mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 17:22:49 +01:00
1398 lines
39 KiB
Bash
Executable File
1398 lines
39 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright 2014,2015,2016,2017,2018,2019,2020 Security Onion Solutions, LLC
|
|
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
SCRIPTDIR=$(dirname "$0")
|
|
source "$SCRIPTDIR/so-whiptail"
|
|
SOVERSION=1.2.1
|
|
|
|
accept_salt_key_local() {
|
|
echo "Accept the key locally on the master" >> "$SETUPLOG" 2>&1
|
|
# Accept the key locally on the master
|
|
salt-key -ya "$MINION_ID"
|
|
|
|
}
|
|
|
|
accept_salt_key_remote() {
|
|
echo "Accept the key remotely on the master" >> "$SETUPLOG" 2>&1
|
|
# Delete the key just in case.
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -d "$MINION_ID" -y
|
|
salt-call state.apply ca
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo salt-key -a "$MINION_ID" -y
|
|
|
|
}
|
|
|
|
|
|
add_admin_user() {
|
|
# Add an admin user with full sudo rights if this is an ISO install.
|
|
useradd "$ADMINUSER"
|
|
echo "$ADMINUSER":"$ADMINPASS1" | chpasswd --crypt-method=SHA512
|
|
usermod -aG wheel "$ADMINUSER"
|
|
}
|
|
|
|
add_master_hostfile() {
|
|
echo "Checking if I can resolve master. If not add to hosts file" >> "$SETUPLOG" 2>&1
|
|
# Pop up an input to get the IP address
|
|
MSRVIP=$(whiptail --title "Security Onion Setup" --inputbox \
|
|
"Enter your Master Server IP Address" 10 60 X.X.X.X 3>&1 1>&2 2>&3)
|
|
|
|
local exitstatus=$?
|
|
whiptail_check_exitstatus $exitstatus
|
|
}
|
|
|
|
# $1 => username
|
|
# $2 => uid
|
|
# $3 => gid
|
|
# $4 => home dir
|
|
# $5 => create home dir
|
|
# $6 => (optional) password variable
|
|
so_add_user() {
|
|
echo "Add $1 user" >> "$SETUPLOG" 2>&1
|
|
groupadd --gid "$3" "$1"
|
|
|
|
|
|
if [ "$5" = 0 ]; then
|
|
useradd --uid "$2" --gid "$3" --home-dir "$4" --no-create-home "$1"
|
|
else
|
|
useradd --uid "$2" --gid "$3" --home-dir "$4" "$1"
|
|
fi
|
|
|
|
# If a password has been passed in, set the password
|
|
if [ "$6" ]; then
|
|
echo "$1":"$6" | chpasswd --crypt-method=SHA512
|
|
fi
|
|
}
|
|
|
|
add_socore_user_master() {
|
|
so_add_user "socore" "939" "939" "/opt/so" 1
|
|
}
|
|
|
|
add_soremote_user_master() {
|
|
so_add_user "soremote" "947" "947" "/home/soremote" 1 "$SOREMOTEPASS1"
|
|
}
|
|
|
|
add_socore_user_notmaster() {
|
|
so_add_user "soremote" "939" "939" "/opt/so" 0
|
|
}
|
|
|
|
wait_for_identity_db_to_exist() {
|
|
MAXATTEMPTS=30
|
|
attempts=0
|
|
while [[ $attempts -lt $MAXATTEMPTS ]]; do
|
|
# Check and see if the DB file is in there
|
|
if [ -f /opt/so/conf/kratos/db/db.sqlite ]; then
|
|
echo "Database file exists at $(date)"
|
|
return 0
|
|
else
|
|
echo "Identity database does not yet exist; waiting 5 seconds and will check again ($attempts/$MAXATTEMPTS)..."
|
|
sleep 5
|
|
attempts=$((attempts+1))
|
|
fi
|
|
done
|
|
return 1
|
|
}
|
|
|
|
add_web_user() {
|
|
wait_for_identity_db_to_exist
|
|
echo "Attempting to add administrator user for web interface..."
|
|
echo "$WEBPASSWD1" | /usr/sbin/so-user add "$WEBUSER"
|
|
echo "Add user result: $?"
|
|
}
|
|
|
|
# Create an secrets pillar so that passwords survive re-install
|
|
secrets_pillar(){
|
|
if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
|
|
echo "Creating Secrets Pillar" >> "$SETUPLOG" 2>&1
|
|
mkdir -p /opt/so/saltstack/pillar
|
|
printf '%s\n'\
|
|
"secrets:"\
|
|
" mysql: $MYSQLPASS"\
|
|
" fleet: $FLEETPASS"\
|
|
" fleet_jwt: $FLEETJWT"\
|
|
" fleet_enroll-secret: False" >> /opt/so/saltstack/pillar/secrets.sls
|
|
fi
|
|
}
|
|
|
|
# Enable Bro Logs
|
|
bro_logs_enabled() {
|
|
echo "Enabling Bro Logs" >> "$SETUPLOG" 2>&1
|
|
|
|
local brologs_pillar="$SCRIPTDIR/pillar/brologs.sls"
|
|
|
|
printf '%s\n'\
|
|
"brologs:"\
|
|
" enabled:" > "$brologs_pillar"
|
|
|
|
if [ "$MASTERADV" = 'ADVANCED' ]; then
|
|
for BLOG in "${BLOGS[@]}"; do
|
|
echo " - $BLOG" | tr -d '"' >> "$brologs_pillar"
|
|
done
|
|
else
|
|
printf '%s\n'\
|
|
" - conn"\
|
|
" - dce_rpc"\
|
|
" - dhcp"\
|
|
" - dhcpv6"\
|
|
" - dnp3"\
|
|
" - dns"\
|
|
" - dpd"\
|
|
" - files"\
|
|
" - ftp"\
|
|
" - http"\
|
|
" - intel"\
|
|
" - irc"\
|
|
" - kerberos"\
|
|
" - modbus"\
|
|
" - mqtt"\
|
|
" - notice"\
|
|
" - ntlm"\
|
|
" - openvpn"\
|
|
" - pe"\
|
|
" - radius"\
|
|
" - rfb"\
|
|
" - rdp"\
|
|
" - signatures"\
|
|
" - sip"\
|
|
" - smb_files"\
|
|
" - smb_mapping"\
|
|
" - smtp"\
|
|
" - snmp"\
|
|
" - software"\
|
|
" - ssh"\
|
|
" - ssl"\
|
|
" - syslog"\
|
|
" - telnet"\
|
|
" - tunnel"\
|
|
" - weird"\
|
|
" - mysql"\
|
|
" - socks"\
|
|
" - x509" >> "$brologs_pillar"
|
|
fi
|
|
}
|
|
|
|
calculate_useable_cores() {
|
|
|
|
# Calculate reasonable core usage
|
|
local CORES4BRO=$(( CPUCORES/2 - 1 ))
|
|
LBPROCSROUND=$(printf "%.0f\n" $CORES4BRO)
|
|
# We don't want it to be 0
|
|
if [ "$LBPROCSROUND" -lt 1 ]; then
|
|
LBPROCS=1
|
|
else
|
|
LBPROCS=$LBPROCSROUND
|
|
fi
|
|
|
|
}
|
|
|
|
check_admin_pass() {
|
|
check_pass_match "$ADMINPASS1" "$ADMINPASS2" "APMATCH"
|
|
}
|
|
|
|
check_hive_init_then_reboot() {
|
|
WAIT_STEP=0
|
|
MAX_WAIT=100
|
|
|
|
until [ -f /opt/so/state/thehive.txt ] ; do
|
|
WAIT_STEP=$(( WAIT_STEP + 1 ))
|
|
echo "Waiting on the_hive to init ($WAIT_STEP/$MAX_WAIT)..."
