#!/bin/bash # # Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one # or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at # https://securityonion.net/license; you may not use this file except in compliance with the # Elastic License 2.0. # Elastic agent is not managed by salt. Because of this we must store this base information in a # script that accompanies the soup system. Since so-common is one of those special soup files, # and since this same logic is required during installation, it's included in this file. ELASTIC_AGENT_TARBALL_VERSION="8.8.2" ELASTIC_AGENT_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_MD5_URL="https://repo.securityonion.net/file/so-repo/prod/2.4/elasticagent/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_FILE="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.tar.gz" ELASTIC_AGENT_MD5="/nsm/elastic-fleet/artifacts/elastic-agent_SO-$ELASTIC_AGENT_TARBALL_VERSION.md5" ELASTIC_AGENT_EXPANSION_DIR=/nsm/elastic-fleet/artifacts/beats/elastic-agent DEFAULT_SALT_DIR=/opt/so/saltstack/default DOC_BASE_URL="https://docs.securityonion.net/en/2.4" if [ -z $NOROOT ]; then # Check for prerequisites if [ "$(id -u)" -ne 0 ]; then echo "This script must be run using sudo!" exit 1 fi fi # Ensure /usr/sbin is in path if ! echo "$PATH" | grep -q "/usr/sbin"; then export PATH="$PATH:/usr/sbin" fi # Define a banner to separate sections banner="=========================================================================" add_interface_bond0() { local BNIC=$1 if [[ -z $MTU ]]; then local MTU MTU=$(lookup_pillar "mtu" "sensor") fi local nic_error=0 # Check if specific offload features are able to be disabled for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do if ethtool -k "$BNIC" | grep $string | grep -q "on [fixed]"; then echo "The hardware or driver for interface ${BNIC} is not supported, packet capture may not work as expected." ((nic_error++)) break fi done case "$2" in -v|--verbose) local verbose=true ;; esac for i in rx tx sg tso ufo gso gro lro; do if [[ $verbose == true ]]; then ethtool -K "$BNIC" $i off else ethtool -K "$BNIC" $i off &>/dev/null fi done if ! [[ $is_cloud ]]; then # Check if the bond slave connection has already been created nmcli -f name,uuid -p con | grep -q "bond0-slave-$BNIC" local found_int=$? if [[ $found_int != 0 ]]; then # Create the slave interface and assign it to the bond nmcli con add type ethernet ifname "$BNIC" con-name "bond0-slave-$BNIC" master bond0 -- \ ethernet.mtu "$MTU" \ connection.autoconnect "yes" else local int_uuid int_uuid=$(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BNIC //p" | tr -d ' ') nmcli con mod "$int_uuid" \ ethernet.mtu "$MTU" \ connection.autoconnect "yes" fi fi ip link set dev "$BNIC" arp off multicast off allmulticast off promisc on if ! [[ $is_cloud ]]; then # Bring the slave interface up if [[ $verbose == true ]]; then nmcli con up "bond0-slave-$BNIC" else nmcli con up "bond0-slave-$BNIC" &>/dev/null fi fi if [ "$nic_error" != 0 ]; then return "$nic_error" fi } check_container() { docker ps | grep "$1:" > /dev/null 2>&1 return $? } check_password() { local password=$1 echo "$password" | egrep -v "'|\"|\\$|\\\\" > /dev/null 2>&1 return $? } check_password_and_exit() { local password=$1 if ! check_password "$password"; then echo "Password is invalid. Do not include single quotes, double quotes, dollar signs, and backslashes in the password." exit 2 fi return 0 } check_elastic_license() { [ -n "$TESTING" ] && return # See if the user has already accepted the license if [ ! -f /opt/so/state/yeselastic.txt ]; then elastic_license else echo "Elastic License has already been accepted" fi } check_salt_master_status() { local timeout=$1 echo "Checking if we can talk to the salt master" salt-call state.show_top concurrent=true return } check_salt_minion_status() { local timeout=$1 echo "Checking if the salt minion will respond to jobs" >> "$setup_log" 2>&1 salt "$MINION_ID" test.ping -t $timeout > /dev/null 2>&1 local status=$? if [ $status -gt 0 ]; then echo " Minion did not respond" >> "$setup_log" 2>&1 else echo " Received job response from salt minion" >> "$setup_log" 2>&1 fi return $status } copy_new_files() { # Copy new files over to the salt dir cd $UPDATE_DIR rsync -a salt $DEFAULT_SALT_DIR/ rsync -a pillar $DEFAULT_SALT_DIR/ chown -R socore:socore $DEFAULT_SALT_DIR/ chmod 755 $DEFAULT_SALT_DIR/pillar/firewall/addfirewall.sh cd /tmp } disable_fastestmirror() { sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf } download_and_verify() { source_url=$1 source_md5_url=$2 dest_file=$3 md5_file=$4 expand_dir=$5 if [[ -n "$expand_dir" ]]; then mkdir -p "$expand_dir" fi if ! verify_md5_checksum "$dest_file" "$md5_file"; then retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_url' --output '$dest_file'" "" "" retry 15 10 "curl --fail --retry 5 --retry-delay 15 -L '$source_md5_url' --output '$md5_file'" "" "" if verify_md5_checksum "$dest_file" "$md5_file"; then echo "Source file and checksum are good." else echo "Unable to download and verify the source file and checksum." return 1 fi fi if [[ -n "$expand_dir" ]]; then tar -xf "$dest_file" -C "$expand_dir" fi } elastic_license() { read -r -d '' message <<- EOM \n Elastic Stack binaries and Security Onion components are only available under the Elastic License version 2 (ELv2): https://securityonion.net/license/ Do you agree to the terms of ELv2? If so, type AGREE to accept ELv2 and continue. Otherwise, press Enter to exit this program without making any changes. EOM AGREED=$(whiptail --title "$whiptail_title" --inputbox \ "$message" 20 75 3>&1 1>&2 2>&3) if [ "${AGREED^^}" = 'AGREE' ]; then mkdir -p /opt/so/state touch /opt/so/state/yeselastic.txt else echo "Starting in 2.3.40 you must accept the Elastic license if you want to run Security Onion." exit 1 fi } fail() { msg=$1 echo "ERROR: $msg" echo "Exiting." exit 1 } get_random_value() { length=${1:-20} head -c 5000 /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w $length | head -n 1 } gpg_rpm_import() { if [[ $is_oracle ]]; then if [[ "$WHATWOULDYOUSAYYAHDOHERE" == "setup" ]]; then local RPMKEYSLOC="../salt/repo/client/files/$OS/keys" else local RPMKEYSLOC="$UPDATE_DIR/salt/repo/client/files/$OS/keys" fi RPMKEYS=('RPM-GPG-KEY-oracle' 'RPM-GPG-KEY-EPEL-9' 'SALT-PROJECT-GPG-PUBKEY-2023.pub' 'docker.pub' 'securityonion.pub' 'MariaDB-Server-GPG-KEY') for RPMKEY in "${RPMKEYS[@]}"; do rpm --import $RPMKEYSLOC/$RPMKEY echo "Imported $RPMKEY" done elif [[ $is_rpm ]]; then echo "Importing the security onion GPG key" rpm --import ../salt/repo/client/files/oracle/keys/securityonion.pub fi } header() { printf '%s\n' "" "$banner" " $*" "$banner" } init_monitor() { MONITORNIC=$1 if [[ $MONITORNIC == "bond0" ]]; then BIFACES=$(lookup_bond_interfaces) for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do ethtool -K "$MONITORNIC" "$i" off; done else BIFACES=$MONITORNIC fi for DEVICE_IFACE in $BIFACES; do for i in rx tx sg tso ufo gso gro lro rx-vlan-offload tx-vlan-offload generic-receive-offload generic-segmentation-offload tcp-segmentation-offload; do ethtool -K "$DEVICE_IFACE" "$i" off; done ip link set dev "$DEVICE_IFACE" arp off multicast off allmulticast off promisc on done } is_manager_node() { grep "role: so-" /etc/salt/grains | grep -E "manager|eval|managersearch|standalone|import" &> /dev/null } is_sensor_node() { # Check to see if this is a sensor (forward) node is_single_node_grid && return 0 grep "role: so-" /etc/salt/grains | grep -E "sensor|heavynode" &> /dev/null } is_single_node_grid() { grep "role: so-" /etc/salt/grains | grep -E "eval|standalone|import" &> /dev/null } lookup_bond_interfaces() { cat /proc/net/bonding/bond0 | grep "Slave Interface:" | sed -e "s/Slave Interface: //g" } lookup_salt_value() { key=$1 group=$2 kind=$3 output=${4:-newline_values_only} local=$5 if [ -z "$kind" ]; then kind=pillar fi if [ -n "$group" ]; then group=${group}: fi if [[ "$local" == "--local" ]] || [[ "$local" == "local" ]]; then local="--local" else local="" fi salt-call --no-color ${kind}.get ${group}${key} --out=${output} ${local} } lookup_pillar() { key=$1 pillar=$2 if [ -z "$pillar" ]; then pillar=global fi lookup_salt_value "$key" "$pillar" "pillar" } lookup_pillar_secret() { lookup_pillar "$1" "secrets" } lookup_grain() { lookup_salt_value "$1" "" "grains" } lookup_role() { id=$(lookup_grain id) pieces=($(echo $id | tr '_' ' ')) echo ${pieces[1]} } is_feature_enabled() { feature=$1 enabled=$(lookup_salt_value features) for cur in $enabled; do if [[ "$feature" == "$cur" ]]; then return 0 fi done return 1 } require_manager() { if is_manager_node; then echo "This is a manager, so we can proceed." else echo "Please run this command on the manager; the manager controls the grid." exit 1 fi } retry() { maxAttempts=$1 sleepDelay=$2 cmd=$3 expectedOutput=$4 failedOutput=$5 attempt=0 local exitcode=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) echo "Executing command with retry support: $cmd" output=$(eval "$cmd") exitcode=$? echo "Results: $output ($exitcode)" if [ -n "$expectedOutput" ]; then if [[ "$output" =~ "$expectedOutput" ]]; then return $exitcode else echo "Did not find expectedOutput: '$expectedOutput' in the output below from running the command: '$cmd'" echo "" echo "$output" echo "" fi elif [ -n "$failedOutput" ]; then if [[ "$output" =~ "$failedOutput" ]]; then echo "Found failedOutput: '$failedOutput' in the output below from running the command: '$cmd'" echo "" echo "$output" echo "" if [[ $exitcode -eq 0 ]]; then echo "The exitcode was 0, but we are setting to 1 since we found $failedOutput in the output." exitcode=1 fi else return $exitcode fi elif [[ $exitcode -eq 0 ]]; then return $exitcode fi echo "Command failed with exit code $exitcode; will retry in $sleepDelay seconds ($attempt / $maxAttempts)..." sleep $sleepDelay done echo "Command continues to fail; giving up." return $exitcode } run_check_net_err() { local cmd=$1 local err_msg=${2:-"Unknown error occured, please check /root/$WHATWOULDYOUSAYYAHDOHERE.log for details."} # Really need to rename that variable local no_retry=$3 local exit_code if [[ -z $no_retry ]]; then retry 5 60 "$cmd" exit_code=$? else eval "$cmd" exit_code=$? fi if [[ $exit_code -ne 0 ]]; then ERR_HANDLED=true [[ -z $no_retry ]] || echo "Command failed with error $exit_code" echo "$err_msg" exit $exit_code fi } salt_minion_count() { local MINIONDIR="/opt/so/saltstack/local/pillar/minions" MINIONCOUNT=$(ls -la $MINIONDIR/*.sls | grep -v adv_ | wc -l) } set_os() { if [ -f /etc/redhat-release ]; then if grep -q "Rocky Linux release 9" /etc/redhat-release; then OS=rocky OSVER=9 is_rocky=true elif grep -q "CentOS Stream release 9" /etc/redhat-release; then OS=centos OSVER=9 is_centos=true fi cron_service_name="crond" else OS=ubuntu is_ubuntu=true cron_service_name="cron" fi } set_minionid() { MINIONID=$(lookup_grain id) } set_palette() { if [[ $is_deb ]]; then update-alternatives --set newt-palette /etc/newt/palette.original fi } set_version() { CURRENTVERSION=0.0.0 if [ -f /etc/soversion ]; then CURRENTVERSION=$(cat /etc/soversion) fi if [ -z "$VERSION" ]; then if [ -z "$NEWVERSION" ]; then if [ "$CURRENTVERSION" == "0.0.0" ]; then echo "ERROR: Unable to detect Security Onion version; terminating script." exit 1 else VERSION=$CURRENTVERSION fi else VERSION="$NEWVERSION" fi fi } systemctl_func() { local action=$1 local echo_action=$1 local service_name=$2 if [[ "$echo_action" == "stop" ]]; then echo_action="stopp" fi echo "" echo "${echo_action^}ing $service_name service at $(date +"%T.%6N")" systemctl $action $service_name && echo "Successfully ${echo_action}ed $service_name." || echo "Failed to $action $service_name." echo "" } has_uppercase() { local string=$1 echo "$string" | grep -qP '[A-Z]' \ && return 0 \ || return 1 } update_elastic_agent() { echo "Checking if Elastic Agent update is necessary..." download_and_verify "$ELASTIC_AGENT_URL" "$ELASTIC_AGENT_MD5_URL" "$ELASTIC_AGENT_FILE" "$ELASTIC_AGENT_MD5" "$ELASTIC_AGENT_EXPANSION_DIR" } valid_cidr() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 valid_ip4_cidr_mask "$1" && return 0 || return 1 local cidr="$1" local ip ip=$(echo "$cidr" | sed 's/\/.