diff --git a/bin/sosetup-elastic b/bin/sosetup-elastic
deleted file mode 100644
index 05367ab..0000000
--- a/bin/sosetup-elastic
+++ /dev/null
@@ -1,2325 +0,0 @@
-#!/bin/bash
-#
-# Copyright (C) 2010-2017 Doug Burks and Security Onion
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License Version 2 as
-# published by the Free Software Foundation. You may not use, modify or
-# distribute this program under any other version of the GNU General
-# Public License.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
-#
-#
-# Description:
-# Configure Security Onion.
-
-#########################################
-# Variables
-#########################################
-DEBUG="0"
-# Window title
-HOST_ORIG=`hostname`
-HOSTNAME=${HOST_ORIG,,}
-IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
-TITLE="Security Onion Setup ($HOSTNAME)"
-# File locations
-CONF="/etc/nsm/securityonion.conf"
-LOG=`mktemp /tmp/sosetup.log.XXXXXXXXXX`
-PP_CONF="/etc/nsm/pulledpork/pulledpork.conf"
-# URLs
-ET_URL="rules.emergingthreats.net"
-TALOS_URL="www.snort.org"
-# Provide sensible defaults for Quick Setup
-SGUIL_SERVER_NAME="securityonion"
-IDS_ENGINE="snort"
-IDS_RULESET="ETOPEN"
-HOME_NET="192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
-INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort`
-ALL_INTERFACES="$INTERFACES"
-NUM_INTERFACES=`echo $INTERFACES | wc -w`
-SNIFF_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | wc -l`
-[ $SNIFF_INTERFACES -eq 0 ] && SNIFF_INTERFACES=1
-SENSORTAB="/etc/nsm/sensortab"
-UPDATE_ELSA_SERVER="NO"
-# PCAP_OPTIONS are passed to netsniff-ng
-# "netsniff-ng -c" does the following:
-# -c|--clrw Use slower read(2)/write(2) I/O
-# we set this as the default for classroom/training users
-# who are monitoring low-bandwidth networks and don't
-# want to wait for scatter/gather mode to write pcaps.
-# Users running Advanced Setup are likely on production networks
-# with higher bandwidth and want better performance, so we clear
-# PCAP_OPTIONS in the Advanced Setup section.
-PCAP_OPTIONS="-c"
-# PCAP_SIZE is the size at which we rotate to a new pcap file
-# Default to 150MB, but user can choose if running Advanced Setup
-PCAP_SIZE=150
-# PCAP_RING_SIZE is the RX_RING size for buffering packets
-# Default is 64MB
-PCAP_RING_SIZE="64"
-# WARN_DISK_USAGE is the percentage of disk usage at which the NSM scripts warn the disk is getting full
-WARN_DISK_USAGE=80
-# CRIT_DISK_USAGE is the percentage of disk usage at which the NSM scripts begin purging old files
-CRIT_DISK_USAGE=90
-# CORES is the number of CPU cores in the box
-# This is used for limiting IDS_LB_PROCS and BRO_LB_PROCS
-CORES=`grep -c ^processor /proc/cpuinfo`
-# SO_CORES is the number of CPU cores in the box, minus a reserved CPU core
-# for the OS, divided by the number of sniffing interfaces.
-SO_CORES=$(((CORES - 1) / SNIFF_INTERFACES))
-# CALCD_CORES subtracts a reserved CPU core for netsniff-ng from the available cores for
-# each interface and splits the number of cores between the IDS and Bro processes.
-CALCD_CORES=$(((SO_CORES - 1) / 2))
-# IDS_LB_PROCS goes into sensor.conf and controls threads for Snort/Suricata
-IDS_LB_PROCS=1
-IDS_LB_PROCS_CONFIRM="- Run a single IDS process per interface.\n"
-# BRO_LB_PROCS goes into Bro's node.cfg and controls threads for Bro
-BRO_LB_PROCS=1
-BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n"
-# /etc/nsm/securityonion.conf services enabled by default
-BRO_ENABLED="yes"
-OSSEC_AGENT_ENABLED="yes"
-OSSEC_AGENT_LEVEL=5
-XPLICO_ENABLED="no"
-# /etc/nsm/HOSTNAME-INTERFACE/sensor.conf services enabled by default
-PCAP_ENABLED="yes"
-PCAP_AGENT_ENABLED="yes"
-SNORT_AGENT_ENABLED="yes"
-IDS_ENGINE_ENABLED="yes"
-BARNYARD2_ENABLED="yes"
-PRADS_ENABLED="no"
-SANCP_AGENT_ENABLED="no"
-PADS_AGENT_ENABLED="no"
-ARGUS_ENABLED="no"
-HTTP_AGENT_ENABLED="no"
-# Salt is disabled by default
-SALT="no"
-# Number of days to keep in Sguil database
-DAYSTOKEEP=30
-# Number of days to repair
-DAYSTOREPAIR=7
-# File extraction
-EXTRACT_FILES="yes"
-# PF_RING min_num_slots
-PF_RING_SLOTS="4096"
-# SSH key variables
-SSH_DIR="/root/.ssh"
-SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
-KEY="$SSH_DIR/securityonion"
-# SOSETUPSCP is a file that will be copied to the master server and executed
-SOSETUPSCP=`mktemp`
-# SECURITYONION_CONF_MASTER is the securityonion.conf from the master server
-SECURITYONION_CONF_MASTER=`mktemp`
-# CUSTOM gives access to all options
-CUSTOM=0
-# ELSA is now enabled by default
-ELSA="YES"
-# Create /nsm if it doesn't already exist
-mkdir -p /nsm
-# Calculate half of available disk space for ELSA log_size_limit
-DISK_SIZE_K=`df /nsm |grep -v "^Filesystem" | awk '{print $2}'`
-let DISK_SIZE=DISK_SIZE_K*1000
-let LOG_SIZE_LIMIT=DISK_SIZE/2