|
|
if [ ${WAIT_STEP} -gt ${MAX_WAIT} ]; then
|
|
echo "ERROR: We waited ${MAX_WAIT} seconds but the_hive is not working."
|
|
return 5
|
|
fi
|
|
sleep 1s;
|
|
done
|
|
|
|
docker stop so-thehive
|
|
docker rm so-thehive
|
|
shutdown -r now
|
|
}
|
|
|
|
check_network_manager_conf() {
|
|
local gmdconf="/usr/lib/NetworkManager/conf.d/10-globally-managed-devices.conf"
|
|
local nmconf="/etc/NetworkManager/NetworkManager.conf"
|
|
local preupdir="/etc/NetworkManager/dispatcher.d/pre-up.d"
|
|
|
|
if test -f "$gmdconf"; then
|
|
if ! test -f "${gmdconf}.bak"; then
|
|
{
|
|
mv "$gmdconf" "${gmdconf}.bak"
|
|
touch "$gmdconf"
|
|
systemctl restart NetworkManager
|
|
} >> "$SETUPLOG" 2>&1
|
|
fi
|
|
fi
|
|
|
|
if test -f "$nmconf"; then
|
|
sed -i 's/managed=false/managed=true/g' "$nmconf" >> "$SETUPLOG" 2>&1
|
|
fi
|
|
|
|
if [[ ! -d "$preupdir" ]]; then
|
|
mkdir "$preupdir" >> "$SETUPLOG" 2>&1
|
|
fi
|
|
}
|
|
|
|
# $1 => password
|
|
# $2 => confirm password
|
|
# $3 => variable to set
|
|
check_pass_match() {
|
|
local pass=$1
|
|
local confirm_pass=$2
|
|
local var=$3
|
|
|
|
if [ "$pass" = "$confirm_pass" ]; then
|
|
eval "$var"="\"yes\""
|
|
else
|
|
whiptail_passwords_dont_match
|
|
fi
|
|
}
|
|
|
|
check_soremote_pass() {
|
|
check_pass_match "$SOREMOTEPASS1" "$SOREMOTEPASS2" "SCMATCH"
|
|
}
|
|
|
|
check_web_pass() {
|
|
check_pass_match "$WEBPASSWD1" "$WEBPASSWD2" "WPMATCH"
|
|
}
|
|
|
|
checkin_at_boot() {
|
|
echo "Enabling checkin at boot" >> "$SETUPLOG" 2>&1
|
|
echo "startup_states: highstate" >> /etc/salt/minion
|
|
}
|
|
|
|
chown_salt_master() {
|
|
|
|
echo "Chown the salt dirs on the master for socore" >> "$SETUPLOG" 2>&1
|
|
chown -R socore:socore /opt/so
|
|
|
|
}
|
|
|
|
clear_master() {
|
|
# Clear out the old master public key in case this is a re-install.
|
|
# This only happens if you re-install the master.
|
|
if [ -f /etc/salt/pki/minion/minion_master.pub ]; then
|
|
echo "Clearing old master key" >> "$SETUPLOG" 2>&1
|
|
rm /etc/salt/pki/minion/minion_master.pub
|
|
service salt-minion restart
|
|
fi
|
|
|
|
}
|
|
|
|
collect_webuser_inputs() {
|
|
# Get a password for the web admin user
|
|
local VALIDUSER=no
|
|
while [ $VALIDUSER != yes ]; do
|
|
whiptail_create_web_user
|
|
if so-user valemail "$WEBUSER"; then
|
|
VALIDUSER=yes
|
|
else
|
|
whiptail_invalid_user_warning
|
|
fi
|
|
done
|
|
|
|
WPMATCH=no
|
|
while [ $WPMATCH != yes ]; do
|
|
whiptail_create_web_user_password1
|
|
if echo "$WEBPASSWD1" | so-user valpass; then
|
|
whiptail_create_web_user_password2
|
|
check_web_pass
|
|
else
|
|
whiptail_invalid_pass_warning
|
|
fi
|
|
done
|
|
}
|
|
|
|
# $1 => install type
|
|
configure_minion() {
|
|
local TYPE=$1
|
|
echo "Configuring minion type as $TYPE" >> "$SETUPLOG" 2>&1
|
|
echo "role: so-$TYPE" > /etc/salt/grains
|
|
|
|
local minion_config=/etc/salt/minion
|
|
|
|
echo "id: $MINION_ID" > "$minion_config"
|
|
|
|
case "$TYPE" in
|
|
'helix')
|
|
echo "master: $HOSTNAME" >> "$minion_config"
|
|
;;
|
|
'master' | 'eval' | 'mastersearch')
|
|
printf '%s\n'\
|
|
"master: $HOSTNAME"\
|
|
"mysql.host: '$MAINIP'"\
|
|
"mysql.port: 3306"\
|
|
"mysql.user: 'root'" >> "$minion_config"
|
|
if [ ! -f /opt/so/saltstack/pillar/secrets.sls ]; then
|
|
echo "mysql.pass: '$MYSQLPASS'" >> "$minion_config"
|
|
else
|
|
OLDPASS=$(grep "mysql" /opt/so/saltstack/pillar/secrets.sls | awk '{print $2}')
|
|
echo "mysql.pass: '$OLDPASS'" >> "$minion_config"
|
|
fi
|
|
;;
|
|
*)
|
|
echo "master: $MSRV" >> "$minion_config"
|
|
;;
|
|
esac
|
|
|
|
printf '%s\n'\
|
|
"use_superseded:"\
|
|
" - module.run" >> /etc/salt/minion
|
|
|
|
service salt-minion restart
|
|
|
|
}
|
|
|
|
copy_master_config() {
|
|
|
|
# Copy the master config template to the proper directory
|
|
if [ "$INSTALLMETHOD" = 'iso' ]; then
|
|
cp /root/SecurityOnion/files/master /etc/salt/master
|
|
else
|
|
cp "$SCRIPTDIR"/../files/master /etc/salt/master
|
|
fi
|
|
|
|
# Restart the service so it picks up the changes -TODO Enable service on CentOS
|
|
service salt-master restart
|
|
|
|
}
|
|
|
|
copy_minion_tmp_files() {
|
|
case "$INSTALLTYPE" in
|
|
'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH')
|
|
echo "Copying pillar and salt files in $TMP to /opt/so/saltstack"
|
|
cp -Rv "$TMP"/pillar/ /opt/so/saltstack/ >> "$SETUPLOG" 2>&1
|
|
if [ -d "$TMP"/salt ] ; then
|
|
cp -Rv "$TMP"/salt/ /opt/so/saltstack/ >> "$SETUPLOG" 2>&1
|
|
fi
|
|
;;
|
|
*)
|
|
{
|
|
echo "scp pillar and salt files in $TMP to master /opt/so/saltstack";
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/pillar;
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" mkdir -p /tmp/"$MINION_ID"/schedules;
|
|
scp -prv -i /root/.ssh/so.key "$TMP"/pillar/minions/* soremote@"$MSRV":/tmp/"$MINION_ID"/pillar/;
|
|
scp -prv -i /root/.ssh/so.key "$TMP"/salt/patch/os/schedules/* soremote@"$MSRV":/tmp/"$MINION_ID"/schedules;
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/salt/master/files/add_minion.sh "$MINION_ID";
|
|
} >> "$SETUPLOG" 2>&1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
copy_ssh_key() {
|
|
|
|
