CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
7d6f8d922b695b2899f0d73c6b61373bfe7d4cf2
securityonion/setup/so-setup
Jason Ertel b99c7ce76e improve verbosity of setup logs
2023-11-06 11:22:35 -05:00

819 lines
22 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Copyright Security Onion Solutions LLC and/or licensed to Security Onion Solutions LLC under one
# or more contributor license agreements. Licensed under the Elastic License 2.0 as shown at
# https://securityonion.net/license; you may not use this file except in compliance with the
# Elastic License 2.0.
# Make sure you are root before doing anything
uid="$(id -u)"
if [ "$uid" -ne 0 ]; then
echo "This script must be run using sudo!"
fail_setup
fi
# Save the original argument array since we modify it
original_args=("$@")
cd "$(dirname "$0")" || fail_setup
echo "Getting started..."
# Source the generic function libraries that are also used by the product after
# setup. These functions are intended to be reusable outside of the setup process.
source ../salt/common/tools/sbin/so-common
source ../salt/common/tools/sbin/so-image-common
# Setup bash functionality is divided into functions and user-facing prompts.
# Do not attempt to re-use any of this functionality outside of setup. Instead,
# if needed, migrated generic functions into so-common.
source ./so-functions
source ./so-whiptail
# Finally, source the default variable definitions, which require availability of
# functions sourced above.
source ./so-variables
# Parse command line arguments
setup_type=$1
test_profile=$2
WHATWOULDYOUSAYYAHDOHERE=setup
while [[ $# -gt 0 ]]; do
arg="$1"
shift
case "$arg" in
"--turbo="* )
export TURBO="http://${arg#*=}";;
"--proxy="* )
export {http,https,ftp,rsync,all}_proxy="${arg#*=}";;
"--allow-cidr="* )
export ALLOW_CIDR="${arg#*=}";;
* )
if [[ "$arg" == "--"* ]]; then
echo "Invalid option"
fi
esac
done
set_timezone
# Preserve old setup/error logs
[ -f "$error_log" ] && mv "$error_log" "$error_log.$(date +%Y-%m-%dT%H:%M:%S)"
[ -f "$setup_log" ] && mv "$setup_log" "$setup_log.$(date +%Y-%m-%dT%H:%M:%S)"
# Let's see what OS we are dealing with here
detect_os
# Ubuntu/Debian whiptail pallete to make it look the same as CentOS and Rocky.
set_palette >> $setup_log 2>&1
if [[ $not_supported ]] && [ -z "$test_profile" ]; then
if [[ "$OSVER" == "focal" ]]; then
if (whiptail_focal_warning); then
true
else
info "User cancelled setup."
whiptail_cancel
fi
else
if (whiptail_unsupported_os_warning); then
true
else
info "User cancelled setup."
whiptail_cancel
fi
fi
fi
# we need to upgrade packages on debian prior to install and reboot if there are due to iptables-restore not running properly
# if packages are updated and the box isn't rebooted
if [[ $is_debian ]]; then
update_packages
if [[ -f "/var/run/reboot-required" ]] && [ -z "$test_profile" ]; then
whiptail_debian_reboot_required
reboot
fi
fi
# Check to see if this is the setup type of "desktop".
is_desktop=
if [ "$setup_type" = 'desktop' ]; then
is_desktop=true
# Check to see if this is an ISO. Usually this dir on exists on ISO installs.
if [ -d /root/SecurityOnion ]; then
is_desktop_iso=true
install_type='DESKTOP'
fi
fi
# Make sure if ISO is specified that we are dealing with CentOS or Rocky
title "Detecting if this is an ISO install"
if [[ "$setup_type" == 'iso' ]]; then
if [[ $is_rpm ]]; then
is_iso=true
else
echo "Only use 'so-setup iso' for an ISO install on Security Onion ISO images. Please run 'so-setup network' instead."
