CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-07 09:42:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Setup Script - update formatting and added comments

Browse Source
This commit is contained in:
Mike Reeves
2018-04-10 17:11:36 -04:00
parent 3625b4557a
commit ee4ff2fa4d
1 changed files with 98 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
so-setup-network.sh
View File

@@ -27,50 +27,60 @@ LISTCORES=$(cat /proc/cpuinfo | grep processor | awk '{print $3 " \"" "core" "\"
# Functions # Functions
calculate_useable_cores() { calculate_useable_cores() {
#Calculate total lbprocs for basic install
# Calculate reasonable core usage
local CORES4BRO=$(( $CPUCORES/2 - 1 )) local CORES4BRO=$(( $CPUCORES/2 - 1 ))
LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO) LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO)
# We don't want it to be 0
if [ "$LBPROCSROUND" -lt 1 ]; then if [ "$LBPROCSROUND" -lt 1 ]; then
LBPROCS=1 LBPROCS=1
else else
LBPROCS=$LBPROCSROUND LBPROCS=$LBPROCSROUND
fi fi
}
bro_pins(){
echo "Bro Pins will go here"
} }
accept_salt_key_local() { accept_salt_key_local() {
# Accept the key
# Accept the key locally on the master
salt-key -ya $HOSTNAME salt-key -ya $HOSTNAME
} }
accept_salt_key_remote() { accept_salt_key_remote() {
# Accept the key # Accept the key remotely so the device can check in
ssh -i ~/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y ssh -i ~/.ssh/so.key socore@$MSRV sudo salt-key -a $HOSTNAME -y
} }
add_socore_user_master() { add_socore_user_master() {
# Add user "socore" to the master. This will be for things like accepting keys.
groupadd --gid 939 socore groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore
# Prompt the user to set a password for the user
passwd socore passwd socore
} }
add_socore_user_notmaster() { add_socore_user_notmaster() {
# Add socore user to the system. Probably not a bad idea to make system user
# Add socore user to the non master system. Probably not a bad idea to make system user
groupadd --gid 939 socore groupadd --gid 939 socore
$ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore
} }
chown_salt_master() { chown_salt_master() {
# Chown the salt dirs
# Chown the salt dirs on the master for socore
chown -R socore:socore /opt/so chown -R socore:socore /opt/so
} }
configure_minion() { configure_minion() {
# You have to pass the TYPE to this function so it knows if its a master or not
local TYPE=$1 local TYPE=$1
touch /etc/salt/grains touch /etc/salt/grains
@@ -82,14 +92,21 @@ configure_minion() {
fi fi
service salt-minion restart service salt-minion restart
} }
copy_master_config() { copy_master_config() {
# Copy the master config template to the proper directory
cp files/master /etc/salt/master cp files/master /etc/salt/master
# Restart the service so it picks up the changes -TODO Enable service on CentOS
service salt-master restart service salt-master restart
} }
copy_minion_pillar() { copy_minion_pillar() {
# Pass the type so it knows where to copy the pillar
local TYPE=$1 local TYPE=$1
if [ $TYPE = 'STORAGENODE' ]; then if [ $TYPE = 'STORAGENODE' ]; then
@@ -104,43 +121,38 @@ copy_minion_pillar() {
} }
configure_sensor_pillar() {
# Create the pillar file for the sensor
touch /tmp/$HOSTNAME.sls
echo "sensors:" > /tmp/$HOSTNAME.sls
echo " interface: bond0" >> /tmp/$HOSTNAME.sls
# Need to add logic here to determine if you are pinning or not or standalone
echo " bro_lbprocs: $LBPROCS" >> /tmp/$HOSTNAME.sls
# Need to add pins loop
}
copy_ssh_key() { copy_ssh_key() {
# Generate and copy SSH key
# Generate SSH key
mkdir -p ~/.ssh mkdir -p ~/.ssh
cat /dev/zero | ssh-keygen -f ~/.ssh/so.key -t rsa -q -N "" cat /dev/zero | ssh-keygen -f ~/.ssh/so.key -t rsa -q -N ""
chown -R $SUDO_USER:$SUDO_USER ~/.ssh chown -R $SUDO_USER:$SUDO_USER ~/.ssh