echo "Generating SSH key"
|
|
# Generate SSH key
|
|
mkdir -p /root/.ssh
|
|
ssh-keygen -f /root/.ssh/so.key -t rsa -q -N "" < /dev/zero
|
|
chown -R "$SUDO_USER":"$SUDO_USER" /root/.ssh
|
|
echo "Copying the SSH key to the master"
|
|
#Copy the key over to the master
|
|
ssh-copy-id -f -i /root/.ssh/so.key soremote@"$MSRV"
|
|
}
|
|
|
|
|
|
create_sensor_bond() {
|
|
echo "Setting up sensor bond" >> "$SETUPLOG" 2>&1
|
|
|
|
local nic_error=0
|
|
|
|
check_network_manager_conf >> "$SETUPLOG" 2>&1
|
|
|
|
# Set the MTU
|
|
if [[ $NSMSETUP != 'ADVANCED' ]]; then
|
|
MTU=1500
|
|
fi
|
|
|
|
# Create the bond interface only if it doesn't already exist
|
|
if ! [[ $(nmcli -f name,uuid -p con | sed -n 's/bond0 //p' | tr -d ' ') ]]; then
|
|
nmcli con add ifname bond0 con-name "bond0" type bond mode 0 -- \
|
|
ipv4.method disabled \
|
|
ipv6.method ignore \
|
|
ethernet.mtu $MTU \
|
|
connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
|
|
fi
|
|
|
|
|
|
for BNIC in "${BNICS[@]}"; do
|
|
BONDNIC="$(echo -e "${BNIC}" | tr -d '"')" # Strip the quotes from the NIC names
|
|
|
|
# Check if specific offload features are able to be disabled
|
|
for string in "generic-segmentation-offload" "generic-receive-offload" "tcp-segmentation-offload"; do
|
|
if ethtool -k "$BONDNIC" | grep $string | grep -q "on [fixed]"; then
|
|
echo "The hardware or driver for interface ${BONDNIC} is not supported, packet capture may not work as expected." >> "$SETUPLOG" 2>&1
|
|
nic_error=1
|
|
break
|
|
fi
|
|
done
|
|
|
|
# Turn off various offloading settings for the interface
|
|
for i in rx tx sg tso ufo gso gro lro; do
|
|
ethtool -K "$BONDNIC" $i off >> "$SETUPLOG" 2>&1
|
|
done
|
|
|
|
# Check if the bond slave connection has already been created
|
|
if ! [[ $(nmcli -f name,uuid -p con | sed -n "s/bond0-slave-$BONDNIC //p" | tr -d ' ') ]]; then
|
|
# Create the slave interface and assign it to the bond
|
|
nmcli con add type ethernet ifname "$BONDNIC" con-name "bond0-slave-$BONDNIC" master bond0 -- \
|
|
ethernet.mtu $MTU \
|
|
connection.autoconnect "yes" >> "$SETUPLOG" 2>&1
|
|
fi
|
|
|
|
nmcli con up "bond0-slave-$BONDNIC" >> "$SETUPLOG" 2>&1 # Bring the slave interface up
|
|
done
|
|
|
|
if [ $nic_error != 0 ]; then
|
|
return 1
|
|
fi
|
|
}
|
|
|
|
# keep ">> $SETUPLOG" syntax
|
|
detect_os() {
|
|
|
|
# Detect Base OS
|
|
echo "Detecting Base OS" >> "$SETUPLOG" 2>&1
|
|
if [ -f /etc/redhat-release ]; then
|
|
OS=centos
|
|
if grep -q "CentOS Linux release 7" /etc/redhat-release; then
|
|
OSVER=7
|
|
elif grep -q "CentOS Linux release 8" /etc/redhat-release; then
|
|
OSVER=8
|
|
echo "We currently do not support CentOS $OSVER but we are working on it!"
|
|
exit 1
|
|
else
|
|
echo "We do not support the version of CentOS you are trying to use."
|
|
exit 1
|
|
fi
|
|
|
|
# Install bind-utils so the host command exists
|
|
yum -y install bind-utils >> "$SETUPLOG" 2>&1
|
|
|
|
|
|
elif [ -f /etc/os-release ]; then
|
|
OS=ubuntu
|
|
if grep -q "UBUNTU_CODENAME=bionic" /etc/os-release; then
|
|
OSVER=bionic
|
|
elif grep -q "UBUNTU_CODENAME=xenial" /etc/os-release; then
|
|
OSVER=xenial
|
|
else
|
|
echo "We do not support your current version of Ubuntu."
|
|
exit 1
|
|
fi
|
|
# Install network manager so we can do interface stuff
|
|
{
|
|
apt-get install -y network-manager;
|
|
systemctl enable NetworkManager;
|
|
systemctl start NetworkManager;
|
|
} >> "$SETUPLOG" 2<&1
|
|
|
|
else
|
|
echo "We were unable to determine if you are using a supported OS."
|
|
exit 1
|
|
fi
|
|
|
|
echo "Found OS: $OS $OSVER" >> "$SETUPLOG" 2>&1
|
|
|
|
}
|
|
|
|
disable_onion_user() {
|
|
# Disable the default account cause security.
|
|
usermod -L onion
|
|
}
|
|
|
|
disable_misc_network_features() {
|
|
for UNUSED_NIC in "${FNICS[@]}"; do
|
|
# Disable DHCPv4/v6 and autoconnect
|
|
nmcli con mod "$UNUSED_NIC" \
|
|
ipv4.method disabled \
|
|
ipv6.method ignore \
|
|
connection.autoconnect "no" >> "$SETUPLOG" 2>&1
|
|
|
|
# Flush any existing IPs
|
|
ip addr flush "$UNUSED_NIC" >> "$SETUPLOG" 2>&1
|
|
done
|
|
# Disable IPv6
|
|
{
|
|
echo "net.ipv6.conf.all.disable_ipv6 = 1"
|
|
echo "net.ipv6.conf.default.disable_ipv6 = 1"
|
|
echo "net.ipv6.conf.lo.disable_ipv6 = 1"
|
|
} >> /etc/sysctl.conf
|
|
}
|
|
|
|
docker_install() {
|
|
|
|
if [ $OS = 'centos' ]; then
|
|
yum clean expire-cache
|
|
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
|
|
yum -y update
|
|
yum -y install docker-ce
|
|
else
|
|
case "$INSTALLTYPE" in
|
|
'MASTER' | 'EVAL')
|
|
apt-get update >> "$SETUPLOG" 2>&1
|
|
;;
|
|
*)
|
|
{
|
|
apt-key add "$TMP"/gpg/docker.pub;
|
|
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable";
|
|
apt-get update;
|
|
} >> "$SETUPLOG" 2>&1
|
|
;;
|
|
esac
|
|
|
|
if [ $OSVER != "xenial" ]; then
|
|
apt-get -y install docker-ce python3-docker >> "$SETUPLOG" 2>&1
|
|
else
|
|
apt-get -y install docker-ce python-docker >> "$SETUPLOG" 2>&1
|
|
fi
|
|
fi
|
|
docker_registry
|
|
{
|
|
echo "Restarting Docker";
|
|
systemctl restart docker;
|
|
systemctl enable docker;
|
|
} >> "$SETUPLOG" 2>&1
|
|
}
|
|
|
|
docker_registry() {
|
|