-let LOG_SIZE_LIMIT_GB=LOG_SIZE_LIMIT/1000000000
-let DISK_SIZE_GB=DISK_SIZE/1000000000
-let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000
-# Check amount of system RAM (MB)
-TOTAL_MEM=`grep MemTotal /proc/meminfo | awk '{print $2}' | sed -r 's/.{3}$//'`
-# Make RAM # human 
readable (GB) -HR_MEM=$((TOTAL_MEM / 1000)) -# Text for minimum memory check -MEM_TEXT="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 3GB of RAM.\n\n\Please consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ -Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ -Otherwise, click 'Yes' to continue." -ARGS=("$@") - -######################################### -# Debug -######################################### -[ $DEBUG -eq 1 ] && echo "DEBUG: Debug is enabled. To disable it, edit the script and change DEBUG to 0." - -######################################### -# Got r00t? -######################################### -if [[ $(/usr/bin/id -u) -ne 0 && "$1" != "-w" ]]; then - echo "Setup needs to be run as root. Please try again using sudo." - zenity --error --title "$TITLE" --text="Setup needs to be run as root. Please try again using sudo." - exit -fi - -function ask() { -######################################### -# Welcome screen -######################################### -TEXT="WARNINGS AND DISCLAIMERS!\n\ -\n\ -Experimental Mode is ALPHA, BLEEDING EDGE, and TOTALLY UNSUPPORTED!\n\ -If this breaks your system, you get to keep both pieces!\n\ -This is a work in progress and is in constant flux.\n\ -This is intended to build a quick prototype proof of concept so you can see what our\n\ -ultimate Elastic configuration might look like. 
This configuration will change drastically\n\ -over time leading up to the final release.\n\ -Do NOT run this on a system that you care about!\n\ -Do NOT run this on a system that has data that you care about!\n\ -This should only be run on a TEST box with TEST data!\n\ -This is only designed for standalone boxes and does NOT support distributed deployments.\n\ -Experimental Mode may result in nausea, vomiting, or a burning sensation.\n\ -\n\ -Would you like to continue?" -if [ "$WRITEANSWERFILE" ]; then - TEXT="Welcome to Security Onion Setup!\n\ -\n\ -Writing an answer file is still experimental, and does not\n\ -yet support network configuration. Please make sure\n\ -your /etc/network/interfaces file is already configured and\n\ -has at least one interface configured for monitoring.\n\ -\n\ -Would you like to continue?" -fi -YES="Yes, Continue!" -NO="No, Quit." -zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap -ANSWER="$?" -if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Exiting Setup" - exit -else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing Setup." -fi - -######################################### -# sosetup-network -######################################### -# Network config not yet supported when generating an answer file -if [ -z "$WRITEANSWERFILE" ] && [ "${ARGS[0]}" != "skipnetwork" ] && [ -f /usr/sbin/sosetup-network ]; then - /usr/sbin/sosetup-network - # If there were errors in sosetup-network, then exit - [ $? 
-eq 1 ] && exit -fi - -######################################### -# Evaluation Mode or Production Mode -######################################### -TEXT="Evaluation Mode or Production Mode?\n\ -\n\ -Evaluation Mode is recommended for first-time users or standalone VMs:\n\ -- ideal for quickly evaluating Security Onion\n\ -- will automatically configure most details of your system\n\ -- configures Snort and Bro to monitor one network interface\n\ -- NOT intended for a production sensor\n\ -\n\ -Production Mode is recommended for production deployments\n\ -as it gives you more control over the details of your system\n\ -and allows you to build a distributed sensor network. You choose:\n\ -- Sguil server, Sguil sensor, or both\n\ -- which IDS engine to use (Snort or Suricata)\n\ -- which IDS ruleset(s) to use (Emerging Threats, Snort Subscriber (Talos), or both)\n\ -- how many processes to run for Snort/Suricata/Bro" -SETUP="" -SETUP=`zenity --list --radiolist \ - --column "1" --column "2" --hide-header --title="$TITLE" \ - TRUE "Evaluation Mode" FALSE "Production Mode" --text="$TEXT"` -if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi -fi -[ "$SETUP" == "" ] && exit -[ "$SETUP" == "Production Mode" ] && ADVANCED_SETUP="1" || ADVANCED_SETUP="0" -if [ $ADVANCED_SETUP -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Evaluation Mode." - if [ $TOTAL_MEM -lt 3000 ]; then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi - if [ $NUM_INTERFACES -gt 1 ]; then - TEXT="Which network interface should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your first monitor interface is already selected." 
- INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` - if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then - - CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces | head -1` - INPUT=`for i in $INTERFACES; do - if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then - echo -n "TRUE $i " - else - echo -n "FALSE $i " - fi - done` - else - INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done` - fi - INTERFACES=`zenity --list --radiolist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'` - if [ "$INTERFACES" = "" ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." - exit - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES." - fi - SERVER=1 - SENSOR=1 - ELSA="YES" - XPLICO_ENABLED="yes" - SERVERNAME="localhost" - SENSOR_CONFIRM_1="- Configure Snort and Bro to monitor the following interface:\n" - SENSOR_CONFIRM_2="$INTERFACES\n" -else - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Production Mode." - # Ask which components to configure - TEXT="If this is the first machine in a distributed deployment, choose Server.\n\ -This machine will only run Sguil, Squert, and ELSA and will not monitor any network interfaces.\n\ -\n\ -If this is a sensor for a distributed deployment (you've already installed the Server), choose Sensor.\n\ -You will need to be able to SSH to the existing Server box with an account with sudo privileges.\n\ -\n\ -Otherwise, choose Standalone to configure both Server and Sensor components on this box." - COMPONENTS=`zenity --height=300 --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Server FALSE Sensor FALSE Standalone` - case $COMPONENTS in - Standalone) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Standalone." 
- SERVER=1 - SENSOR=1 - SERVERNAME="localhost" - if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi - ;; - Server) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Server." - SERVER=1 - SENSOR=0 - SERVERNAME="localhost" - IDS_LB_PROCS_CONFIRM="" - BRO_LB_PROCS_CONFIRM="" - if [ $TOTAL_MEM -lt 2000 ];then zenity --question --title="$TITLE" --text="This machine currently has "$HR_MEM"GB of RAM allocated.\n\For best performance, please ensure the machine is allocated at least 2GB of RAM.\n\n\Consult the following link for more information:\n\https://github.com/Security-Onion-Solutions/security-onion/wiki/Hardware\n\n\ -Click 'No' to stop setup and adjust the amount of RAM allocated to this machine.\n\ -Otherwise, click 'Yes' to continue." --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi - ;; - Sensor) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Sensor." - SERVER=0 - SENSOR=1 - TEXT="What is the hostname or IP address of the master server that this sensor should connect to?" - SERVERNAME_CONFIRMED="no" - if [ $TOTAL_MEM -lt 3000 ];then zenity --question --title="$TITLE" --text="$MEM_TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Continuing, despite low RAM." - fi - while [ $SERVERNAME_CONFIRMED = "no" ]; do - SERVERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. 
Exiting." && exit 1 - else - exit 1 - fi - fi - # Did the user enter the hostname or IP address of the local box? - if [ "$SERVERNAME" = "$HOSTNAME" ]; then - zenity --error --title "$TITLE" --text="That is the hostname of this box\!\r \ -\r \ -Since you chose a sensor-only installation, the master server should be a separate box." - elif [ "$SERVERNAME" = "$IP" ]; then - zenity --error --title "$TITLE" --text="That is the IP address of this box\!\r \ -\r \ -Since you chose a sensor-only installation, the master server should be a separate box." - elif [ "x$SERVERNAME" = "x" ]; then - zenity --error --title "$TITLE" --text="No server defined\!\r \ -\r \ -Please provide the hostname or IP address of a valid master server." - - else - # nc will result in OSSEC Active Response blocking the IP address - # nc -vz $SERVERNAME 22 -w 5 2>&1 | grep "succeeded\!" >/dev/null 2>&1 && SERVERNAME_CONFIRMED="yes" - # so use ssh instead: - ssh $SERVERNAME -o ConnectTimeout=5 -o BatchMode=yes 2>&1 | egrep 'Connection timed out|Could not resolve hostname' >/dev/null 2>&1 || SERVERNAME_CONFIRMED="yes" - [ $DEBUG -eq 1 ] && echo "DEBUG: Hostname/IP set to $SERVERNAME." - if [ $SERVERNAME_CONFIRMED = "no" ]; then - zenity --error --title "$TITLE" --text="Couldn't connect to $SERVERNAME on port 22\!\r \ -\r \ -Please double-check hostname or IP address and\r\ -firewall rules." - fi - fi - done - TEXT="Please enter a username that can SSH to the master server and execute sudo." - SENSOR_CONFIRM_3="no" - while [[ $SENSOR_CONFIRM_3 = "no" ]]; do - SSH_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - if [ x$SSH_USERNAME = "x" ]; then - zenity --error --title "$TITLE" --text="No username defined\!\r \ -\r\ \ -Please provide a username that can SSH to the master server and execute sudo." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: SSH username set." 
