#!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . cd "$(dirname "$0")" || exit 255 source "./so-whiptail" source "./so-variables" source "./so-common-functions" so_version=1.2.1 accept_salt_key_local() { echo "Accept the key locally on the master" >> "$setup_log" 2>&1 # Accept the key locally on the master salt-key -ya "$MINION_ID" } accept_salt_key_remote() { echo "Accept the key remotely on the master" >> "$setup_log" 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y salt-call state.apply ca ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y } add_admin_user() { # Add an admin user with full sudo rights if this is an ISO install. useradd "$ADMINUSER" echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512 usermod -aG wheel "$ADMINUSER" } add_master_hostfile() { echo "Checking if I can resolve master. If not add to hosts file" >> "$setup_log" 2>&1 # Pop up an input to get the IP address MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus } # $1 => username # $2 => uid # $3 => gid # $4 => home dir # $5 => (optional) password variable so_add_user() { local username=$1 local uid=$2 local gid=$3 local home_dir=$4 if [ "$5" ]; then local pass=$5; fi echo "Add $username user" >> "$setup_log" 2>&1 groupadd --gid "$gid" "$username" useradd --uid "$uid" --gid "$gid" --home-dir "$home_dir" "$username" # If a password has been passed in, set the password if [ "$pass" ]; then echo "$username":"$pass" | chpasswd --crypt-method=SHA512 fi } add_socore_user_master() { so_add_user "socore" "939" "939" "/opt/so" } add_soremote_user_master() { so_add_user "soremote" "947" "947" "/home/soremote" "$SOREMOTEPASS1" } # $1 => file to wait for # $2 => max attempts # $3 => wait interval wait_for_file() { local max_attempts=$2 local cur_attempts=0 local filename=$1 local wait_interval=$3 local total_time=$(( max_attempts * wait_interval )) local date date=$(date) while [[ $cur_attempts < $max_attempts ]]; do if [ -f "$filename" ]; then echo "File $filename already exists at $date" return else echo "File $filename does not exist; waiting ${wait_interval}s then checking again ($cur_attempts/$max_attempts)..." ((cur_attempts++)) sleep "$wait_interval" fi done echo "Could not find $filename after waiting ${total_time}s" return 1 } add_web_user() { wait_for_file /opt/so/conf/kratos/db/db.sqlite 30 5 echo "Attempting to add administrator user for web interface..." echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER" echo "Add user result: $?" } # Create an secrets pillar so that passwords survive re-install secrets_pillar(){ if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then echo "Creating Secrets Pillar" >> "$setup_log" 2>&1 mkdir -p /opt/so/saltstack/pillar printf '%s\n'\ "secrets:"\ " mysql: $MYSQLPASS"\ " fleet: $FLEETPASS"\ " fleet_jwt: $FLEETJWT"\ " fleet_enroll-secret: False" > /opt/so/saltstack/pillar/secrets.sls fi } # Enable Bro Logs bro_logs_enabled() { echo "Enabling Bro Logs" >> "$setup_log" 2>&1 local brologs_pillar="$./pillar/brologs.sls" printf '%s\n'\ "brologs:"\ " enabled:" > "$brologs_pillar" if [ "$MASTERADV" = 'ADVANCED' ]; then for BLOG in "${BLOGS[@]}"; do echo " - $BLOG" | tr -d '"' >> "$brologs_pillar" done else printf '%s\n'\ " - conn"\ " - dce_rpc"\ " - dhcp"\ " - dhcpv6"\ " - dnp3"\ " - dns"\ " - dpd"\ " - files"\ " - ftp"\ " - http"\ " - intel"\ " - irc"\ " - kerberos"\ " - modbus"\ " - mqtt"\ " - notice"\ " - ntlm"\ " - openvpn"\ " - pe"\ " - radius"\ " - rfb"\ " - rdp"\ " - signatures"\ " - sip"\ " - smb_files"\ " - smb_mapping"\ " - smtp"\ " - snmp"\ " - software"\ " - ssh"\ " - ssl"\ " - syslog"\ " - telnet"\ " - tunnel"\ " - weird"\ " - mysql"\ " - socks"\ " - x509" >> "$brologs_pillar" fi } check_admin_pass() { check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH" } check_hive_init_then_reboot() { local return_val return_val="$(wait_for_file /opt/so/state/thehive.txt 20 5)" if [ "$return_val" != 0 ]; then return "$return_val" fi docker stop so-thehive docker rm so-thehive shutdown -r now } check_network_manager_conf() { local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf" local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d" if test -f "$gmdconf"; then if ! test -f "${gmdconf}.bak"; then { mv "$gmdconf" "${gmdconf}.bak" touch "$gmdconf" systemctl restart NetworkManager } >> "$setup_log" 2>&1 fi fi if test -f "$nmconf"; then sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$setup_log" 2>&1 fi if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> "$setup_log" 2>&1 fi } # $1 => password # $2 => confirm password # $3 => variable to set check_pass_match() { local pass=$1 local confirm_pass=$2 local var=$3 if [ "$pass" = "$confirm_pass" ]; then eval "$var"="\"yes\"" else whiptail_passwords_dont_match fi } check_soremote_pass() { check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH" } check_web_pass() { check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH" } clear_master() { # Clear out the old master public key in case this is a re-install. # This only happens if you re-install the master. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then echo "Clearing old master key" >> "$setup_log" 2>&1 rm /etc/salt/pki/minion/minion_master.pub service salt-minion restart fi } collect_webuser_inputs() { # Get a password for the web admin user local VALIDUSER=no while [ $VALIDUSER != yes ]; do whiptail_create_web_user if so-user valemail "$WEBUSER"; then VALIDUSER=yes else whiptail_invalid_user_warning fi done WPMATCH=no while [ $WPMATCH != yes ]; do whiptail_create_web_user_password1 if echo "$WEBPASSWD1" | so-user valpass; then whiptail_create_web_user_password2 check_web_pass else whiptail_invalid_pass_warning fi done } # $1 => minion type configure_minion() { local minion_type=$1 echo "Configuring minion type as $minion_type" >> "$setup_log" 2>&1 echo "role: so-$minion_type" > /etc/salt/grains local minion_config=/etc/salt/minion echo "id: $MINION_ID" > "$minion_config" case "$minion_type" in 'helix') echo "master: $HOSTNAME" >> "$minion_config" ;; 'master' | 'eval' | 'mastersearch') printf '%s\n'\ "master: $HOSTNAME"\ "mysql.host: '$MAINIP'"\ "mysql.port: 3306"\ "mysql.user: 'root'" >> "$minion_config" if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config" else OLDPASS=$(grep "mysql" /opt/so/saltstack/pillar/secrets.sls | awk '{print $2}') echo "mysql.pass: '$OLDPASS'" >> "$minion_config" fi ;; *) echo "master: $MSRV" >> "$minion_config" ;; esac printf '%s\n'\ "use_superseded:"\ " - module.run" >> "$minion_config" service salt-minion restart echo "Enabling checkin at boot" >> "$setup_log" 2>&1 echo "startup_states: highstate" >> "$minion_config" } copy_master_config() { # Copy the master config template to the proper directory if [ "$INSTALLMETHOD" = 'iso' ]; then cp /root/SecurityOnion/files/master /etc/salt/master else cp "../files/master" /etc/salt/master fi # Restart the service so it picks up the changes systemctl restart salt-master } copy_minion_tmp_files() { case "$install_type" in 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH') echo "Copying pillar and salt files in $temp_install_dir to /opt/so/saltstack" cp -Rv "$temp_install_dir"/pillar/ /opt/so/saltstack/ >> "$setup_log" 2>&1 if [ -d "$temp_install_dir"/salt ] ; then cp -Rv "$temp_install_dir"/salt/ /opt/so/saltstack/ >> "$setup_log" 2>&1 fi ;; *) { echo "scp pillar and salt