#!/bin/bash # Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . SCRIPTDIR=$(dirname "$0") source $SCRIPTDIR/so-whiptail SOVERSION=1.2.1 accept_salt_key_local() { echo "Accept the key locally on the master" >> $SETUPLOG 2>&1 # Accept the key locally on the master salt-key -ya $MINION_ID } accept_salt_key_remote() { echo "Accept the key remotely on the master" >> $SETUPLOG 2>&1 # Delete the key just in case. ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -d $MINION_ID -y salt-call state.apply ca ssh -i /root/.ssh/so.key soremote@$MSRV sudo salt-key -a $MINION_ID -y } add_admin_user() { # Add an admin user with full sudo rights if this is an ISO install. useradd $ADMINUSER && echo $ADMINUSER:$ADMINPASS1 | chpasswd --crypt-method=SHA512 usermod -aG wheel $ADMINUSER } add_master_hostfile() { echo "Checking if I can resolve master. If not add to hosts file" >> $SETUPLOG 2>&1 # Pop up an input to get the IP address MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \ "Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3) local exitstatus=$? whiptail_check_exitstatus $exitstatus } add_socore_user_master() { echo "Add socore on the master" >>~/sosetup.log 2>&1 # Add user "socore" to the master. This will be for things like accepting keys. if [ $OS == 'centos' ]; then local ADDUSER=adduser else local ADDUSER=useradd fi groupadd --gid 939 socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so socore } add_soremote_user_master() { echo "Add soremote on the master" >>~/sosetup.log 2>&1 # Add user "soremote" to the master. This will be for things like accepting keys. if [ $OS == 'centos' ]; then local ADDUSER=adduser else local ADDUSER=useradd fi groupadd --gid 947 soremote $ADDUSER --uid 947 --gid 947 soremote # Set the password for soremote that we got during setup echo soremote:$SOREMOTEPASS1 | chpasswd --crypt-method=SHA512 } add_socore_user_notmaster() { echo "Add socore user on non master" >> $SETUPLOG 2>&1 # Add socore user to the non master system. Probably not a bad idea to make system user groupadd --gid 939 socore $ADDUSER --uid 939 --gid 939 --home-dir /opt/so --no-create-home socore } wait_for_identity_db_to_exist() { MAXATTEMPTS=30 attempts=0 while [[ $attempts -lt $MAXATTEMPTS ]]; do # Check and see if the DB file is in there if [ -f /opt/so/conf/kratos/db/db.sqlite ]; then echo "Database file exists at $(date)" attempts=$MAXATTEMPTS else echo "Identity database does not yet exist; waiting 5 seconds and will check again ($attempts/$MAXATTEMPTS)..." sleep 5 attempts=$((attempts+1)) fi done } add_web_user() { wait_for_identity_db_to_exist echo "Attempting to add administrator user for web interface..." echo "$WEBPASSWD1" | /usr/sbin/so-user add $WEBUSER echo "Add user result: $?" } # Create an secrets pillar so that passwords survive re-install secrets_pillar(){ if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then echo "Creating Secrets Pillar" >> $SETUPLOG 2>&1 mkdir -p /opt/so/saltstack/pillar echo "secrets:" >> /opt/so/saltstack/pillar/secrets.sls echo " mysql: $MYSQLPASS" >> /opt/so/saltstack/pillar/secrets.sls echo " fleet: $FLEETPASS" >> /opt/so/saltstack/pillar/secrets.sls echo " fleet_jwt: $FLEETJWT" >> /opt/so/saltstack/pillar/secrets.sls echo " fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/secrets.sls fi } # Enable Bro Logs bro_logs_enabled() { echo "Enabling Bro Logs" >> $SETUPLOG 2>&1 echo "brologs:" > pillar/brologs.sls echo " enabled:" >> pillar/brologs.sls if [ $MASTERADV == 'ADVANCED' ]; then for BLOG in ${BLOGS[@]}; do echo " - $BLOG" | tr -d '"' >> pillar/brologs.sls done else echo " - conn" >> pillar/brologs.sls echo " - dce_rpc" >> pillar/brologs.sls echo " - dhcp" >> pillar/brologs.sls echo " - dhcpv6" >> pillar/brologs.sls echo " - dnp3" >> pillar/brologs.sls echo " - dns" >> pillar/brologs.sls echo " - dpd" >> pillar/brologs.sls echo " - files" >> pillar/brologs.sls echo " - ftp" >> pillar/brologs.sls echo " - http" >> pillar/brologs.sls echo " - intel" >> pillar/brologs.sls echo " - irc" >> pillar/brologs.sls echo " - kerberos" >> pillar/brologs.sls echo " - modbus" >> pillar/brologs.sls echo " - mqtt" >> pillar/brologs.sls echo " - notice" >> pillar/brologs.sls echo " - ntlm" >> pillar/brologs.sls echo " - openvpn" >> pillar/brologs.sls echo " - pe" >> pillar/brologs.sls echo " - radius" >> pillar/brologs.sls echo " - rfb" >> pillar/brologs.sls echo " - rdp" >> pillar/brologs.sls echo " - signatures" >> pillar/brologs.sls echo " - sip" >> pillar/brologs.sls echo " - smb_files" >> pillar/brologs.sls echo " - smb_mapping" >> pillar/brologs.sls echo " - smtp" >> pillar/brologs.sls echo " - snmp" >> pillar/brologs.sls echo " - software" >> pillar/brologs.sls echo " - ssh" >> pillar/brologs.sls echo " - ssl" >> pillar/brologs.sls echo " - syslog" >> pillar/brologs.sls echo " - telnet" >> pillar/brologs.sls echo " - tunnel" >> pillar/brologs.sls echo " - weird" >> pillar/brologs.sls echo " - mysql" >> pillar/brologs.sls echo " - socks" >> pillar/brologs.sls echo " - x509" >> pillar/brologs.sls fi } calculate_useable_cores() { # Calculate reasonable core usage local CORES4BRO=$(( $CPUCORES/2 - 1 )) LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO) # We don't want it to be 0 if [ "$LBPROCSROUND" -lt 1 ]; then LBPROCS=1 else LBPROCS=$LBPROCSROUND fi } check_admin_pass() { if [ $ADMINPASS1 == $ADMINPASS2 ]; then APMATCH=yes else whiptail_passwords_dont_match fi } check_hive_init_then_reboot() { WAIT_STEP=0 MAX_WAIT=100 until [ -f /opt/so/state/thehive.txt ] ; do WAIT_STEP=$(( ${WAIT_STEP} + 1 )) echo "Waiting on the_hive to init...Attempt #$WAIT_STEP" if [ ${WAIT_STEP} -gt ${MAX_WAIT} ]; then echo "ERROR: We waited ${MAX_WAIT} seconds but the_hive is not working." exit 5 fi sleep 1s; done docker stop so-thehive docker rm so-thehive shutdown -r now } check_network_manager_conf() { local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf" local