- SENSOR_CONFIRM_3="- Configure the sensors to report to $SERVERNAME.\n" - fi - done - ;; - *) - exit - ;; - esac - - TEXT="Best Practices or Custom?\n\ -\n\ -If you'd like to use the Best Practices defaults, please select Best Practices.\n\ -\n\ -If you'd like to see all options, choose Custom." - CUSTOM="" - CUSTOM=`zenity --list --radiolist \ - --column "1" --column "2" --hide-header --title="$TITLE" \ - TRUE "Best Practices" FALSE "Custom" --text="$TEXT"` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - [ "$CUSTOM" == "" ] && exit - [ "$CUSTOM" == "Custom" ] && CUSTOM="1" || CUSTOM="0" - if [ $CUSTOM -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Best Practices." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Custom." - fi -fi - -######################################### -# If server is enabled, ask for Sguil client username -######################################### -if [ $SERVER -eq 1 ]; then - USERNAME_CONFIRMED="no" - while [ $USERNAME_CONFIRMED = "no" ]; do - TEXT="What would you like your Sguil username to be?\r\rThis will be used when logging into Sguil, Squert, and Kibana.\r\rPlease use alphanumeric characters only." - SGUIL_CLIENT_USERNAME=`zenity --title="$TITLE" --text="$TEXT" --entry` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - COMPRESSED="$(echo $SGUIL_CLIENT_USERNAME | sed -e 's/[^[:alnum:]]//g')" - if [ "$COMPRESSED" != "$SGUIL_CLIENT_USERNAME" ] || [ x$SGUIL_CLIENT_USERNAME = "x" ] ; then - zenity --error --title "$TITLE" --text="Invalid username\! \r \ -\r \ -Please use alphanumeric characters only." - else - USERNAME_CONFIRMED="yes" - [ $DEBUG -eq 1 ] && echo "DEBUG: Sguil username set." 
- fi - done -fi - -######################################### -# If server is enabled, ask for and confirm password -######################################### -if [ $SERVER -eq 1 ]; then - SGUIL_CLIENT_PASSWORD_CONFIRMED="no" - while [ $SGUIL_CLIENT_PASSWORD_CONFIRMED = "no" ]; do - TEXT="What would you like to set your password to?\n\ -\n\ -Password must be at least 6 characters.\n\ -\n\ -This password will be used for Sguil, Squert, and Kibana.\n\ -\n\ -Once you've logged into these interfaces using this initial password, you can change it in the Sguil client." - SGUIL_CLIENT_PASSWORD_1=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - if [ "${#SGUIL_CLIENT_PASSWORD_1}" -lt "6" ]; then - zenity --error --title "$TITLE" --text="Password must be at least 6 characters\!" - else - TEXT="Please confirm what you would like to set your password to." - SGUIL_CLIENT_PASSWORD_2=`zenity --title="$TITLE" --text="$TEXT" --entry --hide-text` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - if [ "$SGUIL_CLIENT_PASSWORD_1" = "$SGUIL_CLIENT_PASSWORD_2" ]; then - SGUIL_CLIENT_PASSWORD_CONFIRMED="yes" - [ $DEBUG -eq 1 ] && echo "DEBUG: Password set." - else - zenity --error --title "$TITLE" --text="Passwords didn't match\!" - fi - fi - done - SERVER_CONFIRM="- Create a Sguil server named $SGUIL_SERVER_NAME. \n" - SERVER_USER_CONFIRM="- Create a Sguil user named $SGUIL_CLIENT_USERNAME. 
\n" -fi - -######################################### -# ADVANCED SETUP - SERVER -######################################### -if [ $ADVANCED_SETUP -eq 1 ] && [ $SERVER -eq 1 ]; then - - if [ $CUSTOM -eq 1 ]; then - # Ask for DAYSTOKEEP - DAYSTOKEEP_CONFIRMED="no" - while [ $DAYSTOKEEP_CONFIRMED = "no" ]; do - DAYSTOKEEP=`zenity --entry --title "$TITLE" --text="How many days of data do you want to keep in your Sguil database?\n\nThis includes things like IDS alerts, PADS events, and PRADS session data.\n\nIf you need to change this later, you can change DAYSTOKEEP in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 30 days." --entry-text=30` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - COMPRESSED="$(echo $DAYSTOKEEP | sed -e 's/[^[:digit:]]//g')" - if [ "$COMPRESSED" != "$DAYSTOKEEP" ] || [ x$DAYSTOKEEP = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." - else - DAYSTOKEEP_CONFIRMED="yes" - fi - done - - # Ask for DAYSTOREPAIR - DAYSTOREPAIR_CONFIRMED="no" - while [ $DAYSTOREPAIR_CONFIRMED = "no" ]; do - DAYSTOREPAIR=`zenity --entry --title "$TITLE" --text="How many days of data do you want to repair in your Sguil database?\n\nA daily cronjob stops Sguil, repairs the MySQL tables for the last X days, and then starts Sguil back up.\n\nIf you choose a higher value, Sguil will be down for longer.\n\nIf you need to change this later, you can change DAYSTOREPAIR in /etc/nsm/securityonion.conf.\n\nPlease enter an integer. The default is 7 days." --entry-text=7` - if [ $? = 1 ];then - if [ $DEBUG -eq 1 ];then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - COMPRESSED="$(echo $DAYSTOREPAIR | sed -e 's/[^[:digit:]]//g')" - if [ "$COMPRESSED" != "$DAYSTOREPAIR" ] || [ x$DAYSTOREPAIR = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." 