files in $temp_install_dir to master /opt/so/saltstack"; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar; ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/; scp -prv -i /root/.ssh/so.key "$temp_install_dir"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules; ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/salt/master/files/add_minion.sh "$MINION_ID"; } >> "$setup_log" 2>&1 ;; esac } copy_ssh_key() { echo "Generating SSH key" # Generate SSH key mkdir -p /root/.ssh ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh echo "Copying the SSH key to the master" #Copy the key over to the master ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV" } create_sensor_bond() { echo "Setting up sensor bond" >> "$setup_log" 2>&1 local nic_error=0 check_network_manager_conf >> "$setup_log" 2>&1 # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then MTU=1500 fi # Create the bond interface only if it doesn't already exist if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi for BNIC in "${BNICS[@]}"; do BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do if ethtool -k "$BONDNIC" | grep $string | grep -q "on [fixed]"; then echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$setup_log" 2>&1 nic_error=1 break fi done # Turn off various offloading settings for the interface for i in rx tx sg tso ufo gso gro lro; do ethtool -K "$BONDNIC" $i off >> "$setup_log" 2>&1 done # Check if the bond slave connection has already been created if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BONDNIC //p" | tr -d ' ') ]]; then # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$setup_log" 2>&1 fi nmcli con up "bond0-slave-$BONDNIC" >> "$setup_log" 2>&1 # Bring the slave interface up done if [ $nic_error != 0 ]; then return 1 fi } # keep ">> $setup_log" syntax detect_os() { # Detect Base OS echo "Detecting Base OS" >> "$setup_log" 2>&1 if [ -f /etc/redhat-release ]; then OS=centos if grep -q "CentOS Linux release 7" /etc/redhat-release; then OSVER=7 elif grep -q "CentOS Linux release 8" /etc/redhat-release; then OSVER=8 echo "We currently do not support CentOS $OSVER but we are working on it!" exit 1 else echo "We do not support the version of CentOS you are trying to use." exit 1 fi # Install bind-utils so the host command exists yum -y install bind-utils >> "$setup_log" 2>&1 elif [ -f /etc/os-release ]; then OS=ubuntu if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then OSVER=bionic elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then OSVER=xenial else echo "We do not support your current version of Ubuntu." exit 1 fi # Install network manager so we can do interface stuff { apt-get install -y network-manager; systemctl enable NetworkManager; systemctl start NetworkManager; } >> "$setup_log" 2<&1 else echo "We were unable to determine if you are using a supported OS." exit 1 fi echo "Found OS: $OS $OSVER" >> "$setup_log" 2>&1 } disable_onion_user() { # Disable the default account cause security. usermod -L onion } disable_misc_network_features() { for unused_nic in "${filtered_nics[@]}"; do # Disable DHCPv4/v6 and autoconnect nmcli con mod "$unused_nic" \ ipv4.method disabled \ ipv6.method ignore \ connection.autoconnect "no" >> "$setup_log" 2>&1 # Flush any existing IPs ip addr flush "$unused_nic" >> "$setup_log" 2>&1 done # Disable IPv6 { echo "net.ipv6.conf.all.disable_ipv6 = 1" echo "net.ipv6.conf.default.disable_ipv6 = 1" echo "net.ipv6.conf.lo.disable_ipv6 = 1" } >> /etc/sysctl.conf } docker_install() { if [ $OS = 'centos' ]; then yum clean expire-cache yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo yum -y update yum -y install docker-ce else case "$install_type" in 