fail_setup
fi
fi
if ! [ -f $install_opt_file ] && [ -d /root/manager_setup/securityonion ] && [[ $(pwd) != /root/manager_setup/securityonion/setup ]]; then
exec bash /root/manager_setup/securityonion/setup/so-setup "${original_args[@]}"
fi
title "Checking to see if install has run before"
if [[ -f /root/accept_changes ]]; then
is_reinstall=true
whiptail_reinstall
info "Old setup detected. Preparing for reinstallation."
reinstall_init
reset_proxy
fi
title "Parsing Username for Install"
parse_install_username
if ! [ -f $install_opt_file ]; then
# Begin Installation pre-processing
title "Initializing Setup"
info "Installing as the $INSTALLUSERNAME user"
analyze_system
fi
# Set up handler for setup to exit early (use `kill -SIGUSR1 "$setup_proc"; exit 1` in child scripts)
trap 'catch $LINENO' SIGUSR1
setup_proc="$$"
catch() {
info "Fatal error occurred at $1 in so-setup, failing setup."
grep --color=never "ERROR" "$setup_log" > "$error_log"
whiptail_setup_failed
fail_setup
}
# Add the progress function for manager node type installs
progress() {
local msg=${1:-'Please wait while installing...'}
if [ -z "$TESTING" ]; then
whiptail --title "$whiptail_title" --gauge "$msg" 6 70 0 # append to text
else
cat >> $setup_log 2>&1
fi
}
if [ -n "$test_profile" ]; then
install_type="$(echo $test_profile |awk -F- '{print $1}')"
if [[ "$install_type" == "distributed" ]]; then
install_type=MANAGER
else
install_type=${install_type^^}
fi
# The below settings are hardcoded purely for automated testing purposes.
TESTING=true
if [[ "$test_profile" =~ "-sensor" ]]; then
install_type=SENSOR
HOSTNAME=sensor
MSRVIP_OFFSET=-2
elif [[ "$test_profile" =~ "-search" ]]; then
install_type=SEARCHNODE
HOSTNAME=search
MSRVIP_OFFSET=-1
elif [[ "$test_profile" =~ "-managersearch" ]]; then
install_type=MANAGERSEARCH
HOSTNAME=manager
elif [[ "$test_profile" =~ "-heavynode" ]]; then
install_type=HEAVYNODE
HOSTNAME=sensor
MSRVIP_OFFSET=-1
elif [[ "$test_profile" =~ "-desktop" ]]; then
install_type=DESKTOP
MSRVIP_OFFSET=-3
is_desktop_grid=true
elif [[ "$test_profile" =~ "-idh" ]]; then
install_type=IDH
HOSTNAME=idh
MSRVIP_OFFSET=-4
elif [[ "$test_profile" =~ "-receiver" ]]; then
install_type=RECEIVER
HOSTNAME=receiver
MSRVIP_OFFSET=-5
elif [[ "$test_profile" =~ "-fleet" ]]; then
install_type=FLEET
HOSTNAME=fleet
MSRVIP_OFFSET=-6
else
HOSTNAME=manager
fi
if [[ "$install_type" =~ "DESKTOP" ]]; then
is_desktop=true
HOSTNAME=desktop
if [[ -z "$is_desktop_grid" ]]; then
is_desktop_grid=false
fi
fi
info "Activating test profile; profile=$test_profile; install_type=$install_type"
MINION_CIDR=10.0.0.0/8
MSRV=manager
if [[ "$test_profile" =~ "-net" ]] || [[ "$test_profile" =~ "-iso" ]]; then
address_type=DHCP
elif [[ "$test_profile" =~ "-cloud" ]]; then
MSRVIP=10.99.1.20
elif [[ "$test_profile" =~ "-airgap" ]]; then
is_airgap=true
address_type=DHCP
fi
if [ -f "/root/public_ip" ]; then
REDIRECTHOST=$(cat /root/public_ip)
REDIRECTINFO=OTHER
else
REDIRECTINFO=IP
fi
ALLOW_CIDR=0.0.0.0/0
nic_list=$(ls -1 /sys/class/net | grep -v docker | grep -v lo)
MNIC=$(echo "$nic_list" | head -1)
BNICS=$(echo "$nic_list" | head -2 | tail -1)