- else - DAYSTOREPAIR_CONFIRMED="yes" - fi - done - fi - - # Ask which IDS engine to use. - TEXT="Which IDS Engine would you like to use?" - IDS_ENGINE=`zenity --list --radiolist --column="1" --column="2" --hide-header --title="$TITLE" --text="$TEXT" TRUE Snort FALSE Suricata` - #[ -z $IDS_ENGINE ] - [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected $IDS_ENGINE." - - # Ask which IDS ruleset to use. - TEXT="Which IDS ruleset would you like to use?" - IDS_RULESET=`zenity --width=600 --height=300 --list --radiolist --column="1" --column="Ruleset" --column="Ruleset" --column="Oinkcode required?" --hide-header --hide-column="2" --text="$TEXT" --title="$TITLE" \ - TRUE "ETOPEN" "Emerging Threats Open" "no oinkcode required" \ - FALSE "ETPRO" "Emerging Threats PRO" "requires ETPRO oinkcode" \ - FALSE "TALOSET" "Snort Subscriber (Talos) ruleset and Emerging Threats NoGPL ruleset" "requires Snort Subscriber oinkcode" \ - FALSE "TALOS" "Snort Subscriber (Talos) ruleset only and set a Snort Subscriber policy" "requires Snort Subscriber oinkcode" ` - - case $IDS_RULESET in - ETOPEN) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Emerging Threats Open ruleset." - IDS_RULESET_ACTION="- Download Emerging Threats Open ruleset.\n" - ;; - ETPRO) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting ETPRO ruleset." - TEXT="Please enter your Emerging Threats Pro oinkcode.\n\nIf you don't already have one, you can purchase one from http://www.emergingthreatspro.com/." - OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"` - [ $DEBUG -eq 1 ] && echo "DEBUG: Entered ETPRO oinkcode $OINKCODE" - IDS_RULESET_ACTION="- Download ETPRO ruleset using oinkcode $OINKCODE.\n" - ;; - TALOS) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy." 
- TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/." - OINKCODE=`zenity --title "$TITLE" --entry --text="$TEXT"` - [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE" - TALOS_POLICY=`zenity --list --radiolist --hide-header --column="1" --column="2" --text="Please choose a Snort Subscriber (Talos) policy." --title "$TITLE" \ - FALSE "connectivity" \ - FALSE "balanced" \ - FALSE "security" ` - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected Snort Subscriber (Talos) policy $TALOS_POLICY" - IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Set Snort Subscriber (Talos) policy to $TALOS_POLICY.\n" - ;; - TALOSET) - [ $DEBUG -eq 1 ] && echo "DEBUG: Selecting Snort Subscriber (Talos) and Emerging Threats NoGPL ruleset." - TEXT="Please enter your Snort Subscriber (Talos) oinkcode.\n\nIf you don't already have one, you can obtain one from http://www.snort.org/." - OINKCODE=`zenity --entry --title "$TITLE" --text="$TEXT"` - [ $DEBUG -eq 1 ] && echo "DEBUG: Entered Snort Subscriber (Talos) oinkcode $OINKCODE" - IDS_RULESET_ACTION="- Download the Snort Subscriber (Talos) ruleset using oinkcode $OINKCODE.\n- Download the Emerging Threats NoGPL ruleset.\n" - ;; - *) - [ $? = 1 ] && [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - ;; - esac - # End of ADVANCED SETUP - SERVER -fi - -######################################### -# ADVANCED SETUP - SENSOR -######################################### -if [ $ADVANCED_SETUP -eq 1 ] && [ $SENSOR -eq 1 ]; then - - # Remove "-c" from PCAP_OPTIONS for better performance on production networks - PCAP_OPTIONS="" - - # Ask for PF_RING_SLOTS - PF_RING_SLOTS_CONFIRMED="no" - while [ $PF_RING_SLOTS_CONFIRMED = "no" ]; do - PF_RING_SLOTS=`zenity --entry --title "$TITLE" --text="What would you like to set PF__RING min__num__slots to?\n\nThe default is 4096. 
For busy networks, you may want to increase this to a higher number like 65534.\n\nIf you need to change this later, you can modify /etc/modprobe.d/pf__ring.conf and reload the pf_ring module." --entry-text=4096` - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked Cancel. Exiting." && exit 1 - else - exit 1 - fi - fi - COMPRESSED="$(echo $PF_RING_SLOTS | sed -e 's/[^[:digit:]]//g')" - if [ "$COMPRESSED" != "$PF_RING_SLOTS" ] || [ x$PF_RING_SLOTS = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid value! Please use integers only." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: PF_RING min_num_slots set to $PF_RING_SLOTS." - PF_RING_SLOTS_CONFIRMED="yes" - fi - done - - # Ask which interface(s) to listen on - if [ $NUM_INTERFACES -gt 1 ]; then - TEXT="Which network interface(s) should be monitored?\n\nIf you allowed Setup to configure /etc/network/interfaces, your monitor interfaces are already selected." - INTERFACES=`awk '/:/ {print $1}' /proc/net/dev | tr -d ':' | grep -v "^lo$" | grep -v "^docker" | grep -v "^br-" | grep -v "^veth" | sort` - if grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1 && grep manual /etc/network/interfaces >/dev/null 2>&1; then - [ $? = 1 ] && exit 1 - CONFIGURED_INTERFACES=`awk '/manual/ {print $2}' /etc/network/interfaces` - INPUT=`for i in $INTERFACES; do - if echo $CONFIGURED_INTERFACES |grep $i >/dev/null 2>&1; then - echo -n "TRUE $i " - else - echo -n "FALSE $i " - fi - done` - else - INPUT=`for i in $INTERFACES; do echo -n "FALSE $i "; done` - fi - INTERFACES=`zenity --list --checklist --column "Enabled" --column "Interface" --hide-header --title="$TITLE" --text="$TEXT" $INPUT |sed 's/|/ /g'` - if [ "$INTERFACES" = "" ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." - exit - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Selected interfaces $INTERFACES." 