|
|
echo "Setting up Docker Registry" >> "$SETUPLOG" 2>&1
|
|
mkdir -p /etc/docker >> "$SETUPLOG" 2>&1
|
|
# Make the host use the master docker registry
|
|
printf '%s\n'\
|
|
"{"\
|
|
" \"registry-mirrors\": [\"https://$MSRV:5000\"]"\
|
|
"}" > /etc/docker/daemon.json
|
|
echo "Docker Registry Setup - Complete" >> "$SETUPLOG" 2>&1
|
|
|
|
}
|
|
docker_seed_registry() {
|
|
local VERSION="HH$SOVERSION"
|
|
|
|
if [ ! -f /nsm/docker-registry/docker/so-dockers-"$VERSION".tar ]; then
|
|
local TRUSTED_CONTAINERS=(\
|
|
"so-core:$VERSION" \
|
|
"so-filebeat:$VERSION" \
|
|
"so-logstash:$VERSION" \
|
|
"so-idstools:$VERSION" \
|
|
"so-redis:$VERSION" \
|
|
"so-steno:$VERSION" \
|
|
"so-suricata:$VERSION" \
|
|
"so-telegraf:$VERSION" \
|
|
"so-zeek:$VERSION"
|
|
)
|
|
if [ "$INSTALLTYPE" != 'HELIXSENSOR' ]; then
|
|
TRUSTED_CONTAINERS=("${TRUSTED_CONTAINERS[@]}" \
|
|
"so-acng:$VERSION" \
|
|
"so-thehive-cortex:$VERSION" \
|
|
"so-curator:$VERSION" \
|
|
"so-domainstats:$VERSION" \
|
|
"so-elastalert:$VERSION" \
|
|
"so-elasticsearch:$VERSION" \
|
|
"so-fleet:$VERSION" \
|
|
"so-fleet-launcher:$VERSION" \
|
|
"so-freqserver:$VERSION" \
|
|
"so-grafana:$VERSION" \
|
|
"so-influxdb:$VERSION" \
|
|
"so-kibana:$VERSION" \
|
|
"so-mysql:$VERSION" \
|
|
"so-navigator:$VERSION" \
|
|
"so-playbook:$VERSION" \
|
|
"so-soc:$VERSION" \
|
|
"so-kratos:$VERSION" \
|
|
"so-soctopus:$VERSION" \
|
|
"so-thehive:$VERSION" \
|
|
"so-thehive-es:$VERSION" \
|
|
"so-wazuh:$VERSION" \
|
|
)
|
|
fi
|
|
for i in "${TRUSTED_CONTAINERS[@]}"; do
|
|
# Pull down the trusted docker image
|
|
echo "Downloading $i"
|
|
docker pull --disable-content-trust=false docker.io/soshybridhunter/"$i"
|
|
# Tag it with the new registry destination
|
|
docker tag soshybridhunter/"$i" "$HOSTNAME":5000/soshybridhunter/"$i"
|
|
docker push "$HOSTNAME":5000/soshybridhunter/"$i"
|
|
done
|
|
|
|
# Prune any images that aren't used by containers
|
|
docker image prune -af
|
|
else
|
|
rm /nsm/docker-registry/docker/so-dockers-$VERSION.tar
|
|
fi
|
|
|
|
}
|
|
|
|
es_heapsize() {
|
|
|
|
# Determine ES Heap Size
|
|
if [ "$TOTAL_MEM" -lt 8000 ] ; then
|
|
ES_HEAP_SIZE="600m"
|
|
elif [ "$TOTAL_MEM" -ge 100000 ]; then
|
|
# Set a max of 25GB for heap size
|
|
# https://www.elastic.co/guide/en/elasticsearch/guide/current/heap-sizing.html
|
|
ES_HEAP_SIZE="25000m"
|
|
else
|
|
# Set heap size to 25% of available memory
|
|
ES_HEAP_SIZE=$(( TOTAL_MEM / 4 ))"m"
|
|
fi
|
|
|
|
}
|
|
|
|
filter_unused_nics() {
|
|
# Set the main NIC as the default grep search string
|
|
local grep_string="$MNIC"
|
|
|
|
# If we call this function and NICs have already been assigned to the bond interface then add them to the grep search string
|
|
if [[ $BNICS ]]; then
|
|
for BONDNIC in "${BNICS[@]}"; do
|
|
grep_string="$grep_string\|$BONDNIC"
|
|
done
|
|
fi
|
|
|
|
# Finally, set FNICS to any NICs we aren't using (and ignore interfaces that aren't of use)
|
|
FNICS=$(ip link | grep -vwe "$grep_string" | awk -F: '$0 !~ "lo|vir|veth|br|docker|wl|^[^0-9]"{print $2}')
|
|
}
|
|
|
|
fireeye_pillar() {
|
|
|
|
local fireeye_pillar_path=/opt/so/saltstack/pillar/fireeye
|
|
mkdir -p "$fireeye_pillar_path"
|
|
|
|
printf '%s\n'\
|
|
"fireeye:"\
|
|
" helix:"\
|
|
" api_key: $HELIXAPIKEY"
|
|
"" > "$fireeye_pillar_path"/init.sls
|
|
|
|
}
|
|
|
|
fleet_pillar() {
|
|
|
|
local pillar_file="$TMP"/pillar/minions/"$MINION_ID".sls
|
|
|
|
# Create the fleet pillar
|
|
printf '%s\n'\
|
|
"fleet:"\
|
|
" mainip: $MAINIP"\
|
|
" master: $MSRV"\
|
|
"" > "$pillar_file"
|
|
}
|
|
|
|
generate_passwords(){
|
|
# Generate Random Passwords for Things
|
|
MYSQLPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
FLEETPASS=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
FLEETJWT=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
HIVEKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
CORTEXKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
CORTEXORGUSERKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
SENSORONIKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
KRATOSKEY=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 20 | head -n 1)
|
|
}
|
|
|
|
get_filesystem_nsm(){
|
|
FSNSM=$(df /nsm | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
|
|
}
|
|
|
|
get_log_size_limit() {
|
|
|
|
local DISK_DIR="/"
|
|
if [ -d /nsm ]; then
|
|
DISK_DIR="/nsm"
|
|
fi
|
|
DISK_SIZE_K=$(df $DISK_DIR |grep -v "^Filesystem" | awk '{print $2}')
|
|
PERCENTAGE=85
|
|
DISK_SIZE=$(( DISK_SIZE_K * 1000 ))
|
|
PERCENTAGE_DISK_SPACE=$(( DISK_SIZE * PERCENTAGE / 100 ))
|
|
LOG_SIZE_LIMIT=$(( PERCENTAGE_DISK_SPACE / 1000000000 ))
|
|
|
|
}
|
|
|
|
get_filesystem_root(){
|
|
FSROOT=$(df / | awk '$3 ~ /[0-9]+/ { print $2 * 1000 }')
|
|
}
|
|
|
|
get_main_ip() {
|
|
|
|
# Get the main IP address the box is using
|
|
|
|
# FIXME: find a way to get the ip of MNIC instead
|
|
|
|
# Add some logic because Bubntu 18.04 like to be different
|
|
if [ $OSVER = 'bionic' ]; then
|
|
MAINIP=$(ip route get 1 | awk '{print $7;exit}')
|
|
else
|
|
MAINIP=$(ip route get 1 | awk '{print $NF;exit}')