WEBUSER=onionuser@somewhere.invalid
WEBPASSWD1=0n10nus3r
WEBPASSWD2=0n10nus3r
update_sudoers_for_testing
fi
# Make sure the setup type is suppoted.
case "$setup_type" in
iso | network | desktop) # Accepted values
info "Beginning Security Onion $setup_type install"
;;
*)
error "Invalid install type, must be 'iso', 'network' or 'desktop'."
fail_setup
;;
esac
# Allow execution of SO tools during setup
local_sbin="$(pwd)/../salt/common/tools/sbin"
manager_sbin="$(pwd)/../salt/manager/tools/sbin"
export PATH=$PATH:$local_sbin:$manager_sbin
# Kernel messages can overwrite whiptail screen #812
# https://github.com/Security-Onion-Solutions/securityonion/issues/812
dmesg -D
# Kernel consoleblank is causing whiptail progress screen to appear to hang #1084
# https://github.com/Security-Onion-Solutions/securityonion/issues/1084
if [ -z "$TESTING" ]; then
TTY=$(tty)
info "Setup is running on TTY $TTY"
if echo $TTY | grep -q "/dev/tty"; then
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
info "Kernel consoleblank value before: $CONSOLEBLANK"
if [ $CONSOLEBLANK -gt 0 ]; then
info "Running 'setterm -blank 0' for TTY $TTY"
TERM=linux setterm -blank 0 >$TTY <$TTY
CONSOLEBLANK=$(cat /sys/module/kernel/parameters/consoleblank)
info "Kernel consoleblank value after: $CONSOLEBLANK"
fi
fi
fi
# Begin prompting the user with whiptail.
if ! [[ -f $install_opt_file ]]; then
if (whiptail_you_sure); then
true
else
info "User cancelled setup."
whiptail_cancel
fi
# If this is an desktop install lets streamline the process.
if [[ $is_desktop ]]; then
# Prompt for hostname
collect_hostname
if [[ $is_desktop_iso ]]; then
# Prompt Network Setup
whiptail_management_nic
whiptail_dhcp_or_static
if [ "$address_type" != 'DHCP' ]; then
collect_int_ip_mask
collect_gateway
collect_dns
collect_dns_domain
fi
fi
if [[ ! $is_desktop_iso ]]; then
# This should be a network install
whiptail_network_notice
# Warn about the dangers of DHCP
whiptail_dhcp_warn
whiptail_management_nic
fi
# Initializing the network based on the previous information
network_init
printf '%s\n' \
"MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file"
set_main_ip
compare_main_nic_ip
fi
if [[ $setup_type == 'iso' ]] && [ -z "$TESTING" ]; then
whiptail_first_menu_iso
if [[ $option == "CONFIGURENETWORK" ]]; then
collect_hostname
network_init_whiptail
network_init
printf '%s\n' \
"MNIC=$MNIC" \
"HOSTNAME=$HOSTNAME" > "$net_init_file"
set_main_ip
compare_main_nic_ip
whiptail_net_setup_complete
else
true
fi
fi
if [[ ! $is_desktop ]]; then
whiptail_install_type
fi
else
source $install_opt_file
fi
# Process the install type
process_installtype
# Check to see if this is an desktop install. If it is let's run things differently
if [[ $is_desktop ]]; then
title "This is a desktop install"
# Make sure it's oracle
if [[ $is_oracle ]]; then
info "Security Onion Desktop is supported on this OS."
else
info "Security Onion Desktop is not supported on this OS."