- fi - SENSOR_CONFIRM_1="- Monitor each of the following interfaces:\n" - SENSOR_CONFIRM_2="$INTERFACES\n" - - # Determine number of cores and use that as a maximum value for IDS/Bro processes to run - LIST=`seq 1 $CALCD_CORES`; SELECTIONS=`for i in $LIST; do echo "FALSE $i"; done` - - if [ $CUSTOM -eq 1 ]; then - # IDS Engine - TEXT="The IDS Engine (Snort/Suricata) listens on the interfaces\n\ -specified on the previous screen and logs IDS alerts.\n\ -\n\ -Would you like to enable the IDS Engine?" - YES="Yes, enable the IDS Engine!" - NO="No, disable the IDS Engine." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling IDS Engine." - IDS_ENGINE_ENABLED="no" - BARNYARD2_ENABLED="no" - SNORT_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling IDS Engine." - fi - fi - - # IDS Engine Procs - if [ "$IDS_ENGINE_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then - TEXT="How many IDS engine processes would you like to run?\n\ -\n\ -Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES IDS engine processes per interface.\n\ -\n\ -If you need to change this setting later, change IDS_LB_PROCS in /etc/nsm/HOSTNAME-INTERFACE/sensor.conf" - IDS_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"` - if [ "$IDS_LB_PROCS" = "" ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." 
- exit - fi - if [ "$CALCD_CORES" -gt 1 ]; then - IDS_LB_PROCS_CONFIRM="- Run $IDS_LB_PROCS load-balanced IDS engine processes per interface.\n" - else - IDS_LB_PROCS=1 - IDS_LB_PROCS_CONFIRM="- Run a a single IDS engine process per interface.\n" - fi - else - IDS_LB_PROCS=$CALCD_CORES - if [ "$CALCD_CORES" -gt 1 ]; then - IDS_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced IDS engine processes per interface.\n" - else - IDS_LB_PROCS=1 - IDS_LB_PROCS_CONFIRM="- Run a single IDS engine process per interface.\n" - fi - fi - # Ask if user would like to configure a custom HOME_NET - if [ "$IDS_ENGINE_ENABLED" == "yes" ]; then - HOME_NET_CONFIRMED="no" - while [ "$HOME_NET_CONFIRMED" == "no" ];do - TEXT="What would you like to configure HOME__NET as?\n\n\Add a comma (no space) after each address range.\n\n\Ex. 192.168.0.0/16,10.0.0.0/8,172.16.0.0/12" - HOME_NET=`zenity --title="$TITLE" --text="$TEXT" --entry --entry-text="$HOME_NET"` - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting Setup." - exit 1 - else - if [ "$HOME_NET" == "" ]; then - zenity --error --title "$TITLE" --text="Please provide a value for HOME_NET!" - else - HOME_NET_CONFIRMED="yes" - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked OK. Configuring HOME_NET as $HOME_NET." - fi - fi - done - fi - IDS_HOME_NET_CONFIRM="- Configure IDS HOME_NET as: $HOME_NET.\n" - if [ $CUSTOM -eq 1 ]; then - # Bro - TEXT="Bro listens on the chosen interfaces and writes protocol logs.\n\ -\n\ -Would you like to enable Bro?" - YES="Yes, enable Bro!" - NO="No, disable Bro." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Bro." - BRO_ENABLED="no" - HTTP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Bro." 
- fi - - # Bro file extraction - if [ "$BRO_ENABLED" == "yes" ]; then - TEXT="Bro can extract files (EXEs by default) from your network traffic.\n\nIf enabled, EXEs will be stored in /nsm/bro/extracted/.\n\nWould you like to enable file extraction?" - YES="Yes, enable file extraction!" - NO="No, disable file extraction." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling file extraction" - EXTRACT_FILES="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling file extraction." - EXTRACT_FILES="yes" - fi - fi - fi - - # BRO_LB_PROCS - if [ "$BRO_ENABLED" == "yes" ] && [ "$CALCD_CORES" -gt 1 ] && [ "$CUSTOM" -eq 1 ]; then - TEXT="How many Bro processes would you like to run?\n\ -\n\ -Based on your system's number of CPU cores, it is recommended that you run $CALCD_CORES Bro processes per interface. -\n\ -If you need to change this setting later, you can change the lb_procs variable in /opt/bro/etc/node.cfg." - BRO_LB_PROCS=`zenity --list --radiolist --column "" --column "" $SELECTIONS --hide-header --text="$TEXT" --title="$TITLE"` - if [ "$BRO_LB_PROCS" = "" ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Cancel. Exiting." 