'MASTER' | 'EVAL') apt-get update >> "$setup_log" 2>&1 ;; *) { apt-key add "$temp_install_dir"/gpg/docker.pub; add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"; apt-get update; } >> "$setup_log" 2>&1 ;; esac if [ $OSVER != "xenial" ]; then apt-get -y install docker-ce python3-docker >> "$setup_log" 2>&1 else apt-get -y install docker-ce python-docker >> "$setup_log" 2>&1 fi fi docker_registry { echo "Restarting Docker"; systemctl restart docker; systemctl enable docker; } >> "$setup_log" 2>&1 } docker_registry() { echo "Setting up Docker Registry" >> "$setup_log" 2>&1 mkdir -p /etc/docker >> "$setup_log" 2>&1 # Make the host use the master docker registry printf '%s\n'\ "{"\ " \"registry-mirrors\": [\"https://$MSRV:5000\"]"\ "}" > /etc/docker/daemon.json echo "Docker Registry Setup - Complete" >> "$setup_log" 2>&1 } docker_seed_registry() { local VERSION="HH$so_version" if [ ! -f /nsm/docker-registry/docker/so-dockers-"$VERSION".tar ]; then local TRUSTED_CONTAINERS=(\ "so-core:$VERSION" \ "so-filebeat:$VERSION" \ "so-logstash:$VERSION" \ "so-idstools:$VERSION" \ "so-redis:$VERSION" \ "so-steno:$VERSION" \ "so-suricata:$VERSION" \ "so-telegraf:$VERSION" \ "so-zeek:$VERSION" ) if [ "$install_type" != 'HELIXSENSOR' ]; then TRUSTED_CONTAINERS=("${TRUSTED_CONTAINERS[@]}" \ "so-acng:$VERSION" \ "so-thehive-cortex:$VERSION" \ "so-curator:$VERSION" \ "so-domainstats:$VERSION" \ "so-elastalert:$VERSION" \ "so-elasticsearch:$VERSION" \ "so-fleet:$VERSION" \ "so-fleet-launcher:$VERSION" \ "so-freqserver:$VERSION" \ "so-grafana:$VERSION" \ "so-influxdb:$VERSION" \ "so-kibana:$VERSION" \ "so-mysql:$VERSION" \ "so-navigator:$VERSION" \ "so-playbook:$VERSION" \ "so-soc:$VERSION" \ "so-kratos:$VERSION" \ "so-soctopus:$VERSION" \ "so-thehive:$VERSION" \ "so-thehive-es:$VERSION" \ "so-wazuh:$VERSION" \ ) fi for i in "${TRUSTED_CONTAINERS[@]}"; do # Pull down the trusted docker image echo "Downloading $i" docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i" # Tag it with the new registry destination docker tag soshybridhunter/"$i" "$HOSTNAME":5000/soshybridhunter/"$i" docker push "$HOSTNAME":5000/soshybridhunter/"$i" done # Prune any images that aren't used by containers docker image prune -af else rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar fi } es_heapsize() { # Determine ES Heap Size if [ "$total_mem" -lt 8000 ] ; then ES_HEAP_SIZE="600m" elif [ "$total_mem" -ge 100000 ]; then # Set a max of 25GB for heap size # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html ES_HEAP_SIZE="25000m" else # Set heap size to 25% of available memory ES_HEAP_SIZE=$(( total_mem / 4 ))"m" fi } fireeye_pillar() { local fireeye_pillar_path=/opt/so/saltstack/pillar/fireeye mkdir -p "$fireeye_pillar_path" printf '%s\n'\ "fireeye:"\ " helix:"\ " api_key: $HELIXAPIKEY" "" > "$fireeye_pillar_path"/init.sls } fleet_pillar() { local pillar_file="$temp_install_dir"/pillar/minions/"$MINION_ID".sls # Create the fleet pillar printf '%s\n'\ "fleet:"\ " mainip: $MAINIP"\ " master: $MSRV"\ "" > "$pillar_file" } generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) FLEETPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) FLEETJWT=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) HIVEKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) CORTEXKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) CORTEXORGUSERKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) SENSORONIKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) KRATOSKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1) } get_main_ip() { # Get the main IP address the box is using # FIXME: find a way to get the ip of MNIC instead # Add some logic because