Merge branch '2.4/dev' into kilo

2025-12-06 17:22:49 +01:00 · 2023-07-28 14:15:14 -04:00
parent a5c4783564 bc09b418ca
commit f4907a5b5c
5 changed files with 133 additions and 373 deletions
--- a/salt/common/tools/sbin/so-common
+++ b/salt/common/tools/sbin/so-common
@@ -210,7 +210,7 @@ gpg_rpm_import() {
    	        rpm --import $RPMKEYSLOC/$RPMKEY
 	        echo "Imported $RPMKEY"
 	    done
-	else
+	elif [[ $is_rpm ]]; then
 		info "Importing the security onion GPG key"
 		rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub
 	fi
--- a/salt/desktop/packages.sls
+++ b/salt/desktop/packages.sls
@@ -46,10 +46,9 @@ desktop_packages:
      - cairo-gobject
      - cairomm
      - checkpolicy
-      - cheese
-      - cheese-libs
      - chkconfig
      - chrome-gnome-shell
+      - chromium
      - clutter
      - clutter-gst3
      - clutter-gtk
@@ -72,9 +71,11 @@ desktop_packages:
      - dejavu-sans-mono-fonts
      - dejavu-serif-fonts
      - desktop-file-utils
+      - dsniff
+      - ethtool
      - evolution-data-server
      - evolution-data-server-langpacks
-      - firefox
+      - file
      - flac-libs
      - flashrom
      - flatpak
@@ -282,6 +283,8 @@ desktop_packages:
      - lohit-odia-fonts
      - lohit-tamil-fonts
      - lohit-telugu-fonts
+      - lshw
+      - lsof
      - mesa-dri-drivers
      - mesa-filesystem
      - mesa-libEGL
@@ -292,17 +295,20 @@ desktop_packages:
      - mesa-vulkan-drivers
      - microcode_ctl
      - mobile-broadband-provider-info
-      - mozilla-filesystem
      - mpfr
      - mpg123-libs
      - mtdev
      - mtr
      - nautilus
      - nautilus-extensions
+      - net-tools
+      - nvme-cli
+      - open-vm-tools-desktop
      - oracle-backgrounds
      - oracle-indexhtml
      - oracle-logos
      - pcaudiolib
+      - pciutils
      - pinentry
      - pinentry-gnome3
      - pinfo
@@ -351,6 +357,7 @@ desktop_packages:
      - system-config-printer-udev
      - taglib
      - tcpdump
+      - tcpflow
      - thai-scalable-fonts-common
      - thai-scalable-waree-fonts
      - totem
@@ -393,9 +400,11 @@ desktop_packages:
      - webkit2gtk3
      - webkit2gtk3-jsc
      - webrtc-audio-processing
+      - whois
      - wireless-regdb
      - wireplumber
      - wireplumber-libs
+      - wireshark
      - woff2
      - words
      - wpa_supplicant
@@ -422,310 +431,8 @@ desktop_packages:
      - xorg-x11-xauth
      - xorg-x11-xinit
      - xorg-x11-xinit-session
-#
-#      - aajohan-comfortaa-fonts
-#      - abattis-cantarell-fonts
-#      - acl
-#      - alsa-ucm
-#      - alsa-utils
-#      - anaconda
-#      - anaconda-install-env-deps
-#      - at
-#      - attr
-#      - audit
-#      - authselect
-#      - basesystem
-#      - bash
-#      - bash-completion
-#      - bc
-#      - blktrace
-#      - bluez
-#      - bolt
-#      - bpftool
-#      - bzip2
-#      - chkconfig
-#      - chromium
-#      - chrony
-#      - cockpit
-#      - coreutils
-#      - cpio
-#      - cronie
-#      - crontabs
-#      - crypto-policies
-#      - crypto-policies-scripts
-#      - cryptsetup
-#      - curl
-#      - cyrus-sasl-plain
-#      - dbus
-#      - dejavu-sans-fonts
-#      - dejavu-sans-mono-fonts
-#      - dejavu-serif-fonts
-#      - dnf
-#      - dnf-plugins-core
-#      - dos2unix
-#      - dosfstools
-#      - dracut-config-rescue
-#      - dracut-live
-#      - dsniff
-#      - e2fsprogs
-#      - ed
-#      - efibootmgr
-#      - efi-filesystem
-#      - efivar-libs
-#      - eom
-#      - ethtool
-#      - file
-#      - filesystem
-#      - firewall-config
-#      - firewalld
-#      - fprintd-pam
-#      - gdm
-#      - git
-#      - glibc
-#      - glibc-all-langpacks
-#      - gnome-autoar
-#      - gnome-bluetooth
-#      - gnome-bluetooth-libs
-#      - gnome-calculator
-#      - gnome-characters
-#      - gnome-color-manager
-#      - gnome-control-center
-#      - gnome-desktop3
-#      - gnome-disk-utility
-#      - gnome-font-viewer
-#      - gnome-initial-setup
-#      - gnome-keyring
-#      - gnome-keyring-pam
-#      - gnome-logs
-#      - gnome-menus
-#      - gnome-online-accounts
-#      - gnome-remote-desktop
-#      - gnome-screenshot
-#      - gnome-session
-#      - gnome-session-wayland-session
-#      - gnome-session-xsession
-#      - gnome-settings-daemon
-#      - gnome-shell
-#      - gnome-software
-#      - gnome-system-monitor
-#      - gnome-terminal
-#      - gnome-terminal-nautilus
-#      - gnome-tour
-#      - gnupg2
-#      - google-noto-emoji-color-fonts
-#      - google-noto-sans-cjk-ttc-fonts
-#      - google-noto-sans-gurmukhi-fonts
-#      - google-noto-sans-sinhala-vf-fonts
-#      - google-noto-serif-cjk-ttc-fonts
-#      - grub2-common
-#      - grub2-pc-modules
-#      - grub2-tools
-#      - grub2-tools-efi