nmconf="/etc/NetworkManager/NetworkManager.conf" local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d" if test -f "$gmdconf"; then if ! test -f "${gmdconf}.bak"; then { mv "$gmdconf" "${gmdconf}.bak" touch "$gmdconf" systemctl restart NetworkManager } >> "$SETUPLOG" 2>&1 fi fi if test -f "$nmconf"; then sed -i 's/managed=false/managed=true/g' "$nmconf" >> $SETUPLOG 2>&1 fi if [[ ! -d "$preupdir" ]]; then mkdir "$preupdir" >> $SETUPLOG 2>&1 fi } check_soremote_pass() { if [ $SOREMOTEPASS1 == $SOREMOTEPASS2 ]; then SCMATCH=yes else whiptail_passwords_dont_match fi } check_web_pass() { if [ $WEBPASSWD1 == $WEBPASSWD2 ]; then WPMATCH=yes else whiptail_passwords_dont_match fi } checkin_at_boot() { echo "Enabling checkin at boot" >> $SETUPLOG 2>&1 echo "startup_states: highstate" >> /etc/salt/minion } chown_salt_master() { echo "Chown the salt dirs on the master for socore" >> $SETUPLOG 2>&1 chown -R socore:socore /opt/so } clear_master() { # Clear out the old master public key in case this is a re-install. # This only happens if you re-install the master. if [ -f /etc/salt/pki/minion/minion_master.pub ]; then echo "Clearing old master key" >> $SETUPLOG 2>&1 rm /etc/salt/pki/minion/minion_master.pub service salt-minion restart fi } configure_minion() { # You have to pass the TYPE to this function so it knows if its a master or not local TYPE=$1 echo "Configuring minion type as $TYPE" >> $SETUPLOG 2>&1 touch /etc/salt/grains echo "role: so-$TYPE" > /etc/salt/grains if [ $TYPE == 'master' ] || [ $TYPE == 'eval' ] || [ $TYPE == 'mastersearch' ]; then echo "master: $HOSTNAME" > /etc/salt/minion echo "id: $MINION_ID" >> /etc/salt/minion echo "mysql.host: '$MAINIP'" >> /etc/salt/minion echo "mysql.port: 3306" >> /etc/salt/minion echo "mysql.user: 'root'" >> /etc/salt/minion if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then echo "mysql.pass: '$MYSQLPASS'" >> /etc/salt/minion else OLDPASS=$(cat /opt/so/saltstack/pillar/secrets.sls | grep mysql | awk {'print $2'}) echo "mysql.pass: '$OLDPASS'" >> /etc/salt/minion fi elif [ $TYPE == 'helix' ]; then echo "master: $HOSTNAME" > /etc/salt/minion echo "id: $MINION_ID" >> /etc/salt/minion elif [ $TYPE == 'fleet' ]; then echo "master: $MSRV" > /etc/salt/minion echo "id: $MINION_ID" >> /etc/salt/minion else echo "master: $MSRV" > /etc/salt/minion echo "id: $MINION_ID" >> /etc/salt/minion fi echo "use_superseded:" >> /etc/salt/minion echo " - module.run" >> /etc/salt/minion echo "log_file: /opt/so/log/salt/minion" >> /etc/salt/minion service salt-minion restart } copy_master_config() { # Copy the master config template to the proper directory if [ $INSTALLMETHOD == 'iso' ]; then cp /root/SecurityOnion/files/master /etc/salt/master else cp $SCRIPTDIR/../files/master /etc/salt/master fi # Restart the service so it picks up the changes -TODO Enable service on CentOS service salt-master restart } copy_minion_tmp_files() { if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then echo "Copying pillar and salt files in $TMP to /opt/so/saltstack" cp -Rv $TMP/pillar/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 if [ -d $TMP/salt ] ; then cp -Rv $TMP/salt/ /opt/so/saltstack/ >> $SETUPLOG 2>&1 fi else echo "scp pillar and salt files in $TMP to master /opt/so/saltstack" ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/pillar >> $SETUPLOG 2>&1 ssh -i /root/.ssh/so.key soremote@$MSRV mkdir -p /tmp/$MINION_ID/schedules >> $SETUPLOG 2>&1 scp -prv -i /root/.ssh/so.key $TMP/pillar/minions/* soremote@$MSRV:/tmp/$MINION_ID/pillar/ >> $SETUPLOG 2>&1 scp -prv -i /root/.ssh/so.key $TMP/salt/patch/os/schedules/* soremote@$MSRV:/tmp/$MINION_ID/schedules >> $SETUPLOG 2>&1 ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/salt/master/files/add_minion.sh $MINION_ID >> $SETUPLOG 2>&1 fi } copy_ssh_key() { echo "Generating SSH key" # Generate SSH key mkdir -p /root/.ssh cat /dev/zero | ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" chown -R $SUDO_USER:$SUDO_USER /root/.ssh echo "Copying the SSH key to the master" #Copy the key over to the master ssh-copy-id -f -i /root/.ssh/so.key soremote@$MSRV } create_sensor_bond() { echo "Setting up sensor bond" >> $SETUPLOG 2>&1 local nic_error=0 check_network_manager_conf >> $SETUPLOG 2>&1 # Set the MTU if [[ $NSMSETUP != 'ADVANCED' ]]; then MTU=1500 fi # Create the bond interface only if it doesn't already exist if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \ ipv4.method disabled \ ipv6.method ignore \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$SETUPLOG" 2>&1 fi for BNIC in ${BNICS[@]}; do BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do if ethtool -k "$BONDNIC" | grep $string | grep -q "on [fixed]"; then echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$SETUPLOG" 2>&1 nic_error=1 break fi done # Turn off various offloading settings for the interface for i in rx tx sg tso ufo gso gro lro; do ethtool -K $BONDNIC $i off >> $SETUPLOG 2>&1 done # Check if the bond slave connection has already been created if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BONDNIC //p" | tr -d ' ') ]]; then # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \ ethernet.mtu $MTU \ connection.autoconnect "yes" >> "$SETUPLOG" 2>&1 fi nmcli con up "bond0-slave-$BONDNIC" >> "$SETUPLOG" 2>&1 # Bring the slave interface up done if [ $nic_error != 0 ]; then return 1 fi } detect_os() { # Detect Base OS echo "Detecting Base OS" >> $SETUPLOG 2>&1 if [ -f /etc/redhat-release ]; then OS=centos if grep -q "CentOS Linux release 7" /etc/redhat-release; then OSVER=7 elif grep -q "CentOS Linux release 8" /etc/redhat-release; then OSVER=8 echo "We currently do not support CentOS $OSVER but we are working on it!" exit else echo "We do not support the version of CentOS you are trying to use" exit fi # Install bind-utils so the host command exists yum -y install bind-utils elif [ -f /etc/os-release ]; then OS=ubuntu if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then OSVER=bionic elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then