- exit - fi - if [ "$CALCD_CORES" -gt 1 ]; then - BRO_LB_PROCS_CONFIRM="- Run $BRO_LB_PROCS load-balanced Bro processes per interface.\n" - else - BRO_LB_PROCS=1 - BRO_LB_PROCS_CONFIRM="- Run a a single Bro process per interface.\n" - fi - else - BRO_LB_PROCS=$CALCD_CORES - if [ "$CALCD_CORES" -gt 1 ]; then - BRO_LB_PROCS_CONFIRM="- Run $CALCD_CORES load-balanced Bro processes per interface.\n" - else - BRO_LB_PROCS=1 - BRO_LB_PROCS_CONFIRM="- Run a single Bro process per interface.\n" - fi - fi - - if [ $CUSTOM -eq 1 ]; then - # http_agent - if [ "$BRO_ENABLED" == "yes" ]; then - TEXT="http_agent sends Bro's http.log to the Sguil database.\n\ -\n\ -If you plan to access Bro's http.log via ELSA,\n\ -you may want to disable http_agent to avoid duplication of effort.\n\ -\n\ -Would you like to enable http_agent?" - YES="Yes, enable http__agent!" - NO="No, disable http__agent." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling http_agent." - HTTP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling http_agent." - HTTP_AGENT_ENABLED="yes" - fi - fi - - # Argus - TEXT="Argus listens on the chosen interfaces and logs session data to the filesystem.\n\ -\n\ -If you plan to use other forms of session data (like Bro's conn.log or Prads),\n\ -you may want to disable Argus to avoid duplication of effort.\n\ -\n\ -Would you like to enable Argus?" - YES="Yes, enable Argus!" - NO="No, disable Argus." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Argus." - ARGUS_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Argus." 
- ARGUS_ENABLED="yes" - fi - - # Prads - TEXT="Prads listens on the chosen interfaces and provides session and asset data for Sguil.\n\ -\n\ -If you plan to use other forms of session data (like Bro's conn.log or Argus)\n\ -and/or you plan to use other forms of asset data (like Bro's software.log),\n\ -you may want to disable Prads to avoid duplication of effort.\n\ -\n\ -Would you like to enable Prads?" - YES="Yes, enable Prads!" - NO="No, disable Prads." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling Prads." - PRADS_ENABLED="no" - PADS_AGENT_ENABLED="no" - SANCP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling Prads." - PRADS_ENABLED="yes" - PADS_AGENT_ENABLED="yes" - SANCP_AGENT_ENABLED="yes" - fi - - # PCAP - TEXT="Full packet capture writes all monitored traffic to disk.\n\ -\n\ -Full packet capture requires lots of disk space,\n\ -but gives you lots of forensic capabilities\n\ -and is therefore highly recommended!\n\ -\n\ -Would you like to enable full packet capture?" - YES="Yes, enable full packet capture!" - NO="No, disable full packet capture." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Disabling full packet capture." - PCAP_ENABLED="no" - PCAP_AGENT_ENABLED="no" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Enabling full packet capture." - fi - - # Ask for PCAP_SIZE - if [ "$PCAP_ENABLED" == "yes" ]; then - - # Ask for PCAP_SIZE - PCAP_SIZE_CONFIRMED="no" - while [ $PCAP_SIZE_CONFIRMED = "no" ]; do - PCAP_SIZE=`zenity --entry --title "$TITLE" --text="How big do you want your pcap files to be?\n\nPlease enter an integer in Megabytes (MB). The default is 150 MB." --entry-text=150` - [ $? 
= 1 ] && exit - COMPRESSED="$(echo $PCAP_SIZE | sed -e 's/[^[:digit:]]//g')" - if [ "$COMPRESSED" != "$PCAP_SIZE" ] || [ x$PCAP_SIZE = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP size set to $PCAP_SIZE." - PCAP_SIZE_CONFIRMED="yes" - fi - done - - # Ask about MMAP - TEXT="netsniff-ng defaults to using scatter/gather pcap file I/O.\n\ -\n\ -For higher performance, you can enable mmap I/O, but this requires more RAM.\n\ -\n\ -Would you like to enable mmap I/O?" - YES="Yes, enable mmap I/O!" - NO="No, use default scatter/gather I/O." - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Using scatter/gather." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Using mmap I/O." - PCAP_OPTIONS="--mmap" - fi - - # Ask for PCAP_RING_SIZE - PCAP_RING_SIZE_CONFIRMED="no" - while [ $PCAP_RING_SIZE_CONFIRMED = "no" ]; do - PCAP_RING_SIZE=`zenity --entry --title "$TITLE" --text="How large do you want your PCAP ring buffer?\n\nEach monitoring interface will have the specified amount allocated from RAM\nso be sure your system has enough memory. In the case of 4 sensor interfaces\nand a specified ring buffer of 1GB, 4GB of total RAM will be allocated for packet\nbuffering. For busy networks a ring buffer of at least 256MB is recommended.\n\nPlease enter an integer in Megabytes (MB). The default is 64 MB." --entry-text=64` - [ $? = 1 ] && exit - COMPRESSED="$(echo $PCAP_RING_SIZE | sed -e 's/[^[:digit:]]//g')" - if [ "$COMPRESSED" != "$PCAP_RING_SIZE" ] || [ x$PCAP_RING_SIZE = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid MB Value! Please use integers only." - else - [ $DEBUG -eq 1 ] && echo "DEBUG: PCAP ring size set to $PCAP_RING_SIZE." 