-#      - grub2-tools-extra
-#      - grub2-tools-minimal
-#      - grubby
-#      - gstreamer1-plugins-bad-free
-#      - gstreamer1-plugins-good
-#      - gstreamer1-plugins-ugly-free
-#      - gvfs-gphoto2
-#      - gvfs-mtp
-#      - gvfs-smb
-#      - hostname
-#      - hyperv-daemons
-#      - ibus-anthy
-#      - ibus-hangul
-#      - ibus-libpinyin
-#      - ibus-libzhuyin
-#      - ibus-m17n
-#      - ibus-typing-booster
-#      - imsettings-systemd
-#      - initial-setup-gui
-#      - initscripts
-#      - initscripts-rename-device
-#      - iproute
-#      - iproute-tc
-#      - iprutils
-#      - iputils
-#      - irqbalance
-#      - iwl1000-firmware
-#      - iwl100-firmware
-#      - iwl105-firmware
-#      - iwl135-firmware
-#      - iwl2000-firmware
-#      - iwl2030-firmware
-#      - iwl3160-firmware
-#      - iwl5000-firmware
-#      - iwl5150-firmware
-#      - iwl6000g2a-firmware
-#      - iwl6000g2b-firmware
-#      - iwl6050-firmware
-#      - iwl7260-firmware
-#      - jomolhari-fonts
-#      - julietaula-montserrat-fonts
-#      - kbd
-#      - kernel
-#      - kernel-modules
-#      - kernel-modules-extra
-#      - kernel-tools
-#      - kexec-tools
-#      - khmer-os-system-fonts
-#      - kmod-kvdo
-#      - ledmon
-#      - less
-#      - liberation-mono-fonts
-#      - liberation-sans-fonts
-#      - liberation-serif-fonts
-#      - libertas-sd8787-firmware
-#      - libstoragemgmt
-#      - libsysfs
-#      - lightdm
-#      - linux-firmware
-#      - logrotate
-#      - lohit-assamese-fonts
-#      - lohit-bengali-fonts
-#      - lohit-devanagari-fonts
-#      - lohit-gujarati-fonts
-#      - lohit-kannada-fonts
-#      - lohit-odia-fonts
-#      - lohit-tamil-fonts
-#      - lohit-telugu-fonts
-#      - lshw
-#      - lsof
-#      - lsscsi
-#      - lvm2
-#      - mailcap
-#      - man-db
-#      - man-pages
-#      - mcelog
-#      - mdadm
-#      - memtest86+
-#      - metacity
-#      - microcode_ctl
-#      - mlocate
-#      - mtr
-#      - nano
-#      - ncurses
-#      - netronome-firmware
-#      - net-tools
-#      - NetworkManager
-#      - NetworkManager-adsl
-#      - NetworkManager-bluetooth
-#      - NetworkManager-l2tp-gnome
-#      - NetworkManager-libreswan-gnome
-#      - NetworkManager-openconnect-gnome
-#      - NetworkManager-openvpn-gnome
-#      - NetworkManager-ppp
-#      - NetworkManager-pptp-gnome
-#      - NetworkManager-team
-#      - NetworkManager-tui
-#      - NetworkManager-wifi
-#      - NetworkManager-wwan
-#      - ngrep
-#      - nmap-ncat
-#      - nm-connection-editor
-#      - nvme-cli
-#      - openssh-clients
-#      - openssh-server
-#      - open-vm-tools-desktop
-#      - p11-kit
-#      - PackageKit-gstreamer-plugin
-#      - paktype-naskh-basic-fonts
-#      - parole
-#      - parted
-#      - passwd
-#      - pciutils
-#      - pinfo
-#      - pipewire
-#      - pipewire-alsa
-#      - pipewire-gstreamer
-#      - pipewire-jack-audio-connection-kit
-#      - pipewire-pulseaudio
-#      - pipewire-utils
-#      - plymouth
-#      - policycoreutils
-#      - powerline
-#      - ppp
-#      - prefixdevname
-#      - procps-ng
-#      - psacct
-#      - pt-sans-fonts
-#      - python3-libselinux
-#      - python3-scapy
-#      - qemu-guest-agent
-#      - quota
-#      - realmd
-#      - redshift-gtk
-#      - rootfiles
-#      - rpm
-#      - rpm-plugin-audit
-#      - rsync
-#      - rsyslog
-#      - rsyslog-gnutls
-#      - rsyslog-gssapi
-#      - rsyslog-relp
-#      - salt-minion
-#      - sane-backends-drivers-scanners
-#      - selinux-policy-targeted
-#      - setroubleshoot
-#      - setup
-#      - sg3_utils
-#      - sg3_utils-libs
-#      - shadow-utils
-#      - sil-abyssinica-fonts
-#      - sil-nuosu-fonts
-#      - sil-padauk-fonts
-#      - slick-greeter
-#      - slick-greeter-cinnamon
-#      - smartmontools
-#      - smc-meera-fonts
-#      - sos
-#      - spice-vdagent
-#      - ssldump
-#      - sssd
-#      - sssd-common
-#      - sssd-kcm
-#      - stix-fonts
-#      - strace
-#      - sudo
-#      - symlinks
-#      - syslinux
-#      - systemd
-#      - systemd-udev
-#      - tar
-#      - tcpdump
-#      - tcpflow
-#      - teamd
-#      - thai-scalable-waree-fonts
-#      - time
-#      - tmux
-#      - tmux-powerline
-#      - transmission
-#      - tree
-#      - tuned
-#      - unzip
-#      - usb_modeswitch
-#      - usbutils
-#      - util-linux
-#      - util-linux-user
-#      - vdo
-#      - vim-enhanced
-#      - vim-minimal
-#      - vim-powerline
-#      - virt-what
-#      - wget
-#      - which
-#      - whois
-#      - wireplumber
-#      - wireshark
-#      - words
-#      - xdg-user-dirs-gtk
-#      - xed
-#      - xfsdump
-#      - xfsprogs
-#      - xreader
-#      - yum
-#      - zip
-#
+      - zip
+
 {% else %}