OSVER=xenial else echo "We do not support your current version of Ubuntu" exit fi # Install network manager so we can do interface stuff apt-get install -y network-manager /bin/systemctl enable NetworkManager /bin/systemctl start NetworkManager else echo "We were unable to determine if you are using a supported OS." >> $SETUPLOG 2>&1 exit fi echo "Found OS: $OS $OSVER" >> $SETUPLOG 2>&1 } #disable_dnsmasq() { # if [ -f /etc/NetworkManager/NetworkManager.conf ]; then # echo "Disabling dnsmasq in /etc/NetworkManager/NetworkManager.conf" # sed -e 's/^dns=dnsmasq/#dns=dnsmasq/g' -i /etc/NetworkManager/NetworkManager.conf # fi #} disable_onion_user() { # Disable the default account cause security. usermod -L onion } disable_misc_network_features() { for UNUSED_NIC in ${FNICS[@]}; do # Disable DHCPv4/v6 and autoconnect nmcli con mod "$UNUSED_NIC" \ ipv4.method disabled \ ipv6.method ignore \ connection.autoconnect "no" >> $SETUPLOG 2>&1 # Flush any existing IPs ip addr flush "$UNUSED_NIC" >> "$SETUPLOG" 2>&1 done # Disable IPv6 { echo "net.ipv6.conf.all.disable_ipv6 = 1" echo "net.ipv6.conf.default.disable_ipv6 = 1" echo "net.ipv6.conf.lo.disable_ipv6 = 1" } >> /etc/sysctl.conf } docker_install() { if [ $OS == 'centos' ]; then yum clean expire-cache yum -y install yum-utils device-mapper-persistent-data lvm2 openssl yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo yum -y update yum -y install docker-ce python36-docker if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then docker_registry echo "Restarting Docker" >> $SETUPLOG 2>&1 systemctl restart docker systemctl enable docker else docker_registry echo "Restarting Docker" >> $SETUPLOG 2>&1 systemctl restart docker systemctl enable docker fi else if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ]; then apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1 else apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1 fi docker_registry >> $SETUPLOG 2>&1 echo "Restarting Docker" >> $SETUPLOG 2>&1 systemctl restart docker >> $SETUPLOG 2>&1 else apt-key add $TMP/gpg/docker.pub >> $SETUPLOG 2>&1 add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" >> $SETUPLOG 2>&1 apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then apt-get -y install docker-ce python3-docker >> $SETUPLOG 2>&1 else apt-get -y install docker-ce python-docker >> $SETUPLOG 2>&1 fi docker_registry >> $SETUPLOG 2>&1 echo "Restarting Docker" >> $SETUPLOG 2>&1 systemctl restart docker >> $SETUPLOG 2>&1 fi fi } docker_registry() { echo "Setting up Docker Registry" >> $SETUPLOG 2>&1 mkdir -p /etc/docker >> $SETUPLOG 2>&1 # Make the host use the master docker registry echo "{" > /etc/docker/daemon.json echo " \"registry-mirrors\": [\"https://$MSRV:5000\"]" >> /etc/docker/daemon.json echo "}" >> /etc/docker/daemon.json echo "Docker Registry Setup - Complete" >> $SETUPLOG 2>&1 } docker_seed_registry() { VERSION="HH$SOVERSION" if [ $INSTALLTYPE != 'HELIXSENSOR' ]; then TRUSTED_CONTAINERS=( \ "so-acng:$VERSION" \ "so-core:$VERSION" \ "so-thehive-cortex:$VERSION" \ "so-curator:$VERSION" \ "so-domainstats:$VERSION" \ "so-elastalert:$VERSION" \ "so-elasticsearch:$VERSION" \ "so-filebeat:$VERSION" \ "so-fleet:$VERSION" \ "so-fleet-launcher:$VERSION" \ "so-freqserver:$VERSION" \ "so-grafana:$VERSION" \ "so-idstools:$VERSION" \ "so-influxdb:$VERSION" \ "so-kibana:$VERSION" \ "so-logstash:$VERSION" \ "so-mysql:$VERSION" \ "so-navigator:$VERSION" \ "so-playbook:$VERSION" \ "so-redis:$VERSION" \ "so-soc:$VERSION" \ "so-kratos:$VERSION" \ "so-soctopus:$VERSION" \ "so-steno:$VERSION" \ #"so-strelka:$VERSION" \ "so-suricata:$VERSION" \ "so-telegraf:$VERSION" \ "so-thehive:$VERSION" \ "so-thehive-es:$VERSION" \ "so-wazuh:$VERSION" \ "so-zeek:$VERSION" ) else TRUSTED_CONTAINERS=( \ "so-core:$VERSION" \ "so-filebeat:$VERSION" \ "so-idstools:$VERSION" \ "so-logstash:$VERSION" \ "so-redis:$VERSION" \ #"so-sensoroni:$VERSION" \ "so-steno:$VERSION" \ "so-suricata:$VERSION" \ "so-telegraf:$VERSION" \ "so-zeek:$VERSION" ) fi if [ ! -f /nsm/docker-registry/docker/so-dockers-$VERSION.tar ]; then # Download the container from the interwebs for i in "${TRUSTED_CONTAINERS[@]}" do # Pull down the trusted docker image echo "Downloading $i" docker pull --disable-content-trust=false docker.io/soshybridhunter/$i # Tag it with the new registry destination docker tag soshybridhunter/$i $HOSTNAME:5000/soshybridhunter/$i docker push $HOSTNAME:5000/soshybridhunter/$i done for i in "${TRUSTED_CONTAINERS[@]}" do echo "Removing $i locally" docker rmi soshybridhunter/$i done else # We already have the goods son rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar fi } es_heapsize() { # Determine ES Heap Size if [ $TOTAL_MEM -lt 8000 ] ; then ES_HEAP_SIZE="600m" elif [ $TOTAL_MEM -ge 100000 ]; then # Set a max of 25GB for heap size # https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html ES_HEAP_SIZE="25000m" else # Set heap size to 25% of available memory ES_HEAP_SIZE=$(($TOTAL_MEM / 4))"m" fi } filter_unused_nics() { # Set the main NIC as the default grep search string grep_string=$MNIC # If we call this function and NICs have already been assigned to the bond interface then add them to the grep search string if [[ $BNICS ]]; then for BONDNIC in ${BNICS[@]}; do grep_string="$grep_string\|$BONDNIC" done fi # Finally, set FNICS to any NICs we aren't using (and ignore interfaces that aren't of use) FNICS=$(ip link | grep -vwe $grep_string | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}') } fireeye_pillar() { FIREEYEPILLARPATH=/opt/so/saltstack/pillar/fireeye mkdir -p $FIREEYEPILLARPATH echo "" >> $FIREEYEPILLARPATH/init.sls echo "fireeye:" >> $FIREEYEPILLARPATH/init.sls echo " helix:" >> $FIREEYEPILLARPATH/init.sls echo " api_key: $HELIXAPIKEY" >> $FIREEYEPILLARPATH/init.sls } fleet_pillar() { PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls # Create the fleet pillar touch $PILLARFILE echo "fleet:" >> $PILLARFILE echo " mainip: $MAINIP" >> $PILLARFILE echo " master: $MSRV" >> $PILLARFILE echo "" >> $PILLARFILE } generate_passwords(){ # Generate Random Passwords for Things MYSQLPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETPASS=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) FLEETJWT=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) HIVEKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) CORTEXKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) CORTEXORGUSERKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) SENSORONIKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) KRATOSKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 20 | head -n 1) } get_filesystem_nsm(){ FSNSM=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') } get_log_size_limit() { case $INSTALLTYPE in EVAL | HEAVYNODE) PERCENTAGE=50 ;; *) PERCENTAGE=80 ;; esac DISK_DIR="/" if [ -d /nsm ]; then DISK_DIR="/nsm" fi DISK_SIZE_K=`df $DISK_DIR |grep -v "^Filesystem" | awk '{print $2}'` DISK_SIZE=DISK_SIZE_K*1000 PERCENTAGE_DISK_SPACE=`echo $(($DISK_SIZE*$PERCENTAGE/100))` LOG_SIZE_LIMIT=$(($PERCENTAGE_DISK_SPACE/1000000000)) } get_filesystem_root(){ FSROOT=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }') } get_main_ip() { # Get the main IP address the box is using # Add some logic because Bubntu 18.04 like to be different if [ $OSVER == 'bionic' ]; then MAINIP=$(ip route get 1 | awk '{print $7;exit}') else MAINIP=$(ip route get 1 | awk '{print $NF;exit}') fi MAININT=$(ip route get 1 | awk '{print $5;exit}') } get_redirect() { whiptail_set_redirect_info whiptail_set_redirect if [ "$REDIRECTINFO" == "OTHER" ]; then whiptail_set_redirect_host fi } got_root() { # Make sure you are root if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" exit 1 fi } install_cleanup() { echo "install_cleanup removing the following files:" ls -lR $TMP # Clean up after ourselves rm -rf /root/installtmp } install_prep() { # Create a tmp space that isn't in /tmp mkdir /root/installtmp mkdir /root/installtmp/pillar mkdir /root/installtmp/pillar/minions TMP=/root/installtmp } install_master() { # Install the salt master package if [ $OS == 'centos' ]; then #yum -y install wget salt-common salt-master python36-mysql python36-dateutil python36-m2crypto >> $SETUPLOG 2>&1 echo "" # Create a place for the keys for Ubuntu minions #mkdir -p /opt/so/gpg #wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub #wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg #wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH else if [ $OSVER != "xenial" ]; then apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion else apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto apt-mark hold salt-common salt-master salt-minion fi fi copy_master_config } ls_heapsize() { # Determine LS Heap Size if [ $TOTAL_MEM -ge 32000 ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ]; then LS_HEAP_SIZE="1000m" elif [ $INSTALLTYPE == 'EVAL' ]; then LS_HEAP_SIZE="700m" else # If minimal RAM, then set minimal heap LS_HEAP_SIZE="500m" fi } master_pillar() { PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls # Create the master pillar echo "master:" >> $PILLARFILE echo " mainip: $MAINIP" >> $PILLARFILE echo " mainint: $MAININT" >> $PILLARFILE echo " esheap: $ES_HEAP_SIZE" >> $PILLARFILE echo " esclustername: {{ grains.host }}" >> $PILLARFILE if [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then echo " freq: 0" >> $PILLARFILE echo " domainstats: 0" >> $PILLARFILE echo " ls_pipeline_batch_size: 125" >> $PILLARFILE echo " ls_input_threads: 1" >> $PILLARFILE echo " ls_batch_count: 125" >> $PILLARFILE echo " mtu: 1500" >> $PILLARFILE else echo " freq: 0" >> $PILLARFILE echo " domainstats: 0" >> $PILLARFILE fi echo " lsheap: $LS_HEAP_SIZE" >> $PILLARFILE echo " lsaccessip: 127.0.0.1" >> $PILLARFILE echo " elastalert: 1" >> $PILLARFILE echo " ls_pipeline_workers: $CPUCORES" >> $PILLARFILE echo " nids_rules: $RULESETUP" >> $PILLARFILE echo " oinkcode: $OINKCODE" >> $PILLARFILE #echo " access_key: $ACCESS_KEY" >> $PILLARFILE #echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE echo " es_port: $NODE_ES_PORT" >> $PILLARFILE echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE #echo " mysqlpass: $MYSQLPASS" >> $PILLARFILE #echo " fleetpass: $FLEETPASS" >> $PILLARFILE echo " grafana: $GRAFANA" >> $PILLARFILE echo " osquery: $OSQUERY" >> $PILLARFILE echo " thehive: $THEHIVE" >> $PILLARFILE echo " playbook: $PLAYBOOK" >> $PILLARFILE echo "" >> $PILLARFILE echo "kratos:" >> $PILLARFILE if [[ $REDIRECTINFO == 'OTHER' ]]; then REDIRECTIT=$REDIRECT elif [[ $REDIRECTINFO == 'IP' ]]; then REDIRECTIT=$MAINIP elif [[ $REDIRECTINFO == 'HOSTNAME' ]]; then REDIRECTIT=$HOSTNAME fi echo " kratoskey: $KRATOSKEY" >> $PILLARFILE echo " redirect: $REDIRECTIT" >> $PILLARFILE echo "" >> $PILLARFILE } master_static() { # Create a static file for global values touch /opt/so/saltstack/pillar/static.sls echo "static:" > /opt/so/saltstack/pillar/static.sls echo " soversion: HH$SOVERSION" >> /opt/so/saltstack/pillar/static.sls echo " hnmaster: $HNMASTER" >> /opt/so/saltstack/pillar/static.sls echo " ntpserver: $NTPSERVER" >> /opt/so/saltstack/pillar/static.sls echo " proxy: $PROXY" >> /opt/so/saltstack/pillar/static.sls echo " broversion: $BROVERSION" >> /opt/so/saltstack/pillar/static.sls echo " ids: $NIDS" >> /opt/so/saltstack/pillar/static.sls echo " masterip: $MAINIP" >> /opt/so/saltstack/pillar/static.sls echo " hiveuser: hiveadmin" >> /opt/so/saltstack/pillar/static.sls echo " hivepassword: hivechangeme" >> /opt/so/saltstack/pillar/static.sls echo " hivekey: $HIVEKEY" >> /opt/so/saltstack/pillar/static.sls echo " cortexuser: cortexadmin" >> /opt/so/saltstack/pillar/static.sls echo " cortexpassword: cortexchangeme" >> /opt/so/saltstack/pillar/static.sls echo " cortexkey: $CORTEXKEY" >> /opt/so/saltstack/pillar/static.sls echo " cortexorgname: SecurityOnion" >> /opt/so/saltstack/pillar/static.sls echo " cortexorguser: soadmin" >> /opt/so/saltstack/pillar/static.sls echo " cortexorguserkey: $CORTEXORGUSERKEY" >> /opt/so/saltstack/pillar/static.sls echo " fleet_master: False" >> /opt/so/saltstack/pillar/static.sls echo " fleet_node: False" >> /opt/so/saltstack/pillar/static.sls echo " fleet_packages-timestamp: N/A" >> /opt/so/saltstack/pillar/static.sls echo " fleet_hostname: N/A" >> /opt/so/saltstack/pillar/static.sls echo " fleet_ip: N/A" >> /opt/so/saltstack/pillar/static.sls echo " sensoronikey: $SENSORONIKEY" >> /opt/so/saltstack/pillar/static.sls echo " strelka: $STRELKA" >> /opt/so/saltstack/pillar/static.sls echo " wazuh: $WAZUH" >> /opt/so/saltstack/pillar/static.sls if [[ $MASTERUPDATES == 'MASTER' ]]; then echo " masterupdate: 1" >> /opt/so/saltstack/pillar/static.sls else echo " masterupdate: 0" >> /opt/so/saltstack/pillar/static.sls fi echo "elastic:" >> /opt/so/saltstack/pillar/static.sls echo " features: False" >> /opt/so/saltstack/pillar/static.sls } minio_generate_keys() { local charSet="[:graph:]" ACCESS_KEY=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 20) ACCESS_SECRET=$(cat /dev/urandom | tr -cd "$charSet" | tr -d \' | tr -d \" | head -c 40) } network_setup() { { echo "Finishing up network setup"; echo "... Verifying all network devices are managed by Network Manager"; check_network_manager_conf; echo "... Disabling unused NICs"; disable_misc_network_features; echo "... Setting ONBOOT for management interface"; if ! netplan > /dev/null 2>&1; then nmcli con mod "$MAININT" connection.autoconnect "yes"; fi echo "... Copying 99-so-checksum-offload-disable"; cp "$SCRIPTDIR"/install_scripts/99-so-checksum-offload-disable /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ; echo "... Modifying 99-so-checksum-offload-disable"; sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable; } >> "$SETUPLOG" 2>&1 } node_pillar() { PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls # Create the node pillar echo "node:" >> $PILLARFILE echo " mainip: $MAINIP" >> $PILLARFILE echo " mainint: $MAININT" >> $PILLARFILE echo " esheap: $NODE_ES_HEAP_SIZE" >> $PILLARFILE echo " esclustername: {{ grains.host }}" >> $PILLARFILE echo " lsheap: $NODE_LS_HEAP_SIZE" >> $PILLARFILE echo " ls_pipeline_workers: $LSPIPELINEWORKERS" >> $PILLARFILE echo " ls_pipeline_batch_size: $LSPIPELINEBATCH" >> $PILLARFILE echo " ls_input_threads: $LSINPUTTHREADS" >> $PILLARFILE echo " ls_batch_count: $LSINPUTBATCHCOUNT" >> $PILLARFILE echo " es_shard_count: $SHARDCOUNT" >> $PILLARFILE echo " node_type: $NODETYPE" >> $PILLARFILE echo " es_port: $NODE_ES_PORT" >> $PILLARFILE echo " log_size_limit: $LOG_SIZE_LIMIT" >> $PILLARFILE echo " cur_close_days: $CURCLOSEDAYS" >> $PILLARFILE echo "" >> $PILLARFILE } patch_pillar() { PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls echo "" >> $PILLARFILE echo "patch:" >> $PILLARFILE echo " os:" >> $PILLARFILE echo " schedule_name: $PATCHSCHEDULENAME" >> $PILLARFILE echo " enabled: True" >> $PILLARFILE echo " splay: 300" >> $PILLARFILE echo "" >> $PILLARFILE } patch_schedule_os_new() { OSPATCHSCHEDULEDIR="$TMP/salt/patch/os/schedules" OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml" if [ ! -d $OSPATCHSCHEDULEDIR ] ; then mkdir -p $OSPATCHSCHEDULEDIR fi echo "patch:" > $OSPATCHSCHEDULE echo " os:" >> $OSPATCHSCHEDULE echo " schedule:" >> $OSPATCHSCHEDULE for psd in "${PATCHSCHEDULEDAYS[@]}" do psd=$(echo $psd | sed 's/"//g') echo " - $psd:" >> $OSPATCHSCHEDULE for psh in "${PATCHSCHEDULEHOURS[@]}" do psh=$(echo $psh | sed 's/"//g') echo " - '$psh'" >> $OSPATCHSCHEDULE done done } process_components() { CLEAN=${COMPONENTS//\"} GRAFANA=0 OSQUERY=0 WAZUH=0 THEHIVE=0 PLAYBOOK=0 STRELKA=0 IFS=$' ' for item in $(echo "$CLEAN"); do let $item=1 done unset IFS } reserve_group_ids() { # This is a hack to fix CentOS from taking group IDs that we need groupadd -g 928 kratos groupadd -g 930 elasticsearch groupadd -g 931 logstash groupadd -g 932 kibana groupadd -g 933 elastalert groupadd -g 934 curator groupadd -g 937 zeek groupadd -g 939 socore groupadd -g 940 suricata groupadd -g 941 stenographer groupadd -g 945 ossec groupadd -g 946 cyberchef groupadd -g 947 soremote } saltify() { # Install updates and Salt if [ $OS == 'centos' ]; then ADDUSER=adduser if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then reserve_group_ids yum -y install epel-release yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo yum -y install sqlite3 argon2 curl jq openssl # Download Ubuntu Keys in case master updates = 1 mkdir -p /opt/so/gpg wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH cat > /etc/yum.repos.d/wazuh.repo <<\EOF [wazuh_repo] gpgcheck=1 gpgkey=https://packages.wazuh.com/key/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://packages.wazuh.com/3.x/yum/ protect=1 EOF else if [ $MASTERUPDATES == 'MASTER' ]; then # Create the GPG Public Key for the Salt Repo echo "-----BEGIN PGP PUBLIC KEY BLOCK-----" > /etc/pki/rpm-gpg/saltstack-signing-key echo "Version: GnuPG v2.0.22 (GNU/Linux)" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "mQENBFOpvpgBCADkP656H41i8fpplEEB8IeLhugyC2rTEwwSclb8tQNYtUiGdna9" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "m38kb0OS2DDrEdtdQb2hWCnswxaAkUunb2qq18vd3dBvlnI+C4/xu5ksZZkRj+fW" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "tArNR18V+2jkwcG26m8AxIrT+m4M6/bgnSfHTBtT5adNfVcTHqiT1JtCbQcXmwVw" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "WbqS6v/LhcsBE//SHne4uBCK/GHxZHhQ5jz5h+3vWeV4gvxS3Xu6v1IlIpLDwUts" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "kT1DumfynYnnZmWTGc6SYyIFXTPJLtnoWDb9OBdWgZxXfHEcBsKGha+bXO+m2tHA" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "gNneN9i5f8oNxo5njrL8jkCckOpNpng18BKXABEBAAG0MlNhbHRTdGFjayBQYWNr" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "YWdpbmcgVGVhbSA8cGFja2FnaW5nQHNhbHRzdGFjay5jb20+iQE4BBMBAgAiBQJT" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "qb6YAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAOCKFJ3le/vhkqB/0Q" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "WzELZf4d87WApzolLG+zpsJKtt/ueXL1W1KA7JILhXB1uyvVORt8uA9FjmE083o1" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "yE66wCya7V8hjNn2lkLXboOUd1UTErlRg1GYbIt++VPscTxHxwpjDGxDB1/fiX2o" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "nK5SEpuj4IeIPJVE/uLNAwZyfX8DArLVJ5h8lknwiHlQLGlnOu9ulEAejwAKt9CU" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "4oYTszYM4xrbtjB/fR+mPnYh2fBoQO4d/NQiejIEyd9IEEMd/03AJQBuMux62tjA" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "/NwvQ9eqNgLw9NisFNHRWtP4jhAOsshv1WW+zPzu3ozoO+lLHixUIz7fqRk38q8Q" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "9oNR31KvrkSNrFbA3D89uQENBFOpvpgBCADJ79iH10AfAfpTBEQwa6vzUI3Eltqb" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "9aZ0xbZV8V/8pnuU7rqM7Z+nJgldibFk4gFG2bHCG1C5aEH/FmcOMvTKDhJSFQUx" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "uhgxttMArXm2c22OSy1hpsnVG68G32Nag/QFEJ++3hNnbyGZpHnPiYgej3FrerQJ" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "zv456wIsxRDMvJ1NZQB3twoCqwapC6FJE2hukSdWB5yCYpWlZJXBKzlYz/gwD/Fr" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "GL578WrLhKw3UvnJmlpqQaDKwmV2s7MsoZogC6wkHE92kGPG2GmoRD3ALjmCvN1E" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "PsIsQGnwpcXsRpYVCoW7e2nW4wUf7IkFZ94yOCmUq6WreWI4NggRcFC5ABEBAAGJ" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "AR8EGAECAAkFAlOpvpgCGwwACgkQDgihSd5Xv74/NggA08kEdBkiWWwJZUZEy7cK" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "WWcgjnRuOHd4rPeT+vQbOWGu6x4bxuVf9aTiYkf7ZjVF2lPn97EXOEGFWPZeZbH4" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "vdRFH9jMtP+rrLt6+3c9j0M8SIJYwBL1+CNpEC/BuHj/Ra/cmnG5ZNhYebm76h5f" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "T9iPW9fFww36FzFka4VPlvA4oB7ebBtquFg3sdQNU/MmTVV4jPFWXxh4oRDDR+8N" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "1bcPnbB11b5ary99F/mqr7RgQ+YFF0uKRE3SKa7a+6cIuHEZ7Za+zhPaQlzAOZlx" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "fuBmScum8uQTrEF5+Um5zkwC7EXTdH1co/+/V/fpOtxIg4XO4kcugZefVm5ERfVS" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "MA==" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "=dtMN" >> /etc/pki/rpm-gpg/saltstack-signing-key echo "-----END PGP PUBLIC KEY BLOCK-----" >> /etc/pki/rpm-gpg/saltstack-signing-key # Add the Wazuh Key cat > /etc/pki/rpm-gpg/GPG-KEY-WAZUH <<\EOF -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1 mQINBFeeyYwBEACyf4VwV8c2++J5BmCl6ofLCtSIW3UoVrF4F+P19k/0ngnSfjWb 8pSWB11HjZ3Mr4YQeiD7yY06UZkrCXk+KXDlUjMK3VOY7oNPkqzNaP6+8bDwj4UA hADMkaXBvWooGizhCoBtDb1bSbHKcAnQ3PTdiuaqF5bcyKk8hv939CHulL2xH+BP mmTBi+PM83pwvR+VRTOT7QSzf29lW1jD79v4rtXHJs4KCz/amT/nUm/tBpv3q0sT 9M9rH7MTQPdqvzMl122JcZST75GzFJFl0XdSHd5PAh2mV8qYak5NYNnwA41UQVIa +xqhSu44liSeZWUfRdhrQ/Nb01KV8lLAs11Sz787xkdF4ad25V/Rtg/s4UXt35K3 klGOBwDnzPgHK/OK2PescI5Ve1z4x1C2bkGze+gk/3IcfGJwKZDfKzTtqkZ0MgpN 7RGghjkH4wpFmuswFFZRyV+s7jXYpxAesElDSmPJ0O07O4lQXQMROE+a2OCcm0eF 3+Cr6qxGtOp1oYMOVH0vOLYTpwOkAM12/qm7/fYuVPBQtVpTojjV5GDl2uGq7p0o h9hyWnLeNRbAha0px6rXcF9wLwU5n7mH75mq5clps3sP1q1/VtP/Fr84Lm7OGke4 9eD+tPNCdRx78RNWzhkdQxHk/b22LCn1v6p1Q0qBco9vw6eawEkz1qwAjQARAQAB tDFXYXp1aC5jb20gKFdhenVoIFNpZ25pbmcgS2V5KSA8c3VwcG9ydEB3YXp1aC5j b20+iQI9BBMBCAAnBQJXnsmMAhsDBQkFo5qABQsJCAcDBRUKCQgLBRYCAwEAAh4B AheAAAoJEJaz7l8pERFFHEsQAIaslejcW2NgjgOZuvn1Bht4JFMbCIPOekg4Z5yF binRz0wmA7JNaawDHTBYa6L+A2Xneu/LmuRjFRMesqopUukVeGQgHBXbGMzY46eI rqq/xgvgWzHSbWweiOX0nn+exbEAM5IyW+efkWNz0e8xM1LcxdYZxkVOqFqkp3Wv J9QUKw6z9ifUOx++G8UO307O3hT2f+x4MUoGZeOF4q1fNy/VyBS2lMg2HF7GWy2y kjbSe0p2VOFGEZLuu2f5tpPNth9UJiTliZKmgSk/zbKYmSjiVY2eDqNJ4qjuqes0 vhpUaBjA+DgkEWUrUVXG5yfQDzTiYIF84LknjSJBYSLZ4ABsMjNO+GApiFPcih+B Xc9Kx7E9RNsNTDqvx40y+xmxDOzVIssXeKqwO8r5IdG3K7dkt2Vkc/7oHOpcKwE5 8uASMPiqqMo+t1RVa6Spckp3Zz8REILbotnnVwDIwo2HmgASirMGUcttEJzubaIa Mv43GKs8RUH9s5NenC02lfZG7D8WQCz5ZH7yEWrt5bCaQRNDXjhsYE17SZ/ToHi3 OpWu050ECWOHdxlXNG3dOWIdFDdBJM7UfUNSSOe2Y5RLsWfwvMFGbfpdlgJcMSDV X+ienkrtXhBteTu0dwPu6HZTFOjSftvtAo0VIqGQrKMvKelkkdNGdDFLQw2mUDcw EQj6uQINBFeeyYwBEADD1Y3zW5OrnYZ6ghTd5PXDAMB8Z1ienmnb2IUzLM+i0yE2 TpKSP/XYCTBhFa390rYgFO2lbLDVsiz7Txd94nHrdWXGEQfwrbxsvdlLLWk7iN8l Fb4B60OfRi3yoR96a/kIPNa0x26+n79LtDuWZ/DTq5JSHztdd9F1sr3h8i5zYmtv luj99ZorpwYejbBVUm0+gP0ioaXM37uO56UFVQk3po9GaS+GtLnlgoE5volgNYyO rkeIua4uZVsifREkHCKoLJip6P7S3kTyfrpiSLhouEZ7kV1lbMbFgvHXyjm+/AIx HIBy+H+e+HNt5gZzTKUJsuBjx44+4jYsOR67EjOdtPOpgiuJXhedzShEO6rbu/O4 wM1rX45ZXDYa2FGblHCQ/VaS0ttFtztk91xwlWvjTR8vGvp5tIfCi+1GixPRQpbN Y/oq8Kv4A7vB3JlJscJCljvRgaX0gTBzlaF6Gq0FdcWEl5F1zvsWCSc/Fv5WrUPY 5mG0m69YUTeVO6cZS1aiu9Qh3QAT/7NbUuGXIaAxKnu+kkjLSz+nTTlOyvbG7BVF a6sDmv48Wqicebkc/rCtO4g8lO7KoA2xC/K/6PAxDrLkVyw8WPsAendmezNfHU+V 32pvWoQoQqu8ysoaEYc/j9fN4H3mEBCN3QUJYCugmHP0pu7VtpWwwMUqcGeUVwAR AQABiQIlBBgBCAAPBQJXnsmMAhsMBQkFo5qAAAoJEJaz7l8pERFFz8IP/jfBxJSB iOw+uML+C4aeYxuHSdxmSsrJclYjkw7Asha/fm4Kkve00YAW8TGxwH2kgS72ooNJ 1Q7hUxNbVyrJjQDSMkRKwghmrPnUM3UyHmE0dq+G2NhaPdFo8rKifLOPgwaWAfSV wgMTK86o0kqRbGpXgVIG5eRwv2FcxM3xGfy7sub07J2VEz7Ba6rYQ3NTbPK42AtV +wRJDXcgS7y6ios4XQtSbIB5f6GI56zVlwfRd3hovV9ZAIJQ6DKM31wD6Kt/pRun DjwMZu0/82JMoqmxX/00sNdDT1S13guCfl1WhBu7y1ja9MUX5OpUzyEKg5sxme+L iY2Rhs6CjmbTm8ER4Uj8ydKyVTy8zbumbB6T8IwCAbEMtPxm6pKh/tgLpoJ+Bj0y AsGjmhV7R6PKZSDXg7/qQI98iC6DtWc9ibC/QuHLcvm3hz40mBgXAemPJygpxGst mVtU7O3oHw9cIUpkbMuVqSxgPFmSSq5vEYkka1CYeg8bOz6aCTuO5J0GDlLrpjtx 6lyImbZAF/8zKnW19aq5lshT2qJlTQlZRwwDZX5rONhA6T8IEUnUyD4rAIQFwfJ+ gsXa4ojD/tA9NLdiNeyEcNfyX3FZwXWCtVLXflzdRN293FKamcdnMjVRjkCnp7iu 7eO7nMgcRoWddeU+2aJFqCoQtKCp/5EKhFey =UIVm -----END PGP PUBLIC KEY BLOCK----- EOF # Proxy is hating on me.. Lets just set it manually echo "[salt-latest]" > /etc/yum.repos.d/salt-latest.repo echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-latest.repo echo "baseurl=https://repo.saltstack.com/py3/redhat/7/\$basearch/latest" >> /etc/yum.repos.d/salt-latest.repo echo "failovermethod=priority" >> /etc/yum.repos.d/salt-latest.repo echo "enabled=1" >> /etc/yum.repos.d/salt-latest.repo echo "gpgcheck=1" >> /etc/yum.repos.d/salt-latest.repo echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-latest.repo # Proxy is hating on me.. Lets just set it manually echo "[salt-2019.2]" > /etc/yum.repos.d/salt-2019-2.repo echo "name=SaltStack Latest Release Channel for RHEL/Centos \$releasever" >> /etc/yum.repos.d/salt-2019-2.repo echo "baseurl=https://repo.saltstack.com/py3/redhat/7/\$basearch/2019.2" >> /etc/yum.repos.d/salt-2019-2.repo echo "failovermethod=priority" >> /etc/yum.repos.d/salt-2019-2.repo echo "enabled=1" >> /etc/yum.repos.d/salt-2019-2.repo echo "gpgcheck=1" >> /etc/yum.repos.d/salt-2019-2.repo echo "gpgkey=file:///etc/pki/rpm-gpg/saltstack-signing-key" >> /etc/yum.repos.d/salt-2019-2.repo cat > /etc/yum.repos.d/wazuh.repo <<\EOF [wazuh_repo] gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://packages.wazuh.com/3.x/yum/ protect=1 EOF else yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-2019-2.repo sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo cat > /etc/yum.repos.d/wazuh.repo <<\EOF [wazuh_repo] gpgcheck=1 gpgkey=file:///etc/pki/rpm-gpg/GPG-KEY-WAZUH enabled=1 name=Wazuh repository baseurl=https://packages.wazuh.com/3.x/yum/ protect=1 EOF fi fi yum clean expire-cache yum -y install epel-release salt-minion-2019.2.3 yum-utils device-mapper-persistent-data lvm2 openssl jq yum -y update exclude=salt* systemctl enable salt-minion if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then yum -y install salt-master-2019.2.3 python3 python36-m2crypto salt-minion-2019.2.3 python36-dateutil python36-mysql python36-docker systemctl enable salt-master elif [ $INSTALLTYPE == 'FLEET' ]; then yum -y install salt-minion-2019.2.3 python3 python36-m2crypto python36-dateutil python36-docker python36-mysql else yum -y install salt-minion-2019.2.3 python3 python36-m2crypto python36-dateutil python36-docker fi echo "exclude=salt*" >> /etc/yum.conf # Our OS is not CentOS else ADDUSER=useradd DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade if [ $OSVER != "xenial" ]; then # Switch to Python 3 as default is this is not xenial update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10 fi # Add the pre-requisites for installing docker-ce apt-get -y install ca-certificates curl software-properties-common apt-transport-https openssl jq >> $SETUPLOG 2>&1 # Grab the version from the os-release file UVER=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}') # Nasty hack but required for now if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then if [ $OSVER != "xenial" ]; then # Install the repo for salt py3 edition wget --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/$UVER/amd64/3000/SALTSTACK-GPG-KEY.pub | apt-key add - wget --inet4-only -O - https://repo.saltstack.com/py3/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb http://repo.saltstack.com/py3/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list else # Install the repo for salt wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub | apt-key add - wget --inet4-only -O - https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add - echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list fi # Lets get the docker repo added curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" # Create a place for the keys mkdir -p /opt/so/gpg wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/$UVER/amd64/latest/SALTSTACK-GPG-KEY.pub wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH # Get key and install wazuh curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add - # Add repo echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list # Initialize the new repos apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common else # Need to add python packages here apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto sqlite3 argon2 curl jq openssl >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common fi else # Copy down the gpg keys and install them from the master mkdir $TMP/gpg echo "scp the gpg keys and install them from the master" scp -v -i /root/.ssh/so.key soremote@$MSRV:/opt/so/gpg/* $TMP/gpg echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH" apt-key add $TMP/gpg/SALTSTACK-GPG-KEY.pub apt-key add $TMP/gpg/GPG-KEY-WAZUH echo "deb http://repo.saltstack.com/apt/ubuntu/$UVER/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list # Initialize the new repos apt-get update >> $SETUPLOG 2>&1 if [ $OSVER != "xenial" ]; then apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python3-dateutil python3-m2crypto >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common else # Need to add python packages here apt-get -y install salt-minion=2019.2.3+ds-1 salt-common=2019.2.3+ds-1 python-dateutil python-m2crypto >> $SETUPLOG 2>&1 apt-mark hold salt-minion salt-common fi fi fi } salt_checkin() { # Master State to Fix Mine Usage if [ $INSTALLTYPE == 'MASTER' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'HELIXSENSOR' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then echo "Building Certificate Authority" salt-call state.apply ca >> $SETUPLOG 2>&1 echo " *** Restarting Salt to fix any SSL errors. ***" service salt-master restart >> $SETUPLOG 2>&1 sleep 5 service salt-minion restart >> $SETUPLOG 2>&1 sleep 15 echo " Applyng a mine hack " salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt >> $SETUPLOG 2>&1 echo " Applying SSL state " salt-call state.apply ssl >> $SETUPLOG 2>&1 echo "Still Working... Hang in there" #salt-call state.highstate else # Run Checkin salt-call state.apply ca >> $SETUPLOG 2>&1 salt-call state.apply ssl >> $SETUPLOG 2>&1 #salt-call state.highstate >> $SETUPLOG 2>&1 fi } salt_firstcheckin() { #First Checkin salt-call state.highstate >> $SETUPLOG 2>&1 } salt_master_directories() { # Create salt paster directories mkdir -p /opt/so/saltstack/salt mkdir -p /opt/so/saltstack/pillar # Copy over the salt code and templates if [ $INSTALLMETHOD == 'iso' ]; then rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/ rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/ else cp -R $SCRIPTDIR/../pillar/* /opt/so/saltstack/pillar/ cp -R $SCRIPTDIR/../salt/* /opt/so/saltstack/salt/ fi chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh chmod +x /opt/so/saltstack/pillar/data/addtotab.sh } salt_install_mysql_deps() { if [ $OS == 'centos' ]; then yum -y install mariadb-devel elif [ $OS == 'ubuntu' ]; then if [ $OSVER != "xenial" ]; then apt-get -y install python3-mysqldb >> $SETUPLOG 2>&1 else apt-get -y install python-mysqldb fi fi } sensor_pillar() { PILLARFILE=$TMP/pillar/minions/$MINION_ID.sls # Create the sensor pillar touch $PILLARFILE echo "sensor:" >> $PILLARFILE echo " interface: bond0" >> $PILLARFILE echo " mainip: $MAINIP" >> $PILLARFILE echo " mainint: $MAININT" >> $PILLARFILE if [ $NSMSETUP == 'ADVANCED' ]; then echo " bro_pins:" >> $PILLARFILE for PIN in $BROPINS; do PIN=$(echo $PIN | cut -d\" -f2) echo " - $PIN" >> $PILLARFILE done echo " suripins:" >> $PILLARFILE for SPIN in $SURIPINS; do SPIN=$(echo $SPIN | cut -d\" -f2) echo " - $SPIN" >> $PILLARFILE done elif [ $INSTALLTYPE == 'HELIXSENSOR' ]; then echo " bro_lbprocs: $LBPROCS" >> $PILLARFILE echo " suriprocs: $LBPROCS" >> $PILLARFILE else echo " bro_lbprocs: $BASICBRO" >> $PILLARFILE echo " suriprocs: $BASICSURI" >> $PILLARFILE fi echo " brobpf:" >> $PILLARFILE echo " pcapbpf:" >> $PILLARFILE echo " nidsbpf:" >> $PILLARFILE echo " master: $MSRV" >> $PILLARFILE echo " mtu: $MTU" >> $PILLARFILE echo " uniqueid: $(date '+%s')" >> $PILLARFILE if [ $HNSENSOR != 'inherit' ]; then echo " hnsensor: $HNSENSOR" >> $PILLARFILE fi echo " access_key: $ACCESS_KEY" >> $PILLARFILE echo " access_secret: $ACCESS_SECRET" >> $PILLARFILE echo "" >> $PILLARFILE } set_environment_var() { echo "Setting environment variable: $1" export "$1" echo "$1" >> /etc/environment } set_hostname() { echo 'set_hostname called' >> $SETUPLOG 2>&1 echo $TESTHOST >> $SETUPLOG 2>&1 echo $INSTALLTYPE >> $SETUPLOG 2>&1 hostnamectl set-hostname --static $HOSTNAME echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo $HOSTNAME > /etc/hostname HOSTNAME=$(cat /etc/hostname) if [[ ! $INSTALLTYPE =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then if [[ $TESTHOST = *"not found"* ]] || [ -z $TESTHOST ] || [[ $TESTHOST = *"connection timed out"* ]]; then if ! grep -q $MSRVIP /etc/hosts; then echo "$MSRVIP $MSRV" >> /etc/hosts fi fi fi } set_hostname_iso() { hostnamectl set-hostname --static $HOSTNAME echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts echo "::1 localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts echo $HOSTNAME > /etc/hostname } set_initial_firewall_policy() { get_main_ip if [ $INSTALLTYPE == 'MASTER' ]; then printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls /opt/so/saltstack/pillar/data/addtotab.sh mastertab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM fi if [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ]; then printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/search_nodes.sls if [ $INSTALLTYPE == 'EVAL' ]; then /opt/so/saltstack/pillar/data/addtotab.sh evaltab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0 elif [ $INSTALLTYPE == 'MASTERSEARCH' ]; then /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM fi fi if [ $INSTALLTYPE == 'HELIXSENSOR' ]; then printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/minions.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/masterfw.sls printf " - $MAINIP\n" >> /opt/so/saltstack/pillar/firewall/forward_nodes.sls fi if [ $INSTALLTYPE == 'SENSOR' ]; then ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0 fi if [ $INSTALLTYPE == 'SEARCHNODE' ]; then ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM fi if [ $INSTALLTYPE == 'HEAVYNODE' ]; then ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes $MAINIP ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM bond0 ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab $MINION_ID $MAINIP $CPUCORES $RANDOMUID $MAININT $FSROOT $FSNSM fi if [ $INSTALLTYPE == 'FLEET' ]; then ssh -i /root/.ssh/so.key soremote@$MSRV sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions $MAINIP fi if [ $INSTALLTYPE == 'PARSINGNODE' ]; then echo "blah" fi if [ $INSTALLTYPE == 'HOTNODE' ]; then echo "blah" fi if [ $INSTALLTYPE == 'WARMNODE' ]; then echo "blah" fi } # Set up the management interface on the ISO set_management_interface() { if [ $ADDRESSTYPE == 'DHCP' ]; then /usr/bin/nmcli con up $MNIC /usr/bin/nmcli con mod $MNIC connection.autoconnect yes else # Set Static IP /usr/bin/nmcli con mod $MNIC ipv4.addresses $MIP/$MMASK ipv4.gateway $MGATEWAY \ ipv4.dns $MDNS ipv4.dns-search $MSEARCH ipv4.method manual /usr/bin/nmcli con up $MNIC /usr/bin/nmcli con mod $MNIC connection.autoconnect yes fi } set_node_type() { # Determine the node type based on whiplash choice if [ $INSTALLTYPE == 'SEARCHNODE' ] || [ $INSTALLTYPE == 'EVAL' ] || [ $INSTALLTYPE == 'MASTERSEARCH' ] || [ $INSTALLTYPE == 'HEAVYNODE' ] ; then NODETYPE='search' fi if [ $INSTALLTYPE == 'PARSINGNODE' ]; then NODETYPE='parser' fi if [ $INSTALLTYPE == 'HOTNODE' ]; then NODETYPE='hot' fi if [ $INSTALLTYPE == 'WARMNODE' ]; then NODETYPE='warm' fi } set_updates() { echo "MASTERUPDATES is $MASTERUPDATES" if [ $MASTERUPDATES == 'MASTER' ]; then if [ $OS == 'centos' ]; then if ! grep -q $MSRV /etc/yum.conf; then echo "proxy=http://$MSRV:3142" >> /etc/yum.conf fi else # Set it up so the updates roll through the master echo "Acquire::http::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy echo "Acquire::https::Proxy \"http://$MSRV:3142\";" >> /etc/apt/apt.conf.d/00Proxy fi fi } set_version() { # Drop a file with the current version echo "$SOVERSION" > /etc/soversion } update_sudoers() { if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then # Update Sudoers so that soremote can accept keys without a password echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/salt/master/files/add_minion.sh" | tee -a /etc/sudoers else echo "User soremote already granted sudo privileges" fi }