ -n $ZEEKVERSION ]]; then + local 
md_tool_string=${ZEEKVERSION,;} + md_tool_string=${md_tool_string^} + + __append_end_msg "Metadata Tool: $md_tool_string" + fi + + [[ -n $RULESETUP ]] && __append_end_msg "IDS Ruleset: $RULESETUP" + [[ -n $OINKCODE ]] && __append_end_msg "Oinkcode: $OINKCODE" + + # PATCH SCHEDULE + + [[ -n $PATCHSCHEDULENAME ]] && __append_end_msg "Patch schedule: $PATCHSCHEDULENAME" + + if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then + __append_end_msg "Day(s):" + for day in "${PATCHSCHEDULEDAYS[@]}"; do + __append_end_msg " - $day" + done + fi + + if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then + __append_end_msg "Hours(s):" + for hour in "${PATCHSCHEDULEHOURS[@]}"; do + __append_end_msg " - $hour" + done + fi + + # MISC + + [[ $is_helix ]] && __append_end_msg "Helix API key: $HELIXAPIKEY" + [[ -n $DOCKERNET ]] && __append_end_msg "Docker network: $DOCKERNET" + if [[ -n $MANAGERUPDATES ]]; then + __append_end_msg "OS Package Updates: Manager" + else + __append_end_msg "OS Package Updates: Open" + fi + if [[ ${#ntp_servers[@]} -gt 0 ]]; then + __append_end_msg "NTP Servers:" + for server in "${ntp_servers[@]}"; do + __append_end_msg " - $server" + done + fi + + # ADVANCED OR REGULAR + + if [[ $NODESETUP == 'NODEADVANCED' ]]; then + __append_end_msg "Advanced Node Settings:" + __append_end_msg " Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" + __append_end_msg " Logstash Heap Size: $NODE_LS_HEAP_SIZE" + __append_end_msg " Logstash Worker Count: $LSPIPELINEWORKERS" + __append_end_msg " Logstash Batch Size: $LSPIPELINEBATCH" + __append_end_msg " Logstash Input Threads: $LSINPUTTHREADS" + __append_end_msg " Curator Day Cutoff: $CURCLOSEDAYS days" + __append_end_msg " Elasticsearch Storage Space: ${log_size_limit}GB" + else + __append_end_msg "Elasticsearch Heap Size: $NODE_ES_HEAP_SIZE" + __append_end_msg "Logstash Heap Size: $NODE_LS_HEAP_SIZE" + __append_end_msg "Logstash Worker Count: $LSPIPELINEWORKERS" + __append_end_msg "Logstash Batch Size: $LSPIPELINEBATCH" + __append_end_msg 
"Logstash Input Threads: $LSINPUTTHREADS" + __append_end_msg "Curator Close After: $CURCLOSEDAYS days" + __append_end_msg "Elasticsearch Storage Space: ${log_size_limit}GB" + fi + + + # ADVANCED + if [[ $MANAGERADV == 'ADVANCED' ]]; then + __append_end_msg "Advanced Manager Settings:" + __append_end_msg " ES Cluster Name: $ESCLUSTERNAME" + if [[ ${#BLOGS[@]} -gt 0 ]]; then + __append_end_msg " Zeek Logs Enabled:" + for log in "${BLOGS[@]}"; do + __append_end_msg " - $log" + done + fi + fi + + if [[ $NSMSETUP == 'ADVANCED' ]]; then + __append_end_msg "Advanced NSM Settings:" + if [[ ${#ZEEKPINS[@]} -gt 0 ]]; then + local zeek_pin_str + for core in "${ZEEKPINS[@]}"; do + zeek_pin_str="${zeek_pin_str}${core}," + done + zeek_pin_str=${zeek_pin_str%,} + __append_end_msg " Zeek Pinned Cores: ${zeek_pin_str}" + fi + if [[ ${#SURIPINS[@]} -gt 0 ]]; then + local suri_pin_str + for core in "${SURIPINS[@]}"; do + suri_pin_str="${suri_pin_str}${core}," + done + suri_pin_str=${suri_pin_str%,} + __append_end_msg " Suricata Pinned Cores: ${suri_pin_str}" + fi + else + [[ -n $BASICZEEK ]] && __append_end_msg " Zeek Processes: $BASICZEEK" + [[ -n $BASICSURI ]] && __append_end_msg " Suricata Processes: $BASICSURI" + fi + + whiptail --yesno "$end_msg" 24 75 --scrolltext + local exitstatus=$? + whiptail_check_exitstatus +} + +__append_end_msg() { + local newline=$1 + + read -r -d '' end_msg <<- EOM + $end_msg + $newline + EOM +} + whiptail_eval_adv() { [ -n "$TESTING" ] && return 
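Review bot: `${ZEEKVERSION,;}` in the METADATA / IDS section of whiptail_end_settings is not a lowercase conversion: `${var,pattern}` lowercases the first character only when it matches the pattern, and the pattern here is a literal `;`, so the value passes through unchanged and the following `${md_tool_string^}` turns e.g. `ZEEK` into `ZEEK` rather than `Zeek`; the intended expansion is presumably `md_tool_string=${ZEEKVERSION,,}`. Separately, the summary prints `Oinkcode: $OINKCODE` and `Helix API key: $HELIXAPIKEY` in clear on a screen that may be shared or recorded; showing a masked form (for example only the last four characters) would still let the user confirm the value. Note also that `read -r -d ''` returns non-zero when it reaches end of input, so if so-whiptail is ever sourced under `set -e` both the `read` here and the one in __append_end_msg would abort setup; `read -r -d '' end_msg <<- EOM || true` avoids that without changing the result.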
@@ -1491,6 +1678,22 @@ whiptail_so_allow() { whiptail_check_exitstatus $exitstatus } +whitpail_ssh_warning() { + [ -n "$TESTING" ] && return + + local msg + + read -r -d '' msg <<- EOM + NOTE: You will recceive a warning upon SSH reconnect that the host key has changed. + + This is expected due to hardening of the OpenSSH server config. + + The host key algorithm will now be ED25519, follow the instructions given by your SSH client to remove the old key fingerprint then retry the connection. + EOM + + whiptail --msgbox "$msg" 14 75 +} + whiptail_storage_requirements() { local mount=$1 local current_val=$2 From 6d6829ba340a86d9ef2150c34765c305dd1d1558 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Tue, 6 Apr 2021 13:21:07 -0400 Subject: [PATCH 03/28] Remove duplicate variable assignment --- setup/so-setup | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 509ad419d..5b1a7417c 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -558,7 +558,6 @@ if [[ $is_node && ! $is_eval ]]; then LSPIPELINEWORKERS=$num_cpu_cores LSPIPELINEBATCH=125 LSINPUTTHREADS=1 - LSPIPELINEBATCH=125 fi fi From 099ac2ff19a86d2ffbf658a60b42266ba8e868aa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 09:06:22 -0400 Subject: [PATCH 04/28] Minor formatting changes to whiptail end screen --- setup/so-whiptail | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 45b263f96..e81c0be7c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -429,8 +429,6 @@ whiptail_end_settings() { # BASIC INFO (NETWORK, HOSTNAME, DESCRIPTION, ETC) read -r -d '' end_msg <<- EOM - The following options have been set, would you like to proceed? - Node Type: $install_type Hostname: $HOSTNAME EOM 
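Review bot: The dialog in whitpail_ssh_warning tells the user to delete the old fingerprint and reconnect but gives them nothing to compare the new key against, which turns an expected host-key change into a habit of accepting any changed key. If the hardened key already exists at this point in setup, compute `new_fp=$(ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub 2>/dev/null)` before the heredoc and add a line `New host key fingerprint: $new_fp` to the message so the user can verify it out of band before trusting the connection. The function name is misspelled (`whitpail_`) both here and at the call site added in so-setup, and the text has `recceive`; both are worth correcting before the name spreads to other callers.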
@@ -539,6 +537,11 @@ whiptail_end_settings() { done fi + if [[ $NSMSETUP != 'ADVANCED' ]]; then + [[ -n $BASICZEEK ]] && __append_end_msg "Zeek Processes: $BASICZEEK" + [[ -n $BASICSURI ]] && __append_end_msg "Suricata Processes: $BASICSURI" + fi + # ADVANCED OR REGULAR if [[ $NODESETUP == 'NODEADVANCED' ]]; then @@ -591,14 +594,12 @@ whiptail_end_settings() { suri_pin_str=${suri_pin_str%,} __append_end_msg " Suricata Pinned Cores: ${suri_pin_str}" fi - else - [[ -n $BASICZEEK ]] && __append_end_msg " Zeek Processes: $BASICZEEK" - [[ -n $BASICSURI ]] && __append_end_msg " Suricata Processes: $BASICSURI" fi - whiptail --yesno "$end_msg" 24 75 --scrolltext + whiptail --title "The following options have been set, would you like to proceed?" --yesno "$end_msg" 24 75 --scrolltext + local exitstatus=$? - whiptail_check_exitstatus + whiptail_check_exitstatus $exitstatus } __append_end_msg() { From 5cd7d65b3f9c3d00115d4a181f86a4901abd1eff Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 10:03:33 -0400 Subject: [PATCH 05/28] Fix Logic for Airgap distributed --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 214896572..9fef19875 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2285,7 +2285,7 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then + if [[ "$OS" == "centos" && ! $is_airgap ]]; then mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ rm -f /etc/yum.repos.d/* From 88c565feae5934fe5a327201ec570188c802559c Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 10:14:16 -0400 Subject: [PATCH 06/28] Fix proxy test logic --- setup/so-functions | 4 +++- setup/so-whiptail | 1 + 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 8a751a4ad..e2e779775 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -563,7 +563,7 @@ collect_patch_schedule_name_import() { collect_proxy() { [[ -n $TESTING ]] && return - collect_proxy_details + collect_proxy_details || return while ! proxy_validate; do if whiptail_invalid_proxy; then collect_proxy_details no_ask @@ -608,6 +608,8 @@ collect_proxy_details() { so_proxy="$proxy_addr" fi export so_proxy + else + return 1 fi } diff --git a/setup/so-whiptail b/setup/so-whiptail index e81c0be7c..fddf3b0fa 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -391,6 +391,7 @@ whiptail_dockernet_net() { whiptail_check_exitstatus $exitstatus } + whiptail_enable_components() { [ -n "$TESTING" ] && return From 5b3014496bdd493211bfd376f26dc91cddb1eece Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 10:35:59 -0400 Subject: [PATCH 07/28] Proxy fixes * Adjust proxy test timeout * Don't show proxy on error * Add echo statement so user knows what setup is doing --- setup/so-functions | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index e2e779775..0724f5851 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1872,12 +1872,13 @@ print_salt_state_apply() { } proxy_validate() { + echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" - proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" 2>&1) + proxy_test_err=$(curl -sS "$test_url" --proxy "$so_proxy" --connect-timeout 5 2>&1) # set short connection timeout so user doesn't sit waiting for proxy test to timeout local ret=$? if [[ $ret != 0 ]]; then - error "Could not reach $test_url using proxy $so_proxy" + error "Could not reach $test_url using proxy provided" error "Received error: $proxy_test_err" if [[ -n $TESTING ]]; then error "Exiting setup" From ed0cd97de5af75600c3a4a2b2d95539de6378bca Mon Sep 17 00:00:00 2001 
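Review bot: `collect_proxy_details || return` in collect_proxy now makes collect_proxy itself exit with status 1 whenever the user declines to configure a proxy (the new `else return 1` branch in the second hunk), so a caller that runs it under `set -e`, or as the last command of a `&&` chain, will treat "no proxy" as a failure; the caller is not visible in this patch. If the intent is only to skip validation, `collect_proxy_details || return 0` keeps collect_proxy's status clean while still bypassing the `proxy_validate` loop. A comment on the new `return 1`, e.g. `# non-zero: user chose not to configure a proxy`, would make the status contract explicit.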
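Review bot: Dropping `$so_proxy` from the first `error` line in proxy_validate hides the proxy URL from the console, but the next line still prints `$proxy_test_err`, which is curl's raw stderr and may echo the proxy host or URL it was given; whether embedded credentials appear in that text depends on the failure mode, so this is not a reliable scrub. If the goal is to keep `user:password@host` out of the console and `$setup_log`, strip it before printing, e.g. `error "Received error: ${proxy_test_err//$so_proxy/<proxy>}"`. The `--connect-timeout 5` comment is helpful; consider pairing it with `-m` so a proxy that accepts the connection but never answers does not stall setup for curl's default.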
From: Mike Reeves Date: Wed, 7 Apr 2021 12:34:23 -0400 Subject: [PATCH 08/28] Fix Logic for Airgap distributed --- setup/so-functions | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9fef19875..2e7a21797 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2285,15 +2285,17 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" && ! $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ - else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ - fi + if [[ "$OS" == "centos" ]]; then + if [[ ! $is_airgap ]]; then + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi + fi else echo "This is Ubuntu" fi From c8c1553247d6c07e441e5c62c6c8bced81f021dd Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 12:36:50 -0400 Subject: [PATCH 09/28] Fix Logic for Airgap distributed --- setup/so-functions | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 2e7a21797..9aca9ca54 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2285,17 +2285,15 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then - if [[ ! $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ - else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ - fi - fi + if [[ "$OS" == "centos" && $is_airgap ]]; then + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi else echo "This is Ubuntu" fi From ceb1ea61dcf25f3e9dfc021b11d0ff3e53240b40 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 13:15:49 -0400 Subject: [PATCH 10/28] Summary screen changes --- setup/so-whiptail | 34 ++++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 14 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index fddf3b0fa..eccf8c69c 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -460,6 +460,7 @@ whiptail_end_settings() { for nic in "${BNICS[@]}"; do __append_end_msg " - $nic" done + __append_end_msg "MTU: $MTU" fi local homenet_arr 
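Review bot: The condition `[[ "$OS" == "centos" && $is_airgap ]]` in securityonion_repo is inverted relative to the previous commit: the repo files that point at repo.securityonion.net are now installed only on airgapped CentOS hosts, which have no route to them, while a connected CentOS host falls through to the `echo "This is Ubuntu"` branch and keeps whatever repos it had. If the intent is to skip the replacement on airgap, keep the `! $is_airgap` test, and give the `else` branch a message that does not assume Ubuntu, e.g. `echo "Skipping repo replacement (OS=$OS, airgap=${is_airgap:-0})"`.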
@@ -506,20 +507,25 @@ whiptail_end_settings() { # PATCH SCHEDULE - [[ -n $PATCHSCHEDULENAME ]] && __append_end_msg "Patch schedule: $PATCHSCHEDULENAME" - - if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then - __append_end_msg "Day(s):" - for day in "${PATCHSCHEDULEDAYS[@]}"; do - __append_end_msg " - $day" - done - fi - - if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then - __append_end_msg "Hours(s):" - for hour in "${PATCHSCHEDULEHOURS[@]}"; do - __append_end_msg " - $hour" - done + if [[ -n $PATCHSCHEDULENAME ]]; then + __append_end_msg "Patch Schedule:" + if [[ $PATCHSCHEDULENAME != 'auto' && $PATCHSCHEDULENAME != 'manual' ]]; then + __append_end_msg " Type: $PATCHSCHEDULENAME" + else + __append_end_msg " Name: $PATCHSCHEDULENAME" + fi + if [[ ${#PATCHSCHEDULEDAYS[@]} -gt 0 ]]; then + __append_end_msg " Day(s):" + for day in "${PATCHSCHEDULEDAYS[@]}"; do + __append_end_msg " - $day" + done + fi + if [[ ${#PATCHSCHEDULEHOURS[@]} -gt 0 ]]; then + __append_end_msg " Hours(s):" + for hour in "${PATCHSCHEDULEHOURS[@]}"; do + __append_end_msg " - $hour" + done + fi fi # MISC From 377b14ccb1dab47eb8d6743cf626d047551f99fa Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 13:20:55 -0400 Subject: [PATCH 11/28] ESCLUSTERNAME is empty for standalone, so check if it's set before listing --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index eccf8c69c..2522e65f9 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -574,7 +574,7 @@ whiptail_end_settings() { # ADVANCED if [[ $MANAGERADV == 'ADVANCED' ]]; then __append_end_msg "Advanced Manager Settings:" - __append_end_msg " ES Cluster Name: $ESCLUSTERNAME" + [[ -n $ESCLUSTERNAME ]] && __append_end_msg " ES Cluster Name: $ESCLUSTERNAME" if [[ ${#BLOGS[@]} -gt 0 ]]; then __append_end_msg " Zeek Logs Enabled:" for log in "${BLOGS[@]}"; do From f83ac5a2788089946ab5dc79a5bdb06e712bce04 Mon Sep 17 00:00:00 2001 
From: William Wernert Date: Wed, 7 Apr 2021 13:38:47 -0400 Subject: [PATCH 12/28] Print install summary to file and setup log after user confirms --- setup/so-whiptail | 3 +++ 1 file changed, 3 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 2522e65f9..3e4a79a91 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -607,6 +607,9 @@ whiptail_end_settings() { local exitstatus=$? whiptail_check_exitstatus $exitstatus + + echo "$end_msg" > /root/install_summary + printf '%s\n' 'Install summary:' "$end_msg" >> "$setup_log" } __append_end_msg() { From ec076bba4ae58d11a92974b39d84cf44b80783e4 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 13:42:18 -0400 Subject: [PATCH 13/28] MTU is not always set by the user, so don't always show in summary --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 3e4a79a91..7c2665363 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -460,7 +460,7 @@ whiptail_end_settings() { for nic in "${BNICS[@]}"; do __append_end_msg " - $nic" done - __append_end_msg "MTU: $MTU" + [[ -n $MTU ]] && __append_end_msg "MTU: $MTU" fi local homenet_arr From 3a4cf8aa269cc1dee056f27a4d54eb784fb5d1ae Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 13:54:01 -0400 Subject: [PATCH 14/28] Add proxy url/user to summary --- setup/so-whiptail | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/setup/so-whiptail b/setup/so-whiptail index 7c2665363..000aa2ba4 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
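Review bot: `echo "$end_msg" > /root/install_summary` persists the whole summary, which as of this commit includes `Oinkcode: $OINKCODE`, `Helix API key: $HELIXAPIKEY` and the web and Fleet user names, to a file whose mode is left to the current umask, and the `printf` on the next line copies the same text into `$setup_log`. Redact the secret-bearing lines before writing (or show them only on screen) and create the file with a restrictive mode, e.g. `( umask 077; echo "$end_msg" > /root/install_summary )`. The mode of `$setup_log` itself is set elsewhere and not visible here, which is why the redaction matters more than the file mode.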
@@ -449,6 +449,14 @@ whiptail_end_settings() { __append_end_msg "Management NIC: $MNIC" __append_end_msg "Management IP: $MAINIP" + if [[ -n $so_proxy ]]; then + __append_end_msg "Proxy:" + __append_end_msg " Server URL: $proxy_addr" + [[ -n $proxy_user ]] && __append_end_msg " User: $proxy_user" + else + __append_end_msg "Proxy: N/A" + fi + if [[ $address_type == 'STATIC' ]]; then __append_end_msg "Gateway: $MGATEWAY" __append_end_msg "DNS: $MDNS" From 3c69c0c24cbb501e628dc40ab00cf50092589298 Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 14:15:02 -0400 Subject: [PATCH 15/28] Correct patch schedule name logic in summary --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 000aa2ba4..33053a273 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -517,7 +517,7 @@ whiptail_end_settings() { if [[ -n $PATCHSCHEDULENAME ]]; then __append_end_msg "Patch Schedule:" - if [[ $PATCHSCHEDULENAME != 'auto' && $PATCHSCHEDULENAME != 'manual' ]]; then + if [[ $PATCHSCHEDULENAME == 'auto'|| $PATCHSCHEDULENAME == 'manual' ]]; then __append_end_msg " Type: $PATCHSCHEDULENAME" else __append_end_msg " Name: $PATCHSCHEDULENAME" From 9baa9767cafb722fb864bfd90e27e2622f6b497d Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 16:12:51 -0400 Subject: [PATCH 16/28] Add raid bind --- salt/telegraf/init.sls | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index 2814eb159..c4871a0b3 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -72,6 +72,7 @@ so-telegraf: - /opt/so/conf/telegraf/scripts:/scripts:ro - /opt/so/log/stenographer:/var/log/stenographer:ro - /opt/so/log/suricata:/var/log/suricata:ro + - /opt/so/log/raid:/var/log/raid:ro - watch: - file: tgrafconf - file: tgrafsyncscripts From 8ab4dd10d42ac97b522abb2345d45e00ba36f43c Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Wed, 7 Apr 2021 16:29:44 -0400 Subject: [PATCH 17/28] Add sostatus for telegraf --- salt/common/init.sls | 19 +++++++++++++++++++ salt/telegraf/init.sls | 1 + 2 files changed, 20 insertions(+) diff --git a/salt/common/init.sls b/salt/common/init.sls index 0ada77e1a..9ee126ac1 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -297,6 +297,25 @@ commonlogrotateconf: - month: '*' - dayweek: '*' +# Create the status directory +sostatusdir: + file.directory: + - name: /opt/so/log/sostatus + - user: 0 + - group: 0 + - makedirs: True + +# Install sostatus check cron +/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: + cron.present: + - user: root + - minute: '*/15' + - hour: '*' + - daymonth: '*' + - month: '*' + - dayweek: '*' + + {% if role in ['eval', 'manager', 'managersearch', 'standalone'] %} # Lock permissions on the backup directory backupdir: diff --git a/salt/telegraf/init.sls b/salt/telegraf/init.sls index c4871a0b3..cea4d3f45 100644 --- a/salt/telegraf/init.sls +++ b/salt/telegraf/init.sls @@ -73,6 +73,7 @@ so-telegraf: - /opt/so/log/stenographer:/var/log/stenographer:ro - /opt/so/log/suricata:/var/log/suricata:ro - /opt/so/log/raid:/var/log/raid:ro + - /opt/so/log/sostatus:/var/log/sostatus:ro - watch: - file: tgrafconf - file: tgrafsyncscripts From 3caaf0682043074b1576d175f3ec1ba94f95b6bb Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 7 Apr 2021 16:30:16 -0400 Subject: [PATCH 18/28] Add sostatus for telegraf --- salt/telegraf/scripts/sostatus.sh | 33 +++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 salt/telegraf/scripts/sostatus.sh diff --git a/salt/telegraf/scripts/sostatus.sh b/salt/telegraf/scripts/sostatus.sh new file mode 100644 index 000000000..23096d903 --- /dev/null +++ b/salt/telegraf/scripts/sostatus.sh 
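Review bot: The cron command `/usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1` can never record a failure: `echo $?` runs only when so-status succeeded, at which point `$?` is 0, and when so-status fails nothing is written and status.log keeps its previous value, so the sostatus metric fed to telegraf stays at 0 once it has ever read 0. Replace the `&&` with `;` — `/usr/sbin/so-status -q; echo $? > /opt/so/log/sostatus/status.log 2>&1` — so the exit status is written on every run. The `2>&1` applies to the `echo` redirect and captures nothing from so-status itself; if its stderr matters, redirect it on the so-status invocation. Since `cron.present` tracks the entry by its command text unless an `identifier` is given, presumably changing the command will leave the old line in root's crontab, so an explicit identifier is worth adding now.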
@@ -0,0 +1,33 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018,2019,2020,2021 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +APP=sostatus +lf=/tmp/$APP-pidLockFile +# create empty lock file if none exists +cat /dev/null >> $lf +read lastPID < $lf +# if lastPID is not null and a process with that pid exists , exit +[ ! -z "$lastPID" -a -d /proc/$lastPID ] && exit +echo $$ > $lf +SOSTATUSLOG=/var/log/sostatus/status.log +SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log) + +if [ -f "$SOSTATUSLOG" ]; then + echo "sostatus status=$SOSTATUSSTATUS" +else + exit 0 +fi From a5f5888913e00ab59d3459701d01f37e6e357b1e Mon Sep 17 00:00:00 2001 From: William Wernert Date: Wed, 7 Apr 2021 17:03:08 -0400 Subject: [PATCH 19/28] Summary order change --- setup/so-whiptail | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 33053a273..493ae7a68 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -449,6 +449,12 @@ whiptail_end_settings() { __append_end_msg "Management NIC: $MNIC" __append_end_msg "Management IP: $MAINIP" + if [[ $address_type == 'STATIC' ]]; then + __append_end_msg "Gateway: $MGATEWAY" + __append_end_msg "DNS: $MDNS" + __append_end_msg "DNS Domain: $MSEARCH" + fi + if [[ -n $so_proxy ]]; then __append_end_msg "Proxy:" __append_end_msg " Server URL: $proxy_addr" 
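Review bot: `SOSTATUSSTATUS=$(cat /var/log/sostatus/status.log)` runs before the `[ -f "$SOSTATUSLOG" ]` test that is meant to guard it, so on a host where the log does not yet exist the script prints a `cat` error on every telegraf interval and then exits 0; move the assignment inside the `if` and use the variable already defined, `SOSTATUSSTATUS=$(cat "$SOSTATUSLOG")`. The PID lock at `/tmp/$APP-pidLockFile` is a fixed, predictable path that is never removed: anything that can write that /tmp (a local user on the host, or whatever else runs in the telegraf container if that is where this executes) can pre-create it with a long-lived PID and silently stop the metric from ever being emitted, and the read-then-write sequence is racy; `flock -n` on a file under a root-owned directory such as /var/lock avoids both. `[ ! -z "$lastPID" -a -d /proc/$lastPID ]` also uses the deprecated `-a`; prefer `[[ -n "$lastPID" && -d /proc/$lastPID ]]`. Finally the influx line `sostatus status=$SOSTATUSSTATUS` emits whatever the file holds, so an empty or non-numeric value will likely be rejected by telegraf; a `[[ $SOSTATUSSTATUS =~ ^[0-9]+$ ]]` guard keeps the input clean.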
@@ -457,12 +463,6 @@ whiptail_end_settings() { __append_end_msg "Proxy: N/A" fi - if [[ $address_type == 'STATIC' ]]; then - __append_end_msg "Gateway: $MGATEWAY" - __append_end_msg "DNS: $MDNS" - __append_end_msg "DNS Domain: $MSEARCH" - fi - if [[ $is_sensor ]]; then __append_end_msg "Bond NIC(s):" for nic in "${BNICS[@]}"; do From d4a3bc455071b90b36b9233fb7392b8fdbd4cfa9 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 08:43:20 -0400 Subject: [PATCH 20/28] Fix so repo for salt --- salt/common/yum_repos/securityonion.repo | 7 +++++++ salt/common/yum_repos/securityonioncache.repo | 7 +++++++ 2 files changed, 14 insertions(+) diff --git a/salt/common/yum_repos/securityonion.repo b/salt/common/yum_repos/securityonion.repo index e61829380..0f39d5a3f 100644 --- a/salt/common/yum_repos/securityonion.repo +++ b/salt/common/yum_repos/securityonion.repo @@ -47,6 +47,13 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +[saltstack3003] +name=SaltStack repo for RHEL/CentOS $releasever PY3 +baseurl=https://repo.securityonion.net/file/securityonion-repo/saltstack3003/ +enabled=1 +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub + [wazuh_repo] gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH diff --git a/salt/common/yum_repos/securityonioncache.repo b/salt/common/yum_repos/securityonioncache.repo index 6d5058337..def6f8a40 100644 --- a/salt/common/yum_repos/securityonioncache.repo +++ b/salt/common/yum_repos/securityonioncache.repo 
@@ -47,6 +47,13 @@ enabled=1 gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub +[saltstack3003] +name=SaltStack repo for RHEL/CentOS $releasever PY3 +baseurl=http://repocache.securityonion.net/file/securityonion-repo/saltstack3003/ +enabled=1 +gpgcheck=1 +gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/SALTSTACK-GPG-KEY.pub + [wazuh_repo] gpgcheck=1 gpgkey=https://repo.securityonion.net/file/securityonion-repo/keys/GPG-KEY-WAZUH From 725320ebc8880629f3c2550a21e55b1ba3785e52 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:02:11 -0400 Subject: [PATCH 21/28] Fix Repo Logic --- salt/common/init.sls | 2 +- setup/so-functions | 18 +++++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/salt/common/init.sls b/salt/common/init.sls index 9ee126ac1..93f76c3b3 100644 --- a/salt/common/init.sls +++ b/salt/common/init.sls @@ -309,7 +309,7 @@ sostatusdir: /usr/sbin/so-status -q && echo $? > /opt/so/log/sostatus/status.log 2>&1: cron.present: - user: root - - minute: '*/15' + - minute: '*/5' - hour: '*' - daymonth: '*' - month: '*' diff --git a/setup/so-functions b/setup/so-functions index 9aca9ca54..54f8d2abf 100755 --- a/setup/so-functions +++ b/setup/so-functions 
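Review bot: The new `[saltstack3003]` stanza in securityonioncache.repo uses `baseurl=http://repocache.securityonion.net/...`, while its counterpart in securityonion.repo in the previous file section uses https. `gpgcheck=1` authenticates the RPMs themselves, but repository metadata fetched over plain HTTP is not signature-checked unless `repo_gpgcheck=1` is set, so an on-path host between a node and the cache could serve stale or altered package lists. If the cache cannot serve TLS, add `repo_gpgcheck=1` where the mirrored metadata carries a signature (the other cache stanzas are not visible here), or at least record in a comment why this repo is intentionally unencrypted.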
@@ -2285,14 +2285,18 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" && $is_airgap ]]; then - mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* - if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then - cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + if [[ "$OS" == "centos" ]]; then + if [[ "$INTERWEBS" == "AIRGAP" ]]; then + echo "This is airgap I don't need to add this repo" else - cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + mkdir -p /root/oldrepos + mv /etc/yum.repos.d/* /root/oldrepos/ + rm -f /etc/yum.repos.d/* + if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then + cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ + else + cp -f ../salt/common/yum_repos/securityonion.repo /etc/yum.repos.d/ + fi fi else echo "This is Ubuntu" From ce9f781d81ea51ad265b630e5f79f1959db161ab Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:24:04 -0400 Subject: [PATCH 22/28] Fix Repo Logic --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 54f8d2abf..1633d0901 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2291,7 +2291,7 @@ securityonion_repo() { else mkdir -p /root/oldrepos mv /etc/yum.repos.d/* /root/oldrepos/ - rm -f /etc/yum.repos.d/* + rm -rf /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else From 951369c2d698cbd9a7a738c839c099ffae55d430 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:25:36 -0400 Subject: [PATCH 23/28] Fix Repo Logic --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 1633d0901..0771567b2 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2290,7 +2290,7 @@ securityonion_repo() { echo "This is airgap I don't need to add this repo" else mkdir -p /root/oldrepos - mv /etc/yum.repos.d/* /root/oldrepos/ + mv -v /etc/yum.repos.d/* /root/oldrepos/ rm -rf /etc/yum.repos.d/* if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ From fdaf251ba02111b21244524018d7dd6a1b13c6a4 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:36:52 -0400 Subject: [PATCH 24/28] Fix Repo Logic --- setup/so-functions | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 0771567b2..b8cd2cae2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2291,7 +2291,9 @@ securityonion_repo() { else mkdir -p /root/oldrepos mv -v /etc/yum.repos.d/* /root/oldrepos/ - rm -rf /etc/yum.repos.d/* + ls -la /etc/yum.repos.d/ + rm -rf /etc/yum.repos.d + mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ else From 4c5f373ffa2c3e5f3532d32e42c1d50c1e88e6a7 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:37:44 -0400 Subject: [PATCH 25/28] Fix Repo Logic --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-functions b/setup/so-functions index b8cd2cae2..f2face572 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2293,6 +2293,7 @@ securityonion_repo() { mv -v /etc/yum.repos.d/* /root/oldrepos/ ls -la /etc/yum.repos.d/ rm -rf /etc/yum.repos.d + yum clean all mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ From 09b14e6a863ede8568d0b0622f3a18dd41af9eb1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 10:38:50 -0400 Subject: [PATCH 26/28] Fix Repo Logic --- setup/so-functions | 1 + 1 file changed, 1 insertion(+) 
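Review bot: The `ls -la /etc/yum.repos.d/` added to securityonion_repo, together with the `yum clean all` in the next hunk on this line and the `yum repolist all` in the following commit, read like debugging left in place: their output goes to the console rather than `$setup_log`, and `yum repolist all` runs after `rm -rf /etc/yum.repos.d` but before the `mkdir -p` that recreates it, so it reports on a repo set that no longer exists. Keep `yum clean all` (it is what actually drops the cached metadata of the old repos), drop `ls -la` and `yum repolist all` or redirect them with `>> "$setup_log" 2>&1`, and move any repolist check after the new `.repo` file is copied in so it reflects the final state. Also `mv -v /etc/yum.repos.d/* /root/oldrepos/` prints an error when the directory is already empty and, if this function runs under `set -e`, aborts setup; `shopt -s nullglob` around the move avoids that.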
diff --git a/setup/so-functions b/setup/so-functions index f2face572..9cbad1cfb 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2294,6 +2294,7 @@ securityonion_repo() { ls -la /etc/yum.repos.d/ rm -rf /etc/yum.repos.d yum clean all + yum repolist all mkdir -p /etc/yum.repos.d if [[ ! $is_manager && "$MANAGERUPDATES" == "1" ]]; then cp -f ../salt/common/yum_repos/securityonioncache.repo /etc/yum.repos.d/ From b53815d04af3731f59fdf466653f040715d10f7f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 8 Apr 2021 11:42:41 -0400 Subject: [PATCH 27/28] Fix Telegraf sostatus --- salt/telegraf/etc/telegraf.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/salt/telegraf/etc/telegraf.conf b/salt/telegraf/etc/telegraf.conf index f6bcbdaf5..1b172485b 100644 --- a/salt/telegraf/etc/telegraf.conf +++ b/salt/telegraf/etc/telegraf.conf @@ -663,6 +663,15 @@ # # Read metrics from one or more commands that can output to stdout +[[inputs.exec]] + commands = [ + "/scripts/sostatus.sh" + ] + data_format = "influx" + timeout = "15s" + interval = "180s" + + # ## Commands array {% if grains['role'] in ['so-manager', 'so-managersearch'] %} [[inputs.exec]] From c9feda116853bf91d5160c8205dc4602268c6afe Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 9 Apr 2021 08:48:29 -0400 Subject: [PATCH 28/28] Do not upgrade salt on ISO installs --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index b7acf7cb1..ba815e57f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2718,7 +2718,7 @@ update_sudoers() { update_packages() { if [ "$OS" = 'centos' ]; then yum repolist >> /dev/null - yum -y update >> "$setup_log" + yum -y update --exclude=salt* >> "$setup_log" else retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1
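Review bot: `--exclude=salt*` in update_packages is an unquoted glob: bash expands it against the current directory before yum sees it, so if a file whose name starts with `salt` is ever present where setup runs (the relative `../salt/...` paths elsewhere in this series suggest that is the `setup/` tree, where it probably matches nothing today), yum receives that filename instead of the pattern and the exclusion silently stops working. Quote it: `yum -y update --exclude='salt*' >> "$setup_log"`. A one-line comment above the call, e.g. `# do not let a generic OS update move salt off the version setup expects`, would record why the package is pinned, since the commit message only states that it is.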