CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 17:22:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

[fix] Networking config fixes + 18.04 changes

Browse Source 
* Add code to allow 18.04 to use Network Manager
* Disable ipv6 on all interfaces to prevent multicast traffic on sniffing interface (revisit later)
* Rename and modify checksum disable script for 18.04 compatibility

Fixes #387
Fixes #413
This commit is contained in:
William Wernert
2020-03-25 16:02:07 -04:00
parent 83c2edb0d9
commit f02808aaa7
3 changed files with 88 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
setup/install_scripts/00-so-checksum-offload-disable
View File

@@ -1,9 +0,0 @@
#!/bin/bash
if [[ "$NM_DISPATCHER_ACTION" == "pre-up" ]]; then
if [[ "$DEVICE_IFACE" != "$MAININT" ]]; then
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K "$DEVICE_IFACE" "$i" off;
done
fi
fi

8
setup/install_scripts/99-so-checksum-offload-disable Executable file
View File

@@ -0,0 +1,8 @@
#!/bin/bash
if [[ "$DEVICE_IFACE" != "ens33" && "$DEVICE_IFACE" != *"docker"* ]]; then
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K "$DEVICE_IFACE" "$i" off;
done
ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off
fi

128
setup/so-functions
View File

@@ -187,11 +187,12 @@ check_hive_init_then_reboot() {
check_network_manager_conf() { check_network_manager_conf() {
local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf"
local nmconf="/etc/NetworkManager/NetworkManager.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf"
local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d"
if ! test -f "${gmdconf}.bak"; then if ! test -f "${gmdconf}.bak"; then
{ {
mv "$gmdconf" "${gmdconf}.bak", mv "$gmdconf" "${gmdconf}.bak"
touch "$gmdconf", touch "$gmdconf"
systemctl restart network-manager systemctl restart network-manager
} >> $SETUPLOG 2>&1 } >> $SETUPLOG 2>&1
fi fi
@@ -199,6 +200,10 @@ check_network_manager_conf() {
if test -f "$nmconf"; then if test -f "$nmconf"; then
sed -i 's/managed=false/managed=true/g' "$nmconf" >> $SETUPLOG 2>&1 sed -i 's/managed=false/managed=true/g' "$nmconf" >> $SETUPLOG 2>&1
fi fi
if [[ ! -d "$preupdir" ]]; then
mkdir "$preupdir" >> $SETUPLOG 2>&1
fi
} }
check_socore_pass() { check_socore_pass() {
@@ -299,8 +304,6 @@ copy_minion_tmp_files() {
} }
}
copy_ssh_key() { copy_ssh_key() {
echo "Generating SSH key" echo "Generating SSH key"
@@ -314,35 +317,54 @@ copy_ssh_key() {
} }
create_sensor_bond() { create_sensor_bond() {
echo "Setting up sensor bond" >> $SETUPLOG 2>&1 echo "Setting up sensor bond" >> $SETUPLOG 2>&1
# Set the MTU local nic_error=0
if [[ $NSMSETUP != 'ADVANCED' ]]; then
MTU=1500
fi
# Create the bond interface check_network_manager_conf >> $SETUPLOG 2>&1
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
ipv4.method disabled \ # Set the MTU
ipv6.method link-local \ if [[ $NSMSETUP != 'ADVANCED' ]]; then
ethernet.mtu $MTU \ MTU=1500
connection.autoconnect "yes" >> $SETUPLOG 2>&1 fi
for BNIC in ${BNICS[@]}; do # Create the bond interface
# Strip the quotes from the NIC names nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" ipv4.method disabled \
# Turn off various offloading settings for the interface ipv6.method ignore \
for i in rx tx sg tso ufo gso gro lro; do ethernet.mtu $MTU \
ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1 connection.autoconnect "yes" >> $SETUPLOG 2>&1
done
# Create the slave interface and assign it to the bond for BNIC in "${BNICS[@]}"; do
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \ BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1 # Check if specific offload features are able to be disabled
# Bring the slave interface up for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 if ethtool -k $BONDNIC | egrep $string | egrep -q "on [fixed]"; then
done echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> $SETUPLOG 2>&1
nic_error=1
break
fi
done
# Turn off various offloading settings for the interface
for i in rx tx sg tso ufo gso gro lro; do
ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1
done
# Create the slave interface and assign it to the bond
nmcli con add type ethernet ifname $BONDNIC con-name "bond0-slave-$BONDNIC" master bond0 -- \
ethernet.mtu $MTU \
connection.autoconnect "yes" >> $SETUPLOG 2>&1
nmcli con up bond0-slave-$BONDNIC >> $SETUPLOG 2>&1 # Bring the slave interface up
done
if [ $nic_error != 0 ]; then
return 1
fi
} }
detect_os() { detect_os() {
@@ -405,17 +427,24 @@ disable_onion_user() {
} }
disable_unused_nics() { disable_misc_network_features() {
for UNUSED_NIC in ${FNICS[@]}; do for UNUSED_NIC in "${FNICS[@]}"; do
# Disable DHCPv4/v6 and autoconnect # Disable DHCPv4/v6 and autoconnect
nmcli con mod $UNUSED_NIC \ nmcli con mod "$UNUSED_NIC" \
ipv4.method disabled \ ipv4.method disabled \
ipv6.method link-local \ ipv6.method ignore \
connection.autoconnect "no" >> $SETUPLOG 2>&1 connection.autoconnect "no" >> $SETUPLOG 2>&1
# Flush any existing IPs # Flush any existing IPs
ip addr flush $UNUSED_NIC >> $SETUPLOG 2>&1 ip addr flush "$UNUSED_NIC" >> $SETUPLOG 2>&1
done
# Disable IPv6
{
echo "net.ipv6.conf.all.disable_ipv6 = 1"
echo "net.ipv6.conf.default.disable_ipv6 = 1"
echo "net.ipv6.conf.lo.disable_ipv6 = 1"
} >> /etc/sysctl.conf
done
} }
docker_install() { docker_install() {
@@ -799,19 +828,22 @@ minio_generate_keys() {
} }
network_setup() { network_setup() {
echo "Finishing up network setup" >> $SETUPLOG 2>&1 echo "Finishing up network setup" >> $SETUPLOG 2>&1
echo "... Disabling unused NICs" >> $SETUPLOG 2>&1 echo "... Verifying all network devices are managed by Network Manager" >> $SETUPLOG 2>&1
disable_unused_nics >> $SETUPLOG 2>&1 check_network_manager_conf >> $SETUPLOG 2>&1
echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1 echo "... Disabling unused NICs" >> $SETUPLOG 2>&1
nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1 disable_misc_network_features >> $SETUPLOG 2>&1
echo "... Copying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Setting ONBOOT for management interface" >> $SETUPLOG 2>&1
cp $SCRIPTDIR/install_scripts/00-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/00-so-checksum-offload-disable >> $SETUPLOG 2>&1 nmcli con mod $MAININT connection.autoconnect "yes" >> $SETUPLOG 2>&1
echo "... Modifying 00-so-checksum-offload-disable" >> $SETUPLOG 2>&1 echo "... Copying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/00-so-checksum-offload-disable >> $SETUPLOG 2>&1 cp $SCRIPTDIR/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1
echo "... Modifying 99-so-checksum-offload-disable" >> $SETUPLOG 2>&1
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable >> $SETUPLOG 2>&1
} }
node_pillar() { node_pillar() {