*//' ) if valid_ip4 "$ip"; then local ip1 ip2 ip3 ip4 N IFS="./" read -r ip1 ip2 ip3 ip4 N <<< "$cidr" ip_total=$((ip1 * 256 ** 3 + ip2 * 256 ** 2 + ip3 * 256 + ip4)) [[ $((ip_total % 2**(32-N))) == 0 ]] && return 0 || return 1 else return 1 fi } valid_cidr_list() { local all_valid=0 IFS="," read -r -a net_arr <<< "$1" for net in "${net_arr[@]}"; do valid_cidr "$net" || all_valid=1 done return $all_valid } valid_dns_list() { local all_valid=0 IFS="," read -r -a dns_arr <<< "$1" for addr in "${dns_arr[@]}"; do valid_ip4 "$addr" || all_valid=1 done return $all_valid } valid_fqdn() { local fqdn=$1 echo "$fqdn" | grep -qP '(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{0,62}[a-zA-Z0-9]\.)+[a-zA-Z]{2,63}$)' \ && return 0 \ || return 1 } valid_hostname() { local hostname=$1 [[ $hostname =~ ^[a-zA-Z0-9\-]+$ ]] && [[ $hostname != 'localhost' ]] && return 0 || return 1 } verify_ip4() { local ip=$1 # Is this an IP or CIDR? if grep -qP "^[^/]+/[^/]+$" <<< $ip; then # Looks like a CIDR valid_ip4_cidr_mask "$ip" else # We know this is not a CIDR - Is it an IP? valid_ip4 "$ip" fi } valid_ip4() { local ip=$1 echo "$ip" | grep -qP '^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$' && return 0 || return 1 } valid_ip4_cidr_mask() { # Verify there is a backslash in the string echo "$1" | grep -qP "^[^/]+/[^/]+$" || return 1 local cidr local ip cidr=$(echo "$1" | sed 's/.*\///') ip=$(echo "$1" | sed 's/\/.*//' ) if valid_ip4 "$ip"; then [[ $cidr =~ ^([0-9]|[1-2][0-9]|3[0-2])$ ]] && return 0 || return 1 else return 1 fi } valid_int() { local num=$1 local min=${2:-1} local max=${3:-1000000000} [[ $num =~ ^[0-9]*$ ]] && [[ $num -ge $min ]] && [[ $num -le $max ]] && return 0 || return 1 } # {% raw %} valid_proxy() { local proxy=$1 local url_prefixes=( 'http://' 'https://' ) local has_prefix=false for prefix in "${url_prefixes[@]}"; do echo "$proxy" | grep -q "$prefix" && has_prefix=true && proxy=${proxy#"$prefix"} && break done local url_arr mapfile -t url_arr <<< "$(echo "$proxy" | tr ":" "\n")" local valid_url=true if ! valid_ip4 "${url_arr[0]}" && ! valid_fqdn "${url_arr[0]}" && ! valid_hostname "${url_arr[0]}"; then valid_url=false fi [[ $has_prefix == true ]] && [[ $valid_url == true ]] && return 0 || return 1 } valid_ntp_list() { local string=$1 local ntp_arr IFS="," read -r -a ntp_arr <<< "$string" for ntp in "${ntp_arr[@]}"; do if ! valid_ip4 "$ntp" && ! valid_hostname "$ntp" && ! valid_fqdn "$ntp"; then return 1 fi done return 0 } valid_string() { local str=$1 local min_length=${2:-1} local max_length=${3:-64} echo "$str" | grep -qP '^\S+$' && [[ ${#str} -ge $min_length ]] && [[ ${#str} -le $max_length ]] && return 0 || return 1 } # {% endraw %} valid_username() { local user=$1 echo "$user" | grep -qP '^[a-z_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$)$' && return 0 || return 1 } verify_md5_checksum() { data_file=$1 md5_file=${2:-${data_file}.md5} if [[ ! -f "$dest_file" || ! -f "$md5_file" ]]; then return 2 fi SOURCEHASH=$(md5sum "$data_file" | awk '{ print $1 }') HASH=$(cat "$md5_file") if [[ "$HASH" == "$SOURCEHASH" ]]; then return 0 fi return 1 } wait_for_web_response() { url=$1 expected=$2 maxAttempts=${3:-300} curlcmd=${4:-curl} logfile=/root/wait_for_web_response.log truncate -s 0 "$logfile" attempt=0 while [[ $attempt -lt $maxAttempts ]]; do attempt=$((attempt+1)) echo "Waiting for value '$expected' at '$url' ($attempt/$maxAttempts)" result=$($curlcmd -ks -L $url) exitcode=$? echo "--------------------------------------------------" >> $logfile echo "$(date) - Checking web URL: $url ($attempt/$maxAttempts)" >> $logfile echo "$result" >> $logfile echo "exit code=$exitcode" >> $logfile echo "" >> $logfile if [[ $exitcode -eq 0 && "$result" =~ $expected ]]; then echo "Received expected response; proceeding." return 0 fi echo "Server is not ready" sleep 1 done echo "Server still not ready after $maxAttempts attempts; giving up." return 1 }