Merge branch 'dev' into patch_2.3.3

2025-12-10 03:02:58 +01:00 · 2020-11-05 09:58:43 -05:00
parent 6b144903fc 8d5c29340e
commit fea6e6f4f9
71 changed files with 526 additions and 2155 deletions
--- a/setup/so-functions
+++ b/setup/so-functions
@@ -173,7 +173,7 @@ add_web_user() {
 		echo "Attempting to add administrator user for web interface...";
 		echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER";
 		echo "Add user result: $?";
-	} >> "$setup_log" 2>&1
+	} >> "/root/so-user-add.log" 2>&1
 }

 # Create an secrets pillar so that passwords survive re-install
@@ -430,8 +430,6 @@ configure_minion() {

 	{
 		systemctl restart salt-minion;
-		printf '%s\n'  '----';
-		cat "$minion_config";
 	} >> "$setup_log" 2>&1
 }

@@ -747,7 +745,7 @@ detect_os() {

 disable_auto_start() {
 	
-	if crontab -l 2>&1 | grep so-setup > /dev/null 2>&1; then
+	if crontab -l -u $INSTALLUSERNAME 2>&1 | grep so-setup > /dev/null 2>&1; then
 		# Remove the automated setup script from crontab, if it exists
 		logCmd "crontab -u $INSTALLUSERNAME -r"
 	fi
@@ -840,11 +838,22 @@ docker_registry() {

 	echo "Setting up Docker Registry" >> "$setup_log" 2>&1
 	mkdir -p /etc/docker >> "$setup_log" 2>&1
+	if [ -z "$DOCKERNET" ]; then
+            DOCKERNET=172.17.0.0
+	fi
 	# Make the host use the manager docker registry
+	DNETBIP=$(echo $DOCKERNET | awk -F'.' '{print $1,$2,$3,1}' OFS='.')/24
 	if [ -n "$TURBO" ]; then local proxy="$TURBO"; else local proxy="https://$MSRV"; fi
 	printf '%s\n'\
 		"{"\
-		"  \"registry-mirrors\": [ \"$proxy:5000\" ]"\
+		"  \"registry-mirrors\": [ \"$proxy:5000\" ],"\
+		"  \"bip\": \"$DNETBIP\","\
+		"  \"default-address-pools\": ["\
+		"    {"\
+		"      \"base\" : \"$DOCKERNET\","\
+		"      \"size\" : 24"\
+		"    }"\
+		"  ]"\
 		"}" > /etc/docker/daemon.json
 	echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1

@@ -1003,15 +1012,6 @@ get_redirect() {
 	fi
 }

-got_root() {
-	# Make sure you are root
-	uid="$(id -u)"
-	if [ "$uid" -ne 0 ]; then
-		echo "This script must be run using sudo!"
-		exit 1
-	fi
-}
-
 get_minion_type() {
 	local minion_type
 	case "$install_type" in
@@ -1139,12 +1139,17 @@ manager_global() {
 		fi
 	fi

+	if [ -z "$DOCKERNET" ]; then
+        DOCKERNET=172.17.0.0
+	fi
+
 	# Create a global file for global values
        printf '%s\n'\
                "global:"\
                "  soversion: '$SOVERSION'"\
                "  hnmanager: '$HNMANAGER'"\
                "  ntpserver: '$NTPSERVER'"\
+				"  dockernet: '$DOCKERNET'"\
                "  proxy: '$PROXY'"\
                "  mdengine: '$ZEEKVERSION'"\
                "  ids: '$NIDS'"\
@@ -1633,12 +1638,17 @@ salt_checkin() {
 				done