 desktop_packages_os_fail:
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -1054,12 +1054,8 @@ installer_prereq_packages() {
 		if ! command -v nmcli > /dev/null 2>&1; then
 			info "Installing network-manager"
 			retry 150 10 "apt-get -y install network-manager ethtool" >> "$setup_log" 2>&1 || fail_setup
-			if [[ $is_debian ]]; then
-				info "Enabling network manager for the main interface"
-				logCmd "sed -i 's/managed=false/managed=true/g' /etc/NetworkManager/NetworkManager.conf" 
-			fi
-			logCmd systemctl enable NetworkManager
-			logCmd systemctl start NetworkManager			
+			logCmd "systemctl enable NetworkManager"
+			logCmd "systemctl start NetworkManager"
 		fi
 		if ! command -v curl > /dev/null 2>&1; then
 			retry 150 10 "apt-get -y install curl"  >> "$setup_log" 2>&1 || fail_setup
@@ -1902,14 +1898,42 @@ securityonion_repo() {
 		logCmd "dnf -v clean all"
 		logCmd "mkdir -vp /root/oldrepos"
 		logCmd "mv -v /etc/yum.repos.d/* /root/oldrepos/"
-		if [[ ! $waitforstate ]]; then
+		if [[ $is_desktop_iso ]]; then
+			gpg_rpm_import
+			if [[ ! $is_airgap ]]; then
+				echo "https://repo.securityonion.net/file/so-repo/prod/2.4/oracle/9" > /etc/yum/mirror.txt
+				echo "https://so-repo-east.s3.us-east-005.backblazeb2.com/prod/2.4/oracle/9" >> /etc/yum/mirror.txt
+				echo "[main]" > /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "installonly_limit=3" >> /etc/yum.repos.d/securityonion.repo
+				echo "clean_requirements_on_remove=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "best=True" >> /etc/yum.repos.d/securityonion.repo
+				echo "skip_if_unavailable=False" >> /etc/yum.repos.d/securityonion.repo
+				echo "cachedir=/opt/so/conf/reposync/cache" >> /etc/yum.repos.d/securityonion.repo
+				echo "keepcache=0" >> /etc/yum.repos.d/securityonion.repo
+				echo "[securityonionsync]" >> /etc/yum.repos.d/securityonion.repo
+				echo "name=Security Onion Repo repo" >> /etc/yum.repos.d/securityonion.repo
+				echo "mirrorlist=file:///etc/yum/mirror.txt" >> /etc/yum.repos.d/securityonion.repo
+				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+				logCmd "dnf repolist"
+			else
 				echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 				echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 				echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
 				echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
 				echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
 				echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo
-		else
+				logCmd "dnf repolist"
+			fi
+		elif [[ ! $waitforstate ]]; then
+			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
+			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/securityonion.repo
+			echo "enabled=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "gpgcheck=1" >> /etc/yum.repos.d/securityonion.repo
+			echo "sslverify=0" >> /etc/yum.repos.d/securityonion.repo		
+		elif [[ $waitforstate ]]; then
 			echo "[securityonion]" > /etc/yum.repos.d/securityonion.repo
 			echo "name=Security Onion Repo" >> /etc/yum.repos.d/securityonion.repo
 			echo "baseurl=file:///nsm/repo/" >> /etc/yum.repos.d/securityonion.repo
@@ -1973,7 +1997,7 @@ repo_sync_local() {
 				logCmd "dnf -y install https://dl.fedoraproject.org/pub/epel/epel-next-release-latest-9.noarch.rpm"
 			else  
 				logCmd "dnf config-manager --set-enabled crb"
-				logCmd "dnf -y install epel-release epel-next"
+				logCmd "dnf -y install epel-release"
 			fi
 			dnf install -y yum-utils device-mapper-persistent-data lvm2
 			curl -fsSL https://repo.securityonion.net/file/so-repo/prod/2.4/so/so.repo | tee /etc/yum.repos.d/so.repo
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -86,6 +86,16 @@ if [[ $not_supported ]]; then
 	fi
 fi

+# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
+# if packages are updated and the box isn't rebooted
+if [[ $is_debian ]]; then
+	update_packages
+	if [[ -f "/var/run/reboot-required" ]]; then
+		whiptail_debian_reboot_required
+		reboot
+	fi
+fi
+
 # Check to see if this is the setup type of "desktop".
 is_desktop=
 if [ "$setup_type" = 'desktop' ]; then
@@ -107,52 +117,6 @@ if [[ "$setup_type" == 'iso' ]]; then
 	fi
 fi

-# Check to see if this is an desktop install. If it is let's run things differently
-if [[ $is_desktop ]]; then
-	title "This is a desktop install"
-
-	# Make sure it's CentOS or Rocky Linux
-	if [[ $is_rpm ]]; then
-		info "Security Onion Desktop is supported on this OS."
-	else
-		info "Security Onion Desktop is not supported on this OS."
-		exit 1
-	fi
-
-	if ! whiptail_desktop_install; then
-		if [[ $is_desktop_iso ]]; then
-			if whiptail_desktop_nongrid_iso; then
-				# Remove setup from auto launching
-				parse_install_username
-				sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
-				info "Enabling graphical interface and setting it to load at boot"
-				systemctl set-default graphical.target
-				startx
-				exit 0
-			else
-				# Abort!
-				exit 0
-			fi
-		else
-			if whiptail_desktop_nongrid_network; then
-				info ""
-				info ""
-				info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection."
-				info ""
-				info ""
-				desktop_salt_local
-			else
-				# Abort!
-				exit 0
-			fi
-		fi
-	fi
-
-	# If you got this far then you want to join the grid
-	is_minion=true
-
-fi
-
 if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then
 	exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
 fi
@@ -356,6 +320,57 @@ fi
 # Process the install type
 process_installtype