exit 1
fi
whiptail_desktop_install
if ! $is_desktop_grid; then
if [[ $is_desktop_iso ]]; then
if whiptail_desktop_nongrid_iso; then
# Remove setup from auto launching
parse_install_username
sed -i '$ d' /home/$INSTALLUSERNAME/.bash_profile >> "$setup_log" 2>&1
securityonion_repo
info "Enabling graphical interface and setting it to load at boot"
systemctl set-default graphical.target
info "Setting desktop background"
set_desktop_background
echo "Desktop Install Complete!"
echo ""
echo "Please reboot to start graphical interface."
exit 0
else
# Abort!
exit 0
fi
else
if whiptail_desktop_nongrid_network; then
networking_needful
info ""
info ""
info "Kicking off the automated setup of the Security Onion Desktop. This can take a while depending on your network connection."
info ""
info ""
desktop_salt_local
else
# Abort!
exit 0
fi
fi
fi
# If you got this far then you want to join the grid
is_minion=true
fi
# If this is not an automated install prompt
if ! [[ -f $install_opt_file ]]; then
# If you are a manager ask ALL the manager things here. I know there is code re-use but this makes it easier to add new roles
if [[ $is_eval ]]; then
info "Setting up as node type eval"
# waitforstate means we will run the full salt state at the end. This is for only nodes running the salt-master service
waitforstate=true
# Does this role have monitoring interfaces?
monints=true
# Prompt the user to accept the elastic license
check_elastic_license
# If it is an install from ISO is this airgap?
[[ $is_iso ]] && whiptail_airgap
# Make sure minimum requirements are met
check_requirements
# Do networking things
networking_needful
# Do we need a proxy?
[[ ! $is_airgap ]] && collect_net_method
# Do we need to change the dockernet subnet?
collect_dockernet
# Are we in the clouds?
[[ ! $is_airgap ]] && detect_cloud
# Sets some minion info
set_minion_info
set_default_log_size >> $setup_log 2>&1
info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf
set_network_dev_status_list
# What NIC for watching network traffic?
whiptail_sensor_nics
# How many cores do we have?
calculate_useable_cores
# What is the web user?
collect_webuser_inputs
# How are we accessing the UI?
get_redirect
# Does the user want to allow access to the UI?
collect_so_allow
whiptail_end_settings
elif [[ $is_standalone ]]; then
waitforstate=true
monints=true
check_elastic_license
[[ $is_iso ]] && whiptail_airgap
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
[[ ! $is_airgap ]] && detect_cloud
set_minion_info
set_default_log_size >> $setup_log 2>&1
info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf
set_network_dev_status_list
whiptail_sensor_nics
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_so_allow
whiptail_end_settings
elif [[ $is_manager ]]; then
info "Setting up as node type manager"
check_elastic_license
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
[[ ! $is_airgap ]] && detect_cloud
set_minion_info
set_default_log_size >> $setup_log 2>&1
info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf
set_network_dev_status_list
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_so_allow
whiptail_end_settings
elif [[ $is_managersearch ]]; then
info "Setting up as node type managersearch"
check_elastic_license
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_requirements
networking_needful
[[ ! $is_airgap ]] && collect_net_method
collect_dockernet
[[ ! $is_airgap ]] && detect_cloud
set_minion_info
set_default_log_size >> $setup_log 2>&1
info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf
set_network_dev_status_list
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_so_allow
whiptail_end_settings
elif [[ $is_sensor ]]; then
info "Setting up as node type sensor"
monints=true
check_requirements
calculate_useable_cores
networking_needful
check_network_manager_conf
set_network_dev_status_list