Bubntu 18.04 like to be different if [ $OSVER = 'bionic' ]; then MAINIP=$(ip route get 1 | awk '{print $7;exit}') else MAINIP=$(ip route get 1 | awk '{print $NF;exit}') fi # FIXME: should MAININT be MNIC? MAININT=$(ip route get 1 | awk '{print $5;exit}') } get_redirect() { whiptail_set_redirect_info whiptail_set_redirect if [ "$REDIRECTINFO" = "OTHER" ]; then whiptail_set_redirect_host fi } got_root() { # Make sure you are root if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" exit 1 fi } install_cleanup() { echo "Installer removing the following files:" ls -lR "$temp_install_dir" # Clean up after ourselves rm -rf "$temp_install_dir" } # TODO: figure out if this is necessary install_master() { # Install the salt master package if [ $OS != 'centos' ]; then if [ $OSVER != "xenial" ]; then apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion else apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion fi fi copy_master_config } master_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls # Create the master pillar printf '%s\n'\ "master:"\ " mainip: $MAINIP"\ " esheap: $ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " freq: 0"\ " domainstats: 0" >> "$pillar_file" if [ "$install_type" = 'EVAL' ] || [ "$install_type" = 'HELIXSENSOR' ] || [ "$install_type" = 'MASTERSEARCH' ]; then printf '%s\n'\ " ls_pipeline_batch_size: 125"\ " ls_input_threads: 1"\ " ls_batch_count: 125"\ " mtu: $MTU" >> "$pillar_file" fi printf '%s\n'\ " lsheap: $LS_HEAP_SIZE"\ " lsaccessip: 127.0.0.1"\ " elastalert: 1"\ " ls_pipeline_workers: $CPUCORES"\ " nids_rules: $RULESETUP"\ " oinkcode: $OINKCODE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ " grafana: $GRAFANA"\ " osquery: $OSQUERY"\ " wazuh: $WAZUH"\ " thehive: $THEHIVE"\ " playbook: $PLAYBOOK"\ " strelka: $STRELKA"\ ""\ "kratos:" >> "$pillar_file" case $REDIRECTINFO in 'IP') REDIRECTIT="$MAINIP" ;; 'HOSTNAME') REDIRECTIT=$HOSTNAME ;; *) REDIRECTIT="$REDIRECTHOST" ;; esac printf '%s\n'\ " kratoskey: $KRATOSKEY"\ " redirect: $REDIRECTIT"\ "" >> "$pillar_file" } master_static() { local static_pillar="/opt/so/saltstack/pillar/static.sls" # Create a static file for global values printf '%s\n'\ "static:"\ " soversion: HH$so_version"\ " hnmaster: $HNMASTER"\ " ntpserver: $NTPSERVER"\ " proxy: $PROXY"\ " broversion: $BROVERSION"\ " ids: $NIDS"\ " masterip: $MAINIP"\ " hiveuser: hiveadmin"\ " hivepassword: hivechangeme"\ " hivekey: $HIVEKEY"\ " cortexuser: cortexadmin"\ " cortexpassword: cortexchangeme"\ " cortexkey: $CORTEXKEY"\ " cortexorgname: SecurityOnion"\ " cortexorguser: soadmin"\ " cortexorguserkey: $CORTEXORGUSERKEY"\ " fleet_master: False"\ " fleet_node: False"\ " fleet_packages-timestamp: N/A"\ " fleet_hostname: N/A"\ " fleet_ip: N/A"\ " sensoronikey: $SENSORONIKEY" " masterupdate: $MASTERUPDATES" > "$static_pillar" echo "elastic:" >> /opt/so/saltstack/pillar/static.sls echo " features: False" >> /opt/so/saltstack/pillar/static.sls } minio_generate_keys() { local charSet="[:graph:]" ACCESS_KEY=$(tr -cd "$charSet" < /dev/urandom | tr -d \' | tr -d \" | head -c 20) ACCESS_SECRET=$(tr -cd "$charSet" < /dev/urandom | tr -d \' | tr -d \" | head -c 40) } network_setup() { { echo "Finishing up network setup"; echo "... Verifying all network devices are managed by Network Manager"; check_network_manager_conf; echo "... Disabling unused NICs"; disable_misc_network_features; echo "... Setting ONBOOT for management interface"; if ! netplan > /dev/null 2>&1; then nmcli con mod "$MAININT" connection.autoconnect "yes"; fi echo "... Copying 99-so-checksum-offload-disable"; cp "$SCRIPTDIR"/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ; echo "... Modifying 