|
|
fi
|
|
|
|
# FIXME: should MAININT be MNIC?
|
|
MAININT=$(ip route get 1 | awk '{print $5;exit}')
|
|
|
|
}
|
|
|
|
get_redirect() {
|
|
whiptail_set_redirect_info
|
|
whiptail_set_redirect
|
|
if [ "$REDIRECTINFO" = "OTHER" ]; then
|
|
whiptail_set_redirect_host
|
|
fi
|
|
}
|
|
|
|
got_root() {
|
|
# Make sure you are root
|
|
if [ "$(id -u)" -ne 0 ]; then
|
|
echo "This script must be run using sudo!"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
install_cleanup() {
|
|
|
|
echo "Installer removing the following files:"
|
|
ls -lR "$TMP"
|
|
|
|
# Clean up after ourselves
|
|
rm -rf "$TMP"
|
|
|
|
}
|
|
|
|
install_prep() {
|
|
|
|
# Create a tmp space that isn't in /tmp
|
|
mkdir -p /root/installtmp/pillar/minions
|
|
TMP=/root/installtmp
|
|
|
|
}
|
|
|
|
# TODO: figure out if this is necessary
|
|
install_master() {
|
|
|
|
# Install the salt master package
|
|
if [ $OS != 'centos' ]; then
|
|
if [ $OSVER != "xenial" ]; then
|
|
apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
|
|
apt-mark hold salt-common salt-master salt-minion
|
|
else
|
|
apt-get install -y salt-common=2019.2.3+ds-1 salt-master=2019.2.3+ds-1 salt-minion=2019.2.3+ds-1 libssl-dev python-m2crypto
|
|
apt-mark hold salt-common salt-master salt-minion
|
|
fi
|
|
fi
|
|
|
|
copy_master_config
|
|
|
|
}
|
|
|
|
ls_heapsize() {
|
|
|
|
if [ "$TOTAL_MEM" -ge 32000 ]; then
|
|
LS_HEAP_SIZE='1000m'
|
|
return
|
|
fi
|
|
|
|
case "$INSTALLTYPE" in
|
|
'MASTERSEARCH' | 'HEAVYNODE' | 'HELIXSENSOR')
|
|
LS_HEAP_SIZE='1000m'
|
|
;;
|
|
'EVAL')
|
|
LS_HEAP_SIZE='700m'
|
|
;;
|
|
*)
|
|
LS_HEAP_SIZE='500m'
|
|
;;
|
|
esac
|
|
}
|
|
|
|
master_pillar() {
|
|
|
|
local pillar_file=$TMP/pillar/minions/$MINION_ID.sls
|
|
|
|
# Create the master pillar
|
|
printf '%s\n'\
|
|
"master:"\
|
|
" mainip: $MAINIP"\
|
|
" esheap: $ES_HEAP_SIZE"\
|
|
" esclustername: {{ grains.host }}"\
|
|
" freq: 0"\
|
|
" domainstats: 0" >> "$pillar_file"
|
|
|
|
if [ "$INSTALLTYPE" = 'EVAL' ] || [ "$INSTALLTYPE" = 'HELIXSENSOR' ] || [ "$INSTALLTYPE" = 'MASTERSEARCH' ]; then
|
|
printf '%s\n'\
|
|
" ls_pipeline_batch_size: 125"\
|
|
" ls_input_threads: 1"\
|
|
" ls_batch_count: 125"\
|
|
" mtu: $MTU" >> "$pillar_file"
|
|
fi
|
|
printf '%s\n'\
|
|
" lsheap: $LS_HEAP_SIZE"\
|
|
" lsaccessip: 127.0.0.1"\
|
|
" elastalert: 1"\
|
|
" ls_pipeline_workers: $CPUCORES"\
|
|
" nids_rules: $RULESETUP"\
|
|
" oinkcode: $OINKCODE"\
|
|
" es_port: $NODE_ES_PORT"\
|
|
" log_size_limit: $LOG_SIZE_LIMIT"\
|
|
" cur_close_days: $CURCLOSEDAYS"\
|
|
" grafana: $GRAFANA"\
|
|
" osquery: $OSQUERY"\
|
|
" wazuh: $WAZUH"\
|
|
" thehive: $THEHIVE"\
|
|
" playbook: $PLAYBOOK"\
|
|
" strelka: $STRELKA"\
|
|
""\
|
|
"kratos:" >> "$pillar_file"
|
|
|
|
case $REDIRECTINFO in
|
|
'IP')
|
|
REDIRECTIT="$MAINIP"
|
|
;;
|
|
'HOSTNAME')
|
|
REDIRECTIT=$HOSTNAME
|
|
;;
|
|
*)
|
|
REDIRECTIT="$REDIRECT"
|
|
;;
|
|
esac
|
|
|
|
printf '%s\n'\
|
|
" kratoskey: $KRATOSKEY"\
|
|
" redirect: $REDIRECTIT"\
|
|
"" >> "$pillar_file"
|
|
|
|
|
|
}
|
|
|
|
master_static() {
|
|
local static_pillar="/opt/so/saltstack/pillar/static.sls"
|
|
|
|
# Create a static file for global values
|
|
printf '%s\n'\
|
|
"static:"\
|
|
" soversion: HH$SOVERSION"\
|
|
" hnmaster: $HNMASTER"\
|
|
" ntpserver: $NTPSERVER"\
|
|
" proxy: $PROXY"\
|
|
" broversion: $BROVERSION"\
|
|
" ids: $NIDS"\
|
|
" masterip: $MAINIP"\
|
|
" hiveuser: hiveadmin"\
|
|
" hivepassword: hivechangeme"\
|
|
" hivekey: $HIVEKEY"\
|
|
" cortexuser: cortexadmin"\
|
|
" cortexpassword: cortexchangeme"\
|
|
" cortexkey: $CORTEXKEY"\
|
|
" cortexorgname: SecurityOnion"\
|
|
" cortexorguser: soadmin"\
|
|
" cortexorguserkey: $CORTEXORGUSERKEY"\
|
|
" fleet_master: False"\
|
|
" fleet_node: False"\
|
|
" fleet_packages-timestamp: N/A"\
|
|
" fleet_hostname: N/A"\
|
|
" fleet_ip: N/A"\
|
|
" sensoronikey: $SENSORONIKEY"
|
|
" masterupdate: $MASTERUPDATES" > "$static_pillar"
|
|
echo "elastic:" >> /opt/so/saltstack/pillar/static.sls
|
|
echo " features: False" >> /opt/so/saltstack/pillar/static.sls
|
|
}
|
|
|
|
minio_generate_keys() {
|
|
|
|
local charSet="[:graph:]"
|
|
|
|
ACCESS_KEY=$(tr -cd "$charSet" < /dev/urandom | tr -d \' | tr -d \" | head -c 20)
|
|
ACCESS_SECRET=$(tr -cd "$charSet" < /dev/urandom | tr -d \' | tr -d \" | head -c 40)
|
|
|
|
}
|
|
|
|
network_setup() {
|
|
{
|
|
echo "Finishing up network setup";
|
|
|
|
echo "... Verifying all network devices are managed by Network Manager";
|
|
check_network_manager_conf;
|
|
|
|
echo "... Disabling unused NICs";
|
|
disable_misc_network_features;
|
|
|
|
echo "... Setting ONBOOT for management interface";
|
|
if ! netplan > /dev/null 2>&1; then
|
|
nmcli con mod "$MAININT" connection.autoconnect "yes";
|
|
fi
|
|
|
|
echo "... Copying 99-so-checksum-offload-disable";
|
|
cp "$SCRIPTDIR/install_scripts/99-so-checksum-offload-disable" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable ;
|
|
|
|
echo "... Modifying 99-so-checksum-offload-disable";
|
|
sed -i "s/\$MAININT/${MAININT}/g" /etc/NetworkManager/dispatcher.d/pre-up.d/99-so-checksum-offload-disable;
|
|
} >> "$SETUPLOG" 2>&1