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
detect_cloud
whiptail_sensor_nics
set_minion_info
whiptail_end_settings
elif [[ $is_fleet ]]; then
info "Setting up as node type fleet"
check_requirements
networking_needful
check_network_manager_conf
set_network_dev_status_list
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
detect_cloud
set_minion_info
whiptail_end_settings
elif [[ $is_searchnode ]]; then
info "Setting up as node type searchnode"
check_requirements
networking_needful
check_network_manager_conf
set_network_dev_status_list
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
detect_cloud
set_minion_info
whiptail_end_settings
elif [[ $is_heavynode ]]; then
info "Setting up as node type heavynode"
monints=true
check_requirements
calculate_useable_cores
networking_needful
check_network_manager_conf
set_network_dev_status_list
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
detect_cloud
whiptail_sensor_nics
set_minion_info
whiptail_end_settings
elif [[ $is_idh ]]; then
info "Setting up as node type idh"
check_requirements
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
collect_idh_preferences
set_minion_info
whiptail_end_settings
elif [[ $is_import ]]; then
info "Setting up as node type import"
waitforstate=true
[[ $is_iso ]] && whiptail_airgap
check_elastic_license
check_requirements
networking_needful
[[ ! $is_airgap ]] && detect_cloud
collect_dockernet
[[ ! $is_airgap ]] && collect_net_method
set_minion_info
set_default_log_size >> $setup_log 2>&1
info "Verifying all network devices are managed by Network Manager that should be"
check_network_manager_conf
set_network_dev_status_list
calculate_useable_cores
collect_webuser_inputs
get_redirect
collect_so_allow
whiptail_end_settings
elif [[ $is_receiver ]]; then
info "Setting up as node type receiver"
check_requirements
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
set_minion_info
whiptail_end_settings
# desktop install will only get this far if joining the grid
elif [[ $is_desktop ]]; then
info "Setting up as node type desktop"
networking_needful
collect_mngr_hostname
add_mngr_ip_to_hosts
check_manager_connection
set_minion_info
whiptail_end_settings
fi
if [[ $waitforstate ]]; then
touch /root/accept_changes
touch /etc/sohotfix
make_some_dirs
percentage=0
es_heapsize
ls_heapsize
if [[ $needs_proxy ]]; then
set_proxy
fi
set_redirect
if [[ $monints ]]; then
# Generate Interface Vars
generate_interface_vars
configure_network_sensor
fi
info "Reserving ports"
reserve_ports
info "Setting Paths"
# Set the paths
set_path
echo "Disable auto start of setup"
# Disable the setup from prompting at login
disable_auto_start
info "Setting the version"
# Set the version
mark_version
info "Clearing the old manager"
# Remove old manager if re-install
clear_manager
info "Generating Secrets"
# Generate passwords
generate_passwords
info "Populating the secrets pillar"
# Create the secrets pillar
secrets_pillar
info "Add socore user"
# Add the socore user
add_socore_user_manager
create_local_directories
setup_salt_master_dirs
create_manager_pillars
info "Generating the minion pillar"
# Create the minion defaults
export NODETYPE=$install_type
export MINION_ID=$MINION_ID
export ES_HEAP_SIZE=$ES_HEAP_SIZE
export MNIC=$MNIC
export NODE_DESCRIPTION=$NODE_DESCRIPTION
export MAINIP=$MAINIP
export PATCHSCHEDULENAME=$PATCHSCHEDULENAME
export INTERFACE=$INTERFACE
if [[ $low_mem == "true" ]]; then
export CORECOUNT=1
else
export CORECOUNT=$lb_procs
fi
export LSHOSTNAME=$HOSTNAME
export LSHEAP=$LS_HEAP_SIZE
export CPUCORES=$num_cpu_cores
logCmd "so-minion -o=setup"
title "Creating Global SLS"
if [[ $is_airgap ]]; then
# Airgap Rules
airgap_rules
fi
manager_pillar
# Set up the repo to point to local file https://access.redhat.com/solutions/1355683
# reposync down the files is network and createrepo if CentOS
# Import the GPG keys
gpg_rpm_import