99-so-checksum-offload-disable"; sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; } >> "$setup_log" 2>&1 } node_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls # Create the node pillar printf '%s\n'\ "node:"\ " mainip: $MAINIP"\ " mainint: $MAININT"\ " esheap: $NODE_ES_HEAP_SIZE"\ " esclustername: {{ grains.host }}"\ " lsheap: $NODE_LS_HEAP_SIZE"\ " ls_pipeline_workers: $LSPIPELINEWORKERS"\ " ls_pipeline_batch_size: $LSPIPELINEBATCH"\ " ls_input_threads: $LSINPUTTHREADS"\ " ls_batch_count: $LSINPUTBATCHCOUNT"\ " es_shard_count: $SHARDCOUNT"\ " node_type: $NODETYPE"\ " es_port: $node_es_port"\ " log_size_limit: $log_size_limit"\ " cur_close_days: $CURCLOSEDAYS"\ "" >> "$pillar_file" } patch_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls printf '%s\n'\ ""\ "patch:"\ " os:"\ " schedule_name: $PATCHSCHEDULENAME"\ " enabled: True"\ " splay: 300"\ "" >> "$pillar_file" } patch_schedule_os_new() { local OSPATCHSCHEDULEDIR="$temp_install_dir/salt/patch/os/schedules" local OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml" mkdir -p $OSPATCHSCHEDULEDIR printf '%s\n'\ "patch:"\ " os:"\ " schedule:"> "$OSPATCHSCHEDULE" for psd in "${PATCHSCHEDULEDAYS[@]}";do psd="${psd//\"/}" echo " - $psd:" >> "$OSPATCHSCHEDULE" for psh in "${PATCHSCHEDULEHOURS[@]}" do psh="${psh//\"/}" echo " - '$psh'" >> "$OSPATCHSCHEDULE" done done } reserve_group_ids() { # This is a hack to fix CentOS from taking group IDs that we need groupadd -g 928 kratos groupadd -g 930 elasticsearch groupadd -g 931 logstash groupadd -g 932 kibana groupadd -g 933 elastalert groupadd -g 934 curator groupadd -g 937 zeek groupadd -g 940 suricata groupadd -g 941 stenographer groupadd -g 945 ossec groupadd -g 946 cyberchef } saltify() { # Install updates and Salt if [ $OS = 'centos' ]; then case "$install_type" in 'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'FLEET') # FIXME: should this be separate? yum instal -y mariadb-devel ;; 'HELIXSENSOR') reserve_group_ids yum -y install epel-release yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo yum -y install sqlite3 argon2 curl jq openssl # Download Ubuntu Keys in case master updates = 1 mkdir -p /opt/so/gpg wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH cp "$./yum_repos/wazuh.repo" /etc/yum.repos.d/wazuh.repo yum -y install salt-master-2019.2.3 systemctl enable salt-master ;; *) if [ "$MASTERUPDATES" -eq 1 ]; then # Create the GPG Public Key for the Salt Repo cp "$./public_keys/salt.pem" /etc/pki/rpm-gpg/saltstack-signing-key # Add the Wazuh Key cp "$./public_keys/wazuh.pem" /etc/pki/rpm-gpg/GPG-KEY-WAZUH # Copy repo files over cp "$./yum_repos/salt-latest.repo" /etc/yum.repos.d/salt-latest.repo cp "$./yum_repos/salt-2019-2.repo" /etc/yum.repos.d/salt-2019-2.repo else yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-2019-2.repo sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo fi ;; esac cp "$./yum_repos/wazuh.repo" /etc/yum.repos.d/wazuh.repo yum clean expire-cache yum -y install epel-release\ salt-minion-2019.2.3\ python3\ python36-docker\ python36-dateutil\ python36-m2crypto\ python36-mysql\ yum-utils\ device-mapper-persistent-data\ lvm2\ openssl\ jq yum -y update exclude=salt* systemctl enable salt-minion echo "exclude=salt*" >> /etc/yum.conf else DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade if [ $OSVER != "xenial" ]; then # Switch to Python 3 as default if this is not xenial update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10 fi # Add the pre-requisites for installing docker-ce apt-get -y install ca-certificates\ curl\ software-properties-common\ apt-transport-https\ openssl\ jq >> "$setup_log" 2>&1 # Grab the version from the os-release file local