|
|
}
|
|
|
|
node_pillar() {
|
|
|
|
local pillar_file=$TMP/pillar/minions/$MINION_ID.sls
|
|
|
|
# Create the node pillar
|
|
printf '%s\n'\
|
|
"node:"\
|
|
" mainip: $MAINIP"\
|
|
" mainint: $MAININT"\
|
|
" esheap: $NODE_ES_HEAP_SIZE"\
|
|
" esclustername: {{ grains.host }}"\
|
|
" lsheap: $NODE_LS_HEAP_SIZE"\
|
|
" ls_pipeline_workers: $LSPIPELINEWORKERS"\
|
|
" ls_pipeline_batch_size: $LSPIPELINEBATCH"\
|
|
" ls_input_threads: $LSINPUTTHREADS"\
|
|
" ls_batch_count: $LSINPUTBATCHCOUNT"\
|
|
" es_shard_count: $SHARDCOUNT"\
|
|
" node_type: $NODETYPE"\
|
|
" es_port: $NODE_ES_PORT"\
|
|
" log_size_limit: $LOG_SIZE_LIMIT"\
|
|
" cur_close_days: $CURCLOSEDAYS"\
|
|
"" >> "$pillar_file"
|
|
|
|
}
|
|
|
|
patch_pillar() {
|
|
|
|
local pillar_file=$TMP/pillar/minions/$MINION_ID.sls
|
|
|
|
printf '%s\n'\
|
|
""\
|
|
"patch:"\
|
|
" os:"\
|
|
" schedule_name: $PATCHSCHEDULENAME"\
|
|
" enabled: True"\
|
|
" splay: 300"\
|
|
"" >> "$pillar_file"
|
|
|
|
}
|
|
|
|
patch_schedule_os_new() {
|
|
local OSPATCHSCHEDULEDIR="$TMP/salt/patch/os/schedules"
|
|
local OSPATCHSCHEDULE="$OSPATCHSCHEDULEDIR/$PATCHSCHEDULENAME.yml"
|
|
|
|
mkdir -p $OSPATCHSCHEDULEDIR
|
|
|
|
printf '%s\n'\
|
|
"patch:"\
|
|
" os:"\
|
|
" schedule:"> "$OSPATCHSCHEDULE"
|
|
for psd in "${PATCHSCHEDULEDAYS[@]}";do
|
|
psd="${psd//\"/}"
|
|
echo " - $psd:" >> "$OSPATCHSCHEDULE"
|
|
for psh in "${PATCHSCHEDULEHOURS[@]}"
|
|
do
|
|
psh="${psh//\"/}"
|
|
echo " - '$psh'" >> "$OSPATCHSCHEDULE"
|
|
done
|
|
done
|
|
|
|
}
|
|
|
|
reserve_group_ids() {
|
|
# This is a hack to fix CentOS from taking group IDs that we need
|
|
groupadd -g 928 kratos
|
|
groupadd -g 930 elasticsearch
|
|
groupadd -g 931 logstash
|
|
groupadd -g 932 kibana
|
|
groupadd -g 933 elastalert
|
|
groupadd -g 934 curator
|
|
groupadd -g 937 zeek
|
|
groupadd -g 940 suricata
|
|
groupadd -g 941 stenographer
|
|
groupadd -g 945 ossec
|
|
groupadd -g 946 cyberchef
|
|
}
|
|
|
|
saltify() {
|
|
|
|
# Install updates and Salt
|
|
if [ $OS = 'centos' ]; then
|
|
case "$INSTALLTYPE" in
|
|
'MASTER' | 'EVAL' | 'MASTERSEARCH' | 'FLEET') # FIXME: should this be separate?
|
|
yum instal -y mariadb-devel
|
|
;;
|
|
'HELIXSENSOR')
|
|
reserve_group_ids
|
|
yum -y install epel-release
|
|
yum -y install wget https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
|
|
cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-py3-2019-2.repo
|
|
sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-py3-2019-2.repo
|
|
yum -y install sqlite3 argon2 curl jq openssl
|
|
# Download Ubuntu Keys in case master updates = 1
|
|
mkdir -p /opt/so/gpg
|
|
wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/16.04/amd64/latest/SALTSTACK-GPG-KEY.pub
|
|
wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
|
|
wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
|
|
cp "$SCRIPTDIR/yum_repos/wazuh.repo" /etc/yum.repos.d/wazuh.repo
|
|
yum -y install salt-master-2019.2.3
|
|
systemctl enable salt-master
|
|
;;
|
|
*)
|
|
if [ "$MASTERUPDATES" -eq 1 ]; then
|
|
# Create the GPG Public Key for the Salt Repo
|
|
cp "$SCRIPTDIR"/public_keys/salt.pem /etc/pki/rpm-gpg/saltstack-signing-key
|
|
|
|
# Add the Wazuh Key
|
|
cp "$SCRIPTDIR"/public_keys/wazuh.pem /etc/pki/rpm-gpg/GPG-KEY-WAZUH
|
|
|
|
# Copy repo files over
|
|
cp "$SCRIPTDIR"/yum_repos/salt-latest.repo /etc/yum.repos.d/salt-latest.repo
|
|
cp "$SCRIPTDIR"/yum_repos/salt-2019-2.repo /etc/yum.repos.d/salt-2019-2.repo
|
|
else
|
|
yum -y install https://repo.saltstack.com/py3/redhat/salt-py3-repo-latest-2.el7.noarch.rpm
|
|
cp /etc/yum.repos.d/salt-py3-latest.repo /etc/yum.repos.d/salt-2019-2.repo
|
|
sed -i 's/latest/2019.2/g' /etc/yum.repos.d/salt-2019-2.repo
|
|
fi
|
|
;;
|
|
esac
|
|
cp "$SCRIPTDIR/yum_repos/wazuh.repo" /etc/yum.repos.d/wazuh.repo
|
|
yum clean expire-cache
|
|
yum -y install epel-release\
|
|
salt-minion-2019.2.3\
|
|
python3\
|
|
python36-docker\
|
|
python36-dateutil\
|
|
python36-m2crypto\
|
|
python36-mysql\
|
|
yum-utils\
|
|
device-mapper-persistent-data\
|
|
lvm2\
|
|
openssl\
|
|
jq
|
|
yum -y update exclude=salt*
|
|
systemctl enable salt-minion
|
|
echo "exclude=salt*" >> /etc/yum.conf
|
|
else
|
|
DEBIAN_FRONTEND=noninteractive apt-get -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" upgrade
|
|
|
|
if [ $OSVER != "xenial" ]; then
|
|
# Switch to Python 3 as default if this is not xenial
|
|
update-alternatives --install /usr/bin/python python /usr/bin/python3.6 10
|
|
fi
|
|
# Add the pre-requisites for installing docker-ce
|
|
apt-get -y install ca-certificates\
|
|
curl\
|
|
software-properties-common\
|
|
apt-transport-https\
|
|
openssl\
|
|
jq >> "$SETUPLOG" 2>&1
|
|
|
|
# Grab the version from the os-release file
|
|
local ubuntu_version
|
|
ubuntu_version=$(grep VERSION_ID /etc/os-release | awk -F '[ "]' '{print $2}')
|
|
|
|
case "$INSTALLTYPE" in
|
|
'FLEET')
|
|
if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$SETUPLOG" 2>&1; else apt-get -y install python-mysqldb >> "$SETUPLOG" 2>&1; fi
|
|
;;
|
|
'MASTER' | 'EVAL' | 'MASTERSEARCH') # TODO: should this also be HELIXSENSOR?