#Copy the key over to the master #Copy the key over to the master
sudo ssh-copy-id -i ~/.ssh/so.key socore@$MSRV sudo ssh-copy-id -i ~/.ssh/so.key socore@$MSRV
} }
create_bond() { create_bond() {
# Create the bond interface # Create the bond interface
echo "Setting up Bond" echo "Setting up Bond"
# Do something different based on the OS
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
alias bond0 bonding alias bond0 bonding
mode=0 mode=0
# Create Bond files for the selected monitor interface # Create Bond files for the selected monitor interface - TODO
for BNIC in ${BNICS[@]}; do for BNIC in ${BNICS[@]}; do
echo "blah" echo "blah"
done done
else else
# Need to add 17.04 support still # Need to add 17.04 support still
apt -y install ifenslave apt -y install ifenslave
echo "bonding" >> /etc/modules echo "bonding" >> /etc/modules
modprobe bonding modprobe bonding
# Backup and create a new interface file # Backup and create a new interface file
cp /etc/network/interfaces /etc/network/interfaces.sosetup cp /etc/network/interfaces /etc/network/interfaces.sosetup
@@ -148,11 +160,12 @@ create_bond() {
local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces) local MINT=$(awk "/auto $MNIC/,/^$/" /etc/network/interfaces)
# Let's set up the new interface file # Let's set up the new interface file
# Populate lo and the management interface
echo $LBACK > /tmp/interfaces echo $LBACK > /tmp/interfaces
echo $MINT >> /tmp/interfaces echo $MINT >> /tmp/interfaces
cp /tmp/interfaces /etc/network/interfaces cp /tmp/interfaces /etc/network/interfaces
# Create a for loop here # Create entries for each interface that is part of the bond.
for BNIC in ${BNICS[@]}; do for BNIC in ${BNICS[@]}; do
BNIC=$(echo $BNIC | cut -d\" -f2) BNIC=$(echo $BNIC | cut -d\" -f2)
echo "auto $BNIC" >> /etc/network/interfaces echo "auto $BNIC" >> /etc/network/interfaces
@@ -174,9 +187,11 @@ create_bond() {
echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces echo " post-up ethtool -G \$IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K \$IFACE \$i off; done" >> /etc/network/interfaces
echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces echo " post-up echo 1 > /proc/sys/net/ipv6/conf/\$IFACE/disable_ipv6" >> /etc/network/interfaces
fi fi
} }
detect_os() { detect_os() {
# Detect Base OS # Detect Base OS
if [ -f /etc/redhat-release ]; then if [ -f /etc/redhat-release ]; then
OS=centos OS=centos
@@ -186,38 +201,45 @@ detect_os() {
echo "We were unable to determine if you are using a supported OS." echo "We were unable to determine if you are using a supported OS."
exit exit
fi fi
} }
#disk_space() {
# Give me Disk Space
#}
es_heapsize() { es_heapsize() {
# Determine ES Heap Size # Determine ES Heap Size
if [ $TOTAL_MEM -lt 8000 ] ; then if [ $TOTAL_MEM -lt 8000 ] ; then
ES_HEAP_SIZE="600m" ES_HEAP_SIZE="600m"
elif [ $TOTAL_MEM -ge 124000 ]; then elif [ $TOTAL_MEM -ge 100000 ]; then
# Set a max of 31GB for heap size # Set a max of 25GB for heap size
# https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html
ES_HEAP_SIZE="31000m" ES_HEAP_SIZE="25000m"
else else
# Set heap size to 25% of available memory # Set heap size to 25% of available memory
ES_HEAP_SIZE=$(($TOTAL_MEM / 4))"m" ES_HEAP_SIZE=$(($TOTAL_MEM / 4))"m"
fi fi
} }
filter_nics() { filter_nics() {
# Filter the NICs that we don't want to see in setup
FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}') FNICS=$(ip link | grep -vw $MNIC | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2 " \"" "Interface" "\"" " OFF"}')
} }
got_root() { got_root() {
# Make sure you are root
if [ "$(id -u)" -ne 0 ]; then if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run using sudo!" echo "This script must be run using sudo!"
