From e2af836a8f072e8a6dab28952d23448e5bd8aac0 Mon Sep 17 00:00:00 2001 
From: doug Date: Fri, 25 May 2018 12:50:00 -0400 Subject: [PATCH] update for 16.04 --- bin/so-allow-elastic | 203 + bin/so-allow-view | 22 + bin/so-allow-view-iptables | 25 + bin/{sosetup-elsa => sosetup} | 1157 ++-- bin/sosetup-network | 6 +- debian/changelog | 96 + debian/patches/add-back | 97 + ...-OSSEC_AGENT_ENABLED-in-securityonion.conf | 40 + debian/patches/control-salt-with-systemd | 103 + ...-and-move-so-allow-scripts-to-this-package | 309 ++ ...fix-custom-forward-node-and-Elastic-prompt | 227 + debian/patches/fix-references-to-restart | 4705 +++++++++++++++++ debian/patches/fix-sosetup-forward.conf | 36 + ...root-password-not-set,-set-random-password | 53 + debian/patches/more-forward-node-fixes | 203 + debian/patches/remove-old-stuff | 114 + ...round-and-fix-in-onionsalt-package-instead | 46 + debian/patches/series | 16 + debian/patches/set-timezone-using-timedatectl | 55 + debian/patches/streamline-setup | 266 + debian/patches/update-etcsaltminion_id | 35 + ...s-to-new-ethernet-device-naming-convention | 450 ++ .../workaround-bug-in-16.04-salt-package | 38 + debian/postinst | 7 +- share/securityonion/sosetup-elsa.conf | 330 -- share/securityonion/sosetup-forward.conf | 9 +- share/securityonion/sosetup-master.conf | 7 +- share/securityonion/sosetup-storage.conf | 7 +- share/securityonion/sosetup.conf | 7 +- 29 files changed, 7764 insertions(+), 905 deletions(-) create mode 100644 bin/so-allow-elastic create mode 100644 bin/so-allow-view create mode 100644 bin/so-allow-view-iptables rename bin/{sosetup-elsa => sosetup} (74%) mode change 100644 => 100755 create mode 100644 debian/patches/add-back create mode 100644 debian/patches/avoid-duplicating-OSSEC_AGENT_ENABLED-in-securityonion.conf create mode 100644 debian/patches/control-salt-with-systemd create mode 100644 debian/patches/enable-systemd-script-and-move-so-allow-scripts-to-this-package create mode 100644 debian/patches/fix-custom-forward-node-and-Elastic-prompt create mode 100644 
debian/patches/fix-references-to-restart create mode 100644 debian/patches/fix-sosetup-forward.conf create mode 100644 debian/patches/if-mysql-root-password-not-set,-set-random-password create mode 100644 debian/patches/more-forward-node-fixes create mode 100644 debian/patches/remove-old-stuff create mode 100644 debian/patches/remove-salt-workaround-and-fix-in-onionsalt-package-instead create mode 100644 debian/patches/set-timezone-using-timedatectl create mode 100644 debian/patches/streamline-setup create mode 100644 debian/patches/update-etcsaltminion_id create mode 100644 debian/patches/update-sosetup-conf-files-to-new-ethernet-device-naming-convention create mode 100644 debian/patches/workaround-bug-in-16.04-salt-package delete mode 100644 share/securityonion/sosetup-elsa.conf diff --git a/bin/so-allow-elastic b/bin/so-allow-elastic new file mode 100644 index 0000000..e0e7b95 --- /dev/null +++ b/bin/so-allow-elastic 
@@ -0,0 +1,203 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+#########################################
+# function to validate IP address
+#########################################
+is_ip() {
+ case "$*" in
+ ""|*[!0-9.]*) return 1 ;;
+ esac
+ oldIFS=$IFS
+ IFS='.'
+ set -- $*
+ IFS=$oldIFS
+ [ $# -eq 4 ] || return 1
+ for ipseg in $1 $2 $3 $4
+ do
+ case $ipseg in
+ *[!0-9]*) return 1 ;;
+ esac
+ [ $ipseg -le 255 ] || return 1
+ done
+}
+
+is_cidr() {
+ [[ "$1" =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ]] && return 0
+}
+#########################################
+# check for root privileges
+#########################################
+if [[ $(/usr/bin/id -u) -ne 0 ]]; then
+ echo "This script needs to be run as root. Please try again using sudo."
+ exit
+fi
+
+#########################################
+# Prompt user for kind of device
+#########################################
+echo "This program allows you to add a firewall rule to allow connections from a new IP address."
+echo
+echo "What kind of device do you want to allow?"
+echo
+echo "[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp"
+echo "[b] - Logstash Beat - port 5044/tcp"
+echo "[c] - apt-cacher-ng client - port 3142/tcp"
+echo "[f] - Logstash Forwarder - Standard - port 6050/tcp"
+echo "[j] - Logstash Forwarder - JSON - port 6051/tcp "
+echo "[l] - syslog device - port 514"
+echo "[o] - ossec agent - port 1514/udp"
+echo "[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp"
+echo
+echo "If you need to add any ports other than those listed above,"
+echo "you can do so using the standard 'ufw' utility."
+echo
+echo "For more information, please see the Firewall page on our Wiki:"
+echo "https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall"
+
+device="none"
+while [ "$device" = "none" ]; do
+ echo
+ echo "Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor, etc.):"
+ read input
+
+ . /etc/nsm/securityonion.conf
+case $input in
+ a)
+ device="analyst"
+ proto="proto tcp"
+ port="22,443,7734"
+ ;;
+ b)
+ device="Logstash - Beat"
+ category="elastic"
+ proto="tcp"
+ port="5044"
+ ;;
+ c)
+ device="apt-cacher-ng client"
+ proto="proto tcp"
+ port="3142"
+ ;;
+ f)
+ device="Logstash Forwarder"
+ category="elastic"
+ proto="tcp"
+ port="6050"
+ ;;
+ j)
+ device="Logstash Forwarder - JSON"
+ category="elastic"
+ proto="tcp"
+ port="6051"
+ ;;
+ l)
+ device="syslog"
+ proto=""
+ port="514"
+ ;;
+ o)
+ device="ossec agent"
+ proto="proto udp"
+ port="1514"
+ ;;
+ s)
+ device="Security Onion sensor"
+ proto="proto tcp"
+ port="22,4505,4506,7736"
+ ;;
+ status)
+ device=status
+ ;;
+ esac
+done
+
+#########################################
+# Status
+########################################
+if [ "$device" == "status" ]; then
+ /usr/sbin/so-allow-view
+ echo
+ exit 0
+fi
+
+#########################################
+# Prompt user for IP address
+#########################################
+valid="no"
+while [ "$valid" = "no" ]; do
+ echo "Please enter the IP address of the $device you'd like to allow to connect to port(s) $port:"
+ read address
+ # Check if CIDR
+ is_cidr $address && valid="yes"
+ # Check if IP
+ [ $? -ne 0 ] && is_ip $address && valid="yes"
+
+done
+
+#########################################
+# Confirm rule before adding
+#########################################
+echo "We're going to allow connections from $address to port(s) $port."
+echo
+echo "Here's the firewall rule we're about to add:"
+if [[ "$category" == "elastic" ]]; then
+ ufw_after_rules="-I DOCKER-USER ! -i docker0 -o docker0 -s $address -p tcp --dport $port -j ACCEPT"
+ rule="sudo iptables $ufw_after_rules"
+else
+ rule="sudo ufw allow $proto from $address to any port $port"
+fi
+echo $rule
+echo
+
+if [ "$device" == "analyst" ]; then
+ echo "We're also whitelisting $address in /var/ossec/etc/ossec.conf to prevent OSSEC Active Response from blocking it. Keep in mind, the OSSEC server will be restarted once configuration is complete."
+ echo
+fi
+echo "To continue and add this rule, press Enter."
+echo "Otherwise, press Ctrl-c to exit."
+read input
+
+#########################################
+# Run the command to add the firewall rule
+#########################################
+$rule
+
+if [[ "$category" == "elastic" ]]; then
+ # Add rule to /etc/ufw/after.rules
+ sed -i "/so-allow/a $ufw_after_rules" /etc/ufw/after.rules
+fi
+
+echo "Rule has been added."
+echo
+echo "Here is the entire firewall ruleset:"
+echo
+/usr/sbin/so-allow-view
+echo
+
+if [ "$device" == "analyst" ]; then
+ if ! grep -q "$address" /var/ossec/etc/ossec.conf ; then
+ DATE=`date`
+ sed -i 's/<\/ossec_config>//' /var/ossec/etc/ossec.conf
+ sed -i '/^$/N;/^\n$/D' /var/ossec/etc/ossec.conf
+ echo -e "\n \n $address\n \n" >> /var/ossec/etc/ossec.conf
+ echo "Added whitelist entry for $address in /var/ossec/etc/ossec.conf."
+ echo
+ echo "Restarting OSSEC Server..."
+ service ossec-hids-server restart
+ fi
+fi
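Review bot: For the Logstash/Beat devices the rule is persisted with `sed -i "/so-allow/a $ufw_after_rules" /etc/ufw/after.rules`, which silently appends nothing when no line matching `so-allow` exists in that file, so the live `iptables -I DOCKER-USER ...` rule executed via `$rule` disappears on the next `ufw reload` or reboot while the script still prints "Rule has been added." Guard it before `$rule` runs, e.g. `grep -q so-allow /etc/ufw/after.rules || { echo "No so-allow marker in /etc/ufw/after.rules; rule would not persist." >&2; exit 1; }`, and consider an `iptables -C` probe before the `-I` so repeated runs don't stack duplicate copies of the same ACCEPT. Two smaller points in the same hunk: the non-root branch ends in a bare `exit`, which reports success to a caller, so make it `exit 1`; and the OSSEC duplicate test `grep -q "$address"` treats the dotted address as a regex substring, so adding 10.0.0.1 is skipped when 10.0.0.10 is already listed — `grep -qF -- "$address"` is closer to the intent. The XML around `$address` in the `echo -e` whitelist line appears to have been stripped by the page extraction, so I can't verify the tag nesting from here.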
diff --git a/bin/so-allow-view b/bin/so-allow-view
new file mode 100644
index 0000000..253618d
--- /dev/null
+++ b/bin/so-allow-view
@@ -0,0 +1,22 @@
+#!/bin/bash
+#
+# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+. /usr/sbin/so-common
+
+header "UFW Rules"
+ufw status | sed -n '1!p'
+/usr/sbin/so-allow-view-iptables
diff --git a/bin/so-allow-view-iptables b/bin/so-allow-view-iptables
new file mode 100644
index 0000000..f4066f8
--- /dev/null
+++ b/bin/so-allow-view-iptables
@@ -0,0 +1,25 @@ +#!/bin/bash +# +# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +. /usr/sbin/so-common + +header "Docker IPTables Rules" +echo +echo "To Action From" +echo "-- ------ ----" +iptables -vL DOCKER-USER |grep ACCEPT |grep -v "state RELATED,ESTABLISHED" |awk '{print substr($11,5) "/" $4,$7,$3,$6,$8}' +echo diff --git a/bin/sosetup-elsa b/bin/sosetup old mode 100644 new mode 100755 similarity index 74% rename from bin/sosetup-elsa rename to bin/sosetup index f36c841..7090fae --- a/bin/sosetup-elsa +++ b/bin/sosetup @@ -1,6 +1,7 @@ #!/bin/bash # -# Copyright (C) 2010-2016 Doug Burks and Security Onion +# Copyright (C) 2010-2014 Doug Burks +# Copyright (C) 2015-2018 Security Onion Solutions, LLC # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License Version 2 as @@ -32,7 +33,7 @@ IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0. TITLE="Security Onion Setup ($HOSTNAME)" # File locations CONF="/etc/nsm/securityonion.conf" -LOG=`mktemp /tmp/sosetup.log.XXXXXXXXXX` +LOG=`mktemp /tmp/sosetup-elastic.log.XXXXXXXXXX` PP_CONF="/etc/nsm/pulledpork/pulledpork.conf" # URLs ET_URL="rules.emergingthreats.net" 
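Review bot: `iptables -vL DOCKER-USER` is run without `-n`, so iptables tries to reverse-resolve every source address (and may render ports by service name) while listing, which can stall the view on slow DNS and feeds hostnames into the awk fields (`$7`, `substr($11,5)`) that the printed header promises are addresses and numeric ports; use `iptables -vnL DOCKER-USER`. The field positions are also only valid for the exact rule shape written by so-allow-elastic (`! -i docker0 -o docker0 -s ADDR -p tcp --dport PORT -j ACCEPT`), so a hand-added rule in DOCKER-USER prints garbage — a comment above the pipeline such as `# Columns assume the rule layout written by so-allow-elastic; -n keeps addresses/ports numeric` would make that dependency explicit.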
@@ -120,12 +121,11 @@ SOSETUPSCP=`mktemp` SECURITYONION_CONF_MASTER=`mktemp` # CUSTOM gives access to all options CUSTOM=0 -# ELSA is now enabled by default -ELSA="YES" -ELASTIC="NO" +# Elastic is now enabled by default +ELASTIC="yes" # Create /nsm if it doesn't already exist mkdir -p /nsm -# Calculate half of available disk space for ELSA log_size_limit +# Calculate half of available disk space for Elastic logs DISK_SIZE_K=`df /nsm |grep -v "^Filesystem" | awk '{print $2}'` let DISK_SIZE=DISK_SIZE_K*1000 let LOG_SIZE_LIMIT=DISK_SIZE/2 
@@ -137,9 +137,20 @@ TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'` # Make RAM # human readable (GB) HR_MEM=$((TOTAL_MEM / 1000)) # Text for minimum memory check -MEM_TEXT="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 3GB of RAM.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ +MEM_TEXT="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 8GB of RAM.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ Otherwise, click 'Yes' to continue." +# Text for minimum core check +CORE_TEXT="This machine currently has "$CORES" processor core(s) allocated.\n\For best performance, please ensure the machine is allocated at least 2 processor cores.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ +Click 'No' to stop setup and adjust the number of processor cores allocated to this machine.\n\ +Otherwise, click 'Yes' to continue." +ARGS=("$@") +REVERSE_PORT=50000 +DOCKER_INTERFACE="172.18.0.1" +DOCKER_NETWORK="172.18.0.0/24" +LOGSTASH_OUTPUT_REDIS="no" +LOGSTASH_INPUT_REDIS="no" + ######################################### # Debug ######################################### 
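Review bot: `CORE_TEXT` interpolates `$CORES` at assignment, and nothing in this hunk sets `CORES` — only `TOTAL_MEM`/`HR_MEM` are computed above it — so unless `CORES` is assigned earlier in the file (not visible here) the dialog will read "has  processor core(s)" with an empty count; define it next to `TOTAL_MEM`, e.g. `CORES=$(nproc)`, before this text is built. The new `DOCKER_INTERFACE="172.18.0.1"` and `DOCKER_NETWORK="172.18.0.0/24"` are hard-coded; if they end up in firewall or bind configuration (their use is outside this hunk), a one-line comment stating that the Docker network must be created with exactly this subnet, or how the value is derived, would save the next maintainer a debugging round.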
@@ -158,9 +169,18 @@ function ask() { ######################################### # Welcome screen ######################################### -TEXT="Welcome to Security Onion Setup!\n\ +TEXT="Welcome to Security Onion Elastic Setup!\n\ +\n\ +Elastic Setup will configure the following services:\n\ \n\ -This program will allow you to configure Security Onion on $HOSTNAME.\n\ +Elasticsearch\n\ +Logstash\n\ +Kibana\n\ +Squert\n\ +Sguil\n\ +Bro\n\ +Snort/Suricata\n\ +netsniff-ng\n\ \n\ Would you like to continue?" if [ "$WRITEANSWERFILE" ]; then 
@@ -187,44 +207,25 @@ fi ######################################### # sosetup-network ######################################### -if [ -z "$WRITEANSWERFILE" ]; then # Network config not yet supported when generating an answer file -[ -f /usr/sbin/sosetup-network ] && /usr/sbin/sosetup-network -ANSWER="$?" -# If there were errors in sosetup-network, then exit -[ $ANSWER -eq 1 ] && exit +# Network config not yet supported when generating an answer file +if [ -z "$WRITEANSWERFILE" ] && [ "${ARGS[0]}" != "skipnetwork" ] && [ -f /usr/sbin/sosetup-network ]; then + /usr/sbin/sosetup-network + # If there were errors in sosetup-network, then exit + [ $? -eq 1 ] && exit fi ######################################### -# Stable Setup or Experimental Setup +# CHeck hardware requirements ######################################### -if [ -f /usr/sbin/sosetup-elastic ] && [ -d /opt/elastic/src ]; then -TEXT="Elastic Setup or ELSA Setup?\n\ -\n\ -Choosing Elastic Setup will run the Elastic version of Setup.\n\ -This will configure the Elastic stack (Elasticsearch, Logstash, and Kibana).\n\ -If you are unsure, choose Elastic Setup.\n\ -\n\ -Choosing ELSA Setup will run the old ELSA version of Setup.\n\ -Please note that ELSA will reach EOL soon!" -SETUP="" -SETUP=`zenity --list --radiolist \ - --column "1" --column "2" --hide-header --title="$TITLE" \ - TRUE "Elastic Setup" FALSE "ELSA Setup" --text="$TEXT"` -if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi -fi -[ "$SETUP" == "" ] && exit -if [ "$SETUP" == "Elastic Setup" ]; then - ELASTIC="YES" -fi -if [ "$ELASTIC" == "YES" ]; then - /usr/sbin/sosetup-elastic skipnetwork - exit $? + +if [ $TOTAL_MEM -lt 8000 ]; then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap + [ $? = 1 ] && exit 1 + [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." 
fi + +if [ $CORES -lt 2 ]; then zenity --question --title="$TITLE" --text="$CORE_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap + [ $? = 1 ] && exit 1 + [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low core count." fi ######################################### 
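Review bot: After `/usr/sbin/sosetup-network`, `[ $? -eq 1 ] && exit` only recognises an exit status of exactly 1 as failure and then exits with status 0, so a failed network configuration is partly masked and reported as success to whatever launched sosetup; `[ $? -ne 0 ] && exit 1` keeps the intent and matches the `exit 1` the cancelled dialogs in this hunk use. The new `[ $CORES -lt 2 ]` check depends on `CORES` being set before this point, which this hunk does not show; if it is unset, `[` fails with a missing-operand error and the check is silently skipped, whereas `[ "${CORES:-0}" -lt 2 ]` turns that into the visible low-core warning.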
@@ -236,40 +237,24 @@ Evaluation Mode is recommended for first-time users or standalone VMs:\n\ - ideal for quickly evaluating Security Onion\n\ - will automatically configure most details of your system\n\ - configures Snort and Bro to monitor one network interface\n\ -- NOT intended for a production sensor\n\ +- NOT intended for a production deployment\n\ \n\ Production Mode is recommended for production deployments\n\ as it gives you more control over the details of your system\n\ -and allows you to build a distributed sensor network. You choose:\n\ -- Sguil server, Sguil sensor, or both\n\ -- which IDS engine to use (Snort or Suricata)\n\ -- which IDS ruleset(s) to use (Emerging Threats, Snort Subscriber (Talos), or both)\n\ -- how many processes to run for Snort/Suricata/Bro" +and allows you to build a distributed deployment. You choose:\n\ +- build a new master server or connect to an existing master server\n\ +- enable or disable network sensor services\n\ +- store logs locally or forward to master server\n" SETUP="" SETUP=`zenity --list --radiolist \ --column "1" --column "2" --hide-header --title="$TITLE" \ TRUE "Evaluation Mode" FALSE "Production Mode" --text="$TEXT"` -if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi -fi +[ $? = 1 ] && exit 1 + [ "$SETUP" == "" ] && exit [ "$SETUP" == "Production Mode" ] && ADVANCED_SETUP="1" || ADVANCED_SETUP="0" if [ $ADVANCED_SETUP -eq 0 ]; then [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Evaluation Mode." - if [ $TOTAL_MEM -lt 3000 ]; then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." 
- fi if [ $NUM_INTERFACES -gt 1 ]; then TEXT="Which network interface should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your first monitor interface is already selected." INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` 
@@ -295,92 +280,44 @@ if [ $ADVANCED_SETUP -eq 0 ]; then fi SERVER=1 SENSOR=1 - ELSA="YES" + ELASTIC="yes" SERVERNAME="localhost" SENSOR_CONFIRM_1="- Configure Snort and Bro to monitor the following interface:\n" SENSOR_CONFIRM_2="$INTERFACES\n" else [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Production Mode." - # Ask which components to configure - TEXT="If this is the first machine in a distributed deployment, choose Server.\n\ -This machine will only run Sguil, Squert, and ELSA and will not monitor any network interfaces.\n\ + TEXT="Do you want to build a new Security Onion deployment or add to an existing deployment?\n\ \n\ -If this is a sensor for a distributed deployment (you've already installed the Server), choose Sensor.\n\ -You will need to be able to SSH to the existing Server box with an account with sudo privileges.\n\ +If you choose New, this machine will be the master server and will run the Kibana and Squert web interfaces.\n\ \n\ -Otherwise, choose Standalone to configure both Server and Sensor components on this box." - COMPONENTS=`zenity --height=300 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Server FALSE Sensor FALSE Standalone` - case $COMPONENTS in - Standalone) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Standalone." - SERVER=1 - SENSOR=1 - SERVERNAME="localhost" - if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi - ;; - Server) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Server." 
+If you already have a master server, choose Existing.\n\ +You will need to be able to SSH to the existing master server with an account that has sudo privileges.\n" + DEPLOYMENT=`zenity --height=250 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE New FALSE Existing` + case $DEPLOYMENT in + New) + [ $DEBUG -eq 1 ] && echo "DEBUG: Selected New." SERVER=1 - SENSOR=0 SERVERNAME="localhost" IDS_LB_PROCS_CONFIRM="" BRO_LB_PROCS_CONFIRM="" - if [ $TOTAL_MEM -lt 2000 ];then zenity --question --title="$TITLE" --text="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 2GB of RAM.\n\n\Consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ -Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ -Otherwise, click 'Yes' to continue." --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi ;; - Sensor) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Sensor." + Existing) + [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Existing." SERVER=0 - SENSOR=1 - TEXT="What is the hostname or IP address of the master server that this sensor should connect to?" + TEXT="What is the hostname or IP address of the master server that this node should connect to?" SERVERNAME_CONFIRMED="no" - if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." 
- fi while [ $SERVERNAME_CONFIRMED = "no" ]; do SERVERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 # Did the user enter the hostname or IP address of the local box? if [ "$SERVERNAME" = "$HOSTNAME" ]; then zenity --error --title "$TITLE" --text="That is the hostname of this box\!\r \ \r \ -Since you chose a sensor-only installation, the master server should be a separate box." +Since you chose a node installation, the master server should be a separate box." elif [ "$SERVERNAME" = "$IP" ]; then zenity --error --title "$TITLE" --text="That is the IP address of this box\!\r \ \r \ -Since you chose a sensor-only installation, the master server should be a separate box." +Since you chose a node installation, the master server should be a separate box." elif [ "x$SERVERNAME" = "x" ]; then zenity --error --title "$TITLE" --text="No server defined\!\r \ \r \ @@ -390,7 +327,7 @@ Please provide the hostname or IP address of a valid master server." # nc will result in OSSEC Active Response blocking the IP address # nc -vz $SERVERNAME 22 -w 5 2>&1 | grep "succeeded\!" >/dev/null 2>&1 && SERVERNAME_CONFIRMED="yes" # so use ssh instead: - ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes 2>&1 | egrep 'Connection timed out|Could not resolve hostname' >/dev/null 2>&1 || SERVERNAME_CONFIRMED="yes" + ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes 2>&1 | egrep 'Connection timed out|No route to host|Could not resolve hostname' >/dev/null 2>&1 || SERVERNAME_CONFIRMED="yes" [ $DEBUG -eq 1 ] && echo "DEBUG: Hostname/IP set to $SERVERNAME." if [ $SERVERNAME_CONFIRMED = "no" ]; then zenity --error --title "$TITLE" --text="Couldn't connect to $SERVERNAME on port 22\!\r \ 
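Review bot: The reachability probe on the `ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes` line confirms the server whenever ssh's output matches none of the listed patterns, so "Connection refused" (sshd down, or port 22 rejected by a firewall) still sets `SERVERNAME_CONFIRMED="yes"` and the failure only surfaces later in setup; add it alongside the new "No route to host": `egrep 'Connection timed out|Connection refused|No route to host|Could not resolve hostname'`. `$SERVERNAME` is unquoted and comes straight from the dialog, so a value with spaces is word-split and one starting with `-` is parsed as an ssh option; `ssh -o ConnectTimeout=5 -o BatchMode=yes -- "$SERVERNAME"` avoids both. The enclosing while loop continues past the end of the hunk.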
@@ -404,13 +341,7 @@ firewall rules." SENSOR_CONFIRM_3="no" while [[ $SENSOR_CONFIRM_3 = "no" ]]; do SSH_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 if [ x$SSH_USERNAME = "x" ]; then zenity --error --title "$TITLE" --text="No username defined\!\r \ \r\ \ @@ -426,29 +357,8 @@ Please provide a username that can SSH to the master server and execute sudo." ;; esac - TEXT="Best Practices or Custom?\n\ -\n\ -If you'd like to use the Best Practices defaults, please select Best Practices.\n\ -\n\ -If you'd like to see all options, choose Custom." - CUSTOM="" - CUSTOM=`zenity --list --radiolist \ - --column "1" --column "2" --hide-header --title="$TITLE" \ - TRUE "Best Practices" FALSE "Custom" --text="$TEXT"` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - [ "$CUSTOM" == "" ] && exit - [ "$CUSTOM" == "Custom" ] && CUSTOM="1" || CUSTOM="0" - if [ $CUSTOM -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Best Practices." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Custom." - fi + + fi ######################################### 
@@ -457,15 +367,17 @@ fi if [ $SERVER -eq 1 ]; then USERNAME_CONFIRMED="no" while [ $USERNAME_CONFIRMED = "no" ]; do - TEXT="What would you like your Sguil username to be?\r\rThis will be used when logging into Sguil, Squert, and ELSA.\r\rPlease use alphanumeric characters only." + TEXT="Let's create our first user account.\n\ +\n\ +This account will be used when logging into Kibana, Squert, and Sguil.\n\ +\n\ +What would you like the username to be?\n\ +\n\ +Please use alphanumeric characters only.\n\ +\n\ +You can create other usernames later using so-user-add." SGUIL_CLIENT_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 COMPRESSED="$(echo $SGUIL_CLIENT_USERNAME | sed -e 's/[^[:alnum:]]//g')" if [ "$COMPRESSED" != "$SGUIL_CLIENT_USERNAME" ] || [ x$SGUIL_CLIENT_USERNAME = "x" ] ; then zenity --error --title "$TITLE" --text="Invalid username\! \r \ 
@@ -484,33 +396,21 @@ fi if [ $SERVER -eq 1 ]; then SGUIL_CLIENT_PASSWORD_CONFIRMED="no" while [ $SGUIL_CLIENT_PASSWORD_CONFIRMED = "no" ]; do - TEXT="What would you like to set your password to?\n\ + TEXT="Now let's set the password for this first user account.\n\ \n\ -Password must be at least 6 characters.\n\ +This password will be used for Kibana, Squert, and Sguil.\n\ \n\ -This password will be used for Sguil, Squert, and ELSA.\n\ +This password must be at least 6 characters.\n\ \n\ -Once you've logged into these interfaces using this initial password, you can change it in the Sguil client." +You can change this password later in the Sguil client or with so-user-passwd." SGUIL_CLIENT_PASSWORD_1=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 if [ "${#SGUIL_CLIENT_PASSWORD_1}" -lt "6" ]; then zenity --error --title "$TITLE" --text="Password must be at least 6 characters\!" else TEXT="Please confirm what you would like to set your password to." SGUIL_CLIENT_PASSWORD_2=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 if [ "$SGUIL_CLIENT_PASSWORD_1" = "$SGUIL_CLIENT_PASSWORD_2" ]; then SGUIL_CLIENT_PASSWORD_CONFIRMED="yes" [ $DEBUG -eq 1 ] && echo "DEBUG: Password set." 
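Review bot: The first account's password — which the new dialog text says is shared by Kibana, Squert and Sguil, i.e. the web interfaces reachable on 443 from every analyst address opened with so-allow — is still accepted at six characters (`[ "${#SGUIL_CLIENT_PASSWORD_1}" -lt "6" ]`) with no other strength check. Raise the floor (e.g. `-lt 12`) and change the matching dialog sentence, or add a comment next to the check recording that the minimum is deliberate; whatever so-user-passwd enforces (not visible here) should be mirrored so the two paths agree.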
@@ -520,7 +420,78 @@ Once you've logged into these interfaces using this initial password, you can ch fi done SERVER_CONFIRM="- Create a Sguil server named $SGUIL_SERVER_NAME. \n" - SERVER_USER_CONFIRM="- Create a Sguil user named $SGUIL_CLIENT_USERNAME. \n" + SERVER_USER_CONFIRM="- Create a user account named $SGUIL_CLIENT_USERNAME. \n" +fi + +######################################### +# If node is enabled, pick from 3 node types +######################################### +NODE="Master" +if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -ne 1 ]; then + TEXT="To add to your existing deployment, please select a node type for this node.\n\ +\n\ +Forward Nodes generate and collect logs and forward them to the master server.\n\ +Full packet capture remains on Forward Nodes.\n\ +Forward Nodes do not run any Elastic stack processes.\n\ +Forward Nodes require less hardware than Heavy Nodes, but typically use more network bandwidth.\n\ +\n\ +Heavy Nodes generate and collect logs and store them locally.\n\ +Heavy Nodes run Elasticsearch and Logstash.\n\ +The master server queries Heavy Nodes via cross cluster search.\n\ +Heavy Nodes require more hardware than Forward Nodes, but typically use less network bandwidth.\n\ +\n\ +Storage Nodes do not generate logs themselves but simply extend the storage of the master server.\n\ +They require that the master server has already been configured to load balance to additional Storage Nodes.\n\ +Storage Nodes run Elasticsearch and Logstash.\n\ +The master server queries Storage Nodes via cross cluster search.\n" + NODE=`zenity --height=450 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Forward FALSE Heavy FALSE Storage` + case $NODE in + Forward) + SENSOR=1 + FORWARD="yes" + ELASTIC="no" + ELASTIC_ACTION_CONFIRM="- Forward logs to master server.\n" + ;; + Heavy) + SENSOR=1 + ELASTIC="yes" + ;; + Storage) + SENSOR=0 + ELASTIC="yes" + LOGSTASH_INPUT_REDIS="yes" + IDS_LB_PROCS_CONFIRM="" + 
BRO_LB_PROCS_CONFIRM="" + SENSOR_CONFIRM_3="" + ELASTIC_ACTION_CONFIRM="- Configure as Elastic storage node.\n" + ;; + *) + exit + ;; + esac +fi + +######################################### +# Best Practices or Custom +######################################### +if [ $ADVANCED_SETUP -eq 1 ] && [ $NODE != "Storage" ]; then +TEXT="Best Practices or Custom?\n\ +\n\ +If you'd like to use the Best Practices defaults, please select Best Practices.\n\ +\n\ +If you'd like to see all options, choose Custom." + CUSTOM="" + CUSTOM=`zenity --list --radiolist \ + --column "1" --column "2" --hide-header --title="$TITLE" \ + TRUE "Best Practices" FALSE "Custom" --text="$TEXT"` + [ $? = 1 ] && exit 1 + [ "$CUSTOM" == "" ] && exit + [ "$CUSTOM" == "Custom" ] && CUSTOM="1" || CUSTOM="0" + if [ $CUSTOM -eq 0 ]; then + [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Best Practices." + else + [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Custom." + fi fi ######################################### 
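Review bot: In the node-type `case`, the `*) exit ;;` arm is reached when the zenity dialog is cancelled or closed (`NODE` empty) and exits with status 0, while every other cancelled dialog in this file exits 1; a wrapper checking sosetup's status would take a cancelled node selection for a completed setup, so use `*) exit 1 ;;`. The later guard `[ $NODE != "Storage" ]` is unquoted and only safe because that `case` guarantees `NODE` is one of three words; a short comment there, e.g. `# NODE is Forward/Heavy/Storage here; the case above exits on anything else`, stops a future arm that leaves NODE empty from turning this into a test error.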
@@ -532,14 +503,8 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then # Ask for DAYSTOKEEP DAYSTOKEEP_CONFIRMED="no" while [ $DAYSTOKEEP_CONFIRMED = "no" ]; do - DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of data do you want to keep in your Sguil database?\n\nThis includes things like IDS alerts, PADS events, and PRADS session data.\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of alerts do you want to keep in your Sguil database?\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30` + [ $? = 1 ] && exit 1 COMPRESSED="$(echo $DAYSTOKEEP | sed -e 's/[^[:digit:]]//g')" if [ "$COMPRESSED" != "$DAYSTOKEEP" ] || [ x$DAYSTOKEEP = "x" ]; then zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." 
@@ -552,13 +517,7 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then DAYSTOREPAIR_CONFIRMED="no" while [ $DAYSTOREPAIR_CONFIRMED = "no" ]; do DAYSTOREPAIR=`zenity --entry --title "$TITLE" --text="How many days of data do you want to repair in your Sguil database?\n\nA daily cronjob stops Sguil, repairs the MySQL tables for the last X days, and then starts Sguil back up.\n\nIf you choose a higher value, Sguil will be down for longer.\n\nIf you need to change this later, you can change DAYSTOREPAIR in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 7 days." --entry-text=7` - if [ $? = 1 ];then - if [ $DEBUG -eq 1 ];then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 COMPRESSED="$(echo $DAYSTOREPAIR | sed -e 's/[^[:digit:]]//g')" if [ "$COMPRESSED" != "$DAYSTOREPAIR" ] || [ x$DAYSTOREPAIR = "x" ]; then zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." 
@@ -568,16 +527,16 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then done fi - # Ask which IDS engine to use. - TEXT="Which IDS Engine would you like to use?" - IDS_ENGINE=`zenity --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Snort FALSE Suricata` - #[ -z $IDS_ENGINE ] - [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected $IDS_ENGINE." - # Ask which IDS ruleset to use. - TEXT="Which IDS ruleset would you like to use?" - IDS_RULESET=`zenity --width=600 --height=300 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?" --hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \ + TEXT="Which IDS ruleset would you like to use?\n\ +\n\ +This master server is responsible for downloading the IDS ruleset from the Internet.\n\ +\n\ +Sensors then pull a copy of this ruleset from the master server.\n\ +\n\ +If you select a commercial ruleset, it is your responsibility to purchase enough licenses\n\ +for all of your sensors in compliance with your vendor's policies.\n" + IDS_RULESET=`zenity --width=750 --height=350 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?" --hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \ TRUE "ETOPEN" "Emerging Threats Open" "no oinkcode required" \ FALSE "ETPRO" "Emerging Threats PRO" "requires ETPRO oinkcode" \ FALSE "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset" "requires Snort Subscriber oinkcode" \ 
@@ -615,12 +574,48 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n" ;; *) - [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1 + [ $? = 1 ] && exit 1 ;; esac + + # Ask which IDS engine to use. + TEXT="Which IDS Engine would you like to use?\n\ +\n\ +For best results, use the corresponding engine for the ruleset you chose in the previous screen.\n\ +\n\ +For example, if you chose the Snort Talos ruleset, you should probably choose the Snort engine.\n\ +\n\ +Likewise, if you chose an Emerging Threats ruleset, you should probably choose the Suricata engine.\n" + IDS_ENGINE=`zenity --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Snort FALSE Suricata` + #[ -z $IDS_ENGINE ] + [ $? = 1 ] && exit 1 + [ $DEBUG -eq 1 ] && echo "DEBUG: Selected $IDS_ENGINE." + # End of ADVANCED SETUP - SERVER fi +######################################### +# Network Sensor Services +######################################### +if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then +TEXT="Network sensor services include:\n\ +\n\ +- Snort or Suricata for NIDS alerts\n\ +- Bro for protocol logging\n\ +- netsniff-ng for full packet capture\n\ +\n\ +For best performance, we recommend disabling network sensor services on master servers.\n\ +\n\ +Would you like to enable or disable network sensor services?" + SENSOR="" + SENSOR=`zenity --list --radiolist \ + --column "1" --column "2" --hide-header --title="$TITLE" \ + TRUE "Enable network sensor services" FALSE "Disable network sensor services" --text="$TEXT"` + [ $? = 1 ] && exit 1 + [ "$SENSOR" == "" ] && exit + [ "$SENSOR" == "Enable network sensor services" ] && SENSOR="1" || SENSOR="0" +fi + ######################################### # ADVANCED SETUP - SENSOR ######################################### 
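Review bot: In the new "Network Sensor Services" block, `[ "$SENSOR" == "" ] && exit` ends setup with status 0 when the radiolist returns an empty selection, so a wrapper or log reader sees a successful run even though nothing was configured; the Cancel path one line above uses `exit 1`. Make the empty-selection path exit non-zero as well: `[ "$SENSOR" == "" ] && exit 1`. The Best Practices/Custom prompt earlier in the file has the same `[ "$CUSTOM" == "" ] && exit` pattern and would benefit from the same change.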
@@ -633,13 +628,7 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SENSOR -eq 1 ]; then PF_RING_SLOTS_CONFIRMED="no" while [ $PF_RING_SLOTS_CONFIRMED = "no" ]; do PF_RING_SLOTS=`zenity --entry --title "$TITLE" --text="What would you like to set PF__RING min__num__slots to?\n\nThe default is 4096. For busy networks, you may want to increase this to a higher number like 65534.\n\nIf you need to change this later, you can modify /etc/modprobe.d/pf__ring.conf and reload the pf_ring module." --entry-text=4096` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi + [ $? = 1 ] && exit 1 COMPRESSED="$(echo $PF_RING_SLOTS | sed -e 's/[^[:digit:]]//g')" if [ "$COMPRESSED" != "$PF_RING_SLOTS" ] || [ x$PF_RING_SLOTS = "x" ]; then zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." @@ -759,7 +748,6 @@ Would you like to enable Bro?" if [ $ANSWER -eq 1 ]; then [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Bro." BRO_ENABLED="no" - HTTP_AGENT_ENABLED="no" else [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Bro." fi 
@@ -810,69 +798,6 @@ If you need to change this setting later, you can change the lb_procs variable i fi if [ $CUSTOM -eq 1 ]; then - # http_agent - if [ "$BRO_ENABLED" == "yes" ]; then - TEXT="http_agent sends Bro's http.log to the Sguil database.\n\ -\n\ -If you plan to access Bro's http.log via ELSA,\n\ -you may want to disable http_agent to avoid duplication of effort.\n\ -\n\ -Would you like to enable http_agent?" - YES="Yes, enable http__agent!" - NO="No, disable http__agent." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling http_agent." - HTTP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling http_agent." - HTTP_AGENT_ENABLED="yes" - fi - fi - - # Argus - TEXT="Argus listens on the chosen interfaces and logs session data to the filesystem.\n\ -\n\ -If you plan to use other forms of session data (like Bro's conn.log or Prads),\n\ -you may want to disable Argus to avoid duplication of effort.\n\ -\n\ -Would you like to enable Argus?" - YES="Yes, enable Argus!" - NO="No, disable Argus." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Argus." - ARGUS_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Argus." - ARGUS_ENABLED="yes" - fi - - # Prads - TEXT="Prads listens on the chosen interfaces and provides session and asset data for Sguil.\n\ -\n\ -If you plan to use other forms of session data (like Bro's conn.log or Argus)\n\ -and/or you plan to use other forms of asset data (like Bro's software.log),\n\ -you may want to disable Prads to avoid duplication of effort.\n\ -\n\ -Would you like to enable Prads?" - YES="Yes, enable Prads!" - NO="No, disable Prads." 
- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Prads." - PRADS_ENABLED="no" - PADS_AGENT_ENABLED="no" - SANCP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Prads." - PRADS_ENABLED="yes" - PADS_AGENT_ENABLED="yes" - SANCP_AGENT_ENABLED="yes" - fi # PCAP TEXT="Full packet capture writes all monitored traffic to disk.\n\ @@ -941,19 +866,6 @@ Would you like to enable mmap I/O?" PCAP_RING_SIZE_CONFIRMED="yes" fi done - else - # Note about disabling full packet capture - YES="Yes, Continue." - NO="No, Quit." - zenity --title "$TITLE" --question --text="Please note, if you choose not to enable full packet capture, you will not\nbe able to pivot from Sguil to PCAP, or to CapME to retrieve PCAP data.\n\nClick 'Yes' to continue without enabling full packet capture.\n\nOtherwise, click 'No' to exit setup and re-run it to enable the capture of this valuable data." --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing without enabling full packet capture." fi # Ask for CRIT_DISK_USAGE @@ -981,7 +893,7 @@ fi # End of ADVANCED SETUP - SENSOR if [ $ADVANCED_SETUP -eq 1 ] && dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then SALT="yes" if [ $CUSTOM -eq 1 ]; then -TEXT="Salt can be enabled to help manage your entire sensor deployment.\n\ +TEXT="Salt can be enabled to help manage your entire Security Onion deployment.\n\ \n\ By default, Salt will automatically keep the following updated:\n\ * OS user accounts\n\ 
@@ -989,7 +901,7 @@ By default, Salt will automatically keep the following updated:\n\ * IDS rulesets\n\ \n\ Salt can also be used for remote execution, so you can run a command\n\ -and have it execute on all sensors across your deployment.\n\ +and have it execute on all boxes across your deployment.\n\ \n\ Would you like to enable Salt?" YES="Yes, enable Salt!" 
@@ -1006,93 +918,100 @@ Would you like to enable Salt?" fi fi -# End of ADVANCED SETUP - ######################################### -# Ask whether or not to use ELSA +# Ask whether or not to use Elastic ######################################### -if [ $CUSTOM -eq 1 ]; then -TEXT="ELSA (Enterprise Log Search and Archive) is a centralized syslog framework\n\ -built on Syslog-NG, MySQL, and Sphinx full-text search.\n\ +if [ $CUSTOM -eq 1 ] && [ $SERVER -eq 1 ]; then +TEXT="The Elastic Stack is a platform for data ingestion, formatting, and visualization\n\ +built on ElasticSearch, Logstash, and Kibana. Our customized stack also includes \n\ +Curator and Elastalert.\n\ \n\ -It provides a distributed database with a web-based interface\n\ +The Elastic Stack provides a search engine and and web interface\n\ for hunting through your logs, including:\n\ * Bro logs\n\ * OSSEC alerts/logs\n\ * Snort/Suricata logs\n\ * standard syslog\n\ \n\ -In a distributed deployment with separate server and sensor(s),\n\ -you'll want to enable/disable ELSA on all boxes. So if you want\n\ -to use ELSA, you should enable it on the master server and all sensors.\n\ +Would you like to enable the Elastic Stack?" + YES="Yes, enable the Elastic Stack." + NO="No, disable the Elastic Stack." + zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap + ANSWER="$?" + if [ $ANSWER -eq 0 ]; then + [ $DEBUG -eq 1 ] && echo "DEBUG: Enable Elastic Stack." + ELASTIC="yes" + else + [ $DEBUG -eq 1 ] && echo "DEBUG: Disable Elastic Stack." + ELASTIC="no" + fi +fi + +######################################### +# Configure master to output to redis? 
+######################################### +if [ "$ELASTIC" = "yes" ] && [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then + TEXT="By default, the master server stores logs in its own local Elasticsearch database via a local Logstash instance.\n\ +\n\ +If you want to forward logs from multiple nodes to this master server, then you may overwhelm those single instances of Logstash and Elasticsearch.\n\ +You may want to consider load balancing these forwarded logs to additional storage nodes.\n\ \n\ -Would you like to enable ELSA?" - YES="Yes, enable ELSA!" - NO="No, disable ELSA." +Would you like to store logs locally on $HOSTNAME?" + YES="Yes, store logs locally." + NO="No, I will add storage nodes for load balancing." zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap ANSWER="$?" if [ $ANSWER -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Enable ELSA." - ELSA="YES" + LOGSTASH_OUTPUT_REDIS="no" else - [ $DEBUG -eq 1 ] && echo "DEBUG: Disable ELSA." - ELSA="NO" + LOGSTASH_OUTPUT_REDIS="yes" + FORWARD_CONFIRM="- Load balance to additional storage nodes." fi +fi - # If user chose to enable ELSA, ask about log_size_limit - if [ "$ELSA" = "YES" ]; then - # If Advanced Setup, ask user - if [ $ADVANCED_SETUP -eq 1 ]; then - LOG_SIZE_LIMIT_CONFIRMED="no" - while [ $LOG_SIZE_LIMIT_CONFIRMED = "no" ]; do - LOG_SIZE_LIMIT_GB=`zenity --entry --title "$TITLE" --text="How much disk space (in GigaBytes) should be allocated for ELSA to store logs?\n\nPlease enter an integer greater than 0. The default is half your disk size.\n\nPlease make sure that the value you set here is less than the size of your disk!\n\nIf you need to adjust this later, you can modify log__size__limit in the /etc/elsa__node.conf file." --entry-text=$LOG_SIZE_LIMIT_GB` - [ $? = 1 ] && exit - if [ x$LOG_SIZE_LIMIT_GB = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid log size limit! 
Please use integers greater than 0 and less than your disk size." - else - COMPRESSED="$(echo $LOG_SIZE_LIMIT_GB | sed -e 's/[^[:digit:]]//g')" - [ "$COMPRESSED" == "$LOG_SIZE_LIMIT_GB" ] && - [ $LOG_SIZE_LIMIT_GB -gt 0 ] && - [ $LOG_SIZE_LIMIT_GB -lt $DISK_SIZE_GB ] && - LOG_SIZE_LIMIT_CONFIRMED="yes" || - zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size." - fi - done - let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000 - [ $DEBUG -eq 1 ] && echo "DEBUG: LOG_SIZE_LIMIT set to $LOG_SIZE_LIMIT." +######################################### +# ES LOG_SIZE_LIMIT +######################################### +if [ "$ELASTIC" = "yes" ] && [ $ADVANCED_SETUP -eq 1 ] && [ "$FORWARD" != "yes" ] && [ "$LOGSTASH_OUTPUT_REDIS" != "yes" ]; then + LOG_SIZE_LIMIT_CONFIRMED="no" + while [ $LOG_SIZE_LIMIT_CONFIRMED = "no" ]; do + LOG_SIZE_LIMIT_GB=`zenity --entry --title "$TITLE" --text="How much disk space (in GigaBytes) should be allocated for Elasticsearch to store logs?\n\ +\n\ +Please enter an integer greater than 0.\n\ +\n\ +Please make sure that the value you set here is less than the size of your disk!\n\ +\n\ +If you need to adjust this later, you can modify LOG__SIZE__LIMIT in /etc/nsm/securityonion.conf." --entry-text=$LOG_SIZE_LIMIT_GB` + [ $? = 1 ] && exit + if [ x$LOG_SIZE_LIMIT_GB = "x" ]; then + zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size." + else + COMPRESSED="$(echo $LOG_SIZE_LIMIT_GB | sed -e 's/[^[:digit:]]//g')" + [ "$COMPRESSED" == "$LOG_SIZE_LIMIT_GB" ] && + [ $LOG_SIZE_LIMIT_GB -gt 0 ] && + [ $LOG_SIZE_LIMIT_GB -lt $DISK_SIZE_GB ] && + LOG_SIZE_LIMIT_CONFIRMED="yes" || + zenity --error --title "$TITLE" --text "Invalid log size limit!\n\nPlease use integers greater than 0 and less than your disk size." 
fi - fi + done + + let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000 + [ $DEBUG -eq 1 ] && echo "DEBUG: LOG_SIZE_LIMIT set to $LOG_SIZE_LIMIT." fi -# Set ELSA_ACTION_CONFIRM and ask about updating ELSA server if applicable -if [ "$ELSA" = "NO" ]; then - ELSA_ACTION_CONFIRM="- Disable ELSA." +# Set ELASTIC_ACTION_CONFIRM +if [ "$ELASTIC" = "no" ]; then + ELASTIC_ACTION_CONFIRM="- Disable Elastic stack." else if [ $SERVER -eq 1 ]; then - ELSA_ACTION_CONFIRM="- Configure ELSA as a Log Node and enable web interface.\n" + ELASTIC_ACTION_CONFIRM="- Configure Elastic Stack.\n" else - ELSA_ACTION_CONFIRM="- Configure ELSA as a Log Node.\n" - - # Ask if they want to update the SERVER and restart Apache - TEXT="Would you like to automatically update the ELSA server?\n\ -\n\ -This will restart Apache on the ELSA server which will disrupt\n\ -any ELSA queries running at the time." - YES="Yes, update ELSA server!" - NO="No, do not update ELSA server." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" - ANSWER="$?" - if [ $ANSWER -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Update ELSA Server." - UPDATE_ELSA_SERVER="YES" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Do not update ELSA server." - UPDATE_ELSA_SERVER="NO" + if [ "$FORWARD" = "no" ]; then + ELASTIC_ACTION_CONFIRM="- Configure Elastic Stack cross cluster search.\n" fi fi fi - ######################################### # If just writing a file, do it and exit ######################################### @@ -1104,7 +1023,6 @@ if [ "$WRITEANSWERFILE" ]; then exit 0 fi - ######################################### # Confirm all choices before proceeding ######################################### @@ -1121,7 +1039,8 @@ $IDS_LB_PROCS_CONFIRM\ $BRO_LB_PROCS_CONFIRM\ $IDS_RULESET_ACTION\ $IDS_HOME_NET_CONFIRM\ -$ELSA_ACTION_CONFIRM\ +$ELASTIC_ACTION_CONFIRM\ +$FORWARD_CONFIRM\ \n\ We're about to make changes to your system!\n\ \n\ 
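Review bot: The new ELASTIC_ACTION_CONFIRM block tests `[ "$FORWARD" = "no" ]` while the ES LOG_SIZE_LIMIT guard a few lines above tests `[ "$FORWARD" != "yes" ]`; when FORWARD is unset or empty (its initialization is outside this hunk) the guard treats the node as non-forward but the summary omits the cross cluster search line, so the two disagree. Use one polarity in both places, e.g. `if [ "$FORWARD" != "yes" ]; then` in the summary block. Separately, the Cancel check after the LOG_SIZE_LIMIT_GB prompt is `[ $? = 1 ] && exit`, a successful exit status, whereas every other prompt in this commit aborts with `exit 1`; `[ $? = 1 ] && exit 1` keeps a cancelled setup from looking like a completed one.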
@@ -1144,11 +1063,12 @@ fi function CONFIGURE_SERVICES() { ######################################### -# Remove any tmp files from previous run +# Remove old files ######################################### rm -f /tmp/GeoIP.dat rm -f /tmp/GeoLiteCity.dat rm -f /tmp/GeoLiteCity.dat.gz +rm -f /opt/bro/etc/node.cfg ######################################### # Create files/dirs as necessary @@ -1162,23 +1082,19 @@ mkdir -p /var/log/nsm/ ######################################### echo "2" echo "# Please wait while setting OS timezone to UTC..." | tee -a $LOG -echo "Etc/UTC" > /etc/timezone -dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 +#echo "Etc/UTC" > /etc/timezone +#dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 +# Need to use timedatectl for Ubuntu 16.04 Server +timedatectl set-timezone Etc/UTC >> $LOG 2>&1 date >> $LOG 2>&1 -if pgrep rsyslog>/dev/null; then - echo "4" - echo "# Please wait while restarting rsyslog..." | tee -a $LOG - service rsyslog restart >> $LOG 2>&1 -fi - echo "4" echo "# Please wait while setting OSSEC timezone to UTC..." | tee -a $LOG cp /etc/localtime /var/ossec/etc/localtime chown root:ossec /var/ossec/etc/localtime -# If user enabled ELSA, configure OSSEC to send alerts to local syslog -if [ "$ELSA" = "YES" ]; then +# If user enabled ELASTIC, configure OSSEC to send alerts to local syslog +if [ "$ELASTIC" = "yes" ]; then grep "syslog_output" /var/ossec/etc/ossec.conf >/dev/null || sed -i 's| | \ 127.0.0.1\ \ 
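Review bot: The exit status of the new `timedatectl set-timezone Etc/UTC >> $LOG 2>&1` is discarded, and the previous `/etc/timezone` write is now commented out, so if timedated is unavailable the script proceeds and the following `cp /etc/localtime /var/ossec/etc/localtime` silently propagates whatever zone the host already had into OSSEC. Report the failure so it shows up in the progress output: `timedatectl set-timezone Etc/UTC >> $LOG 2>&1 || echo "WARNING: timedatectl failed; timezone unchanged" | tee -a $LOG`. The `rm -f /opt/bro/etc/node.cfg` added in the first hunk on this line is fine as-is since the file is regenerated later in the function.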
@@ -1191,63 +1107,96 @@ echo "6" echo "# Please wait while restarting OSSEC..." | tee -a $LOG service ossec-hids-server restart >> $LOG 2>&1 +######################################### +# Configure services to start on boot +######################################### +echo "7" +echo "# Please wait while enabling securityonion.service in systemd..." | tee -a $LOG +systemctl enable securityonion.service >> $LOG 2>&1 + ######################################### # Stop all Sguil services and delete config ######################################### echo "8" -echo "# Please wait while stopping all NSM services..." | tee -a $LOG -service nsm stop >> $LOG 2>&1 +echo "# Please wait while stopping services..." | tee -a $LOG + +# Stop Elasticsearch and all other processes +so-stop >> $LOG 2>&1 pkill suricata pkill snort pkill autossh + +# Delete any Elasticsearch or Logstash data +rm -rf /nsm/elasticsearch/nodes +rm -rf /nsm/logstash/queue/main/* +rm -f /etc/elasticsearch/elasticsearch.yml + # Make sure MySQL is running so that we can fully delete the NSM databases [ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1 + # Uncomment any disabled sensors so that we can fully delete them sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB + # Delete all nsm configuration and data /usr/sbin/nsm_all_del_quick >> $LOG 2>&1 # Delete any existing ELSA databases. 
-if [ "$ELSA" = "YES" ]; then - if [ -d /var/lib/mysql/elsa_web/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 - fi - if [ -d /var/lib/mysql/syslog/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 - fi - if [ -d /var/lib/mysql/syslog_data/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 - fi +if [ -d /var/lib/mysql/elsa_web/ ]; then + mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 +fi +if [ -d /var/lib/mysql/syslog/ ]; then + mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 +fi +if [ -d /var/lib/mysql/syslog_data/ ]; then + mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 fi ######################################### -# MySQL tuning +# MySQL ######################################### +if [ $SERVER -eq 1 ]; then -# Make changes in /etc/mysql/conf.d/ -mkdir -p /etc/mysql/conf.d/ + # Make changes in /etc/mysql/conf.d/ + mkdir -p /etc/mysql/conf.d/ -# https://code.google.com/p/security-onion/issues/detail?id=416 -# sguild may try to open lots of files -# (especially if you are sending prads session data into the sancp table) -# so increase open_files_limit on master server -if [ $SERVER -eq 1 ]; then + # https://code.google.com/p/security-onion/issues/detail?id=416 + # sguild may try to open lots of files + # so increase open_files_limit on master server cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf [mysqld] open_files_limit = 90000 EOF -fi -# https://code.google.com/p/security-onion/issues/detail?id=388 -# http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql -cat << EOF > /etc/mysql/conf.d/securityonion-ibdata1.cnf + # https://code.google.com/p/security-onion/issues/detail?id=388 + # http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql + cat << 
EOF > /etc/mysql/conf.d/securityonion-ibdata1.cnf [mysqld] innodb_file_per_table EOF -# Restart mysql to make changes take effect -pgrep -lf mysqld >/dev/null && restart mysql >> $LOG 2>&1 + # Enable MySQL + systemctl enable mysql.service >> $LOG 2>&1 + + # Reset debian.cnf + rm /etc/mysql/debian.cnf >> $LOG 2>&1 + dpkg-reconfigure --frontend noninteractive mysql-server-5.7 >> $LOG 2>&1 + + # If root password is blank, set random password + if echo "quit" | mysql -uroot 2>/dev/null; then + PASSWORD=$(LC_ALL=C /dev/null && service mysql restart >> $LOG 2>&1 + +else + + # If we're not a server, we can stop mysql + service mysql stop >> $LOG 2>&1 + +fi ######################################### # PF_RING 
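Review bot: The new `rm -rf /nsm/elasticsearch/nodes` and `rm -rf /nsm/logstash/queue/main/*` in the "Stop all Sguil services" section discard every existing Elasticsearch index and all queued Logstash events on each re-run, yet the confirmation summary built from ELASTIC_ACTION_CONFIRM (hunk on L35) only says "- Configure Elastic Stack." and never mentions the deletion. Either state it there — `ELASTIC_ACTION_CONFIRM="- Configure Elastic Stack (existing Elasticsearch data in /nsm/elasticsearch will be deleted).\n"` — or gate the removal on a choice the user has confirmed. The random MySQL root password block is truncated in this view (`PASSWORD=$(LC_ALL=C ...`), so how the generated value reaches mysql cannot be reviewed here; because every other command in this section appends both stdout and stderr to $LOG, a one-line comment stating that the password is never written to $LOG or passed on a command line would document that this was considered.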
@@ -1279,26 +1228,19 @@ pkill -f ossec_agent # Add the Sguil server if necessary ######################################### if [ $SERVER -eq 1 ]; then -# If this box was previously a slave, we need to remove securityonion_ssh.conf -rm -f /root/.ssh/securityonion_ssh.conf -echo "10" -echo "# Please wait while creating the Sguil server..." | tee -a $LOG -/usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1 - + # If this box was previously a slave, we need to remove $SSH_CONF + rm -f $SSH_CONF + echo "10" + echo "# Please wait while creating the Sguil server..." | tee -a $LOG + /usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1 fi ######################################### -# Sguil Sensor(s) if necessary +# If not master server, configure SSH Key authentication to master server ######################################### -if [ $SENSOR -eq 1 ]; then -echo "20" -echo "# Please wait while creating Sguil sensor(s)..." | tee -a $LOG -BY2PORT=8000 -HOST_ORIG=`hostname` -HOSTNAME=${HOST_ORIG,,} +if [ "$SERVER" -ne 1 ]; then -# Configure SSH Key authentication to server if necessary -if [ "$SERVERNAME" != "localhost" ]; then + # Create an ssh keypair mkdir -p $SSH_DIR [ -f "$KEY" ] && mv $KEY $KEY.old ssh-keygen -f "$KEY" -N '' >> $LOG 2>&1 
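Review bot: The key generation block now runs for every node where `[ "$SERVER" -ne 1 ]`, and `[ -f "$KEY" ] && mv $KEY $KEY.old` keeps the previous private key on disk indefinitely; if its public half is still in the master's authorized_keys (that file is managed outside this hunk), the retired key continues to grant access to the master. Delete it once the new key is installed — `rm -f -- "$KEY.old"` — and quote the rename while you are there: `[ -f "$KEY" ] && mv -- "$KEY" "$KEY.old"`. The new `rm -f $SSH_CONF` in the server branch relies on SSH_CONF being defined before CONFIGURE_SERVICES is called; its former definition in the Apache section is removed in the hunk on L43, and the replacement is not visible in this diff.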
@@ -1314,14 +1256,17 @@ if [ "$SERVERNAME" != "localhost" ]; then # Need to open ports in server firewall to allow connections from sensor echo "IPADDRESS=\`who -m --ips | awk '{print \$5}' |cut -d\( -f2 | cut -d\) -f1\`" >> $SOSETUPSCP echo "ufw allow proto tcp from \$IPADDRESS to any port 22,4505,4506,7736" >> $SOSETUPSCP + # Copy the script over scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1 + # Run the script on the master server using sudo if [ "$OUTPUT" = "gui" ]; then xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP else ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1 fi + # Cleanup rm -f $SOSETUPSCP ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 @@ -1353,6 +1298,16 @@ if [ "$SERVERNAME" != "localhost" ]; then echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF fi +######################################### +# Network Sensor(s) if necessary +######################################### +if [ $SENSOR -eq 1 ]; then +echo "15" +echo "# Please wait while creating Sguil sensor(s)..." | tee -a $LOG +BY2PORT=8000 +HOST_ORIG=`hostname` +HOSTNAME=${HOST_ORIG,,} + # NIDS sensor(s) for INTERFACE in $ALL_INTERFACES; do SENSORNAME="$HOSTNAME-$INTERFACE" @@ -1524,13 +1479,6 @@ EOF fi done - # Bro 2.2 should support PF_RING on multiple interfaces properly now, so comment this out. - # If monitoring more than one interface, disable PF_RING: - # http://securityonion.blogspot.com/2013/02/important-note-for-those-monitoring.html - #if [ `echo $INTERFACES | wc -w` -gt 1 ]; then - # sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg - # sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg - #fi fi # Finished with node.cfg # Now update networks.cfg 
@@ -1561,6 +1509,8 @@ EOF sed -i 's|^@load file-extraction|#@load file-extraction|g' /opt/bro/share/bro/site/local.bro fi + # Configure Bro to log in JSON + /usr/sbin/so-elastic-configure-bro >> $LOG 2>&1 fi fi @@ -1568,7 +1518,7 @@ fi ######################################### # /etc/nsm/securityonion.conf ######################################### -echo "30" +echo "20" echo "# Please wait while configuring $CONF..." | tee -a $LOG DATE=`date` IDS_ENGINE_LOWER=`echo ${IDS_ENGINE,,}` @@ -1605,12 +1555,12 @@ OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL -# Do you want to run Xplico? yes/no +# Xplico is no longer included in Security Onion XPLICO_ENABLED=$XPLICO_ENABLED # LOCAL_HIDS_RULE_TUNING -# If set to no (default), sensor will copy OSSEC rules from master server as-is (no changes). -# If set to yes, sensor will keep its own copy of the OSSEC rules. +# If set to no (default), this node will copy OSSEC rules from master server as-is (no changes). +# If set to yes, this node will keep its own copy of the OSSEC rules. LOCAL_HIDS_RULE_TUNING=no # LOCAL_NIDS_RULE_TUNING @@ -1631,7 +1581,7 @@ EOF # Download rules using Pulledpork ######################################### if [ "$SERVERNAME" = "localhost" ]; then - echo "40" + echo "25" echo "# Please wait while configuring IDS Ruleset..." | tee -a $LOG # Start from a clean slate (pulledpork.conf.master) # Here are the rule_url directives in pulledpork.conf.master: @@ -1701,7 +1651,7 @@ EOF fi if [ "$INTERNET" = "UP" ]; then - echo "45" + echo "30" echo "# Please wait while executing PulledPork to download rules..." | tee -a $LOG echo "LOCAL_NIDS_RULE_TUNING=no" >> $CONF date > /var/log/nsm/pulledpork.log 
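Review bot: The replaced comment `# Xplico is no longer included in Security Onion` now sits directly above a line that still writes `XPLICO_ENABLED=$XPLICO_ENABLED` into $CONF, so the generated file documents a setting it says no longer exists. Say why it is retained — `# Xplico is no longer included in Security Onion; XPLICO_ENABLED is kept so existing tooling that reads it keeps working` — or stop emitting the line. The newly added `/usr/sbin/so-elastic-configure-bro >> $LOG 2>&1` in the first hunk discards its exit status like the surrounding commands; a `|| echo "WARNING: so-elastic-configure-bro failed" | tee -a $LOG` would make a failed Bro JSON configuration visible in the progress output.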
@@ -1715,17 +1665,17 @@ fi ######################################### # Apache configuration ######################################### -SSH_DIR="/root/.ssh" -SSH_CONF="$SSH_DIR/securityonion_ssh.conf" -echo "50" +echo "35" if [ -f $SSH_CONF ]; then # We are a SENSOR echo "# Please wait while stopping and disabling Apache..." | tee -a $LOG + # Sensors don't need the Apache web server, so stop and disable it service apache2 stop >> $LOG 2>&1 update-rc.d -f apache2 disable >> $LOG 2>&1 else - # We are the MASTER. + # We are the MASTER + echo "# Please wait while configuring and restarting Apache..." | tee -a $LOG # Make sure that the Apache web server is enabled update-rc.d -f apache2 enable >> $LOG 2>&1 @@ -1736,16 +1686,6 @@ else # Disable old default-ssl site a2dissite default-ssl >> $LOG 2>&1 - # Determine IP address to be used below in Squert database - IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` - - # Pivot from Squert to ELSA - #URL="https://$IP/elsa-query/?query_string=\"\${var}\"%20groupby:program" - # We can use a relative hyperlink now that Apache is proxying ELSA at /elsa-query - URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program" - HEXVAL=$(xxd -pu -c 256 <<< "$URL") - [ "$ELSA" = "YES" ] && mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');" - # Restart web server apache2ctl restart >> $LOG 2>&1 fi 
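Review bot: With the `SSH_DIR`/`SSH_CONF` assignments removed from this section, `if [ -f $SSH_CONF ]; then` depends on SSH_CONF being set earlier in the file (not visible in this diff); if it is ever unset or empty, the unquoted expansion turns the test into `[ -f ]`, which is a one-argument test of the string "-f" and is true, so a master server would be classified as a sensor and have Apache stopped and disabled. Quoting makes the empty case evaluate to false as intended: `if [ -f "$SSH_CONF" ]; then`. The same unquoted `$SSH_CONF` appears in the AutoSSH hunk on L46 (`grep "AUTOSSH_OPTIONS=" $SSH_CONF`, `sed -i ... $SSH_CONF`).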
@@ -1753,16 +1693,15 @@ fi ######################################### # Configure Salt ######################################### -echo "70" +echo "40" echo "# Please wait while configuring salt..." | tee -a $LOG if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then if [ "$SALT" = "no" ]; then - # Stop both running salt services + # Stop and disable both salt-master and salt-minion service salt-master stop >> $LOG 2>&1 service salt-minion stop >> $LOG 2>&1 - # Disable both salt services - [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override - [ -f /etc/init/salt-minion.conf ] && echo "manual" > /etc/init/salt-minion.override + systemctl disable salt-master >> $LOG 2>&1 + systemctl disable salt-minion >> $LOG 2>&1 # If the box had previously been configured with salt, we need to remove the cron job [ -f /etc/cron.d/salt-update ] && rm -f /etc/cron.d/salt-update else 
@@ -1785,20 +1724,13 @@ if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then echo " '$FQDN':" >> $TOPSLS echo " - backend" >> $TOPSLS echo "" >> $TOPSLS - # If salt-master is DISABLED we need to enable it - [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf - [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override - # Start salt-master + # Enable and restart salt-master + systemctl enable salt-master >> $LOG 2>&1 service salt-master restart >> $LOG 2>&1 - # We no longer open the salt port by default - # This is now done when the sensor runs Setup - #ufw allow salt >> $LOG 2>&1 else - # If this box is not a Master we need to disable salt-master - # Stop salt-master + # If this box is not a Master we need to stop and disable salt-master service salt-master stop >> $LOG 2>&1 - # Disable salt-master - [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override + systemctl disable salt-master >> $LOG 2>&1 # Tell the salt-master that we are a sensor cat << EOF >> $SOSETUPSCP if ! grep "'$FQDN':" /opt/onionsalt/salt/top.sls >/dev/null 2>&1; then @@ -1812,9 +1744,9 @@ EOF # All boxes run salt-minion # Configure minion echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf - # If salt-minion is DISABLED, enable it - [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf - [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override + echo "$FQDN" > /etc/salt/minion_id + # Enable and restart salt-minion + systemctl enable salt-minion >> $LOG 2>&1 service salt-minion restart >> $LOG 2>&1 # salt-master needs to accept the key from salt-minion 
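Review bot: The new `echo "$FQDN" > /etc/salt/minion_id` writes the file unconditionally; if FQDN is empty (how it is derived is outside this hunk) the minion gets a blank id and will not match the `'$FQDN':` entry written to top.sls earlier in the section. Guard it and make the failure visible: `[ -n "$FQDN" ] && echo "$FQDN" > /etc/salt/minion_id || echo "WARNING: FQDN empty; /etc/salt/minion_id not written" | tee -a $LOG`. The enclosing `if dpkg -l | grep ...` block starts and ends outside this hunk.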
@@ -1840,14 +1772,26 @@ EOF fi fi +######################################### +# Forward Node AutoSSH +######################################### +if [ "$FORWARD" = "yes" ]; then + # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. + if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then + sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 + else + echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF + fi +fi + ######################################### # Start securityonion services ######################################### # disable the snorby output in all barnyard config files sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf >> $LOG 2>&1 -echo "80" +echo "45" echo "# Please wait while starting all Security Onion services..." | tee -a $LOG -/sbin/start securityonion >> $LOG 2>&1 +/usr/sbin/so-start >> $LOG 2>&1 sleep 10s ######################################### @@ -1881,12 +1825,12 @@ EOF sed -i 's|https://localhost|https://localhost/squert|g' $SQUERT_LAUNCHER sed -i 's|Name=README|Name=Squert|g' $SQUERT_LAUNCHER - # Use README launcher as template to create ELSA launcher (if enabled) - if [ "$ELSA" = "YES" ]; then - ELSA_LAUNCHER="$DIR/securityonion-elsa.desktop" - cp $README_LAUNCHER $ELSA_LAUNCHER - sed -i 's|https://localhost|https://localhost/elsa|g' $ELSA_LAUNCHER - sed -i 's|Name=README|Name=ELSA|g' $ELSA_LAUNCHER + # Use README launcher as template to create Kibana launcher (if enabled) + if [ "$ELASTIC" = "yes" ]; then + KIBANA_LAUNCHER="$DIR/securityonion-kibana.desktop" + cp $README_LAUNCHER $KIBANA_LAUNCHER + sed -i 's|https://localhost|https://localhost/app/kibana|g' $KIBANA_LAUNCHER + sed -i 's|Name=README|Name=Kibana|g' $KIBANA_LAUNCHER fi # Copy web launchers to /usr/share/applications 
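Review bot: The grep and sed in the new Forward Node AutoSSH block are unanchored: `grep "AUTOSSH_OPTIONS="` also matches a commented-out `#AUTOSSH_OPTIONS=` line, and `s/AUTOSSH_OPTIONS.*/.../` then rewrites only from that token onward, leaving the leading `#` in place so the 6050 forward is silently never configured. Anchoring both to the start of the line avoids this: `if grep -q '^AUTOSSH_OPTIONS=' "$SSH_CONF"; then` and `sed -i 's/^AUTOSSH_OPTIONS=.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' "$SSH_CONF"`. A later hunk in this same commit writes a different AUTOSSH_OPTIONS value (the redis forward) when LOGSTASH_INPUT_REDIS is yes, which would overwrite this one; if a node can have both FORWARD and LOGSTASH_INPUT_REDIS set, that precedence deserves a comment here, e.g. `# NOTE: overridden by the redis forward below when LOGSTASH_INPUT_REDIS=yes`.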
@@ -1910,38 +1854,186 @@ EOF fi ######################################### -# Configure ELSA +# syslog-ng ######################################### -if [ "$ELSA" = "YES" ]; then - echo "90" - echo "# Please wait while configuring ELSA..." | tee -a $LOG +echo "49" +echo "# Please wait while configuring syslog-ng..." | tee -a $LOG - # update LOG_SIZE_LIMIT - sed -i "s|\"log_size_limit\" :.*$|\"log_size_limit\" : $LOG_SIZE_LIMIT,|g" /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-node.conf +# We need to copy a new syslog-ng.conf into place +SYSLOGNGCONFSRC="/opt/elastic/src/etc/syslog-ng/syslog-ng.conf" +SYSLOGNGCONFDST="/etc/syslog-ng/syslog-ng.conf" - # check if there is an ELSA directive already - ELSA_USE=$(grep "ELSA=" $CONF) - if [ ! $? -eq 0 ]; then - echo "" >> $CONF - echo "# ELSA" >> $CONF - echo "ELSA=YES" >> $CONF - else - sed -i 's,ELSA=NO,ELSA=YES,' $CONF - fi +# Initialize HTTP_LOGS +HTTP_LOGS="" - # Delete sphinxsearch binlog files - rm -f /var/lib/sphinxsearch/data/binlog.* +# Get a list of sensors from /etc/nsm/sensortab +SENSORS=$(grep -v "^#" /etc/nsm/sensortab | cut -f 4) - # Configure all Log Node and Web Node functionality if we are a server - if [ $SERVER -eq 1 ]; then - /usr/bin/securityonion-elsa-config.sh -t WEB >> $LOG 2>&1 - # restart apache to update ELSA APIKEY - apache2ctl restart >> $LOG 2>&1 - else - /usr/bin/securityonion-elsa-config.sh -t LOG >> $LOG 2>&1 - # Update the securityonion group - echo "usermod -a -G securityonion $SSH_USERNAME" >> $SOSETUPSCP - fi +# Determine the number of sensor interfaces +COUNT=0 +for token in $SENSORS; do + COUNT=$((COUNT+1)) +done + +# If master server only, copy syslog-ng.conf into place +if [ $COUNT -eq 0 ]; then + cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST +fi + +# If single sensor interface, we need to determine if Bro is running in standalone mode or cluster mode +if [ $COUNT -eq 1 ]; then + if grep "type=standalone" /opt/bro/etc/node.cfg > /dev/null; then + echo "* Leaving syslog-ng.conf 
bro_http entry unmolested." >> $LOG 2>&1 + cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST + else + echo "* Altering syslog-ng.conf bro_http entry for single interface cluster-mode" >> $LOG 2>&1 + # Pull the interface bro is listening for from node.cfg + BRO_IFACE=$(grep "interface=" /opt/bro/etc/node.cfg | cut -d'=' -f2) + # Alter syslog-ng.conf's entry for http + sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|\tfile(\"/nsm/bro/logs/current/http_$BRO_IFACE.log\" flags(no-parse) program_override(\"bro_http\"));\n|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST + fi +fi + +# If multiple sensor interfaces, Bro must be running in cluster mode and we need to watch multiple http logs +if [ $COUNT -gt 1 ]; then + echo "* Altering syslog-ng.conf bro_http entries for multiple interfaces" >> $LOG 2>&1 + for i in $SENSORS; do + HTTP_LOGS=$HTTP_LOGS"\tfile(\"/nsm/bro/logs/current/http_$i.log\" flags(no-parse) program_override(\"bro_http\"));\n" + done + sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST +fi + +/usr/sbin/so-elastic-configure-syslog-ng >> $LOG 2>&1 + +######################################### +# Elastic +######################################### +if [ "$ELASTIC" = "yes" ]; then + + if ! dpkg -L docker-ce >/dev/null 2>&1; then + echo "50" + echo "# Please wait while downloading Elastic components..." | tee -a $LOG + /usr/sbin/so-elastic-download >> $LOG 2>&1 + fi + + echo "75" + echo "# Please wait while configuring Elastic..." | tee -a $LOG + + if ! 
grep -q LOG_SIZE_LIMIT $CONF; then + cat << EOF >> $CONF + +# Log size limit (GB) for Elasticsearch logs +LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB +EOF + else + sed "s/LOG_SIZE_LIMIT=.*/LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB/" $CONF + fi + + if [ $SERVER -eq 1 ] && [ $LOGSTASH_OUTPUT_REDIS = "yes" ]; then + echo "LOGSTASH_OUTPUT_REDIS=$LOGSTASH_OUTPUT_REDIS" >> $CONF + fi + + if [ $SERVER -ne 1 ]; then + echo 'KIBANA_ENABLED="no"' >> $CONF + echo 'ELASTALERT_ENABLED="no"' >> $CONF + echo 'FREQ_SERVER_ENABLED="no"' >> $CONF + echo 'DOMAIN_STATS_ENABLED="no"' >> $CONF + + if [ "$FORWARD" = "yes" ]; then + echo 'ELASTICSEARCH_ENABLED="no"' >> $CONF + echo 'LOGSTASH_ENABLED="no"' >> $CONF + echo 'CURATOR_ENABLED="no"' >> $CONF + fi + + if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then + echo 'LOGSTASH_INPUT_REDIS="yes"' >> $CONF + if grep OSSEC_AGENT_ENABLED $CONF >/dev/null 2>&1; then + sed -i 's|OSSEC_AGENT_ENABLED.*$|OSSEC_AGENT_ENABLED=no|g' $CONF + else + echo 'OSSEC_AGENT_ENABLED=no' >> $CONF + fi + fi + fi + + /usr/sbin/so-elastic-configure >> $LOG 2>&1 + + if [ $SERVER -ne 1 ]; then + echo "95" + echo "# Please wait while performing final node configuration..." 
| tee -a $LOG + + if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then + if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then + sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"/' $SSH_CONF >> $LOG 2>&1 + else + echo 'AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"' >> $SSH_CONF + fi + ufw allow proto tcp from 172.18.0.0/24 to 172.18.0.1 port 6379 >> $LOG 2>&1 + fi + + # We need to determine a few things from the master server: + + # DOCKER_INTERFACE, DOCKER_NETWORK, and REVERSE_PORT + + # DOCKER_INTERFACE + SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Gateway'" + SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` + DOCKER_INTERFACE=$(echo $SSH_OUTPUT | cut -d\" -f2) + echo "DOCKER_INTERFACE is $DOCKER_INTERFACE" >> $LOG 2>&1 + + # DOCKER_NETWORK + SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Subnet'" + SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` + DOCKER_NETWORK=$(echo $SSH_OUTPUT | cut -d\" -f2) + echo "DOCKER_NETWORK is $DOCKER_NETWORK" >> $LOG 2>&1 + + # REVERSE_PORT + SSH_CMD='sudo /usr/sbin/so-crossclustercheck | jq "." | grep ":5" | cut -d: -f2 | cut -d\" -f1 | sort | tail -1' + HIGHEST_REVERSE_PORT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` + if [ "$HIGHEST_REVERSE_PORT" = "" ]; then + echo "Found no other nodes." >> $LOG 2>&1 + REVERSE_PORT=50000 + else + echo "HIGHEST_REVERSE_PORT is $HIGHEST_REVERSE_PORT" >> $LOG 2>&1 + if [ ${HIGHEST_REVERSE_PORT} -gt 49999 ] && [ ${HIGHEST_REVERSE_PORT} -lt 59999 ]; then + let REVERSE_PORT=HIGHEST_REVERSE_PORT+1 + fi + fi + echo "REVERSE_PORT is $REVERSE_PORT" >> $LOG 2>&1 + + # Now that we've determined those 3 values, we need to store DOCKER_INTERFACE and REVERSE_PORT in SSH_CONF. + + # If DOCKER_INTERFACE is not already in SSH_CONF, then store it for future use. + if grep "DOCKER_INTERFACE=" $SSH_CONF >/dev/null 2>&1; then + echo "DOCKER_INTERFACE already exists in $SSH_CONF." 
>> $LOG 2>&1 + else + echo "DOCKER_INTERFACE=$DOCKER_INTERFACE" >> $SSH_CONF + fi + + # If REVERSE_PORT is not already in SSH_CONF, then store it for future use. + if grep "REVERSE_PORT=" $SSH_CONF >/dev/null 2>&1; then + echo "REVERSE_PORT already exists in $SSH_CONF." >> $LOG 2>&1 + else + echo "REVERSE_PORT=$REVERSE_PORT" >> $SSH_CONF + fi + + # Configure Elasticsearch + ELASTIC_CONFIG="/etc/elasticsearch/elasticsearch.yml" + echo "transport.bind_host: 0.0.0.0" >> $ELASTIC_CONFIG + echo "transport.publish_host: $DOCKER_INTERFACE" >> $ELASTIC_CONFIG + echo "transport.publish_port: $REVERSE_PORT" >> $ELASTIC_CONFIG + docker restart so-elasticsearch >> $LOG 2>&1 + cat << EOF >> $SOSETUPSCP +if ! grep "Match User $SSH_USERNAME" /etc/ssh/sshd_config >/dev/null 2>&1; then +echo Match User $SSH_USERNAME >> /etc/ssh/sshd_config +echo ' GatewayPorts clientspecified' >> /etc/ssh/sshd_config +service ssh restart +fi +ufw allow proto tcp from $DOCKER_NETWORK to $DOCKER_INTERFACE port $REVERSE_PORT +source /etc/nsm/securityonion.conf +curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}' +EOF + + fi fi } 
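Review bot: The `else` branch that refreshes an existing LOG_SIZE_LIMIT runs `sed "s/LOG_SIZE_LIMIT=.*/LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB/" $CONF` without `-i`, so the substitution goes to stdout and securityonion.conf keeps the stale value on a re-run; it should read `sed -i "s/^LOG_SIZE_LIMIT=.*/LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB/" "$CONF"`. REVERSE_PORT is only assigned when HIGHEST_REVERSE_PORT falls in 50000–59998, so if the master reports anything else (a non-numeric string also makes the `[ ... -gt ... ]` test itself error out) `transport.publish_port:` and the ufw rule pushed to the master are emitted with an empty port; that branch should log the problem and `exit 1` rather than fall through. Everything interpolated into the master-side script and the cluster-settings JSON (`$DOCKER_INTERFACE`, `$DOCKER_NETWORK`, `$REVERSE_PORT`, `$HOSTNAME`) comes from ssh output trimmed with `cut`, and `transport.bind_host: 0.0.0.0` opens the node's Elasticsearch transport on every interface with ufw as the only control, so an IP/CIDR/port sanity check before use and a comment stating that the bind relies on the host firewall would both be worthwhile. The enclosing function starts before this hunk and closes at its final `}`.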
@@ -1963,40 +2055,12 @@ if [ "$SERVERNAME" != "localhost" ]; then ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 fi -if [ $SERVER -ne 1 ] && [ "$ELSA" = "YES" ]; then - # Register the log node and restart the server. - SSH_CMD="/usr/bin/securityonion_elsa_register.rb --register --peer-name `hostname` --force" - ELSA_REGISTER_RESPONSE=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME $SSH_CMD` - ELSA_PORT=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f1` - ELSA_APIKEY=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f2` - # If ELSA_PORT is not already in SSH_CONF, then store it for future use. - if grep "ELSA_PORT=" $SSH_CONF >/dev/null 2>&1; then - echo "ELSA_PORT already exists in $SSH_CONF." >> $LOG 2>&1 - else - echo "ELSA_PORT=$ELSA_PORT" >> $SSH_CONF - fi - # Update the local ELSA API key - /usr/bin/securityonion_elsa_register.rb --update-apikey $ELSA_APIKEY >> $LOG 2>&1 - # Restart starman for new API key - service starman stop >> $LOG 2>&1 - service starman start >> $LOG 2>&1 - # Since the securityonion service started before we the ELSA ports - # were determined, we need to tear down the SSH tunnel and restart it. - # Kill autossh with SIGINT - if pgrep autossh>/dev/null; then - kill -SIGINT `pgrep autossh` - # Restart the autossh tunnel - /usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 -R $ELSA_PORT:localhost:3154 $SSH_USERNAME@$SERVERNAME - fi - if [ "$UPDATE_ELSA_SERVER" = "YES" ]; then - # Instruct the server to restart apache2. - # Run the script with sudo - if [ "$OUTPUT" = "gui" ]; then - xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart - else - ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart >> $LOG 2>&1 +if [ $SERVER -ne 1 ] && [ "$ELASTIC" = "yes" ]; then + # Now that the server side configuration is done, we need to tear down the ssh tunnel and restart it. 
+ if pgrep autossh>/dev/null; then + kill -SIGINT `pgrep autossh` + /usr/sbin/so-autossh-start >> $LOG 2>&1 fi - fi fi } @@ -2031,9 +2095,9 @@ TEXT="Security Onion Setup is now complete! \n \ Setup log can be found here:\n \ $LOG\n \ \n \ -You may view IDS alerts using Sguil, Squert, or ELSA (if enabled). \n \ +You may view IDS alerts using Sguil, Squert, or Kibana (if enabled). \n \ \n \ -Bro logs can be found in ELSA (if enabled) and the following location: \n \ +Bro logs can be found in Kibana (if enabled) and the following location: \n \ /nsm/bro/" } @@ -2134,9 +2198,6 @@ save() echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE - echo "ELSA=$ELSA" >> $WRITEANSWERFILE - echo "UPDATE_ELSA_SERVER=$UPDATE_ELSA_SERVER" >> $WRITEANSWERFILE - echo "LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT" >> $WRITEANSWERFILE echo "OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >> $WRITEANSWERFILE echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE echo "SALT=$SALT" >> $WRITEANSWERFILE @@ -2166,6 +2227,10 @@ save() echo "CRIT_DISK_USAGE=$CRIT_DISK_USAGE" >> $WRITEANSWERFILE echo "DAYSTOKEEP=$DAYSTOKEEP" >> $WRITEANSWERFILE echo "DAYSTOREPAIR=$DAYSTOREPAIR" >> $WRITEANSWERFILE + echo "LOGSTASH_OUTPUT_REDIS=$LOGSTASH_OUTPUT_REDIS" >> $WRITEANSWERFILE + echo "LOGSTASH_INPUT_REDIS=$LOGSTASH_INPUT_REDIS" >> $WRITEANSWERFILE + echo "ELASTIC=$ELASTIC" >> $WRITEANSWERFILE + echo "LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT" >> $WRITEANSWERFILE } 
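Review bot: The `kill -SIGINT` on the output of `pgrep autossh` signals every process named autossh on the host, not just the tunnel that was brought up to `$SERVERNAME`, and if several PIDs come back or the process exits between the test and the kill the line fails silently into `$LOG`. Matching on the command line, `pkill -INT -f "autossh.*${SERVERNAME}"`, or using a PID file if so-autossh-start records one, narrows the blast radius; a short wait for the old process to exit before calling `/usr/sbin/so-autossh-start` would also avoid the new tunnel racing the old one for the local forward. The enclosing function begins before this hunk.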
@@ -2254,33 +2319,25 @@ else INTERFACES="$SNIFFING_INTERFACES" ADVANCED_SETUP="1" if [ $SKIP -ne 1 ];then - if [ "$ELASTIC" != "YES" ]; then - echo - echo "Security Onion Setup" - echo - echo "Ready to configure system using parameters in $ANSWERFILE." - echo - echo "WARNING! Continuing will destroy any existing data/config." - echo "Are you sure you want to continue?" - echo "Type yes to continue or anything else to exit." - read INPUT - [ "$INPUT" != "yes" ] && exit 0 - else - SETUPCONF=$2 - fi + echo + echo "Security Onion Setup" + echo + echo "Ready to configure system using parameters in $ANSWERFILE." + echo + echo "WARNING! Continuing will destroy any existing data/config." + echo "Are you sure you want to continue?" + echo "Type yes to continue or anything else to exit." + read INPUT + [ "$INPUT" != "yes" ] && exit 0 echo # If /etc/network/interfaces has not been configured yet, then we need # to run sosetup-network and pass it the answerfile if ! grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1; then /usr/sbin/sosetup-network $@ fi - if [ "$ELASTIC" == "YES" ]; then - /usr/sbin/sosetup-elastic -f $SETUPCONF skipnetwork - exit $? - fi fi fi - + # Perform the requested actions, handling output differently for gui vs cli if [ "$OUTPUT" = "gui" ]; then CONFIGURE_SERVICES | diff --git a/bin/sosetup-network b/bin/sosetup-network index 8d761fe..222130a 100644 --- a/bin/sosetup-network +++ b/bin/sosetup-network @@ -454,8 +454,10 @@ done function SET_UTC() { -echo "Etc/UTC" > /etc/timezone -dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 +#echo "Etc/UTC" > /etc/timezone +#dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 +# Need to use timedatectl for Ubuntu 16.04 Server +timedatectl set-timezone Etc/UTC >> $LOG 2>&1 cp /etc/localtime /var/ossec/etc/localtime chown root:ossec /var/ossec/etc/localtime diff --git a/debian/changelog b/debian/changelog index 5d1acad..ce56beb 100644 --- a/debian/changelog +++ b/debian/changelog 
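Review bot: The restructured confirmation block keeps `read INPUT` and `/usr/sbin/sosetup-network $@`; these should be `read -r INPUT` and `"$@"` so backslashes and arguments with spaces survive. The prompt that warns `Continuing will destroy any existing data/config.` is now unconditional inside `if [ $SKIP -ne 1 ]`, which means a caller setting SKIP bypasses the only safeguard before a destructive re-run; a comment on that guard, e.g. `# SKIP=1 is for unattended runs and suppresses the destroy-confirmation prompt`, would make that intent explicit for the next reader. The enclosing `else` branch starts before this hunk.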
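Review bot: `timedatectl set-timezone Etc/UTC` only appends its failure to `$LOG`; where systemd-timedated is not reachable (a chroot or container, for instance) the call fails and the next line, `cp /etc/localtime /var/ossec/etc/localtime` (outside the hunk), copies whatever zone was there before. Checking the status makes the silent failure visible: `timedatectl set-timezone Etc/UTC >> $LOG 2>&1 || echo "timedatectl failed; timezone left unchanged" | tee -a $LOG`. The commented-out `dpkg-reconfigure` lines are dead code and could be replaced by a one-line comment saying why timedatectl is used on 16.04; SET_UTC continues past the end of this hunk.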
@@ -1,3 +1,99 @@ +securityonion-setup (20120912-0ubuntu0securityonion267) xenial; urgency=medium + + * if mysql root password not set, set random password + + -- Doug Burks Fri, 25 May 2018 12:48:26 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion266) xenial; urgency=medium + + * avoid duplicating OSSEC_AGENT_ENABLED in securityonion.conf + + -- Doug Burks Tue, 22 May 2018 09:21:46 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion265) xenial; urgency=medium + + * streamline setup + + -- Doug Burks Sat, 19 May 2018 07:17:38 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion264) xenial; urgency=medium + + * update sosetup-forward.conf + + -- Doug Burks Fri, 18 May 2018 17:43:41 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion263) xenial; urgency=medium + + * more forward node fixes + + -- Doug Burks Fri, 18 May 2018 17:29:43 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion262) xenial; urgency=medium + + * fix custom forward node and Elastic prompt + + -- Doug Burks Thu, 17 May 2018 15:30:21 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion261) xenial; urgency=medium + + * update sosetup conf files to new eth device naming convention + + -- Doug Burks Thu, 17 May 2018 08:35:22 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion260) xenial; urgency=medium + + * control salt with systemd + + -- Doug Burks Thu, 17 May 2018 08:18:46 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion259) xenial; urgency=medium + + * remove salt workaround and fix in onionsalt package instead + + -- Doug Burks Wed, 16 May 2018 16:01:27 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion258) xenial; urgency=medium + + * workaround bug in 16.04 salt package + + -- Doug Burks Wed, 16 May 2018 15:21:48 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion257) xenial; urgency=medium + + * update /etc/salt/minion_id + + -- Doug Burks Tue, 15 May 2018 18:17:55 -0400 + +securityonion-setup 
(20120912-0ubuntu0securityonion256) xenial; urgency=medium + + * set timezone using timedatectl + + -- Doug Burks Sat, 05 May 2018 15:05:51 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion255) xenial; urgency=medium + + * enabled systemd script and move so-allow scripts to this package + + -- Doug Burks Fri, 04 May 2018 08:56:08 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion254) xenial; urgency=medium + + * add back + + -- Doug Burks Thu, 03 May 2018 15:55:49 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion253) xenial; urgency=medium + + * remove old stuff + + -- Doug Burks Thu, 03 May 2018 15:32:52 -0400 + +securityonion-setup (20120912-0ubuntu0securityonion252) xenial; urgency=medium + + * fix references to restart + + -- Doug Burks Thu, 03 May 2018 14:45:23 -0400 + securityonion-setup (20120912-0ubuntu0securityonion251) trusty; urgency=medium * update sosetup.conf diff --git a/debian/patches/add-back b/debian/patches/add-back new file mode 100644 index 0000000..37125c8 --- /dev/null +++ b/debian/patches/add-back 
@@ -0,0 +1,97 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion254) xenial; urgency=medium + . + * add back +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -89,12 +89,18 @@ BRO_LB_PROCS_CONFIRM="- Run a single Bro + BRO_ENABLED="yes" + OSSEC_AGENT_ENABLED="yes" + OSSEC_AGENT_LEVEL=5 ++XPLICO_ENABLED="no" + # /etc/nsm/HOSTNAME-INTERFACE/sensor.conf services enabled by default + PCAP_ENABLED="yes" + PCAP_AGENT_ENABLED="yes" + SNORT_AGENT_ENABLED="yes" + IDS_ENGINE_ENABLED="yes" + BARNYARD2_ENABLED="yes" ++PRADS_ENABLED="no" ++SANCP_AGENT_ENABLED="no" ++PADS_AGENT_ENABLED="no" ++ARGUS_ENABLED="no" ++HTTP_AGENT_ENABLED="no" + # Salt is disabled by default + SALT="no" + # Number of days to keep in Sguil database +@@ -1330,7 +1336,7 @@ for INTERFACE in $ALL_INTERFACES; do + + # Create symbolic links for individual bpf-*.conf files pointing to the sensor bpf.conf (which points to the GLOBAL bpf.conf) + cd /etc/nsm/"$SENSORNAME" +- for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf ++ for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf bpf-prads.conf + do + ln -s bpf.conf $FILENAME >> $LOG 2>&1 + done +@@ -1346,6 +1352,11 @@ for INTERFACE in $ALL_INTERFACES; do + echo 
"SNORT_AGENT_ENABLED=\"$SNORT_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf + echo "IDS_ENGINE_ENABLED=\"$IDS_ENGINE_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf + echo "BARNYARD2_ENABLED=\"$BARNYARD2_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PRADS_ENABLED=\"$PRADS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "SANCP_AGENT_ENABLED=\"$SANCP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PADS_AGENT_ENABLED=\"$PADS_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "ARGUS_ENABLED=\"$ARGUS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "HTTP_AGENT_ENABLED=\"$HTTP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf + + # Create symbolic link for sensor rules directory on server + # Since a user may have as many Snort/Suricata instances as they have CPU cores, +@@ -1519,6 +1530,9 @@ OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED + # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. + OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL + ++# Xplico is no longer included in Security Onion ++XPLICO_ENABLED=$XPLICO_ENABLED ++ + # LOCAL_HIDS_RULE_TUNING + # If set to no (default), this node will copy OSSEC rules from master server as-is (no changes). + # If set to yes, this node will keep its own copy of the OSSEC rules. 
+@@ -2175,6 +2189,7 @@ save() + echo "SGUIL_SERVER_NAME=$SGUIL_SERVER_NAME" >> $WRITEANSWERFILE + echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE + echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE ++ echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE + echo "OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >> $WRITEANSWERFILE + echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE + echo "SALT=$SALT" >> $WRITEANSWERFILE +@@ -2185,6 +2200,11 @@ save() + echo "BARNYARD2_ENABLED=$BARNYARD2_ENABLED" >> $WRITEANSWERFILE + echo "PCAP_ENABLED=$PCAP_ENABLED" >> $WRITEANSWERFILE + echo "PCAP_AGENT_ENABLED=$PCAP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "PRADS_ENABLED=$PRADS_ENABLED" >> $WRITEANSWERFILE ++ echo "SANCP_AGENT_ENABLED=$SANCP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "PADS_AGENT_ENABLED=$PADS_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "HTTP_AGENT_ENABLED=$HTTP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "ARGUS_ENABLED=$ARGUS_ENABLED" >> $WRITEANSWERFILE + echo "IDS_RULESET='$IDS_RULESET'" >> $WRITEANSWERFILE + echo "OINKCODE='$OINKCODE'" >> $WRITEANSWERFILE + echo "PF_RING_SLOTS=$PF_RING_SLOTS" >> $WRITEANSWERFILE diff --git a/debian/patches/avoid-duplicating-OSSEC_AGENT_ENABLED-in-securityonion.conf b/debian/patches/avoid-duplicating-OSSEC_AGENT_ENABLED-in-securityonion.conf new file mode 100644 index 0000000..967eaf9 --- /dev/null +++ b/debian/patches/avoid-duplicating-OSSEC_AGENT_ENABLED-in-securityonion.conf 
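Review bot: The DEP3 header of this patch still carries the dpkg-source template: `Description:` is empty, the `TODO: Put a short summary on the line above` paragraph and the `Origin:`/`Bug:`/`Forwarded:`/`Last-Update:` placeholders are left in, so anyone reading debian/patches gets no statement of what was added back or why. A one-line `Description: Re-add PRADS/SANCP/PADS/Argus/HTTP-agent and Xplico settings to sosetup, defaulting them to disabled` plus `Last-Update: 2018-05-03`, with the template text removed, would make the patch self-explanatory. The same template text appears in the other new patch files in this commit.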
@@ -0,0 +1,40 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion266) xenial; urgency=medium + . + * avoid duplicating OSSEC_AGENT_ENABLED in securityonion.conf +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -1932,7 +1932,11 @@ EOF + + if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then + echo 'LOGSTASH_INPUT_REDIS="yes"' >> $CONF +- echo 'OSSEC_AGENT_ENABLED="no"' >> $CONF ++ if grep OSSEC_AGENT_ENABLED $CONF >/dev/null 2>&1; then ++ sed -i 's|OSSEC_AGENT_ENABLED.*$|OSSEC_AGENT_ENABLED=no|g' $CONF ++ else ++ echo 'OSSEC_AGENT_ENABLED=no' >> $CONF ++ fi + fi + fi + diff --git a/debian/patches/control-salt-with-systemd b/debian/patches/control-salt-with-systemd new file mode 100644 index 0000000..a92b147 --- /dev/null +++ b/debian/patches/control-salt-with-systemd 
@@ -0,0 +1,103 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion260) xenial; urgency=medium + . + * control salt with systemd +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -1659,7 +1659,7 @@ if [ -f $SSH_CONF ]; then + service apache2 stop >> $LOG 2>&1 + update-rc.d -f apache2 disable >> $LOG 2>&1 + else +- # We are the MASTER. 
++ # We are the MASTER + + # Make sure that the Apache web server is enabled + update-rc.d -f apache2 enable >> $LOG 2>&1 +@@ -1670,16 +1670,6 @@ else + # Disable old default-ssl site + a2dissite default-ssl >> $LOG 2>&1 + +- # Determine IP address to be used below in Squert database +- IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` +- +- # Pivot from Squert to ELSA +- #URL="https://$IP/elsa-query/?query_string=\"\${var}\"%20groupby:program" +- # We can use a relative hyperlink now that Apache is proxying ELSA at /elsa-query +- URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program" +- HEXVAL=$(xxd -pu -c 256 <<< "$URL") +- [ "$ELSA" = "YES" ] && mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');" +- + # Restart web server + apache2ctl restart >> $LOG 2>&1 + fi +@@ -1691,12 +1681,11 @@ echo "40" + echo "# Please wait while configuring salt..." 
| tee -a $LOG + if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then + if [ "$SALT" = "no" ]; then +- # Stop both running salt services ++ # Stop and disable both salt-master and salt-minion + service salt-master stop >> $LOG 2>&1 + service salt-minion stop >> $LOG 2>&1 +- # Disable both salt services +- [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override +- [ -f /etc/init/salt-minion.conf ] && echo "manual" > /etc/init/salt-minion.override ++ systemctl disable salt-master >> $LOG 2>&1 ++ systemctl disable salt-minion >> $LOG 2>&1 + # If the box had previously been configured with salt, we need to remove the cron job + [ -f /etc/cron.d/salt-update ] && rm -f /etc/cron.d/salt-update + else +@@ -1719,17 +1708,13 @@ if dpkg -l |grep "securityonion-onionsal + echo " '$FQDN':" >> $TOPSLS + echo " - backend" >> $TOPSLS + echo "" >> $TOPSLS +- # If salt-master is DISABLED we need to enable it +- [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf +- [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override +- # Start salt-master ++ # Enable and restart salt-master ++ systemctl enable salt-master >> $LOG 2>&1 + service salt-master restart >> $LOG 2>&1 + else +- # If this box is not a Master we need to disable salt-master +- # Stop salt-master ++ # If this box is not a Master we need to stop and disable salt-master + service salt-master stop >> $LOG 2>&1 +- # Disable salt-master +- [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override ++ systemctl disable salt-master >> $LOG 2>&1 + # Tell the salt-master that we are a sensor + cat << EOF >> $SOSETUPSCP + if ! 
grep "'$FQDN':" /opt/onionsalt/salt/top.sls >/dev/null 2>&1; then +@@ -1744,9 +1729,8 @@ EOF + # Configure minion + echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf + echo "$FQDN" > /etc/salt/minion_id +- # If salt-minion is DISABLED, enable it +- [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf +- [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override ++ # Enable and restart salt-minion ++ systemctl enable salt-minion >> $LOG 2>&1 + service salt-minion restart >> $LOG 2>&1 + + # salt-master needs to accept the key from salt-minion diff --git a/debian/patches/enable-systemd-script-and-move-so-allow-scripts-to-this-package b/debian/patches/enable-systemd-script-and-move-so-allow-scripts-to-this-package new file mode 100644 index 0000000..ed8e3fa --- /dev/null +++ b/debian/patches/enable-systemd-script-and-move-so-allow-scripts-to-this-package 
@@ -0,0 +1,309 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion255) xenial; urgency=medium
+ .
+ * enabled systemd script and move so-allow scripts to this package
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- /dev/null
++++ securityonion-setup-20120912/bin/so-allow-elastic
+@@ -0,0 +1,203 @@
++#!/bin/bash
++#
++# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++
++#########################################
++# function to validate IP address
++#########################################
++is_ip() {
++ case "$*" in
++ ""|*[!0-9.]*) return 1 ;;
++ esac
++ oldIFS=$IFS
++ IFS='.'
++ set -- $*
++ IFS=$oldIFS
++ [ $# -eq 4 ] || return 1
++ for ipseg in $1 $2 $3 $4
++ do
++ case $ipseg in
++ *[!0-9]*) return 1 ;;
++ esac
++ [ $ipseg -le 255 ] || return 1
++ done
++}
++
++is_cidr() {
++ [[ "$1" =~ ^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$ ]] && return 0
++}
++#########################################
++# check for root privileges
++#########################################
++if [[ $(/usr/bin/id -u) -ne 0 ]]; then
++ echo "This script needs to be run as root. Please try again using sudo."
++ exit
++fi
++
++#########################################
++# Prompt user for kind of device
++#########################################
++echo "This program allows you to add a firewall rule to allow connections from a new IP address."
++echo
++echo "What kind of device do you want to allow?"
++echo
++echo "[a] - analyst - ports 22/tcp, 443/tcp, and 7734/tcp"
++echo "[b] - Logstash Beat - port 5044/tcp"
++echo "[c] - apt-cacher-ng client - port 3142/tcp"
++echo "[f] - Logstash Forwarder - Standard - port 6050/tcp"
++echo "[j] - Logstash Forwarder - JSON - port 6051/tcp "
++echo "[l] - syslog device - port 514"
++echo "[o] - ossec agent - port 1514/udp"
++echo "[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp"
++echo
++echo "If you need to add any ports other than those listed above,"
++echo "you can do so using the standard 'ufw' utility."
++echo
++echo "For more information, please see the Firewall page on our Wiki:"
++echo "https://github.com/Security-Onion-Solutions/security-onion/wiki/Firewall"
++
++device="none"
++while [ "$device" = "none" ]; do
++ echo
++ echo "Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor, etc.):"
++ read input
++
++ . /etc/nsm/securityonion.conf
++case $input in
++ a)
++ device="analyst"
++ proto="proto tcp"
++ port="22,443,7734"
++ ;;
++ b)
++ device="Logstash - Beat"
++ category="elastic"
++ proto="tcp"
++ port="5044"
++ ;;
++ c)
++ device="apt-cacher-ng client"
++ proto="proto tcp"
++ port="3142"
++ ;;
++ f)
++ device="Logstash Forwarder"
++ category="elastic"
++ proto="tcp"
++ port="6050"
++ ;;
++ j)
++ device="Logstash Forwarder - JSON"
++ category="elastic"
++ proto="tcp"
++ port="6051"
++ ;;
++ l)
++ device="syslog"
++ proto=""
++ port="514"
++ ;;
++ o)
++ device="ossec agent"
++ proto="proto udp"
++ port="1514"
++ ;;
++ s)
++ device="Security Onion sensor"
++ proto="proto tcp"
++ port="22,4505,4506,7736"
++ ;;
++ status)
++ device=status
++ ;;
++ esac
++done
++
++#########################################
++# Status
++########################################
++if [ "$device" == "status" ]; then
++ /usr/sbin/so-allow-view
++ echo
++ exit 0
++fi
++
++#########################################
++# Prompt user for IP address
++#########################################
++valid="no"
++while [ "$valid" = "no" ]; do
++ echo "Please enter the IP address of the $device you'd like to allow to connect to port(s) $port:"
++ read address
++ # Check if CIDR
++ is_cidr $address && valid="yes"
++ # Check if IP
++ [ $? -ne 0 ] && is_ip $address && valid="yes"
++
++done
++
++#########################################
++# Confirm rule before adding
++#########################################
++echo "We're going to allow connections from $address to port(s) $port."
++echo
++echo "Here's the firewall rule we're about to add:"
++if [[ "$category" == "elastic" ]]; then
++ ufw_after_rules="-I DOCKER-USER ! -i docker0 -o docker0 -s $address -p tcp --dport $port -j ACCEPT"
++ rule="sudo iptables $ufw_after_rules"
++else
++ rule="sudo ufw allow $proto from $address to any port $port"
++fi
++echo $rule
++echo
++
++if [ "$device" == "analyst" ]; then
++ echo "We're also whitelisting $address in /var/ossec/etc/ossec.conf to prevent OSSEC Active Response from blocking it. Keep in mind, the OSSEC server will be restarted once configuration is complete."
++ echo
++fi
++echo "To continue and add this rule, press Enter."
++echo "Otherwise, press Ctrl-c to exit."
++read input
++
++#########################################
++# Run the command to add the firewall rule
++#########################################
++$rule
++
++if [[ "$category" == "elastic" ]]; then
++ # Add rule to /etc/ufw/after.rules
++ sed -i "/so-allow/a $ufw_after_rules" /etc/ufw/after.rules
++fi
++
++echo "Rule has been added."
++echo
++echo "Here is the entire firewall ruleset:"
++echo
++/usr/sbin/so-allow-view
++echo
++
++if [ "$device" == "analyst" ]; then
++ if ! grep -q "$address" /var/ossec/etc/ossec.conf ; then
++ DATE=`date`
++ sed -i 's/<\/ossec_config>//' /var/ossec/etc/ossec.conf
++ sed -i '/^$/N;/^\n$/D' /var/ossec/etc/ossec.conf
++ echo -e "\n \n $address\n \n" >> /var/ossec/etc/ossec.conf
++ echo "Added whitelist entry for $address in /var/ossec/etc/ossec.conf."
++ echo
++ echo "Restarting OSSEC Server..."
++ service ossec-hids-server restart
++ fi
++fi
+--- /dev/null
++++ securityonion-setup-20120912/bin/so-allow-view
+@@ -0,0 +1,22 @@
++#!/bin/bash
++#
++# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++
++. /usr/sbin/so-common
++
++header "UFW Rules"
++ufw status | sed -n '1!p'
++/usr/sbin/so-allow-view-iptables
+--- /dev/null
++++ securityonion-setup-20120912/bin/so-allow-view-iptables
+@@ -0,0 +1,25 @@
++#!/bin/bash
++#
++# Copyright 2014,2015,2016,2017,2018 Security Onion Solutions, LLC
++#
++# This program is free software: you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation, either version 3 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program. If not, see .
++
++. /usr/sbin/so-common
++
++header "Docker IPTables Rules"
++echo
++echo "To Action From"
++echo "-- ------ ----"
++iptables -vL DOCKER-USER |grep ACCEPT |grep -v "state RELATED,ESTABLISHED" |awk '{print substr($11,5) "/" $4,$7,$3,$6,$8}'
++echo
+--- securityonion-setup-20120912.orig/bin/sosetup
++++ securityonion-setup-20120912/bin/sosetup
+@@ -1069,7 +1069,7 @@ function CONFIGURE_SERVICES() {
+ rm -f /tmp/GeoIP.dat
+ rm -f /tmp/GeoLiteCity.dat
+ rm -f /tmp/GeoLiteCity.dat.gz
+-[ -f /opt/bro/etc/node.cfg ] && rm -f /opt/bro/etc/node.cfg
++rm -f /opt/bro/etc/node.cfg
+ 
+ #########################################
+ # Create files/dirs as necessary
+@@ -1107,6 +1107,13 @@ echo "# Please wait while restarting OSS
+ service ossec-hids-server restart >> $LOG 2>&1
+ 
+ #########################################
++# Configure services to start on boot
++#########################################
++echo "7"
++echo "# Please wait while enabling securityonion.service in systemd..." | tee -a $LOG
++systemctl enable securityonion.service >> $LOG 2>&1
++
++#########################################
+ # Stop all Sguil services and delete config
+ #########################################
+ echo "8"
diff --git a/debian/patches/fix-custom-forward-node-and-Elastic-prompt b/debian/patches/fix-custom-forward-node-and-Elastic-prompt
new file mode 100644
index 0000000..2be0c09
--- /dev/null
+++ b/debian/patches/fix-custom-forward-node-and-Elastic-prompt
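Review bot: In so-allow-elastic's analyst branch, `grep -q "$address" /var/ossec/etc/ossec.conf` is an unanchored regex substring test, so an existing entry such as 10.1.1.10 (or any line where the dots match other characters) makes a new 10.1.1.1 look already whitelisted and the OSSEC whitelist entry is silently skipped, leaving Active Response free to block that analyst. Escape the dots and bound the match, e.g. `if ! grep -qE -- "(^|[^0-9./])${address//./\\.}([^0-9./]|$)" /var/ossec/etc/ossec.conf; then`, or anchor it to the whitelist element itself. The same file builds the iptables/ufw command as a string and runs it through an unquoted `$rule`; that is only safe because is_ip/is_cidr restrict `$address` to digits, dots and an optional /prefix, so a comment stating that dependency next to `$rule` would help the next maintainer. Also, `sed -i "/so-allow/a $ufw_after_rules" /etc/ufw/after.rules` persists the DOCKER-USER rule only if after.rules already contains a line matching so-allow; when it does not, the live rule is added but lost on the next ufw reload with no message, so a `grep -q so-allow /etc/ufw/after.rules || echo "warning: no so-allow marker in /etc/ufw/after.rules, rule not persisted" >&2` check would surface that. Finally the root check exits with status 0 on failure; `exit 1` lets callers notice.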
@@ -0,0 +1,227 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion262) xenial; urgency=medium + . + * fix custom forward node and Elastic prompt +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -449,13 +449,16 @@ The master server queries Storage Nodes + Forward) + SENSOR=1 + FORWARD="yes" ++ ELASTIC="no" + ELASTIC_ACTION_CONFIRM="- Forward logs to master server.\n" + ;; + Heavy) + SENSOR=1 ++ ELASTIC="yes" + ;; + Storage) + SENSOR=0 ++ ELASTIC="yes" + LOGSTASH_INPUT_REDIS="yes" + IDS_LB_PROCS_CONFIRM="" + BRO_LB_PROCS_CONFIRM="" +@@ -918,22 +921,18 @@ fi + ######################################### + # Ask whether or not to use Elastic + ######################################### +-if [ $CUSTOM -eq 1 ]; then +-TEXT="The Elastic Stack is a platform for data ingestion, formatting, and visualization.\n\ ++if [ $CUSTOM -eq 1 ] && [ $SERVER -eq 1 ]; then ++TEXT="The Elastic Stack is a platform for data ingestion, formatting, and visualization\n\ + built on ElasticSearch, Logstash, and Kibana. 
Our customized stack also includes \n\ +-the use of DomainStats, FreqServer, Curator, and Elastalert.\n\ ++Curator and Elastalert.\n\ + \n\ +-It provides a distributed database with a web-based interface\n\ ++The Elastic Stack provides a search engine and and web interface\n\ + for hunting through your logs, including:\n\ + * Bro logs\n\ + * OSSEC alerts/logs\n\ + * Snort/Suricata logs\n\ + * standard syslog\n\ + \n\ +-If this is a node installation, you can store logs in a local Elasticsearch\n\ +-database or you can forward to your master server.\n\ +-For either of these options, choose Yes.\n\ +-\n\ + Would you like to enable the Elastic Stack?" + YES="Yes, enable the Elastic Stack." + NO="No, disable the Elastic Stack." +@@ -1277,6 +1276,15 @@ if [ "$SERVER" -ne 1 ]; then + echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF + fi + ++if [ "$FORWARD" = "yes" ]; then ++ # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. ++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF ++ fi ++fi ++ + ######################################### + # Network Sensor(s) if necessary + ######################################### +@@ -1935,76 +1943,68 @@ EOF + echo "95" + echo "# Please wait while performing final node configuration..." | tee -a $LOG + +- if [ "$FORWARD" = "yes" ]; then +- # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. 
+- if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then +- sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 +- else +- echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF +- fi +- else +- if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then +- if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then +- sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"/' $SSH_CONF >> $LOG 2>&1 +- else +- echo 'AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"' >> $SSH_CONF +- fi +- ufw allow proto tcp from 172.18.0.0/24 to 172.18.0.1 port 6379 >> $LOG 2>&1 +- fi ++ if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then ++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"' >> $SSH_CONF ++ fi ++ ufw allow proto tcp from 172.18.0.0/24 to 172.18.0.1 port 6379 >> $LOG 2>&1 ++ fi + +- # We need to determine a few things from the master server: ++ # We need to determine a few things from the master server: + +- # DOCKER_INTERFACE, DOCKER_NETWORK, and REVERSE_PORT ++ # DOCKER_INTERFACE, DOCKER_NETWORK, and REVERSE_PORT + +- # DOCKER_INTERFACE +- SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Gateway'" +- SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` +- DOCKER_INTERFACE=$(echo $SSH_OUTPUT | cut -d\" -f2) +- echo "DOCKER_INTERFACE is $DOCKER_INTERFACE" >> $LOG 2>&1 +- +- # DOCKER_NETWORK +- SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Subnet'" +- SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` +- DOCKER_NETWORK=$(echo $SSH_OUTPUT | cut -d\" -f2) +- echo "DOCKER_NETWORK is $DOCKER_NETWORK" >> $LOG 2>&1 +- +- # REVERSE_PORT +- SSH_CMD='sudo /usr/sbin/so-crossclustercheck | jq "." 
| grep ":5" | cut -d: -f2 | cut -d\" -f1 | sort | tail -1' +- HIGHEST_REVERSE_PORT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` +- if [ "$HIGHEST_REVERSE_PORT" = "" ]; then +- echo "Found no other nodes." >> $LOG 2>&1 +- REVERSE_PORT=50000 +- else +- echo "HIGHEST_REVERSE_PORT is $HIGHEST_REVERSE_PORT" >> $LOG 2>&1 +- if [ ${HIGHEST_REVERSE_PORT} -gt 49999 ] && [ ${HIGHEST_REVERSE_PORT} -lt 59999 ]; then +- let REVERSE_PORT=HIGHEST_REVERSE_PORT+1 +- fi ++ # DOCKER_INTERFACE ++ SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Gateway'" ++ SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ DOCKER_INTERFACE=$(echo $SSH_OUTPUT | cut -d\" -f2) ++ echo "DOCKER_INTERFACE is $DOCKER_INTERFACE" >> $LOG 2>&1 ++ ++ # DOCKER_NETWORK ++ SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Subnet'" ++ SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ DOCKER_NETWORK=$(echo $SSH_OUTPUT | cut -d\" -f2) ++ echo "DOCKER_NETWORK is $DOCKER_NETWORK" >> $LOG 2>&1 ++ ++ # REVERSE_PORT ++ SSH_CMD='sudo /usr/sbin/so-crossclustercheck | jq "." | grep ":5" | cut -d: -f2 | cut -d\" -f1 | sort | tail -1' ++ HIGHEST_REVERSE_PORT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ if [ "$HIGHEST_REVERSE_PORT" = "" ]; then ++ echo "Found no other nodes." >> $LOG 2>&1 ++ REVERSE_PORT=50000 ++ else ++ echo "HIGHEST_REVERSE_PORT is $HIGHEST_REVERSE_PORT" >> $LOG 2>&1 ++ if [ ${HIGHEST_REVERSE_PORT} -gt 49999 ] && [ ${HIGHEST_REVERSE_PORT} -lt 59999 ]; then ++ let REVERSE_PORT=HIGHEST_REVERSE_PORT+1 + fi +- echo "REVERSE_PORT is $REVERSE_PORT" >> $LOG 2>&1 ++ fi ++ echo "REVERSE_PORT is $REVERSE_PORT" >> $LOG 2>&1 + +- # Now that we've determined those 3 values, we need to store DOCKER_INTERFACE and REVERSE_PORT in SSH_CONF. +- +- # If DOCKER_INTERFACE is not already in SSH_CONF, then store it for future use. +- if grep "DOCKER_INTERFACE=" $SSH_CONF >/dev/null 2>&1; then +- echo "DOCKER_INTERFACE already exists in $SSH_CONF." 
>> $LOG 2>&1 +- else +- echo "DOCKER_INTERFACE=$DOCKER_INTERFACE" >> $SSH_CONF +- fi ++ # Now that we've determined those 3 values, we need to store DOCKER_INTERFACE and REVERSE_PORT in SSH_CONF. + +- # If REVERSE_PORT is not already in SSH_CONF, then store it for future use. +- if grep "REVERSE_PORT=" $SSH_CONF >/dev/null 2>&1; then +- echo "REVERSE_PORT already exists in $SSH_CONF." >> $LOG 2>&1 +- else +- echo "REVERSE_PORT=$REVERSE_PORT" >> $SSH_CONF +- fi ++ # If DOCKER_INTERFACE is not already in SSH_CONF, then store it for future use. ++ if grep "DOCKER_INTERFACE=" $SSH_CONF >/dev/null 2>&1; then ++ echo "DOCKER_INTERFACE already exists in $SSH_CONF." >> $LOG 2>&1 ++ else ++ echo "DOCKER_INTERFACE=$DOCKER_INTERFACE" >> $SSH_CONF ++ fi + +- # Configure Elasticsearch +- ELASTIC_CONFIG="/etc/elasticsearch/elasticsearch.yml" +- echo "transport.bind_host: 0.0.0.0" >> $ELASTIC_CONFIG +- echo "transport.publish_host: $DOCKER_INTERFACE" >> $ELASTIC_CONFIG +- echo "transport.publish_port: $REVERSE_PORT" >> $ELASTIC_CONFIG +- docker restart so-elasticsearch >> $LOG 2>&1 +- cat << EOF >> $SOSETUPSCP ++ # If REVERSE_PORT is not already in SSH_CONF, then store it for future use. ++ if grep "REVERSE_PORT=" $SSH_CONF >/dev/null 2>&1; then ++ echo "REVERSE_PORT already exists in $SSH_CONF." >> $LOG 2>&1 ++ else ++ echo "REVERSE_PORT=$REVERSE_PORT" >> $SSH_CONF ++ fi ++ ++ # Configure Elasticsearch ++ ELASTIC_CONFIG="/etc/elasticsearch/elasticsearch.yml" ++ echo "transport.bind_host: 0.0.0.0" >> $ELASTIC_CONFIG ++ echo "transport.publish_host: $DOCKER_INTERFACE" >> $ELASTIC_CONFIG ++ echo "transport.publish_port: $REVERSE_PORT" >> $ELASTIC_CONFIG ++ docker restart so-elasticsearch >> $LOG 2>&1 ++ cat << EOF >> $SOSETUPSCP + if ! 
grep "Match User $SSH_USERNAME" /etc/ssh/sshd_config >/dev/null 2>&1; then + echo Match User $SSH_USERNAME >> /etc/ssh/sshd_config + echo ' GatewayPorts clientspecified' >> /etc/ssh/sshd_config +@@ -2014,7 +2014,6 @@ ufw allow proto tcp from $DOCKER_NETWORK + source /etc/nsm/securityonion.conf + curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}' + EOF +- fi + + fi + fi diff --git a/debian/patches/fix-references-to-restart b/debian/patches/fix-references-to-restart new file mode 100644 index 0000000..0716ebd --- /dev/null +++ b/debian/patches/fix-references-to-restart 
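Review bot: In the final-node-configuration hunk of the sosetup patch, `HIGHEST_REVERSE_PORT` is whatever the master returned over ssh and is fed unvalidated into `[ ${HIGHEST_REVERSE_PORT} -gt 49999 ]` and `let REVERSE_PORT=HIGHEST_REVERSE_PORT+1`; if the remote pipeline yields anything but digits (an ssh or jq error message, for example), the test fails with an integer-expression error, the if is skipped, and nothing is reported. Guard it before the comparison with something like `case "$HIGHEST_REVERSE_PORT" in *[!0-9]*) echo "Unexpected port data from $SERVERNAME: $HIGHEST_REVERSE_PORT" >> $LOG; exit 1 ;; esac`. Separately, when the value is numeric but outside 50000–59998 nothing assigns `REVERSE_PORT` on that path, so it silently keeps its earlier value (sosetup initialises it to 50000 elsewhere on this page) and may collide with a port another node already publishes; an explicit else that logs and aborts would make that visible. `sort | tail -1` is also a lexical sort that only happens to order five-digit ports correctly; `sort -n` states the intent. The block this hunk modifies starts and ends outside the hunk.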
@@ -0,0 +1,4705 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion252) xenial; urgency=medium + . + * fix references to restart +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- /dev/null ++++ securityonion-setup-20120912/bin/sosetup +@@ -0,0 +1,2362 @@ ++#!/bin/bash ++# ++# Copyright (C) 2010-2014 Doug Burks ++# Copyright (C) 2015-2018 Security Onion Solutions, LLC ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License Version 2 as ++# published by the Free Software Foundation. You may not use, modify or ++# distribute this program under any other version of the GNU General ++# Public License. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. ++# ++# ++# Description: ++# Configure Security Onion. 
++ ++######################################### ++# Variables ++######################################### ++DEBUG="0" ++# Window title ++HOST_ORIG=`hostname` ++HOSTNAME=${HOST_ORIG,,} ++IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` ++TITLE="Security Onion Setup ($HOSTNAME)" ++# File locations ++CONF="/etc/nsm/securityonion.conf" ++LOG=`mktemp /tmp/sosetup-elastic.log.XXXXXXXXXX` ++PP_CONF="/etc/nsm/pulledpork/pulledpork.conf" ++# URLs ++ET_URL="rules.emergingthreats.net" ++TALOS_URL="www.snort.org" ++# Provide sensible defaults for Quick Setup ++SGUIL_SERVER_NAME="securityonion" ++IDS_ENGINE="snort" ++IDS_RULESET="ETOPEN" ++HOME_NET="192.168.0.0/16,10.0.0.0/8,172.16.0.0/12" ++INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` ++ALL_INTERFACES="$INTERFACES" ++NUM_INTERFACES=`echo $INTERFACES | wc -w` ++SNIFF_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | wc -l` ++[ $SNIFF_INTERFACES -eq 0 ] && SNIFF_INTERFACES=1 ++SENSORTAB="/etc/nsm/sensortab" ++UPDATE_ELSA_SERVER="NO" ++# PCAP_OPTIONS are passed to netsniff-ng ++# "netsniff-ng -c" does the following: ++# -c|--clrw Use slower read(2)/write(2) I/O ++# we set this as the default for classroom/training users ++# who are monitoring low-bandwidth networks and don't ++# want to wait for scatter/gather mode to write pcaps. ++# Users running Advanced Setup are likely on production networks ++# with higher bandwidth and want better performance, so we clear ++# PCAP_OPTIONS in the Advanced Setup section. 
++PCAP_OPTIONS="-c" ++# PCAP_SIZE is the size at which we rotate to a new pcap file ++# Default to 150MB, but user can choose if running Advanced Setup ++PCAP_SIZE=150 ++# PCAP_RING_SIZE is the RX_RING size for buffering packets ++# Default is 64MB ++PCAP_RING_SIZE="64" ++# WARN_DISK_USAGE is the percentage of disk usage at which the NSM scripts warn the disk is getting full ++WARN_DISK_USAGE=80 ++# CRIT_DISK_USAGE is the percentage of disk usage at which the NSM scripts begin purging old files ++CRIT_DISK_USAGE=90 ++# CORES is the number of CPU cores in the box ++# This is used for limiting IDS_LB_PROCS and BRO_LB_PROCS ++CORES=`grep -c ^processor /proc/cpuinfo` ++# SO_CORES is the number of CPU cores in the box, minus a reserved CPU core ++# for the OS, divided by the number of sniffing interfaces. ++SO_CORES=$(((CORES - 1) / SNIFF_INTERFACES)) ++# CALCD_CORES subtracts a reserved CPU core for netsniff-ng from the available cores for ++# each interface and splits the number of cores between the IDS and Bro processes. 
++CALCD_CORES=$(((SO_CORES - 1) / 2)) ++# IDS_LB_PROCS goes into sensor.conf and controls threads for Snort/Suricata ++IDS_LB_PROCS=1 ++IDS_LB_PROCS_CONFIRM="- Run a single IDS process per interface.\n" ++# BRO_LB_PROCS goes into Bro's node.cfg and controls threads for Bro ++BRO_LB_PROCS=1 ++BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n" ++# /etc/nsm/securityonion.conf services enabled by default ++BRO_ENABLED="yes" ++OSSEC_AGENT_ENABLED="yes" ++OSSEC_AGENT_LEVEL=5 ++XPLICO_ENABLED="no" ++# /etc/nsm/HOSTNAME-INTERFACE/sensor.conf services enabled by default ++PCAP_ENABLED="yes" ++PCAP_AGENT_ENABLED="yes" ++SNORT_AGENT_ENABLED="yes" ++IDS_ENGINE_ENABLED="yes" ++BARNYARD2_ENABLED="yes" ++PRADS_ENABLED="no" ++SANCP_AGENT_ENABLED="no" ++PADS_AGENT_ENABLED="no" ++ARGUS_ENABLED="no" ++HTTP_AGENT_ENABLED="no" ++# Salt is disabled by default ++SALT="no" ++# Number of days to keep in Sguil database ++DAYSTOKEEP=30 ++# Number of days to repair ++DAYSTOREPAIR=7 ++# File extraction ++EXTRACT_FILES="yes" ++# PF_RING min_num_slots ++PF_RING_SLOTS="4096" ++# SSH key variables ++SSH_DIR="/root/.ssh" ++SSH_CONF="$SSH_DIR/securityonion_ssh.conf" ++KEY="$SSH_DIR/securityonion" ++# SOSETUPSCP is a file that will be copied to the master server and executed ++SOSETUPSCP=`mktemp` ++# SECURITYONION_CONF_MASTER is the securityonion.conf from the master server ++SECURITYONION_CONF_MASTER=`mktemp` ++# CUSTOM gives access to all options ++CUSTOM=0 ++# Elastic is now enabled by default ++ELASTIC="yes" ++# Create /nsm if it doesn't already exist ++mkdir -p /nsm ++# Calculate half of available disk space for Elastic logs ++DISK_SIZE_K=`df /nsm |grep -v "^Filesystem" | awk '{print $2}'` ++let DISK_SIZE=DISK_SIZE_K*1000 ++let LOG_SIZE_LIMIT=DISK_SIZE/2 ++let LOG_SIZE_LIMIT_GB=LOG_SIZE_LIMIT/1000000000 ++let DISK_SIZE_GB=DISK_SIZE/1000000000 ++let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000 ++# Check amount of system RAM (MB) ++TOTAL_MEM=`grep MemTotal /proc/meminfo | awk 
'{print $2}' | sed -r 's/.{3}$//'` ++# Make RAM # human readable (GB) ++HR_MEM=$((TOTAL_MEM / 1000)) ++# Text for minimum memory check ++MEM_TEXT="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 8GB of RAM.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ ++Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ ++Otherwise, click 'Yes' to continue." ++# Text for minimum core check ++CORE_TEXT="This machine currently has "$CORES" processor core(s) allocated.\n\For best performance, please ensure the machine is allocated at least 2 processor cores.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ ++Click 'No' to stop setup and adjust the number of processor cores allocated to this machine.\n\ ++Otherwise, click 'Yes' to continue." ++ARGS=("$@") ++REVERSE_PORT=50000 ++DOCKER_INTERFACE="172.18.0.1" ++DOCKER_NETWORK="172.18.0.0/24" ++LOGSTASH_OUTPUT_REDIS="no" ++LOGSTASH_INPUT_REDIS="no" ++ ++######################################### ++# Debug ++######################################### ++[ $DEBUG -eq 1 ] && echo "DEBUG: Debug is enabled. To disable it, edit the script and change DEBUG to 0." ++ ++######################################### ++# Got r00t? ++######################################### ++if [[ $(/usr/bin/id -u) -ne 0 && "$1" != "-w" ]]; then ++ echo "Setup needs to be run as root. Please try again using sudo." ++ zenity --error --title "$TITLE" --text="Setup needs to be run as root. Please try again using sudo." 
++ exit ++fi ++ ++function ask() { ++######################################### ++# Welcome screen ++######################################### ++TEXT="Welcome to Security Onion Elastic Setup!\n\ ++\n\ ++Elastic Setup will configure the following services:\n\ ++\n\ ++Elasticsearch\n\ ++Logstash\n\ ++Kibana\n\ ++Squert\n\ ++Sguil\n\ ++Bro\n\ ++Snort/Suricata\n\ ++netsniff-ng\n\ ++\n\ ++Would you like to continue?" ++if [ "$WRITEANSWERFILE" ]; then ++ TEXT="Welcome to Security Onion Setup!\n\ ++\n\ ++Writing an answer file is still experimental, and does not\n\ ++yet support network configuration. Please make sure\n\ ++your /etc/network/interfaces file is already configured and\n\ ++has at least one interface configured for monitoring.\n\ ++\n\ ++Would you like to continue?" ++fi ++YES="Yes, Continue!" ++NO="No, Quit." ++zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap ++ANSWER="$?" ++if [ $ANSWER -eq 1 ]; then ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Exiting Setup" ++ exit ++else ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing Setup." ++fi ++ ++######################################### ++# sosetup-network ++######################################### ++# Network config not yet supported when generating an answer file ++if [ -z "$WRITEANSWERFILE" ] && [ "${ARGS[0]}" != "skipnetwork" ] && [ -f /usr/sbin/sosetup-network ]; then ++ /usr/sbin/sosetup-network ++ # If there were errors in sosetup-network, then exit ++ [ $? -eq 1 ] && exit ++fi ++ ++######################################### ++# CHeck hardware requirements ++######################################### ++ ++if [ $TOTAL_MEM -lt 8000 ]; then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap ++ [ $? = 1 ] && exit 1 ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." 
++fi ++ ++if [ $CORES -lt 2 ]; then zenity --question --title="$TITLE" --text="$CORE_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap ++ [ $? = 1 ] && exit 1 ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low core count." ++fi ++ ++######################################### ++# Evaluation Mode or Production Mode ++######################################### ++TEXT="Evaluation Mode or Production Mode?\n\ ++\n\ ++Evaluation Mode is recommended for first-time users or standalone VMs:\n\ ++- ideal for quickly evaluating Security Onion\n\ ++- will automatically configure most details of your system\n\ ++- configures Snort and Bro to monitor one network interface\n\ ++- NOT intended for a production deployment\n\ ++\n\ ++Production Mode is recommended for production deployments\n\ ++as it gives you more control over the details of your system\n\ ++and allows you to build a distributed deployment. You choose:\n\ ++- build a new master server or connect to an existing master server\n\ ++- enable or disable network sensor services\n\ ++- store logs locally or forward to master server\n" ++SETUP="" ++SETUP=`zenity --list --radiolist \ ++ --column "1" --column "2" --hide-header --title="$TITLE" \ ++ TRUE "Evaluation Mode" FALSE "Production Mode" --text="$TEXT"` ++[ $? = 1 ] && exit 1 ++ ++[ "$SETUP" == "" ] && exit ++[ "$SETUP" == "Production Mode" ] && ADVANCED_SETUP="1" || ADVANCED_SETUP="0" ++if [ $ADVANCED_SETUP -eq 0 ]; then ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Evaluation Mode." ++ if [ $NUM_INTERFACES -gt 1 ]; then ++ TEXT="Which network interface should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your first monitor interface is already selected." 
++ INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` ++ if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then ++ ++ CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | head -1` ++ INPUT=`for i in $INTERFACES; do ++ if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then ++ echo -n "TRUE $i " ++ else ++ echo -n "FALSE $i " ++ fi ++ done` ++ else ++ INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done` ++ fi ++ INTERFACES=`zenity --list --radiolist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'` ++ if [ "$INTERFACES" = "" ]; then ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." ++ exit ++ fi ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES." ++ fi ++ SERVER=1 ++ SENSOR=1 ++ ELASTIC="yes" ++ SERVERNAME="localhost" ++ SENSOR_CONFIRM_1="- Configure Snort and Bro to monitor the following interface:\n" ++ SENSOR_CONFIRM_2="$INTERFACES\n" ++else ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Production Mode." ++ TEXT="Do you want to build a new Security Onion deployment or add to an existing deployment?\n\ ++\n\ ++If you choose New, this machine will be the master server and will run the Kibana and Squert web interfaces.\n\ ++\n\ ++If you already have a master server, choose Existing.\n\ ++You will need to be able to SSH to the existing master server with an account that has sudo privileges.\n" ++ DEPLOYMENT=`zenity --height=250 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE New FALSE Existing` ++ case $DEPLOYMENT in ++ New) ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected New." ++ SERVER=1 ++ SERVERNAME="localhost" ++ IDS_LB_PROCS_CONFIRM="" ++ BRO_LB_PROCS_CONFIRM="" ++ ;; ++ Existing) ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Existing." 
++ SERVER=0
++ TEXT="What is the hostname or IP address of the master server that this node should connect to?"
++ SERVERNAME_CONFIRMED="no"
++ while [ $SERVERNAME_CONFIRMED = "no" ]; do
++ SERVERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
++ [ $? = 1 ] && exit 1
++ # Did the user enter the hostname or IP address of the local box?
++ if [ "$SERVERNAME" = "$HOSTNAME" ]; then
++ zenity --error --title "$TITLE" --text="That is the hostname of this box\!\r \
++\r \
++Since you chose a node installation, the master server should be a separate box."
++ elif [ "$SERVERNAME" = "$IP" ]; then
++ zenity --error --title "$TITLE" --text="That is the IP address of this box\!\r \
++\r \
++Since you chose a node installation, the master server should be a separate box."
++ elif [ "x$SERVERNAME" = "x" ]; then
++ zenity --error --title "$TITLE" --text="No server defined\!\r \
++\r \
++Please provide the hostname or IP address of a valid master server."
++
++ else
++ # nc will result in OSSEC Active Response blocking the IP address
++ # nc -vz $SERVERNAME 22 -w 5 2>&1 | grep "succeeded\!" >/dev/null 2>&1 && SERVERNAME_CONFIRMED="yes"
++ # so use ssh instead:
++ ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes 2>&1 | egrep 'Connection timed out|No route to host|Could not resolve hostname' >/dev/null 2>&1 || SERVERNAME_CONFIRMED="yes"
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Hostname/IP set to $SERVERNAME."
++ if [ $SERVERNAME_CONFIRMED = "no" ]; then
++ zenity --error --title "$TITLE" --text="Couldn't connect to $SERVERNAME on port 22\!\r \
++\r \
++Please double-check hostname or IP address and\r\
++firewall rules."
++ fi
++ fi
++ done
++ TEXT="Please enter a username that can SSH to the master server and execute sudo."
++ SENSOR_CONFIRM_3="no"
++ while [[ $SENSOR_CONFIRM_3 = "no" ]]; do
++ SSH_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
++ [ $?
= 1 ] && exit 1
++ if [ x$SSH_USERNAME = "x" ]; then
++ zenity --error --title "$TITLE" --text="No username defined\!\r \
++\r\ \
++Please provide a username that can SSH to the master server and execute sudo."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: SSH username set."
++ SENSOR_CONFIRM_3="- Configure the sensors to report to $SERVERNAME.\n"
++ fi
++ done
++ ;;
++ *)
++ exit
++ ;;
++ esac
++
++
++
++fi
++
++#########################################
++# If server is enabled, ask for Sguil client username
++#########################################
++if [ $SERVER -eq 1 ]; then
++ USERNAME_CONFIRMED="no"
++ while [ $USERNAME_CONFIRMED = "no" ]; do
++ TEXT="Let's create our first user account.\n\
++\n\
++This account will be used when logging into Kibana, Squert, and Sguil.\n\
++\n\
++What would you like the username to be?\n\
++\n\
++Please use alphanumeric characters only.\n\
++\n\
++You can create other usernames later using so-user-add."
++ SGUIL_CLIENT_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
++ [ $? = 1 ] && exit 1
++ COMPRESSED="$(echo $SGUIL_CLIENT_USERNAME | sed -e 's/[^[:alnum:]]//g')"
++ if [ "$COMPRESSED" != "$SGUIL_CLIENT_USERNAME" ] || [ x$SGUIL_CLIENT_USERNAME = "x" ] ; then
++ zenity --error --title "$TITLE" --text="Invalid username\! \r \
++\r \
++Please use alphanumeric characters only."
++ else
++ USERNAME_CONFIRMED="yes"
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Sguil username set."
++ fi
++ done
++fi
++
++#########################################
++# If server is enabled, ask for and confirm password
++#########################################
++if [ $SERVER -eq 1 ]; then
++ SGUIL_CLIENT_PASSWORD_CONFIRMED="no"
++ while [ $SGUIL_CLIENT_PASSWORD_CONFIRMED = "no" ]; do
++ TEXT="Now let's set the password for this first user account.\n\
++\n\
++This password will be used for Kibana, Squert, and Sguil.\n\
++\n\
++This password must be at least 6 characters.\n\
++\n\
++You can change this password later in the Sguil client or with so-user-passwd."
++ SGUIL_CLIENT_PASSWORD_1=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text`
++ [ $? = 1 ] && exit 1
++ if [ "${#SGUIL_CLIENT_PASSWORD_1}" -lt "6" ]; then
++ zenity --error --title "$TITLE" --text="Password must be at least 6 characters\!"
++ else
++ TEXT="Please confirm what you would like to set your password to."
++ SGUIL_CLIENT_PASSWORD_2=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text`
++ [ $? = 1 ] && exit 1
++ if [ "$SGUIL_CLIENT_PASSWORD_1" = "$SGUIL_CLIENT_PASSWORD_2" ]; then
++ SGUIL_CLIENT_PASSWORD_CONFIRMED="yes"
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Password set."
++ else
++ zenity --error --title "$TITLE" --text="Passwords didn't match\!"
++ fi
++ fi
++ done
++ SERVER_CONFIRM="- Create a Sguil server named $SGUIL_SERVER_NAME. \n"
++ SERVER_USER_CONFIRM="- Create a user account named $SGUIL_CLIENT_USERNAME.
\n"
++fi
++
++#########################################
++# If node is enabled, pick from 3 node types
++#########################################
++NODE="Master"
++if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -ne 1 ]; then
++ TEXT="To add to your existing deployment, please select a node type for this node.\n\
++\n\
++Forward Nodes generate and collect logs and forward them to the master server.\n\
++Full packet capture remains on Forward Nodes.\n\
++Forward Nodes do not run any Elastic stack processes.\n\
++Forward Nodes require less hardware than Heavy Nodes, but typically use more network bandwidth.\n\
++\n\
++Heavy Nodes generate and collect logs and store them locally.\n\
++Heavy Nodes run Elasticsearch and Logstash.\n\
++The master server queries Heavy Nodes via cross cluster search.\n\
++Heavy Nodes require more hardware than Forward Nodes, but typically use less network bandwidth.\n\
++\n\
++Storage Nodes do not generate logs themselves but simply extend the storage of the master server.\n\
++They require that the master server has already been configured to load balance to additional Storage Nodes.\n\
++Storage Nodes run Elasticsearch and Logstash.\n\
++The master server queries Storage Nodes via cross cluster search.\n"
++ NODE=`zenity --height=450 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Forward FALSE Heavy FALSE Storage`
++ case $NODE in
++ Forward)
++ SENSOR=1
++ FORWARD="yes"
++ ELASTIC_ACTION_CONFIRM="- Forward logs to master server.\n"
++ ;;
++ Heavy)
++ SENSOR=1
++ ;;
++ Storage)
++ SENSOR=0
++ LOGSTASH_INPUT_REDIS="yes"
++ IDS_LB_PROCS_CONFIRM=""
++ BRO_LB_PROCS_CONFIRM=""
++ SENSOR_CONFIRM_3=""
++ ELASTIC_ACTION_CONFIRM="- Configure as Elastic storage node.\n"
++ ;;
++ *)
++ exit
++ ;;
++ esac
++fi
++
++#########################################
++# Best Practices or Custom
++#########################################
++if [ $ADVANCED_SETUP -eq 1 ] && [ $NODE != "Storage" ]; then
++TEXT="Best
Practices or Custom?\n\
++\n\
++If you'd like to use the Best Practices defaults, please select Best Practices.\n\
++\n\
++If you'd like to see all options, choose Custom."
++ CUSTOM=""
++ CUSTOM=`zenity --list --radiolist \
++ --column "1" --column "2" --hide-header --title="$TITLE" \
++ TRUE "Best Practices" FALSE "Custom" --text="$TEXT"`
++ [ $? = 1 ] && exit 1
++ [ "$CUSTOM" == "" ] && exit
++ [ "$CUSTOM" == "Custom" ] && CUSTOM="1" || CUSTOM="0"
++ if [ $CUSTOM -eq 0 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Best Practices."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Custom."
++ fi
++fi
++
++#########################################
++# ADVANCED SETUP - SERVER
++#########################################
++if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
++
++ if [ $CUSTOM -eq 1 ]; then
++ # Ask for DAYSTOKEEP
++ DAYSTOKEEP_CONFIRMED="no"
++ while [ $DAYSTOKEEP_CONFIRMED = "no" ]; do
++ DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of data do you want to keep in your Sguil database?\n\nThis includes things like IDS alerts, PADS events, and PRADS session data.\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30`
++ [ $? = 1 ] && exit 1
++ COMPRESSED="$(echo $DAYSTOKEEP | sed -e 's/[^[:digit:]]//g')"
++ if [ "$COMPRESSED" != "$DAYSTOKEEP" ] || [ x$DAYSTOKEEP = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
++ else
++ DAYSTOKEEP_CONFIRMED="yes"
++ fi
++ done
++
++ # Ask for DAYSTOREPAIR
++ DAYSTOREPAIR_CONFIRMED="no"
++ while [ $DAYSTOREPAIR_CONFIRMED = "no" ]; do
++ DAYSTOREPAIR=`zenity --entry --title "$TITLE" --text="How many days of data do you want to repair in your Sguil database?\n\nA daily cronjob stops Sguil, repairs the MySQL tables for the last X days, and then starts Sguil back up.\n\nIf you choose a higher value, Sguil will be down for longer.\n\nIf you need to change this later, you can change DAYSTOREPAIR in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 7 days." --entry-text=7`
++ [ $? = 1 ] && exit 1
++ COMPRESSED="$(echo $DAYSTOREPAIR | sed -e 's/[^[:digit:]]//g')"
++ if [ "$COMPRESSED" != "$DAYSTOREPAIR" ] || [ x$DAYSTOREPAIR = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
++ else
++ DAYSTOREPAIR_CONFIRMED="yes"
++ fi
++ done
++ fi
++
++ # Ask which IDS ruleset to use.
++ TEXT="Which IDS ruleset would you like to use?\n\
++\n\
++This master server is responsible for downloading the IDS ruleset from the Internet.\n\
++\n\
++Sensors then pull a copy of this ruleset from the master server.\n\
++\n\
++If you select a commercial ruleset, it is your responsibility to purchase enough licenses\n\
++for all of your sensors in compliance with your vendor's policies.\n"
++ IDS_RULESET=`zenity --width=750 --height=350 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?"
--hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \
++ TRUE "ETOPEN" "Emerging Threats Open" "no oinkcode required" \
++ FALSE "ETPRO" "Emerging Threats PRO" "requires ETPRO oinkcode" \
++ FALSE "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset" "requires Snort Subscriber oinkcode" \
++ FALSE "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy" "requires Snort Subscriber oinkcode" `
++
++ case $IDS_RULESET in
++ ETOPEN)
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Emerging Threats Open ruleset."
++ IDS_RULESET_ACTION="- Download Emerging Threats Open ruleset.\n"
++ ;;
++ ETPRO)
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting ETPRO ruleset."
++ TEXT="Please enter your Emerging Threats Pro oinkcode.\n\nIf you don't already have one, you can purchase one from http://www.emergingthreatspro.com/."
++ OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"`
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Entered ETPRO oinkcode $OINKCODE"
++ IDS_RULESET_ACTION="- Download ETPRO ruleset using oinkcode $OINKCODE.\n"
++ ;;
++ TALOS)
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy."
++ TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
++ OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"`
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
++ TALOS_POLICY=`zenity --list --radiolist --hide-header --column="1" --column="2" --text="Please choose a Snort Subscriber (Talos) policy."
--title "$TITLE" \
++ FALSE "connectivity" \
++ FALSE "balanced" \
++ FALSE "security" `
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Snort Subscriber (Talos) policy $TALOS_POLICY"
++ IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Set Snort Subscriber (Talos) policy to $TALOS_POLICY.\n"
++ ;;
++ TALOSET)
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) and Emerging Threats NoGPL ruleset."
++ TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
++ OINKCODE=`zenity --entry --title "$TITLE" --text="$TEXT"`
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
++ IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n"
++ ;;
++ *)
++ [ $? = 1 ] && exit 1
++ ;;
++ esac
++
++ # Ask which IDS engine to use.
++ TEXT="Which IDS Engine would you like to use?\n\
++\n\
++For best results, use the corresponding engine for the ruleset you chose in the previous screen.\n\
++\n\
++For example, if you chose the Snort Talos ruleset, you should probably choose the Snort engine.\n\
++\n\
++Likewise, if you chose an Emerging Threats ruleset, you should probably choose the Suricata engine.\n"
++ IDS_ENGINE=`zenity --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Snort FALSE Suricata`
++ #[ -z $IDS_ENGINE ]
++ [ $? = 1 ] && exit 1
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected $IDS_ENGINE."
++
++ # End of ADVANCED SETUP - SERVER
++fi
++
++#########################################
++# Network Sensor Services
++#########################################
++if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
++TEXT="Network sensor services include:\n\
++\n\
++- Snort or Suricata for NIDS alerts\n\
++- Bro for protocol logging\n\
++- netsniff-ng for full packet capture\n\
++\n\
++For best performance, we recommend disabling network sensor services on master servers.\n\
++\n\
++Would you like to enable or disable network sensor services?"
++ SENSOR=""
++ SENSOR=`zenity --list --radiolist \
++ --column "1" --column "2" --hide-header --title="$TITLE" \
++ TRUE "Enable network sensor services" FALSE "Disable network sensor services" --text="$TEXT"`
++ [ $? = 1 ] && exit 1
++ [ "$SENSOR" == "" ] && exit
++ [ "$SENSOR" == "Enable network sensor services" ] && SENSOR="1" || SENSOR="0"
++fi
++
++#########################################
++# ADVANCED SETUP - SENSOR
++#########################################
++if [ $ADVANCED_SETUP -eq 1 ] && [ $SENSOR -eq 1 ]; then
++
++ # Remove "-c" from PCAP_OPTIONS for better performance on production networks
++ PCAP_OPTIONS=""
++
++ # Ask for PF_RING_SLOTS
++ PF_RING_SLOTS_CONFIRMED="no"
++ while [ $PF_RING_SLOTS_CONFIRMED = "no" ]; do
++ PF_RING_SLOTS=`zenity --entry --title "$TITLE" --text="What would you like to set PF__RING min__num__slots to?\n\nThe default is 4096. For busy networks, you may want to increase this to a higher number like 65534.\n\nIf you need to change this later, you can modify /etc/modprobe.d/pf__ring.conf and reload the pf_ring module." --entry-text=4096`
++ [ $? = 1 ] && exit 1
++ COMPRESSED="$(echo $PF_RING_SLOTS | sed -e 's/[^[:digit:]]//g')"
++ if [ "$COMPRESSED" != "$PF_RING_SLOTS" ] || [ x$PF_RING_SLOTS = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: PF_RING min_num_slots set to $PF_RING_SLOTS."
++ PF_RING_SLOTS_CONFIRMED="yes"
++ fi
++ done
++
++ # Ask which interface(s) to listen on
++ if [ $NUM_INTERFACES -gt 1 ]; then
++ TEXT="Which network interface(s) should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your monitor interfaces are already selected."
++ INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort`
++ if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then
++ [ $? = 1 ] && exit 1
++ CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces`
++ INPUT=`for i in $INTERFACES; do
++ if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then
++ echo -n "TRUE $i "
++ else
++ echo -n "FALSE $i "
++ fi
++ done`
++ else
++ INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done`
++ fi
++ INTERFACES=`zenity --list --checklist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'`
++ if [ "$INTERFACES" = "" ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
++ exit
++ fi
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES."
++ fi
++ SENSOR_CONFIRM_1="- Monitor each of the following interfaces:\n"
++ SENSOR_CONFIRM_2="$INTERFACES\n"
++
++ # Determine number of cores and use that as a maximum value for IDS/Bro processes to run
++ LIST=`seq 1 $CALCD_CORES`; SELECTIONS=`for i in $LIST; do echo "FALSE $i"; done`
++
++ if [ $CUSTOM -eq 1 ]; then
++ # IDS Engine
++ TEXT="The IDS Engine (Snort/Suricata) listens on the interfaces\n\
++specified on the previous screen and logs IDS alerts.\n\
++\n\
++Would you like to enable the IDS Engine?"
++ YES="Yes, enable the IDS Engine!"
++ NO="No, disable the IDS Engine."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling IDS Engine."
++ IDS_ENGINE_ENABLED="no"
++ BARNYARD2_ENABLED="no"
++ SNORT_AGENT_ENABLED="no"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling IDS Engine."
++ fi
++ fi
++
++ # IDS Engine Procs
++ if [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then
++ TEXT="How many IDS engine processes would you like to run?\n\
++\n\
++Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES IDS engine processes per interface.\n\
++\n\
++If you need to change this setting later, change IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf"
++ IDS_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"`
++ if [ "$IDS_LB_PROCS" = "" ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
++ exit
++ fi
++ if [ "$CALCD_CORES" -gt 1 ]; then
++ IDS_LB_PROCS_CONFIRM="- Run $IDS_LB_PROCS load-balanced IDS engine processes per interface.\n"
++ else
++ IDS_LB_PROCS=1
++ IDS_LB_PROCS_CONFIRM="- Run a a single IDS engine process per interface.\n"
++ fi
++ else
++ IDS_LB_PROCS=$CALCD_CORES
++ if [ "$CALCD_CORES" -gt 1 ]; then
++ IDS_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced IDS engine processes per interface.\n"
++ else
++ IDS_LB_PROCS=1
++ IDS_LB_PROCS_CONFIRM="- Run a single IDS engine process per interface.\n"
++ fi
++ fi
++ # Ask if user would like to configure a custom HOME_NET
++ if [ "$IDS_ENGINE_ENABLED" == "yes" ]; then
++ HOME_NET_CONFIRMED="no"
++ while [ "$HOME_NET_CONFIRMED" == "no" ];do
++ TEXT="What would you like to configure HOME__NET as?\n\n\Add a comma (no space) after each address range.\n\n\Ex. 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
++ HOME_NET=`zenity --title="$TITLE" --text="$TEXT" --entry --entry-text="$HOME_NET"`
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting Setup."
++ exit 1
++ else
++ if [ "$HOME_NET" == "" ]; then
++ zenity --error --title "$TITLE" --text="Please provide a value for HOME_NET!"
++ else
++ HOME_NET_CONFIRMED="yes"
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked OK. Configuring HOME_NET as $HOME_NET."
++ fi
++ fi
++ done
++ fi
++ IDS_HOME_NET_CONFIRM="- Configure IDS HOME_NET as: $HOME_NET.\n"
++ if [ $CUSTOM -eq 1 ]; then
++ # Bro
++ TEXT="Bro listens on the chosen interfaces and writes protocol logs.\n\
++\n\
++Would you like to enable Bro?"
++ YES="Yes, enable Bro!"
++ NO="No, disable Bro."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Bro."
++ BRO_ENABLED="no"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Bro."
++ fi
++
++ # Bro file extraction
++ if [ "$BRO_ENABLED" == "yes" ]; then
++ TEXT="Bro can extract files (EXEs by default) from your network traffic.\n\nIf enabled, EXEs will be stored in /nsm/bro/extracted/.\n\nWould you like to enable file extraction?"
++ YES="Yes, enable file extraction!"
++ NO="No, disable file extraction."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling file extraction"
++ EXTRACT_FILES="no"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling file extraction."
++ EXTRACT_FILES="yes"
++ fi
++ fi
++ fi
++
++ # BRO_LB_PROCS
++ if [ "$BRO_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then
++ TEXT="How many Bro processes would you like to run?\n\
++\n\
++Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES Bro processes per interface.
++\n\
++If you need to change this setting later, you can change the lb_procs variable in /opt/bro/etc/node.cfg."
++ BRO_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"`
++ if [ "$BRO_LB_PROCS" = "" ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
++ exit
++ fi
++ if [ "$CALCD_CORES" -gt 1 ]; then
++ BRO_LB_PROCS_CONFIRM="- Run $BRO_LB_PROCS load-balanced Bro processes per interface.\n"
++ else
++ BRO_LB_PROCS=1
++ BRO_LB_PROCS_CONFIRM="- Run a a single Bro process per interface.\n"
++ fi
++ else
++ BRO_LB_PROCS=$CALCD_CORES
++ if [ "$CALCD_CORES" -gt 1 ]; then
++ BRO_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced Bro processes per interface.\n"
++ else
++ BRO_LB_PROCS=1
++ BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n"
++ fi
++ fi
++
++ if [ $CUSTOM -eq 1 ]; then
++
++ # PCAP
++ TEXT="Full packet capture writes all monitored traffic to disk.\n\
++\n\
++Full packet capture requires lots of disk space,\n\
++but gives you lots of forensic capabilities\n\
++and is therefore highly recommended!\n\
++\n\
++Would you like to enable full packet capture?"
++ YES="Yes, enable full packet capture!"
++ NO="No, disable full packet capture."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling full packet capture."
++ PCAP_ENABLED="no"
++ PCAP_AGENT_ENABLED="no"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling full packet capture."
++ fi
++
++ # Ask for PCAP_SIZE
++ if [ "$PCAP_ENABLED" == "yes" ]; then
++
++ # Ask for PCAP_SIZE
++ PCAP_SIZE_CONFIRMED="no"
++ while [ $PCAP_SIZE_CONFIRMED = "no" ]; do
++ PCAP_SIZE=`zenity --entry --title "$TITLE" --text="How big do you want your pcap files to be?\n\nPlease enter an integer in Megabytes (MB). The default is 150 MB." --entry-text=150`
++ [ $?
= 1 ] && exit
++ COMPRESSED="$(echo $PCAP_SIZE | sed -e 's/[^[:digit:]]//g')"
++ if [ "$COMPRESSED" != "$PCAP_SIZE" ] || [ x$PCAP_SIZE = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP size set to $PCAP_SIZE."
++ PCAP_SIZE_CONFIRMED="yes"
++ fi
++ done
++
++ # Ask about MMAP
++ TEXT="netsniff-ng defaults to using scatter/gather pcap file I/O.\n\
++\n\
++For higher performance, you can enable mmap I/O, but this requires more RAM.\n\
++\n\
++Would you like to enable mmap I/O?"
++ YES="Yes, enable mmap I/O!"
++ NO="No, use default scatter/gather I/O."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 1 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Using scatter/gather."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Using mmap I/O."
++ PCAP_OPTIONS="--mmap"
++ fi
++
++ # Ask for PCAP_RING_SIZE
++ PCAP_RING_SIZE_CONFIRMED="no"
++ while [ $PCAP_RING_SIZE_CONFIRMED = "no" ]; do
++ PCAP_RING_SIZE=`zenity --entry --title "$TITLE" --text="How large do you want your PCAP ring buffer?\n\nEach monitoring interface will have the specified amount allocated from RAM\nso be sure your system has enough memory. In the case of 4 sensor interfaces\nand a specified ring buffer of 1GB, 4GB of total RAM will be allocated for packet\nbuffering. For busy networks a ring buffer of at least 256MB is recommended.\n\nPlease enter an integer in Megabytes (MB). The default is 64 MB." --entry-text=64`
++ [ $? = 1 ] && exit
++ COMPRESSED="$(echo $PCAP_RING_SIZE | sed -e 's/[^[:digit:]]//g')"
++ if [ "$COMPRESSED" != "$PCAP_RING_SIZE" ] || [ x$PCAP_RING_SIZE = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only."
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP ring size set to $PCAP_RING_SIZE."
++ PCAP_RING_SIZE_CONFIRMED="yes"
++ fi
++ done
++ fi
++
++ # Ask for CRIT_DISK_USAGE
++ CRIT_DISK_USAGE_CONFIRMED="no"
++ while [ $CRIT_DISK_USAGE_CONFIRMED = "no" ]; do
++ CRIT_DISK_USAGE=`zenity --entry --title "$TITLE" --text="At what percent of disk usage would you like to begin purging old logs?\n\nPlease enter an integer between 10 and 100. The default is 90." --entry-text=90`
++ [ $? = 1 ] && exit
++ COMPRESSED="$(echo $CRIT_DISK_USAGE | sed -e 's/[^[:digit:]]//g')"
++ [ "$COMPRESSED" == "$CRIT_DISK_USAGE" ] &&
++ [ $CRIT_DISK_USAGE -gt 10 ] &&
++ [ $CRIT_DISK_USAGE -lt 100 ] &&
++ CRIT_DISK_USAGE_CONFIRMED="yes" ||
++ zenity --error --title "$TITLE" --text "Invalid percentage! Please use integers between 0 and 100."
++ done
++ let WARN_DISK_USAGE=${CRIT_DISK_USAGE}-10
++ [ $DEBUG -eq 1 ] && echo "DEBUG: CRIT_DISK_USAGE set to $CRIT_DISK_USAGE."
++ fi # End of CUSTOM
++
++fi # End of ADVANCED SETUP - SENSOR
++
++#########################################
++# Ask whether or not to use SALT
++#########################################
++# Check to see if the securityonion-onionsalt package is installed
++if [ $ADVANCED_SETUP -eq 1 ] && dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then
++ SALT="yes"
++ if [ $CUSTOM -eq 1 ]; then
++TEXT="Salt can be enabled to help manage your entire Security Onion deployment.\n\
++\n\
++By default, Salt will automatically keep the following updated:\n\
++* OS user accounts\n\
++* SSH keys for those user accounts\n\
++* IDS rulesets\n\
++\n\
++Salt can also be used for remote execution, so you can run a command\n\
++and have it execute on all boxes across your deployment.\n\
++\n\
++Would you like to enable Salt?"
++ YES="Yes, enable Salt!"
++ NO="No, disable Salt"
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 0 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Enable Salt."
++ SALT="yes"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Disable Salt."
++ SALT="no"
++ fi
++ fi
++fi
++
++#########################################
++# Ask whether or not to use Elastic
++#########################################
++if [ $CUSTOM -eq 1 ]; then
++TEXT="The Elastic Stack is a platform for data ingestion, formatting, and visualization.\n\
++built on ElasticSearch, Logstash, and Kibana. Our customized stack also includes \n\
++the use of DomainStats, FreqServer, Curator, and Elastalert.\n\
++\n\
++It provides a distributed database with a web-based interface\n\
++for hunting through your logs, including:\n\
++* Bro logs\n\
++* OSSEC alerts/logs\n\
++* Snort/Suricata logs\n\
++* standard syslog\n\
++\n\
++If this is a node installation, you can store logs in a local Elasticsearch\n\
++database or you can forward to your master server.\n\
++For either of these options, choose Yes.\n\
++\n\
++Would you like to enable the Elastic Stack?"
++ YES="Yes, enable the Elastic Stack."
++ NO="No, disable the Elastic Stack."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 0 ]; then
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Enable Elastic Stack."
++ ELASTIC="yes"
++ else
++ [ $DEBUG -eq 1 ] && echo "DEBUG: Disable Elastic Stack."
++ ELASTIC="no"
++ fi
++fi
++
++#########################################
++# Configure master to output to redis?
++#########################################
++if [ "$ELASTIC" = "yes" ] && [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
++ TEXT="By default, the master server stores logs in its own local Elasticsearch database via a local Logstash instance.\n\
++\n\
++If you want to forward logs from multiple nodes to this master server, then you may overwhelm those single instances of Logstash and Elasticsearch.\n\
++You may want to consider load balancing these forwarded logs to additional storage nodes.\n\
++\n\
++Would you like to store logs locally on $HOSTNAME?"
++ YES="Yes, store logs locally."
++ NO="No, I will add storage nodes for load balancing."
++ zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
++ ANSWER="$?"
++ if [ $ANSWER -eq 0 ]; then
++ LOGSTASH_OUTPUT_REDIS="no"
++ else
++ LOGSTASH_OUTPUT_REDIS="yes"
++ FORWARD_CONFIRM="- Load balance to additional storage nodes."
++ fi
++fi
++
++#########################################
++# ES LOG_SIZE_LIMIT
++#########################################
++if [ "$ELASTIC" = "yes" ] && [ $ADVANCED_SETUP -eq 1 ] && [ "$FORWARD" != "yes" ] && [ "$LOGSTASH_OUTPUT_REDIS" != "yes" ]; then
++ LOG_SIZE_LIMIT_CONFIRMED="no"
++ while [ $LOG_SIZE_LIMIT_CONFIRMED = "no" ]; do
++ LOG_SIZE_LIMIT_GB=`zenity --entry --title "$TITLE" --text="How much disk space (in GigaBytes) should be allocated for Elasticsearch to store logs?\n\
++\n\
++Please enter an integer greater than 0.\n\
++\n\
++Please make sure that the value you set here is less than the size of your disk!\n\
++\n\
++If you need to adjust this later, you can modify LOG__SIZE__LIMIT in /etc/nsm/securityonion.conf." --entry-text=$LOG_SIZE_LIMIT_GB`
++ [ $? = 1 ] && exit
++ if [ x$LOG_SIZE_LIMIT_GB = "x" ]; then
++ zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size."
++ else
++ COMPRESSED="$(echo $LOG_SIZE_LIMIT_GB | sed -e 's/[^[:digit:]]//g')"
++ [ "$COMPRESSED" == "$LOG_SIZE_LIMIT_GB" ] &&
++ [ $LOG_SIZE_LIMIT_GB -gt 0 ] &&
++ [ $LOG_SIZE_LIMIT_GB -lt $DISK_SIZE_GB ] &&
++ LOG_SIZE_LIMIT_CONFIRMED="yes" ||
++ zenity --error --title "$TITLE" --text "Invalid log size limit!\n\nPlease use integers greater than 0 and less than your disk size."
++ fi
++ done
++
++ let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000
++ [ $DEBUG -eq 1 ] && echo "DEBUG: LOG_SIZE_LIMIT set to $LOG_SIZE_LIMIT."
++fi
++
++# Set ELASTIC_ACTION_CONFIRM
++if [ "$ELASTIC" = "no" ]; then
++ ELASTIC_ACTION_CONFIRM="- Disable Elastic stack."
++else
++ if [ $SERVER -eq 1 ]; then
++ ELASTIC_ACTION_CONFIRM="- Configure Elastic Stack.\n"
++ else
++ if [ "$FORWARD" = "no" ]; then
++ ELASTIC_ACTION_CONFIRM="- Configure Elastic Stack cross cluster search.\n"
++ fi
++ fi
++fi
++
++#########################################
++# If just writing a file, do it and exit
++#########################################
++TEXT="$WRITEANSWERFILE has been saved."
++if [ "$WRITEANSWERFILE" ]; then
++ # write all the answers out
++ save
++ zenity --info --title="$TITLE" --text="$TEXT" --no-wrap
++ exit 0
++fi
++
++#########################################
++# Confirm all choices before proceeding
++#########################################
++# Last chance!
++TEXT="We're about to do the following:\n\
++- Set the OS timezone to UTC. \n\
++- Delete any existing NSM data/configuration. \n\
++$SERVER_CONFIRM\
++$SERVER_USER_CONFIRM\
++$SENSOR_CONFIRM_1\
++$SENSOR_CONFIRM_2\
++$SENSOR_CONFIRM_3\
++$IDS_LB_PROCS_CONFIRM\
++$BRO_LB_PROCS_CONFIRM\
++$IDS_RULESET_ACTION\
++$IDS_HOME_NET_CONFIRM\
++$ELASTIC_ACTION_CONFIRM\
++$FORWARD_CONFIRM\
++\n\
++We're about to make changes to your system!\n\
++\n\
++Would you like to continue?"
++YES="Yes, proceed with the changes!"
++NO="No, do not make changes!"
++zenity --question --no-wrap --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" ++ANSWER="$?" ++if [ $ANSWER -eq 1 ]; then ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Do not proceed." ++ exit ++else ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes to proceed with all changes." ++fi ++} ++ ++######################################### ++# Begin function CONFIGURE_SERVICES ++######################################### ++function CONFIGURE_SERVICES() { ++ ++######################################### ++# Remove old files ++######################################### ++rm -f /tmp/GeoIP.dat ++rm -f /tmp/GeoLiteCity.dat ++rm -f /tmp/GeoLiteCity.dat.gz ++[ -f /opt/bro/etc/node.cfg ] && rm -f /opt/bro/etc/node.cfg ++ ++######################################### ++# Create files/dirs as necessary ++######################################### ++touch $LOG ++touch $SENSORTAB ++mkdir -p /var/log/nsm/ ++ ++######################################### ++# Set OS timezone to UTC ++######################################### ++echo "2" ++echo "# Please wait while setting OS timezone to UTC..." | tee -a $LOG ++echo "Etc/UTC" > /etc/timezone ++dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 ++date >> $LOG 2>&1 ++ ++echo "4" ++echo "# Please wait while setting OSSEC timezone to UTC..." | tee -a $LOG ++cp /etc/localtime /var/ossec/etc/localtime ++chown root:ossec /var/ossec/etc/localtime ++ ++# If user enabled ELASTIC, configure OSSEC to send alerts to local syslog ++if [ "$ELASTIC" = "yes" ]; then ++grep "syslog_output" /var/ossec/etc/ossec.conf >/dev/null || sed -i 's| | \ ++ 127.0.0.1\ ++ \ ++\ ++ |g' /var/ossec/etc/ossec.conf ++/var/ossec/bin/ossec-control enable client-syslog ++fi ++ ++echo "6" ++echo "# Please wait while restarting OSSEC..." 
| tee -a $LOG ++service ossec-hids-server restart >> $LOG 2>&1 ++ ++######################################### ++# Stop all Sguil services and delete config ++######################################### ++echo "8" ++echo "# Please wait while stopping services..." | tee -a $LOG ++# Stop Elasticsearch and all other processes ++so-stop >> $LOG 2>&1 ++pkill suricata ++pkill snort ++pkill autossh ++# Delete any Elasticsearch or Logstash data ++rm -rf /nsm/elasticsearch/nodes ++rm -rf /nsm/logstash/queue/main/* ++rm -f /etc/elasticsearch/elasticsearch.yml ++# Make sure MySQL is running so that we can fully delete the NSM databases ++[ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1 ++# Uncomment any disabled sensors so that we can fully delete them ++sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB ++sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB ++# Delete all nsm configuration and data ++/usr/sbin/nsm_all_del_quick >> $LOG 2>&1 ++ ++# Delete any existing ELSA databases. ++if [ "$ELASTIC" = "yes" ]; then ++ if [ -d /var/lib/mysql/elsa_web/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 ++ fi ++ if [ -d /var/lib/mysql/syslog/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 ++ fi ++ if [ -d /var/lib/mysql/syslog_data/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 ++ fi ++fi ++ ++######################################### ++# MySQL tuning ++######################################### ++ ++# Make changes in /etc/mysql/conf.d/ ++mkdir -p /etc/mysql/conf.d/ ++ ++# https://code.google.com/p/security-onion/issues/detail?id=416 ++# sguild may try to open lots of files ++# (especially if you are sending prads session data into the sancp table) ++# so increase open_files_limit on master server ++if [ $SERVER -eq 1 ]; then ++ cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf ++[mysqld] ++open_files_limit = 90000 ++EOF ++fi ++ ++# 
https://code.google.com/p/security-onion/issues/detail?id=388 ++# http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql ++cat << EOF > /etc/mysql/conf.d/securityonion-ibdata1.cnf ++[mysqld] ++innodb_file_per_table ++EOF ++ ++# Restart mysql to make changes take effect ++pgrep -lf mysqld >/dev/null && service mysql restart >> $LOG 2>&1 ++ ++######################################### ++# PF_RING ++######################################### ++rmmod pf_ring >> $LOG 2>&1 ++echo "options pf_ring transparent_mode=0 min_num_slots=$PF_RING_SLOTS" > /etc/modprobe.d/pf_ring.conf ++ ++######################################### ++# Firewall ++# When enabling ufw over SSH, it says it might disrupt the SSH ++# connection and asks for confirmation, so we put in the "allow 22" first, ++# and then echo "y" into the "ufw enable". ++######################################### ++# Open port 22 for remote administration ++ufw allow 22/tcp >> $LOG 2>&1 ++# Enable ufw if not already enabled ++echo "y" | ufw enable >> $LOG 2>&1 ++ ++######################################### ++# HIDS Sensor ++######################################### ++SENSORNAME="$HOSTNAME-ossec" ++sed -i "s|^set HOSTNAME.*$|set HOSTNAME $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf ++sed -i "s|^set NET_GROUP.*$|set NET_GROUP $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf ++sed -i "s|^set SERVER_HOST.*$|set SERVER_HOST $SERVERNAME|g" /etc/nsm/ossec/ossec_agent.conf ++pkill -f ossec_agent ++ ++######################################### ++# Add the Sguil server if necessary ++######################################### ++if [ $SERVER -eq 1 ]; then ++ # If this box was previously a slave, we need to remove securityonion_ssh.conf ++ rm -f /root/.ssh/securityonion_ssh.conf ++ echo "10" ++ echo "# Please wait while creating the Sguil server..." 
| tee -a $LOG ++ /usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1 ++fi ++ ++######################################### ++# If not master server, configure SSH Key authentication to master server ++######################################### ++if [ "$SERVER" -ne 1 ]; then ++ ++ # Create an ssh keypair ++ mkdir -p $SSH_DIR ++ [ -f "$KEY" ] && mv $KEY $KEY.old ++ ssh-keygen -f "$KEY" -N '' >> $LOG 2>&1 ++ chmod 600 "$KEY"* ++ if [ "$OUTPUT" = "gui" ]; then ++ # ssh-copy-id needs to get new HOME directory using sudo -i ++ xfce4-terminal -x sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME ++ else ++ # ssh-copy-id needs to get new HOME directory using sudo -i ++ sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME ++ fi ++ ++ # Need to open ports in server firewall to allow connections from sensor ++ echo "IPADDRESS=\`who -m --ips | awk '{print \$5}' |cut -d\( -f2 | cut -d\) -f1\`" >> $SOSETUPSCP ++ echo "ufw allow proto tcp from \$IPADDRESS to any port 22,4505,4506,7736" >> $SOSETUPSCP ++ ++ # Copy the script over ++ scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1 ++ ++ # Run the script on the master server using sudo ++ if [ "$OUTPUT" = "gui" ]; then ++ xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP ++ else ++ ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1 ++ fi ++ ++ # Cleanup ++ rm -f $SOSETUPSCP ++ ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 ++ ++ # Backup existing files ++ mkdir -p /etc/nsm/rules/backup/ ++ cp /etc/nsm/rules/downloaded.rules /etc/nsm/rules/backup/downloaded.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 ++ cp /etc/nsm/rules/local.rules /etc/nsm/rules/backup/local.rules.`date 
+%Y%m%d%H%M%S` >> $LOG 2>&1 ++ cp /etc/nsm/rules/so_rules.rules /etc/nsm/rules/backup/so_rules.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 ++ cp /etc/nsm/rules/sid-msg.map /etc/nsm/rules/backup/sid-msg.map.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 ++ cp /etc/nsm/rules/threshold.conf /etc/nsm/rules/backup/threshold.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 ++ cp /etc/nsm/rules/bpf.conf /etc/nsm/rules/backup/bpf.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 ++ ++ # Copy files from server ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/downloaded.rules /etc/nsm/rules/downloaded.rules >> $LOG 2>&1 ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/local.rules /etc/nsm/rules/local.rules >> $LOG 2>&1 ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/so_rules.rules /etc/nsm/rules/so_rules.rules >> $LOG 2>&1 ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/sid-msg.map /etc/nsm/rules/sid-msg.map >> $LOG 2>&1 ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/threshold.conf /etc/nsm/rules/threshold.conf >> $LOG 2>&1 ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/bpf.conf /etc/nsm/rules/bpf.conf >> $LOG 2>&1 ++ ++ # Set IDS_ENGINE variable ++ scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/securityonion.conf $SECURITYONION_CONF_MASTER >> $LOG 2>&1 ++ IDS_ENGINE=`grep ENGINE $SECURITYONION_CONF_MASTER 2>/dev/null | cut -d\= -f2` ++ rm -f $SECURITYONION_CONF_MASTER ++ ++ # Save configuration ++ echo "SSH_USERNAME=$SSH_USERNAME" > $SSH_CONF ++ echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF ++fi ++ ++######################################### ++# Network Sensor(s) if necessary ++######################################### ++if [ $SENSOR -eq 1 ]; then ++echo "15" ++echo "# Please wait while creating Sguil sensor(s)..." 
| tee -a $LOG ++BY2PORT=8000 ++HOST_ORIG=`hostname` ++HOSTNAME=${HOST_ORIG,,} ++ ++# NIDS sensor(s) ++for INTERFACE in $ALL_INTERFACES; do ++ SENSORNAME="$HOSTNAME-$INTERFACE" ++ echo "# Please wait while creating Sguil sensor: $SENSORNAME..." | tee -a $LOG ++ [ $DEBUG -eq 1 ] && echo "DEBUG: Adding Sensor $INTERFACE." ++ ++ # Add the sensor ++ /usr/sbin/nsm_sensor_add --sensor-name="$SENSORNAME" --sensor-interface="$INTERFACE" --sensor-interface-auto=no \ ++ --sensor-server-host="$SERVERNAME" --sensor-server-port=7736 \ ++ --sensor-barnyard2-port=$BY2PORT --sensor-auto=yes --sensor-utc=yes \ ++ --sensor-vlan-tagging=no --sensor-net-group="$SENSORNAME" --force-yes >> $LOG 2>&1 ++ ++ # Increment the Barnyard2 port number by 100 ++ let BY2PORT=BY2PORT+100 ++ ++ # Copy our customized snort.conf (and associated files) into place ++ cp /etc/nsm/templates/snort/attribute_table.dtd /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 ++ cp /etc/nsm/templates/snort/snort.conf /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 ++ cp /etc/nsm/templates/snort/unicode.map /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 ++ cp /etc/nsm/templates/suricata/suricata.yaml.in /etc/nsm/"$SENSORNAME"/suricata.yaml >> $LOG 2>&1 ++ ++ # Grab MTU for interface(s) and add 24 to snaplen for VLAN-tagging, etc ++ MTU=`cat /sys/class/net/$INTERFACE/mtu` ++ MTU_FIN=`echo $(($MTU+24))` ++ ++ # Write IDS config to files ++ sed -i "s|# config snaplen:|config snaplen: $MTU_FIN|g" /etc/nsm/"$SENSORNAME"/snort.conf ++ sed -i "s|^ipvar HOME_NET.*|ipvar HOME_NET \[$HOME_NET\]|g" /etc/nsm/"$SENSORNAME"/snort.conf ++ sed -i "s|classification-file: /etc/suricata/classification.config|classification-file: /etc/nsm/$SENSORNAME/classification.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s|reference-config-file: /etc/suricata/reference.config|reference-config-file: /etc/nsm/$SENSORNAME/reference.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s|# threshold-file: /etc/suricata/threshold.config|threshold-file: 
/etc/nsm/$SENSORNAME/threshold.conf|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s|filename: unified2.alert|filename: snort.unified2|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ #sed -i "s|threads: 1|threads: $IDS_LB_PROCS|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s|interface: eth0|interface: $INTERFACE|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s|cluster-id: 99|cluster-id: $BY2PORT|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ sed -i "s| HOME_NET:.*| HOME_NET: \"[$HOME_NET]\"|g" /etc/nsm/"$SENSORNAME"/suricata.yaml ++ mkdir -p /usr/local/lib/snort_dynamicrules ++ ++ # /etc/nsm/rules/ ++ if [ ! -f /etc/nsm/rules/bpf.conf ]; then touch /etc/nsm/rules/bpf.conf; fi ++ if [ ! -f /etc/nsm/rules/threshold.conf ]; then cp /etc/nsm/templates/snort/threshold.conf /etc/nsm/rules/; fi ++ if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi ++ if [ ! -f /etc/nsm/rules/classification.config ]; then ++ grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config |sort -u > /etc/nsm/rules/classification.config ++ fi ++ if [ ! 
-f /etc/nsm/rules/reference.config ]; then ++ grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config |sort -u > /etc/nsm/rules/reference.config ++ fi ++ ++ # Create symbolic links for bpf.conf, threshold.conf, sid-msg.map, gen-msg.map, classification.config, and reference.config ++ for FILENAME in bpf.conf threshold.conf sid-msg.map gen-msg.map classification.config reference.config ++ do ++ rm -f /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1 ++ ln -s /etc/nsm/rules/$FILENAME /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1 ++ done ++ ++ # Create symbolic links for individual bpf-*.conf files pointing to the sensor bpf.conf (which points to the GLOBAL bpf.conf) ++ cd /etc/nsm/"$SENSORNAME" ++ for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf bpf-prads.conf ++ do ++ ln -s bpf.conf $FILENAME >> $LOG 2>&1 ++ done ++ cd - >/dev/null ++ ++ # Add options to sensor.conf ++ echo "PCAP_OPTIONS=\"$PCAP_OPTIONS\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PCAP_SIZE=${PCAP_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PCAP_RING_SIZE=${PCAP_RING_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "IDS_LB_PROCS=$IDS_LB_PROCS" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PCAP_ENABLED=\"$PCAP_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PCAP_AGENT_ENABLED=\"$PCAP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "SNORT_AGENT_ENABLED=\"$SNORT_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "IDS_ENGINE_ENABLED=\"$IDS_ENGINE_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "BARNYARD2_ENABLED=\"$BARNYARD2_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PRADS_ENABLED=\"$PRADS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "SANCP_AGENT_ENABLED=\"$SANCP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "PADS_AGENT_ENABLED=\"$PADS_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "ARGUS_ENABLED=\"$ARGUS_ENABLED\"" >> 
/etc/nsm/"$SENSORNAME"/sensor.conf ++ echo "HTTP_AGENT_ENABLED=\"$HTTP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf ++ ++ # Create symbolic link for sensor rules directory on server ++ # Since a user may have as many Snort/Suricata instances as they have CPU cores, ++ # we need to create a symbolic link for each and every CPU core. ++ if [ "$SERVERNAME" = "localhost" ]; then ++ ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME" >> $LOG 2>&1 ++ for i in `seq 1 $CORES`; do ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME"-$i >> $LOG 2>&1; done ++ else ++ echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME" >> $SOSETUPSCP ++ for i in `seq 1 $CORES`; do ++ echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME-$i" >> $SOSETUPSCP ++ done ++ fi ++ ++ # Configure snort.conf to log statistics to /nsm/sensor_data/"$SENSORNAME"/snort.stats ++ sed -i "s|# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000|preprocessor perfmonitor: time 300 file /nsm/sensor_data/"$SENSORNAME"/snort.stats pktcnt 10000|" /etc/nsm/"$SENSORNAME"/snort.conf >> $LOG 2>&1 ++ ++ # Setup should create snort.stats to prevent Sguil errors when running Suricata ++ # http://code.google.com/p/security-onion/issues/detail?id=257 ++ touch /nsm/sensor_data/"$SENSORNAME"/snort.stats ++ ++done ++ ++# We just enabled all available interfaces in /etc/nsm/sensortab. ++# Now we need to go back and disable any unwanted interfaces. ++INTERFACES_CSV=`for i in $INTERFACES; do echo -n "$i,"; done` ++for INTERFACE in $ALL_INTERFACES; do ++ if echo $INTERFACES_CSV | grep "$INTERFACE," >/dev/null 2>&1; then ++ echo "Leaving $INTERFACE as-is (enabled)." >> $LOG 2>&1 ++ else ++ echo "$INTERFACE not found in selected interfaces. Disabling." 
>> $LOG 2>&1 ++ sed -i "s|^$HOSTNAME-$INTERFACE|#$HOSTNAME-$INTERFACE|g" /etc/nsm/sensortab ++ fi ++done ++ ++# Bro ++if grep -v "^#" $SENSORTAB > /dev/null; then ++ # If user selected Quick Setup, do standalone config. ++ # Otherwise, do cluster config. ++ if [ $ADVANCED_SETUP -eq 0 ]; then ++ # standalone config ++ INTERFACE=`grep -v "^#" $SENSORTAB | awk '{print $4}'` ++ cat << EOF > /opt/bro/etc/node.cfg ++[bro] ++type=standalone ++host=localhost ++interface=$INTERFACE ++EOF ++ else ++ # User selected Advanced Setup, so do cluster config ++ cat << EOF > /opt/bro/etc/node.cfg ++[manager] ++type=manager ++host=localhost ++ ++[proxy] ++type=proxy ++host=localhost ++ ++EOF ++ # Don't need to change to IP address anymore ++ #IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` ++ #sed -i "s|host=localhost|host=$IP|g" /opt/bro/etc/node.cfg ++ ++ # Go ahead and populate the file with all available interfaces ++ # Comment out inactive interfaces ++ # grep -v "^#" $SENSORTAB | awk '{print $1}' |while read SENSOR ++ for INTERFACE in $ALL_INTERFACES; do ++ if echo $INTERFACES_CSV |grep "$INTERFACE," >/dev/null 2>&1; then ++ echo "* Configuring Bro to monitor $INTERFACE" >> $LOG 2>&1 ++ cat << EOF >> /opt/bro/etc/node.cfg ++[$HOSTNAME-$INTERFACE] ++type=worker ++host=localhost ++interface=$INTERFACE ++lb_method=pf_ring ++lb_procs=$BRO_LB_PROCS ++ ++EOF ++ else ++ cat << EOF >> /opt/bro/etc/node.cfg ++#[$HOSTNAME-$INTERFACE] ++#type=worker ++#host=localhost ++#inter#face=$INTERFACE ++#lb_method=pf_ring ++#lb_procs=$BRO_LB_PROCS ++ ++EOF ++ fi ++ done ++ ++ # Bro 2.2 should support PF_RING on multiple interfaces properly now, so comment this out. 
++ # If monitoring more than one interface, disable PF_RING:
++ # http://securityonion.blogspot.com/2013/02/important-note-for-those-monitoring.html
++ #if [ `echo $INTERFACES | wc -w` -gt 1 ]; then
++ # sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
++ # sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
++ #fi
++ fi
++ # Finished with node.cfg
++ # Now update networks.cfg
++ sed -i '1,4!d' /opt/bro/etc/networks.cfg
++ echo $HOME_NET | tr , '\n\\' >> /opt/bro/etc/networks.cfg
++ # update broctl.cfg
++ if grep "nsm" /opt/bro/etc/broctl.cfg >/dev/null; then
++ echo "/opt/bro/etc/broctl.cfg already contains nsm" >> $LOG 2>&1
++ else
++ # Before Bro 2.4, broctl.cfg defaulted to /var/opt/bro/
++ sed -i 's|SpoolDir = /var/opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg
++ sed -i 's|LogDir = /var/opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg
++ # Starting with Bro 2.4, broctl.cfg defaults to /opt/bro/
++ sed -i 's|SpoolDir = /opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg
++ sed -i 's|LogDir = /opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg
++ fi
++ # Finished updating config files
++
++ # create the /nsm/bro/ directories
++ mkdir -p /nsm/bro/spool
++ mkdir -p /nsm/bro/logs
++ mkdir -p /nsm/bro/extracted
++
++ # Enable Bro file extraction
++ if [ "$EXTRACT_FILES" = "yes" ]; then
++ sed -i 's|^#@load file-extraction|@load file-extraction|g' /opt/bro/share/bro/site/local.bro
++ else
++ sed -i 's|^@load file-extraction|#@load file-extraction|g' /opt/bro/share/bro/site/local.bro
++ fi
++
++fi
++
++fi
++
++#########################################
++# /etc/nsm/securityonion.conf
++#########################################
++echo "20"
++echo "# Please wait while configuring $CONF..." | tee -a $LOG
++DATE=`date`
++IDS_ENGINE_LOWER=`echo ${IDS_ENGINE,,}`
++cat << EOF > $CONF
++# /etc/nsm/securityonion.conf
++# Generated by Security Onion Setup (sosetup) at $DATE
++
++# Which IDS engine would you like to run?
++ENGINE=$IDS_ENGINE_LOWER
++
++# How many days would you like to keep in the Sguil database archive?
++DAYSTOKEEP=$DAYSTOKEEP
++
++# How many days worth of tables would you like to repair every day?
++DAYSTOREPAIR=$DAYSTOREPAIR
++
++# At what percentage of disk usage should the NSM scripts warn you?
++WARN_DISK_USAGE=$WARN_DISK_USAGE
++
++# At what percentage of disk usage should the NSM scripts begin purging old data?
++CRIT_DISK_USAGE=$CRIT_DISK_USAGE
++
++# Do you want to run Bro? yes/no
++BRO_ENABLED=$BRO_ENABLED
++
++# BRO_USER specifies the user account used to start Bro.
++BRO_USER=sguil
++BRO_GROUP=sguil
++
++# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
++# Do you want to run the OSSEC Agent? yes/no
++OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED
++
++# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
++OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL
++
++# Do you want to run Xplico? yes/no
++XPLICO_ENABLED=$XPLICO_ENABLED
++
++# LOCAL_HIDS_RULE_TUNING
++# If set to no (default), this node will copy OSSEC rules from master server as-is (no changes).
++# If set to yes, this node will keep its own copy of the OSSEC rules.
++LOCAL_HIDS_RULE_TUNING=no
++
++# LOCAL_NIDS_RULE_TUNING
++# The effect of this option is different depending on whether this box is a server or not.
++# SERVER
++# LOCAL_NIDS_RULE_TUNING=yes
++# rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
++# LOCAL_NIDS_RULE_TUNING=no
++# rule-update will try to download rules from the Internet
++# SENSOR-ONLY
++# LOCAL_NIDS_RULE_TUNING=yes
++# rule-update will copy rules from master server and then try to run PulledPork locally for tuning
++# LOCAL_NIDS_RULE_TUNING=no
++# rule-update will copy rules from master server as-is (no changes)
++EOF
++
++#########################################
++# Download rules using Pulledpork
++#########################################
++if [ "$SERVERNAME" = "localhost" ]; then
++ echo "25"
++ echo "# Please wait while configuring IDS Ruleset..." | tee -a $LOG
++ # Start from a clean slate (pulledpork.conf.master)
++ # Here are the rule_url directives in pulledpork.conf.master:
++ # (note that the ET ruleset is uncommented and the other two are commented)
++
++ # #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
++ # #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
++ # rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
++ # #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|
++
++ cp /etc/nsm/templates/pulledpork/pulledpork.conf.master $PP_CONF >> $LOG 2>&1
++
++ # Start with the assumption that Internet is down
++ # If all necessary sites are up, then initiate PulledPork
++ INTERNET="DOWN"
++
++ case $IDS_RULESET in
++ ETOPEN)
++ echo "Already configured for Emerging Threats Open ruleset." >> $LOG 2>&1
++ # Test Internet access
++ curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
++ ;;
++ ETPRO)
++ echo "Configuring for ETPRO ruleset." >> $LOG 2>&1
++ # Snort is already disabled in pulledpork.conf.master
++ # Comment out emergingthreats.net
++ sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
++ # Un-comment emergingthreatspro.com
++ sed -i "s\#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|\rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
++ # Test Internet access
++ curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
++ ;;
++ TALOS)
++ echo "Configuring for Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy." >> $LOG 2>&1
++ # Comment out emergingthreats.net
++ sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
++ # Un-comment snort.org reg-rules
++ sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
++ # Un-comment snort.org community rules
++ sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
++ # Set Snort Subscriber (Talos) Policy.
++ sed -i "s|# ips_policy=security|ips_policy=$TALOS_POLICY|g" $PP_CONF >> $LOG 2>&1
++ # Test Internet access
++ curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
++ ;;
++ TALOSET)
++ echo "Configuring for Snort Subscriber (Talos) and Emerging Threats NoGPL rulesets" >> $LOG 2>&1
++ # Un-comment snort.org reg-rules
++ sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
++ # Un-comment snort.org community rules
++ sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
++ # Change open to open-nogpl
++ sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl\g' $PP_CONF >> $LOG 2>&1
++ # Test Internet access
++ curl -s $ET_URL >/dev/null 2>&1 && curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
++ ;;
++ esac
++
++ # Disable noisy Suricata rules
++ if ! grep "Security Onion Setup" /etc/nsm/pulledpork/disablesid.conf >/dev/null 2>&1; then
++cat << EOF >> /etc/nsm/pulledpork/disablesid.conf
++
++# Added by Security Onion Setup
++stream-events
++pcre:SURICATA\ ICMPv6
++EOF
++ fi
++
++ if [ "$INTERNET" = "UP" ]; then
++ echo "30"
++ echo "# Please wait while executing PulledPork to download rules..." | tee -a $LOG
++ echo "LOCAL_NIDS_RULE_TUNING=no" >> $CONF
++ date > /var/log/nsm/pulledpork.log
++ /usr/sbin/rule-update >> /var/log/nsm/pulledpork.log 2>&1
++ else
++ echo "LOCAL_NIDS_RULE_TUNING=yes" >> $CONF
++ echo "Can't reach rule download sites. Setting LOCAL_NIDS_RULE_TUNING to yes." >> $LOG 2>&1
++ fi
++fi
++
++#########################################
++# Apache configuration
++#########################################
++SSH_DIR="/root/.ssh"
++SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
++echo "35"
++if [ -f $SSH_CONF ]; then
++ # We are a SENSOR
++ echo "# Please wait while stopping and disabling Apache..." | tee -a $LOG
++ # Sensors don't need the Apache web server, so stop and disable it
++ service apache2 stop >> $LOG 2>&1
++ update-rc.d -f apache2 disable >> $LOG 2>&1
++else
++ # We are the MASTER.
++
++ # Make sure that the Apache web server is enabled
++ update-rc.d -f apache2 enable >> $LOG 2>&1
++
++ # Enable new securityonion site
++ a2ensite securityonion >> $LOG 2>&1
++
++ # Disable old default-ssl site
++ a2dissite default-ssl >> $LOG 2>&1
++
++ # Determine IP address to be used below in Squert database
++ IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
++
++ # Pivot from Squert to ELSA
++ #URL="https://$IP/elsa-query/?query_string=\"\${var}\"%20groupby:program"
++ # We can use a relative hyperlink now that Apache is proxying ELSA at /elsa-query
++ URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program"
++ HEXVAL=$(xxd -pu -c 256 <<< "$URL")
++ [ "$ELSA" = "YES" ] && mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');"
++
++ # Restart web server
++ apache2ctl restart >> $LOG 2>&1
++fi
++
++#########################################
++# Configure Salt
++#########################################
++echo "40"
++echo "# Please wait while configuring salt..." | tee -a $LOG
++if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then
++ if [ "$SALT" = "no" ]; then
++ # Stop both running salt services
++ service salt-master stop >> $LOG 2>&1
++ service salt-minion stop >> $LOG 2>&1
++ # Disable both salt services
++ [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override
++ [ -f /etc/init/salt-minion.conf ] && echo "manual" > /etc/init/salt-minion.override
++ # If the box had previously been configured with salt, we need to remove the cron job
++ [ -f /etc/cron.d/salt-update ] && rm -f /etc/cron.d/salt-update
++ else
++ # Enable Salt
++ # Salt uses FQDN instead of just hostname
++ FQDN=`python -c 'import socket; print socket.getfqdn()'`
++ if [ $SERVER -eq 1 ]; then
++ # If this box is a Master Server we need to run salt-master
++ # Copy init.sls.template to init.sls
++ cp /opt/onionsalt/pillar/users/init.sls.template /opt/onionsalt/pillar/users/init.sls
++ # Copy top.sls.template to top.sls
++ TOPSLS="/opt/onionsalt/salt/top.sls"
++ cp $TOPSLS.template $TOPSLS
++ # Comment out examples in top.sls
++ sed -i "s|^ 'A\*':$|# 'A*':|g" $TOPSLS
++ sed -i "s|^ - sensor|# - sensor|g" $TOPSLS
++ sed -i "s|^ 'C\*':$|# 'C*':|g" $TOPSLS
++ sed -i "s|^ - backend|# - backend|g" $TOPSLS
++ # Add backend config to top.sls
++ echo " '$FQDN':" >> $TOPSLS
++ echo " - backend" >> $TOPSLS
++ echo "" >> $TOPSLS
++ # If salt-master is DISABLED we need to enable it
++ [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
++ [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override
++ # Start salt-master
++ service salt-master restart >> $LOG 2>&1
++ # We no longer open the salt port by default
++ # This is now done when the sensor runs Setup
++ #ufw allow salt >> $LOG 2>&1
++ else
++ # If this box is not a Master we need to disable salt-master
++ # Stop salt-master
++ service salt-master stop >> $LOG 2>&1
++ # Disable salt-master
++ [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override
++ # Tell the salt-master that we are a sensor
++ cat << EOF >> $SOSETUPSCP
++if ! grep "'$FQDN':" /opt/onionsalt/salt/top.sls >/dev/null 2>&1; then
++echo " '$FQDN':" >> /opt/onionsalt/salt/top.sls
++echo " - sensor" >> /opt/onionsalt/salt/top.sls
++echo "" >> /opt/onionsalt/salt/top.sls
++fi
++EOF
++ fi
++
++ # All boxes run salt-minion
++ # Configure minion
++ echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf
++ # If salt-minion is DISABLED, enable it
++ [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
++ [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override
++ service salt-minion restart >> $LOG 2>&1
++
++ # salt-master needs to accept the key from salt-minion
++ if [ "$SERVERNAME" = "localhost" ]; then
++ TIMER=60
++ while [ $TIMER -gt 0 ]; do
++ if salt-key -l accepted 2>&1 |grep "^$FQDN$" > /dev/null 2>&1; then
++ echo "salt-minion key already accepted" >> $LOG
++ TIMER=0
++ elif salt-key -l unaccepted 2>&1 | grep "^$FQDN$" > /dev/null 2>&1; then
++ salt-key -a $FQDN -y >> $LOG 2>&1
++ TIMER=0
++ else
++ let TIMER=TIMER-1
++ echo "salt-minion hasn't checked in yet, $TIMER seconds remaining until timeout" >> $LOG
++ sleep 1s
++ fi
++ done
++ else
++ # this is a sensor-only box so we have to ask the master to accept the key via SOSETUPSCP
++ echo "salt-key -a $FQDN -y" >> $SOSETUPSCP
++ fi
++ fi
++fi
++
++#########################################
++# Start securityonion services
++#########################################
++# disable the snorby output in all barnyard config files
++sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf >> $LOG 2>&1
++echo "45"
++echo "# Please wait while starting all Security Onion services..." | tee -a $LOG
++/usr/sbin/so-autossh-start >> $LOG 2>&1
++/usr/sbin/so-start >> $LOG 2>&1
++sleep 10s
++
++#########################################
++# Create icons
++#########################################
++if [ $SERVER -eq 1 ]; then
++
++ # Add launchers to /etc/skel/ for new users
++ DIR="/etc/skel/Desktop"
++ mkdir -p $DIR
++
++ # Create README launcher
++ README_LAUNCHER="$DIR/securityonion-readme.desktop"
++ cat << EOF > $README_LAUNCHER
++[Desktop Entry]
++Version=1.0
++Type=Application
++Name=README
++Comment=
++Exec=/etc/alternatives/x-www-browser https://localhost
++Icon=web-browser
++Path=
++Terminal=false
++StartupNotify=false
++Categories=SecurityOnion;
++EOF
++
++ # Use README launcher as template to create SQUERT launcher
++ SQUERT_LAUNCHER="$DIR/securityonion-squert.desktop"
++ cp $README_LAUNCHER $SQUERT_LAUNCHER
++ sed -i 's|https://localhost|https://localhost/squert|g' $SQUERT_LAUNCHER
++ sed -i 's|Name=README|Name=Squert|g' $SQUERT_LAUNCHER
++
++ # Use README launcher as template to create Kibana launcher (if enabled)
++ if [ "$ELASTIC" = "yes" ]; then
++ KIBANA_LAUNCHER="$DIR/securityonion-kibana.desktop"
++ cp $README_LAUNCHER $KIBANA_LAUNCHER
++ sed -i 's|https://localhost|https://localhost/app/kibana|g' $KIBANA_LAUNCHER
++ sed -i 's|Name=README|Name=Kibana|g' $KIBANA_LAUNCHER
++ fi
++
++ # Copy web launchers to /usr/share/applications
++ cp $DIR/securityonion-*.desktop /usr/share/applications/
++
++ # Copy Sguil launcher from /usr/share/applications/
++ SGUIL="$DIR/securityonion-sguil.desktop"
++ cp /usr/share/applications/securityonion-sguil.desktop $SGUIL
++
++ # Copy launchers from /etc/skel to existing user Desktop directories
++ for i in `ls /home/`; do
++ mkdir -p /home/$i/Desktop
++ cp /etc/skel/Desktop/securityonion-*.desktop /home/$i/Desktop/
++ chown $i:$i /home/$i/Desktop/securityonion-*.desktop
++ done
++
++ # Make launchers executable
++ chmod +x /etc/skel/Desktop/*.desktop
++ chmod +x /home/*/Desktop/securityonion-*.desktop
++ ++fi ++ ++######################################### ++# Configure Elastic ++######################################### ++if [ "$ELASTIC" = "yes" ]; then ++ echo "49" ++ echo "# Please wait while configuring Elastic..." | tee -a $LOG ++ ++ # We need to copy a new syslog-ng.conf into place ++ SYSLOGNGCONFSRC="/opt/elastic/src/etc/syslog-ng/syslog-ng.conf" ++ SYSLOGNGCONFDST="/etc/syslog-ng/syslog-ng.conf" ++ ++ # Initialize HTTP_LOGS ++ HTTP_LOGS="" ++ ++ # Get a list of sensors from /etc/nsm/sensortab ++ SENSORS=$(grep -v "^#" /etc/nsm/sensortab | cut -f 4) ++ ++ # Determine the number of sensor interfaces ++ COUNT=0 ++ for token in $SENSORS; do ++ COUNT=$((COUNT+1)) ++ done ++ ++ # If master server only, copy syslog-ng.conf into place ++ if [ $COUNT -eq 0 ]; then ++ cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST ++ fi ++ ++ # If single sensor interface, we need to determine if Bro is running in standalone mode or cluster mode ++ if [ $COUNT -eq 1 ]; then ++ if grep "type=standalone" /opt/bro/etc/node.cfg > /dev/null; then ++ echo "* Leaving syslog-ng.conf bro_http entry unmolested." 
>> $LOG 2>&1 ++ cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST ++ else ++ echo "* Altering syslog-ng.conf bro_http entry for single interface cluster-mode" >> $LOG 2>&1 ++ # Pull the interface bro is listening for from node.cfg ++ BRO_IFACE=$(grep "interface=" /opt/bro/etc/node.cfg | cut -d'=' -f2) ++ # Alter syslog-ng.conf's entry for http ++ sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|\tfile(\"/nsm/bro/logs/current/http_$BRO_IFACE.log\" flags(no-parse) program_override(\"bro_http\"));\n|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST ++ fi ++ fi ++ ++ # If multiple sensor interfaces, Bro must be running in cluster mode and we need to watch multiple http logs ++ if [ $COUNT -gt 1 ]; then ++ echo "* Altering syslog-ng.conf bro_http entries for multiple interfaces" >> $LOG 2>&1 ++ for i in $SENSORS; do ++ HTTP_LOGS=$HTTP_LOGS"\tfile(\"/nsm/bro/logs/current/http_$i.log\" flags(no-parse) program_override(\"bro_http\"));\n" ++ done ++ sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST ++ fi ++ ++ echo "* Restarting syslog-ng" >> $LOG 2>&1 ++ service syslog-ng restart >> $LOG 2>&1 ++ ++ if ! dpkg -L docker-ce >/dev/null 2>&1; then ++ echo "50" ++ echo "# Please wait while downloading Elastic components..." | tee -a $LOG ++ /usr/sbin/so-elastic-download >> $LOG 2>&1 ++ fi ++ ++ echo "75" ++ echo "# Please wait while configuring Elastic..." | tee -a $LOG ++ if ! 
grep -q LOG_SIZE_LIMIT $CONF; then ++ cat << EOF >> $CONF ++ ++# Log size limit (GB) for Elasticsearch logs ++LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB ++EOF ++ else ++ sed "s/LOG_SIZE_LIMIT=.*/LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT_GB/" $CONF ++ fi ++ ++ if [ $SERVER -eq 1 ] && [ $LOGSTASH_OUTPUT_REDIS = "yes" ]; then ++ echo "LOGSTASH_OUTPUT_REDIS=$LOGSTASH_OUTPUT_REDIS" >> $CONF ++ fi ++ ++ if [ $SERVER -ne 1 ]; then ++ echo 'KIBANA_ENABLED="no"' >> $CONF ++ echo 'ELASTALERT_ENABLED="no"' >> $CONF ++ echo 'FREQ_SERVER_ENABLED="no"' >> $CONF ++ echo 'DOMAIN_STATS_ENABLED="no"' >> $CONF ++ ++ if [ "$FORWARD" = "yes" ]; then ++ echo 'ELASTICSEARCH_ENABLED="no"' >> $CONF ++ echo 'LOGSTASH_ENABLED="no"' >> $CONF ++ echo 'CURATOR_ENABLED="no"' >> $CONF ++ fi ++ ++ if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then ++ echo 'LOGSTASH_INPUT_REDIS="yes"' >> $CONF ++ echo 'OSSEC_AGENT_ENABLED="no"' >> $CONF ++ fi ++ fi ++ ++ /usr/sbin/so-elastic-configure >> $LOG 2>&1 ++ ++ if [ $SERVER -ne 1 ]; then ++ echo "85" ++ echo "# Please wait while stopping Apache web server..." | tee -a $LOG ++ service apache2 stop >> $LOG 2>&1 ++ ++ echo "93" ++ echo "# Please wait while stopping and disabling MySQL..." | tee -a $LOG ++ service mysql stop >> $LOG 2>&1 ++ echo "manual" > /etc/init/mysql.override ++ ++ echo "95" ++ echo "# Please wait while performing final node configuration..." | tee -a $LOG ++ ++ if [ "$FORWARD" = "yes" ]; then ++ # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. 
++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF ++ fi ++ else ++ if [ "$LOGSTASH_INPUT_REDIS" = "yes" ]; then ++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 172.18.0.1:6379:localhost:6379"' >> $SSH_CONF ++ fi ++ ufw allow proto tcp from 172.18.0.0/24 to 172.18.0.1 port 6379 >> $LOG 2>&1 ++ fi ++ ++ # We need to determine a few things from the master server: ++ ++ # DOCKER_INTERFACE, DOCKER_NETWORK, and REVERSE_PORT ++ ++ # DOCKER_INTERFACE ++ SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Gateway'" ++ SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ DOCKER_INTERFACE=$(echo $SSH_OUTPUT | cut -d\" -f2) ++ echo "DOCKER_INTERFACE is $DOCKER_INTERFACE" >> $LOG 2>&1 ++ ++ # DOCKER_NETWORK ++ SSH_CMD="sudo /usr/sbin/so-elastic-network | jq '.[0].IPAM.Config[0].Subnet'" ++ SSH_OUTPUT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ DOCKER_NETWORK=$(echo $SSH_OUTPUT | cut -d\" -f2) ++ echo "DOCKER_NETWORK is $DOCKER_NETWORK" >> $LOG 2>&1 ++ ++ # REVERSE_PORT ++ SSH_CMD='sudo /usr/sbin/so-crossclustercheck | jq "." | grep ":5" | cut -d: -f2 | cut -d\" -f1 | sort | tail -1' ++ HIGHEST_REVERSE_PORT=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME "$SSH_CMD"` ++ if [ "$HIGHEST_REVERSE_PORT" = "" ]; then ++ echo "Found no other nodes." 
>> $LOG 2>&1 ++ REVERSE_PORT=50000 ++ else ++ echo "HIGHEST_REVERSE_PORT is $HIGHEST_REVERSE_PORT" >> $LOG 2>&1 ++ if [ ${HIGHEST_REVERSE_PORT} -gt 49999 ] && [ ${HIGHEST_REVERSE_PORT} -lt 59999 ]; then ++ let REVERSE_PORT=HIGHEST_REVERSE_PORT+1 ++ fi ++ fi ++ echo "REVERSE_PORT is $REVERSE_PORT" >> $LOG 2>&1 ++ ++ # Now that we've determined those 3 values, we need to store DOCKER_INTERFACE and REVERSE_PORT in SSH_CONF. ++ ++ # If DOCKER_INTERFACE is not already in SSH_CONF, then store it for future use. ++ if grep "DOCKER_INTERFACE=" $SSH_CONF >/dev/null 2>&1; then ++ echo "DOCKER_INTERFACE already exists in $SSH_CONF." >> $LOG 2>&1 ++ else ++ echo "DOCKER_INTERFACE=$DOCKER_INTERFACE" >> $SSH_CONF ++ fi ++ ++ # If REVERSE_PORT is not already in SSH_CONF, then store it for future use. ++ if grep "REVERSE_PORT=" $SSH_CONF >/dev/null 2>&1; then ++ echo "REVERSE_PORT already exists in $SSH_CONF." >> $LOG 2>&1 ++ else ++ echo "REVERSE_PORT=$REVERSE_PORT" >> $SSH_CONF ++ fi ++ ++ # Configure Elasticsearch ++ ELASTIC_CONFIG="/etc/elasticsearch/elasticsearch.yml" ++ echo "transport.bind_host: 0.0.0.0" >> $ELASTIC_CONFIG ++ echo "transport.publish_host: $DOCKER_INTERFACE" >> $ELASTIC_CONFIG ++ echo "transport.publish_port: $REVERSE_PORT" >> $ELASTIC_CONFIG ++ docker restart so-elasticsearch >> $LOG 2>&1 ++ cat << EOF >> $SOSETUPSCP ++if ! 
grep "Match User $SSH_USERNAME" /etc/ssh/sshd_config >/dev/null 2>&1; then ++echo Match User $SSH_USERNAME >> /etc/ssh/sshd_config ++echo ' GatewayPorts clientspecified' >> /etc/ssh/sshd_config ++service ssh restart ++fi ++ufw allow proto tcp from $DOCKER_NETWORK to $DOCKER_INTERFACE port $REVERSE_PORT ++source /etc/nsm/securityonion.conf ++curl -XPUT http://\$ELASTICSEARCH_HOST:\$ELASTICSEARCH_PORT/_cluster/settings -H'Content-Type: application/json' -d '{"persistent": {"search": {"remote": {"$HOSTNAME": {"skip_unavailable": "true", "seeds": ["$DOCKER_INTERFACE:$REVERSE_PORT"]}}}}}' ++EOF ++ fi ++ ++ fi ++fi ++} ++ ++function SERVER_QUEUE() { ++######################################### ++# Send all queued commands to server ++######################################### ++if [ "$SERVERNAME" != "localhost" ]; then ++ # Copy the script over ++ scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1 ++ # Run the script on the master server using sudo ++ if [ "$OUTPUT" = "gui" ]; then ++ xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP ++ else ++ ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1 ++ fi ++ # Cleanup ++ rm -f $SOSETUPSCP ++ ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 ++fi ++ ++if [ $SERVER -ne 1 ] && [ "$ELASTIC" = "yes" ]; then ++ # Now that the server side configuration is done, we need to tear down the ssh tunnel and restart it. 
++ if pgrep autossh>/dev/null; then ++ kill -SIGINT `pgrep autossh` ++ /usr/sbin/so-autossh-start >> $LOG 2>&1 ++ fi ++fi ++} ++ ++function MINION() { ++dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null && [ "$SALT" = "yes" ] && salt-call state.highstate >> /var/log/nsm/sosetup_salt_call.log 2>&1 & ++} ++ ++ ++function MOVELOG() { ++# Move log file from /tmp/ to /var/log/nsm/ ++mv $LOG /var/log/nsm/sosetup.log ++LOG="/var/log/nsm/sosetup.log" ++} ++ ++function IP2C() { ++# If this is a server, populate ip2c table ++if [ -d /var/lib/mysql/securityonion_db/ ]; then ++ /usr/sbin/sguild-add-user "$SGUIL_CLIENT_USERNAME" "$SGUIL_CLIENT_PASSWORD_1" >/dev/null ++ # Setup needs to delete /var/www/so/squert/.scripts/*.md5 before running ip2c.tcl ++ # http://code.google.com/p/security-onion/issues/detail?id=250 ++ rm -f /var/www/so/squert/.scripts/*.md5 ++ /usr/sbin/so-squert-ip2c >> $LOG 2>&1 & ++fi ++} ++ ++######################################### ++# FINAL (FIN) OUTPUT FUNCTIONS ++######################################### ++function FIN1() { ++TEXT="Security Onion Setup is now complete! \n \ ++\n \ ++Setup log can be found here:\n \ ++$LOG\n \ ++\n \ ++You may view IDS alerts using Sguil, Squert, or Kibana (if enabled). \n \ ++\n \ ++Bro logs can be found in Kibana (if enabled) and the following location: \n \ ++/nsm/bro/" ++} ++ ++function FIN2() { ++TEXT="You can check the status of your running services with the sostat utilites:\n \ ++\n \ ++'sudo sostat' will give you DETAILED information about your service status.\n \ ++\n \ ++'sudo sostat-quick' will give you a guided tour of the sostat output.\n \ ++\n \ ++'sudo sostat-redacted' will give you REDACTED information to share with our mailing list if you have questions." 
++} ++ ++function FIN3() { ++if [ $SERVER -eq 1 ]; then ++source /etc/nsm/securityonion.conf ++if [ "$LOCAL_NIDS_RULE_TUNING" = "no" ] ; then ++TEXT="Rules downloaded by Pulledpork are stored in: \n \ ++/etc/nsm/rules/downloaded.rules \n \ ++\n \ ++Local rules can be added to: \n \ ++/etc/nsm/rules/local.rules \n \ ++\n \ ++You can have PulledPork modify the downloaded rules \n \ ++by modifying the files in: \n \ ++/etc/nsm/pulledpork/ \n \ ++\n \ ++Rules will be updated every morning. \n \ ++You can manually update them by running: \n \ ++sudo rule-update \n \ ++\n \ ++Sensors can be tuned by modifying the files in: \n \ ++/etc/nsm/NAME-OF-SENSOR/" ++else ++TEXT="Setup was not able to download rules from the Internet.\n \ ++LOCAL_NIDS_RULE_TUNING has been set to 'yes' in /etc/nsm/securityonion.conf.\n \ ++\n \ ++If you do have Internet access and want to download rules from the Internet,\n \ ++you'll need to change this option to 'no'." ++fi ++fi ++} ++ ++function FIN4() { ++TEXT='Please note that the local ufw firewall\ ++has been locked down to only allow connections\ ++to port 22. If you need to connect over any\ ++other port, then run "sudo so-allow".' 
++} ++ ++function FIN5() { ++TEXT='If you have any questions or problems,\ ++please visit our website where you can find\ ++the following links:\ ++FAQ\ ++Wiki\ ++Mailing Lists\ ++IRC channel\ ++and more!\ ++\ ++https://securityonion.net' ++} ++ ++function FIN6() { ++TEXT='If you need commercial support or training,\ ++please see:\ ++\ ++https://securityonionsolutions.com' ++} ++ ++ ++######################################### ++# write collected answers ++######################################### ++ ++save() ++{ ++ # TODO ++ echo "# ANSWERFILE generated by sosetup -w option" > $WRITEANSWERFILE ++ echo -n "# Generation date: " >> $WRITEANSWERFILE ++ date >> $WRITEANSWERFILE ++ echo "# Generated on host $HOSTNAME" >> $WRITEANSWERFILE ++ echo "#" >> $WRITEANSWERFILE ++ echo "# These fields were computed automatically" >> $WRITEANSWERFILE ++ echo "#IP=$IP" >> $WRITEANSWERFILE ++ echo "#CORES=$CORES" >> $WRITEANSWERFILE ++ echo \#ALL_INTERFACES=$ALL_INTERFACES >> $WRITEANSWERFILE # no quotes to collapse to one line ++ echo "#NUM_INTERFACES=$NUM_INTERFACES" >> $WRITEANSWERFILE ++ echo "#" >> $WRITEANSWERFILE ++ echo "# This field is specific to reading an answer file" >> $WRITEANSWERFILE ++ echo "SNIFFING_INTERFACES=$INTERFACES" >> $WRITEANSWERFILE ++ echo "#" >> $WRITEANSWERFILE ++ echo "# These fields were generated from your answers" >> $WRITEANSWERFILE ++ echo "SERVER=$SERVER" >> $WRITEANSWERFILE ++ echo "SERVERNAME=$SERVERNAME" >> $WRITEANSWERFILE ++ echo "SSH_USERNAME='$SSH_USERNAME'" >> $WRITEANSWERFILE ++ echo "SGUIL_SERVER_NAME=$SGUIL_SERVER_NAME" >> $WRITEANSWERFILE ++ echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE ++ echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE ++ echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE ++ echo "OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE ++ echo "SALT=$SALT" >> $WRITEANSWERFILE ++ 
echo "SENSOR=$SENSOR" >> $WRITEANSWERFILE ++ echo "BRO_ENABLED=$BRO_ENABLED" >> $WRITEANSWERFILE ++ echo "IDS_ENGINE_ENABLED=$IDS_ENGINE_ENABLED" >> $WRITEANSWERFILE ++ echo "SNORT_AGENT_ENABLED=$SNORT_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "BARNYARD2_ENABLED=$BARNYARD2_ENABLED" >> $WRITEANSWERFILE ++ echo "PCAP_ENABLED=$PCAP_ENABLED" >> $WRITEANSWERFILE ++ echo "PCAP_AGENT_ENABLED=$PCAP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "PRADS_ENABLED=$PRADS_ENABLED" >> $WRITEANSWERFILE ++ echo "SANCP_AGENT_ENABLED=$SANCP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "PADS_AGENT_ENABLED=$PADS_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "HTTP_AGENT_ENABLED=$HTTP_AGENT_ENABLED" >> $WRITEANSWERFILE ++ echo "ARGUS_ENABLED=$ARGUS_ENABLED" >> $WRITEANSWERFILE ++ echo "IDS_RULESET='$IDS_RULESET'" >> $WRITEANSWERFILE ++ echo "OINKCODE='$OINKCODE'" >> $WRITEANSWERFILE ++ echo "PF_RING_SLOTS=$PF_RING_SLOTS" >> $WRITEANSWERFILE ++ echo "IDS_ENGINE=$IDS_ENGINE" >> $WRITEANSWERFILE ++ echo "IDS_LB_PROCS=$IDS_LB_PROCS" >> $WRITEANSWERFILE ++ echo "BRO_LB_PROCS=$BRO_LB_PROCS" >> $WRITEANSWERFILE ++ echo "EXTRACT_FILES=$EXTRACT_FILES" >> $WRITEANSWERFILE ++ echo "PCAP_SIZE=$PCAP_SIZE" >> $WRITEANSWERFILE ++ echo "PCAP_RING_SIZE=$PCAP_RING_SIZE" >> $WRITEANSWERFILE ++ echo "PCAP_OPTIONS='$PCAP_OPTIONS'" >> $WRITEANSWERFILE ++ echo "WARN_DISK_USAGE=$WARN_DISK_USAGE" >> $WRITEANSWERFILE ++ echo "CRIT_DISK_USAGE=$CRIT_DISK_USAGE" >> $WRITEANSWERFILE ++ echo "DAYSTOKEEP=$DAYSTOKEEP" >> $WRITEANSWERFILE ++ echo "DAYSTOREPAIR=$DAYSTOREPAIR" >> $WRITEANSWERFILE ++ echo "LOGSTASH_OUTPUT_REDIS=$LOGSTASH_OUTPUT_REDIS" >> $WRITEANSWERFILE ++ echo "LOGSTASH_INPUT_REDIS=$LOGSTASH_INPUT_REDIS" >> $WRITEANSWERFILE ++ echo "ELASTIC=$ELASTIC" >> $WRITEANSWERFILE ++ echo "LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT" >> $WRITEANSWERFILE ++} ++ ++ ++######################################### ++# Options ++######################################### ++ ++usage() ++{ ++cat < Configure using answer file ++ -w Create answer 
file ++ -y Configure without prompting ++ ++Usage: $0 ++EOF ++} ++ ++ ++######################################### ++# Call functions ++######################################### ++ ++# Check to see if the user provided an answer file ++SKIP=0 ++while getopts "hf:yw:" OPTION ++do ++ case $OPTION in ++ h) ++ usage ++ exit 0 ++ ;; ++ f) ++ ANSWERFILE="$OPTARG" ++ # Verify answer file exists and then read it into memory ++ if [ ! -f "$ANSWERFILE" ]; then ++ echo "Error accessing $ANSWERFILE" ++ exit 1 ++ fi ++ ;; ++ w) ++ WRITEANSWERFILE="$OPTARG" ++ ;; ++ y) ++ SKIP=1 ++ ;; ++ esac ++done ++ ++# GUI (Zenity) or CLI? ++# Default to zenity ++OUTPUT="gui" ++# If no X11, then fall back to cli ++[ -z "$DISPLAY" ] && OUTPUT="cli" ++# If user provided an answer file, set to cli ++[ -f "$ANSWERFILE" ] && OUTPUT="cli" ++ ++# If the user didn't provide an answer file, then ask them the questions ++if [ ! -f "$ANSWERFILE" ]; then ++ if [ "$OUTPUT" = "gui" ] ; then ++ ask ++ else ++ echo ++ echo "No X display found." ++ echo ++ echo "You'll need to either:" ++ echo ++ echo "- use SSH X-forwarding (ssh -X)" ++ echo ++ echo "OR" ++ echo ++ echo "- use an answer file (sudo sosetup -f sosetup.conf)" ++ echo ++ usage ++ exit 0 ++ fi ++else ++ source "$ANSWERFILE" ++ # copy SNIFFING_INTERFACES into INTERFACES ++ INTERFACES="$SNIFFING_INTERFACES" ++ ADVANCED_SETUP="1" ++ if [ $SKIP -ne 1 ];then ++ echo ++ echo "Security Onion Setup" ++ echo ++ echo "Ready to configure system using parameters in $ANSWERFILE." ++ echo ++ echo "WARNING! Continuing will destroy any existing data/config." ++ echo "Are you sure you want to continue?" ++ echo "Type yes to continue or anything else to exit." ++ read INPUT ++ [ "$INPUT" != "yes" ] && exit 0 ++ echo ++ # If /etc/network/interfaces has not been configured yet, then we need ++ # to run sosetup-network and pass it the answerfile ++ if ! 
grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1; then ++ /usr/sbin/sosetup-network $@ ++ fi ++ fi ++fi ++ ++# Perform the requested actions, handling output differently for gui vs cli ++if [ "$OUTPUT" = "gui" ]; then ++ CONFIGURE_SERVICES | ++ zenity --progress --title="$TITLE" --text="Please wait while making changes to the system..." --percentage=0 --auto-close ++else ++ echo "Please wait while..." ++ CONFIGURE_SERVICES | grep --line-buffered "^#" | sed 's|# Please wait while||g' ++fi ++ ++# SERVER_QUEUE will interactively prompt for password ++# so we can't consume stdout ++SERVER_QUEUE ++ ++# The next few functions should have no output ++MINION ++MOVELOG ++IP2C ++ ++# Final screens ++for i in FIN1 FIN2 FIN3 FIN4 FIN5 FIN6; do ++ $i ++ if [ "$OUTPUT" = "gui" ]; then ++ zenity --info --title="$TITLE" --text="$TEXT" --no-wrap ++ else ++ echo ++ echo "$TEXT" | sed 's|\\n|\n|g' | sed 's|\\||g' ++ echo ++ fi ++done +--- securityonion-setup-20120912.orig/bin/sosetup-elsa ++++ /dev/null +@@ -1,2312 +0,0 @@ +-#!/bin/bash +-# +-# Copyright (C) 2010-2016 Doug Burks and Security Onion +-# +-# This program is free software; you can redistribute it and/or modify +-# it under the terms of the GNU General Public License Version 2 as +-# published by the Free Software Foundation. You may not use, modify or +-# distribute this program under any other version of the GNU General +-# Public License. +-# +-# This program is distributed in the hope that it will be useful, +-# but WITHOUT ANY WARRANTY; without even the implied warranty of +-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +-# GNU General Public License for more details. +-# +-# You should have received a copy of the GNU General Public License +-# along with this program; if not, write to the Free Software +-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +-# +-# +-# Description: +-# Configure Security Onion. 
+- +-######################################### +-# Variables +-######################################### +-DEBUG="0" +-# Window title +-HOST_ORIG=`hostname` +-HOSTNAME=${HOST_ORIG,,} +-IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` +-TITLE="Security Onion Setup ($HOSTNAME)" +-# File locations +-CONF="/etc/nsm/securityonion.conf" +-LOG=`mktemp /tmp/sosetup.log.XXXXXXXXXX` +-PP_CONF="/etc/nsm/pulledpork/pulledpork.conf" +-# URLs +-ET_URL="rules.emergingthreats.net" +-TALOS_URL="www.snort.org" +-# Provide sensible defaults for Quick Setup +-SGUIL_SERVER_NAME="securityonion" +-IDS_ENGINE="snort" +-IDS_RULESET="ETOPEN" +-HOME_NET="192.168.0.0/16,10.0.0.0/8,172.16.0.0/12" +-INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` +-ALL_INTERFACES="$INTERFACES" +-NUM_INTERFACES=`echo $INTERFACES | wc -w` +-SNIFF_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | wc -l` +-[ $SNIFF_INTERFACES -eq 0 ] && SNIFF_INTERFACES=1 +-SENSORTAB="/etc/nsm/sensortab" +-UPDATE_ELSA_SERVER="NO" +-# PCAP_OPTIONS are passed to netsniff-ng +-# "netsniff-ng -c" does the following: +-# -c|--clrw Use slower read(2)/write(2) I/O +-# we set this as the default for classroom/training users +-# who are monitoring low-bandwidth networks and don't +-# want to wait for scatter/gather mode to write pcaps. +-# Users running Advanced Setup are likely on production networks +-# with higher bandwidth and want better performance, so we clear +-# PCAP_OPTIONS in the Advanced Setup section. 
+-PCAP_OPTIONS="-c" +-# PCAP_SIZE is the size at which we rotate to a new pcap file +-# Default to 150MB, but user can choose if running Advanced Setup +-PCAP_SIZE=150 +-# PCAP_RING_SIZE is the RX_RING size for buffering packets +-# Default is 64MB +-PCAP_RING_SIZE="64" +-# WARN_DISK_USAGE is the percentage of disk usage at which the NSM scripts warn the disk is getting full +-WARN_DISK_USAGE=80 +-# CRIT_DISK_USAGE is the percentage of disk usage at which the NSM scripts begin purging old files +-CRIT_DISK_USAGE=90 +-# CORES is the number of CPU cores in the box +-# This is used for limiting IDS_LB_PROCS and BRO_LB_PROCS +-CORES=`grep -c ^processor /proc/cpuinfo` +-# SO_CORES is the number of CPU cores in the box, minus a reserved CPU core +-# for the OS, divided by the number of sniffing interfaces. +-SO_CORES=$(((CORES - 1) / SNIFF_INTERFACES)) +-# CALCD_CORES subtracts a reserved CPU core for netsniff-ng from the available cores for +-# each interface and splits the number of cores between the IDS and Bro processes. 
+-CALCD_CORES=$(((SO_CORES - 1) / 2)) +-# IDS_LB_PROCS goes into sensor.conf and controls threads for Snort/Suricata +-IDS_LB_PROCS=1 +-IDS_LB_PROCS_CONFIRM="- Run a single IDS process per interface.\n" +-# BRO_LB_PROCS goes into Bro's node.cfg and controls threads for Bro +-BRO_LB_PROCS=1 +-BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n" +-# /etc/nsm/securityonion.conf services enabled by default +-BRO_ENABLED="yes" +-OSSEC_AGENT_ENABLED="yes" +-OSSEC_AGENT_LEVEL=5 +-XPLICO_ENABLED="no" +-# /etc/nsm/HOSTNAME-INTERFACE/sensor.conf services enabled by default +-PCAP_ENABLED="yes" +-PCAP_AGENT_ENABLED="yes" +-SNORT_AGENT_ENABLED="yes" +-IDS_ENGINE_ENABLED="yes" +-BARNYARD2_ENABLED="yes" +-PRADS_ENABLED="no" +-SANCP_AGENT_ENABLED="no" +-PADS_AGENT_ENABLED="no" +-ARGUS_ENABLED="no" +-HTTP_AGENT_ENABLED="no" +-# Salt is disabled by default +-SALT="no" +-# Number of days to keep in Sguil database +-DAYSTOKEEP=30 +-# Number of days to repair +-DAYSTOREPAIR=7 +-# File extraction +-EXTRACT_FILES="yes" +-# PF_RING min_num_slots +-PF_RING_SLOTS="4096" +-# SSH key variables +-SSH_DIR="/root/.ssh" +-SSH_CONF="$SSH_DIR/securityonion_ssh.conf" +-KEY="$SSH_DIR/securityonion" +-# SOSETUPSCP is a file that will be copied to the master server and executed +-SOSETUPSCP=`mktemp` +-# SECURITYONION_CONF_MASTER is the securityonion.conf from the master server +-SECURITYONION_CONF_MASTER=`mktemp` +-# CUSTOM gives access to all options +-CUSTOM=0 +-# ELSA is now enabled by default +-ELSA="YES" +-ELASTIC="NO" +-# Create /nsm if it doesn't already exist +-mkdir -p /nsm +-# Calculate half of available disk space for ELSA log_size_limit +-DISK_SIZE_K=`df /nsm |grep -v "^Filesystem" | awk '{print $2}'` +-let DISK_SIZE=DISK_SIZE_K*1000 +-let LOG_SIZE_LIMIT=DISK_SIZE/2 +-let LOG_SIZE_LIMIT_GB=LOG_SIZE_LIMIT/1000000000 +-let DISK_SIZE_GB=DISK_SIZE/1000000000 +-let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000 +-# Check amount of system RAM (MB) +-TOTAL_MEM=`grep MemTotal 
/proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'` +-# Make RAM # human readable (GB) +-HR_MEM=$((TOTAL_MEM / 1000)) +-# Text for minimum memory check +-MEM_TEXT="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 3GB of RAM.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ +-Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ +-Otherwise, click 'Yes' to continue." +-######################################### +-# Debug +-######################################### +-[ $DEBUG -eq 1 ] && echo "DEBUG: Debug is enabled. To disable it, edit the script and change DEBUG to 0." +- +-######################################### +-# Got r00t? +-######################################### +-if [[ $(/usr/bin/id -u) -ne 0 && "$1" != "-w" ]]; then +- echo "Setup needs to be run as root. Please try again using sudo." +- zenity --error --title "$TITLE" --text="Setup needs to be run as root. Please try again using sudo." +- exit +-fi +- +-function ask() { +-######################################### +-# Welcome screen +-######################################### +-TEXT="Welcome to Security Onion Setup!\n\ +-\n\ +-This program will allow you to configure Security Onion on $HOSTNAME.\n\ +-\n\ +-Would you like to continue?" +-if [ "$WRITEANSWERFILE" ]; then +- TEXT="Welcome to Security Onion Setup!\n\ +-\n\ +-Writing an answer file is still experimental, and does not\n\ +-yet support network configuration. Please make sure\n\ +-your /etc/network/interfaces file is already configured and\n\ +-has at least one interface configured for monitoring.\n\ +-\n\ +-Would you like to continue?" +-fi +-YES="Yes, Continue!" +-NO="No, Quit." +-zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap +-ANSWER="$?" 
+-if [ $ANSWER -eq 1 ]; then +- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Exiting Setup" +- exit +-else +- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing Setup." +-fi +- +-######################################### +-# sosetup-network +-######################################### +-if [ -z "$WRITEANSWERFILE" ]; then # Network config not yet supported when generating an answer file +-[ -f /usr/sbin/sosetup-network ] && /usr/sbin/sosetup-network +-ANSWER="$?" +-# If there were errors in sosetup-network, then exit +-[ $ANSWER -eq 1 ] && exit +-fi +- +-######################################### +-# Stable Setup or Experimental Setup +-######################################### +-if [ -f /usr/sbin/sosetup-elastic ] && [ -d /opt/elastic/src ]; then +-TEXT="Elastic Setup or ELSA Setup?\n\ +-\n\ +-Choosing Elastic Setup will run the Elastic version of Setup.\n\ +-This will configure the Elastic stack (Elasticsearch, Logstash, and Kibana).\n\ +-If you are unsure, choose Elastic Setup.\n\ +-\n\ +-Choosing ELSA Setup will run the old ELSA version of Setup.\n\ +-Please note that ELSA will reach EOL soon!" +-SETUP="" +-SETUP=`zenity --list --radiolist \ +- --column "1" --column "2" --hide-header --title="$TITLE" \ +- TRUE "Elastic Setup" FALSE "ELSA Setup" --text="$TEXT"` +-if [ $? = 1 ]; then +- if [ $DEBUG -eq 1 ]; then +- echo "DEBUG: Clicked Cancel. Exiting." && exit 1 +- else +- exit 1 +- fi +-fi +-[ "$SETUP" == "" ] && exit +-if [ "$SETUP" == "Elastic Setup" ]; then +- ELASTIC="YES" +-fi +-if [ "$ELASTIC" == "YES" ]; then +- /usr/sbin/sosetup-elastic skipnetwork +- exit $? 
+-fi +-fi +- +-######################################### +-# Evaluation Mode or Production Mode +-######################################### +-TEXT="Evaluation Mode or Production Mode?\n\ +-\n\ +-Evaluation Mode is recommended for first-time users or standalone VMs:\n\ +-- ideal for quickly evaluating Security Onion\n\ +-- will automatically configure most details of your system\n\ +-- configures Snort and Bro to monitor one network interface\n\ +-- NOT intended for a production sensor\n\ +-\n\ +-Production Mode is recommended for production deployments\n\ +-as it gives you more control over the details of your system\n\ +-and allows you to build a distributed sensor network. You choose:\n\ +-- Sguil server, Sguil sensor, or both\n\ +-- which IDS engine to use (Snort or Suricata)\n\ +-- which IDS ruleset(s) to use (Emerging Threats, Snort Subscriber (Talos), or both)\n\ +-- how many processes to run for Snort/Suricata/Bro" +-SETUP="" +-SETUP=`zenity --list --radiolist \ +- --column "1" --column "2" --hide-header --title="$TITLE" \ +- TRUE "Evaluation Mode" FALSE "Production Mode" --text="$TEXT"` +-if [ $? = 1 ]; then +- if [ $DEBUG -eq 1 ]; then +- echo "DEBUG: Clicked Cancel. Exiting." && exit 1 +- else +- exit 1 +- fi +-fi +-[ "$SETUP" == "" ] && exit +-[ "$SETUP" == "Production Mode" ] && ADVANCED_SETUP="1" || ADVANCED_SETUP="0" +-if [ $ADVANCED_SETUP -eq 0 ]; then +- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Evaluation Mode." +- if [ $TOTAL_MEM -lt 3000 ]; then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap +- if [ $? = 1 ]; then +- if [ $DEBUG -eq 1 ]; then +- echo "DEBUG: Clicked No. Exiting." && exit 1 +- else +- exit 1 +- fi +- fi +- [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." +- fi +- if [ $NUM_INTERFACES -gt 1 ]; then +- TEXT="Which network interface should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your first monitor interface is already selected." 
+- INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` +- if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then +- +- CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | head -1` +- INPUT=`for i in $INTERFACES; do +- if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then +- echo -n "TRUE $i " +- else +- echo -n "FALSE $i " +- fi +- done` +- else +- INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done` +- fi +- INTERFACES=`zenity --list --radiolist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'` +- if [ "$INTERFACES" = "" ]; then +- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." +- exit +- fi +- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES." +- fi +- SERVER=1 +- SENSOR=1 +- ELSA="YES" +- SERVERNAME="localhost" +- SENSOR_CONFIRM_1="- Configure Snort and Bro to monitor the following interface:\n" +- SENSOR_CONFIRM_2="$INTERFACES\n" +-else +- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Production Mode." +- # Ask which components to configure +- TEXT="If this is the first machine in a distributed deployment, choose Server.\n\ +-This machine will only run Sguil, Squert, and ELSA and will not monitor any network interfaces.\n\ +-\n\ +-If this is a sensor for a distributed deployment (you've already installed the Server), choose Sensor.\n\ +-You will need to be able to SSH to the existing Server box with an account with sudo privileges.\n\ +-\n\ +-Otherwise, choose Standalone to configure both Server and Sensor components on this box." 
+- COMPONENTS=`zenity --height=300 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Server FALSE Sensor FALSE Standalone`
+- case $COMPONENTS in
+- Standalone)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Standalone."
+- SERVER=1
+- SENSOR=1
+- SERVERNAME="localhost"
+- if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked No. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM."
+- fi
+- ;;
+- Server)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Server."
+- SERVER=1
+- SENSOR=0
+- SERVERNAME="localhost"
+- IDS_LB_PROCS_CONFIRM=""
+- BRO_LB_PROCS_CONFIRM=""
+- if [ $TOTAL_MEM -lt 2000 ];then zenity --question --title="$TITLE" --text="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 2GB of RAM.\n\n\Consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\
+-Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\
+-Otherwise, click 'Yes' to continue." --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked No. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM."
+- fi
+- ;;
+- Sensor)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Sensor."
+- SERVER=0
+- SENSOR=1
+- TEXT="What is the hostname or IP address of the master server that this sensor should connect to?"
+- SERVERNAME_CONFIRMED="no"
+- if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- if [ $?
= 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked No. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM."
+- fi
+- while [ $SERVERNAME_CONFIRMED = "no" ]; do
+- SERVERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- # Did the user enter the hostname or IP address of the local box?
+- if [ "$SERVERNAME" = "$HOSTNAME" ]; then
+- zenity --error --title "$TITLE" --text="That is the hostname of this box\!\r \
+-\r \
+-Since you chose a sensor-only installation, the master server should be a separate box."
+- elif [ "$SERVERNAME" = "$IP" ]; then
+- zenity --error --title "$TITLE" --text="That is the IP address of this box\!\r \
+-\r \
+-Since you chose a sensor-only installation, the master server should be a separate box."
+- elif [ "x$SERVERNAME" = "x" ]; then
+- zenity --error --title "$TITLE" --text="No server defined\!\r \
+-\r \
+-Please provide the hostname or IP address of a valid master server."
+-
+- else
+- # nc will result in OSSEC Active Response blocking the IP address
+- # nc -vz $SERVERNAME 22 -w 5 2>&1 | grep "succeeded\!" >/dev/null 2>&1 && SERVERNAME_CONFIRMED="yes"
+- # so use ssh instead:
+- ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes 2>&1 | egrep 'Connection timed out|Could not resolve hostname' >/dev/null 2>&1 || SERVERNAME_CONFIRMED="yes"
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Hostname/IP set to $SERVERNAME."
+- if [ $SERVERNAME_CONFIRMED = "no" ]; then
+- zenity --error --title "$TITLE" --text="Couldn't connect to $SERVERNAME on port 22\!\r \
+-\r \
+-Please double-check hostname or IP address and\r\
+-firewall rules."
+- fi
+- fi
+- done
+- TEXT="Please enter a username that can SSH to the master server and execute sudo."
+- SENSOR_CONFIRM_3="no"
+- while [[ $SENSOR_CONFIRM_3 = "no" ]]; do
+- SSH_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- if [ x$SSH_USERNAME = "x" ]; then
+- zenity --error --title "$TITLE" --text="No username defined\!\r \
+-\r\ \
+-Please provide a username that can SSH to the master server and execute sudo."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: SSH username set."
+- SENSOR_CONFIRM_3="- Configure the sensors to report to $SERVERNAME.\n"
+- fi
+- done
+- ;;
+- *)
+- exit
+- ;;
+- esac
+-
+- TEXT="Best Practices or Custom?\n\
+-\n\
+-If you'd like to use the Best Practices defaults, please select Best Practices.\n\
+-\n\
+-If you'd like to see all options, choose Custom."
+- CUSTOM=""
+- CUSTOM=`zenity --list --radiolist \
+- --column "1" --column "2" --hide-header --title="$TITLE" \
+- TRUE "Best Practices" FALSE "Custom" --text="$TEXT"`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- [ "$CUSTOM" == "" ] && exit
+- [ "$CUSTOM" == "Custom" ] && CUSTOM="1" || CUSTOM="0"
+- if [ $CUSTOM -eq 0 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Best Practices."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Custom."
+- fi
+-fi
+-
+-#########################################
+-# If server is enabled, ask for Sguil client username
+-#########################################
+-if [ $SERVER -eq 1 ]; then
+- USERNAME_CONFIRMED="no"
+- while [ $USERNAME_CONFIRMED = "no" ]; do
+- TEXT="What would you like your Sguil username to be?\r\rThis will be used when logging into Sguil, Squert, and ELSA.\r\rPlease use alphanumeric characters only."
+- SGUIL_CLIENT_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting."
&& exit 1
+- else
+- exit 1
+- fi
+- fi
+- COMPRESSED="$(echo $SGUIL_CLIENT_USERNAME | sed -e 's/[^[:alnum:]]//g')"
+- if [ "$COMPRESSED" != "$SGUIL_CLIENT_USERNAME" ] || [ x$SGUIL_CLIENT_USERNAME = "x" ] ; then
+- zenity --error --title "$TITLE" --text="Invalid username\! \r \
+-\r \
+-Please use alphanumeric characters only."
+- else
+- USERNAME_CONFIRMED="yes"
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Sguil username set."
+- fi
+- done
+-fi
+-
+-#########################################
+-# If server is enabled, ask for and confirm password
+-#########################################
+-if [ $SERVER -eq 1 ]; then
+- SGUIL_CLIENT_PASSWORD_CONFIRMED="no"
+- while [ $SGUIL_CLIENT_PASSWORD_CONFIRMED = "no" ]; do
+- TEXT="What would you like to set your password to?\n\
+-\n\
+-Password must be at least 6 characters.\n\
+-\n\
+-This password will be used for Sguil, Squert, and ELSA.\n\
+-\n\
+-Once you've logged into these interfaces using this initial password, you can change it in the Sguil client."
+- SGUIL_CLIENT_PASSWORD_1=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- if [ "${#SGUIL_CLIENT_PASSWORD_1}" -lt "6" ]; then
+- zenity --error --title "$TITLE" --text="Password must be at least 6 characters\!"
+- else
+- TEXT="Please confirm what you would like to set your password to."
+- SGUIL_CLIENT_PASSWORD_2=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- if [ "$SGUIL_CLIENT_PASSWORD_1" = "$SGUIL_CLIENT_PASSWORD_2" ]; then
+- SGUIL_CLIENT_PASSWORD_CONFIRMED="yes"
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Password set."
+- else
+- zenity --error --title "$TITLE" --text="Passwords didn't match\!"
+- fi
+- fi
+- done
+- SERVER_CONFIRM="- Create a Sguil server named $SGUIL_SERVER_NAME.
\n"
+- SERVER_USER_CONFIRM="- Create a Sguil user named $SGUIL_CLIENT_USERNAME. \n"
+-fi
+-
+-#########################################
+-# ADVANCED SETUP - SERVER
+-#########################################
+-if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then
+-
+- if [ $CUSTOM -eq 1 ]; then
+- # Ask for DAYSTOKEEP
+- DAYSTOKEEP_CONFIRMED="no"
+- while [ $DAYSTOKEEP_CONFIRMED = "no" ]; do
+- DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of data do you want to keep in your Sguil database?\n\nThis includes things like IDS alerts, PADS events, and PRADS session data.\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- COMPRESSED="$(echo $DAYSTOKEEP | sed -e 's/[^[:digit:]]//g')"
+- if [ "$COMPRESSED" != "$DAYSTOKEEP" ] || [ x$DAYSTOKEEP = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
+- else
+- DAYSTOKEEP_CONFIRMED="yes"
+- fi
+- done
+-
+- # Ask for DAYSTOREPAIR
+- DAYSTOREPAIR_CONFIRMED="no"
+- while [ $DAYSTOREPAIR_CONFIRMED = "no" ]; do
+- DAYSTOREPAIR=`zenity --entry --title "$TITLE" --text="How many days of data do you want to repair in your Sguil database?\n\nA daily cronjob stops Sguil, repairs the MySQL tables for the last X days, and then starts Sguil back up.\n\nIf you choose a higher value, Sguil will be down for longer.\n\nIf you need to change this later, you can change DAYSTOREPAIR in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 7 days." --entry-text=7`
+- if [ $? = 1 ];then
+- if [ $DEBUG -eq 1 ];then
+- echo "DEBUG: Clicked Cancel. Exiting."
&& exit 1
+- else
+- exit 1
+- fi
+- fi
+- COMPRESSED="$(echo $DAYSTOREPAIR | sed -e 's/[^[:digit:]]//g')"
+- if [ "$COMPRESSED" != "$DAYSTOREPAIR" ] || [ x$DAYSTOREPAIR = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
+- else
+- DAYSTOREPAIR_CONFIRMED="yes"
+- fi
+- done
+- fi
+-
+- # Ask which IDS engine to use.
+- TEXT="Which IDS Engine would you like to use?"
+- IDS_ENGINE=`zenity --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Snort FALSE Suricata`
+- #[ -z $IDS_ENGINE ]
+- [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected $IDS_ENGINE."
+-
+- # Ask which IDS ruleset to use.
+- TEXT="Which IDS ruleset would you like to use?"
+- IDS_RULESET=`zenity --width=600 --height=300 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?" --hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \
+- TRUE "ETOPEN" "Emerging Threats Open" "no oinkcode required" \
+- FALSE "ETPRO" "Emerging Threats PRO" "requires ETPRO oinkcode" \
+- FALSE "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset" "requires Snort Subscriber oinkcode" \
+- FALSE "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy" "requires Snort Subscriber oinkcode" `
+-
+- case $IDS_RULESET in
+- ETOPEN)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Emerging Threats Open ruleset."
+- IDS_RULESET_ACTION="- Download Emerging Threats Open ruleset.\n"
+- ;;
+- ETPRO)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting ETPRO ruleset."
+- TEXT="Please enter your Emerging Threats Pro oinkcode.\n\nIf you don't already have one, you can purchase one from http://www.emergingthreatspro.com/."
+- OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"`
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Entered ETPRO oinkcode $OINKCODE"
+- IDS_RULESET_ACTION="- Download ETPRO ruleset using oinkcode $OINKCODE.\n"
+- ;;
+- TALOS)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy."
+- TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
+- OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"`
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
+- TALOS_POLICY=`zenity --list --radiolist --hide-header --column="1" --column="2" --text="Please choose a Snort Subscriber (Talos) policy." --title "$TITLE" \
+- FALSE "connectivity" \
+- FALSE "balanced" \
+- FALSE "security" `
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Snort Subscriber (Talos) policy $TALOS_POLICY"
+- IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Set Snort Subscriber (Talos) policy to $TALOS_POLICY.\n"
+- ;;
+- TALOSET)
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) and Emerging Threats NoGPL ruleset."
+- TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/."
+- OINKCODE=`zenity --entry --title "$TITLE" --text="$TEXT"`
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE"
+- IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n"
+- ;;
+- *)
+- [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
&& exit 1
+- ;;
+- esac
+- # End of ADVANCED SETUP - SERVER
+-fi
+-
+-#########################################
+-# ADVANCED SETUP - SENSOR
+-#########################################
+-if [ $ADVANCED_SETUP -eq 1 ] && [ $SENSOR -eq 1 ]; then
+-
+- # Remove "-c" from PCAP_OPTIONS for better performance on production networks
+- PCAP_OPTIONS=""
+-
+- # Ask for PF_RING_SLOTS
+- PF_RING_SLOTS_CONFIRMED="no"
+- while [ $PF_RING_SLOTS_CONFIRMED = "no" ]; do
+- PF_RING_SLOTS=`zenity --entry --title "$TITLE" --text="What would you like to set PF__RING min__num__slots to?\n\nThe default is 4096. For busy networks, you may want to increase this to a higher number like 65534.\n\nIf you need to change this later, you can modify /etc/modprobe.d/pf__ring.conf and reload the pf_ring module." --entry-text=4096`
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked Cancel. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- COMPRESSED="$(echo $PF_RING_SLOTS | sed -e 's/[^[:digit:]]//g')"
+- if [ "$COMPRESSED" != "$PF_RING_SLOTS" ] || [ x$PF_RING_SLOTS = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid value! Please use integers only."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: PF_RING min_num_slots set to $PF_RING_SLOTS."
+- PF_RING_SLOTS_CONFIRMED="yes"
+- fi
+- done
+-
+- # Ask which interface(s) to listen on
+- if [ $NUM_INTERFACES -gt 1 ]; then
+- TEXT="Which network interface(s) should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your monitor interfaces are already selected."
+- INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort`
+- if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then
+- [ $?
= 1 ] && exit 1
+- CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces`
+- INPUT=`for i in $INTERFACES; do
+- if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then
+- echo -n "TRUE $i "
+- else
+- echo -n "FALSE $i "
+- fi
+- done`
+- else
+- INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done`
+- fi
+- INTERFACES=`zenity --list --checklist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'`
+- if [ "$INTERFACES" = "" ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
+- exit
+- fi
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES."
+- fi
+- SENSOR_CONFIRM_1="- Monitor each of the following interfaces:\n"
+- SENSOR_CONFIRM_2="$INTERFACES\n"
+-
+- # Determine number of cores and use that as a maximum value for IDS/Bro processes to run
+- LIST=`seq 1 $CALCD_CORES`; SELECTIONS=`for i in $LIST; do echo "FALSE $i"; done`
+-
+- if [ $CUSTOM -eq 1 ]; then
+- # IDS Engine
+- TEXT="The IDS Engine (Snort/Suricata) listens on the interfaces\n\
+-specified on the previous screen and logs IDS alerts.\n\
+-\n\
+-Would you like to enable the IDS Engine?"
+- YES="Yes, enable the IDS Engine!"
+- NO="No, disable the IDS Engine."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling IDS Engine."
+- IDS_ENGINE_ENABLED="no"
+- BARNYARD2_ENABLED="no"
+- SNORT_AGENT_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling IDS Engine."
+- fi
+- fi
+-
+- # IDS Engine Procs
+- if [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then
+- TEXT="How many IDS engine processes would you like to run?\n\
+-\n\
+-Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES IDS engine processes per interface.\n\
+-\n\
+-If you need to change this setting later, change IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf"
+- IDS_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"`
+- if [ "$IDS_LB_PROCS" = "" ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
+- exit
+- fi
+- if [ "$CALCD_CORES" -gt 1 ]; then
+- IDS_LB_PROCS_CONFIRM="- Run $IDS_LB_PROCS load-balanced IDS engine processes per interface.\n"
+- else
+- IDS_LB_PROCS=1
+- IDS_LB_PROCS_CONFIRM="- Run a a single IDS engine process per interface.\n"
+- fi
+- else
+- IDS_LB_PROCS=$CALCD_CORES
+- if [ "$CALCD_CORES" -gt 1 ]; then
+- IDS_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced IDS engine processes per interface.\n"
+- else
+- IDS_LB_PROCS=1
+- IDS_LB_PROCS_CONFIRM="- Run a single IDS engine process per interface.\n"
+- fi
+- fi
+- # Ask if user would like to configure a custom HOME_NET
+- if [ "$IDS_ENGINE_ENABLED" == "yes" ]; then
+- HOME_NET_CONFIRMED="no"
+- while [ "$HOME_NET_CONFIRMED" == "no" ];do
+- TEXT="What would you like to configure HOME__NET as?\n\n\Add a comma (no space) after each address range.\n\n\Ex. 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
+- HOME_NET=`zenity --title="$TITLE" --text="$TEXT" --entry --entry-text="$HOME_NET"`
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting Setup."
+- exit 1
+- else
+- if [ "$HOME_NET" == "" ]; then
+- zenity --error --title "$TITLE" --text="Please provide a value for HOME_NET!"
+- else
+- HOME_NET_CONFIRMED="yes"
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked OK.
Configuring HOME_NET as $HOME_NET."
+- fi
+- fi
+- done
+- fi
+- IDS_HOME_NET_CONFIRM="- Configure IDS HOME_NET as: $HOME_NET.\n"
+- if [ $CUSTOM -eq 1 ]; then
+- # Bro
+- TEXT="Bro listens on the chosen interfaces and writes protocol logs.\n\
+-\n\
+-Would you like to enable Bro?"
+- YES="Yes, enable Bro!"
+- NO="No, disable Bro."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Bro."
+- BRO_ENABLED="no"
+- HTTP_AGENT_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Bro."
+- fi
+-
+- # Bro file extraction
+- if [ "$BRO_ENABLED" == "yes" ]; then
+- TEXT="Bro can extract files (EXEs by default) from your network traffic.\n\nIf enabled, EXEs will be stored in /nsm/bro/extracted/.\n\nWould you like to enable file extraction?"
+- YES="Yes, enable file extraction!"
+- NO="No, disable file extraction."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling file extraction"
+- EXTRACT_FILES="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling file extraction."
+- EXTRACT_FILES="yes"
+- fi
+- fi
+- fi
+-
+- # BRO_LB_PROCS
+- if [ "$BRO_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then
+- TEXT="How many Bro processes would you like to run?\n\
+-\n\
+-Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES Bro processes per interface.
+-\n\
+-If you need to change this setting later, you can change the lb_procs variable in /opt/bro/etc/node.cfg."
+- BRO_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"`
+- if [ "$BRO_LB_PROCS" = "" ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting."
+- exit
+- fi
+- if [ "$CALCD_CORES" -gt 1 ]; then
+- BRO_LB_PROCS_CONFIRM="- Run $BRO_LB_PROCS load-balanced Bro processes per interface.\n"
+- else
+- BRO_LB_PROCS=1
+- BRO_LB_PROCS_CONFIRM="- Run a a single Bro process per interface.\n"
+- fi
+- else
+- BRO_LB_PROCS=$CALCD_CORES
+- if [ "$CALCD_CORES" -gt 1 ]; then
+- BRO_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced Bro processes per interface.\n"
+- else
+- BRO_LB_PROCS=1
+- BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n"
+- fi
+- fi
+-
+- if [ $CUSTOM -eq 1 ]; then
+- # http_agent
+- if [ "$BRO_ENABLED" == "yes" ]; then
+- TEXT="http_agent sends Bro's http.log to the Sguil database.\n\
+-\n\
+-If you plan to access Bro's http.log via ELSA,\n\
+-you may want to disable http_agent to avoid duplication of effort.\n\
+-\n\
+-Would you like to enable http_agent?"
+- YES="Yes, enable http__agent!"
+- NO="No, disable http__agent."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling http_agent."
+- HTTP_AGENT_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling http_agent."
+- HTTP_AGENT_ENABLED="yes"
+- fi
+- fi
+-
+- # Argus
+- TEXT="Argus listens on the chosen interfaces and logs session data to the filesystem.\n\
+-\n\
+-If you plan to use other forms of session data (like Bro's conn.log or Prads),\n\
+-you may want to disable Argus to avoid duplication of effort.\n\
+-\n\
+-Would you like to enable Argus?"
+- YES="Yes, enable Argus!"
+- NO="No, disable Argus."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Argus."
+- ARGUS_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Argus."
+- ARGUS_ENABLED="yes"
+- fi
+-
+- # Prads
+- TEXT="Prads listens on the chosen interfaces and provides session and asset data for Sguil.\n\
+-\n\
+-If you plan to use other forms of session data (like Bro's conn.log or Argus)\n\
+-and/or you plan to use other forms of asset data (like Bro's software.log),\n\
+-you may want to disable Prads to avoid duplication of effort.\n\
+-\n\
+-Would you like to enable Prads?"
+- YES="Yes, enable Prads!"
+- NO="No, disable Prads."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Prads."
+- PRADS_ENABLED="no"
+- PADS_AGENT_ENABLED="no"
+- SANCP_AGENT_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Prads."
+- PRADS_ENABLED="yes"
+- PADS_AGENT_ENABLED="yes"
+- SANCP_AGENT_ENABLED="yes"
+- fi
+-
+- # PCAP
+- TEXT="Full packet capture writes all monitored traffic to disk.\n\
+-\n\
+-Full packet capture requires lots of disk space,\n\
+-but gives you lots of forensic capabilities\n\
+-and is therefore highly recommended!\n\
+-\n\
+-Would you like to enable full packet capture?"
+- YES="Yes, enable full packet capture!"
+- NO="No, disable full packet capture."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling full packet capture."
+- PCAP_ENABLED="no"
+- PCAP_AGENT_ENABLED="no"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling full packet capture."
+- fi
+-
+- # Ask for PCAP_SIZE
+- if [ "$PCAP_ENABLED" == "yes" ]; then
+-
+- # Ask for PCAP_SIZE
+- PCAP_SIZE_CONFIRMED="no"
+- while [ $PCAP_SIZE_CONFIRMED = "no" ]; do
+- PCAP_SIZE=`zenity --entry --title "$TITLE" --text="How big do you want your pcap files to be?\n\nPlease enter an integer in Megabytes (MB). The default is 150 MB."
--entry-text=150`
+- [ $? = 1 ] && exit
+- COMPRESSED="$(echo $PCAP_SIZE | sed -e 's/[^[:digit:]]//g')"
+- if [ "$COMPRESSED" != "$PCAP_SIZE" ] || [ x$PCAP_SIZE = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP size set to $PCAP_SIZE."
+- PCAP_SIZE_CONFIRMED="yes"
+- fi
+- done
+-
+- # Ask about MMAP
+- TEXT="netsniff-ng defaults to using scatter/gather pcap file I/O.\n\
+-\n\
+-For higher performance, you can enable mmap I/O, but this requires more RAM.\n\
+-\n\
+-Would you like to enable mmap I/O?"
+- YES="Yes, enable mmap I/O!"
+- NO="No, use default scatter/gather I/O."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Using scatter/gather."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Using mmap I/O."
+- PCAP_OPTIONS="--mmap"
+- fi
+-
+- # Ask for PCAP_RING_SIZE
+- PCAP_RING_SIZE_CONFIRMED="no"
+- while [ $PCAP_RING_SIZE_CONFIRMED = "no" ]; do
+- PCAP_RING_SIZE=`zenity --entry --title "$TITLE" --text="How large do you want your PCAP ring buffer?\n\nEach monitoring interface will have the specified amount allocated from RAM\nso be sure your system has enough memory. In the case of 4 sensor interfaces\nand a specified ring buffer of 1GB, 4GB of total RAM will be allocated for packet\nbuffering. For busy networks a ring buffer of at least 256MB is recommended.\n\nPlease enter an integer in Megabytes (MB). The default is 64 MB." --entry-text=64`
+- [ $? = 1 ] && exit
+- COMPRESSED="$(echo $PCAP_RING_SIZE | sed -e 's/[^[:digit:]]//g')"
+- if [ "$COMPRESSED" != "$PCAP_RING_SIZE" ] || [ x$PCAP_RING_SIZE = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only."
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP ring size set to $PCAP_RING_SIZE."
+- PCAP_RING_SIZE_CONFIRMED="yes"
+- fi
+- done
+- else
+- # Note about disabling full packet capture
+- YES="Yes, Continue."
+- NO="No, Quit."
+- zenity --title "$TITLE" --question --text="Please note, if you choose not to enable full packet capture, you will not\nbe able to pivot from Sguil to PCAP, or to CapME to retrieve PCAP data.\n\nClick 'Yes' to continue without enabling full packet capture.\n\nOtherwise, click 'No' to exit setup and re-run it to enable the capture of this valuable data." --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- if [ $? = 1 ]; then
+- if [ $DEBUG -eq 1 ]; then
+- echo "DEBUG: Clicked No. Exiting." && exit 1
+- else
+- exit 1
+- fi
+- fi
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing without enabling full packet capture."
+- fi
+-
+- # Ask for CRIT_DISK_USAGE
+- CRIT_DISK_USAGE_CONFIRMED="no"
+- while [ $CRIT_DISK_USAGE_CONFIRMED = "no" ]; do
+- CRIT_DISK_USAGE=`zenity --entry --title "$TITLE" --text="At what percent of disk usage would you like to begin purging old logs?\n\nPlease enter an integer between 10 and 100. The default is 90." --entry-text=90`
+- [ $? = 1 ] && exit
+- COMPRESSED="$(echo $CRIT_DISK_USAGE | sed -e 's/[^[:digit:]]//g')"
+- [ "$COMPRESSED" == "$CRIT_DISK_USAGE" ] &&
+- [ $CRIT_DISK_USAGE -gt 10 ] &&
+- [ $CRIT_DISK_USAGE -lt 100 ] &&
+- CRIT_DISK_USAGE_CONFIRMED="yes" ||
+- zenity --error --title "$TITLE" --text "Invalid percentage! Please use integers between 0 and 100."
+- done
+- let WARN_DISK_USAGE=${CRIT_DISK_USAGE}-10
+- [ $DEBUG -eq 1 ] && echo "DEBUG: CRIT_DISK_USAGE set to $CRIT_DISK_USAGE."
+- fi # End of CUSTOM
+-
+-fi # End of ADVANCED SETUP - SENSOR
+-
+-#########################################
+-# Ask whether or not to use SALT
+-#########################################
+-# Check to see if the securityonion-onionsalt package is installed
+-if [ $ADVANCED_SETUP -eq 1 ] && dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then
+- SALT="yes"
+- if [ $CUSTOM -eq 1 ]; then
+-TEXT="Salt can be enabled to help manage your entire sensor deployment.\n\
+-\n\
+-By default, Salt will automatically keep the following updated:\n\
+-* OS user accounts\n\
+-* SSH keys for those user accounts\n\
+-* IDS rulesets\n\
+-\n\
+-Salt can also be used for remote execution, so you can run a command\n\
+-and have it execute on all sensors across your deployment.\n\
+-\n\
+-Would you like to enable Salt?"
+- YES="Yes, enable Salt!"
+- NO="No, disable Salt"
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 0 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Enable Salt."
+- SALT="yes"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Disable Salt."
+- SALT="no"
+- fi
+- fi
+-fi
+-
+-# End of ADVANCED SETUP
+-
+-#########################################
+-# Ask whether or not to use ELSA
+-#########################################
+-if [ $CUSTOM -eq 1 ]; then
+-TEXT="ELSA (Enterprise Log Search and Archive) is a centralized syslog framework\n\
+-built on Syslog-NG, MySQL, and Sphinx full-text search.\n\
+-\n\
+-It provides a distributed database with a web-based interface\n\
+-for hunting through your logs, including:\n\
+-* Bro logs\n\
+-* OSSEC alerts/logs\n\
+-* Snort/Suricata logs\n\
+-* standard syslog\n\
+-\n\
+-In a distributed deployment with separate server and sensor(s),\n\
+-you'll want to enable/disable ELSA on all boxes. So if you want\n\
+-to use ELSA, you should enable it on the master server and all sensors.\n\
+-\n\
+-Would you like to enable ELSA?"
+- YES="Yes, enable ELSA!"
+- NO="No, disable ELSA."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap
+- ANSWER="$?"
+- if [ $ANSWER -eq 0 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Enable ELSA."
+- ELSA="YES"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Disable ELSA."
+- ELSA="NO"
+- fi
+-
+- # If user chose to enable ELSA, ask about log_size_limit
+- if [ "$ELSA" = "YES" ]; then
+- # If Advanced Setup, ask user
+- if [ $ADVANCED_SETUP -eq 1 ]; then
+- LOG_SIZE_LIMIT_CONFIRMED="no"
+- while [ $LOG_SIZE_LIMIT_CONFIRMED = "no" ]; do
+- LOG_SIZE_LIMIT_GB=`zenity --entry --title "$TITLE" --text="How much disk space (in GigaBytes) should be allocated for ELSA to store logs?\n\nPlease enter an integer greater than 0. The default is half your disk size.\n\nPlease make sure that the value you set here is less than the size of your disk!\n\nIf you need to adjust this later, you can modify log__size__limit in the /etc/elsa__node.conf file." --entry-text=$LOG_SIZE_LIMIT_GB`
+- [ $? = 1 ] && exit
+- if [ x$LOG_SIZE_LIMIT_GB = "x" ]; then
+- zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size."
+- else
+- COMPRESSED="$(echo $LOG_SIZE_LIMIT_GB | sed -e 's/[^[:digit:]]//g')"
+- [ "$COMPRESSED" == "$LOG_SIZE_LIMIT_GB" ] &&
+- [ $LOG_SIZE_LIMIT_GB -gt 0 ] &&
+- [ $LOG_SIZE_LIMIT_GB -lt $DISK_SIZE_GB ] &&
+- LOG_SIZE_LIMIT_CONFIRMED="yes" ||
+- zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size."
+- fi
+- done
+- let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000
+- [ $DEBUG -eq 1 ] && echo "DEBUG: LOG_SIZE_LIMIT set to $LOG_SIZE_LIMIT."
+- fi
+- fi
+-fi
+-
+-# Set ELSA_ACTION_CONFIRM and ask about updating ELSA server if applicable
+-if [ "$ELSA" = "NO" ]; then
+- ELSA_ACTION_CONFIRM="- Disable ELSA."
+-else
+- if [ $SERVER -eq 1 ]; then
+- ELSA_ACTION_CONFIRM="- Configure ELSA as a Log Node and enable web interface.\n"
+- else
+- ELSA_ACTION_CONFIRM="- Configure ELSA as a Log Node.\n"
+-
+- # Ask if they want to update the SERVER and restart Apache
+- TEXT="Would you like to automatically update the ELSA server?\n\
+-\n\
+-This will restart Apache on the ELSA server which will disrupt\n\
+-any ELSA queries running at the time."
+- YES="Yes, update ELSA server!"
+- NO="No, do not update ELSA server."
+- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO"
+- ANSWER="$?"
+- if [ $ANSWER -eq 0 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Update ELSA Server."
+- UPDATE_ELSA_SERVER="YES"
+- else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Do not update ELSA server."
+- UPDATE_ELSA_SERVER="NO"
+- fi
+- fi
+-fi
+-
+-
+-#########################################
+-# If just writing a file, do it and exit
+-#########################################
+-TEXT="$WRITEANSWERFILE has been saved."
+-if [ "$WRITEANSWERFILE" ]; then
+- # write all the answers out
+- save
+- zenity --info --title="$TITLE" --text="$TEXT" --no-wrap
+- exit 0
+-fi
+-
+-
+-#########################################
+-# Confirm all choices before proceeding
+-#########################################
+-# Last chance!
+-TEXT="We're about to do the following:\n\
+-- Set the OS timezone to UTC. \n\
+-- Delete any existing NSM data/configuration. \n\
+-$SERVER_CONFIRM\
+-$SERVER_USER_CONFIRM\
+-$SENSOR_CONFIRM_1\
+-$SENSOR_CONFIRM_2\
+-$SENSOR_CONFIRM_3\
+-$IDS_LB_PROCS_CONFIRM\
+-$BRO_LB_PROCS_CONFIRM\
+-$IDS_RULESET_ACTION\
+-$IDS_HOME_NET_CONFIRM\
+-$ELSA_ACTION_CONFIRM\
+-\n\
+-We're about to make changes to your system!\n\
+-\n\
+-Would you like to continue?"
+-YES="Yes, proceed with the changes!"
+-NO="No, do not make changes!"
+-zenity --question --no-wrap --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO"
+-ANSWER="$?"
+-if [ $ANSWER -eq 1 ]; then
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Do not proceed."
+- exit
+-else
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes to proceed with all changes."
+-fi
+-}
+-
+-#########################################
+-# Begin function CONFIGURE_SERVICES
+-#########################################
+-function CONFIGURE_SERVICES() {
+-
+-#########################################
+-# Remove any tmp files from previous run
+-#########################################
+-rm -f /tmp/GeoIP.dat
+-rm -f /tmp/GeoLiteCity.dat
+-rm -f /tmp/GeoLiteCity.dat.gz
+-
+-#########################################
+-# Create files/dirs as necessary
+-#########################################
+-touch $LOG
+-touch $SENSORTAB
+-mkdir -p /var/log/nsm/
+-
+-#########################################
+-# Set OS timezone to UTC
+-#########################################
+-echo "2"
+-echo "# Please wait while setting OS timezone to UTC..." | tee -a $LOG
+-echo "Etc/UTC" > /etc/timezone
+-dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1
+-date >> $LOG 2>&1
+-
+-if pgrep rsyslog>/dev/null; then
+- echo "4"
+- echo "# Please wait while restarting rsyslog..." | tee -a $LOG
+- service rsyslog restart >> $LOG 2>&1
+-fi
+-
+-echo "4"
+-echo "# Please wait while setting OSSEC timezone to UTC..." | tee -a $LOG
+-cp /etc/localtime /var/ossec/etc/localtime
+-chown root:ossec /var/ossec/etc/localtime
+-
+-# If user enabled ELSA, configure OSSEC to send alerts to local syslog
+-if [ "$ELSA" = "YES" ]; then
+-grep "syslog_output" /var/ossec/etc/ossec.conf >/dev/null || sed -i 's| | \
+- 127.0.0.1\
+- \
+-\
+- |g' /var/ossec/etc/ossec.conf
+-/var/ossec/bin/ossec-control enable client-syslog
+-fi
+-
+-echo "6"
+-echo "# Please wait while restarting OSSEC..."
| tee -a $LOG
+-service ossec-hids-server restart >> $LOG 2>&1
+-
+-#########################################
+-# Stop all Sguil services and delete config
+-#########################################
+-echo "8"
+-echo "# Please wait while stopping all NSM services..." | tee -a $LOG
+-service nsm stop >> $LOG 2>&1
+-pkill suricata
+-pkill snort
+-pkill autossh
+-# Make sure MySQL is running so that we can fully delete the NSM databases
+-[ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1
+-# Uncomment any disabled sensors so that we can fully delete them
+-sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB
+-sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB
+-# Delete all nsm configuration and data
+-/usr/sbin/nsm_all_del_quick >> $LOG 2>&1
+-
+-# Delete any existing ELSA databases.
+-if [ "$ELSA" = "YES" ]; then
+- if [ -d /var/lib/mysql/elsa_web/ ]; then
+- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1
+- fi
+- if [ -d /var/lib/mysql/syslog/ ]; then
+- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1
+- fi
+- if [ -d /var/lib/mysql/syslog_data/ ]; then
+- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1
+- fi
+-fi
+-
+-#########################################
+-# MySQL tuning
+-#########################################
+-
+-# Make changes in /etc/mysql/conf.d/
+-mkdir -p /etc/mysql/conf.d/
+-
+-# https://code.google.com/p/security-onion/issues/detail?id=416
+-# sguild may try to open lots of files
+-# (especially if you are sending prads session data into the sancp table)
+-# so increase open_files_limit on master server
+-if [ $SERVER -eq 1 ]; then
+- cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf
+-[mysqld]
+-open_files_limit = 90000
+-EOF
+-fi
+-
+-# https://code.google.com/p/security-onion/issues/detail?id=388
+-# http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql
+-cat << EOF >
/etc/mysql/conf.d/securityonion-ibdata1.cnf
+-[mysqld]
+-innodb_file_per_table
+-EOF
+-
+-# Restart mysql to make changes take effect
+-pgrep -lf mysqld >/dev/null && restart mysql >> $LOG 2>&1
+-
+-#########################################
+-# PF_RING
+-#########################################
+-rmmod pf_ring >> $LOG 2>&1
+-echo "options pf_ring transparent_mode=0 min_num_slots=$PF_RING_SLOTS" > /etc/modprobe.d/pf_ring.conf
+-
+-#########################################
+-# Firewall
+-# When enabling ufw over SSH, it says it might disrupt the SSH
+-# connection and asks for confirmation, so we put in the "allow 22" first,
+-# and then echo "y" into the "ufw enable".
+-#########################################
+-# Open port 22 for remote administration
+-ufw allow 22/tcp >> $LOG 2>&1
+-# Enable ufw if not already enabled
+-echo "y" | ufw enable >> $LOG 2>&1
+-
+-#########################################
+-# HIDS Sensor
+-#########################################
+-SENSORNAME="$HOSTNAME-ossec"
+-sed -i "s|^set HOSTNAME.*$|set HOSTNAME $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf
+-sed -i "s|^set NET_GROUP.*$|set NET_GROUP $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf
+-sed -i "s|^set SERVER_HOST.*$|set SERVER_HOST $SERVERNAME|g" /etc/nsm/ossec/ossec_agent.conf
+-pkill -f ossec_agent
+-
+-#########################################
+-# Add the Sguil server if necessary
+-#########################################
+-if [ $SERVER -eq 1 ]; then
+-# If this box was previously a slave, we need to remove securityonion_ssh.conf
+-rm -f /root/.ssh/securityonion_ssh.conf
+-echo "10"
+-echo "# Please wait while creating the Sguil server..."
| tee -a $LOG
+-/usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1
+-
+-fi
+-
+-#########################################
+-# Sguil Sensor(s) if necessary
+-#########################################
+-if [ $SENSOR -eq 1 ]; then
+-echo "20"
+-echo "# Please wait while creating Sguil sensor(s)..." | tee -a $LOG
+-BY2PORT=8000
+-HOST_ORIG=`hostname`
+-HOSTNAME=${HOST_ORIG,,}
+-
+-# Configure SSH Key authentication to server if necessary
+-if [ "$SERVERNAME" != "localhost" ]; then
+- mkdir -p $SSH_DIR
+- [ -f "$KEY" ] && mv $KEY $KEY.old
+- ssh-keygen -f "$KEY" -N '' >> $LOG 2>&1
+- chmod 600 "$KEY"*
+- if [ "$OUTPUT" = "gui" ]; then
+- # ssh-copy-id needs to get new HOME directory using sudo -i
+- xfce4-terminal -x sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME
+- else
+- # ssh-copy-id needs to get new HOME directory using sudo -i
+- sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME
+- fi
+-
+- # Need to open ports in server firewall to allow connections from sensor
+- echo "IPADDRESS=\`who -m --ips | awk '{print \$5}' |cut -d\( -f2 | cut -d\) -f1\`" >> $SOSETUPSCP
+- echo "ufw allow proto tcp from \$IPADDRESS to any port 22,4505,4506,7736" >> $SOSETUPSCP
+- # Copy the script over
+- scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1
+- # Run the script on the master server using sudo
+- if [ "$OUTPUT" = "gui" ]; then
+- xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP
+- else
+- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1
+- fi
+- # Cleanup
+- rm -f $SOSETUPSCP
+- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1
+-
+- # Backup existing files
+- mkdir -p /etc/nsm/rules/backup/
+- cp
/etc/nsm/rules/downloaded.rules /etc/nsm/rules/backup/downloaded.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+- cp /etc/nsm/rules/local.rules /etc/nsm/rules/backup/local.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+- cp /etc/nsm/rules/so_rules.rules /etc/nsm/rules/backup/so_rules.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+- cp /etc/nsm/rules/sid-msg.map /etc/nsm/rules/backup/sid-msg.map.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+- cp /etc/nsm/rules/threshold.conf /etc/nsm/rules/backup/threshold.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+- cp /etc/nsm/rules/bpf.conf /etc/nsm/rules/backup/bpf.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1
+-
+- # Copy files from server
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/downloaded.rules /etc/nsm/rules/downloaded.rules >> $LOG 2>&1
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/local.rules /etc/nsm/rules/local.rules >> $LOG 2>&1
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/so_rules.rules /etc/nsm/rules/so_rules.rules >> $LOG 2>&1
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/sid-msg.map /etc/nsm/rules/sid-msg.map >> $LOG 2>&1
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/threshold.conf /etc/nsm/rules/threshold.conf >> $LOG 2>&1
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/bpf.conf /etc/nsm/rules/bpf.conf >> $LOG 2>&1
+-
+- # Set IDS_ENGINE variable
+- scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/securityonion.conf $SECURITYONION_CONF_MASTER >> $LOG 2>&1
+- IDS_ENGINE=`grep ENGINE $SECURITYONION_CONF_MASTER 2>/dev/null | cut -d\= -f2`
+- rm -f $SECURITYONION_CONF_MASTER
+-
+- # Save configuration
+- echo "SSH_USERNAME=$SSH_USERNAME" > $SSH_CONF
+- echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF
+-fi
+-
+-# NIDS sensor(s)
+-for INTERFACE in $ALL_INTERFACES; do
+- SENSORNAME="$HOSTNAME-$INTERFACE"
+- echo "# Please wait while creating Sguil sensor: $SENSORNAME..." | tee -a $LOG
+- [ $DEBUG -eq 1 ] && echo "DEBUG: Adding Sensor $INTERFACE."
+-
+- # Add the sensor
+- /usr/sbin/nsm_sensor_add --sensor-name="$SENSORNAME" --sensor-interface="$INTERFACE" --sensor-interface-auto=no \
+- --sensor-server-host="$SERVERNAME" --sensor-server-port=7736 \
+- --sensor-barnyard2-port=$BY2PORT --sensor-auto=yes --sensor-utc=yes \
+- --sensor-vlan-tagging=no --sensor-net-group="$SENSORNAME" --force-yes >> $LOG 2>&1
+-
+- # Increment the Barnyard2 port number by 100
+- let BY2PORT=BY2PORT+100
+-
+- # Copy our customized snort.conf (and associated files) into place
+- cp /etc/nsm/templates/snort/attribute_table.dtd /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1
+- cp /etc/nsm/templates/snort/snort.conf /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1
+- cp /etc/nsm/templates/snort/unicode.map /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1
+- cp /etc/nsm/templates/suricata/suricata.yaml.in /etc/nsm/"$SENSORNAME"/suricata.yaml >> $LOG 2>&1
+-
+- # Grab MTU for interface(s) and add 24 to snaplen for VLAN-tagging, etc
+- MTU=`cat /sys/class/net/$INTERFACE/mtu`
+- MTU_FIN=`echo $(($MTU+24))`
+-
+- # Write IDS config to files
+- sed -i "s|# config snaplen:|config snaplen: $MTU_FIN|g" /etc/nsm/"$SENSORNAME"/snort.conf
+- sed -i "s|^ipvar HOME_NET.*|ipvar HOME_NET \[$HOME_NET\]|g" /etc/nsm/"$SENSORNAME"/snort.conf
+- sed -i "s|classification-file: /etc/suricata/classification.config|classification-file: /etc/nsm/$SENSORNAME/classification.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s|reference-config-file: /etc/suricata/reference.config|reference-config-file: /etc/nsm/$SENSORNAME/reference.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s|# threshold-file: /etc/suricata/threshold.config|threshold-file: /etc/nsm/$SENSORNAME/threshold.conf|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s|filename: unified2.alert|filename: snort.unified2|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- #sed -i "s|threads: 1|threads: $IDS_LB_PROCS|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s|interface: eth0|interface: $INTERFACE|g"
/etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s|cluster-id: 99|cluster-id: $BY2PORT|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- sed -i "s| HOME_NET:.*| HOME_NET: \"[$HOME_NET]\"|g" /etc/nsm/"$SENSORNAME"/suricata.yaml
+- mkdir -p /usr/local/lib/snort_dynamicrules
+-
+- # /etc/nsm/rules/
+- if [ ! -f /etc/nsm/rules/bpf.conf ]; then touch /etc/nsm/rules/bpf.conf; fi
+- if [ ! -f /etc/nsm/rules/threshold.conf ]; then cp /etc/nsm/templates/snort/threshold.conf /etc/nsm/rules/; fi
+- if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi
+- if [ ! -f /etc/nsm/rules/classification.config ]; then
+- grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config |sort -u > /etc/nsm/rules/classification.config
+- fi
+- if [ ! -f /etc/nsm/rules/reference.config ]; then
+- grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config |sort -u > /etc/nsm/rules/reference.config
+- fi
+-
+- # Create symbolic links for bpf.conf, threshold.conf, sid-msg.map, gen-msg.map, classification.config, and reference.config
+- for FILENAME in bpf.conf threshold.conf sid-msg.map gen-msg.map classification.config reference.config
+- do
+- rm -f /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1
+- ln -s /etc/nsm/rules/$FILENAME /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1
+- done
+-
+- # Create symbolic links for individual bpf-*.conf files pointing to the sensor bpf.conf (which points to the GLOBAL bpf.conf)
+- cd /etc/nsm/"$SENSORNAME"
+- for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf bpf-prads.conf
+- do
+- ln -s bpf.conf $FILENAME >> $LOG 2>&1
+- done
+- cd - >/dev/null
+-
+- # Add options to sensor.conf
+- echo "PCAP_OPTIONS=\"$PCAP_OPTIONS\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf
+- echo "PCAP_SIZE=${PCAP_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf
+- echo "PCAP_RING_SIZE=${PCAP_RING_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf
+- echo
"IDS_LB_PROCS=$IDS_LB_PROCS" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PCAP_ENABLED=\"$PCAP_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PCAP_AGENT_ENABLED=\"$PCAP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "SNORT_AGENT_ENABLED=\"$SNORT_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "IDS_ENGINE_ENABLED=\"$IDS_ENGINE_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "BARNYARD2_ENABLED=\"$BARNYARD2_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PRADS_ENABLED=\"$PRADS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "SANCP_AGENT_ENABLED=\"$SANCP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PADS_AGENT_ENABLED=\"$PADS_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "ARGUS_ENABLED=\"$ARGUS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "HTTP_AGENT_ENABLED=\"$HTTP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- +- # Create symbolic link for sensor rules directory on server +- # Since a user may have as many Snort/Suricata instances as they have CPU cores, +- # we need to create a symbolic link for each and every CPU core. 
+- if [ "$SERVERNAME" = "localhost" ]; then
+- ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME" >> $LOG 2>&1
+- for i in `seq 1 $CORES`; do ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME"-$i >> $LOG 2>&1; done
+- else
+- echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME" >> $SOSETUPSCP
+- for i in `seq 1 $CORES`; do
+- echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME-$i" >> $SOSETUPSCP
+- done
+- fi
+-
+- # Configure snort.conf to log statistics to /nsm/sensor_data/"$SENSORNAME"/snort.stats
+- sed -i "s|# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000|preprocessor perfmonitor: time 300 file /nsm/sensor_data/"$SENSORNAME"/snort.stats pktcnt 10000|" /etc/nsm/"$SENSORNAME"/snort.conf >> $LOG 2>&1
+-
+- # Setup should create snort.stats to prevent Sguil errors when running Suricata
+- # http://code.google.com/p/security-onion/issues/detail?id=257
+- touch /nsm/sensor_data/"$SENSORNAME"/snort.stats
+-
+-done
+-
+-# We just enabled all available interfaces in /etc/nsm/sensortab.
+-# Now we need to go back and disable any unwanted interfaces.
+-INTERFACES_CSV=`for i in $INTERFACES; do echo -n "$i,"; done`
+-for INTERFACE in $ALL_INTERFACES; do
+- if echo $INTERFACES_CSV | grep "$INTERFACE," >/dev/null 2>&1; then
+- echo "Leaving $INTERFACE as-is (enabled)." >> $LOG 2>&1
+- else
+- echo "$INTERFACE not found in selected interfaces. Disabling." >> $LOG 2>&1
+- sed -i "s|^$HOSTNAME-$INTERFACE|#$HOSTNAME-$INTERFACE|g" /etc/nsm/sensortab
+- fi
+-done
+-
+-# Bro
+-if grep -v "^#" $SENSORTAB > /dev/null; then
+- # If user selected Quick Setup, do standalone config.
+- # Otherwise, do cluster config.
+- if [ $ADVANCED_SETUP -eq 0 ]; then
+- # standalone config
+- INTERFACE=`grep -v "^#" $SENSORTAB | awk '{print $4}'`
+- cat << EOF > /opt/bro/etc/node.cfg
+-[bro]
+-type=standalone
+-host=localhost
+-interface=$INTERFACE
+-EOF
+- else
+- # User selected Advanced Setup, so do cluster config
+- cat << EOF > /opt/bro/etc/node.cfg
+-[manager]
+-type=manager
+-host=localhost
+-
+-[proxy]
+-type=proxy
+-host=localhost
+-
+-EOF
+- # Don't need to change to IP address anymore
+- #IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
+- #sed -i "s|host=localhost|host=$IP|g" /opt/bro/etc/node.cfg
+-
+- # Go ahead and populate the file with all available interfaces
+- # Comment out inactive interfaces
+- # grep -v "^#" $SENSORTAB | awk '{print $1}' |while read SENSOR
+- for INTERFACE in $ALL_INTERFACES; do
+- if echo $INTERFACES_CSV |grep "$INTERFACE," >/dev/null 2>&1; then
+- echo "* Configuring Bro to monitor $INTERFACE" >> $LOG 2>&1
+- cat << EOF >> /opt/bro/etc/node.cfg
+-[$HOSTNAME-$INTERFACE]
+-type=worker
+-host=localhost
+-interface=$INTERFACE
+-lb_method=pf_ring
+-lb_procs=$BRO_LB_PROCS
+-
+-EOF
+- else
+- cat << EOF >> /opt/bro/etc/node.cfg
+-#[$HOSTNAME-$INTERFACE]
+-#type=worker
+-#host=localhost
+-#inter#face=$INTERFACE
+-#lb_method=pf_ring
+-#lb_procs=$BRO_LB_PROCS
+-
+-EOF
+- fi
+- done
+-
+- # Bro 2.2 should support PF_RING on multiple interfaces properly now, so comment this out.
+- # If monitoring more than one interface, disable PF_RING:
+- # http://securityonion.blogspot.com/2013/02/important-note-for-those-monitoring.html
+- #if [ `echo $INTERFACES | wc -w` -gt 1 ]; then
+- # sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg
+- # sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg
+- #fi
+- fi
+- # Finished with node.cfg
+- # Now update networks.cfg
+- sed -i '1,4!d' /opt/bro/etc/networks.cfg
+- echo $HOME_NET | tr , '\n\\' >> /opt/bro/etc/networks.cfg
+- # update broctl.cfg
+- if grep "nsm" /opt/bro/etc/broctl.cfg >/dev/null; then
+- echo "/opt/bro/etc/broctl.cfg already contains nsm" >> $LOG 2>&1
+- else
+- # Before Bro 2.4, broctl.cfg defaulted to /var/opt/bro/
+- sed -i 's|SpoolDir = /var/opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg
+- sed -i 's|LogDir = /var/opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg
+- # Starting with Bro 2.4, broctl.cfg defaults to /opt/bro/
+- sed -i 's|SpoolDir = /opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg
+- sed -i 's|LogDir = /opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg
+- fi
+- # Finished updating config files
+-
+- # create the /nsm/bro/ directories
+- mkdir -p /nsm/bro/spool
+- mkdir -p /nsm/bro/logs
+- mkdir -p /nsm/bro/extracted
+-
+- # Enable Bro file extraction
+- if [ "$EXTRACT_FILES" = "yes" ]; then
+- sed -i 's|^#@load file-extraction|@load file-extraction|g' /opt/bro/share/bro/site/local.bro
+- else
+- sed -i 's|^@load file-extraction|#@load file-extraction|g' /opt/bro/share/bro/site/local.bro
+- fi
+-
+-fi
+-
+-fi
+-
+-#########################################
+-# /etc/nsm/securityonion.conf
+-#########################################
+-echo "30"
+-echo "# Please wait while configuring $CONF..."
| tee -a $LOG
+-DATE=`date`
+-IDS_ENGINE_LOWER=`echo ${IDS_ENGINE,,}`
+-cat << EOF > $CONF
+-# /etc/nsm/securityonion.conf
+-# Generated by Security Onion Setup (sosetup) at $DATE
+-
+-# Which IDS engine would you like to run?
+-ENGINE=$IDS_ENGINE_LOWER
+-
+-# How many days would you like to keep in the Sguil database archive?
+-DAYSTOKEEP=$DAYSTOKEEP
+-
+-# How many days worth of tables would you like to repair every day?
+-DAYSTOREPAIR=$DAYSTOREPAIR
+-
+-# At what percentage of disk usage should the NSM scripts warn you?
+-WARN_DISK_USAGE=$WARN_DISK_USAGE
+-
+-# At what percentage of disk usage should the NSM scripts begin purging old data?
+-CRIT_DISK_USAGE=$CRIT_DISK_USAGE
+-
+-# Do you want to run Bro? yes/no
+-BRO_ENABLED=$BRO_ENABLED
+-
+-# BRO_USER specifies the user account used to start Bro.
+-BRO_USER=sguil
+-BRO_GROUP=sguil
+-
+-# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
+-# Do you want to run the OSSEC Agent? yes/no
+-OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED
+-
+-# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
+-OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL
+-
+-# Do you want to run Xplico? yes/no
+-XPLICO_ENABLED=$XPLICO_ENABLED
+-
+-# LOCAL_HIDS_RULE_TUNING
+-# If set to no (default), sensor will copy OSSEC rules from master server as-is (no changes).
+-# If set to yes, sensor will keep its own copy of the OSSEC rules.
+-LOCAL_HIDS_RULE_TUNING=no
+-
+-# LOCAL_NIDS_RULE_TUNING
+-# The effect of this option is different depending on whether this box is a server or not.
+-# SERVER
+-# LOCAL_NIDS_RULE_TUNING=yes
+-# rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
+-# LOCAL_NIDS_RULE_TUNING=no
+-# rule-update will try to download rules from the Internet
+-# SENSOR-ONLY
+-# LOCAL_NIDS_RULE_TUNING=yes
+-# rule-update will copy rules from master server and then try to run PulledPork locally for tuning
+-# LOCAL_NIDS_RULE_TUNING=no
+-# rule-update will copy rules from master server as-is (no changes)
+-EOF
+-
+-#########################################
+-# Download rules using Pulledpork
+-#########################################
+-if [ "$SERVERNAME" = "localhost" ]; then
+- echo "40"
+- echo "# Please wait while configuring IDS Ruleset..." | tee -a $LOG
+- # Start from a clean slate (pulledpork.conf.master)
+- # Here are the rule_url directives in pulledpork.conf.master:
+- # (note that the ET ruleset is uncommented and the other two are commented)
+-
+- # #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
+- # #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
+- # rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
+- # #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|
+-
+- cp /etc/nsm/templates/pulledpork/pulledpork.conf.master $PP_CONF >> $LOG 2>&1
+-
+- # Start with the assumption that Internet is down
+- # If all necessary sites are up, then initiate PulledPork
+- INTERNET="DOWN"
+-
+- case $IDS_RULESET in
+- ETOPEN)
+- echo "Already configured for Emerging Threats Open ruleset." >> $LOG 2>&1
+- # Test Internet access
+- curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
+- ;;
+- ETPRO)
+- echo "Configuring for ETPRO ruleset."
>> $LOG 2>&1
+- # Snort is already disabled in pulledpork.conf.master
+- # Comment out emergingthreats.net
+- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
+- # Un-comment emergingthreatspro.com
+- sed -i "s\#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|\rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
+- # Test Internet access
+- curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
+- ;;
+- TALOS)
+- echo "Configuring for Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy." >> $LOG 2>&1
+- # Comment out emergingthreats.net
+- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
+- # Un-comment snort.org reg-rules
+- sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
+- # Un-comment snort.org community rules
+- sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
+- # Set Snort Subscriber (Talos) Policy.
+- sed -i "s|# ips_policy=security|ips_policy=$TALOS_POLICY|g" $PP_CONF >> $LOG 2>&1
+- # Test Internet access
+- curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
+- ;;
+- TALOSET)
+- echo "Configuring for Snort Subscriber (Talos) and Emerging Threats NoGPL rulesets" >> $LOG 2>&1
+- # Un-comment snort.org reg-rules
+- sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
+- # Un-comment snort.org community rules
+- sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
+- # Change open to open-nogpl
+- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl\g' $PP_CONF >> $LOG 2>&1
+- # Test Internet access
+- curl -s $ET_URL >/dev/null 2>&1 && curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
+- ;;
+- esac
+-
+- # Disable noisy Suricata rules
+- if ! grep "Security Onion Setup" /etc/nsm/pulledpork/disablesid.conf >/dev/null 2>&1; then
+-cat << EOF >> /etc/nsm/pulledpork/disablesid.conf
+-
+-# Added by Security Onion Setup
+-stream-events
+-pcre:SURICATA\ ICMPv6
+-EOF
+- fi
+-
+- if [ "$INTERNET" = "UP" ]; then
+- echo "45"
+- echo "# Please wait while executing PulledPork to download rules..." | tee -a $LOG
+- echo "LOCAL_NIDS_RULE_TUNING=no" >> $CONF
+- date > /var/log/nsm/pulledpork.log
+- /usr/sbin/rule-update >> /var/log/nsm/pulledpork.log 2>&1
+- else
+- echo "LOCAL_NIDS_RULE_TUNING=yes" >> $CONF
+- echo "Can't reach rule download sites. Setting LOCAL_NIDS_RULE_TUNING to yes."
>> $LOG 2>&1
+- fi
+-fi
+-
+-#########################################
+-# Apache configuration
+-#########################################
+-SSH_DIR="/root/.ssh"
+-SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
+-echo "50"
+-if [ -f $SSH_CONF ]; then
+- # We are a SENSOR
+- echo "# Please wait while stopping and disabling Apache..." | tee -a $LOG
+- # Sensors don't need the Apache web server, so stop and disable it
+- service apache2 stop >> $LOG 2>&1
+- update-rc.d -f apache2 disable >> $LOG 2>&1
+-else
+- # We are the MASTER.
+-
+- # Make sure that the Apache web server is enabled
+- update-rc.d -f apache2 enable >> $LOG 2>&1
+-
+- # Enable new securityonion site
+- a2ensite securityonion >> $LOG 2>&1
+-
+- # Disable old default-ssl site
+- a2dissite default-ssl >> $LOG 2>&1
+-
+- # Determine IP address to be used below in Squert database
+- IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
+-
+- # Pivot from Squert to ELSA
+- #URL="https://$IP/elsa-query/?query_string=\"\${var}\"%20groupby:program"
+- # We can use a relative hyperlink now that Apache is proxying ELSA at /elsa-query
+- URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program"
+- HEXVAL=$(xxd -pu -c 256 <<< "$URL")
+- [ "$ELSA" = "YES" ] && mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');"
+-
+- # Restart web server
+- apache2ctl restart >> $LOG 2>&1
+-fi
+-
+-#########################################
+-# Configure Salt
+-#########################################
+-echo "70"
+-echo "# Please wait while configuring salt..."
| tee -a $LOG
+-if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then
+- if [ "$SALT" = "no" ]; then
+- # Stop both running salt services
+- service salt-master stop >> $LOG 2>&1
+- service salt-minion stop >> $LOG 2>&1
+- # Disable both salt services
+- [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override
+- [ -f /etc/init/salt-minion.conf ] && echo "manual" > /etc/init/salt-minion.override
+- # If the box had previously been configured with salt, we need to remove the cron job
+- [ -f /etc/cron.d/salt-update ] && rm -f /etc/cron.d/salt-update
+- else
+- # Enable Salt
+- # Salt uses FQDN instead of just hostname
+- FQDN=`python -c 'import socket; print socket.getfqdn()'`
+- if [ $SERVER -eq 1 ]; then
+- # If this box is a Master Server we need to run salt-master
+- # Copy init.sls.template to init.sls
+- cp /opt/onionsalt/pillar/users/init.sls.template /opt/onionsalt/pillar/users/init.sls
+- # Copy top.sls.template to top.sls
+- TOPSLS="/opt/onionsalt/salt/top.sls"
+- cp $TOPSLS.template $TOPSLS
+- # Comment out examples in top.sls
+- sed -i "s|^ 'A\*':$|# 'A*':|g" $TOPSLS
+- sed -i "s|^ - sensor|# - sensor|g" $TOPSLS
+- sed -i "s|^ 'C\*':$|# 'C*':|g" $TOPSLS
+- sed -i "s|^ - backend|# - backend|g" $TOPSLS
+- # Add backend config to top.sls
+- echo " '$FQDN':" >> $TOPSLS
+- echo " - backend" >> $TOPSLS
+- echo "" >> $TOPSLS
+- # If salt-master is DISABLED we need to enable it
+- [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
+- [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override
+- # Start salt-master
+- service salt-master restart >> $LOG 2>&1
+- # We no longer open the salt port by default
+- # This is now done when the sensor runs Setup
+- #ufw allow salt >> $LOG 2>&1
+- else
+- # If this box is not a Master we need to disable salt-master
+- # Stop salt-master
+- service salt-master stop >> $LOG 2>&1
+- # Disable salt-master
+- [ -f
/etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override
+- # Tell the salt-master that we are a sensor
+- cat << EOF >> $SOSETUPSCP
+-if ! grep "'$FQDN':" /opt/onionsalt/salt/top.sls >/dev/null 2>&1; then
+-echo " '$FQDN':" >> /opt/onionsalt/salt/top.sls
+-echo " - sensor" >> /opt/onionsalt/salt/top.sls
+-echo "" >> /opt/onionsalt/salt/top.sls
+-fi
+-EOF
+- fi
+-
+- # All boxes run salt-minion
+- # Configure minion
+- echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf
+- # If salt-minion is DISABLED, enable it
+- [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
+- [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override
+- service salt-minion restart >> $LOG 2>&1
+-
+- # salt-master needs to accept the key from salt-minion
+- if [ "$SERVERNAME" = "localhost" ]; then
+- TIMER=60
+- while [ $TIMER -gt 0 ]; do
+- if salt-key -l accepted 2>&1 |grep "^$FQDN$" > /dev/null 2>&1; then
+- echo "salt-minion key already accepted" >> $LOG
+- TIMER=0
+- elif salt-key -l unaccepted 2>&1 | grep "^$FQDN$" > /dev/null 2>&1; then
+- salt-key -a $FQDN -y >> $LOG 2>&1
+- TIMER=0
+- else
+- let TIMER=TIMER-1
+- echo "salt-minion hasn't checked in yet, $TIMER seconds remaining until timeout" >> $LOG
+- sleep 1s
+- fi
+- done
+- else
+- # this is a sensor-only box so we have to ask the master to accept the key via SOSETUPSCP
+- echo "salt-key -a $FQDN -y" >> $SOSETUPSCP
+- fi
+- fi
+-fi
+-
+-#########################################
+-# Start securityonion services
+-#########################################
+-# disable the snorby output in all barnyard config files
+-sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf >> $LOG 2>&1
+-echo "80"
+-echo "# Please wait while starting all Security Onion services..."
| tee -a $LOG +-/sbin/start securityonion >> $LOG 2>&1 +-sleep 10s +- +-######################################### +-# Create icons +-######################################### +-if [ $SERVER -eq 1 ]; then +- +- # Add launchers to /etc/skel/ for new users +- DIR="/etc/skel/Desktop" +- mkdir -p $DIR +- +- # Create README launcher +- README_LAUNCHER="$DIR/securityonion-readme.desktop" +- cat << EOF > $README_LAUNCHER +-[Desktop Entry] +-Version=1.0 +-Type=Application +-Name=README +-Comment= +-Exec=/etc/alternatives/x-www-browser https://localhost +-Icon=web-browser +-Path= +-Terminal=false +-StartupNotify=false +-Categories=SecurityOnion; +-EOF +- +- # Use README launcher as template to create SQUERT launcher +- SQUERT_LAUNCHER="$DIR/securityonion-squert.desktop" +- cp $README_LAUNCHER $SQUERT_LAUNCHER +- sed -i 's|https://localhost|https://localhost/squert|g' $SQUERT_LAUNCHER +- sed -i 's|Name=README|Name=Squert|g' $SQUERT_LAUNCHER +- +- # Use README launcher as template to create ELSA launcher (if enabled) +- if [ "$ELSA" = "YES" ]; then +- ELSA_LAUNCHER="$DIR/securityonion-elsa.desktop" +- cp $README_LAUNCHER $ELSA_LAUNCHER +- sed -i 's|https://localhost|https://localhost/elsa|g' $ELSA_LAUNCHER +- sed -i 's|Name=README|Name=ELSA|g' $ELSA_LAUNCHER +- fi +- +- # Copy web launchers to /usr/share/applications +- cp $DIR/securityonion-*.desktop /usr/share/applications/ +- +- # Copy Sguil launcher from /usr/share/applications/ +- SGUIL="$DIR/securityonion-sguil.desktop" +- cp /usr/share/applications/securityonion-sguil.desktop $SGUIL +- +- # Copy launchers from /etc/skel to existing user Desktop directories +- for i in `ls /home/`; do +- mkdir -p /home/$i/Desktop +- cp /etc/skel/Desktop/securityonion-*.desktop /home/$i/Desktop/ +- chown $i:$i /home/$i/Desktop/securityonion-*.desktop +- done +- +- # Make launchers executable +- chmod +x /etc/skel/Desktop/*.desktop +- chmod +x /home/*/Desktop/securityonion-*.desktop +- +-fi +- +-######################################### 
+-# Configure ELSA +-######################################### +-if [ "$ELSA" = "YES" ]; then +- echo "90" +- echo "# Please wait while configuring ELSA..." | tee -a $LOG +- +- # update LOG_SIZE_LIMIT +- sed -i "s|\"log_size_limit\" :.*$|\"log_size_limit\" : $LOG_SIZE_LIMIT,|g" /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-node.conf +- +- # check if there is an ELSA directive already +- ELSA_USE=$(grep "ELSA=" $CONF) +- if [ ! $? -eq 0 ]; then +- echo "" >> $CONF +- echo "# ELSA" >> $CONF +- echo "ELSA=YES" >> $CONF +- else +- sed -i 's,ELSA=NO,ELSA=YES,' $CONF +- fi +- +- # Delete sphinxsearch binlog files +- rm -f /var/lib/sphinxsearch/data/binlog.* +- +- # Configure all Log Node and Web Node functionality if we are a server +- if [ $SERVER -eq 1 ]; then +- /usr/bin/securityonion-elsa-config.sh -t WEB >> $LOG 2>&1 +- # restart apache to update ELSA APIKEY +- apache2ctl restart >> $LOG 2>&1 +- else +- /usr/bin/securityonion-elsa-config.sh -t LOG >> $LOG 2>&1 +- # Update the securityonion group +- echo "usermod -a -G securityonion $SSH_USERNAME" >> $SOSETUPSCP +- fi +-fi +-} +- +-function SERVER_QUEUE() { +-######################################### +-# Send all queued commands to server +-######################################### +-if [ "$SERVERNAME" != "localhost" ]; then +- # Copy the script over +- scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1 +- # Run the script on the master server using sudo +- if [ "$OUTPUT" = "gui" ]; then +- xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP +- else +- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1 +- fi +- # Cleanup +- rm -f $SOSETUPSCP +- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 +-fi +- +-if [ $SERVER -ne 1 ] && [ "$ELSA" = "YES" ]; then +- # Register the log node and restart the server. 
+- SSH_CMD="/usr/bin/securityonion_elsa_register.rb --register --peer-name `hostname` --force" +- ELSA_REGISTER_RESPONSE=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME $SSH_CMD` +- ELSA_PORT=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f1` +- ELSA_APIKEY=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f2` +- # If ELSA_PORT is not already in SSH_CONF, then store it for future use. +- if grep "ELSA_PORT=" $SSH_CONF >/dev/null 2>&1; then +- echo "ELSA_PORT already exists in $SSH_CONF." >> $LOG 2>&1 +- else +- echo "ELSA_PORT=$ELSA_PORT" >> $SSH_CONF +- fi +- # Update the local ELSA API key +- /usr/bin/securityonion_elsa_register.rb --update-apikey $ELSA_APIKEY >> $LOG 2>&1 +- # Restart starman for new API key +- service starman stop >> $LOG 2>&1 +- service starman start >> $LOG 2>&1 +- # Since the securityonion service started before we the ELSA ports +- # were determined, we need to tear down the SSH tunnel and restart it. +- # Kill autossh with SIGINT +- if pgrep autossh>/dev/null; then +- kill -SIGINT `pgrep autossh` +- # Restart the autossh tunnel +- /usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 -R $ELSA_PORT:localhost:3154 $SSH_USERNAME@$SERVERNAME +- fi +- if [ "$UPDATE_ELSA_SERVER" = "YES" ]; then +- # Instruct the server to restart apache2. 
+- # Run the script with sudo +- if [ "$OUTPUT" = "gui" ]; then +- xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart +- else +- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart >> $LOG 2>&1 +- fi +- fi +-fi +-} +- +-function MINION() { +-dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null && [ "$SALT" = "yes" ] && salt-call state.highstate >> /var/log/nsm/sosetup_salt_call.log 2>&1 & +-} +- +- +-function MOVELOG() { +-# Move log file from /tmp/ to /var/log/nsm/ +-mv $LOG /var/log/nsm/sosetup.log +-LOG="/var/log/nsm/sosetup.log" +-} +- +-function IP2C() { +-# If this is a server, populate ip2c table +-if [ -d /var/lib/mysql/securityonion_db/ ]; then +- /usr/sbin/sguild-add-user "$SGUIL_CLIENT_USERNAME" "$SGUIL_CLIENT_PASSWORD_1" >/dev/null +- # Setup needs to delete /var/www/so/squert/.scripts/*.md5 before running ip2c.tcl +- # http://code.google.com/p/security-onion/issues/detail?id=250 +- rm -f /var/www/so/squert/.scripts/*.md5 +- /usr/sbin/so-squert-ip2c >> $LOG 2>&1 & +-fi +-} +- +-######################################### +-# FINAL (FIN) OUTPUT FUNCTIONS +-######################################### +-function FIN1() { +-TEXT="Security Onion Setup is now complete! \n \ +-\n \ +-Setup log can be found here:\n \ +-$LOG\n \ +-\n \ +-You may view IDS alerts using Sguil, Squert, or ELSA (if enabled). \n \ +-\n \ +-Bro logs can be found in ELSA (if enabled) and the following location: \n \ +-/nsm/bro/" +-} +- +-function FIN2() { +-TEXT="You can check the status of your running services with the sostat utilites:\n \ +-\n \ +-'sudo sostat' will give you DETAILED information about your service status.\n \ +-\n \ +-'sudo sostat-quick' will give you a guided tour of the sostat output.\n \ +-\n \ +-'sudo sostat-redacted' will give you REDACTED information to share with our mailing list if you have questions." 
+-} +- +-function FIN3() { +-if [ $SERVER -eq 1 ]; then +-source /etc/nsm/securityonion.conf +-if [ "$LOCAL_NIDS_RULE_TUNING" = "no" ] ; then +-TEXT="Rules downloaded by Pulledpork are stored in: \n \ +-/etc/nsm/rules/downloaded.rules \n \ +-\n \ +-Local rules can be added to: \n \ +-/etc/nsm/rules/local.rules \n \ +-\n \ +-You can have PulledPork modify the downloaded rules \n \ +-by modifying the files in: \n \ +-/etc/nsm/pulledpork/ \n \ +-\n \ +-Rules will be updated every morning. \n \ +-You can manually update them by running: \n \ +-sudo rule-update \n \ +-\n \ +-Sensors can be tuned by modifying the files in: \n \ +-/etc/nsm/NAME-OF-SENSOR/" +-else +-TEXT="Setup was not able to download rules from the Internet.\n \ +-LOCAL_NIDS_RULE_TUNING has been set to 'yes' in /etc/nsm/securityonion.conf.\n \ +-\n \ +-If you do have Internet access and want to download rules from the Internet,\n \ +-you'll need to change this option to 'no'." +-fi +-fi +-} +- +-function FIN4() { +-TEXT='Please note that the local ufw firewall\ +-has been locked down to only allow connections\ +-to port 22. If you need to connect over any\ +-other port, then run "sudo so-allow".' 
+-} +- +-function FIN5() { +-TEXT='If you have any questions or problems,\ +-please visit our website where you can find\ +-the following links:\ +-FAQ\ +-Wiki\ +-Mailing Lists\ +-IRC channel\ +-and more!\ +-\ +-https://securityonion.net' +-} +- +-function FIN6() { +-TEXT='If you need commercial support or training,\ +-please see:\ +-\ +-https://securityonionsolutions.com' +-} +- +- +-######################################### +-# write collected answers +-######################################### +- +-save() +-{ +- # TODO +- echo "# ANSWERFILE generated by sosetup -w option" > $WRITEANSWERFILE +- echo -n "# Generation date: " >> $WRITEANSWERFILE +- date >> $WRITEANSWERFILE +- echo "# Generated on host $HOSTNAME" >> $WRITEANSWERFILE +- echo "#" >> $WRITEANSWERFILE +- echo "# These fields were computed automatically" >> $WRITEANSWERFILE +- echo "#IP=$IP" >> $WRITEANSWERFILE +- echo "#CORES=$CORES" >> $WRITEANSWERFILE +- echo \#ALL_INTERFACES=$ALL_INTERFACES >> $WRITEANSWERFILE # no quotes to collapse to one line +- echo "#NUM_INTERFACES=$NUM_INTERFACES" >> $WRITEANSWERFILE +- echo "#" >> $WRITEANSWERFILE +- echo "# This field is specific to reading an answer file" >> $WRITEANSWERFILE +- echo "SNIFFING_INTERFACES=$INTERFACES" >> $WRITEANSWERFILE +- echo "#" >> $WRITEANSWERFILE +- echo "# These fields were generated from your answers" >> $WRITEANSWERFILE +- echo "SERVER=$SERVER" >> $WRITEANSWERFILE +- echo "SERVERNAME=$SERVERNAME" >> $WRITEANSWERFILE +- echo "SSH_USERNAME='$SSH_USERNAME'" >> $WRITEANSWERFILE +- echo "SGUIL_SERVER_NAME=$SGUIL_SERVER_NAME" >> $WRITEANSWERFILE +- echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE +- echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE +- echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE +- echo "ELSA=$ELSA" >> $WRITEANSWERFILE +- echo "UPDATE_ELSA_SERVER=$UPDATE_ELSA_SERVER" >> $WRITEANSWERFILE +- echo "LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT" >> $WRITEANSWERFILE +- echo 
"OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE +- echo "SALT=$SALT" >> $WRITEANSWERFILE +- echo "SENSOR=$SENSOR" >> $WRITEANSWERFILE +- echo "BRO_ENABLED=$BRO_ENABLED" >> $WRITEANSWERFILE +- echo "IDS_ENGINE_ENABLED=$IDS_ENGINE_ENABLED" >> $WRITEANSWERFILE +- echo "SNORT_AGENT_ENABLED=$SNORT_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "BARNYARD2_ENABLED=$BARNYARD2_ENABLED" >> $WRITEANSWERFILE +- echo "PCAP_ENABLED=$PCAP_ENABLED" >> $WRITEANSWERFILE +- echo "PCAP_AGENT_ENABLED=$PCAP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "PRADS_ENABLED=$PRADS_ENABLED" >> $WRITEANSWERFILE +- echo "SANCP_AGENT_ENABLED=$SANCP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "PADS_AGENT_ENABLED=$PADS_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "HTTP_AGENT_ENABLED=$HTTP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "ARGUS_ENABLED=$ARGUS_ENABLED" >> $WRITEANSWERFILE +- echo "IDS_RULESET='$IDS_RULESET'" >> $WRITEANSWERFILE +- echo "OINKCODE='$OINKCODE'" >> $WRITEANSWERFILE +- echo "PF_RING_SLOTS=$PF_RING_SLOTS" >> $WRITEANSWERFILE +- echo "IDS_ENGINE=$IDS_ENGINE" >> $WRITEANSWERFILE +- echo "IDS_LB_PROCS=$IDS_LB_PROCS" >> $WRITEANSWERFILE +- echo "BRO_LB_PROCS=$BRO_LB_PROCS" >> $WRITEANSWERFILE +- echo "EXTRACT_FILES=$EXTRACT_FILES" >> $WRITEANSWERFILE +- echo "PCAP_SIZE=$PCAP_SIZE" >> $WRITEANSWERFILE +- echo "PCAP_RING_SIZE=$PCAP_RING_SIZE" >> $WRITEANSWERFILE +- echo "PCAP_OPTIONS='$PCAP_OPTIONS'" >> $WRITEANSWERFILE +- echo "WARN_DISK_USAGE=$WARN_DISK_USAGE" >> $WRITEANSWERFILE +- echo "CRIT_DISK_USAGE=$CRIT_DISK_USAGE" >> $WRITEANSWERFILE +- echo "DAYSTOKEEP=$DAYSTOKEEP" >> $WRITEANSWERFILE +- echo "DAYSTOREPAIR=$DAYSTOREPAIR" >> $WRITEANSWERFILE +-} +- +- +-######################################### +-# Options +-######################################### +- +-usage() +-{ +-cat < Configure using answer file +- -w Create answer file +- -y Configure without prompting +- +-Usage: $0 +-EOF +-} +- +- 
+-######################################### +-# Call functions +-######################################### +- +-# Check to see if the user provided an answer file +-SKIP=0 +-while getopts "hf:yw:" OPTION +-do +- case $OPTION in +- h) +- usage +- exit 0 +- ;; +- f) +- ANSWERFILE="$OPTARG" +- # Verify answer file exists and then read it into memory +- if [ ! -f "$ANSWERFILE" ]; then +- echo "Error accessing $ANSWERFILE" +- exit 1 +- fi +- ;; +- w) +- WRITEANSWERFILE="$OPTARG" +- ;; +- y) +- SKIP=1 +- ;; +- esac +-done +- +-# GUI (Zenity) or CLI? +-# Default to zenity +-OUTPUT="gui" +-# If no X11, then fall back to cli +-[ -z "$DISPLAY" ] && OUTPUT="cli" +-# If user provided an answer file, set to cli +-[ -f "$ANSWERFILE" ] && OUTPUT="cli" +- +-# If the user didn't provide an answer file, then ask them the questions +-if [ ! -f "$ANSWERFILE" ]; then +- if [ "$OUTPUT" = "gui" ] ; then +- ask +- else +- echo +- echo "No X display found." +- echo +- echo "You'll need to either:" +- echo +- echo "- use SSH X-forwarding (ssh -X)" +- echo +- echo "OR" +- echo +- echo "- use an answer file (sudo sosetup -f sosetup.conf)" +- echo +- usage +- exit 0 +- fi +-else +- source "$ANSWERFILE" +- # copy SNIFFING_INTERFACES into INTERFACES +- INTERFACES="$SNIFFING_INTERFACES" +- ADVANCED_SETUP="1" +- if [ $SKIP -ne 1 ];then +- if [ "$ELASTIC" != "YES" ]; then +- echo +- echo "Security Onion Setup" +- echo +- echo "Ready to configure system using parameters in $ANSWERFILE." +- echo +- echo "WARNING! Continuing will destroy any existing data/config." +- echo "Are you sure you want to continue?" +- echo "Type yes to continue or anything else to exit." +- read INPUT +- [ "$INPUT" != "yes" ] && exit 0 +- else +- SETUPCONF=$2 +- fi +- echo +- # If /etc/network/interfaces has not been configured yet, then we need +- # to run sosetup-network and pass it the answerfile +- if ! 
grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1; then +- /usr/sbin/sosetup-network $@ +- fi +- if [ "$ELASTIC" == "YES" ]; then +- /usr/sbin/sosetup-elastic -f $SETUPCONF skipnetwork +- exit $? +- fi +- fi +-fi +- +-# Perform the requested actions, handling output differently for gui vs cli +-if [ "$OUTPUT" = "gui" ]; then +- CONFIGURE_SERVICES | +- zenity --progress --title="$TITLE" --text="Please wait while making changes to the system..." --percentage=0 --auto-close +-else +- echo "Please wait while..." +- CONFIGURE_SERVICES | grep --line-buffered "^#" | sed 's|# Please wait while||g' +-fi +- +-# SERVER_QUEUE will interactively prompt for password +-# so we can't consume stdout +-SERVER_QUEUE +- +-# The next few functions should have no output +-MINION +-MOVELOG +-IP2C +- +-# Final screens +-for i in FIN1 FIN2 FIN3 FIN4 FIN5 FIN6; do +- $i +- if [ "$OUTPUT" = "gui" ]; then +- zenity --info --title="$TITLE" --text="$TEXT" --no-wrap +- else +- echo +- echo "$TEXT" | sed 's|\\n|\n|g' | sed 's|\\||g' +- echo +- fi +-done diff --git a/debian/patches/fix-sosetup-forward.conf b/debian/patches/fix-sosetup-forward.conf new file mode 100644 index 0000000..1d9f23b --- /dev/null +++ b/debian/patches/fix-sosetup-forward.conf 
@@ -0,0 +1,36 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion264) xenial; urgency=medium
+ .
+ * update sosetup-forward.conf
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-setup-20120912.orig/share/securityonion/sosetup-forward.conf
++++ securityonion-setup-20120912/share/securityonion/sosetup-forward.conf
+@@ -90,7 +90,7 @@ SGUIL_CLIENT_PASSWORD_1='asdfasdf'
+ ################################
+ # Elastic Stack
+ ################################
+-ELASTIC='yes'
++ELASTIC='no'
+ 
+ # LOG_SIZE_LIMIT
+ # This setting controls how much disk space Elastic uses.
diff --git a/debian/patches/if-mysql-root-password-not-set,-set-random-password b/debian/patches/if-mysql-root-password-not-set,-set-random-password
new file mode 100644
index 0000000..977ac89
--- /dev/null
+++ b/debian/patches/if-mysql-root-password-not-set,-set-random-password
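Review bot: The DEP-3 header of this new patch still carries the unfilled dpkg template (`TODO: Put a short summary on the line above and replace this paragraph` plus empty `Origin:`, `Bug:`, `Forwarded:`, `Reviewed-By:` and `Last-Update:` fields); the same untouched template heads the if-mysql-root-password-not-set, more-forward-node-fixes, remove-old-stuff and remove-salt-workaround patches added by this commit. The extracted changelog entry already states the intent, so one line such as `Description: default forward nodes to ELASTIC='no' in sosetup-forward.conf` and a filled `Last-Update:` would let `quilt header` and a reader of the series see what each patch does without opening it. The empty template fields can simply be dropped, as the template text itself suggests.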
@@ -0,0 +1,53 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion267) xenial; urgency=medium + . + * if mysql root password not set, set random password +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -1175,9 +1175,24 @@ EOF + innodb_file_per_table + EOF + ++ # Enable MySQL ++ systemctl enable mysql.service >> $LOG 2>&1 ++ ++ # Reset debian.cnf ++ rm /etc/mysql/debian.cnf >> $LOG 2>&1 ++ dpkg-reconfigure --frontend noninteractive mysql-server-5.7 >> $LOG 2>&1 ++ ++ # If root password is blank, set random password ++ if echo "quit" | mysql -uroot 2>/dev/null; then ++ PASSWORD=$(LC_ALL=C /dev/null && service mysql restart >> $LOG 2>&1 ++ #pgrep -lf mysqld >/dev/null && service mysql restart >> $LOG 2>&1 ++ + else ++ + # If we're not a server, we can stop mysql + service mysql stop >> $LOG 2>&1 + diff --git a/debian/patches/more-forward-node-fixes b/debian/patches/more-forward-node-fixes new file mode 100644 index 0000000..813b0a7 --- /dev/null +++ b/debian/patches/more-forward-node-fixes 
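Review bot: The blank-password test `if echo "quit" | mysql -uroot 2>/dev/null; then` is not sufficient evidence that root has no password: on 16.04's mysql-server-5.7 the root account may be set up with the auth_socket plugin, in which case a connection from the root OS user succeeds whatever password is stored, and this branch would then overwrite a password the operator chose; checking that root's row in `mysql.user` uses `mysql_native_password` before entering the branch avoids that (to be confirmed against the packaging in use). The password-generation lines between `PASSWORD=$(LC_ALL=C` and `/dev/null && service mysql restart` are garbled in this rendering, so where the new password is written and whether it reaches `$LOG` or a process command line cannot be reviewed here; whichever form is used should keep the secret out of the log and out of argv. Minor: `rm /etc/mysql/debian.cnf >> $LOG 2>&1` should be `rm -f`, since a missing file is the expected state on a fresh install and otherwise only adds a spurious error to the setup log. The enclosing `if [ $SERVER -eq 1 ]` block begins outside this hunk.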
@@ -0,0 +1,203 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion263) xenial; urgency=medium + . + * more forward node fixes +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -1276,15 +1276,6 @@ if [ "$SERVER" -ne 1 ]; then + echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF + fi + +-if [ "$FORWARD" = "yes" ]; then +- # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. +- if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then +- sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 +- else +- echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF +- fi +-fi +- + ######################################### + # Network Sensor(s) if necessary + ######################################### +@@ -1834,68 +1825,96 @@ EOF + + fi + +-######################################### +-# Configure Elastic +-######################################### +-if [ "$ELASTIC" = "yes" ]; then +- echo "49" +- echo "# Please wait while configuring Elastic..." | tee -a $LOG ++echo "49" ++echo "# Please wait while configuring syslog-ng..." 
| tee -a $LOG + +- # We need to copy a new syslog-ng.conf into place +- SYSLOGNGCONFSRC="/opt/elastic/src/etc/syslog-ng/syslog-ng.conf" +- SYSLOGNGCONFDST="/etc/syslog-ng/syslog-ng.conf" +- +- # Initialize HTTP_LOGS +- HTTP_LOGS="" +- +- # Get a list of sensors from /etc/nsm/sensortab +- SENSORS=$(grep -v "^#" /etc/nsm/sensortab | cut -f 4) +- +- # Determine the number of sensor interfaces +- COUNT=0 +- for token in $SENSORS; do +- COUNT=$((COUNT+1)) +- done ++# We need to copy a new syslog-ng.conf into place ++SYSLOGNGCONFSRC="/opt/elastic/src/etc/syslog-ng/syslog-ng.conf" ++SYSLOGNGCONFDST="/etc/syslog-ng/syslog-ng.conf" ++ ++# Initialize HTTP_LOGS ++HTTP_LOGS="" ++ ++# Get a list of sensors from /etc/nsm/sensortab ++SENSORS=$(grep -v "^#" /etc/nsm/sensortab | cut -f 4) ++ ++# Determine the number of sensor interfaces ++COUNT=0 ++for token in $SENSORS; do ++ COUNT=$((COUNT+1)) ++done + +- # If master server only, copy syslog-ng.conf into place +- if [ $COUNT -eq 0 ]; then ++# If master server only, copy syslog-ng.conf into place ++if [ $COUNT -eq 0 ]; then ++ cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST ++fi ++ ++# If single sensor interface, we need to determine if Bro is running in standalone mode or cluster mode ++if [ $COUNT -eq 1 ]; then ++ if grep "type=standalone" /opt/bro/etc/node.cfg > /dev/null; then ++ echo "* Leaving syslog-ng.conf bro_http entry unmolested." 
>> $LOG 2>&1 + cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST ++ else ++ echo "* Altering syslog-ng.conf bro_http entry for single interface cluster-mode" >> $LOG 2>&1 ++ # Pull the interface bro is listening for from node.cfg ++ BRO_IFACE=$(grep "interface=" /opt/bro/etc/node.cfg | cut -d'=' -f2) ++ # Alter syslog-ng.conf's entry for http ++ sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|\tfile(\"/nsm/bro/logs/current/http_$BRO_IFACE.log\" flags(no-parse) program_override(\"bro_http\"));\n|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST + fi ++fi + +- # If single sensor interface, we need to determine if Bro is running in standalone mode or cluster mode +- if [ $COUNT -eq 1 ]; then +- if grep "type=standalone" /opt/bro/etc/node.cfg > /dev/null; then +- echo "* Leaving syslog-ng.conf bro_http entry unmolested." >> $LOG 2>&1 +- cp $SYSLOGNGCONFSRC $SYSLOGNGCONFDST +- else +- echo "* Altering syslog-ng.conf bro_http entry for single interface cluster-mode" >> $LOG 2>&1 +- # Pull the interface bro is listening for from node.cfg +- BRO_IFACE=$(grep "interface=" /opt/bro/etc/node.cfg | cut -d'=' -f2) +- # Alter syslog-ng.conf's entry for http +- sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|\tfile(\"/nsm/bro/logs/current/http_$BRO_IFACE.log\" flags(no-parse) program_override(\"bro_http\"));\n|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST +- fi +- fi ++# If multiple sensor interfaces, Bro must be running in cluster mode and we need to watch multiple http logs ++if [ $COUNT -gt 1 ]; then ++ echo "* Altering syslog-ng.conf bro_http entries for multiple interfaces" >> $LOG 2>&1 ++ for i in $SENSORS; do ++ HTTP_LOGS=$HTTP_LOGS"\tfile(\"/nsm/bro/logs/current/http_$i.log\" flags(no-parse) program_override(\"bro_http\"));\n" ++ done ++ sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST ++fi + +- # If multiple sensor interfaces, Bro must be running in cluster mode and we need to watch multiple http logs +- if [ $COUNT -gt 1 ]; then +- 
echo "* Altering syslog-ng.conf bro_http entries for multiple interfaces" >> $LOG 2>&1 +- for i in $SENSORS; do +- HTTP_LOGS=$HTTP_LOGS"\tfile(\"/nsm/bro/logs/current/http_$i.log\" flags(no-parse) program_override(\"bro_http\"));\n" +- done +- sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST ++echo "* Restarting syslog-ng" >> $LOG 2>&1 ++service syslog-ng restart >> $LOG 2>&1 ++ ++# Forward Nodes now have ELASTIC="no", so we need to do some of that config here ++if [ "$FORWARD" = "yes" ]; then ++ ++ # Configure syslog-ng to forward over autossh ++ /usr/sbin/so-elastic-configure-syslog-ng >> $LOG 2>&1 ++ ++ # Configure Bro to log in JSON ++ /usr/sbin/so-elastic-configure-bro >> $LOG 2>&1 ++ ++ # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. ++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF + fi ++fi + +- echo "* Restarting syslog-ng" >> $LOG 2>&1 +- service syslog-ng restart >> $LOG 2>&1 ++if [ $SERVER -ne 1 ]; then ++ echo "60" ++ echo "# Please wait while stopping Apache web server..." | tee -a $LOG ++ service apache2 stop >> $LOG 2>&1 ++ ++ echo "65" ++ echo "# Please wait while stopping and disabling MySQL..." | tee -a $LOG ++ service mysql stop >> $LOG 2>&1 ++ echo "manual" > /etc/init/mysql.override ++fi + ++######################################### ++# Configure Elastic ++######################################### ++if [ "$ELASTIC" = "yes" ]; then ++ echo "75" ++ echo "# Please wait while configuring Elastic..." | tee -a $LOG + if ! dpkg -L docker-ce >/dev/null 2>&1; then + echo "50" + echo "# Please wait while downloading Elastic components..." | tee -a $LOG + /usr/sbin/so-elastic-download >> $LOG 2>&1 + fi + +- echo "75" +- echo "# Please wait while configuring Elastic..." 
| tee -a $LOG + if ! grep -q LOG_SIZE_LIMIT $CONF; then + cat << EOF >> $CONF + +@@ -1931,15 +1950,6 @@ EOF + /usr/sbin/so-elastic-configure >> $LOG 2>&1 + + if [ $SERVER -ne 1 ]; then +- echo "85" +- echo "# Please wait while stopping Apache web server..." | tee -a $LOG +- service apache2 stop >> $LOG 2>&1 +- +- echo "93" +- echo "# Please wait while stopping and disabling MySQL..." | tee -a $LOG +- service mysql stop >> $LOG 2>&1 +- echo "manual" > /etc/init/mysql.override +- + echo "95" + echo "# Please wait while performing final node configuration..." | tee -a $LOG + diff --git a/debian/patches/remove-old-stuff b/debian/patches/remove-old-stuff new file mode 100644 index 0000000..204316a --- /dev/null +++ b/debian/patches/remove-old-stuff 
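Review bot: `echo "manual" > /etc/init/mysql.override` in the new `if [ $SERVER -ne 1 ]` block is an upstart-style override, while the if-mysql-root-password patch in this same series manages the service with `systemctl enable mysql.service`; on a host where systemd owns the unit, the override file does not keep MySQL from starting at boot, so the disable is ineffective on the non-server nodes it targets (the old copy of this block, removed in the second nested hunk, had the same issue, so the move does not change behaviour). `systemctl disable mysql.service >> $LOG 2>&1` next to the `service mysql stop` would be consistent with the rest of the series. Separately, the progress stream now emits `echo "75"` before the Elastic block and then `echo "50"` inside the docker-ce download branch, so the zenity progress bar driven by `CONFIGURE_SERVICES` steps backwards; the download step should be renumbered above 75. The enclosing `if [ "$ELASTIC" = "yes" ]` block continues past the end of the first nested hunk.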
@@ -0,0 +1,114 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion253) xenial; urgency=medium + . + * remove old stuff +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -89,18 +89,12 @@ BRO_LB_PROCS_CONFIRM="- Run a single Bro + BRO_ENABLED="yes" + OSSEC_AGENT_ENABLED="yes" + OSSEC_AGENT_LEVEL=5 +-XPLICO_ENABLED="no" + # /etc/nsm/HOSTNAME-INTERFACE/sensor.conf services enabled by default + PCAP_ENABLED="yes" + PCAP_AGENT_ENABLED="yes" + SNORT_AGENT_ENABLED="yes" + IDS_ENGINE_ENABLED="yes" + BARNYARD2_ENABLED="yes" +-PRADS_ENABLED="no" +-SANCP_AGENT_ENABLED="no" +-PADS_AGENT_ENABLED="no" +-ARGUS_ENABLED="no" +-HTTP_AGENT_ENABLED="no" + # Salt is disabled by default + SALT="no" + # Number of days to keep in Sguil database +@@ -500,7 +494,7 @@ if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVE + # Ask for DAYSTOKEEP + DAYSTOKEEP_CONFIRMED="no" + while [ $DAYSTOKEEP_CONFIRMED = "no" ]; do +- DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of data do you want to keep in your Sguil database?\n\nThis includes things like IDS alerts, PADS events, and PRADS session data.\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." 
--entry-text=30` ++ DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of alerts do you want to keep in your Sguil database?\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30` + [ $? = 1 ] && exit 1 + COMPRESSED="$(echo $DAYSTOKEEP | sed -e 's/[^[:digit:]]//g')" + if [ "$COMPRESSED" != "$DAYSTOKEEP" ] || [ x$DAYSTOKEEP = "x" ]; then +@@ -1150,7 +1144,6 @@ mkdir -p /etc/mysql/conf.d/ + + # https://code.google.com/p/security-onion/issues/detail?id=416 + # sguild may try to open lots of files +-# (especially if you are sending prads session data into the sancp table) + # so increase open_files_limit on master server + if [ $SERVER -eq 1 ]; then + cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf +@@ -1337,7 +1330,7 @@ for INTERFACE in $ALL_INTERFACES; do + + # Create symbolic links for individual bpf-*.conf files pointing to the sensor bpf.conf (which points to the GLOBAL bpf.conf) + cd /etc/nsm/"$SENSORNAME" +- for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf bpf-prads.conf ++ for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf + do + ln -s bpf.conf $FILENAME >> $LOG 2>&1 + done +@@ -1353,11 +1346,6 @@ for INTERFACE in $ALL_INTERFACES; do + echo "SNORT_AGENT_ENABLED=\"$SNORT_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf + echo "IDS_ENGINE_ENABLED=\"$IDS_ENGINE_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf + echo "BARNYARD2_ENABLED=\"$BARNYARD2_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PRADS_ENABLED=\"$PRADS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "SANCP_AGENT_ENABLED=\"$SANCP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "PADS_AGENT_ENABLED=\"$PADS_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "ARGUS_ENABLED=\"$ARGUS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf +- echo "HTTP_AGENT_ENABLED=\"$HTTP_AGENT_ENABLED\"" >> 
/etc/nsm/"$SENSORNAME"/sensor.conf + + # Create symbolic link for sensor rules directory on server + # Since a user may have as many Snort/Suricata instances as they have CPU cores, +@@ -1531,9 +1519,6 @@ OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED + # OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. + OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL + +-# Do you want to run Xplico? yes/no +-XPLICO_ENABLED=$XPLICO_ENABLED +- + # LOCAL_HIDS_RULE_TUNING + # If set to no (default), this node will copy OSSEC rules from master server as-is (no changes). + # If set to yes, this node will keep its own copy of the OSSEC rules. +@@ -2190,7 +2175,6 @@ save() + echo "SGUIL_SERVER_NAME=$SGUIL_SERVER_NAME" >> $WRITEANSWERFILE + echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE + echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE +- echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE + echo "OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >> $WRITEANSWERFILE + echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE + echo "SALT=$SALT" >> $WRITEANSWERFILE +@@ -2201,11 +2185,6 @@ save() + echo "BARNYARD2_ENABLED=$BARNYARD2_ENABLED" >> $WRITEANSWERFILE + echo "PCAP_ENABLED=$PCAP_ENABLED" >> $WRITEANSWERFILE + echo "PCAP_AGENT_ENABLED=$PCAP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "PRADS_ENABLED=$PRADS_ENABLED" >> $WRITEANSWERFILE +- echo "SANCP_AGENT_ENABLED=$SANCP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "PADS_AGENT_ENABLED=$PADS_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "HTTP_AGENT_ENABLED=$HTTP_AGENT_ENABLED" >> $WRITEANSWERFILE +- echo "ARGUS_ENABLED=$ARGUS_ENABLED" >> $WRITEANSWERFILE + echo "IDS_RULESET='$IDS_RULESET'" >> $WRITEANSWERFILE + echo "OINKCODE='$OINKCODE'" >> $WRITEANSWERFILE + echo "PF_RING_SLOTS=$PF_RING_SLOTS" >> $WRITEANSWERFILE 
diff --git a/debian/patches/remove-salt-workaround-and-fix-in-onionsalt-package-instead b/debian/patches/remove-salt-workaround-and-fix-in-onionsalt-package-instead
new file mode 100644
index 0000000..96d94fe
--- /dev/null
+++ b/debian/patches/remove-salt-workaround-and-fix-in-onionsalt-package-instead
@@ -0,0 +1,46 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion259) xenial; urgency=medium
+ .
+ * remove salt workaround and fix in onionsalt package instead
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-setup-20120912.orig/bin/sosetup
++++ securityonion-setup-20120912/bin/sosetup
+@@ -1719,18 +1719,11 @@ if dpkg -l |grep "securityonion-onionsal
+ echo " '$FQDN':" >> $TOPSLS
+ echo " - backend" >> $TOPSLS
+ echo "" >> $TOPSLS
+- # Workaround bug in 16.04 salt package
+- if ! grep "^file_ignore_glob:" /etc/salt/master >/dev/null 2>&1; then
+- sed -i '/# file_ignore_glob:/a file_ignore_glob: []' /etc/salt/master
+- fi
+ # If salt-master is DISABLED we need to enable it
+ [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
+ [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override
+ # Start salt-master
+ service salt-master restart >> $LOG 2>&1
+- # We no longer open the salt port by default
+- # This is now done when the sensor runs Setup
+- #ufw allow salt >> $LOG 2>&1
+ else
+ # If this box is not a Master we need to disable salt-master
+ # Stop salt-master
diff --git a/debian/patches/series b/debian/patches/series
index 513466e..3a9899e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
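Review bot: The DEP3 header of this new patch file still carries the unfilled template (`TODO: Put a short summary on the line above...` and empty `Origin:`/`Bug:`/`Last-Update:` fields); the same applies to set-timezone-using-timedatectl, streamline-setup, update-etcsaltminion_id, update-sosetup-conf-files-to-new-ethernet-device-naming-convention and workaround-bug-in-16.04-salt-package. A one-line `Description: Drop the file_ignore_glob workaround in sosetup; the fix now lives in the onionsalt package` plus `Last-Update: <YYYY-MM-DD>` would let `quilt header` and `dpkg-source` readers see the intent without opening the hunk, and the template paragraph should go. This patch also exactly reverts workaround-bug-in-16.04-salt-package, which series applies immediately before it, so the two cancel out and keeping both only lengthens the patch stack; dropping both from series is equivalent.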
@@ -238,3 +238,19 @@ Issue-1163:-Setup:-disable-Xplico-when-choosing-Evaluation-Mode
 merge-pr-32
 default-to-Elastic
 update-sosetup.conf
+fix-references-to-restart
+remove-old-stuff
+add-back
+enable-systemd-script-and-move-so-allow-scripts-to-this-package
+set-timezone-using-timedatectl
+update-etcsaltminion_id
+workaround-bug-in-16.04-salt-package
+remove-salt-workaround-and-fix-in-onionsalt-package-instead
+control-salt-with-systemd
+update-sosetup-conf-files-to-new-ethernet-device-naming-convention
+fix-custom-forward-node-and-Elastic-prompt
+more-forward-node-fixes
+fix-sosetup-forward.conf
+streamline-setup
+avoid-duplicating-OSSEC_AGENT_ENABLED-in-securityonion.conf
+if-mysql-root-password-not-set,-set-random-password
diff --git a/debian/patches/set-timezone-using-timedatectl b/debian/patches/set-timezone-using-timedatectl
new file mode 100644
index 0000000..4470a2a
--- /dev/null
+++ b/debian/patches/set-timezone-using-timedatectl
@@ -0,0 +1,55 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion256) xenial; urgency=medium
+ .
+ * set timezone using timedatectl
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-setup-20120912.orig/bin/sosetup
++++ securityonion-setup-20120912/bin/sosetup
+@@ -1083,8 +1083,10 @@ mkdir -p /var/log/nsm/
+ #########################################
+ echo "2"
+ echo "# Please wait while setting OS timezone to UTC..."
| tee -a $LOG
+-echo "Etc/UTC" > /etc/timezone
+-dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1
++#echo "Etc/UTC" > /etc/timezone
++#dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1
++# Need to use timedatectl for Ubuntu 16.04 Server
++timedatectl set-timezone Etc/UTC >> $LOG 2>&1
+ date >> $LOG 2>&1
+
+ echo "4"
+--- securityonion-setup-20120912.orig/bin/sosetup-network
++++ securityonion-setup-20120912/bin/sosetup-network
+@@ -454,8 +454,10 @@ done
+
+ function SET_UTC() {
+
+-echo "Etc/UTC" > /etc/timezone
+-dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1
++#echo "Etc/UTC" > /etc/timezone
++#dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1
++# Need to use timedatectl for Ubuntu 16.04 Server
++timedatectl set-timezone Etc/UTC >> $LOG 2>&1
+ cp /etc/localtime /var/ossec/etc/localtime
+ chown root:ossec /var/ossec/etc/localtime
+
diff --git a/debian/patches/streamline-setup b/debian/patches/streamline-setup
new file mode 100644
index 0000000..258a00b
--- /dev/null
+++ b/debian/patches/streamline-setup
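Review bot: `timedatectl set-timezone Etc/UTC >> $LOG 2>&1`, added both in sosetup (around line 1089) and in `SET_UTC()` in sosetup-network, can fail without anyone noticing: timedatectl asks systemd-timedated over D-Bus, so in a chroot, a container or a boot where dbus is not up it returns non-zero and the zone stays as it was, whereas the `dpkg-reconfigure tzdata` path it replaces needed no running daemon. With stdout and stderr both sent to the log, a status check is the only thing that surfaces this: `timedatectl set-timezone Etc/UTC >> $LOG 2>&1 || echo "* WARNING: timedatectl could not set the timezone" >> $LOG`. Whether /etc/timezone is still refreshed for tools that read that file directly cannot be told from the hunk; it is worth confirming on a 16.04 host before the commented-out lines are deleted for good. Both enclosing blocks continue outside the hunk.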
@@ -0,0 +1,266 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion265) xenial; urgency=medium + . + * streamline setup +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/bin/sosetup ++++ securityonion-setup-20120912/bin/sosetup +@@ -1119,62 +1119,69 @@ systemctl enable securityonion.service > + ######################################### + echo "8" + echo "# Please wait while stopping services..." | tee -a $LOG ++ + # Stop Elasticsearch and all other processes + so-stop >> $LOG 2>&1 + pkill suricata + pkill snort + pkill autossh ++ + # Delete any Elasticsearch or Logstash data + rm -rf /nsm/elasticsearch/nodes + rm -rf /nsm/logstash/queue/main/* + rm -f /etc/elasticsearch/elasticsearch.yml ++ + # Make sure MySQL is running so that we can fully delete the NSM databases + [ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1 ++ + # Uncomment any disabled sensors so that we can fully delete them + sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB + sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB ++ + # Delete all nsm configuration and data + /usr/sbin/nsm_all_del_quick >> $LOG 2>&1 + + # Delete any existing ELSA databases. 
+-if [ "$ELASTIC" = "yes" ]; then +- if [ -d /var/lib/mysql/elsa_web/ ]; then +- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 +- fi +- if [ -d /var/lib/mysql/syslog/ ]; then +- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 +- fi +- if [ -d /var/lib/mysql/syslog_data/ ]; then +- mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 +- fi ++if [ -d /var/lib/mysql/elsa_web/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 ++fi ++if [ -d /var/lib/mysql/syslog/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 ++fi ++if [ -d /var/lib/mysql/syslog_data/ ]; then ++ mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 + fi + + ######################################### +-# MySQL tuning ++# MySQL + ######################################### ++if [ $SERVER -eq 1 ]; then + +-# Make changes in /etc/mysql/conf.d/ +-mkdir -p /etc/mysql/conf.d/ ++ # Make changes in /etc/mysql/conf.d/ ++ mkdir -p /etc/mysql/conf.d/ + +-# https://code.google.com/p/security-onion/issues/detail?id=416 +-# sguild may try to open lots of files +-# so increase open_files_limit on master server +-if [ $SERVER -eq 1 ]; then ++ # https://code.google.com/p/security-onion/issues/detail?id=416 ++ # sguild may try to open lots of files ++ # so increase open_files_limit on master server + cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf + [mysqld] + open_files_limit = 90000 + EOF +-fi + +-# https://code.google.com/p/security-onion/issues/detail?id=388 +-# http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql +-cat << EOF > /etc/mysql/conf.d/securityonion-ibdata1.cnf ++ # https://code.google.com/p/security-onion/issues/detail?id=388 ++ # http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql ++ cat << EOF > 
/etc/mysql/conf.d/securityonion-ibdata1.cnf + [mysqld] + innodb_file_per_table + EOF + +-# Restart mysql to make changes take effect +-pgrep -lf mysqld >/dev/null && service mysql restart >> $LOG 2>&1 ++ # Restart mysql to make changes take effect ++ pgrep -lf mysqld >/dev/null && service mysql restart >> $LOG 2>&1 ++else ++ # If we're not a server, we can stop mysql ++ service mysql stop >> $LOG 2>&1 ++ ++fi + + ######################################### + # PF_RING +@@ -1206,8 +1213,8 @@ pkill -f ossec_agent + # Add the Sguil server if necessary + ######################################### + if [ $SERVER -eq 1 ]; then +- # If this box was previously a slave, we need to remove securityonion_ssh.conf +- rm -f /root/.ssh/securityonion_ssh.conf ++ # If this box was previously a slave, we need to remove $SSH_CONF ++ rm -f $SSH_CONF + echo "10" + echo "# Please wait while creating the Sguil server..." | tee -a $LOG + /usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1 +@@ -1457,13 +1464,6 @@ EOF + fi + done + +- # Bro 2.2 should support PF_RING on multiple interfaces properly now, so comment this out. 
+- # If monitoring more than one interface, disable PF_RING: +- # http://securityonion.blogspot.com/2013/02/important-note-for-those-monitoring.html +- #if [ `echo $INTERFACES | wc -w` -gt 1 ]; then +- # sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg +- # sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg +- #fi + fi + # Finished with node.cfg + # Now update networks.cfg +@@ -1494,6 +1494,8 @@ EOF + sed -i 's|^@load file-extraction|#@load file-extraction|g' /opt/bro/share/bro/site/local.bro + fi + ++ # Configure Bro to log in JSON ++ /usr/sbin/so-elastic-configure-bro >> $LOG 2>&1 + fi + + fi +@@ -1648,17 +1650,17 @@ fi + ######################################### + # Apache configuration + ######################################### +-SSH_DIR="/root/.ssh" +-SSH_CONF="$SSH_DIR/securityonion_ssh.conf" + echo "35" + if [ -f $SSH_CONF ]; then + # We are a SENSOR + echo "# Please wait while stopping and disabling Apache..." | tee -a $LOG ++ + # Sensors don't need the Apache web server, so stop and disable it + service apache2 stop >> $LOG 2>&1 + update-rc.d -f apache2 disable >> $LOG 2>&1 + else + # We are the MASTER ++ echo "# Please wait while configuring and restarting Apache..." | tee -a $LOG + + # Make sure that the Apache web server is enabled + update-rc.d -f apache2 enable >> $LOG 2>&1 +@@ -1756,13 +1758,24 @@ EOF + fi + + ######################################### ++# Forward Node AutoSSH ++######################################### ++if [ "$FORWARD" = "yes" ]; then ++ # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. 
++ if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then ++ sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 ++ else ++ echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF ++ fi ++fi ++ ++######################################### + # Start securityonion services + ######################################### + # disable the snorby output in all barnyard config files + sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf >> $LOG 2>&1 + echo "45" + echo "# Please wait while starting all Security Onion services..." | tee -a $LOG +-/usr/sbin/so-autossh-start >> $LOG 2>&1 + /usr/sbin/so-start >> $LOG 2>&1 + sleep 10s + +@@ -1825,6 +1838,9 @@ EOF + + fi + ++######################################### ++# syslog-ng ++######################################### + echo "49" + echo "# Please wait while configuring syslog-ng..." | tee -a $LOG + +@@ -1872,49 +1888,22 @@ if [ $COUNT -gt 1 ]; then + sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|" $SYSLOGNGCONFSRC > $SYSLOGNGCONFDST + fi + +-echo "* Restarting syslog-ng" >> $LOG 2>&1 +-service syslog-ng restart >> $LOG 2>&1 +- +-# Forward Nodes now have ELASTIC="no", so we need to do some of that config here +-if [ "$FORWARD" = "yes" ]; then +- +- # Configure syslog-ng to forward over autossh +- /usr/sbin/so-elastic-configure-syslog-ng >> $LOG 2>&1 +- +- # Configure Bro to log in JSON +- /usr/sbin/so-elastic-configure-bro >> $LOG 2>&1 +- +- # If AUTOSSH_OPTIONS is already in SSH_CONF, remove it and replace it with new value. 
+- if grep "AUTOSSH_OPTIONS=" $SSH_CONF >/dev/null 2>&1; then +- sed -i 's/AUTOSSH_OPTIONS.*/AUTOSSH_OPTIONS="-L 6050:localhost:6050"/' $SSH_CONF >> $LOG 2>&1 +- else +- echo 'AUTOSSH_OPTIONS="-L 6050:localhost:6050"' >> $SSH_CONF +- fi +-fi +- +-if [ $SERVER -ne 1 ]; then +- echo "60" +- echo "# Please wait while stopping Apache web server..." | tee -a $LOG +- service apache2 stop >> $LOG 2>&1 +- +- echo "65" +- echo "# Please wait while stopping and disabling MySQL..." | tee -a $LOG +- service mysql stop >> $LOG 2>&1 +- echo "manual" > /etc/init/mysql.override +-fi ++/usr/sbin/so-elastic-configure-syslog-ng >> $LOG 2>&1 + + ######################################### +-# Configure Elastic ++# Elastic + ######################################### + if [ "$ELASTIC" = "yes" ]; then +- echo "75" +- echo "# Please wait while configuring Elastic..." | tee -a $LOG ++ + if ! dpkg -L docker-ce >/dev/null 2>&1; then + echo "50" + echo "# Please wait while downloading Elastic components..." | tee -a $LOG + /usr/sbin/so-elastic-download >> $LOG 2>&1 + fi + ++ echo "75" ++ echo "# Please wait while configuring Elastic..." | tee -a $LOG ++ + if ! grep -q LOG_SIZE_LIMIT $CONF; then + cat << EOF >> $CONF + diff --git a/debian/patches/update-etcsaltminion_id b/debian/patches/update-etcsaltminion_id new file mode 100644 index 0000000..6a38723 --- /dev/null +++ b/debian/patches/update-etcsaltminion_id 
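Review bot: `rm -f $SSH_CONF` (line 1216) and `if [ -f $SSH_CONF ]` (line 1653) now rely on `SSH_CONF` being set earlier, yet the only definition in view is the `SSH_DIR=`/`SSH_CONF=` pair this patch removes at line 1651; unless it was moved above line 1216 in a hunk not shown here, `[ -f $SSH_CONF ]` expands to `[ -f ]`, which is true (a one-argument test on the non-empty string `-f`), so the master would take the SENSOR branch and stop and disable Apache. Quoting and asserting the variable closes that regardless of where it is defined: `if [ -f "${SSH_CONF:?SSH_CONF is not set}" ]; then`, and likewise `rm -f -- "${SSH_CONF:?}"`; the unquoted `$SSH_CONF` in the new Forward Node `grep`/`sed` lines deserve the same treatment. Separately, the new non-server `else` branch only runs `service mysql stop`, while the block it replaces at line 1897 also wrote `echo "manual" > /etc/init/mysql.override`, so unless another hunk masks the unit, MySQL returns on a sensor's next boot. The script is shown only in fragments here, so both points are conditional on what the surrounding hunks do.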
@@ -0,0 +1,35 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion257) xenial; urgency=medium
+ .
+ * update /etc/salt/minion_id
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-setup-20120912.orig/bin/sosetup
++++ securityonion-setup-20120912/bin/sosetup
+@@ -1746,6 +1746,7 @@ EOF
+ # All boxes run salt-minion
+ # Configure minion
+ echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf
++ echo "$FQDN" > /etc/salt/minion_id
+ # If salt-minion is DISABLED, enable it
+ [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
+ [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override
diff --git a/debian/patches/update-sosetup-conf-files-to-new-ethernet-device-naming-convention b/debian/patches/update-sosetup-conf-files-to-new-ethernet-device-naming-convention
new file mode 100644
index 0000000..47eded6
--- /dev/null
+++ b/debian/patches/update-sosetup-conf-files-to-new-ethernet-device-naming-convention
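Review bot: `echo "$FQDN" > /etc/salt/minion_id` writes the file unconditionally, so an empty `FQDN` leaves an empty minion_id; salt then, as far as I recall, derives an id from the hostname instead, which need not match the `'$FQDN':` key the master writes into top.sls, and the minion quietly receives no states. A guard keeps the two in step: `[ -n "$FQDN" ] && echo "$FQDN" > /etc/salt/minion_id`. A short comment such as `# must match the top.sls key written on the master` would also make the coupling visible to the next editor. The enclosing block starts and ends outside the hunk.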
@@ -0,0 +1,450 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-setup (20120912-0ubuntu0securityonion261) xenial; urgency=medium + . + * update sosetup conf files to new eth device naming convention +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-setup-20120912.orig/share/securityonion/sosetup-elsa.conf ++++ /dev/null +@@ -1,330 +0,0 @@ +-################################ +-# sosetup.conf +-################################ +-# +-# Please note this file is intended for sosetup-elsa! +-# Please also note that ELSA will reach EOL soon! +-# +-# This file can be used to automate sosetup. +-# +-# Copy this example file to your home directory: +-# cp /usr/share/securityonion/sosetup.conf ~ +-# +-# Edit your new sosetup.conf: +-# nano ~/sosetup.conf +-# +-# Run Setup with the -f switch and the path to this file: +-# sudo sosetup -f ~/sosetup.conf +- +-################################ +-# Management Interface +-################################ +-# MGMT_INTERFACE +-# Which network interface should be the management interface? +-# The management interface has an IP address and is NOT used for sniffing. +-# We recommend that you always make this eth0 if possible for consistency. +-MGMT_INTERFACE='eth0' +- +-# MGMT_CONFIG_TYPE +-# Should the management interface be configured using DHCP or static IP? 
+-# We recommend using static IP whenever possible. +-# MGMT_CONFIG_TYPE='static' +-MGMT_CONFIG_TYPE='DHCP' +- +-# If MGMT_CONFIG_TYPE=static, then provide the details here: +-ADDRESS='192.168.244.3' +-NETMASK='255.255.255.0' +-GATEWAY='192.168.244.1' +-NAMESERVER='192.168.244.2 192.168.244.3' +-DOMAIN='example.com' +- +-################################ +-# Sniffing interface(s) +-################################ +-# Which interface(s) will be sniffing network traffic? +-# For multiple interfaces, please separate them with spaces. +-# For example: +-# SNIFFING_INTERFACES='eth1 eth2' +-SNIFFING_INTERFACES='eth1' +- +-################################ +-# Master Server +-################################ +- +-# SERVER +-# If set to 1, then this box will be a Master server: +-# SERVER=1 +-# If set to 0, then this box will connect to a separate Master server: +-# SERVER=0 +-SERVER=1 +- +-# SERVERNAME +-# If SERVER=1, then this should be 'localhost': +-# SERVERNAME='localhost' +-# If SERVER=0, then this should be the name/IP of the separate Master server: +-# SERVERNAME='sguilserver.example.com' +-SERVERNAME='localhost' +- +-# SSH_USERNAME +-# If SERVER=0, then this should be the name of an +-# account on the separate Master server that has sudo privileges. +-# sudo privileges can be revoked after sosetup is complete. +-# SSH_USERNAME='sensor1' +-SSH_USERNAME='' +- +-# SGUIL_SERVER_NAME +-# If SERVER=1, then this is the name of the Sguil server we'll create. +-# You probably shouldn't change this value. +-SGUIL_SERVER_NAME='securityonion' +- +-# SGUIL_CLIENT_USERNAME +-# If SERVER=1, then this is the username that we'll create +-# for Sguil/Squert/ELSA. +-# Please use alphanumeric characters only! +-SGUIL_CLIENT_USERNAME='onionuser' +- +-# SGUIL_CLIENT_PASSWORD_1 +-# If SERVER=1, then this is the password that we'll create +-# for Sguil/Squert/ELSA. +-# If you set a password here, you may want to change it later and/or +-# shred this file. 
+-SGUIL_CLIENT_PASSWORD_1='asdfasdf' +- +-################################ +-# ELSA +-################################ +-# ELSA +-# If set to YES, then this box will run ELSA components: +-# ELSA=YES +-# If set to NO, then this box will not run ELSA components: +-# ELSA=NO +-# If you want to run ELSA, then you should enable this setting on every box in your deployment. +-ELSA=YES +- +-# UPDATE_ELSA_SERVER +-# If SERVER=0, then the server's elsa_web.conf will need +-# to be updated and Apache restarted for it to recognize +-# this new ELSA node. Restarting Apache will interrupt +-# any running ELSA queries. +-# To automatically update the server's elsa_web.conf and +-# restart Apache, set this option to 'YES': +-# UPDATE_ELSA_SERVER='YES' +-# If you'd rather update the server's elsa_web.conf yourself +-# and manually restart Apache, set this option to 'NO': +-# UPDATE_ELSA_SERVER='NO' +-UPDATE_ELSA_SERVER='YES' +- +-# LOG_SIZE_LIMIT +-# This setting controls how much disk space ELSA uses. +-# 10TB = 10000000000000 +-# LOG_SIZE_LIMIT='10000000000000' +-# 1TB = 1000000000000 +-# LOG_SIZE_LIMIT='1000000000000' +-# 100GB = 100000000000 +-# LOG_SIZE_LIMIT='100000000000' +-# 10GB = 10000000000 +-LOG_SIZE_LIMIT='10000000000' +- +-################################ +-# Enable/disable services +-################################ +- +-# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database. +-# Do you want to run the OSSEC Agent? yes/no +-OSSEC_AGENT_ENABLED='yes' +- +-# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. +-OSSEC_AGENT_LEVEL='5' +- +-# Salt allows you to manage your entire Security Onion deployment +-# as one cohesive whole. It provides configuration management +-# and remote code execution. +-# Do you want to enable Salt? 
yes/no +-SALT='yes' +- +-################################ +-# Sensor components +-################################ +-# SENSOR +-# If set to 1, then this box will run sensor components and sniff ethernet interfaces: +-# SENSOR=1 +-# If set to 0, then this box will not run sensor components: +-# SENSOR=0 +-SENSOR=1 +- +-################################ +-# Enable/disable sensor services +-################################ +-# If SENSOR=0, then no sensor services will run. +-# If SENSOR=1, then the following services can be enabled/disabled. +- +-# BRO_ENABLED +-# Do you want to run Bro? yes/no +-BRO_ENABLED='yes' +- +-# IDS_ENGINE_ENABLED +-# Do you want to run an IDS engine (Snort/Suricata)? yes/no +-IDS_ENGINE_ENABLED='yes' +- +-# SNORT_AGENT_ENABLED +-# Do you want to run the Snort agent? yes/no +-# The Snort agent sends Snort IDS alerts to the Sguil database. +-SNORT_AGENT_ENABLED='yes' +- +-# BARNYARD2_ENABLED +-# Do you want to run Barnyard2? yes/no +-# Barnyard2 sends IDS alerts from Snort/Suricata to +-# Sguil's Snort agent and syslog (ELSA). +-BARNYARD2_ENABLED='yes' +- +-# PCAP_ENABLED +-# Do you want to run full packet capture? yes/no +-PCAP_ENABLED='yes' +- +-# PCAP_AGENT_ENABLED +-# Do you want to run Sguil's pcap_agent? yes/no +-# The pcap_agent allows Sguil to access the pcap store. +-PCAP_AGENT_ENABLED='yes' +- +-# PRADS_ENABLED +-# Do you want to run Prads? yes/no +-# Prads writes session data and asset data. +-# Bro provides the same data types plus more, so most +-# folks don't run Prads. +-PRADS_ENABLED='no' +- +-# SANCP_AGENT_ENABLED +-# Do you want to run the sancp_agent? yes/no +-# sancp_agent sends session data from Prads to Sguil. +-SANCP_AGENT_ENABLED='no' +- +-# PADS_AGENT_ENABLED +-# Do you want to run the pads_agent? yes/no +-# pads_agent sends asset data from Prads to Sguil. +-PADS_AGENT_ENABLED='no' +- +-# HTTP_AGENT_ENABLED +-# Do you want to run the http_agent? yes/no +-# http_agent sends http logs from Bro to Sguil. 
+-# If you're running ELSA, then you probably want to disable this. +-HTTP_AGENT_ENABLED='no' +- +-# ARGUS_ENABLED +-# Do you want to run Argus? yes/no +-# Argus writes session data, also provided by Bro and Prads. +-# Most folks don't run Argus. +-ARGUS_ENABLED='no' +- +-################################ +-# Rules +-################################ +- +-# IDS_RULESET +-# This setting is only necessary on a master server. +-# Sensors automatically inherit ruleset from the master server. +-# Which IDS ruleset would you like to use? +-# Emerging Threats Open (no oinkcode required): +-# ETOPEN +-# Emerging Threats PRO (requires ETPRO oinkcode): +-# ETPRO +-# Sourcefire Talos (requires Talos oinkcode): +-# TALOS +-# TALOS and ET (requires TALOS oinkcode): +-# TALOSET +-IDS_RULESET='ETOPEN' +- +-# OINKCODE +-# This setting is only necessary on a master server. +-# Sensors automatically inherit ruleset from the master server. +-# If you're running TALOS or ETPRO rulesets, you'll need to supply your +-# oinkcode here. +-OINKCODE='' +- +-################################ +-# PF_RING Config +-################################ +- +-# PF_RING_SLOTS +-# The default is 4096. +-# High traffic networks may need to increase this. +-PF_RING_SLOTS=4096 +- +-################################ +-# IDS Config +-################################ +- +-# IDS_ENGINE +-# Which IDS engine would you like to run? snort/suricata +-# Whatever you choose here will apply to the master server +-# and then sensors inherit this setting from the master server. +-# To run Snort: +-# IDS_ENGINE='snort' +-# To run Suricata: +-# IDS_ENGINE='suricata' +-IDS_ENGINE='snort' +- +-# IDS_LB_PROCS +-# How many PF_RING load-balanced processes would you like to run? +-# This value should be lower than your number of CPU cores. +-IDS_LB_PROCS='1' +- +-# HOME_NET +-# Setup by default configures Snort/Suricata's HOME_NET variable +-# as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12). 
+-# If you wish to provide a custom value, enter it below, +-# ensuring a comma is placed after each range, with no spaces in between. +-# Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' +-HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' +- +-################################ +-# Bro Config +-################################ +- +-# BRO_LB_PROCS +-# How many PF_RING load-balanced processes would you like Bro to run? +-# This value should be lower than your number of CPU cores. +-BRO_LB_PROCS='1' +- +-# EXTRACT_FILES +-# Do you want Bro to automatically extract Windows EXEs and write them to disk? yes/no +-EXTRACT_FILES='yes' +- +-################################ +-# PCAP Config +-################################ +- +-# PCAP_SIZE +-# How large do you want your pcap files to be? +-# The default is 150MB. +-PCAP_SIZE='150' +- +-# PCAP_RING_SIZE +-# How big of a ring buffer should be allocated for netsniff-ng? +-# The default is 64MB. +-PCAP_RING_SIZE='64' +- +-# PCAP_OPTIONS +-# The default option here of '-c' is intended for low-volume environments. +-# If monitoring lots of traffic, you will want to remove the -c to use +-# netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option. +-PCAP_OPTIONS='-c' +- +-################################ +-# Maintenance +-################################ +- +-# WARN_DISK_USAGE +-# Begin warning when disk usage reaches this level +-WARN_DISK_USAGE='80' +- +-# CRIT_DISK_USAGE +-# Begin purging old files when disk usage reaches this level +-CRIT_DISK_USAGE='90' +- +-# DAYSTOKEEP +-# Only applies to Sguil database ('securityonion_db') +-DAYSTOKEEP='30' +- +-# DAYSTOREPAIR +-# Only applies to Sguil database ('securityonion_db') +-DAYSTOREPAIR='7' +--- securityonion-setup-20120912.orig/share/securityonion/sosetup-forward.conf ++++ securityonion-setup-20120912/share/securityonion/sosetup-forward.conf +@@ -18,8 +18,7 @@ + # MGMT_INTERFACE + # Which network interface should be the management interface? 
+ # The management interface has an IP address and is NOT used for sniffing. +-# We recommend that you always make this eth0 if possible for consistency. +-MGMT_INTERFACE='eth0' ++MGMT_INTERFACE='ens33' + + # MGMT_CONFIG_TYPE + # Should the management interface be configured using DHCP or static IP? +@@ -42,8 +41,8 @@ DOMAIN='example.com' + # Which interface(s) will be sniffing network traffic? + # For multiple interfaces, please separate them with spaces. + # For example: +-# SNIFFING_INTERFACES='eth1 eth2' +-SNIFFING_INTERFACES='eth1' ++# SNIFFING_INTERFACES='ens34 ens35' ++SNIFFING_INTERFACES='ens34' + + ################################ + # Master Server +--- securityonion-setup-20120912.orig/share/securityonion/sosetup-master.conf ++++ securityonion-setup-20120912/share/securityonion/sosetup-master.conf +@@ -18,8 +18,7 @@ + # MGMT_INTERFACE + # Which network interface should be the management interface? + # The management interface has an IP address and is NOT used for sniffing. +-# We recommend that you always make this eth0 if possible for consistency. +-MGMT_INTERFACE='eth0' ++MGMT_INTERFACE='ens33' + + # MGMT_CONFIG_TYPE + # Should the management interface be configured using DHCP or static IP? +@@ -42,8 +41,8 @@ DOMAIN='example.com' + # Which interface(s) will be sniffing network traffic? + # For multiple interfaces, please separate them with spaces. + # For example: +-# SNIFFING_INTERFACES='eth1 eth2' +-SNIFFING_INTERFACES='eth1' ++# SNIFFING_INTERFACES='ens34 ens35' ++SNIFFING_INTERFACES='ens34' + + ################################ + # Master Server +--- securityonion-setup-20120912.orig/share/securityonion/sosetup-storage.conf ++++ securityonion-setup-20120912/share/securityonion/sosetup-storage.conf +@@ -18,8 +18,7 @@ + # MGMT_INTERFACE + # Which network interface should be the management interface? + # The management interface has an IP address and is NOT used for sniffing. +-# We recommend that you always make this eth0 if possible for consistency. 
+-MGMT_INTERFACE='eth0' ++MGMT_INTERFACE='ens33' + + # MGMT_CONFIG_TYPE + # Should the management interface be configured using DHCP or static IP? +@@ -42,8 +41,8 @@ DOMAIN='example.com' + # Which interface(s) will be sniffing network traffic? + # For multiple interfaces, please separate them with spaces. + # For example: +-# SNIFFING_INTERFACES='eth1 eth2' +-SNIFFING_INTERFACES='eth1' ++# SNIFFING_INTERFACES='ens34 ens35' ++SNIFFING_INTERFACES='ens34' + + ################################ + # Master Server +--- securityonion-setup-20120912.orig/share/securityonion/sosetup.conf ++++ securityonion-setup-20120912/share/securityonion/sosetup.conf +@@ -18,8 +18,7 @@ + # MGMT_INTERFACE + # Which network interface should be the management interface? + # The management interface has an IP address and is NOT used for sniffing. +-# We recommend that you always make this eth0 if possible for consistency. +-MGMT_INTERFACE='eth0' ++MGMT_INTERFACE='ens33' + + # MGMT_CONFIG_TYPE + # Should the management interface be configured using DHCP or static IP? +@@ -42,8 +41,8 @@ DOMAIN='example.com' + # Which interface(s) will be sniffing network traffic? + # For multiple interfaces, please separate them with spaces. + # For example: +-# SNIFFING_INTERFACES='eth1 eth2' +-SNIFFING_INTERFACES='eth1' ++# SNIFFING_INTERFACES='ens34 ens35' ++SNIFFING_INTERFACES='ens34' + + ################################ + # Master Server diff --git a/debian/patches/workaround-bug-in-16.04-salt-package b/debian/patches/workaround-bug-in-16.04-salt-package new file mode 100644 index 0000000..a9e98ac --- /dev/null +++ b/debian/patches/workaround-bug-in-16.04-salt-package 
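Review bot: The four example conf files now hard-code `MGMT_INTERFACE='ens33'` and `SNIFFING_INTERFACES='ens34'` and drop the sentence that used to explain the interface choice; `ens33`/`ens34` are the predictable names a VMware guest gets, while other platforms see names like `enp0s3` or `eno1`, so the templates now silently assume one hypervisor. A comment above each assignment, e.g. `# ens33/ens34 are typical for VMware guests; run 'ip link' to find the names on your hardware`, would keep the files usable as templates. The deletion of sosetup-elsa.conf in the same patch is straightforward.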
@@ -0,0 +1,38 @@
+Description:
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-setup (20120912-0ubuntu0securityonion258) xenial; urgency=medium
+ .
+ * workaround bug in 16.04 salt package
+Author: Doug Burks
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: ,
+Bug:
+Bug-Debian: http://bugs.debian.org/
+Bug-Ubuntu: https://launchpad.net/bugs/
+Forwarded:
+Reviewed-By:
+Last-Update:
+
+--- securityonion-setup-20120912.orig/bin/sosetup
++++ securityonion-setup-20120912/bin/sosetup
+@@ -1719,6 +1719,10 @@ if dpkg -l |grep "securityonion-onionsal
+ echo " '$FQDN':" >> $TOPSLS
+ echo " - backend" >> $TOPSLS
+ echo "" >> $TOPSLS
++ # Workaround bug in 16.04 salt package
++ if ! grep "^file_ignore_glob:" /etc/salt/master >/dev/null 2>&1; then
++ sed -i '/# file_ignore_glob:/a file_ignore_glob: []' /etc/salt/master
++ fi
+ # If salt-master is DISABLED we need to enable it
+ [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
+ [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override
diff --git a/debian/postinst b/debian/postinst
index dd5146b..881b72a 100644
--- a/debian/postinst
+++ b/debian/postinst
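Review bot: `sed -i '/# file_ignore_glob:/a file_ignore_glob: []' /etc/salt/master` only inserts the key when the stock commented-out `# file_ignore_glob:` line is present; on a master config without it the preceding `grep` fails on every run and sed silently appends nothing, so the workaround never takes effect and there is no log line saying so. If the patch is kept, a fallback that does not depend on the template comment is `grep -q '^file_ignore_glob:' /etc/salt/master || echo 'file_ignore_glob: []' >> /etc/salt/master` (a top-level key, so appending is valid YAML). The enclosing `if dpkg -l |grep ...` block starts and ends outside the hunk.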
@@ -7,12 +7,7 @@ case "$1" in
 # Make sure scripts are executable
 chmod +x /usr/sbin/sosetup* || echo "Error making sosetup scripts executable."
- chmod +x /usr/sbin/so-allow || echo "Error making so-allow script executable."
-
- # sosetup is now a symlink to sosetup-elastic
- if [ -f /usr/sbin/sosetup-elastic ]; then
- ln -s sosetup-elastic /usr/sbin/sosetup || echo "Error creating sosetup symlink."
- fi
+ chmod +x /usr/sbin/so-allow* || echo "Error making so-allow script executable."
 
 # Fix PulledPork config
 /usr/sbin/sosetup-fix-ppconf || echo "Error running /usr/sbin/sosetup-fix-ppconf"
diff --git a/share/securityonion/sosetup-elsa.conf b/share/securityonion/sosetup-elsa.conf
deleted file mode 100644
index 8862554..0000000
--- a/share/securityonion/sosetup-elsa.conf
+++ /dev/null
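Review bot: The new `chmod +x /usr/sbin/so-allow*` widens the earlier single-file chmod to a glob, so postinst now marks executable anything in /usr/sbin whose name begins with so-allow, including files this package did not install, and — like the `sosetup*` line above it — a failure is only echoed, so the maintainer script still exits 0 and dpkg marks the package configured with scripts that are not runnable. Prefer enumerating the so-allow scripts the package actually ships, or better, give them 0755 in the source tree so no chmod is needed here at all; if the chmod stays, report to stderr and fail the configure step: `chmod +x <each shipped so-allow script> || { echo "Error making so-allow scripts executable." >&2; exit 1; }`. The enclosing `case "$1" in` block starts and ends outside this hunk.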
@@ -1,330 +0,0 @@ -################################ -# sosetup.conf -################################ -# -# Please note this file is intended for sosetup-elsa! -# Please also note that ELSA will reach EOL soon! -# -# This file can be used to automate sosetup. -# -# Copy this example file to your home directory: -# cp /usr/share/securityonion/sosetup.conf ~ -# -# Edit your new sosetup.conf: -# nano ~/sosetup.conf -# -# Run Setup with the -f switch and the path to this file: -# sudo sosetup -f ~/sosetup.conf - -################################ -# Management Interface -################################ -# MGMT_INTERFACE -# Which network interface should be the management interface? -# The management interface has an IP address and is NOT used for sniffing. -# We recommend that you always make this eth0 if possible for consistency. -MGMT_INTERFACE='eth0' - -# MGMT_CONFIG_TYPE -# Should the management interface be configured using DHCP or static IP? -# We recommend using static IP whenever possible. -# MGMT_CONFIG_TYPE='static' -MGMT_CONFIG_TYPE='DHCP' - -# If MGMT_CONFIG_TYPE=static, then provide the details here: -ADDRESS='192.168.244.3' -NETMASK='255.255.255.0' -GATEWAY='192.168.244.1' -NAMESERVER='192.168.244.2 192.168.244.3' -DOMAIN='example.com' - -################################ -# Sniffing interface(s) -################################ -# Which interface(s) will be sniffing network traffic? -# For multiple interfaces, please separate them with spaces. 
-# For example: -# SNIFFING_INTERFACES='eth1 eth2' -SNIFFING_INTERFACES='eth1' - -################################ -# Master Server -################################ - -# SERVER -# If set to 1, then this box will be a Master server: -# SERVER=1 -# If set to 0, then this box will connect to a separate Master server: -# SERVER=0 -SERVER=1 - -# SERVERNAME -# If SERVER=1, then this should be 'localhost': -# SERVERNAME='localhost' -# If SERVER=0, then this should be the name/IP of the separate Master server: -# SERVERNAME='sguilserver.example.com' -SERVERNAME='localhost' - -# SSH_USERNAME -# If SERVER=0, then this should be the name of an -# account on the separate Master server that has sudo privileges. -# sudo privileges can be revoked after sosetup is complete. -# SSH_USERNAME='sensor1' -SSH_USERNAME='' - -# SGUIL_SERVER_NAME -# If SERVER=1, then this is the name of the Sguil server we'll create. -# You probably shouldn't change this value. -SGUIL_SERVER_NAME='securityonion' - -# SGUIL_CLIENT_USERNAME -# If SERVER=1, then this is the username that we'll create -# for Sguil/Squert/ELSA. -# Please use alphanumeric characters only! -SGUIL_CLIENT_USERNAME='onionuser' - -# SGUIL_CLIENT_PASSWORD_1 -# If SERVER=1, then this is the password that we'll create -# for Sguil/Squert/ELSA. -# If you set a password here, you may want to change it later and/or -# shred this file. -SGUIL_CLIENT_PASSWORD_1='asdfasdf' - -################################ -# ELSA -################################ -# ELSA -# If set to YES, then this box will run ELSA components: -# ELSA=YES -# If set to NO, then this box will not run ELSA components: -# ELSA=NO -# If you want to run ELSA, then you should enable this setting on every box in your deployment. -ELSA=YES - -# UPDATE_ELSA_SERVER -# If SERVER=0, then the server's elsa_web.conf will need -# to be updated and Apache restarted for it to recognize -# this new ELSA node. Restarting Apache will interrupt -# any running ELSA queries. 
-# To automatically update the server's elsa_web.conf and -# restart Apache, set this option to 'YES': -# UPDATE_ELSA_SERVER='YES' -# If you'd rather update the server's elsa_web.conf yourself -# and manually restart Apache, set this option to 'NO': -# UPDATE_ELSA_SERVER='NO' -UPDATE_ELSA_SERVER='YES' - -# LOG_SIZE_LIMIT -# This setting controls how much disk space ELSA uses. -# 10TB = 10000000000000 -# LOG_SIZE_LIMIT='10000000000000' -# 1TB = 1000000000000 -# LOG_SIZE_LIMIT='1000000000000' -# 100GB = 100000000000 -# LOG_SIZE_LIMIT='100000000000' -# 10GB = 10000000000 -LOG_SIZE_LIMIT='10000000000' - -################################ -# Enable/disable services -################################ - -# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database. -# Do you want to run the OSSEC Agent? yes/no -OSSEC_AGENT_ENABLED='yes' - -# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild. -OSSEC_AGENT_LEVEL='5' - -# Salt allows you to manage your entire Security Onion deployment -# as one cohesive whole. It provides configuration management -# and remote code execution. -# Do you want to enable Salt? yes/no -SALT='yes' - -################################ -# Sensor components -################################ -# SENSOR -# If set to 1, then this box will run sensor components and sniff ethernet interfaces: -# SENSOR=1 -# If set to 0, then this box will not run sensor components: -# SENSOR=0 -SENSOR=1 - -################################ -# Enable/disable sensor services -################################ -# If SENSOR=0, then no sensor services will run. -# If SENSOR=1, then the following services can be enabled/disabled. - -# BRO_ENABLED -# Do you want to run Bro? yes/no -BRO_ENABLED='yes' - -# IDS_ENGINE_ENABLED -# Do you want to run an IDS engine (Snort/Suricata)? yes/no -IDS_ENGINE_ENABLED='yes' - -# SNORT_AGENT_ENABLED -# Do you want to run the Snort agent? yes/no -# The Snort agent sends Snort IDS alerts to the Sguil database. 
-SNORT_AGENT_ENABLED='yes' - -# BARNYARD2_ENABLED -# Do you want to run Barnyard2? yes/no -# Barnyard2 sends IDS alerts from Snort/Suricata to -# Sguil's Snort agent and syslog (ELSA). -BARNYARD2_ENABLED='yes' - -# PCAP_ENABLED -# Do you want to run full packet capture? yes/no -PCAP_ENABLED='yes' - -# PCAP_AGENT_ENABLED -# Do you want to run Sguil's pcap_agent? yes/no -# The pcap_agent allows Sguil to access the pcap store. -PCAP_AGENT_ENABLED='yes' - -# PRADS_ENABLED -# Do you want to run Prads? yes/no -# Prads writes session data and asset data. -# Bro provides the same data types plus more, so most -# folks don't run Prads. -PRADS_ENABLED='no' - -# SANCP_AGENT_ENABLED -# Do you want to run the sancp_agent? yes/no -# sancp_agent sends session data from Prads to Sguil. -SANCP_AGENT_ENABLED='no' - -# PADS_AGENT_ENABLED -# Do you want to run the pads_agent? yes/no -# pads_agent sends asset data from Prads to Sguil. -PADS_AGENT_ENABLED='no' - -# HTTP_AGENT_ENABLED -# Do you want to run the http_agent? yes/no -# http_agent sends http logs from Bro to Sguil. -# If you're running ELSA, then you probably want to disable this. -HTTP_AGENT_ENABLED='no' - -# ARGUS_ENABLED -# Do you want to run Argus? yes/no -# Argus writes session data, also provided by Bro and Prads. -# Most folks don't run Argus. -ARGUS_ENABLED='no' - -################################ -# Rules -################################ - -# IDS_RULESET -# This setting is only necessary on a master server. -# Sensors automatically inherit ruleset from the master server. -# Which IDS ruleset would you like to use? -# Emerging Threats Open (no oinkcode required): -# ETOPEN -# Emerging Threats PRO (requires ETPRO oinkcode): -# ETPRO -# Sourcefire Talos (requires Talos oinkcode): -# TALOS -# TALOS and ET (requires TALOS oinkcode): -# TALOSET -IDS_RULESET='ETOPEN' - -# OINKCODE -# This setting is only necessary on a master server. -# Sensors automatically inherit ruleset from the master server. 
-# If you're running TALOS or ETPRO rulesets, you'll need to supply your -# oinkcode here. -OINKCODE='' - -################################ -# PF_RING Config -################################ - -# PF_RING_SLOTS -# The default is 4096. -# High traffic networks may need to increase this. -PF_RING_SLOTS=4096 - -################################ -# IDS Config -################################ - -# IDS_ENGINE -# Which IDS engine would you like to run? snort/suricata -# Whatever you choose here will apply to the master server -# and then sensors inherit this setting from the master server. -# To run Snort: -# IDS_ENGINE='snort' -# To run Suricata: -# IDS_ENGINE='suricata' -IDS_ENGINE='snort' - -# IDS_LB_PROCS -# How many PF_RING load-balanced processes would you like to run? -# This value should be lower than your number of CPU cores. -IDS_LB_PROCS='1' - -# HOME_NET -# Setup by default configures Snort/Suricata's HOME_NET variable -# as RFC 1918 (192.168.0.0/16,10.0.0.0/8,172.16.0.0/12). -# If you wish to provide a custom value, enter it below, -# ensuring a comma is placed after each range, with no spaces in between. -# Ex. HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' -HOME_NET='192.168.0.0/16,10.0.0.0/8,172.16.0.0/12' - -################################ -# Bro Config -################################ - -# BRO_LB_PROCS -# How many PF_RING load-balanced processes would you like Bro to run? -# This value should be lower than your number of CPU cores. -BRO_LB_PROCS='1' - -# EXTRACT_FILES -# Do you want Bro to automatically extract Windows EXEs and write them to disk? yes/no -EXTRACT_FILES='yes' - -################################ -# PCAP Config -################################ - -# PCAP_SIZE -# How large do you want your pcap files to be? -# The default is 150MB. -PCAP_SIZE='150' - -# PCAP_RING_SIZE -# How big of a ring buffer should be allocated for netsniff-ng? -# The default is 64MB. 
-PCAP_RING_SIZE='64'
-
-# PCAP_OPTIONS
-# The default option here of '-c' is intended for low-volume environments.
-# If monitoring lots of traffic, you will want to remove the -c to use
-# netsniff-ng's default scatter/gather I/O or consider netsniff-ng's --mmap option.
-PCAP_OPTIONS='-c'
-
-################################
-# Maintenance
-################################
-
-# WARN_DISK_USAGE
-# Begin warning when disk usage reaches this level
-WARN_DISK_USAGE='80'
-
-# CRIT_DISK_USAGE
-# Begin purging old files when disk usage reaches this level
-CRIT_DISK_USAGE='90'
-
-# DAYSTOKEEP
-# Only applies to Sguil database ('securityonion_db')
-DAYSTOKEEP='30'
-
-# DAYSTOREPAIR
-# Only applies to Sguil database ('securityonion_db')
-DAYSTOREPAIR='7'
diff --git a/share/securityonion/sosetup-forward.conf b/share/securityonion/sosetup-forward.conf
index 8397323..bb1482f 100644
--- a/share/securityonion/sosetup-forward.conf
+++ b/share/securityonion/sosetup-forward.conf
@@ -18,8 +18,7 @@
 # MGMT_INTERFACE
 # Which network interface should be the management interface?
 # The management interface has an IP address and is NOT used for sniffing.
-# We recommend that you always make this eth0 if possible for consistency.
-MGMT_INTERFACE='eth0'
+MGMT_INTERFACE='ens33'
 
 # MGMT_CONFIG_TYPE
 # Should the management interface be configured using DHCP or static IP?
@@ -42,8 +41,8 @@ DOMAIN='example.com'
 # Which interface(s) will be sniffing network traffic?
 # For multiple interfaces, please separate them with spaces.
 # For example:
-# SNIFFING_INTERFACES='eth1 eth2'
-SNIFFING_INTERFACES='eth1'
+# SNIFFING_INTERFACES='ens34 ens35'
+SNIFFING_INTERFACES='ens34'
 
 ################################
 # Master Server
@@ -91,7 +90,7 @@ SGUIL_CLIENT_PASSWORD_1='asdfasdf'
 ################################
 # Elastic Stack
 ################################
-ELASTIC='yes'
+ELASTIC='no'
 
 # LOG_SIZE_LIMIT
 # This setting controls how much disk space Elastic uses.
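Review bot: `ELASTIC='no'` in the last hunk of sosetup-forward.conf is a yes/no toggle with no comment stating the allowed values or why the forward-node template now defaults differently from the other templates; the house style visible in the deleted sosetup-elsa.conf gives every such toggle a comment spelling out both values and their effect (its ELSA block, for instance), and the LOG_SIZE_LIMIT comment that follows still says it controls how much disk space Elastic uses, which is confusing when Elastic is off. Add above the toggle something like `# ELASTIC: yes/no. Forward nodes default to 'no' (state the reason here — presumably they ship logs to the master rather than indexing locally; confirm).` and note under LOG_SIZE_LIMIT that it only applies when ELASTIC='yes'. Left unexplained, someone automating setup with `-f` is likely to copy 'yes' over from the other templates.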
diff --git a/share/securityonion/sosetup-master.conf b/share/securityonion/sosetup-master.conf
index b77a869..3c0769a 100644
--- a/share/securityonion/sosetup-master.conf
+++ b/share/securityonion/sosetup-master.conf
@@ -18,8 +18,7 @@
 # MGMT_INTERFACE
 # Which network interface should be the management interface?
 # The management interface has an IP address and is NOT used for sniffing.
-# We recommend that you always make this eth0 if possible for consistency.
-MGMT_INTERFACE='eth0'
+MGMT_INTERFACE='ens33'
 
 # MGMT_CONFIG_TYPE
 # Should the management interface be configured using DHCP or static IP?
@@ -42,8 +41,8 @@ DOMAIN='example.com'
 # Which interface(s) will be sniffing network traffic?
 # For multiple interfaces, please separate them with spaces.
 # For example:
-# SNIFFING_INTERFACES='eth1 eth2'
-SNIFFING_INTERFACES='eth1'
+# SNIFFING_INTERFACES='ens34 ens35'
+SNIFFING_INTERFACES='ens34'
 
 ################################
 # Master Server
diff --git a/share/securityonion/sosetup-storage.conf b/share/securityonion/sosetup-storage.conf
index 44ef488..f3a7aa1 100644
--- a/share/securityonion/sosetup-storage.conf
+++ b/share/securityonion/sosetup-storage.conf
@@ -18,8 +18,7 @@
 # MGMT_INTERFACE
 # Which network interface should be the management interface?
 # The management interface has an IP address and is NOT used for sniffing.
-# We recommend that you always make this eth0 if possible for consistency.
-MGMT_INTERFACE='eth0'
+MGMT_INTERFACE='ens33'
 
 # MGMT_CONFIG_TYPE
 # Should the management interface be configured using DHCP or static IP?
@@ -42,8 +41,8 @@ DOMAIN='example.com'
 # Which interface(s) will be sniffing network traffic?
 # For multiple interfaces, please separate them with spaces.
 # For example:
-# SNIFFING_INTERFACES='eth1 eth2'
-SNIFFING_INTERFACES='eth1'
+# SNIFFING_INTERFACES='ens34 ens35'
+SNIFFING_INTERFACES='ens34'
 
 ################################
 # Master Server
diff --git a/share/securityonion/sosetup.conf b/share/securityonion/sosetup.conf
index dad19bd..4e1951f 100644
--- a/share/securityonion/sosetup.conf
+++ b/share/securityonion/sosetup.conf
@@ -18,8 +18,7 @@
 # MGMT_INTERFACE
 # Which network interface should be the management interface?
 # The management interface has an IP address and is NOT used for sniffing.
-# We recommend that you always make this eth0 if possible for consistency.
-MGMT_INTERFACE='eth0'
+MGMT_INTERFACE='ens33'
 
 # MGMT_CONFIG_TYPE
 # Should the management interface be configured using DHCP or static IP?
@@ -42,8 +41,8 @@ DOMAIN='example.com'
 # Which interface(s) will be sniffing network traffic?
 # For multiple interfaces, please separate them with spaces.
 # For example:
-# SNIFFING_INTERFACES='eth1 eth2'
-SNIFFING_INTERFACES='eth1'
+# SNIFFING_INTERFACES='ens34 ens35'
+SNIFFING_INTERFACES='ens34'
 
 ################################
 # Master Server
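Review bot: The new default `MGMT_INTERFACE='ens33'` (and `SNIFFING_INTERFACES='ens34'`) replaces the deleted recommendation comment with nothing, so the template no longer tells the reader that these values are host-specific; `ens33`/`ens34` are what one common hypervisor layout produces under the predictable naming scheme, while bare metal and other virtual platforms get names like `eno1` or `enp0s3`, and an unattended `sosetup -f` run with a stale name would presumably fail or, worse, put management and sniffing on the wrong NICs. Keep a comment in place of the removed one, e.g. `# Interface names follow the predictable naming scheme (ens33, enp0s3, eno1, ...); check yours with 'ip link' and adjust before running sosetup -f.`, and repeat the pointer above SNIFFING_INTERFACES since that block's example values changed too.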