 				echo " Confirming existence of the CA certificate"
-				cat /etc/pki/ca.crt
+				openssl x509 -in /etc/pki/ca.crt -noout -subject -issuer -dates
 				echo " Applyng a mine hack";
 				salt "$MINION_ID" mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
 				salt "$MINION_ID" mine.update;
-				echo " Confirming salt mine now contain the certificate";
-				salt "$MINION_ID" mine.get '*' x509.get_pem_entries;
+				echo "Confirming salt mine now contains the certificate";
+				salt "$MINION_ID" mine.get '*' x509.get_pem_entries | grep -E 'BEGIN CERTIFICATE|END CERTIFICATE';
+				if [ $? -eq 0 ]; then
+					echo "CA in mine"
+				else
+					echo "CA not in mine"
+				fi
 				echo " Applying SSL state";
 				salt-call state.apply ssl;
 			} >> "$setup_log" 2>&1
@@ -1691,10 +1701,12 @@ setup_salt_master_dirs() {
 	if [ "$setup_type" = 'iso' ]; then
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		rsync -avh --exclude 'TRANS.TBL' /home/$INSTALLUSERNAME/SecurityOnion/salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv /home/$INSTALLUSERNAME/SecurityOnion/files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	else
 		cp -Rv ../pillar/* $default_salt_dir/pillar/ >> "$setup_log" 2>&1
 		cp -Rv ../salt/* $default_salt_dir/salt/ >> "$setup_log" 2>&1
+		mkdir -p $local_salt_dir/salt/zeek/policy/intel >> "$setup_log" 2>&1
 		cp -Rv files/intel.dat $local_salt_dir/salt/zeek/policy/intel/ >> "$setup_log" 2>&1
 	fi

--- a/setup/so-setup
+++ b/setup/so-setup
@@ -15,7 +15,15 @@
 #    You should have received a copy of the GNU General Public License
 #    along with this program.  If not, see <http://www.gnu.org/licenses/>.

+# Make sure you are root before doing anything
+uid="$(id -u)"
+if [ "$uid" -ne 0 ]; then
+	echo "This script must be run using sudo!"
+	exit 1
+fi
+
 cd "$(dirname "$0")" || exit 255
+
 source ./so-functions
 source ./so-common-functions
 source ./so-whiptail
@@ -108,8 +116,6 @@ esac
 # Allow execution of SO tools during setup
 export PATH=$PATH:../salt/common/tools/sbin

-got_root
-
 detect_os && detect_cloud
 set_network_dev_status_list

@@ -185,6 +191,10 @@ elif [ "$install_type" = 'HELIXSENSOR' ]; then
 	is_helix=true
 elif [ "$install_type" = 'IMPORT' ]; then
 	is_import=true
+elif [ "$install_type" = 'ANALYST' ]; then
+	cd .. || exit 255
+	./so-analyst-install
+	exit 0
 fi

 # Say yes to the dress if its an ISO install
@@ -310,9 +320,8 @@ if [[ $is_helix || $is_sensor || $is_import ]]; then
 	calculate_useable_cores
 fi

-if [[ $is_helix ||  $is_manager || $is_import ]]; then
-	whiptail_homenet_manager
-fi
+whiptail_homenet_manager
+whiptail_dockernet_check

 if [[ $is_helix || $is_manager || $is_node || $is_import ]]; then
 	set_base_heapsizes
--- a/setup/so-whiptail
+++ b/setup/so-whiptail
@@ -384,7 +384,7 @@ whiptail_invalid_pass_characters_warning() {

 	[ -n "$TESTING" ] && return

-	whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes and backslashes from the password." 8 75
+	whiptail --title "Security Onion Setup" --msgbox "Password is invalid. Please exclude single quotes, double quotes, dollar signs, and backslashes from the password." 8 75
 }

 whiptail_cur_close_days() {
@@ -457,6 +457,31 @@ whiptail_dhcp_warn() {
 	
 }

+whiptail_dockernet_check(){
+
+	[ -n "$TESTING" ] && return
+
+	whiptail --title "Security Onion Setup" --yesno \
+	"Do you want to keep the default Docker IP range? \n \n(Choose yes if you don't know what this means)" 10 75
+
+	local exitstatus=$?
+
+	if [[ $exitstatus == 1 ]]; then
+	whiptail_dockernet_net
+	fi
+}
+
+whiptail_dockernet_net() {
+
+	[ -n "$TESTING" ] && return
+
+	DOCKERNET=$(whiptail --title "Security Onion Setup" --inputbox \
+	"\nEnter a /24 network range for docker to use: \nThe same range MUST be used on ALL nodes \n(Default value is pre-populated.)" 10 75 172.17.0.0 3>&1 1>&2 2>&3)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+}
 whiptail_enable_components() {