exit 1 exit 1
fi fi
} }
install_master() { install_master() {
# Install the salt master package
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
yum -y install salt-master yum -y install salt-master
else else
@@ -225,10 +247,11 @@ install_master() {
fi fi
copy_master_config copy_master_config
# If Centos Enable the service
} }
ls_heapsize() { ls_heapsize() {
# Determine LS Heap Size # Determine LS Heap Size
if [ $TOTAL_MEM -ge 16000 ] ; then if [ $TOTAL_MEM -ge 16000 ] ; then
LS_HEAP_SIZE="4192m" LS_HEAP_SIZE="4192m"
@@ -236,9 +259,11 @@ ls_heapsize() {
# Set a max of 1GB heap if you have less than 16GB RAM # Set a max of 1GB heap if you have less than 16GB RAM
LS_HEAP_SIZE="1g" LS_HEAP_SIZE="1g"
fi fi
} }
master_pillar() { master_pillar() {
# Create the master pillar # Create the master pillar
touch /opt/so/saltstack/pillar/masters/$HOSTNAME.sls touch /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
echo "master:" > /opt/so/saltstack/pillar/masters/$HOSTNAME.sls echo "master:" > /opt/so/saltstack/pillar/masters/$HOSTNAME.sls
@@ -266,6 +291,7 @@ master_pillar() {
} }
node_pillar() { node_pillar() {
# Create the node pillar # Create the node pillar
touch /tmp/$HOSTNAME.sls touch /tmp/$HOSTNAME.sls
echo "node:" > /tmp/$HOSTNAME.sls echo "node:" > /tmp/$HOSTNAME.sls
@@ -279,13 +305,11 @@ node_pillar() {
echo " ls_input_threads: $LSINPUTTHREADS" >> /tmp/$HOSTNAME.sls echo " ls_input_threads: $LSINPUTTHREADS" >> /tmp/$HOSTNAME.sls
echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> /tmp/$HOSTNAME.sls echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> /tmp/$HOSTNAME.sls
echo " es_shard_count: $SHARDCOUNT" >> /tmp/$HOSTNAME.sls echo " es_shard_count: $SHARDCOUNT" >> /tmp/$HOSTNAME.sls
}
#pcap_pin() { }
# Array3=(`echo ${Array1[@]} ${Array2[@]} | tr ' ' '\n' | sort | uniq -u` )
#}
saltify() { saltify() {
# Install updates and Salt # Install updates and Salt
if [ $OS == 'centos' ]; then if [ $OS == 'centos' ]; then
ADDUSER=adduser ADDUSER=adduser
@@ -300,7 +324,7 @@ saltify() {
# Add the pre-requisites for installing docker-ce # Add the pre-requisites for installing docker-ce
apt-get -y install ca-certificates curl software-properties-common apt-transport-https apt-get -y install ca-certificates curl software-properties-common apt-transport-https
# grab the version from the os-release file # Grab the version from the os-release file
UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
# Install the repo for salt # Install the repo for salt
@@ -316,27 +340,38 @@ saltify() {
apt-get -y install salt-minion apt-get -y install salt-minion
fi fi
} }
salt_checkin() { salt_checkin() {
# Run Checkin
salt-call state.highstate salt-call state.highstate
} }
salt_checkin_message() { salt_checkin_message() {
# Wann the user that this might take a while
echo "####################################################" echo "####################################################"
echo "## ##" echo "## ##"
echo "## Applying and Installing everything ##" echo "## Applying and Installing everything ##"
echo "## (This will take a while) ##" echo "## (This will take a while) ##"
echo "## ##" echo "## ##"
echo "####################################################" echo "####################################################"
} }
salt_master_directories() { salt_master_directories() {