+# Check to see if this is an desktop install. If it is let's run things differently
+if [[ $is_desktop ]]; then
+	title "This is a desktop install"
+
+	# Make sure it's oracle
+	if [[ $is_oracle ]]; then
+		info "Security Onion Desktop is supported on this OS."
+	else
+		info "Security Onion Desktop is not supported on this OS."
+		exit 1
+	fi
+
+#	if ! whiptail_desktop_install; then
+	if [[ $is_desktop_iso ]]; then
+		if whiptail_desktop_nongrid_iso; then
+			# Remove setup from auto launching
+			parse_install_username
+			sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
+			securityonion_repo
+			info "Enabling graphical interface and setting it to load at boot"
+			systemctl set-default graphical.target
+			echo "Desktop Install Complete!"
+			echo ""
+			echo "Please reboot to start graphical interface."
+			exit 0
+		else
+			# Abort!
+			exit 0
+		fi
+	else
+		if whiptail_desktop_nongrid_network; then
+			info ""
+			info ""
+			info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection."
+			info ""
+			info ""
+			desktop_salt_local
+		else
+			# Abort!
+			exit 0
+		fi
+	fi
+#	fi
+
+	# If you got this far then you want to join the grid
+	is_minion=true
+
+fi
+
+
+
 # If this is not an automated install prompt
 if ! [[ -f $install_opt_file ]]; then
 	# If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles
@@ -459,7 +474,6 @@ if ! [[ -f $install_opt_file ]]; then
 		whiptail_end_settings
 	elif [[ $is_sensor ]]; then
 		info "Setting up as node type sensor"
-		installer_prereq_packages
 		monints=true
 		check_requirements "sensor"
 		calculate_useable_cores
@@ -489,7 +503,6 @@ if ! [[ -f $install_opt_file ]]; then

 	elif [[ $is_searchnode ]]; then
 		info "Setting up as node type searchnode"
-		installer_prereq_packages
 		check_requirements "elasticsearch"
 		networking_needful
 		check_network_manager_conf
@@ -503,7 +516,6 @@ if ! [[ -f $install_opt_file ]]; then

 	elif [[ $is_heavynode ]]; then
 		info "Setting up as node type heavynode"
-		installer_prereq_packages
 		monints=true
 		check_requirements "heavynode"
 		calculate_useable_cores
@@ -520,7 +532,6 @@ if ! [[ -f $install_opt_file ]]; then

 	elif [[ $is_idh ]]; then
 		info "Setting up as node type idh"
-		installer_prereq_packages
 		check_requirements "idh"
 		networking_needful
 		collect_mngr_hostname
@@ -553,7 +564,6 @@ if ! [[ -f $install_opt_file ]]; then

 	elif [[ $is_receiver ]]; then
 		info "Setting up as node type receiver"
-		installer_prereq_packages
 		check_requirements "receiver"
 		networking_needful
 		collect_mngr_hostname
@@ -682,13 +692,15 @@ if ! [[ -f $install_opt_file ]]; then
 		if [[ ! $is_airgap ]]; then
 			title "Downloading IDS Rules"
 			logCmd "so-rule-update"
-			title "Restarting Suricata to pick up the new rules"
-			logCmd "so-suricata-restart"
 			title "Downloading YARA rules"
 			logCmd "su socore -c '/usr/sbin/so-yara-download'"
+			if [[ $monints ]]; then
+				title "Restarting Suricata to pick up the new rules"
+				logCmd "so-suricata-restart"
 				title "Restarting Strelka to use new rules"
 				logCmd "so-strelka-restart"
 			fi
+		fi
 		title "Setting up Kibana Default Space"
 		logCmd "so-kibana-space-defaults"
 		add_web_user
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -27,6 +27,23 @@ whiptail_airgap() {
 	fi
 }

+whiptail_debian_reboot_required() {
+
+	[ -n "$TESTING" ] && return
+
+	read -r -d '' message <<- EOM
+
+	Packages were upgraded and a reboot is required prior to Security Onion installation.
+
+	Once the reboot has completed, rerun Security Onion setup.
+
+	Press TAB and then the ENTER key to reboot the system.
+
+	EOM
+
+	whiptail --title "$whiptail_title" --msgbox "$message" 24 75 --scrolltext
+}
+
 whiptail_desktop_install() {

 	[ -n "$TESTING" ] && return