From 990470a76594192671d358cf0a505bfb8432524a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 10:41:45 -0400 Subject: [PATCH 01/69] Add initial analyst install option to so-setup --- setup/so-functions | 42 +++++++++++++++++++++++++++++++----------- setup/so-setup | 30 ++++++++++++++++++++++++++---- setup/so-whiptail | 17 +++++++++++++++++ 3 files changed, 74 insertions(+), 15 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5b4914941..be3113485 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -138,6 +138,26 @@ analyze_system() { logCmd "ip a" } +analyst_workstation_pillar() { + + local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls + + # Create the analyst workstation pillar + printf '%s\n'\ + "host:"\ + " mainint: '$INTERFACE'"\ + "patch:"\ + " os:"\ + " source: $source"\ + " enabled: true"\ + " schedule_name: '$PATCHSCHEDULENAME'"\ + " splay: 300"\ + "workstation:"\ + " gui:"\ + " enabled: true" >> "$pillar_file" + +} + calculate_useable_cores() { # Calculate reasonable core usage @@ -1108,6 +1128,7 @@ detect_os() { echo "Detecting Base OS" >> "$log" 2>&1 if [ -f /etc/redhat-release ]; then OS=centos + is_centos=true if grep -q "CentOS Linux release 7" /etc/redhat-release; then OSVER=7 elif grep -q "CentOS Linux release 8" /etc/redhat-release; then @@ -1207,7 +1228,7 @@ disable_ipv6() { docker_install() { - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then logCmd "yum clean expire-cache" if [[ ! $is_iso ]]; then logCmd "yum -y install docker-ce-20.10.5-3.el7 docker-ce-cli-20.10.5-3.el7 docker-ce-rootless-extras-20.10.5-3.el7 containerd.io-1.4.4-3.1.el7" @@ -1759,7 +1780,7 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos:"\ + " repos:"\'$PATCHSCHEDULENAME' " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ 
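Review bot: `analyst_workstation_pillar` reads `$source`, `$INTERFACE`, `$PATCHSCHEDULENAME` and `$MINION_ID` from the caller's environment without declaring them, and `$source` in particular is not assigned anywhere in the hunk, so an unset value yields an empty `source:` key in the patch pillar. If these are meant to be populated by an earlier step (the patch pillar collection, presumably), a header comment would make that contract visible, e.g. `# Globals (read): MINION_ID, INTERFACE, PATCHSCHEDULENAME, source — must be set by the caller`. The function also appends (`>>`) to the minion pillar file rather than creating it, so a re-run of setup would duplicate the YAML keys; use `>` if this is the first writer of `$pillar_file`, or say in the comment which function writes it first.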
@@ -1785,7 +1806,7 @@ manager_global() { printf '%s\n'\ " replicas: 0"\ - " discovery_nodes: 1"\ + " discovery_nodes: 1"\'$PATCHSCHEDULENAME' " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ " cluster_routing_allocation_disk_watermark_low: '95%'"\ @@ -1805,8 +1826,7 @@ manager_global() { " index_template:"\ " template:"\ " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " index:"\'$PATCHSCHEDULENAME' " warm: 7"\ " close: 30"\ " delete: 365"\ @@ -2178,7 +2198,7 @@ reset_proxy() { [[ -f /etc/gitconfig ]] && rm -f /etc/gitconfig - if [[ $OS == 'centos' ]]; then + if [[ $is_centos ]]; then sed -i "/proxy=/d" /etc/yum.conf else [[ -f /etc/apt/apt.conf.d/00-proxy.conf ]] && rm -f /etc/apt/apt.conf.d/00-proxy.conf @@ -2206,7 +2226,7 @@ backup_dir() { remove_package() { local package_name=$1 - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then if rpm -qa | grep -q "$package_name"; then logCmd "yum remove -y $package_name" fi @@ -2371,7 +2391,7 @@ secrets_pillar(){ securityonion_repo() { # Remove all the current repos - if [[ "$OS" == "centos" ]]; then + if [[ $is_centos ]]; then if [[ "$INTERWEBS" == "AIRGAP" ]]; then echo "This is airgap I don't need to add this repo" else @@ -2462,7 +2482,7 @@ set_proxy() { "}" > /root/.docker/config.json # Set proxy for package manager - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then echo "proxy=$so_proxy" >> /etc/yum.conf else # Set it up so the updates roll through the manager @@ -2741,7 +2761,7 @@ set_redirect() { set_updates() { if [ "$MANAGERUPDATES" = '1' ]; then - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then if [[ ! $is_airgap ]] && ! ( grep -q "$MSRV" /etc/yum.conf); then if grep -q "proxy=" /etc/yum.conf; then sed -i "s/proxy=.*/proxy=http:\/\/$MSRV:3142/" /etc/yum.conf 
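Review bot: The `" repos:"\'$PATCHSCHEDULENAME'` edit in the airgap branch of `manager_global` looks like an accidental paste: the `\'` turns the line-continuation backslash into an escaped quote, so the `printf` argument list ends there and the trailing `'` opens an unterminated single-quoted string. The same stray suffix lands on the `discovery_nodes` and `index:` lines in the next two hunks, where it also drops `" number_of_shards: 1"\`. PATCH 02, 03 and 05 in this series undo these by hand; squashing them into this commit would keep every intermediate revision of `manager_global` runnable. `manager_global` starts and ends outside the hunk.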
@@ -2808,7 +2828,7 @@ update_sudoers() { } update_packages() { - if [ "$OS" = 'centos' ]; then + if [[ $is_centos ]]; then logCmd "yum repolist" logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" else diff --git a/setup/so-setup b/setup/so-setup index deca4b0d6..cef614112 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -72,15 +72,37 @@ done detect_os +if [ "$setup_type" = 'analyst' ]; then + is_analyst=true +fi + if [[ "$setup_type" == 'iso' ]]; then - if [[ "$OS" == 'centos' ]]; then - is_iso=true + if [[ $is_centos ]]; then + is_iso=true else echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." exit 1 fi fi +# Check to see if this is an analyst install. If it is let's run things differently + +if [[ $is_analyst ]]; then + + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi + + whiptail_analyst_install + + exit 0 + +fi + + + if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}" fi @@ -674,7 +696,7 @@ echo "1" > /root/accept_changes # Import the gpg keys gpg_rpm_import >> $setup_log 2>&1 info "Disabling fastestmirror" - [[ $OS == 'centos' ]] && disable_fastestmirror + [[ $is_centos ]] && disable_fastestmirror if [[ ! $is_airgap ]]; then securityonion_repo >> $setup_log 2>&1 update_packages >> $setup_log 2>&1 @@ -817,7 +839,7 @@ echo "1" > /root/accept_changes set_progress_str 61 "$(print_salt_state_apply 'firewall')" salt-call state.apply -l info firewall >> $setup_log 2>&1 - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then set_progress_str 61 'Installing Yum utilities' salt-call state.apply -l info yum.packages >> $setup_log 2>&1 fi diff --git a/setup/so-whiptail b/setup/so-whiptail index c39ec4ff7..d5c0aafef 100755 --- a/setup/so-whiptail 
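Review bot: The analyst guard rejects with `Analyst Workstation is only supported on CentOS 7`, but `is_centos` is set by `detect_os` for any `/etc/redhat-release`, including the CentOS 8 branch visible in the first hunk of this commit, so a CentOS 8 host passes the check and the message does not match what is enforced. Either test the version as well, `if [[ ! $is_centos || $OSVER != 7 ]]; then`, or word the message to match the actual check. The result of `whiptail_analyst_install` is also discarded before the unconditional `exit 0`, so the Join/Standalone answer has no effect in this revision (PATCH 06 and 10 later act on it).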
+++ b/setup/so-whiptail @@ -33,6 +33,23 @@ whiptail_airgap() { INTERWEBS=$(echo "${INTERWEBS^^}" | tr -d ' ') } +whiptail_analyst_install() { + + [ -n "$TESTING" ] && return + + read -r -d '' message <<- EOM + + Welcome to the Security Onion Anaylst Workstation install! + + You can choose to use join this workstation to an existing grid for managemnt or make it standalone. + EOM + + whiptail --title "$whiptail_title" \ + --yesno "$message" 11 75 \ + --yes-button "Join" --no-button "Standalone" --defaultno + +} + whiptail_avoid_default_hostname() { [ -n "$TESTING" ] && return From 80af497f95f35624475c7d145e5eca0448fa751a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:43:20 -0400 Subject: [PATCH 02/69] Add initial analyst install code --- setup/so-functions | 25 ++++++++++++++++++++++--- setup/so-setup | 36 +++++++++++------------------------- setup/so-whiptail | 4 ++-- 3 files changed, 35 insertions(+), 30 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index be3113485..53e475b71 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -169,6 +169,13 @@ calculate_useable_cores() { export lb_procs } +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} + check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } @@ -1780,13 +1787,14 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos:"\'$PATCHSCHEDULENAME' + " repos: '$PATCHSCHEDULENAME'"\ " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ " repos:"\ " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" fi + printf '%s\n'\ "curator:"\ " hot_warm: False"\ 
@@ -1806,7 +1814,7 @@ manager_global() { printf '%s\n'\ " replicas: 0"\ - " discovery_nodes: 1"\'$PATCHSCHEDULENAME' + " discovery_nodes: 1"\ " hot_warm_enabled: False"\ " cluster_routing_allocation_disk.threshold_enabled: true"\ " cluster_routing_allocation_disk_watermark_low: '95%'"\ @@ -1826,7 +1834,8 @@ manager_global() { " index_template:"\ " template:"\ " settings:"\ - " index:"\'$PATCHSCHEDULENAME' + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ @@ -2058,6 +2067,16 @@ print_salt_state_apply() { echo "Applying $state Salt state" } +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} + proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" diff --git a/setup/so-setup b/setup/so-setup index cef614112..9598a566a 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -99,6 +99,9 @@ if [[ $is_analyst ]]; then exit 0 + # If you got this far then you want to join the grid + is_minion=true + fi @@ -128,23 +131,9 @@ fi # Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) trap 'catch $LINENO' SIGUSR1 setup_proc="$$" -catch() { - info "Fatal error occurred at $1 in so-setup, failing setup." - grep --color=never "ERROR" "$setup_log" > "$error_log" - whiptail_setup_failed - exit 1 -} - +catch automated=no -progress() { - local msg=${1:-'Please wait while installing...'} - - if [ $automated == no ]; then - whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text - else - cat >> $setup_log 2>&1 - fi -} +progress if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 
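Review bot: `is_minion=true` is placed after the unconditional `exit 0` in the analyst block, so it is unreachable and the join-the-grid path the new comment describes cannot be taken in this revision. Either drop the `exit 0` here or make it conditional on the Standalone answer, which is what PATCH 06 later does. The enclosing `if [[ $is_analyst ]]` block starts outside the hunk.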
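Review bot: Replacing the `catch()` and `progress()` definitions with the bare lines `catch` and `progress` invokes both functions at script load: `catch` runs with no argument, greps `$setup_log` into `$error_log`, shows the failure dialog and exits 1 before any install step, and `progress` would block on its `cat` if it were reached. If the intent was to move the definitions into so-functions, these two lines should simply be deleted, since the functions are in scope once so-functions is sourced. PATCH 11 and 12 move the definitions back here; squashing all three into one commit would avoid an intermediate revision of so-setup that cannot run.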
@@ -178,11 +167,11 @@ if [[ -f automation/$automation && $(basename $automation) == $automation ]]; th fi case "$setup_type" in - iso | network) # Accepted values + iso | network | analyst) # Accepted values echo "Beginning Security Onion $setup_type install" >> $setup_log 2>&1 ;; *) - echo "Invalid install type, must be 'iso' or 'network'" | tee -a $setup_log + echo "Invalid install type, must be 'iso', 'network' or 'analyst'." | tee -a $setup_log exit 1 ;; esac @@ -291,7 +280,7 @@ elif [ "$install_type" = 'RECEIVER' ]; then is_receiver=true elif [ "$install_type" = 'ANALYST' ]; then cd .. || exit 255 - exec bash so-analyst-install + exec bash so-setup analyst fi if [[ $is_manager || $is_import ]]; then @@ -311,7 +300,7 @@ if ! [[ -f $install_opt_file ]]; then check_requirements "dist" "idh" elif [[ $is_sensor && ! $is_eval ]]; then check_requirements "dist" "sensor" - elif [[ $is_distmanager || $is_minion ]] && [[ ! $is_import ]]; then + elif [[ $is_distmanager || $is_minion ]] && [[ ! ( $is_import || $is_analyst ) ]]; then check_requirements "dist" elif [[ $is_import ]]; then check_requirements "import" @@ -342,9 +331,6 @@ if ! [[ -f $install_opt_file ]]; then if [[ $is_minion ]]; then collect_mngr_hostname add_mngr_ip_to_hosts - fi - - if [[ $is_minion ]]; then whiptail_ssh_key_copy_notice copy_ssh_key >> $setup_log 2>&1 fi @@ -355,7 +341,7 @@ if ! [[ -f $install_opt_file ]]; then if [[ "$INTERWEBS" == 'AIRGAP' ]]; then is_airgap=true fi - elif [[ $is_minion && $is_iso ]]; then + elif [[ $is_minion && ( $is_iso || $is_analyst ) ]]; then $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" [[ -f /etc/yum.repos.d/airgap_repo.repo ]] >> $setup_log 2>&1 airgap_check=$? [[ $airgap_check == 0 ]] && is_airgap=true >> $setup_log 2>&1 @@ -584,7 +570,7 @@ if [[ $is_sensor && ! $is_eval ]]; then fi fi -[[ $is_iso ]] && collect_ntp_servers +[[ ( $is_iso || $is_analyst ) ]] && collect_ntp_servers if [[ ($is_node || $is_receiver) && ! $is_eval ]]; then whiptail_node_advanced 
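Review bot: `exec bash so-setup analyst` runs after `cd ..`, but the first hunk of PATCH 01 shows so-setup living under `setup/` (`/root/manager_setup/securityonion/setup/so-setup`), so from the parent directory the relative path most likely does not resolve and the `exec` fails. If the `cd ..` only existed for the old `so-analyst-install` location, drop it and re-exec the script in place, `exec bash "$0" analyst`. Re-executing also restarts setup without the `install_type` answer that led here, so make sure the analyst path does not prompt for it again (PATCH 13 adds that guard).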
diff --git a/setup/so-whiptail b/setup/so-whiptail index d5c0aafef..36d4493d8 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -39,9 +39,9 @@ whiptail_analyst_install() { read -r -d '' message <<- EOM - Welcome to the Security Onion Anaylst Workstation install! + Welcome to the Security Onion Analyst Workstation install! - You can choose to use join this workstation to an existing grid for managemnt or make it standalone. + You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM whiptail --title "$whiptail_title" \ From 0d23688aa0e0aea6c9d326df124f8bbb8b96a4f1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:46:45 -0400 Subject: [PATCH 03/69] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 53e475b71..d4a97db9f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1787,7 +1787,7 @@ manager_global() { " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then printf '%s\n'\ - " repos: '$PATCHSCHEDULENAME'"\ + " repos:"\ " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" else printf '%s\n'\ From 102d2507cbb7698343b967c5432b086d1df0853e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 12:48:52 -0400 Subject: [PATCH 04/69] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index d4a97db9f..24b2c0fef 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1835,7 +1835,7 @@ manager_global() { " template:"\ " settings:"\ " index:"\ - " number_of_shards: 1"\ + " numbber_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ From 3ace55dfe50b8978ea253d93d0eda14c68fae4cf Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 29 Mar 2022 12:49:30 -0400 Subject: [PATCH 05/69] Add initial analyst install code --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 24b2c0fef..d4a97db9f 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -1835,7 +1835,7 @@ manager_global() { " template:"\ " settings:"\ " index:"\ - " numbber_of_shards: 1"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ From afb918d79c307620d5a665da514e4974c9421118 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:08:03 -0400 Subject: [PATCH 06/69] Set standalone to load Xwindows --- setup/so-setup | 8 +++++++- setup/so-whiptail | 4 ++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 9598a566a..f08a95415 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -97,7 +97,13 @@ if [[ $is_analyst ]]; then whiptail_analyst_install - exit 0 + if [[ $AWORK != "Join" ]]; then + # Lets make this a standalone + echo "Enabling X Windows and setting it to load at boot" + systemctl set-default graphical.target + startx + exit 0 + fi # If you got this far then you want to join the grid is_minion=true diff --git a/setup/so-whiptail b/setup/so-whiptail index 36d4493d8..9ecd00b04 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -44,9 +44,9 @@ whiptail_analyst_install() { You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM - whiptail --title "$whiptail_title" \ + AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno + --yes-button "Join" --no-button "Standalone" --defaultno) } From 853235ca9b2a9ca70c8304fb3bbe73936662604a Mon Sep 17 00:00:00 2001 
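Review bot: `[[ $AWORK != "Join" ]]` compares against the captured stdout of `whiptail --yesno`, but whiptail reports a yes/no answer only through its exit status and prints nothing to stdout, so `$AWORK` is empty and the Standalone branch is taken regardless of the choice; the `AWORK=$(...)` capture in the so-whiptail hunk below has the same problem. The exit-status form PATCH 10 switches to, `if ! whiptail_analyst_install; then`, is the right shape. Separately, `startx` is a foreground command, so the installer stays blocked inside the X session and `exit 0` only runs when that session ends; `systemctl set-default graphical.target` followed by a reboot prompt, or `systemctl isolate graphical.target`, would hand off without tying setup to the session. The enclosing `if [[ $is_analyst ]]` block starts outside the hunk.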
From: Mike Reeves Date: Tue, 29 Mar 2022 17:11:19 -0400 Subject: [PATCH 07/69] Set standalone to load Xwindows --- setup/so-whiptail | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 9ecd00b04..37164268e 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -43,10 +43,10 @@ whiptail_analyst_install() { You can choose to join this workstation to an existing grid for managemnt or make it standalone. EOM - + echo "whiptail" AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno) + --yes-button "Join" --no-button "Standalone" --defaultno ) } From 053ec812857c7222da2f1b834cca2736a4e8eaf8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:12:25 -0400 Subject: [PATCH 08/69] Set standalone to load Xwindows --- setup/so-whiptail | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 37164268e..2c6b7092b 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -46,7 +46,7 @@ whiptail_analyst_install() { echo "whiptail" AWORK=$(whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno ) + --yes-button "Join" --no-button "Standalone" --defaultno 3>&1 1>&2 2>&3 ) } From 86e32f3e6c45e2491476152b070ef03e0023942f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:13:47 -0400 Subject: [PATCH 09/69] Set standalone to load Xwindows --- setup/so-setup | 1 + 1 file changed, 1 insertion(+) diff --git a/setup/so-setup b/setup/so-setup index f08a95415..6aa95c0e6 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -96,6 +96,7 @@ if [[ $is_analyst ]]; then fi whiptail_analyst_install + echo "$AWORK" if [[ $AWORK != "Join" ]]; then # Lets make this a standalone From 67582be5758c969661ebbbc39a190e001b84732b Mon Sep 17 00:00:00 2001 
From: Mike Reeves Date: Tue, 29 Mar 2022 17:23:38 -0400 Subject: [PATCH 10/69] Set standalone to load Xwindows --- setup/so-setup | 5 +---- setup/so-whiptail | 9 +++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 6aa95c0e6..ca3403bee 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -95,10 +95,7 @@ if [[ $is_analyst ]]; then exit 1 fi - whiptail_analyst_install - echo "$AWORK" - - if [[ $AWORK != "Join" ]]; then + if ! whiptail_analyst_install; then # Lets make this a standalone echo "Enabling X Windows and setting it to load at boot" systemctl set-default graphical.target diff --git a/setup/so-whiptail b/setup/so-whiptail index 2c6b7092b..f028af323 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -41,12 +41,13 @@ whiptail_analyst_install() { Welcome to the Security Onion Analyst Workstation install! - You can choose to join this workstation to an existing grid for managemnt or make it standalone. + You can choose to join this workstation to an existing grid? + + NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM echo "whiptail" - AWORK=$(whiptail --title "$whiptail_title" \ - --yesno "$message" 11 75 \ - --yes-button "Join" --no-button "Standalone" --defaultno 3>&1 1>&2 2>&3 ) + whiptail --title "$whiptail_title" \ + --yesno "$message" 11 75 --defaultno } From 45161b2a3906ac4ab46c46fea5a545e28598ca10 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:28:32 -0400 Subject: [PATCH 11/69] Set standalone to load Xwindows --- setup/so-functions | 7 ------- setup/so-setup | 7 ++++++- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index d4a97db9f..736f2e15b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
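Review bot: The debug line `echo "whiptail"` introduced in PATCH 07 survives this rewrite of `whiptail_analyst_install` and now prints to the console before every prompt; it should be removed. The prompt text `You can choose to join this workstation to an existing grid?` reads as a fragment, and the NOTE refers to `"no"` while the dialog now shows the default Yes/No buttons with `--defaultno` — consider `Join this workstation to an existing grid?` and `Selecting "No" installs a standalone workstation: X Windows is enabled and set to load at boot.` Since the function's status is now the answer, the `[ -n "$TESTING" ] && return` early exit returns 0 and so automated runs always take the join path; worth stating in a function header if that is intended.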
@@ -169,13 +169,6 @@ calculate_useable_cores() { export lb_procs } -catch() { - info "Fatal error occurred at $1 in so-setup, failing setup." - grep --color=never "ERROR" "$setup_log" > "$error_log" - whiptail_setup_failed - exit 1 -} - check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } diff --git a/setup/so-setup b/setup/so-setup index ca3403bee..5f4329750 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -135,7 +135,12 @@ fi # Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts) trap 'catch $LINENO' SIGUSR1 setup_proc="$$" -catch +catch() { + info "Fatal error occurred at $1 in so-setup, failing setup." + grep --color=never "ERROR" "$setup_log" > "$error_log" + whiptail_setup_failed + exit 1 +} automated=no progress From c4a4e9737b2e5f7952880138a3af814621563f5e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:31:53 -0400 Subject: [PATCH 12/69] Set standalone to load Xwindows --- setup/so-functions | 10 ---------- setup/so-setup | 10 +++++++++- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 736f2e15b..8a51a8b31 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2060,16 +2060,6 @@ print_salt_state_apply() { echo "Applying $state Salt state" } -progress() { - local msg=${1:-'Please wait while installing...'} - - if [ $automated == no ]; then - whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text - else - cat >> $setup_log 2>&1 - fi -} - proxy_validate() { echo "Testing proxy..." local test_url="https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS" diff --git a/setup/so-setup b/setup/so-setup index 5f4329750..88a4daa5a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -142,7 +142,15 @@ catch() { exit 1 } automated=no -progress +progress() { + local msg=${1:-'Please wait while installing...'} + + if [ $automated == no ]; then + whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text + else + cat >> $setup_log 2>&1 + fi +} if [[ -f automation/$automation && $(basename $automation) == $automation ]]; then echo "Preselecting variable values based on automated setup: $automation" >> $setup_log 2>&1 From 816d0b1075d8b982b63bd51c90a1843bbea4d69a Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 29 Mar 2022 17:35:13 -0400 Subject: [PATCH 13/69] Don't prompt for install type since we know its analyst --- setup/so-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 88a4daa5a..8d01089e0 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -247,7 +247,9 @@ if ! [[ -f $install_opt_file ]]; then true fi fi - whiptail_install_type + if [[ ! $is_analyst ]]; then + whiptail_install_type + fi else source $install_opt_file fi From dceb46888f1c49d6600c93127fbe9493918facf1 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:06:59 -0400 Subject: [PATCH 14/69] Add analyst install network stack --- setup/so-setup | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/setup/so-setup b/setup/so-setup index 8d01089e0..fb0472ebf 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -74,6 +74,10 @@ detect_os if [ "$setup_type" = 'analyst' ]; then is_analyst=true + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi if [[ "$setup_type" == 'iso' ]]; then 
@@ -230,6 +234,38 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi + + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi + whiptail_network_init_notice + network_init + printf '%s\n' \ + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" + set_main_ip >> $setup_log 2>&1 + compare_main_nic_ip + whiptail_net_setup_complete + + fi + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then From c3d3806f651d343484450ac76c7e911c0522c7f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:14:35 -0400 Subject: [PATCH 15/69] Add analyst install network stack --- setup/so-setup | 1 - 1 file changed, 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index fb0472ebf..7e82abe12 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -278,7 +278,6 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - whiptail_net_setup_complete else true fi From f43a6757e0d7aa4b8512290ea57956f925231aea Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 11:16:00 -0400 Subject: [PATCH 16/69] Add analyst install network stack --- setup/so-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-setup b/setup/so-setup index 7e82abe12..ba9125f31 100755 --- a/setup/so-setup +++ b/setup/so-setup 
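Review bot: The two complementary guards `if [[ $is_analyst_iso ]]; then … fi` and `if [[ ! $is_analyst_iso ]]; then … fi` in the new analyst block are one `if … else … fi`, and writing them that way makes it obvious that exactly one network path runs. The `# Prompt Network Setup` and `# This should be a network install` comments would then sit on the two branches. This block lives inside `if ! [[ -f $install_opt_file ]]`, which starts and ends outside the hunk, so a re-run with a saved options file skips the analyst network setup entirely; confirm that is intended for analyst re-installs.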
@@ -262,7 +262,6 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - whiptail_net_setup_complete fi @@ -278,6 +277,7 @@ if ! [[ -f $install_opt_file ]]; then "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip + whiptail_net_setup_complete else true fi From a049e458c6bd0f8cc29dd60a5b146d22285e15e5 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Wed, 30 Mar 2022 14:03:52 -0400 Subject: [PATCH 17/69] Add workstation to the salt config --- setup/so-functions | 64 +++++++++++++++++++++++++++------------------- setup/so-setup | 7 ++++- 2 files changed, 43 insertions(+), 28 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 8a51a8b31..6ad0510a5 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -155,7 +155,8 @@ analyst_workstation_pillar() { "workstation:"\ " gui:"\ " enabled: true" >> "$pillar_file" - + "sensoroni:"\ + " node_description: '${NODE_DESCRIPTION//\'/''}'" } calculate_useable_cores() { @@ -786,6 +787,9 @@ collect_zeek() { configure_minion() { local minion_type=$1 + if [[ $is_analyst ]]; then + minion_type=workstation + fi echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains @@ -794,6 +798,9 @@ configure_minion() { echo "id: '$MINION_ID'" > "$minion_config" case "$minion_type" in + 'workstation') + echo "master: '$HOSTNAME'" >> "$minion_config" + ;; 'helix') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf echo "master: '$HOSTNAME'" >> "$minion_config" 
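Review bot: The new `"sensoroni:"\` and `" node_description: …"` lines follow `" enabled: true" >> "$pillar_file"`, which carries no trailing backslash, so the `printf` command ends on that line and the two new strings run as a separate command named `sensoroni:`, failing with command not found and never reaching the pillar. PATCH 23 appends a backslash after the redirection, which works because bash accepts a redirection anywhere in a simple command, but it leaves the redirect in the middle of the argument list; keeping it on the final line, `" node_description: '${NODE_DESCRIPTION//\'/''}'" >> "$pillar_file"`, is the form the rest of this function uses. `NODE_DESCRIPTION` is another value read from the caller's environment that the function does not document. `analyst_workstation_pillar` starts outside the hunk.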
@@ -2249,38 +2256,41 @@ remove_package() { saltify() { # Install updates and Salt - if [ $OS = 'centos' ]; then + if [[ $is_centos ]]; then set_progress_str 6 'Installing various dependencies' - if [[ ! $is_iso ]]; then + if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then logCmd "yum -y install wget nmap-ncat" - fi - case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') - reserve_group_ids - if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite curl mariadb-devel" - fi - # Download Ubuntu Keys in case manager updates = 1 - logCmd "mkdir -vp /opt/so/gpg" - if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - fi - set_progress_str 7 'Installing salt-master' - if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" - fi - logCmd "systemctl enable salt-master" - ;; - *) - ;; - esac + fi + + if [[ ! is_analyst ]]; then + case "$install_type" in + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') + reserve_group_ids + if [[ ! $is_iso ]]; then + logCmd "yum -y install sqlite curl mariadb-devel" + fi + # Download Ubuntu Keys in case manager updates = 1 + logCmd "mkdir -vp /opt/so/gpg" + if [[ ! $is_airgap ]]; then + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" + logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" + fi + set_progress_str 7 'Installing salt-master' + if [[ ! 
$is_iso ]]; then + logCmd "yum -y install salt-master-3004" + fi + logCmd "systemctl enable salt-master" + ;; + *) + ;; + esac + fi if [[ ! $is_airgap ]]; then logCmd "yum clean expire-cache" fi set_progress_str 8 'Installing salt-minion & python modules' - if [[ ! $is_iso ]]; then + if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi diff --git a/setup/so-setup b/setup/so-setup index ba9125f31..8d146d00f 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -461,7 +461,12 @@ detect_cloud short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') -MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +if [[ $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') +fi +if [[ ! $is_analyst ]]; then + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') +fi export MINION_ID echo "MINION_ID = $MINION_ID" >> $setup_log 2>&1 From 179aa5e29caeb47f95b164600aceec28ce37d0c3 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 10:49:38 -0400 Subject: [PATCH 18/69] Add firewall rules for Analyst workstation --- setup/so-functions | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup/so-functions b/setup/so-functions index 6ad0510a5..5badeb08a 100755 --- a/setup/so-functions +++ b/setup/so-functions 
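Review bot: `if [[ ! is_analyst ]]; then` is missing the `$`: `is_analyst` is a non-empty literal, so the test is always false and the whole `case "$install_type"` block — `reserve_group_ids`, the GPG key downloads, and the `salt-master` install and enable — is skipped for every install type, not only analyst workstations. The guard should read `if [[ ! $is_analyst ]]; then`. None of the later commits visible on this page correct it, so manager-type installs would come up without salt-master until it is fixed. `saltify` starts and ends outside the hunk.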
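Review bot: The two guards `if [[ $is_analyst ]]` and `if [[ ! $is_analyst ]]` around the `MINION_ID` assignment are a plain if/else, and since only the suffix differs a single assignment is clearer: `minion_suffix=$install_type`, then `[[ $is_analyst ]] && minion_suffix=workstation`, then the existing `MINION_ID=$(echo "${short_name}_${minion_suffix}" | tr '[:upper:]' '[:lower:]')`. The `[[ cond ]] && cmd` form is already used in this file (`[[ $is_iso ]] && collect_ntp_servers`), so it matches the house style.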
@@ -2722,6 +2722,13 @@ set_initial_firewall_policy() { # TODO: implement ;; esac + + # Add some firewall rules for analyst workstations that get added to the grid + if [[ $ is_analyst ]]; then + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" + fi + } # Set up the management interface on the ISO From ad833965a0d1bfa7e63e030c999ea2c4ebc9a5ac Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 11:12:10 -0400 Subject: [PATCH 19/69] Fix extra space --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 5badeb08a..78b860a87 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2724,7 +2724,7 @@ set_initial_firewall_policy() { esac # Add some firewall rules for analyst workstations that get added to the grid - if [[ $ is_analyst ]]; then + if [[ $is_analyst ]]; then $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" fi From c9eb188a799920555910e88c4788188895814004 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 31 Mar 2022 12:01:55 -0400 Subject: [PATCH 20/69] Only run specific states during install for AW --- setup/so-setup | 47 ++++++++++++++++++++++++++++++----------------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 8d146d00f..8bc2c687a 100755 --- a/setup/so-setup +++ b/setup/so-setup 
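Review bot: The two remote `so-firewall` calls in the new analyst branch of `set_initial_firewall_policy` ignore their exit status, so if the first `includehost minion` call fails (missing key, sudo denied, manager unreachable) setup continues and the workstation ends up half-listed on the manager's firewall with nothing in the log. so-setup documents `kill -SIGUSR1 "$setup_proc"; exit 1` as the way for helpers to abort, so each call should at least be followed by `|| { kill -SIGUSR1 "$setup_proc"; exit 1; }`, or be routed through `logCmd` like the other privileged steps in this file so the failure is captured. `[[ $ is_analyst ]]` with the stray space is a syntax error in bash's conditional expression; PATCH 19 fixes it and could be squashed here. `set_initial_firewall_policy` starts outside the hunk.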
@@ -765,17 +765,22 @@ echo "1" > /root/accept_changes set_progress_str 5 'Installing Salt and dependencies' saltify 2>> $setup_log + + if [[ ! $is_analyst ]]; then + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 + fi - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 - set_progress_str 7 'Generating patch pillar' patch_pillar >> $setup_log 2>&1 set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - check_sos_appliance >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi + update_sudoers_for_testing >> $setup_log 2>&1 if [[ $is_manager || $is_helix || $is_import ]]; then @@ -853,8 +858,10 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' 
@@ -881,18 +888,22 @@ echo "1" > /root/accept_changes
 echo "Finished so-elastic-auth..." >> $setup_log 2>&1
 fi
- set_progress_str 61 "$(print_salt_state_apply 'firewall')"
- salt-call state.apply -l info firewall >> $setup_log 2>&1
-
+ if [[ ! $is_analyst ]]; then
+ set_progress_str 61 "$(print_salt_state_apply 'firewall')"
+ salt-call state.apply -l info firewall >> $setup_log 2>&1
+ fi
+
 if [[ $is_centos ]]; then
 set_progress_str 61 'Installing Yum utilities'
 salt-call state.apply -l info yum.packages >> $setup_log 2>&1
 fi
- set_progress_str 62 "$(print_salt_state_apply 'common')"
- salt-call state.apply -l info common >> $setup_log 2>&1
+ if [[ ! $is_analyst ]]; then
+ set_progress_str 62 "$(print_salt_state_apply 'common')"
+ salt-call state.apply -l info common >> $setup_log 2>&1
+ fi
- if [[ ! $is_helix && ! $is_receiver && ! $is_idh ]]; then
+ if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then
 set_progress_str 62 "$(print_salt_state_apply 'nginx')"
 salt-call state.apply -l info nginx >> $setup_log 2>&1
 fi
@@ -1035,11 +1046,13 @@ echo "1" > /root/accept_changes
 salt-call state.apply -l info filebeat >> $setup_log 2>&1
 fi
- set_progress_str 85 'Applying finishing touches'
- filter_unused_nics >> $setup_log 2>&1
- network_setup >> $setup_log 2>&1
- so-ssh-harden >> $setup_log 2>&1
-
+ if [[ ! $is_analyst ]]; then
+ set_progress_str 85 'Applying finishing touches'
+ filter_unused_nics >> $setup_log 2>&1
+ network_setup >> $setup_log 2>&1
+ so-ssh-harden >> $setup_log 2>&1
+ fi
+
 if [[ $is_manager || $is_import ]]; then
 set_progress_str 87 'Adding user to SOC'
 add_web_user >> $setup_log 2>&1
From 5264526ff1b11f9adfc33429aaed1b702ce7779c Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 31 Mar 2022 12:05:59 -0400
Subject: [PATCH 21/69] Fix salt master declaration
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index 78b860a87..e03962f47 100755
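Review bot: The new `if [[ ! $is_analyst ]]` guards mean neither the `firewall` nor the `common` state is ever applied on an analyst workstation, so nothing in this script configures the local host firewall of the one node type that is being granted access to the manager (the `includehost analyst` rule from the earlier `set_initial_firewall_policy` change runs on the manager, not here). If a workstation-specific state is expected to cover that, say so on the guard, e.g. `# analyst workstations: firewall/common are handled by the workstation states`; if not, `firewall` should stay outside the guard. `yum.packages` still runs for CentOS analysts while `common` is skipped, so any ordering dependency between those two states is worth confirming.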
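Review bot: The guard wrapped around the 'finishing touches' block also skips `so-ssh-harden`, so an analyst workstation is the only install type that finishes setup with an unhardened sshd configuration. The other three lines in the block are NIC and network setup that plausibly do not apply to a workstation, which suggests the hardening step was swept up rather than deliberately dropped; if so, move `so-ssh-harden >> $setup_log 2>&1` out of the `if [[ ! $is_analyst ]]` block. If it was deliberate, a one-line comment on the guard saying why would spare the next reader the same question.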
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -799,7 +799,7 @@ configure_minion() {
 case "$minion_type" in
 'workstation')
- echo "master: '$HOSTNAME'" >> "$minion_config"
+ echo "master: '$MSRV'" >> "$minion_config"
 ;;
 'helix')
 cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf
From 63eb15aa6dc9ab3001e9f4dfd5280041c84c6dea Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 31 Mar 2022 13:35:30 -0400
Subject: [PATCH 22/69] Run anayst Pillar
---
 setup/so-setup | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 8bc2c687a..0e3749bce 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -717,8 +717,12 @@ echo "1" > /root/accept_changes
 if [[ $is_manager && ! $is_eval ]]; then
 add_soremote_user_manager >> $setup_log 2>&1
 fi
-
- host_pillar >> $setup_log 2>&1
+ if [[ ! $is_analyst ]]; then
+ host_pillar >> $setup_log 2>&1
+ fi
+ if [[ $is_analyst ]]; then
+ analyst_workstation_pillar
+ fi
 ntp_pillar >> $setup_log 2>&1
From edc6a461ec721e69b9292cc9e4243506b99d38c6 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Thu, 31 Mar 2022 13:57:37 -0400
Subject: [PATCH 23/69] Fix analyst pillar
---
 setup/so-functions | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-functions b/setup/so-functions
index e03962f47..d00eb7962 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -154,7 +154,7 @@ analyst_workstation_pillar() {
 " splay: 300"\
 "workstation:"\
 " gui:"\
- " enabled: true" >> "$pillar_file"
+ " enabled: true" >> "$pillar_file"\
 "sensoroni:"\
 " node_description: '${NODE_DESCRIPTION//\'/''}'"
 }
From 64e480714af43467e400dc8031d7b47884f72ac1 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 09:10:38 -0400
Subject: [PATCH 24/69] Fix the analyst pillar
---
 setup/so-functions | 4 ++--
 setup/so-setup | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
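Review bot: `analyst_workstation_pillar` is called without the `>> $setup_log 2>&1` redirection that every neighbouring call, including the `host_pillar` it replaces, carries, so any diagnostic from that function lands on the installer's terminal instead of the setup log. The two mutually exclusive tests on `$is_analyst` also read more naturally as a single branch: `if [[ $is_analyst ]]; then analyst_workstation_pillar >> $setup_log 2>&1; else host_pillar >> $setup_log 2>&1; fi`.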
diff --git a/setup/so-functions b/setup/so-functions
index d00eb7962..f0adf595a 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -145,7 +145,7 @@ analyst_workstation_pillar() {
 # Create the analyst workstation pillar
 printf '%s\n'\
 "host:"\
- " mainint: '$INTERFACE'"\
+ " mainint: '$MNIC'"\
 "patch:"\
 " os:"\
 " source: $source"\
@@ -156,7 +156,7 @@ analyst_workstation_pillar() {
 " gui:"\
 " enabled: true" >> "$pillar_file"\
 "sensoroni:"\
- " node_description: '${NODE_DESCRIPTION//\'/''}'"
+ " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file
 }
 calculate_useable_cores() {
diff --git a/setup/so-setup b/setup/so-setup
index 0e3749bce..8365eff79 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -687,7 +687,7 @@ echo "1" > /root/accept_changes
 [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
- reserve_ports
+ if [[ ! $is_analyst ]]; then reserve_ports fi
 set_path
From cb2044cee9aaad8823b8b8d4273b74696208ee15 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 09:29:29 -0400
Subject: [PATCH 25/69] Fix the analyst pillar
---
 setup/so-setup | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index 8365eff79..c233c3069 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -687,7 +687,9 @@ echo "1" > /root/accept_changes
 [[ ${#ntp_servers[@]} -gt 0 ]] && configure_ntp >> $setup_log 2>&1
- if [[ ! $is_analyst ]]; then reserve_ports fi
+ if [[ ! $is_analyst ]]; then
+ reserve_ports
+ fi
 set_path
From 02a96c409e7b957e22fdeb4d0328e39fd4bfa8a5 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 09:52:57 -0400
Subject: [PATCH 26/69] Update HOTFIX
---
 HOTFIX | 1 +
 1 file changed, 1 insertion(+)
diff --git a/HOTFIX b/HOTFIX
index e69de29bb..6711b0853 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -0,0 +1 @@
+04012022
From d95391505fb215cea276e900bc4ef53b64fcfc46 Mon Sep 17 00:00:00 2001
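Review bot: The `printf` in `analyst_workstation_pillar` now carries two stdout redirections, the `>> "$pillar_file"` left in the middle of the argument list by the previous commit's `\` continuation and the new `> $pillar_file` at the end; bash applies the last one, so the file is truncated rather than appended to and the earlier `>>` is dead text that will mislead whoever next edits the list. Keep one redirection after the last argument and quote it: `" node_description: '${NODE_DESCRIPTION//\'/''}'" > "$pillar_file"`, dropping the `>> "$pillar_file"` from the `enabled: true` line. Whether truncating is the intended behaviour depends on whether anything writes the minion pillar before this function runs, which the hunk does not show.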
From: Josh Patterson Date: Fri, 1 Apr 2022 09:55:03 -0400 Subject: [PATCH 27/69] Update minion.defaults.yaml --- salt/salt/minion.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index ef7bfe37c..68e044db8 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004 + version: 3004.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. From f71fcdaed7fc05fa6104dc3024f724be97cc5225 Mon Sep 17 00:00:00 2001 From: Josh Patterson Date: Fri, 1 Apr 2022 09:55:55 -0400 Subject: [PATCH 28/69] salt 3004.1 --- salt/salt/master.defaults.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8d5e85e15..a07f22865 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml @@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004 + version: 3004.1 From d524f3833b43e89dbaf4932086fad5f3e62127f8 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 10:09:55 -0400 Subject: [PATCH 29/69] Let the patch pillar do its work --- setup/so-functions | 6 ------ 1 file changed, 6 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f0adf595a..45a6fe0ab 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -146,12 +146,6 @@ analyst_workstation_pillar() { printf '%s\n'\ "host:"\ " mainint: '$MNIC'"\ - "patch:"\ - " os:"\ - " source: $source"\ - " enabled: true"\ - " schedule_name: '$PATCHSCHEDULENAME'"\ - " splay: 300"\ "workstation:"\ " gui:"\ " enabled: true" >> "$pillar_file"\ From 45dd7d47582fa55134dd046b6d6d2921618b1207 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 1 Apr 2022 11:17:38 -0400 Subject: [PATCH 30/69] salt 3004.1 in setup --- setup/so-functions | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index b71648fbe..0047fe4a2 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2277,13 +2277,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; 
@@ -2295,7 +2295,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" @@ -2334,8 +2334,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 
@@ -2343,7 +2343,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 @@ -2356,7 +2356,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) 
@@ -2367,14 +2367,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 2782c9b464f1daece99debc634019c89843d9bfc Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 11:26:58 -0400 Subject: [PATCH 31/69] Update salt versions --- salt/salt/master.defaults.yaml | 2 +- salt/salt/minion.defaults.yaml | 2 +- setup/so-functions | 18 +++++++++--------- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/salt/salt/master.defaults.yaml b/salt/salt/master.defaults.yaml index 8d5e85e15..a07f22865 100644 --- a/salt/salt/master.defaults.yaml +++ b/salt/salt/master.defaults.yaml 
@@ -2,4 +2,4 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: master: - version: 3004 + version: 3004.1 diff --git a/salt/salt/minion.defaults.yaml b/salt/salt/minion.defaults.yaml index ef7bfe37c..68e044db8 100644 --- a/salt/salt/minion.defaults.yaml +++ b/salt/salt/minion.defaults.yaml @@ -2,6 +2,6 @@ # When updating the salt version, also update the version in securityonion-builds/images/iso-task/Dockerfile and saltify function in so-functions salt: minion: - version: 3004 + version: 3004.1 check_threshold: 3600 # in seconds, threshold used for so-salt-minion-check. any value less than 600 seconds may cause a lot of salt-minion restarts since the job to touch the file occurs every 5-8 minutes by default service_start_delay: 30 # in seconds. diff --git a/setup/so-functions b/setup/so-functions index 45a6fe0ab..9cb191912 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2266,13 +2266,13 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; 
@@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" @@ -2324,8 +2324,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 
@@ -2333,7 +2333,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 @@ -2346,7 +2346,7 @@ saltify() { set_progress_str 6 'Installing various dependencies' retry 50 10 "apt-get -y install sqlite3 libssl-dev" >> "$setup_log" 2>&1 || exit 1 set_progress_str 7 'Installing salt-master' - retry 50 10 "apt-get -y install salt-master=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-master=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-master" >> "$setup_log" 2>&1 || exit 1 ;; *) 
@@ -2357,14 +2357,14 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac retry 50 10 "apt-get update" "" "Err:" >> "$setup_log" 2>&1 || exit 1 set_progress_str 8 'Installing salt-minion & python modules' - retry 50 10 "apt-get -y install salt-minion=3004+ds-1 salt-common=3004+ds-1" >> "$setup_log" 2>&1 || exit 1 + retry 50 10 "apt-get -y install salt-minion=3004.1+ds-1 salt-common=3004.1+ds-1" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-mark hold salt-minion salt-common" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y install python3-pip python3-dateutil python3-m2crypto python3-mysqldb python3-packaging python3-influxdb python3-lxml" >> "$setup_log" 2>&1 || exit 1 fi From 97fc652a97de8bcede7827a448266e68da0fdb09 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 11:54:55 -0400 Subject: [PATCH 32/69] fix the yum commands --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 9cb191912..f05b4c756 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2272,7 +2272,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.1" + logCmd "yum -y install salt-master-3004" fi logCmd "systemctl enable salt-master" ;; 
@@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" From 8e9386fcd4548b6c85ae2c551034d83c01673938 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 13:17:13 -0400 Subject: [PATCH 33/69] fix the yum commands --- setup/so-functions | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index f05b4c756..9cb191912 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2272,7 +2272,7 @@ saltify() { fi set_progress_str 7 'Installing salt-master' if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004" + logCmd "yum -y install salt-master-3004.1" fi logCmd "systemctl enable salt-master" ;; @@ -2285,7 +2285,7 @@ saltify() { fi set_progress_str 8 'Installing salt-minion & python modules' if [[ ! ( $is_iso || $is_analyst_iso ) ]]; then - logCmd "yum -y install salt-minion-3004 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" + logCmd "yum -y install salt-minion-3004.1 httpd-tools python3 python36-docker python36-dateutil python36-m2crypto python36-mysql python36-packaging python36-lxml yum-utils device-mapper-persistent-data lvm2 openssl jq" logCmd "yum -y update --exclude=salt*" fi logCmd "systemctl enable salt-minion" 
From 7c39559787e5d9a70a2caebd7856b3d237307362 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 14:19:17 -0400
Subject: [PATCH 34/69] fix so salt master gets installed
---
 setup/so-setup | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/so-setup b/setup/so-setup
index c233c3069..47977a90b 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -71,7 +71,7 @@ while [[ $# -gt 0 ]]; do
 done
 detect_os
-
+is_analyst=false
 if [ "$setup_type" = 'analyst' ]; then
 is_analyst=true
 # Check to see if this is an ISO
From 76f43380d9ddc948a9ed96b2430f58848f530904 Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 14:29:24 -0400
Subject: [PATCH 35/69] fix so salt master gets installed
---
 setup/so-functions | 2 +-
 setup/so-setup | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index 9cb191912..5224a5b90 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2256,7 +2256,7 @@ saltify() {
 logCmd "yum -y install wget nmap-ncat"
 fi
- if [[ ! is_analyst ]]; then
+ if [[ ! $is_analyst ]]; then
 case "$install_type" in
 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT')
 reserve_group_ids
diff --git a/setup/so-setup b/setup/so-setup
index 47977a90b..af822c64c 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -71,7 +71,7 @@ while [[ $# -gt 0 ]]; do
 done
 detect_os
-is_analyst=false
+is_analyst=
 if [ "$setup_type" = 'analyst' ]; then
 is_analyst=true
 # Check to see if this is an ISO
From a449a91f38b1aaf913ad499dde93980d40a031ce Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 15:52:38 -0400
Subject: [PATCH 36/69] fix formatting
---
 setup/so-setup | 42 +++++++++++++++++++++---------------------
 setup/so-whiptail | 1 -
 2 files changed, 21 insertions(+), 22 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index af822c64c..9aaba8052 100755
--- a/setup/so-setup
+++ b/setup/so-setup
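Review bot: `is_analyst=` only works because every consumer tests the variable with `[[ $is_analyst ]]`, i.e. for a non-empty string, which is exactly what the `is_analyst=false` of the previous commit broke: the string `false` satisfies that test, so every install type took the analyst path and the salt-master branch in `saltify` was skipped. A comment on the assignment would stop that recurring, e.g. `# empty means "not an analyst install"; the [[ $is_analyst ]] checks test for non-empty, so never assign "false" here`. The same convention appears to apply to `is_analyst_iso`, `is_iso` and `is_centos`, which are set the same way elsewhere in this series.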
@@ -234,36 +234,36 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi - if [[ $is_analyst ]]; then - collect_hostname - if [[ $is_analyst_iso ]]; then - # Prompt Network Setup - whiptail_management_nic - whiptail_dhcp_or_static + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static - if [ "$address_type" != 'DHCP' ]; then - collect_int_ip_mask - collect_gateway - collect_dns - collect_dns_domain - fi + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi - fi - if [[ ! $is_analyst_iso ]]; then + fi + if [[ ! $is_analyst_iso ]]; then # This should be a network install - whiptail_network_notice - whiptail_dhcp_warn - whiptail_management_nic - fi + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi whiptail_network_init_notice network_init printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - fi + fi if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso diff --git a/setup/so-whiptail b/setup/so-whiptail index f028af323..5d98a5199 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -45,7 +45,6 @@ whiptail_analyst_install() { NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM - echo "whiptail" whiptail --title "$whiptail_title" \ --yesno "$message" 11 75 --defaultno From 48e40513ff3b0cc5de9f734aba9fdccb625b268c Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Fri, 1 Apr 2022 15:53:48 -0400 Subject: [PATCH 37/69] remove influx patch state files --- salt/salt/minion.sls | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/salt/salt/minion.sls b/salt/salt/minion.sls index cf26c1249..a35746db7 100644 
--- a/salt/salt/minion.sls
+++ b/salt/salt/minion.sls
@@ -31,6 +31,22 @@ install_salt_minion:
 exec 1>&- # close stdout
 exec 2>&- # close stderr
 nohup /bin/sh -c '{{ UPGRADECOMMAND }}' &
+
+ {# if we are the salt master #}
+ {% if grains.id.split('_')|first == grains.master %}
+remove_influxdb_continuous_query_state_file:
+ file.absent:
+ - name: /opt/so/state/influxdb_continuous_query.py.patched
+
+remove_influxdbmod_state_file:
+ file.absent:
+ - name: /opt/so/state/influxdbmod.py.patched
+
+remove_influxdb_retention_policy_state_file:
+ file.absent:
+ - name: /opt/so/state/influxdb_retention_policy.py.patched
+ {% endif %}
+
 {% endif %}
 {% if INSTALLEDSALTVERSION|string == SALTVERSION|string %}
From d20a07bb5f810e80d5fda62e0607c4ad948b90bb Mon Sep 17 00:00:00 2001
From: Mike Reeves
Date: Fri, 1 Apr 2022 16:00:44 -0400
Subject: [PATCH 38/69] fix formatting
---
 setup/so-setup | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/setup/so-setup b/setup/so-setup
index 9aaba8052..22840831e 100755
--- a/setup/so-setup
+++ b/setup/so-setup
@@ -720,8 +720,8 @@ echo "1" > /root/accept_changes
 add_soremote_user_manager >> $setup_log 2>&1
 fi
 if [[ ! $is_analyst ]]; then
- host_pillar >> $setup_log 2>&1
- fi
+ host_pillar >> $setup_log 2>&1
+ fi
 if [[ $is_analyst ]]; then
 analyst_workstation_pillar
 fi
@@ -783,8 +783,8 @@ echo "1" > /root/accept_changes
 set_progress_str 8 'Initializing Salt minion'
 configure_minion "$minion_type" >> $setup_log 2>&1
- if [[ ! $is_analyst ]]; then
- check_sos_appliance >> $setup_log 2>&1
+ if [[ ! $is_analyst ]]; then
+ check_sos_appliance >> $setup_log 2>&1
 fi
 update_sudoers_for_testing >> $setup_log 2>&1
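Review bot: The new `file.absent` states are gated on `grains.id.split('_')|first == grains.master`, which identifies the master only when `grains.master` holds a bare hostname equal to the hostname part of the minion id; if the configured `master:` is ever a FQDN or an address (the value `configure_minion` writes for workstations earlier in this series is `$MSRV`, whose form the hunk does not show), the comparison is false and the patched-state files are never removed. If that is a known constraint, the `{# if we are the salt master #}` comment should state it, e.g. `{# we are the master when the hostname part of our minion id equals the configured master; assumes master: is a short hostname #}`. The enclosing `{% if %}` these lines sit in opens outside the hunk, so the states only run on the branch it selects.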
@@ -864,9 +864,9 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 fi if [[ $is_manager || $is_helix || $is_import ]]; then @@ -894,9 +894,9 @@ echo "1" > /root/accept_changes echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 fi if [[ $is_centos ]]; then @@ -1052,11 +1052,11 @@ echo "1" > /root/accept_changes salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 + if [[ ! $is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 fi if [[ $is_manager || $is_import ]]; then From 277c7d9d33ceb6a544574ebea585a1a336e9a930 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:05:37 -0400 Subject: [PATCH 39/69] fix formatting --- setup/so-setup | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 22840831e..375682a08 100755 --- a/setup/so-setup +++ b/setup/so-setup 
@@ -97,11 +97,11 @@ if [[ $is_analyst ]]; then if [[ ! $is_centos ]]; then echo "Analyst Workstation is only supported on CentOS 7" exit 1 - fi + fi if ! whiptail_analyst_install; then # Lets make this a standalone - echo "Enabling X Windows and setting it to load at boot" + echo "Enabling graphical interface and setting it to load at boot" systemctl set-default graphical.target startx exit 0 @@ -722,9 +722,9 @@ echo "1" > /root/accept_changes if [[ ! $is_analyst ]]; then host_pillar >> $setup_log 2>&1 fi - if [[ $is_analyst ]]; then - analyst_workstation_pillar - fi + if [[ $is_analyst ]]; then + analyst_workstation_pillar + fi ntp_pillar >> $setup_log 2>&1 From 5974279ed7fa4e8af4141e6973ff900b1e65a39b Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:17:22 -0400 Subject: [PATCH 40/69] fix formatting --- setup/so-setup | 138 ++++++++++++++++++++++++------------------------- 1 file changed, 69 insertions(+), 69 deletions(-) diff --git a/setup/so-setup b/setup/so-setup index 375682a08..58671a729 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -74,15 +74,15 @@ detect_os is_analyst= if [ "$setup_type" = 'analyst' ]; then is_analyst=true - # Check to see if this is an ISO - if [ -d /root/SecurityOnion ]; then - is_analyst_iso=true - fi + # Check to see if this is an ISO + if [ -d /root/SecurityOnion ]; then + is_analyst_iso=true + fi fi if [[ "$setup_type" == 'iso' ]]; then if [[ $is_centos ]]; then - is_iso=true + is_iso=true else echo "Only use 'so-setup iso' for an ISO install on CentOS. Please run 'so-setup network' instead." exit 1 
@@ -93,17 +93,17 @@ fi if [[ $is_analyst ]]; then - # Make sure it's CentOS - if [[ ! $is_centos ]]; then - echo "Analyst Workstation is only supported on CentOS 7" - exit 1 - fi + # Make sure it's CentOS + if [[ ! $is_centos ]]; then + echo "Analyst Workstation is only supported on CentOS 7" + exit 1 + fi - if ! whiptail_analyst_install; then - # Lets make this a standalone + if ! whiptail_analyst_install; then + # Lets make this a standalone echo "Enabling graphical interface and setting it to load at boot" systemctl set-default graphical.target - startx + startx exit 0 fi @@ -234,37 +234,37 @@ if ! [[ -f $install_opt_file ]]; then echo "User cancelled setup." | tee -a "$setup_log" whiptail_cancel fi - if [[ $is_analyst ]]; then - collect_hostname - if [[ $is_analyst_iso ]]; then - # Prompt Network Setup - whiptail_management_nic - whiptail_dhcp_or_static - - if [ "$address_type" != 'DHCP' ]; then - collect_int_ip_mask - collect_gateway - collect_dns - collect_dns_domain - fi + if [[ $is_analyst ]]; then + collect_hostname + if [[ $is_analyst_iso ]]; then + # Prompt Network Setup + whiptail_management_nic + whiptail_dhcp_or_static + + if [ "$address_type" != 'DHCP' ]; then + collect_int_ip_mask + collect_gateway + collect_dns + collect_dns_domain + fi - fi - if [[ ! $is_analyst_iso ]]; then - # This should be a network install - whiptail_network_notice - whiptail_dhcp_warn - whiptail_management_nic - fi + fi + if [[ ! $is_analyst_iso ]]; then + # This should be a network install + whiptail_network_notice + whiptail_dhcp_warn + whiptail_management_nic + fi whiptail_network_init_notice network_init printf '%s\n' \ - "MNIC=$MNIC" \ - "HOSTNAME=$HOSTNAME" > "$net_init_file" + "MNIC=$MNIC" \ + "HOSTNAME=$HOSTNAME" > "$net_init_file" set_main_ip >> $setup_log 2>&1 compare_main_nic_ip - fi - + fi + if [[ $setup_type == 'iso' ]] && [ "$automated" == no ]; then whiptail_first_menu_iso if [[ $option == "CONFIGURENETWORK" ]]; then 
@@ -283,7 +283,7 @@ if ! [[ -f $install_opt_file ]]; then fi fi if [[ ! $is_analyst ]]; then - whiptail_install_type + whiptail_install_type fi else source $install_opt_file @@ -462,10 +462,10 @@ detect_cloud short_name=$(echo "$HOSTNAME" | awk -F. '{print $1}') if [[ $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') + MINION_ID=$(echo "${short_name}_workstation" | tr '[:upper:]' '[:lower:]') fi if [[ ! $is_analyst ]]; then - MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') + MINION_ID=$(echo "${short_name}_${install_type}" | tr '[:upper:]' '[:lower:]') fi export MINION_ID @@ -749,10 +749,10 @@ echo "1" > /root/accept_changes info "Disabling fastestmirror" [[ $is_centos ]] && disable_fastestmirror if [[ ! $is_airgap ]]; then - securityonion_repo >> $setup_log 2>&1 - update_packages >> $setup_log 2>&1 + securityonion_repo >> $setup_log 2>&1 + update_packages >> $setup_log 2>&1 else - airgap_repo >> $setup_log 2>&1 + airgap_repo >> $setup_log 2>&1 fi if [[ $is_sensor || $is_helix || $is_import ]]; then @@ -773,8 +773,8 @@ echo "1" > /root/accept_changes saltify 2>> $setup_log if [[ ! $is_analyst ]]; then - set_progress_str 6 'Installing Docker and dependencies' - docker_install >> $setup_log 2>&1 + set_progress_str 6 'Installing Docker and dependencies' + docker_install >> $setup_log 2>&1 fi set_progress_str 7 'Generating patch pillar' @@ -783,9 +783,9 @@ echo "1" > /root/accept_changes set_progress_str 8 'Initializing Salt minion' configure_minion "$minion_type" >> $setup_log 2>&1 - if [[ ! $is_analyst ]]; then - check_sos_appliance >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + check_sos_appliance >> $setup_log 2>&1 + fi update_sudoers_for_testing >> $setup_log 2>&1 
@@ -864,10 +864,10 @@ echo "1" > /root/accept_changes generate_ca >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 24 'Generating SSL' - generate_ssl >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + set_progress_str 24 'Generating SSL' + generate_ssl >> $setup_log 2>&1 + fi if [[ $is_manager || $is_helix || $is_import ]]; then set_progress_str 25 'Configuring firewall' @@ -894,20 +894,20 @@ echo "1" > /root/accept_changes echo "Finished so-elastic-auth..." >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 61 "$(print_salt_state_apply 'firewall')" - salt-call state.apply -l info firewall >> $setup_log 2>&1 - fi - + if [[ ! $is_analyst ]]; then + set_progress_str 61 "$(print_salt_state_apply 'firewall')" + salt-call state.apply -l info firewall >> $setup_log 2>&1 + fi + if [[ $is_centos ]]; then set_progress_str 61 'Installing Yum utilities' salt-call state.apply -l info yum.packages >> $setup_log 2>&1 fi if [[ ! $is_analyst ]]; then - set_progress_str 62 "$(print_salt_state_apply 'common')" - salt-call state.apply -l info common >> $setup_log 2>&1 - fi + set_progress_str 62 "$(print_salt_state_apply 'common')" + salt-call state.apply -l info common >> $setup_log 2>&1 + fi if [[ ! $is_helix && ! $is_receiver && ! $is_idh && ! $is_analyst ]]; then set_progress_str 62 "$(print_salt_state_apply 'nginx')" @@ -1052,12 +1052,12 @@ echo "1" > /root/accept_changes salt-call state.apply -l info filebeat >> $setup_log 2>&1 fi - if [[ ! $is_analyst ]]; then - set_progress_str 85 'Applying finishing touches' - filter_unused_nics >> $setup_log 2>&1 - network_setup >> $setup_log 2>&1 - so-ssh-harden >> $setup_log 2>&1 - fi + if [[ ! $is_analyst ]]; then + set_progress_str 85 'Applying finishing touches' + filter_unused_nics >> $setup_log 2>&1 + network_setup >> $setup_log 2>&1 + so-ssh-harden >> $setup_log 2>&1 + fi if [[ $is_manager || $is_import ]]; then set_progress_str 87 'Adding user to SOC' 
@@ -1111,9 +1111,9 @@ else fi if [[ -n $ENDGAMEHOST ]]; then - set_progress_str 99 'Configuring firewall for Endgame SMP' - so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 - fi + set_progress_str 99 'Configuring firewall for Endgame SMP' + so-firewall --apply includehost endgame $ENDGAMEHOST >> $setup_log 2>&1 + fi } | whiptail_gauge_post_setup "Running post-installation steps..." From 07783713e6a786cc726f1b591f8747ea15f89c5f Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:22:40 -0400 Subject: [PATCH 41/69] fix formatting --- setup/so-whiptail | 83 +++++++++++++++++++++++------------------------ 1 file changed, 40 insertions(+), 43 deletions(-) diff --git a/setup/so-whiptail b/setup/so-whiptail index 5d98a5199..1ae07c443 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail @@ -41,7 +41,7 @@ whiptail_analyst_install() { Welcome to the Security Onion Analyst Workstation install! - You can choose to join this workstation to an existing grid? + Would you like to join this workstation to an existing grid? NOTE: Selecting "no" will enable X Windows and set it to load at boot. EOM @@ -451,9 +451,9 @@ whiptail_end_settings() { if [[ $is_idh ]]; then __append_end_msg "IDH Services Enabled:" - for service in ${idh_services[@]}; do + for service in ${idh_services[@]}; do __append_end_msg "- $service" - done + done fi 
@@ -1562,40 +1562,37 @@ whiptail_patch_schedule_select_hours() { [ -n "$TESTING" ] && return - # Select the hours to patch - PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ - "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ - 00:00 "" OFF \ - 01:00 "" OFF \ - 02:00 "" ON \ - 03:00 "" OFF \ - 04:00 "" OFF \ - 05:00 "" OFF \ - 06:00 "" OFF \ - 07:00 "" OFF \ - 08:00 "" OFF \ - 09:00 "" OFF \ - 10:00 "" OFF \ - 11:00 "" OFF \ - 12:00 "" OFF \ - 13:00 "" OFF \ - 14:00 "" OFF \ - 15:00 "" OFF \ - 16:00 "" OFF \ - 17:00 "" OFF \ - 18:00 "" OFF \ - 19:00 "" OFF \ - 20:00 "" OFF \ - 21:00 "" OFF \ - 22:00 "" OFF \ - 23:00 "" OFF 3>&1 1>&2 2>&3) - - local exitstatus=$? - whiptail_check_exitstatus $exitstatus - - PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') - - IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" + # Select the hours to patch + PATCHSCHEDULEHOURS=$(whiptail --title "$whiptail_title" --checklist \ + "At which time, UTC, do you want to apply OS patches on the selected days?" 22 75 13 \ + 00:00 "" OFF \ + 01:00 "" OFF \ + 02:00 "" ON \ + 03:00 "" OFF \ + 04:00 "" OFF \ + 05:00 "" OFF \ + 06:00 "" OFF \ + 07:00 "" OFF \ + 08:00 "" OFF \ + 09:00 "" OFF \ + 10:00 "" OFF \ + 11:00 "" OFF \ + 12:00 "" OFF \ + 13:00 "" OFF \ + 14:00 "" OFF \ + 15:00 "" OFF \ + 16:00 "" OFF \ + 17:00 "" OFF \ + 18:00 "" OFF \ + 19:00 "" OFF \ + 20:00 "" OFF \ + 21:00 "" OFF \ + 22:00 "" OFF \ + 23:00 "" OFF 3>&1 1>&2 2>&3) + local exitstatus=$? + whiptail_check_exitstatus $exitstatus + PATCHSCHEDULEHOURS=$(echo "$PATCHSCHEDULEHOURS" | tr -d '"') + IFS=' ' read -ra PATCHSCHEDULEHOURS <<< "$PATCHSCHEDULEHOURS" } 
@@ -1940,10 +1937,10 @@ whiptail_suricata_pins() { done if [[ $is_node && $is_sensor && ! $is_eval ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + local PROCS=$(expr $lb_procs / 2) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else - local PROCS=$lb_procs + local PROCS=$lb_procs fi SURIPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Suricata to:" 20 75 12 "${filtered_core_str[@]}" 3>&1 1>&2 2>&3 ) @@ -2023,10 +2020,10 @@ whiptail_zeek_pins() { done if [[ $is_smooshed ]]; then - local PROCS=$(expr $lb_procs / 2) - if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi + local PROCS=$(expr $lb_procs / 2) + if [ "$PROCS" -lt 1 ]; then PROCS=1; else PROCS=$PROCS; fi else - local PROCS=$lb_procs + local PROCS=$lb_procs fi ZEEKPINS=$(whiptail --noitem --title "$whiptail_title" --checklist "Please select $PROCS cores to pin Zeek to:" 20 75 12 "${cpu_core_list_whiptail[@]}" 3>&1 1>&2 2>&3 ) From 5387caf6f4c6946494074be1de43e9f9b3692232 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Fri, 1 Apr 2022 16:50:55 -0400 Subject: [PATCH 42/69] fix formatting --- setup/so-functions | 212 ++++++++++++++++++++++----------------------- 1 file changed, 106 insertions(+), 106 deletions(-) diff --git a/setup/so-functions b/setup/so-functions index 5224a5b90..351b9a30b 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -49,14 +49,14 @@ airgap_repo() { rm -rf /etc/yum.repos.d/* echo "[airgap_repo]" > /etc/yum.repos.d/airgap_repo.repo if $is_manager; then - echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo + echo "baseurl=https://$HOSTNAME/repo" >> /etc/yum.repos.d/airgap_repo.repo else - echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo + echo "baseurl=https://$MSRV/repo" >> /etc/yum.repos.d/airgap_repo.repo fi - echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo - echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo - echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo - echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo + echo "gpgcheck=1" >> /etc/yum.repos.d/airgap_repo.repo + echo "sslverify=0" >> /etc/yum.repos.d/airgap_repo.repo + echo "name=Airgap Repo" >> /etc/yum.repos.d/airgap_repo.repo + echo "enabled=1" >> /etc/yum.repos.d/airgap_repo.repo } airgap_rules() { @@ -144,11 +144,11 @@ analyst_workstation_pillar() { # Create the analyst workstation pillar printf '%s\n'\ - "host:"\ - " mainint: '$MNIC'"\ - "workstation:"\ + "host:"\ + " mainint: '$MNIC'"\ + "workstation:"\ " gui:"\ - " enabled: true" >> "$pillar_file"\ + " enabled: true" >> "$pillar_file"\ "sensoroni:"\ " node_description: '${NODE_DESCRIPTION//\'/''}'" > $pillar_file } @@ -782,7 +782,7 @@ collect_zeek() { configure_minion() { local minion_type=$1 if [[ $is_analyst ]]; then - minion_type=workstation + minion_type=workstation fi echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains @@ -792,9 +792,9 @@ configure_minion() { echo "id: '$MINION_ID'" > "$minion_config" case "$minion_type" in - 'workstation') - echo "master: '$MSRV'" >> "$minion_config" - ;; + 'workstation') + echo "master: '$MSRV'" >> "$minion_config" + ;; 'helix') cp -f ../salt/ca/files/signing_policies.conf /etc/salt/minion.d/signing_policies.conf echo "master: '$HOSTNAME'" >> "$minion_config" 
@@ -1251,15 +1251,15 @@ docker_install() { ;; esac if [ $OSVER == "bionic" ]; then - service docker stop + service docker stop apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.5~3-0~ubuntu-bionic docker-ce-cli=5:20.10.5~3-0~ubuntu-bionic docker-ce-rootless-extras=5:20.10.5~3-0~ubuntu-bionic python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras + apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras elif [ $OSVER == "focal" ]; then - service docker stop + service docker stop apt -y purge docker-ce docker-ce-cli docker-ce-rootless-extras retry 50 10 "apt-get -y install --allow-downgrades docker-ce=5:20.10.8~3-0~ubuntu-focal docker-ce-cli=5:20.10.8~3-0~ubuntu-focal docker-ce-rootless-extras=5:20.10.8~3-0~ubuntu-focal python3-docker" >> "$setup_log" 2>&1 || exit 1 - apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras + apt-mark hold docker-ce docker-ce-cli docker-ce-rootless-extras fi fi docker_registry @@ -1390,9 +1390,9 @@ es_heapsize() { # Set heap size to 33% of available memory ES_HEAP_SIZE=$(( total_mem / 3 )) if [ "$ES_HEAP_SIZE" -ge 25001 ] ; then - ES_HEAP_SIZE="25000m" + ES_HEAP_SIZE="25000m" else - ES_HEAP_SIZE=$ES_HEAP_SIZE"m" + ES_HEAP_SIZE=$ES_HEAP_SIZE"m" fi fi export ES_HEAP_SIZE @@ -1750,7 +1750,7 @@ manager_global() { " managerip: '$MAINIP'" > "$global_pillar" if [[ $HIGHLANDER == 'True' ]]; then - printf '%s\n'\ + printf '%s\n'\ " highlander: True"\ >> "$global_pillar" fi if [[ $is_airgap ]]; then 
@@ -1780,14 +1780,14 @@ manager_global() { " enabled: $STRELKA"\ " rules: 1" >> "$global_pillar" if [[ $is_airgap ]]; then - printf '%s\n'\ - " repos:"\ - " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" - else - printf '%s\n'\ - " repos:"\ - " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" - fi + printf '%s\n'\ + " repos:"\ + " - 'https://$HOSTNAME/repo/rules/strelka'" >> "$global_pillar" + else + printf '%s\n'\ + " repos:"\ + " - 'https://github.com/Neo23x0/signature-base'" >> "$global_pillar" + fi printf '%s\n'\ "curator:"\ 
@@ -1816,101 +1816,101 @@ manager_global() { " cluster_routing_allocation_disk_watermark_flood_stage: '98%'"\ " index_settings:"\ " so-beats:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-endgame:"\ - " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " index_template:"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-firewall:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-flow:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-ids:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-import:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 73000"\ " delete: 73001"\ " so-osquery:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-ossec:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-strelka:"\ " index_template:"\ - " template:"\ - " settings:"\ 
- " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-syslog:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 30"\ " delete: 365"\ " so-zeek:"\ " index_template:"\ - " template:"\ - " settings:"\ - " index:"\ - " number_of_shards: 1"\ + " template:"\ + " settings:"\ + " index:"\ + " number_of_shards: 1"\ " warm: 7"\ " close: 45"\ " delete: 365"\ 
@@ -2257,28 +2257,28 @@ saltify() { fi if [[ ! $is_analyst ]]; then - case "$install_type" in - 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') - reserve_group_ids - if [[ ! $is_iso ]]; then - logCmd "yum -y install sqlite curl mariadb-devel" - fi - # Download Ubuntu Keys in case manager updates = 1 - logCmd "mkdir -vp /opt/so/gpg" - if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" - logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" - logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" - fi - set_progress_str 7 'Installing salt-master' - if [[ ! $is_iso ]]; then - logCmd "yum -y install salt-master-3004.1" - fi - logCmd "systemctl enable salt-master" - ;; - *) - ;; - esac + case "$install_type" in + 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'FLEET' | 'HELIXSENSOR' | 'STANDALONE'| 'IMPORT') + reserve_group_ids + if [[ ! $is_iso ]]; then + logCmd "yum -y install sqlite curl mariadb-devel" + fi + # Download Ubuntu Keys in case manager updates = 1 + logCmd "mkdir -vp /opt/so/gpg" + if [[ ! $is_airgap ]]; then + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" + logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" + fi + set_progress_str 7 'Installing salt-master' + if [[ ! $is_iso ]]; then + logCmd "yum -y install salt-master-3004.1" + fi + logCmd "systemctl enable salt-master" + ;; + *) + ;; + esac fi if [[ ! $is_airgap ]]; then logCmd "yum clean expire-cache" 
@@ -2659,8 +2659,8 @@ set_initial_firewall_policy() { 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall includehost sensor "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost search_node "$MAINIP" case "$install_type" in 'EVAL') $default_salt_dir/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$num_cpu_cores" "$random_uid" "$MNIC" "$filesystem_root" "$filesystem_nsm" "$INTERFACE" True @@ -2676,7 +2676,7 @@ set_initial_firewall_policy() { 'HELIXSENSOR') $default_salt_dir/salt/common/tools/sbin/so-firewall includehost manager "$MAINIP" $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" + $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost sensor "$MAINIP" ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET' | 'IDH' | 'RECEIVER') $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" 
@@ -2719,9 +2719,9 @@ set_initial_firewall_policy() { # Add some firewall rules for analyst workstations that get added to the grid if [[ $is_analyst ]]; then - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" - $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" - fi + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall includehost minion "$MAINIP" + $sshcmd -i /root/.ssh/so.key soremote@"$MSRV" sudo $default_salt_dir/salt/common/tools/sbin/so-firewall --apply includehost analyst "$MAINIP" + fi } @@ -2842,8 +2842,8 @@ update_sudoers() { update_packages() { if [[ $is_centos ]]; then - logCmd "yum repolist" - logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" + logCmd "yum repolist" + logCmd "yum -y update --exclude=salt*,wazuh*,docker*,containerd*" else retry 50 10 "apt-get -y update" >> "$setup_log" 2>&1 || exit 1 retry 50 10 "apt-get -y upgrade" >> "$setup_log" 2>&1 || exit 1 @@ -2903,7 +2903,7 @@ write_out_idh_services() { " services:" >> "$pillar_file" for service in ${idh_services[@]}; do echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" - done + done } # Enable Zeek Logs From 127420b4725576702b3d7c3ee3e398d5cdf5aa68 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 10:39:44 -0400 Subject: [PATCH 43/69] hotfix function for 2.3.10 hotfix 1 --- salt/common/tools/sbin/soup | 55 ++++++++++++++++++++++++++----------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 42c7b43bf..72777831e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -889,11 +889,27 @@ upgrade_salt() { apt-mark hold "salt-master" apt-mark hold "salt-minion" fi + + echo "Checking if Salt was upgraded." + echo "" + # Check that Salt was upgraded + SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') + if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then + echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." + echo "Once the issue is resolved, run soup again." + echo "Exiting." + echo "" + exit 0 + else + echo "Salt upgrade success." + echo "" + fi + } update_repo() { - echo "Performing repo changes." if [[ "$OS" == "centos" ]]; then + echo "Performing repo changes." # Import GPG Keys gpg_rpm_import echo "Disabling fastestmirror." @@ -945,6 +961,8 @@ verify_latest_update_script() { apply_hotfix() { if [[ "$INSTALLEDVERSION" == "2.3.90" ]] ; then fix_wazuh + elif [[ "$INSTALLEDVERSION" == "2.3.110" ]] ; then + 2_3_10_hotfix_1 else echo "No actions required. ($INSTALLEDVERSION/$HOTFIXVERSION)" fi @@ -966,6 +984,26 @@ fix_wazuh() { fi } +#upgrade salt to 3004.1 +2_3_10_hotfix_1() { + systemctl_func "stop" "$cron_service_name" + # update mine items prior to stopping salt-minion and salt-master + update_salt_mine + stop_salt_minion + stop_salt_master + update_repo + # Does salt need upgraded. If so update it. + if [[ $UPGRADESALT -eq 1 ]]; then + echo "Upgrading Salt" + # Update the repo files so it can actually upgrade + upgrade_salt + fi + systemctl_func "start" "salt-master" + systemctl_func "start" "salt-minion" + systemctl_func "start" "$cron_service_name" + +} + main() { trap 'check_err $?' EXIT 
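Review bot: The version check moved into upgrade_salt exits with status 0 when `$SALTVERSIONPOSTUPGRADE` does not equal `$NEWSALTVERSION`, so a failed Salt upgrade is reported as success to anything that inspects soup's exit status, and if the `check_err $?` EXIT trap only runs its restart/re-enable path for a non-zero code (the condition is outside this hunk) that cleanup is skipped as well. Change the failure branch to `exit 1` so the "Salt upgrade failed" message is paired with a failing status. The same block previously sat in main behind `UPGRADESALT -eq 1`; now that it is unconditional inside upgrade_salt, every caller must guard the call the same way, which the new `2_3_10_hotfix_1` does. The body of upgrade_salt begins outside the hunk.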
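Review bot: `2_3_10_hotfix_1` gates the Salt upgrade on `[[ $UPGRADESALT -eq 1 ]]`, but nothing in the function sets that variable, and whether the 2.3.110 hotfix path in main assigns it before `apply_hotfix` runs is not visible here; if it is unset at that point the test is false and the upgrade promised by the `#upgrade salt to 3004.1` comment silently never happens. The function name says `2_3_10` while `apply_hotfix` dispatches on `"2.3.110"` and the commit message says 2.3.10, so one of them is a typo; a name such as `hotfix_2_3_110_1` would match the dispatch and also avoid relying on bash's non-POSIX allowance for function names that start with a digit. Suggested header comment: `# 2.3.110 hotfix 1: upgrade Salt to 3004.1; expects UPGRADESALT to have been set by the caller`.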
@@ -1080,21 +1118,6 @@ main() { echo "Upgrading Salt" # Update the repo files so it can actually upgrade upgrade_salt - - echo "Checking if Salt was upgraded." - echo "" - # Check that Salt was upgraded - SALTVERSIONPOSTUPGRADE=$(salt --versions-report | grep Salt: | awk '{print $2}') - if [[ "$SALTVERSIONPOSTUPGRADE" != "$NEWSALTVERSION" ]]; then - echo "Salt upgrade failed. Check of indicators of failure in $SOUP_LOG." - echo "Once the issue is resolved, run soup again." - echo "Exiting." - echo "" - exit 0 - else - echo "Salt upgrade success." - echo "" - fi fi preupgrade_changes From 1e955e0d38b9e09a4584ded2e7a2a9bfaa85e39e Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 11:28:03 -0400 Subject: [PATCH 44/69] enable highstate before highstate run for hotfix --- salt/common/tools/sbin/soup | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 72777831e..9d8329b03 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -93,8 +93,7 @@ check_err() { fi set +e systemctl_func "start" "$cron_service_name" - echo "Ensuring highstate is enabled." - salt-call state.enable highstate --local + enable_highstate exit $exit_code fi @@ -366,6 +365,12 @@ clone_to_tmp() { fi } +enable_highstate() { + echo "Enabling highstate." + salt-call state.enable highstate -l info --local + echo "" +} + generate_and_clean_tarballs() { local new_version new_version=$(cat $UPDATE_DIR/VERSION) @@ -1079,6 +1084,7 @@ main() { apply_hotfix echo "Hotfix applied" update_version + enable_highstate salt-call state.highstate -l info queue=True else echo "" @@ -1173,9 +1179,7 @@ main() { echo "" fi - echo "Enabling highstate." - salt-call state.enable highstate -l info --local - echo "" + enable_highstate echo "" echo "Running a highstate. This could take several minutes." From b7aff4f4dfe36343fa905d0cfe672b6e032c5cb6 Mon Sep 17 00:00:00 2001 
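Review bot: `enable_highstate` discards the exit status of `salt-call state.enable highstate -l info --local`; in `check_err` it now runs after `set +e` inside the EXIT trap, so if the call fails the node is left with highstate disabled and nothing from soup itself says so. Suggest `salt-call state.enable highstate -l info --local || echo "WARNING: could not re-enable highstate; run 'salt-call state.enable highstate --local' manually" >&2`. Note the helper also adds `-l info` to the call that check_err previously made without it, which changes the verbosity of the error path; harmless, but worth confirming it is intended.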
From: m0duspwnens Date: Mon, 4 Apr 2022 12:28:23 -0400 Subject: [PATCH 45/69] remove influxdb state files --- salt/common/tools/sbin/soup | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 9d8329b03..673d4c1f9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -497,10 +497,10 @@ stop_salt_master() { set +e echo "" echo "Killing all Salt jobs across the grid." - salt \* saltutil.kill_all_jobs + salt \* saltutil.kill_all_jobs >> $SOUP_LOG 2>&1 echo "" echo "Killing any queued Salt jobs on the manager." - pkill -9 -ef "/usr/bin/python3 /bin/salt" + pkill -9 -ef "/usr/bin/python3 /bin/salt" >> $SOUP_LOG 2>&1 set -e echo "" @@ -1003,6 +1003,7 @@ fix_wazuh() { # Update the repo files so it can actually upgrade upgrade_salt fi + rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched systemctl_func "start" "salt-master" systemctl_func "start" "salt-minion" systemctl_func "start" "$cron_service_name" From f9563b2dc4589bcbcbbc12e44ebd1b10e455133d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Mon, 4 Apr 2022 12:57:36 -0400 Subject: [PATCH 46/69] patch influxdb modules --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 673d4c1f9..5e813c2c8 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1005,6 +1005,7 @@ fix_wazuh() { fi rm -f /opt/so/state/influxdb_continuous_query.py.patched /opt/so/state/influxdbmod.py.patched /opt/so/state/influxdb_retention_policy.py.patched systemctl_func "start" "salt-master" + salt-call state.apply salt.python3-influxdb -l info systemctl_func "start" "salt-minion" systemctl_func "start" "$cron_service_name" From 04370a04ceefbe23fc2cb62d884d4cebbc524886 Mon Sep 17 00:00:00 2001 
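Review bot: `salt-call state.apply salt.python3-influxdb -l info` is issued immediately after `systemctl_func "start" "salt-master"` with no readiness wait and no status check; if the master is not yet accepting connections the state apply fails, and depending on whether `set -e` is active inside fix_wazuh at that point (not visible here) soup either aborts mid-hotfix with salt-minion and the cron service still stopped, or continues with the influxdb modules left unpatched. Consider checking the result explicitly, e.g. `salt-call state.apply salt.python3-influxdb -l info || { echo "python3-influxdb state failed; see $SOUP_LOG" >&2; exit 1; }`, and placing it after the service starts so a failure does not strand the node. fix_wazuh now also removes the influxdb `.patched` markers and applies an influxdb state, so its name no longer describes what it does; a comment such as `# fix_wazuh also re-patches the influxdb Salt modules for 2.3.90` would help the next reader. fix_wazuh begins outside the hunk.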
From: Mike Reeves Date: Mon, 4 Apr 2022 16:06:20 -0400 Subject: [PATCH 47/69] 2.3.110 hotfix 0401 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220404.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220404.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 300428636..08e02da0f 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.110-20220309 ISO image built on 2022/03/09 +### 2.3.110-20220401 ISO image built on 2022/04/04 ### Download and Verify -2.3.110-20220309 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +2.3.110-20220401 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso -MD5: 537564F8B56633E2D46E5E7C4E2BF18A -SHA1: 1E1B42EDB711AC8B5963B3460056770B91AE6BFC -SHA256: 4D73E5BE578DA43DCFD3C1B5F9AF07A7980D8DF90ACDDFEF6CEA177F872EECA0 +MD5: 17625039D4ED23EC217589A1681C4FDA +SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2 +SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
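Review bot: The signature URL now points at `securityonion-2.3.110-20220401.iso.sig`, but the file this commit adds is `sigs/securityonion-2.3.110-20220404.iso.sig`, so the documented link will not resolve and the verification procedure as written cannot be completed. The heading `2.3.110-20220401 ISO image built on 2022/04/04` and the ISO filename use 20220401 while the signature file and the `Signature made Mon 04 Apr 2022` line use the 4th; whichever date the published artefacts actually carry, the ISO name, the `.sig` name and the heading need to agree. The same 20220401 reference appears in the second hunk of this file (the `wget .../iso.sig` line and the `gpg --verify` example) and should be corrected together.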
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220309.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220309.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220309.iso.sig securityonion-2.3.110-20220309.iso +gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Wed 09 Mar 2022 10:20:47 AM EST using RSA key ID FE507013 +gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.110-20220404.iso.sig b/sigs/securityonion-2.3.110-20220404.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..bd821595356bc64607342e647f969113028eb4aa GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DAG&=wa2@re`V7LBIa1+w)5CEJ0nU#eP2}|H9Z~~i% z?IIOFN;8&0C|C@MHDB}Zz)@*6BNN9a)FA%q36hL`=C$0uOEHAz*Llt;{%>Xgf+p9gM2%u+hGyJVY^ z?`aH_EBL2g89zvEkI*;#9$ORHpQ9Q_m3nZqGU(t}9063xmV*@!Z#8yt!6yKaJ2FU# z%GqMUdSA{w8xEmdiIRfZfVQu4*a^Gf)nSL9nWg0QrLEDf2oV#!MBhje(a@D>U;p;# z&cvxs4JjdXN+MCMbJR!twvstN9X4mc`hjXu<(6C#cS7M4!J3s`+# h-{176JTXYmstMrD&!uB^(fcr)*joI30fL^>7Hg7r0>S_Q literal 0 HcmV?d00001 
From 7906c053b1ae0639cc39e43638cddcac48be1d39 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Mon, 4 Apr 2022 16:46:05 -0400 Subject: [PATCH 48/69] Initial support for restricting IDH services on MGT IP --- salt/idh/init.sls | 27 ++++++++++++++++++++++++++- salt/top.sls | 2 +- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 089ecc4df..5f5307b08 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -19,11 +19,36 @@ {% set VERSION = salt['pillar.get']('global:soversion', 'HH1.2.2') %} {% set IMAGEREPO = salt['pillar.get']('global:imagerepo') %} {% set MANAGER = salt['grains.get']('master') %} +{% set MAININT = salt['pillar.get']('host:mainint') %} +{% set MAINIP = salt['grains.get']('ip_interfaces').get(MAININT)[0] %} +{% set RESTRICTIDHSERVICES = salt['pillar.get']('idh:restrict_management_ip', False) %} include: - idh.openssh.config -# IDH State + +# If True, block IDH Services from accepting connections on Managment IP +{% if RESTRICTIDHSERVICES %} + {% from 'idh/opencanary_config.map.jinja' import OPENCANARYCONFIG %} + {% set idh_services = salt['pillar.get']('idh:services', []) %} + + {% for service in idh_services %} + {% if service in ["smnp","ntp", "tftp"] %} + {% set proto = 'udp' %} + {% else %} + {% set proto = 'tcp' %} + {% endif %} +block_mgt_ip_idh_services_{{ proto }}_{{ OPENCANARYCONFIG[service~'.port'] }} : + iptables.insert: + - table: filter + - chain: INPUT + - jump: DROP + - position: 1 + - proto: {{ proto }} + - dport: {{ OPENCANARYCONFIG[service~'.port'] }} + - destination: {{ MAINIP }} + {% endfor %} +{% endif %} # Create a config directory temp: diff --git a/salt/top.sls b/salt/top.sls index dd41ff9fe..5f8e56c7f 100644 --- a/salt/top.sls +++ b/salt/top.sls 
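Review bot: The UDP list `["smnp","ntp", "tftp"]` looks like a typo for `snmp`; if the pillar service name is `snmp`, its rule is inserted with `proto: tcp` and the SNMP listener on the management IP stays reachable over UDP, which is exactly the exposure `idh:restrict_management_ip` is meant to remove. Suggested line: `{% if service in ["snmp", "ntp", "tftp"] %}`. Separately, `salt['grains.get']('ip_interfaces').get(MAININT)[0]` is evaluated unconditionally and will fail rendering for any IDH node whose `host:mainint` is missing or has no address, even when the option is off; moving the `MAINIP` lookup inside the `{% if RESTRICTIDHSERVICES %}` block confines that risk to nodes that opted in. A rendering failure here takes the whole `idh` state with it, so a short comment on the lookup noting the assumption would help.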
@@ -499,7 +499,7 @@ base: - ssl - sensoroni - telegraf - - firewall + - firewall # It's important that this state runs before the IDH state, since the IDH state (optionally) inserts BLOCK rules at position 1 {%- if WAZUH != 0 %} - wazuh {%- endif %} From e08b13629ae971d446005241a011e0f3d96136d2 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 13:41:26 -0400 Subject: [PATCH 49/69] manage repo conf for ubuntu --- salt/common/tools/sbin/soup | 3 + salt/repo/client/centos.sls | 98 +++++++++++++++++ .../client/files/ubuntu/18.04/saltstack.list | 1 + .../client/files/ubuntu/20.04/saltstack.list | 1 + salt/repo/client/init.sls | 100 +----------------- salt/repo/client/ubuntu.sls | 4 + salt/salt/map.jinja | 2 +- salt/top.sls | 3 +- setup/so-functions | 10 +- 9 files changed, 116 insertions(+), 106 deletions(-) create mode 100644 salt/repo/client/centos.sls create mode 100644 salt/repo/client/files/ubuntu/18.04/saltstack.list create mode 100644 salt/repo/client/files/ubuntu/20.04/saltstack.list create mode 100644 salt/repo/client/ubuntu.sls diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 5e813c2c8..a46938da9 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -934,6 +934,9 @@ update_repo() { yum clean all yum repolist fi + elif [[ "$OS" == "ubuntu" ]]; then + cp $UPDATE_DIR/salt/repo/client/files/ubuntu/$ubuntu_version/* /etc/apt/sources.list.d/ + apt-get update fi } diff --git a/salt/repo/client/centos.sls b/salt/repo/client/centos.sls new file mode 100644 index 000000000..160782267 --- /dev/null +++ b/salt/repo/client/centos.sls 
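Review bot: The new Ubuntu branch of update_repo copies `$UPDATE_DIR/salt/repo/client/files/ubuntu/$ubuntu_version/*` without checking that `$ubuntu_version` is set or that the directory exists; where it is assigned is not visible in this hunk, and if it is empty the path becomes `.../ubuntu//*`, cp either fails or copies nothing, and `apt-get update` then silently proceeds on the old sources, whereas the CentOS branch ends with `yum repolist` as a visible check. Suggest `cp "$UPDATE_DIR/salt/repo/client/files/ubuntu/${ubuntu_version:?}/"* /etc/apt/sources.list.d/ || exit 1` and checking `apt-get update`'s status. The `saltstack.list` files added in this commit name the mirror without a `[signed-by=...]` option, so package verification depends on the Salt key already being in the global apt keyring; a comment in update_repo recording that assumption would make the dependency explicit.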
@@ -0,0 +1,98 @@ +{% from 'repo/client/map.jinja' import ABSENTFILES with context %} +{% from 'repo/client/map.jinja' import REPOPATH with context %} +{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} +{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} +{% set role = grains.id.split('_') | last %} + +# from airgap state +{% if ISAIRGAP and grains.os == 'CentOS' %} +{% set MANAGER = salt['grains.get']('master') %} +airgapyum: + file.managed: + - name: /etc/yum/yum.conf + - source: salt://repo/client/files/centos/airgap/yum.conf + +airgap_repo: + pkgrepo.managed: + - humanname: Airgap Repo + - baseurl: https://{{ MANAGER }}/repo + - gpgcheck: 0 + - sslverify: 0 + +{% endif %} + +# from airgap and common +{% if ABSENTFILES|length > 0%} + {% for file in ABSENTFILES %} +{{ file }}: + file.absent: + - name: {{ REPOPATH }}{{ file }} + - onchanges_in: + - cmd: cleanyum + {% endfor %} +{% endif %} + +# from common state +# Remove default Repos +{% if grains['os'] == 'CentOS' %} +repair_yumdb: + cmd.run: + - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' + - onlyif: + - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' + +crsynckeys: + file.recurse: + - name: /etc/pki/rpm_gpg + - source: salt://repo/client/files/centos/keys/ + +{% if not ISAIRGAP %} + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} +remove_securityonionrepocache: + file.absent: + - name: /etc/yum.repos.d/securityonioncache.repo + {% endif %} + + {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} +remove_securityonionrepo: + file.absent: + - name: /etc/yum.repos.d/securityonion.repo + {% endif %} + +crsecurityonionrepo: + file.managed: + {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} + - name: /etc/yum.repos.d/securityonion.repo + - source: salt://repo/client/files/centos/securityonion.repo + {% 
else %} + - name: /etc/yum.repos.d/securityonioncache.repo + - source: salt://repo/client/files/centos/securityonioncache.repo + {% endif %} + - mode: 644 + +yumconf: + file.managed: + - name: /etc/yum.conf + - source: salt://repo/client/files/centos/yum.conf.jinja + - mode: 644 + - template: jinja + - show_changes: False + +cleanairgap: + file.absent: + - name: /etc/yum.repos.d/airgap_repo.repo +{% endif %} + +cleanyum: + cmd.run: + - name: 'yum clean metadata' + - onchanges: +{% if ISAIRGAP %} + - file: airgapyum + - pkgrepo: airgap_repo +{% else %} + - file: crsecurityonionrepo + - file: yumconf +{% endif %} + +{% endif %} diff --git a/salt/repo/client/files/ubuntu/18.04/saltstack.list b/salt/repo/client/files/ubuntu/18.04/saltstack.list new file mode 100644 index 000000000..b41f03856 --- /dev/null +++ b/salt/repo/client/files/ubuntu/18.04/saltstack.list @@ -0,0 +1 @@ +deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/18.04/amd64/salt/ bionic main diff --git a/salt/repo/client/files/ubuntu/20.04/saltstack.list b/salt/repo/client/files/ubuntu/20.04/saltstack.list new file mode 100644 index 000000000..bc7236d82 --- /dev/null +++ b/salt/repo/client/files/ubuntu/20.04/saltstack.list @@ -0,0 +1 @@ +deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/ focal main diff --git a/salt/repo/client/init.sls b/salt/repo/client/init.sls index 160782267..154867caf 100644 --- a/salt/repo/client/init.sls +++ b/salt/repo/client/init.sls 
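Review bot: The `airgap_repo` pkgrepo carried over into the new centos.sls keeps `gpgcheck: 0` and `sslverify: 0`, so packages from the manager's airgap mirror are installed with neither signature nor TLS verification; this commit moves the content from init.sls rather than writing it, so the setting is pre-existing, but the new file is the place to either enable `gpgcheck: 1` with a `gpgkey:` pointing at the keys placed by `crsynckeys` (if the mirror's packages are signed) or to record why it is off. A one-line comment above the state, `# gpgcheck/sslverify are disabled for the airgap mirror: <reason>`, would at least make the choice explicit. Note also that `airgapyum` manages `/etc/yum/yum.conf` while `yumconf` manages `/etc/yum.conf`; worth confirming both paths are intended.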
@@ -1,98 +1,2 @@ -{% from 'repo/client/map.jinja' import ABSENTFILES with context %} -{% from 'repo/client/map.jinja' import REPOPATH with context %} -{% set ISAIRGAP = salt['pillar.get']('global:airgap', False) %} -{% set managerupdates = salt['pillar.get']('global:managerupdate', 0) %} -{% set role = grains.id.split('_') | last %} - -# from airgap state -{% if ISAIRGAP and grains.os == 'CentOS' %} -{% set MANAGER = salt['grains.get']('master') %} -airgapyum: - file.managed: - - name: /etc/yum/yum.conf - - source: salt://repo/client/files/centos/airgap/yum.conf - -airgap_repo: - pkgrepo.managed: - - humanname: Airgap Repo - - baseurl: https://{{ MANAGER }}/repo - - gpgcheck: 0 - - sslverify: 0 - -{% endif %} - -# from airgap and common -{% if ABSENTFILES|length > 0%} - {% for file in ABSENTFILES %} -{{ file }}: - file.absent: - - name: {{ REPOPATH }}{{ file }} - - onchanges_in: - - cmd: cleanyum - {% endfor %} -{% endif %} - -# from common state -# Remove default Repos -{% if grains['os'] == 'CentOS' %} -repair_yumdb: - cmd.run: - - name: 'mv -f /var/lib/rpm/__db* /tmp && yum clean all' - - onlyif: - - 'yum check-update 2>&1 | grep "Error: rpmdb open failed"' - -crsynckeys: - file.recurse: - - name: /etc/pki/rpm_gpg - - source: salt://repo/client/files/centos/keys/ - -{% if not ISAIRGAP %} - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} -remove_securityonionrepocache: - file.absent: - - name: /etc/yum.repos.d/securityonioncache.repo - {% endif %} - - {% if role not in ['eval', 'standalone', 'import', 'manager', 'managersearch'] and managerupdates == 1 %} -remove_securityonionrepo: - file.absent: - - name: /etc/yum.repos.d/securityonion.repo - {% endif %} - -crsecurityonionrepo: - file.managed: - {% if role in ['eval', 'standalone', 'import', 'manager', 'managersearch'] or managerupdates == 0 %} - - name: /etc/yum.repos.d/securityonion.repo - - source: salt://repo/client/files/centos/securityonion.repo - {% 
else %} - - name: /etc/yum.repos.d/securityonioncache.repo - - source: salt://repo/client/files/centos/securityonioncache.repo - {% endif %} - - mode: 644 - -yumconf: - file.managed: - - name: /etc/yum.conf - - source: salt://repo/client/files/centos/yum.conf.jinja - - mode: 644 - - template: jinja - - show_changes: False - -cleanairgap: - file.absent: - - name: /etc/yum.repos.d/airgap_repo.repo -{% endif %} - -cleanyum: - cmd.run: - - name: 'yum clean metadata' - - onchanges: -{% if ISAIRGAP %} - - file: airgapyum - - pkgrepo: airgap_repo -{% else %} - - file: crsecurityonionrepo - - file: yumconf -{% endif %} - -{% endif %} +include: + - repo.client.{{grains.os | lower}} diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls new file mode 100644 index 000000000..449b4ae14 --- /dev/null +++ b/salt/repo/client/ubuntu.sls @@ -0,0 +1,4 @@ +ubuntu_repo_files: + - file.recurse: + - name: /etc/apt/sources.list.d/ + - source: salt://repo/client/files/ubuntu/{{grains.osrelease}}/ diff --git a/salt/salt/map.jinja b/salt/salt/map.jinja index b66ec23eb..eb9f5ae89 100644 --- a/salt/salt/map.jinja +++ b/salt/salt/map.jinja @@ -29,7 +29,7 @@ {% if grains.os|lower in ['centos', 'redhat'] %} {% set UPGRADECOMMAND = 'yum clean all ; /usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% elif grains.os|lower == 'ubuntu' %} - {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -F -x python3 stable ' ~ SALTVERSION %} + {% set UPGRADECOMMAND = '/usr/sbin/bootstrap-salt.sh -s 120 -r -F -x python3 stable ' ~ SALTVERSION %} {% endif %} {% else %} {% set UPGRADECOMMAND = 'echo Already running Salt Minion version ' ~ SALTVERSION %} diff --git a/salt/top.sls b/salt/top.sls index 67d717d3b..c20bf33b7 100644 --- a/salt/top.sls +++ b/salt/top.sls 
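Review bot: The replacement `include: - repo.client.{{grains.os | lower}}` turns an OS mismatch into a render failure: the removed code sat under `{% if grains['os'] == 'CentOS' %}` and was a no-op elsewhere, whereas a minion whose `grains.os` is anything other than CentOS or Ubuntu (the only two `repo.client.*` files this series adds) now gets a missing-SLS error for the `'*'` target in top.sls. Wrapping the include in `{% if grains.os | lower in ['centos', 'ubuntu'] %}`, or at least a comment `# one sub-state per supported OS: repo/client/<os>.sls`, would make the contract explicit.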
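Review bot: In the new ubuntu.sls, `ubuntu_repo_files:` is followed by `- file.recurse:` as a list item, which is not the state declaration form Salt expects (the function is a mapping key under the ID, as the neighbouring centos.sls writes `file.managed:`); drop the leading `- ` so it reads `ubuntu_repo_files:` / `  file.recurse:`. Recursing the whole `files/ubuntu/{{grains.osrelease}}/` directory into /etc/apt/sources.list.d/ also requires a directory for every supported release, so an unsupported `osrelease` fails at source lookup rather than with a clear message.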
@@ -21,16 +21,15 @@ base: '*': - cron.running + - repo.client 'not G@saltversion:{{saltversion}}': - match: compound - salt.minion-state-apply-test - - repo.client - salt.minion 'G@os:CentOS and G@saltversion:{{saltversion}}': - match: compound - - repo.client - yum.packages '* and G@saltversion:{{saltversion}}': diff --git a/setup/so-functions b/setup/so-functions index 0047fe4a2..9d09e78a0 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -2277,7 +2277,7 @@ saltify() { # Download Ubuntu Keys in case manager updates = 1 logCmd "mkdir -vp /opt/so/gpg" if [[ ! $is_airgap ]]; then - logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/18.04/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub" + logCmd "wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/SALTSTACK-GPG-KEY.pub" logCmd "wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg" logCmd "wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH" fi 
@@ -2334,8 +2334,8 @@ saltify() { 'MANAGER' | 'EVAL' | 'MANAGERSEARCH' | 'STANDALONE' | 'IMPORT' | 'HELIXSENSOR') # Add saltstack repo(s) - wget -q --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 + echo "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 @@ -2343,7 +2343,7 @@ saltify() { # Get gpg keys mkdir -p /opt/so/gpg >> "$setup_log" 2>&1 - wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/py3/ubuntu/"$ubuntu_version"/amd64/archive/3004.1/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 + wget -q --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg >> "$setup_log" 2>&1 wget -q --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH >> "$setup_log" 2>&1 
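Review bot: The new sources line in the first hunk omits the `deb` keyword — `echo "https://repo.securityonion.net/... $OSVER main" > /etc/apt/sources.list.d/saltstack.list` — so apt will reject the entry; the equivalent line in the @@ -2367 hunk below keeps `deb`, and this one should too. The line above it pipes the key fetched from the mirror straight into `apt-key add -`, so trust in the Salt packages now rests entirely on the mirror's TLS certificate rather than on a key known in advance; shipping the key with the installer, or checking its fingerprint before adding it, keeps the trust anchor under the project's control. saltify's body starts and ends outside the hunk.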
@@ -2367,7 +2367,7 @@ saltify() { echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub >> "$setup_log" 2>&1 apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH >> "$setup_log" 2>&1 - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" echo "deb https://packages.wazuh.com/3.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list 2>> "$setup_log" ;; esac From 020871ef61aacc94158841c5c96fe5149a0d82b0 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 13:49:28 -0400 Subject: [PATCH 50/69] update hotfix version --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index 6711b0853..e4a42e6ac 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -04012022 +04012022 04052022 From b467cde9ad4ae0cdb69103f6291c4ae5d453686b Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 14:42:36 -0400 Subject: [PATCH 51/69] add deb to saltstack.list --- setup/so-functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/setup/so-functions b/setup/so-functions index 9d09e78a0..2c3d2a649 100755 --- a/setup/so-functions +++ b/setup/so-functions 
@@ -2335,7 +2335,7 @@ saltify() { # Add saltstack repo(s) wget -q --inet4-only -O - https://repo.securityonion.net/file/securityonion-repo/ubuntu/"$ubuntu_version"/amd64/salt/SALTSTACK-GPG-KEY.pub | apt-key add - >> "$setup_log" 2>&1 - echo "https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt/ $OSVER main" > /etc/apt/sources.list.d/saltstack.list 2>> "$setup_log" # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add - >> "$setup_log" 2>&1 From 1248ba892400369d5092cb1b3441b124b8cb9e79 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 15:40:39 -0400 Subject: [PATCH 52/69] update update_repo function --- salt/common/tools/sbin/soup | 15 +++++++++++++-- .../repo/client/files/ubuntu/18.04/saltstack.list | 1 - .../repo/client/files/ubuntu/20.04/saltstack.list | 1 - salt/repo/client/ubuntu.sls | 9 +++++---- 4 files changed, 18 insertions(+), 8 deletions(-) delete mode 100644 salt/repo/client/files/ubuntu/18.04/saltstack.list delete mode 100644 salt/repo/client/files/ubuntu/20.04/saltstack.list diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index a46938da9..b64a778ea 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup 
@@ -935,8 +935,19 @@ update_repo() { yum repolist fi elif [[ "$OS" == "ubuntu" ]]; then - cp $UPDATE_DIR/salt/repo/client/files/ubuntu/$ubuntu_version/* /etc/apt/sources.list.d/ - apt-get update + ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') + + if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then + OSVER=bionic + elif grep -q "UBUNTU_CODENAME=focal" /etc/os-release; then + OSVER=focal + else + echo "We do not support your current version of Ubuntu." + exit 1 + fi + + echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list + apt-get update fi } diff --git a/salt/repo/client/files/ubuntu/18.04/saltstack.list b/salt/repo/client/files/ubuntu/18.04/saltstack.list deleted file mode 100644 index b41f03856..000000000 --- a/salt/repo/client/files/ubuntu/18.04/saltstack.list +++ /dev/null @@ -1 +0,0 @@ -deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/18.04/amd64/salt/ bionic main diff --git a/salt/repo/client/files/ubuntu/20.04/saltstack.list b/salt/repo/client/files/ubuntu/20.04/saltstack.list deleted file mode 100644 index bc7236d82..000000000 --- a/salt/repo/client/files/ubuntu/20.04/saltstack.list +++ /dev/null @@ -1 +0,0 @@ -deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/20.04/amd64/salt/ focal main diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 449b4ae14..a7b7a90af 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -1,4 +1,5 @@ -ubuntu_repo_files: - - file.recurse: - - name: /etc/apt/sources.list.d/ - - source: salt://repo/client/files/ubuntu/{{grains.osrelease}}/ +saltstack.list: + - file.managed: + - name: /etc/apt/sources.list.d/saltstack.list + - contents: + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main From 89518b59397e50924f5aff70d5bdf0ee7c579bff Mon Sep 17 00:00:00 2001 
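Review bot: The saltstack.list written by the new ubuntu branch points at `http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1` over plain http, while the ubuntu.sls hunk in the same commit manages the same file with the https securityonion.net mirror, so soup and the next highstate will keep rewriting the file with different contents and the soup path fetches apt metadata over an unauthenticated transport; use the same https mirror line here. The unsupported-version message goes to stdout before `exit 1`; `echo "We do not support your current version of Ubuntu." >&2` keeps it out of captured output. `ubuntu_version` and `OSVER` are assigned without `local`, which looks intended since they are read elsewhere, but a comment saying so would help. update_repo's body continues outside the hunk.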
From: m0duspwnens Date: Tue, 5 Apr 2022 15:44:06 -0400 Subject: [PATCH 53/69] proper salt format --- salt/repo/client/ubuntu.sls | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index a7b7a90af..efc06b24a 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -1,5 +1,5 @@ saltstack.list: - - file.managed: - - name: /etc/apt/sources.list.d/saltstack.list - - contents: - - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + file.managed: + - name: /etc/apt/sources.list.d/saltstack.list + - contents: + - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main From 89c7f5b356512bac2cb8d77eb10a4c3b1e7dbbb4 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 17:28:47 -0400 Subject: [PATCH 54/69] point to so repo --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index b64a778ea..99074c6d4 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -946,7 +946,7 @@ update_repo() { exit 1 fi - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/archive/3004.1 $OSVER main" > /etc/apt/sources.list.d/saltstack.list + echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi } From cf68aeb36e4223cbe3f30583807892ab567be70d Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Tue, 5 Apr 2022 17:35:03 -0400 Subject: [PATCH 55/69] use -r for bootstrap-salt for ubuntu --- salt/common/tools/sbin/soup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 99074c6d4..8a6132898 100755 
--- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -885,7 +885,7 @@ upgrade_salt() { echo "" set +e run_check_net_err \ - "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -F -M -x python3 stable \"$NEWSALTVERSION\"" \ + "sh $UPDATE_DIR/salt/salt/scripts/bootstrap-salt.sh -X -r -F -M -x python3 stable \"$NEWSALTVERSION\"" \ "Could not update salt, please check $SOUP_LOG for details." set -e echo "Applying apt hold for Salt." From 79175b57fa2d3add592c58235fed3594bbaf727c Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Tue, 5 Apr 2022 19:15:20 -0400 Subject: [PATCH 56/69] 2.3.110 hotfix 0405 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220405.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220405.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 08e02da0f..13999abee 100644 --- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md 
@@ -1,18 +1,18 @@ -### 2.3.110-20220401 ISO image built on 2022/04/04 +### 2.3.110-20220405 ISO image built on 2022/04/05 ### Download and Verify -2.3.110-20220401 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso +2.3.110-20220405 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso -MD5: 17625039D4ED23EC217589A1681C4FDA -SHA1: 8244A7BE12F27E71721ADC699950BB27C5C03BF2 -SHA256: 76C135C3FDA8A28C13A142B944BE72E67192AC7C4BC85838230EFF45E8978BD1 +MD5: 9CE982FE45DC2957A3A6D376E6DCC048 +SHA1: 10E3FF28A69F9617D4CCD2F5061AA2DC062B8F94 +SHA256: 0C178A422ABF7B61C08728E32CE20A9F9C1EC65807EB67D06F1C23F7D1EA51A7 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220401.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220401.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220401.iso.sig securityonion-2.3.110-20220401.iso +gpg --verify securityonion-2.3.110-20220405.iso.sig securityonion-2.3.110-20220405.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Mon 04 Apr 2022 02:08:59 PM EDT using RSA key ID FE507013 +gpg: Signature made Tue 05 Apr 2022 06:37:40 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. 
diff --git a/sigs/securityonion-2.3.110-20220405.iso.sig b/sigs/securityonion-2.3.110-20220405.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..bc4648f170e208b09d018af200ca617a16cce98d GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DB#Iyhk2@re`V7LBIa1#Rj5CD~~Z->xQCzGa%Q&QYU zG@wSy)a|Rp*fF%|6wbDlkN7BwzP}X6&p6WG32IZ(`sdfDG)%EMk=(8{1p1S7fM$oD z#csC--TYuGG^&h7X69T!*u$Sq#`%>*g%2z%Wo-&8p;nTynq*db-#2?LBH=nV4*8|5 z^w^u5WThDSLA>A@94bp9RD{L~UL;j# znTjw^wlmVW=PEE9L*~-?3u!s6b#Wvh_da`tPb7<{=~(+gqWOnB85FWG=S60P&Y9zY zP#+9VGW`ffhwcTMH`mnK2EQKP;>3~3X?oW2F0Wh=fxcAZJP_7;3pivo(jNMsOHo{i zF_B03Z*0&|OfJtrWt7bg>#l@8#S8MdqSjMCPzCfu)Y z`@vX5KHW8?3Zy;n^j;aB6bvvAQ#8d2SYUP`J2@EuA_)ID96T}I3}P;QH`$zukcxx Date: Wed, 6 Apr 2022 16:53:55 -0400 Subject: [PATCH 57/69] update the centos repo for airgap prior to applying hotfix or standard soup run --- salt/common/tools/sbin/soup | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index 8a6132898..f1b23b3bd 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -1094,6 +1094,12 @@ main() { upgrade_check_salt set -e + if [[ $is_airgap -eq 0 ]]; then + update_centos_repo + yum clean all + check_os_updates + fi + if [ "$is_hotfix" == "true" ]; then echo "Applying $HOTFIXVERSION hotfix" copy_new_files @@ -1115,9 +1121,6 @@ main() { echo "Updating dockers to $NEWVERSION." if [[ $is_airgap -eq 0 ]]; then airgap_update_dockers - update_centos_repo - yum clean all - check_os_updates # if not airgap but -f was used elif [[ ! -z "$ISOLOC" ]]; then airgap_update_dockers From f5e539a05c3c0e8c2466e5188867b77e24480fda Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Wed, 6 Apr 2022 17:16:38 -0400 Subject: [PATCH 58/69] Initial support for restricting IDH services on MGT IP --- setup/so-functions | 8 ++++++++ setup/so-setup | 9 +++++---- setup/so-whiptail | 11 +++++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) 
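Review bot: The block moved up in main() runs `update_centos_repo`, `yum clean all` and `check_os_updates` under `[[ $is_airgap -eq 0 ]]` immediately after `set -e`, where previously the same calls sat in the docker-update branch; with `-e` in effect any non-zero return from them now aborts soup before the hotfix is applied, which may be intended but deserves either an explicit `|| { echo "repo update failed" >&2; exit 1; }` or a comment. The condition also reads as "not airgap" while the functions are airgap-only, so a note at the new block such as `# is_airgap is 0 for airgap installs (see the airgap_update_dockers branch below)` would help a reader — confirm against where is_airgap is set. main's body starts and ends outside the hunks.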
diff --git a/setup/so-functions b/setup/so-functions index 5b4914941..b1ebb1aa1 100755 --- a/setup/so-functions +++ b/setup/so-functions @@ -435,6 +435,13 @@ collect_hostname_validate() { done } +collect_idh_preferences() { + IDHMGTRESTRICT='False' + whiptail_idh_preferences + + if [[ "$idh_preferences" != "" ]]; then IDHMGTRESTRICT='True'; fi +} + collect_idh_services() { whiptail_idh_services @@ -2867,6 +2874,7 @@ write_out_idh_services() { printf '%s\n'\ "idh:"\ + " restrict_management_ip: $IDHMGTRESTRICT"\ " services:" >> "$pillar_file" for service in ${idh_services[@]}; do echo " - $service" | tr '[:upper:]' '[:lower:]' >> "$pillar_file" diff --git a/setup/so-setup b/setup/so-setup index deca4b0d6..1cb1bdc4e 100755 --- a/setup/so-setup +++ b/setup/so-setup @@ -276,10 +276,6 @@ if [[ $is_manager || $is_import ]]; then check_elastic_license fi -if [[ $is_idh ]]; then - collect_idh_services -fi - if ! [[ -f $install_opt_file ]]; then if [[ $is_manager && $is_sensor ]]; then check_requirements "standalone" @@ -327,6 +323,11 @@ if ! [[ -f $install_opt_file ]]; then copy_ssh_key >> $setup_log 2>&1 fi + if [[ $is_idh ]]; then + collect_idh_services + collect_idh_preferences + fi + # Check if this is an airgap install if [[ ( $is_manager || $is_import) && $is_iso ]]; then whiptail_airgap diff --git a/setup/so-whiptail b/setup/so-whiptail index c39ec4ff7..72013b0ac 100755 --- a/setup/so-whiptail +++ b/setup/so-whiptail 
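Review bot: Moving `collect_idh_services` into the `if ! [[ -f $install_opt_file ]]` block in so-setup means an install driven by an options file no longer collects IDH services or preferences at all, whereas before this hunk it ran unconditionally; unless the options file supplies `idh_services` and `IDHMGTRESTRICT` (not visible here), `write_out_idh_services` will then emit an empty `services:` list and `restrict_management_ip:` with no value. If the automated path is meant to skip the prompts, setting the `IDHMGTRESTRICT='False'` default outside `collect_idh_preferences`, which only sets it when called, keeps the pillar well-formed. In `collect_idh_preferences`, `idh_preferences` is compared without any guarantee it was set — `whiptail_idh_preferences` returns early under TESTING — so `"${idh_preferences:-}"` is the safer spelling.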
@@ -725,6 +725,17 @@ whiptail_homenet_sensor() { export HNSENSOR } + whiptail_idh_preferences() { + + [ -n "$TESTING" ] && return + + idh_preferences=$(whiptail --title "$whiptail_title" --radiolist \ + "\nBy default, the IDH services selected in the previous screen will be bound to all interfaces / IPs on this system.\n\nYou can choose below whether or not to prevent IDH services from being published on this system's management IP." 20 75 5 \ + "$MAINIP" "Disable IDH services on this management IP " OFF 3>&1 1>&2 2>&3 ) + + local exitstatus=$? + whiptail_check_exitstatus $exitstatus +} whiptail_idh_services() { From 08ac696f143196366bb04312a2c076e03d67a444 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Wed, 6 Apr 2022 17:38:06 -0400 Subject: [PATCH 59/69] remove saltstack repo created by bootstrap-salt for ubuntu --- salt/common/tools/sbin/soup | 1 + 1 file changed, 1 insertion(+) diff --git a/salt/common/tools/sbin/soup b/salt/common/tools/sbin/soup index f1b23b3bd..7181b1b9e 100755 --- a/salt/common/tools/sbin/soup +++ b/salt/common/tools/sbin/soup @@ -946,6 +946,7 @@ update_repo() { exit 1 fi + rm -f /etc/apt/sources.list.d/salt.list echo "deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/$ubuntu_version/amd64/salt $OSVER main" > /etc/apt/sources.list.d/saltstack.list apt-get update fi From be3769fd7c1cc1a754c542537d08bf59830ea837 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 08:53:44 -0400 Subject: [PATCH 60/69] run apt-get update if saltstack.list changes --- salt/repo/client/ubuntu.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index efc06b24a..63980c90e 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls 
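Review bot: `whiptail_idh_preferences` presents `$MAINIP` as the radiolist tag, so it depends on `set_main_ip` having run earlier in setup; if MAINIP is empty the list gets an empty tag and the selection check in `collect_idh_preferences` can never become True. A guard `[[ -n "$MAINIP" ]] || return` and a header comment `# Requires MAINIP (set_main_ip); sets idh_preferences to the selected IP, or empty when declined` would document the dependency. The new function is also indented one level (` whiptail_idh_preferences() {`) unlike its neighbours — a style nit.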
@@ -3,3 +3,8 @@ saltstack.list: - name: /etc/apt/sources.list.d/saltstack.list - contents: - deb https://repo.securityonion.net/file/securityonion-repo/ubuntu/{{grains.osrelease}}/amd64/salt/ {{grains.oscodename}} main + +apt_update: + cmd.run: + - name: apt-get update + - onchanges: saltstack.list From b2a98af18b6a32023e0d59bcc6a74e39c4fbbc99 Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 08:55:30 -0400 Subject: [PATCH 61/69] proper formatting --- salt/repo/client/ubuntu.sls | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 63980c90e..9f8a3e4ec 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -7,4 +7,5 @@ saltstack.list: apt_update: cmd.run: - name: apt-get update - - onchanges: saltstack.list + - onchanges: + - file: saltstack.list From 722b200e16d172200e79962f9e10c07b0e10032f Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 08:58:07 -0400 Subject: [PATCH 62/69] add retry to apt_update incase running in background --- salt/repo/client/ubuntu.sls | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 9f8a3e4ec..1d61a1007 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls @@ -9,3 +9,7 @@ apt_update: - name: apt-get update - onchanges: - file: saltstack.list + - timeout: 30 + - retry: + attempts: 5 + interval: 30 From 8fbd16f75d580c642da64e4d531116a408cb793a Mon Sep 17 00:00:00 2001 From: m0duspwnens Date: Thu, 7 Apr 2022 09:03:51 -0400 Subject: [PATCH 63/69] ensure salt.list is absent --- salt/repo/client/ubuntu.sls | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/salt/repo/client/ubuntu.sls b/salt/repo/client/ubuntu.sls index 1d61a1007..301bdabae 100644 --- a/salt/repo/client/ubuntu.sls +++ b/salt/repo/client/ubuntu.sls 
@@ -1,3 +1,8 @@ +# this removes the repo file left by bootstrap-salt.sh without -r +remove_salt.list: + file.absent: + - name: /etc/apt/sources.list.d/salt.list + saltstack.list: file.managed: - name: /etc/apt/sources.list.d/saltstack.list From 36b2d78dfe5c83db75965cdd392abd0984d2a279 Mon Sep 17 00:00:00 2001 From: Josh Brower Date: Thu, 7 Apr 2022 14:02:21 -0400 Subject: [PATCH 64/69] Include firewall state --- salt/idh/init.sls | 1 + salt/top.sls | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/salt/idh/init.sls b/salt/idh/init.sls index 5f5307b08..70a5d370d 100644 --- a/salt/idh/init.sls +++ b/salt/idh/init.sls @@ -25,6 +25,7 @@ include: - idh.openssh.config + - firewall # If True, block IDH Services from accepting connections on Managment IP diff --git a/salt/top.sls b/salt/top.sls index 5f8e56c7f..dd41ff9fe 100644 --- a/salt/top.sls +++ b/salt/top.sls @@ -499,7 +499,7 @@ base: - ssl - sensoroni - telegraf - - firewall # It's important that this state runs before the IDH state, since the IDH state (optionally) inserts BLOCK rules at position 1 + - firewall {%- if WAZUH != 0 %} - wazuh {%- endif %} From 93e04850c445f153b5ce3950fe4bfcfa8594881e Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 Apr 2022 14:40:54 -0400 Subject: [PATCH 65/69] Update HOTFIX --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/HOTFIX b/HOTFIX index e4a42e6ac..644f9e9ee 100644 --- a/HOTFIX +++ b/HOTFIX @@ -1 +1 @@ -04012022 04052022 +04012022 04052022 04072022 From 6a28e752f0b658d56b9b489c3d0df4a321080a64 Mon Sep 17 00:00:00 2001 From: Mike Reeves Date: Thu, 7 Apr 2022 16:03:13 -0400 Subject: [PATCH 66/69] 2.3.110 hotfix 0407 --- VERIFY_ISO.md | 22 ++++++++++---------- sigs/securityonion-2.3.110-20220407.iso.sig | Bin 0 -> 543 bytes 2 files changed, 11 insertions(+), 11 deletions(-) create mode 100644 sigs/securityonion-2.3.110-20220407.iso.sig diff --git a/VERIFY_ISO.md b/VERIFY_ISO.md index 13999abee..c8e0158f9 100644 
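Review bot: Adding `- firewall` to the idh include list while removing the ordering comment from top.sls relies on Salt running included states first; that is the usual behaviour with state_auto_order, but the `block_mgt_ip_idh_services_*` rules insert at position 1 and are only correct once the firewall state's rules are in place, so an explicit `- require:` / `  - sls: firewall` on those `iptables.insert` states (in the same file, outside this hunk) would pin the dependency rather than leave it to list order. A short comment at the include, `# firewall must apply before the IDH DROP rules below are inserted at position 1`, would preserve the rationale the top.sls comment carried.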
--- a/VERIFY_ISO.md +++ b/VERIFY_ISO.md @@ -1,18 +1,18 @@ -### 2.3.110-20220405 ISO image built on 2022/04/05 +### 2.3.110-20220407 ISO image built on 2022/04/07 ### Download and Verify -2.3.110-20220405 ISO image: -https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso +2.3.110-20220407 ISO image: +https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220407.iso -MD5: 9CE982FE45DC2957A3A6D376E6DCC048 -SHA1: 10E3FF28A69F9617D4CCD2F5061AA2DC062B8F94 -SHA256: 0C178A422ABF7B61C08728E32CE20A9F9C1EC65807EB67D06F1C23F7D1EA51A7 +MD5: 928D589709731EFE9942CA134A6F4C6B +SHA1: CA588A684586CC0D5BDE5E0E41C935FFB939B6C7 +SHA256: CBF8743838AF2C7323E629FB6B28D5DD00AE6658B0E29E4D0916411D2D526BD2 Signature for ISO image: -https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig +https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220407.iso.sig Signing key: https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/master/KEYS 
@@ -26,22 +26,22 @@ wget https://raw.githubusercontent.com/Security-Onion-Solutions/securityonion/ma Download the signature file for the ISO: ``` -wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220405.iso.sig +wget https://github.com/Security-Onion-Solutions/securityonion/raw/master/sigs/securityonion-2.3.110-20220407.iso.sig ``` Download the ISO image: ``` -wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220405.iso +wget https://download.securityonion.net/file/securityonion/securityonion-2.3.110-20220407.iso ``` Verify the downloaded ISO image using the signature file: ``` -gpg --verify securityonion-2.3.110-20220405.iso.sig securityonion-2.3.110-20220405.iso +gpg --verify securityonion-2.3.110-20220407.iso.sig securityonion-2.3.110-20220407.iso ``` The output should show "Good signature" and the Primary key fingerprint should match what's shown below: ``` -gpg: Signature made Tue 05 Apr 2022 06:37:40 PM EDT using RSA key ID FE507013 +gpg: Signature made Thu 07 Apr 2022 03:30:03 PM EDT using RSA key ID FE507013 gpg: Good signature from "Security Onion Solutions, LLC " gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. diff --git a/sigs/securityonion-2.3.110-20220407.iso.sig b/sigs/securityonion-2.3.110-20220407.iso.sig new file mode 100644 index 0000000000000000000000000000000000000000..2ea694428e65f9c571dea027b6398028cafd3da3 GIT binary patch literal 543 zcmV+)0^t3L0vrSY0RjL91p;DEJG%f12@re`V7LBIa1&?<5C2>F$KwVTPphWkRG5e^ zkI4UDI?PgP49EDJeSx(r*qp(EDAKKyO}+20qN9N5NS6MNqwu#M`oigDwVj|MdRsED z?mRwt{^!1<&}n|V75vS0@{^+aR(lf?JOMPP#QI&50uw4Z8U}+G{QRBd9O-_jk*9`~ zgzJTNdPx+apX6VbdV+(ecGf!_6!8{(_rHI3yy)w>>ATpwi0F477~;uvLLjTm_R&mZ zl@HGUc8gBO<44 Date: Fri, 8 Apr 2022 10:23:44 -0400 Subject: [PATCH 67/69] Clearing hotfix --- HOTFIX | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/HOTFIX b/HOTFIX
index 644f9e9ee..d3f5a12fa 100644
--- a/HOTFIX
+++ b/HOTFIX
@@ -1 +1 @@
-04012022 04052022 04072022
+
From 3e8c687d61715bf539a7866af0820d52266f8138 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 8 Apr 2022 12:05:38 -0400
Subject: [PATCH 68/69] ensure we can grab management ip and display whiptail if we cant
---
setup/so-functions | 24 ++++++++++++++++++++++--
setup/so-setup | 6 +++---
setup/so-whiptail | 8 ++++++++
3 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/setup/so-functions b/setup/so-functions
index acc28ea74..06279508e 100755
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -2438,8 +2438,28 @@ set_network_dev_status_list() {
}
set_main_ip() {
- MAINIP=$(ip route get 1 | awk '{print $7;exit}')
- MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2)
+ local count=0
+ local progress='.'
+ local c=0
+ local m=3.3
+ local max_attempts=30
+ echo "Gathering the management IP. "
+ while ! valid_ip4 "$MAINIP" || ! valid_ip4 "$MNIC_IP"; do
+ MAINIP=$(ip route get 1 | awk '{print $7;exit}')
+ MNIC_IP=$(ip a s "$MNIC" | grep -oE 'inet [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -d' ' -f2)
+ ((count=count+1))
+ p=$(awk -vp=$m -vq=$count 'BEGIN{printf "%.0f" ,p * q}')
+ printf "%-*s" $((count+1)) '[' | tr ' ' '#'
+ printf "%*s%3d%%\r" $((max_attempts-count)) "]" "$p"
+ if [ $count = $max_attempts ]; then
+ echo "ERROR: Could not determine MAINIP or MNIC_IP." >> "$setup_log" 2>&1
+ echo "MAINIP=$MAINIP" >> "$setup_log" 2>&1
+ echo "MNIC_IP=$MNIC_IP" >> "$setup_log" 2>&1
+ whiptail_error_message "The management IP could not be determined. Please check the log at /root/sosetup.log and verify the network configuration. Press OK to exit."
+ exit 1
+ fi
+ sleep 1
+ done
}
# Add /usr/sbin to everyone's path
diff --git a/setup/so-setup b/setup/so-setup
index 12dd5720b..26f3aaea7 100755
--- a/setup/so-setup
+++ b/setup/so-setup
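Review bot: `local progress='.'` and `local c=0` in the new set_main_ip body are never read and should be dropped, and `if [ $count = $max_attempts ]` compares two integers as strings; `if (( count == max_attempts )); then` is the idiomatic form. The percentage comes from the hard-coded `m=3.3`, which is 100/30 baked in and prints 99% on the final attempt; `p=$(( count * 100 / max_attempts ))` derives it from the loop bound, reaches 100%, and removes the awk call. Because the three so-setup hunks in this patch drop `>> $setup_log 2>&1` from the `set_main_ip` calls so the dialog can reach the terminal, any stderr from `ip a s "$MNIC"` (for instance when `$MNIC` is empty) now prints over the progress bar instead of into the log; redirecting inside the loop, `MNIC_IP=$(ip a s "$MNIC" 2>>"$setup_log" | grep -oE ...)`, keeps those diagnostics where the error path expects them. The 30 one-second attempts and the `exit 1` from inside a library function look intentional but deserve a sentence in a header comment on the function.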
@@ -260,7 +260,7 @@ if ! [[ -f $install_opt_file ]]; then
printf '%s\n' \
"MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file"
- set_main_ip >> $setup_log 2>&1
+ set_main_ip
compare_main_nic_ip
fi
@@ -275,7 +275,7 @@ if ! [[ -f $install_opt_file ]]; then
printf '%s\n' \
"MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file"
- set_main_ip >> $setup_log 2>&1
+ set_main_ip
compare_main_nic_ip
whiptail_net_setup_complete
else
@@ -375,7 +375,7 @@ if ! [[ -f $install_opt_file ]]; then
network_init
fi
- set_main_ip >> $setup_log 2>&1
+ set_main_ip
compare_main_nic_ip
if [[ $is_minion ]]; then
diff --git a/setup/so-whiptail b/setup/so-whiptail
index eadc48869..b25ab0fbc 100755
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -1501,6 +1501,14 @@ whiptail_oinkcode() {
#TODO: helper function to display error message or exit if batch mode
# exit_if_batch <"Error string">
+whiptail_error_message() {
+
+ local error_message=$1 # message to be displayed
+
+ whiptail --title "$whiptail_title" --msgbox "$error_message" 10 75
+
+}
+
whiptail_passwords_dont_match() {
whiptail --title "$whiptail_title" --msgbox "Passwords don't match. Please re-enter." 8 75
From 59d5be682adcc93831667a333b4d560664dacd57 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Fri, 8 Apr 2022 15:01:38 -0400
Subject: [PATCH 69/69] ensure bash is used for influx query
---
salt/influxdb/defaults.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/salt/influxdb/defaults.yaml b/salt/influxdb/defaults.yaml
index 205c2ba67..c89257c53 100644
--- a/salt/influxdb/defaults.yaml
+++ b/salt/influxdb/defaults.yaml
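Review bot: The `#TODO` directly above the new whiptail_error_message asks for a helper that exits instead of prompting when running in batch mode, and the function added here does not address it: in an unattended run the `--msgbox` either blocks waiting for a keypress or fails for lack of a terminal, and only then does the caller's `exit 1` in set_main_ip run. If so-setup carries a batch/automated flag, this function should consult it first and return after logging rather than draw a dialog; no such flag is visible in this hunk, so that is an inference. Independently, the function wants a header in the file's style, e.g. `# Display a blocking error dialog; $1 - message text. Does not exit; the caller decides.`, since the message text passed in ("Press OK to exit") promises an exit the helper itself does not perform.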
@@ -1,4 +1,4 @@
-{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log') %}
+{% set measurements = salt['cmd.shell']('docker exec -t so-influxdb influx -format json -ssl -unsafeSsl -database telegraf -execute "show measurements" 2> /root/measurement_query.log | jq -r .results[0].series[0].values[]?[0] 2>> /root/measurement_query.log', shell='/bin/bash') %}
influxdb:
retention_policies:
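Review bot: The jq filter `.results[0].series[0].values[]?[0]` on the new line is still an unquoted shell word containing `[`, `]` and `?`, so it is subject to pathname expansion in whichever shell cmd.shell runs it and stays literal only while nothing in the working directory happens to match. Quoting it inside the Python string, `jq -r ".results[0].series[0].values[]?[0]"`, removes that shell-dependent element regardless of why `/bin/sh` misbehaved, which the hunk does not show; the `shell='/bin/bash'` pin can stay alongside it. A short Jinja comment naming the reason for the bash requirement would save the next reader from rediscovering it, e.g. `{# cmd.shell forced to bash: the measurement query did not behave under /bin/sh #}`.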