 	[ -n "$TESTING" ] && return
@@ -560,11 +585,12 @@ whiptail_install_type() {

 	# What kind of install are we doing?
 	install_type=$(whiptail --title "Security Onion Setup" --radiolist \
-	"Choose install type:" 10 65 4 \
+	"Choose install type:" 12 65 5 \
 		"EVAL" "Evaluation mode (not for production) " ON \
 		"STANDALONE" "Standalone production install " OFF \
 		"DISTRIBUTED" "Distributed install submenu " OFF \
 		"IMPORT" "Standalone to import PCAP or log files " OFF \
+		"OTHER" "Other install types" OFF \
 		3>&1 1>&2 2>&3
 	)

@@ -572,22 +598,50 @@ whiptail_install_type() {
 	whiptail_check_exitstatus $exitstatus

 	if [[ $install_type == "DISTRIBUTED" ]]; then
-		install_type=$(whiptail --title "Security Onion Setup" --radiolist \
-		"Choose distributed node type:" 13 60 6 \
-			"MANAGER" "Start a new grid " ON \
-			"SENSOR" "Create a forward only sensor " OFF \
-			"SEARCHNODE" "Add a search node with parsing " OFF \
-			"MANAGERSEARCH" "Manager + search node " OFF \
-			"FLEET" "Dedicated Fleet Osquery Node " OFF \
-			"HEAVYNODE" "Sensor + Search Node " OFF \
-			3>&1 1>&2 2>&3
-			# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
-			# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
-			# "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO
-			# "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO
-		)
+		whiptail_install_type_dist
+	elif [[ $install_type == "OTHER" ]]; then
+		whiptail_install_type_other
 	fi

+	export install_type
+}
+
+whiptail_install_type_dist() {
+
+	[ -n "$TESTING" ] && return
+	
+	install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+	"Choose distributed node type:" 13 60 6 \
+		"MANAGER" "Start a new grid " ON \
+		"SENSOR" "Create a forward only sensor " OFF \
+		"SEARCHNODE" "Add a search node with parsing " OFF \
+		"MANAGERSEARCH" "Manager + search node " OFF \
+		"FLEET" "Dedicated Fleet Osquery Node " OFF \
+		"HEAVYNODE" "Sensor + Search Node " OFF \
+		3>&1 1>&2 2>&3
+		# "HOTNODE" "Add Hot Node (Uses Elastic Clustering)" OFF \ # TODO
+		# "WARMNODE" "Add Warm Node to existing Hot or Search node" OFF \ # TODO
+		# "WAZUH" "Stand Alone Wazuh Server" OFF \ # TODO
+		# "STRELKA" "Stand Alone Strelka Node" OFF \ # TODO
+	)
+
+	local exitstatus=$?
+	whiptail_check_exitstatus $exitstatus
+
+	export install_type
+}
+
+whiptail_install_type_other() {
+
+	[ -n "$TESTING" ] && return
+
+	install_type=$(whiptail --title "Security Onion Setup" --radiolist \
+	"Choose distributed node type:" 9 65 2 \
+		"ANALYST" "Quit setup and run so-analyst-install " ON \
+		"HELIXSENSOR" "Create a Helix sensor " OFF \
+		3>&1 1>&2 2>&3
+	)
+
 	local exitstatus=$?
 	whiptail_check_exitstatus $exitstatus