ubuntu_version ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') case "$install_type" in 'FLEET') if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; 'MASTER' | 'EVAL' | 'MASTERSEARCH') # TODO: should this also be HELIXSENSOR? if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi # Add saltstack repo(s) wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/3000/SALTSTACK-GPG-KEY.pub | apt-key add - wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list # Add Docker repo curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" # Get gpg keys mkdir -p /opt/so/gpg wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - # Add repo echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list # Initialize the new repos apt-get update >> "$setup_log" 2>&1 # FIXME: Install salt-master on Ubuntu? apt-get -y install sqlite3 argon2 openssl >> "$setup_log" 2>&1 if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$setup_log" 2>&1; else apt-get -y install python-mysqldb >> "$setup_log" 2>&1; fi ;; *) # Copy down the gpg keys and install them from the master mkdir "$temp_install_dir"/gpg echo "scp the gpg keys and install them from the master" scp -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$temp_install_dir"/gpg echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" apt-key add "$temp_install_dir"/gpg/SALTSTACK-GPG-KEY.pub apt-key add "$temp_install_dir"/gpg/GPG-KEY-WAZUH echo "deb http://repo.saltstack.com/apt/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list ;; esac apt-get update >> "$setup_log" 2>&1 apt-get -y install salt-minion=2019.2.3+ds-1\ salt-common=2019.2.3+ds-1 >> "$setup_log" 2>&1 apt-mark hold salt-minion salt-common if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-dateutil python3-m2crypto >> "$setup_log" 2>&1; else apt-get -y install python-dateutil python-m2crypto >> "$setup_log" 2>&1; fi fi } salt_checkin() { case "$install_type" in 'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH') # Fix Mine usage { echo "Building Certificate Authority"; salt-call state.apply ca; echo " *** Restarting Salt to fix any SSL errors. ***"; service salt-master restart; sleep 5; service salt-minion restart; sleep 15; echo " Applyng a mine hack"; salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt; echo " Applying SSL state"; salt-call state.apply ssl; } >> "$setup_log" 2>&1 ;; *) salt-call state.apply ca >> "$setup_log" 2>&1 salt-call state.apply ssl >> "$setup_log" 2>&1 ;; esac } # FIXME: should this be a function? salt_firstcheckin() { #First Checkin salt-call state.highstate >> "$setup_log" 2>&1 } setup_salt_master_dirs() { # Create salt paster directories mkdir -p /opt/so/saltstack/salt mkdir -p /opt/so/saltstack/pillar # Copy over the salt code and templates if [ "$INSTALLMETHOD" = 'iso' ]; then rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ else cp -R ../pillar/* /opt/so/saltstack/pillar/ cp -R ../salt/* /opt/so/saltstack/salt/ fi echo "Chown the salt dirs on the master for socore" >> "$setup_log" 2>&1 chown -R socore:socore /opt/so } sensor_pillar() { local pillar_file=$temp_install_dir/pillar/minions/$MINION_ID.sls # Create the sensor pillar printf '%s\n'\ "sensor"\ " interface: bond0"\ " mainip: $MAINIP"\ " mainint: $MAININT" > "$pillar_file" if [ "$NSMSETUP" = 'ADVANCED' ]; then echo " bro_pins:" >> "$pillar_file" for PIN in $BROPINS; do PIN=$(echo "$PIN" | cut -d\" -f2) echo " - $PIN" >> "$pillar_file" done echo " suripins:" >> "$pillar_file" for SPIN in $SURIPINS; do SPIN=$(echo "$SPIN" | cut -d\" -f2) echo " - $SPIN" >> "$pillar_file" done elif [ "$install_type" = 'HELIXSENSOR' ]; then echo " bro_lbprocs: $lb_procs" >> "$pillar_file" echo " suriprocs: $lb_procs" >> "$pillar_file" else echo " bro_lbprocs: $BASICBRO" >> "$pillar_file" echo " suriprocs: $BASICSURI" >> "$pillar_file" fi printf '%s\n'\ " brobpf:"\ " pcapbpf:"\ " nidsbpf:"\ " master: $MSRV"\ " mtu: $MTU"\ " uniqueid: $(date '+%s')" >> "$pillar_file" if [ "$home_network_sensor" != 'inherit' ]; then echo " home_network_sensor: $home_network_sensor" >> "$pillar_file" fi printf '%s\n'\ " access_key: $ACCESS_KEY"\ " access_secret: $ACCESS_SECRET"\ "" >> "$pillar_file" } set_hostname() { set_hostname_iso HOSTNAME=$(cat /etc/hostname) if [[ ! $install_type =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then if ! grep -q "$MSRVIP" /etc/hosts; then echo "$MSRVIP $MSRV" >> /etc/hosts fi fi fi } set_hostname_iso() { hostnamectl set-hostname --static "$HOSTNAME" echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo "$HOSTNAME" > /etc/hostname } set_initial_firewall_policy() { get_main_ip case "$install_type" in 'MASTER') printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls /opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" ;; 'EVAL' | 'MASTERSEARCH') printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\ /opt/so/saltstack/pillar/firewall/masterfw.sls\ /opt/so/saltstack/pillar/firewall/forward_nodes.sls\ /opt/so/saltstack/pillar/firewall/search_nodes.sls case "$install_type" in 'EVAL') /opt/so/saltstack/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" bond0 ;; 'MASTERSEARCH') /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" ;; esac ;; 'HELIXSENSOR') printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\ /opt/so/saltstack/pillar/firewall/masterfw.sls\ /opt/so/saltstack/pillar/firewall/forward_nodes.sls ;; 'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions "$MAINIP" case "$INSTALLERTYPE" in 'SENSOR') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" bond0 ;; 'SEARCHNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" ;; 'HEAVYNODE') ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP" ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" bond0 ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$random_uid" "$MAININT" "$FSROOT" "$FSNSM" ;; esac ;; 'PARSINGNODE') # TODO: implement ;; 'HOTNODE') # TODO: implement ;; 'WARMNODE') # TODO: implement ;; esac } # Set up the management interface on the ISO set_management_interface() { if [ "$ADDRESSTYPE" = 'DHCP' ]; then nmcli con mod "$MNIC" connection.autoconnect yes nmcli con up "$MNIC" else # Set Static IP nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\ ipv4.gateway "$MGATEWAY" \ ipv4.dns "$MDNS"\ ipv4.dns-search "$MSEARCH"\ connection.autoconnect yes\ ipv4.method manual nmcli con up "$MNIC" fi } set_node_type() { case "$install_type" in 'SEARCHNODE' | 'EVAL' | 'MASTERSEARCH' | 'HEAVYNODE') NODETYPE='search' ;; 'PARSINGNODE') NODETYPE='parser' ;; 'HOTNODE') NODETYPE='hot' ;; 'WARMNODE') NODETYPE='warm' ;; esac } set_updates() { if [ "$MASTERUPDATES" -eq 1 ]; then if [ "$OS" = 'centos' ]; then if ! grep -q "$MSRV" /etc/yum.conf; then echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi else # Set it up so the updates roll through the master printf '%s\n'\ "Acquire::http::Proxy \"http://$MSRV:3142\";"\ "Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy fi fi } # FIXME: should this be a function? set_version() { # Drop a file with the current version echo "$so_version" > /etc/soversion } update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then # Update Sudoers so that soremote can accept keys without a password echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/salt/master/files/add_minion.sh" | tee -a /etc/sudoers else echo "User soremote already granted sudo privileges" fi }