|
|
if [ "$OSVER" != "xenial" ]; then local py_ver_url_path="/py3"; else local py_ver_url_path="/apt"; fi
|
|
|
|
# Add saltstack repo(s)
|
|
wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/3000/SALTSTACK-GPG-KEY.pub | apt-key add -
|
|
wget --inet4-only -O - https://repo.saltstack.com"$py_ver_url_path"/ubuntu/"$ubuntu_version"/amd64/2019.2/SALTSTACK-GPG-KEY.pub | apt-key add -
|
|
echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/latest $OSVER main" > /etc/apt/sources.list.d/saltstack.list
|
|
echo "deb http://repo.saltstack.com/py3/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack2019.list
|
|
|
|
# Add Docker repo
|
|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
|
|
add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
|
|
|
|
# Get gpg keys
|
|
mkdir -p /opt/so/gpg
|
|
wget --inet4-only -O /opt/so/gpg/SALTSTACK-GPG-KEY.pub https://repo.saltstack.com/apt/ubuntu/"$ubuntu_version"/amd64/latest/SALTSTACK-GPG-KEY.pub
|
|
wget --inet4-only -O /opt/so/gpg/docker.pub https://download.docker.com/linux/ubuntu/gpg
|
|
wget --inet4-only -O /opt/so/gpg/GPG-KEY-WAZUH https://packages.wazuh.com/key/GPG-KEY-WAZUH
|
|
|
|
# Get key and install wazuh
|
|
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
|
|
# Add repo
|
|
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
|
|
# Initialize the new repos
|
|
apt-get update >> "$SETUPLOG" 2>&1
|
|
# FIXME: Install salt-master on Ubuntu?
|
|
apt-get -y install sqlite3 argon2 openssl >> "$SETUPLOG" 2>&1
|
|
if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-mysqldb >> "$SETUPLOG" 2>&1; else apt-get -y install python-mysqldb >> "$SETUPLOG" 2>&1; fi
|
|
;;
|
|
*)
|
|
# Copy down the gpg keys and install them from the master
|
|
mkdir "$TMP"/gpg
|
|
echo "scp the gpg keys and install them from the master"
|
|
scp -v -i /root/.ssh/so.key soremote@"$MSRV":/opt/so/gpg/* "$TMP"/gpg
|
|
echo "Using apt-key add to add SALTSTACK-GPG-KEY.pub and GPG-KEY-WAZUH"
|
|
apt-key add "$TMP"/gpg/SALTSTACK-GPG-KEY.pub
|
|
apt-key add "$TMP"/gpg/GPG-KEY-WAZUH
|
|
echo "deb http://repo.saltstack.com/apt/ubuntu/$ubuntu_version/amd64/2019.2 $OSVER main" > /etc/apt/sources.list.d/saltstack.list
|
|
echo "deb https://packages.wazuh.com/3.x/apt/ stable main" | tee /etc/apt/sources.list.d/wazuh.list
|
|
;;
|
|
esac
|
|
apt-get update >> "$SETUPLOG" 2>&1
|
|
apt-get -y install salt-minion=2019.2.3+ds-1\
|
|
salt-common=2019.2.3+ds-1 >> "$SETUPLOG" 2>&1
|
|
apt-mark hold salt-minion salt-common
|
|
if [ "$OSVER" != 'xenial' ]; then apt-get -y install python3-dateutil python3-m2crypto >> "$SETUPLOG" 2>&1; else apt-get -y install python-dateutil python-m2crypto >> "$SETUPLOG" 2>&1; fi
|
|
fi
|
|
|
|
}
|
|
|
|
salt_checkin() {
|
|
|
|
case "$INSTALLTYPE" in
|
|
'MASTER' | 'EVAL' | 'HELIXSENSOR' | 'MASTERSEARCH') # Fix Mine usage
|
|
{
|
|
echo "Building Certificate Authority";
|
|
salt-call state.apply ca;
|
|
echo " *** Restarting Salt to fix any SSL errors. ***";
|
|
service salt-master restart;
|
|
sleep 5;
|
|
service salt-minion restart;
|
|
sleep 15;
|
|
echo " Applyng a mine hack";
|
|
salt '*' mine.send x509.get_pem_entries glob_path=/etc/pki/ca.crt;
|
|
echo " Applying SSL state";
|
|
salt-call state.apply ssl;
|
|
} >> "$SETUPLOG" 2>&1
|
|
;;
|
|
*)
|
|
salt-call state.apply ca >> "$SETUPLOG" 2>&1
|
|
salt-call state.apply ssl >> "$SETUPLOG" 2>&1
|
|
;;
|
|
esac
|
|
}
|
|
|
|
# FIXME: should this be a function?
|
|
salt_firstcheckin() {
|
|
#First Checkin
|
|
salt-call state.highstate >> "$SETUPLOG" 2>&1
|
|
|
|
}
|
|
|
|
salt_master_directories() {
|
|
# Create salt paster directories
|
|
mkdir -p /opt/so/saltstack/salt
|
|
mkdir -p /opt/so/saltstack/pillar
|
|
|
|
# Copy over the salt code and templates
|
|
if [ "$INSTALLMETHOD" = 'iso' ]; then
|
|
rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/pillar/* /opt/so/saltstack/pillar/
|
|
rsync -avh --exclude 'TRANS.TBL' /home/onion/SecurityOnion/salt/* /opt/so/saltstack/salt/