# Create salt directories
# Create salt paster directories
mkdir -p /opt/so/saltstack/salt mkdir -p /opt/so/saltstack/salt
mkdir -p /opt/so/saltstack/pillar mkdir -p /opt/so/saltstack/pillar
# Copy over the salt code and templates
cp -R pillar/* /opt/so/saltstack/pillar/ cp -R pillar/* /opt/so/saltstack/pillar/
cp -R salt/* /opt/so/saltstack/salt/ cp -R salt/* /opt/so/saltstack/salt/
} }
sensor_pillar() { sensor_pillar() {
@@ -362,11 +397,11 @@ sensor_pillar() {
echo " pcapbpf:" >> /tmp/$HOSTNAME.sls echo " pcapbpf:" >> /tmp/$HOSTNAME.sls
echo " nidsbpf:" >> /tmp/$HOSTNAME.sls echo " nidsbpf:" >> /tmp/$HOSTNAME.sls
} }
update_sudoers() { update_sudoers() {
# Update Sudoers # Update Sudoers so that socore can accept keys without a password
echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers echo "socore ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | sudo tee -a /etc/sudoers
} }
@@ -428,16 +463,21 @@ whiptail_bond_nics_mtu() {
} }
whiptail_cancel() { whiptail_cancel() {
whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 78 whiptail --title "Security Onion Setup" --msgbox "Cancelling Setup. No changes have been made." 8 78
exit exit
} }
whiptail_check_exitstatus() { whiptail_check_exitstatus() {
if [ $1 == '1' ]; then if [ $1 == '1' ]; then
echo " They hit cancel" echo " They hit cancel"
whiptail_cancel whiptail_cancel
fi fi
} }
whiptail_install_type() { whiptail_install_type() {
# What kind of install are we doing? # What kind of install are we doing?
@@ -450,6 +490,7 @@ whiptail_install_type() {
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_management_nic() { whiptail_management_nic() {
@@ -483,10 +524,12 @@ whiptail_oinkcode() {
} }
whiptail_make_changes() { whiptail_make_changes() {
whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $INSTALLTYPE. Please hit YES to make changes or NO to cancel." 8 78 whiptail --title "Security Onion Setup" --yesno "We are going to set this machine up as a $INSTALLTYPE. Please hit YES to make changes or NO to cancel." 8 78
local exitstatus=$? local exitstatus=$?
whiptail_check_exitstatus $exitstatus whiptail_check_exitstatus $exitstatus
} }
whiptail_management_server() { whiptail_management_server() {
@@ -589,8 +632,10 @@ whiptail_sensor_config() {
} }
whiptail_setup_complete() { whiptail_setup_complete() {
whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78 whiptail --title "Security Onion Setup" --msgbox "Finished installing this as an $INSTALLTYPE. A reboot is recommended." 8 78
exit exit
} }
whiptail_suricata_pins() { whiptail_suricata_pins() {
@@ -608,13 +653,25 @@ whiptail_you_sure() {
whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78 whiptail --title "Security Onion Setup" --yesno "Are you sure you want to install Security Onion over the internet?" 8 78
} }
# End Functions ########################
## ##
## End Functions ##
## ##
########################
#####################
## ##
## Let's Go! ##
## ##
#####################
# Check for prerequisites # Check for prerequisites
echo "Checking for Root" echo "Checking for Root"
got_root got_root
echo "Detecting OS" echo "Detecting OS"
detect_os detect_os
if [ $OS == ubuntu ]; then if [ $OS == ubuntu ]; then
# Override the horrible Ubuntu whiptail color pallete # Override the horrible Ubuntu whiptail color pallete
update-alternatives --set newt-palette /etc/newt/palette.original update-alternatives --set newt-palette /etc/newt/palette.original