# Create the local repo and point the box to use the local repo
securityonion_repo
# Update existing packages
update_packages
# Install salt
saltify
# Start the master service
copy_salt_master_config
configure_minion "$minion_type"
check_sos_appliance
logCmd "salt-key -yd $MINION_ID"
sleep 2 # Debug RSA Key format errors
logCmd "salt-call state.show_top"
sleep 2 # Debug RSA Key format errors
logCmd "salt-key -ya $MINION_ID"
logCmd "salt-call saltutil.sync_all"
logCmd "salt-call state.apply common.packages"
logCmd "salt-call state.apply common"
# this will apply the salt.minion state first since salt.master includes salt.minion
logCmd "salt-call state.apply salt.master"
# wait here until we get a response from the salt-master since it may have just restarted
# exit setup after 5-6 minutes of trying
check_salt_master_status || fail "Can't access salt master or it is not ready"
# apply the ca state to create the ca and put it in the mine early in the install
# the minion ip will already be in the mine from configure_minion function in so-functions
generate_ca
# this will also call the ssl state since docker requires the intca
# the salt-minion service will need to be up on the manager to sign requests
generate_ssl
logCmd "salt-call state.apply docker"
firewall_generate_templates
set_initial_firewall_policy
# Download Elastic Agent Artifacts
title "Downloading Elastic Agent Artifacts"
download_elastic_agent_artifacts
logCmd "salt-call state.apply -l info firewall"
# create these so the registry state can add so-registry to /opt/so/conf/so-status/so-status.conf
logCmd "mkdir -p /opt/so/conf/so-status/ "
logCmd "touch /opt/so/conf/so-status/so-status.conf"
title "Importing Registry Docker"
import_registry_docker
title "Applying the registry state"
logCmd "salt-call state.apply -l info registry"
title "Seeding the docker registry"
docker_seed_registry
title "Applying the manager state"
logCmd "salt-call state.apply -l info manager"
logCmd "salt-call state.apply influxdb -l info"
logCmd "salt-call state.highstate -l info"
logCmd "salt-call schedule.disable -linfo --local"
if [[ ! $is_airgap ]]; then
title "Downloading IDS Rules"
logCmd "so-rule-update"
title "Downloading YARA rules"
logCmd "su socore -c '/usr/sbin/so-yara-download'"
if [[ $monints || $is_import ]]; then
title "Restarting Suricata to pick up the new rules"
logCmd "so-suricata-restart"
fi
if [[ $monints ]]; then
title "Restarting Strelka to use new rules"
logCmd "so-strelka-restart"
fi
fi
title "Setting up Kibana Default Space"
logCmd "so-kibana-space-defaults"
add_web_user
info "Restarting SOC to pick up initial user"
logCmd "so-soc-restart"
title "Setting up Elastic Fleet"
logCmd "salt-call state.apply elasticfleet.config"
if ! logCmd so-elastic-fleet-setup; then
error "Failed to run so-elastic-fleet-setup"
fail_setup
fi
if [[ ! $is_import ]]; then
title "Setting up Playbook"
logCmd "so-playbook-reset"
fi
checkin_at_boot
set_initial_firewall_access
logCmd "salt-call schedule.enable -linfo --local"
verify_setup
else
touch /root/accept_changes
mkdir -p /opt/so
es_heapsize
ls_heapsize
generate_interface_vars
if [[ $monints ]]; then
configure_network_sensor
fi
reserve_ports
# Set the version
mark_version
# Disable the setup from prompting at login
disable_auto_start
info "Clearing the old manager"
# Remove old manager if re-install
clear_manager
gpg_rpm_import
securityonion_repo
update_packages
saltify
configure_minion "$minion_type"
check_sos_appliance
drop_install_options
checkin_at_boot
logCmd "salt-call state.apply setup.highstate_cron --local --file-root=../salt/"
verify_setup
fi
# Need to make sure the latest install is located on the web server of the manager to check the versions and download the code if required
fi
Reference in New Issue View Git Blame Copy Permalink