|
|
else
|
|
cp -R "$SCRIPTDIR"/../pillar/* /opt/so/saltstack/pillar/
|
|
cp -R "$SCRIPTDIR"/../salt/* /opt/so/saltstack/salt/
|
|
fi
|
|
|
|
# FIXME: why is this being done?
|
|
chmod +x /opt/so/saltstack/pillar/firewall/addfirewall.sh
|
|
chmod +x /opt/so/saltstack/pillar/data/addtotab.sh
|
|
|
|
}
|
|
|
|
sensor_pillar() {
|
|
|
|
local pillar_file=$TMP/pillar/minions/$MINION_ID.sls
|
|
|
|
# Create the sensor pillar
|
|
printf '%s\n'\
|
|
"sensor"\
|
|
" interface: bond0"\
|
|
" mainip: $MAINIP"\
|
|
" mainint: $MAININT" > "$pillar_file"
|
|
|
|
if [ "$NSMSETUP" = 'ADVANCED' ]; then
|
|
echo " bro_pins:" >> "$pillar_file"
|
|
for PIN in $BROPINS; do
|
|
PIN=$(echo "$PIN" | cut -d\" -f2)
|
|
echo " - $PIN" >> "$pillar_file"
|
|
done
|
|
echo " suripins:" >> "$pillar_file"
|
|
for SPIN in $SURIPINS; do
|
|
SPIN=$(echo "$SPIN" | cut -d\" -f2)
|
|
echo " - $SPIN" >> "$pillar_file"
|
|
done
|
|
elif [ "$INSTALLTYPE" = 'HELIXSENSOR' ]; then
|
|
echo " bro_lbprocs: $LBPROCS" >> "$pillar_file"
|
|
echo " suriprocs: $LBPROCS" >> "$pillar_file"
|
|
else
|
|
echo " bro_lbprocs: $BASICBRO" >> "$pillar_file"
|
|
echo " suriprocs: $BASICSURI" >> "$pillar_file"
|
|
fi
|
|
printf '%s\n'\
|
|
" brobpf:"\
|
|
" pcapbpf:"\
|
|
" nidsbpf:"\
|
|
" master: $MSRV"\
|
|
" mtu: $MTU"\
|
|
" uniqueid: $(date '+%s')" >> "$pillar_file"
|
|
if [ "$HNSENSOR" != 'inherit' ]; then
|
|
echo " hnsensor: $HNSENSOR" >> "$pillar_file"
|
|
fi
|
|
printf '%s\n'\
|
|
" access_key: $ACCESS_KEY"\
|
|
" access_secret: $ACCESS_SECRET"\
|
|
"" >> "$pillar_file"
|
|
}
|
|
|
|
set_hostname() {
|
|
|
|
set_hostname_iso
|
|
|
|
HOSTNAME=$(cat /etc/hostname)
|
|
if [[ ! $INSTALLTYPE =~ ^(MASTER|EVAL|HELIXSENSOR|MASTERSEARCH)$ ]]; then
|
|
if [[ $TESTHOST = *"not found"* ]] || [ -z "$TESTHOST" ] || [[ $TESTHOST = *"connection timed out"* ]]; then
|
|
if ! grep -q "$MSRVIP" /etc/hosts; then
|
|
echo "$MSRVIP $MSRV" >> /etc/hosts
|
|
fi
|
|
fi
|
|
fi
|
|
|
|
}
|
|
|
|
set_hostname_iso() {
|
|
|
|
hostnamectl set-hostname --static "$HOSTNAME"
|
|
echo "127.0.0.1 $HOSTNAME $HOSTNAME.localdomain localhost localhost.localdomain localhost4 localhost4.localdomain" > /etc/hosts
|
|
echo "::1 $HOSTNAME $HOSTNAME localhost localhost.localdomain localhost6 localhost6.localdomain6" >> /etc/hosts
|
|
echo "$HOSTNAME" > /etc/hostname
|
|
|
|
}
|
|
|
|
set_initial_firewall_policy() {
|
|
|
|
get_main_ip
|
|
|
|
case "$INSTALLTYPE" in
|
|
'MASTER')
|
|
printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls /opt/so/saltstack/pillar/firewall/masterfw.sls
|
|
/opt/so/saltstack/pillar/data/addtotab.sh mastertab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM"
|
|
;;
|
|
'EVAL' | 'MASTERSEARCH')
|
|
printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
|
|
/opt/so/saltstack/pillar/firewall/masterfw.sls\
|
|
/opt/so/saltstack/pillar/firewall/forward_nodes.sls\
|
|
/opt/so/saltstack/pillar/firewall/search_nodes.sls
|
|
case "$INSTALLTYPE" in
|
|
'EVAL')
|
|
/opt/so/saltstack/pillar/data/addtotab.sh evaltab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM" bond0
|
|
;;
|
|
'MASTERSEARCH')
|
|
/opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM"
|
|
;;
|
|
esac
|
|
;;
|
|
'HELIXSENSOR')
|
|
printf " - %s\n" "$MAINIP" | tee /opt/so/saltstack/pillar/firewall/minions.sls\
|
|
/opt/so/saltstack/pillar/firewall/masterfw.sls\
|
|
/opt/so/saltstack/pillar/firewall/forward_nodes.sls
|
|
;;
|
|
'SENSOR' | 'SEARCHNODE' | 'HEAVYNODE' | 'FLEET')
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh minions "$MAINIP"
|
|
case "$INSTALLERTYPE" in
|
|
'SENSOR')
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM" bond0
|
|
;;
|
|
'SEARCHNODE')
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM"
|
|
;;
|
|
'HEAVYNODE')
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh forward_nodes "$MAINIP"
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/firewall/addfirewall.sh search_nodes "$MAINIP"
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh sensorstab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM" bond0
|
|
ssh -i /root/.ssh/so.key soremote@"$MSRV" sudo /opt/so/saltstack/pillar/data/addtotab.sh nodestab "$MINION_ID" "$MAINIP" "$CPUCORES" "$RANDOMUID" "$MAININT" "$FSROOT" "$FSNSM"
|
|
;;
|
|
esac
|
|
;;
|
|
'PARSINGNODE')
|
|
# TODO: implement
|
|
;;
|
|
'HOTNODE')
|
|
# TODO: implement
|
|
;;
|
|
'WARMNODE')
|
|
# TODO: implement
|
|
;;
|
|
esac
|
|
}
|
|
|
|
# Set up the management interface on the ISO
|
|
set_management_interface() {
|
|
|
|
if [ "$ADDRESSTYPE" = 'DHCP' ]; then
|
|
nmcli con mod "$MNIC" connection.autoconnect yes
|
|
nmcli con up "$MNIC"
|
|
else
|
|
# Set Static IP
|
|
nmcli con mod "$MNIC" ipv4.addresses "$MIP"/"$MMASK"\
|
|
ipv4.gateway "$MGATEWAY" \
|
|
ipv4.dns "$MDNS"\
|
|
ipv4.dns-search "$MSEARCH"\
|
|
connection.autoconnect yes\
|
|
ipv4.method manual
|
|
nmcli con up "$MNIC"
|
|
fi
|
|
}
|
|
|
|
set_node_type() {
|
|
|
|
case "$INSTALLTYPE" in
|
|
'SEARCHNODE' | 'EVAL' | 'MASTERSEARCH' | 'HEAVYNODE')
|
|
NODETYPE='search'
|
|
;;
|
|
'PARSINGNODE')
|
|
NODETYPE='parser'
|
|
;;
|
|
'HOTNODE')
|
|
NODETYPE='hot'
|
|
;;
|
|
'WARMNODE')
|
|
NODETYPE='warm'
|
|
;;
|
|
esac
|
|
}
|
|
|
|
set_updates() {
|
|
if [ "$MASTERUPDATES" -eq 1 ]; then
|
|
if [ "$OS" = 'centos' ]; then
|
|
if ! grep -q "$MSRV" /etc/yum.conf; then
|
|
echo "proxy=http://$MSRV:3142" >> /etc/yum.conf
|
|
fi
|
|
else
|
|
# Set it up so the updates roll through the master
|
|
printf '%s\n'\
|
|
"Acquire::http::Proxy \"http://$MSRV:3142\";"\
|
|
"Acquire::https::Proxy \"http://$MSRV:3142\";" > /etc/apt/apt.conf.d/00Proxy
|
|
fi
|
|
fi
|
|
}
|
|
|
|
# FIXME: should this be a function?
|
|
set_version() {
|
|
# Drop a file with the current version
|
|
echo "$SOVERSION" > /etc/soversion
|
|
}
|
|
|
|
update_sudoers() {
|
|
|
|
if ! grep -qE '^soremote\ ALL=\(ALL\)\ NOPASSWD:(\/usr\/bin\/salt\-key|\/opt\/so\/saltstack)' /etc/sudoers; then
|
|
# Update Sudoers so that soremote can accept keys without a password
|
|
echo "soremote ALL=(ALL) NOPASSWD:/usr/bin/salt-key" | tee -a /etc/sudoers
|
|
echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/firewall/addfirewall.sh" | tee -a /etc/sudoers
|
|
echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/pillar/data/addtotab.sh" | tee -a /etc/sudoers
|
|
echo "soremote ALL=(ALL) NOPASSWD:/opt/so/saltstack/salt/master/files/add_minion.sh" | tee -a /etc/sudoers
|
|
else
|
|
echo "User soremote already granted sudo privileges"
|
|
fi
|
|
} |