- PCAP_RING_SIZE_CONFIRMED="yes" - fi - done - else - # Note about disabling full packet capture - YES="Yes, Continue." - NO="No, Quit." - zenity --title "$TITLE" --question --text="Please note, if you choose not to enable full packet capture, you will not\nbe able to pivot from Sguil to PCAP, or to CapME to retrieve PCAP data.\n\nClick 'Yes' to continue without enabling full packet capture.\n\nOtherwise, click 'No' to exit setup and re-run it to enable the capture of this valuable data." --ok-label="$YES" --cancel-label="$NO" --no-wrap - if [ $? = 1 ]; then - if [ $DEBUG -eq 1 ]; then - echo "DEBUG: Clicked No. Exiting." && exit 1 - else - exit 1 - fi - fi - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes. Continuing without enabling full packet capture." - fi - - # Ask for CRIT_DISK_USAGE - CRIT_DISK_USAGE_CONFIRMED="no" - while [ $CRIT_DISK_USAGE_CONFIRMED = "no" ]; do - CRIT_DISK_USAGE=`zenity --entry --title "$TITLE" --text="At what percent of disk usage would you like to begin purging old logs?\n\nPlease enter an integer between 10 and 100. The default is 90." --entry-text=90` - [ $? = 1 ] && exit - COMPRESSED="$(echo $CRIT_DISK_USAGE | sed -e 's/[^[:digit:]]//g')" - [ "$COMPRESSED" == "$CRIT_DISK_USAGE" ] && - [ $CRIT_DISK_USAGE -gt 10 ] && - [ $CRIT_DISK_USAGE -lt 100 ] && - CRIT_DISK_USAGE_CONFIRMED="yes" || - zenity --error --title "$TITLE" --text "Invalid percentage! Please use integers between 0 and 100." - done - let WARN_DISK_USAGE=${CRIT_DISK_USAGE}-10 - [ $DEBUG -eq 1 ] && echo "DEBUG: CRIT_DISK_USAGE set to $CRIT_DISK_USAGE." 
- fi # End of CUSTOM - -fi # End of ADVANCED SETUP - SENSOR - -######################################### -# Ask whether or not to use SALT -######################################### -# Check to see if the securityonion-onionsalt package is installed -if [ $ADVANCED_SETUP -eq 1 ] && dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then - SALT="yes" - if [ $CUSTOM -eq 1 ]; then -TEXT="Salt can be enabled to help manage your entire sensor deployment.\n\ -\n\ -By default, Salt will automatically keep the following updated:\n\ -* OS user accounts\n\ -* SSH keys for those user accounts\n\ -* IDS rulesets\n\ -\n\ -Salt can also be used for remote execution, so you can run a command\n\ -and have it execute on all sensors across your deployment.\n\ -\n\ -Would you like to enable Salt?" - YES="Yes, enable Salt!" - NO="No, disable Salt" - zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Enable Salt." - SALT="yes" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Disable Salt." - SALT="no" - fi - fi -fi - -# End of ADVANCED SETUP - -######################################### -# Ask whether or not to use ELSA -######################################### -if [ $CUSTOM -eq 1 ]; then -TEXT="ELSA (Enterprise Log Search and Archive) is a centralized syslog framework\n\ -built on Syslog-NG, MySQL, and Sphinx full-text search.\n\ -\n\ -It provides a distributed database with a web-based interface\n\ -for hunting through your logs, including:\n\ -* Bro logs\n\ -* OSSEC alerts/logs\n\ -* Snort/Suricata logs\n\ -* standard syslog\n\ -\n\ -In a distributed deployment with separate server and sensor(s),\n\ -you'll want to enable/disable ELSA on all boxes. So if you want\n\ -to use ELSA, you should enable it on the master server and all sensors.\n\ -\n\ -Would you like to enable ELSA?" - YES="Yes, enable ELSA!" - NO="No, disable ELSA." 
- zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" --no-wrap - ANSWER="$?" - if [ $ANSWER -eq 0 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Enable ELSA." - ELSA="YES" - else - [ $DEBUG -eq 1 ] && echo "DEBUG: Disable ELSA." - ELSA="NO" - fi - - # If user chose to enable ELSA, ask about log_size_limit - if [ "$ELSA" = "YES" ]; then - # If Advanced Setup, ask user - if [ $ADVANCED_SETUP -eq 1 ]; then - LOG_SIZE_LIMIT_CONFIRMED="no" - while [ $LOG_SIZE_LIMIT_CONFIRMED = "no" ]; do - LOG_SIZE_LIMIT_GB=`zenity --entry --title "$TITLE" --text="How much disk space (in GigaBytes) should be allocated for ELSA to store logs?\n\nPlease enter an integer greater than 0. The default is half your disk size.\n\nPlease make sure that the value you set here is less than the size of your disk!\n\nIf you need to adjust this later, you can modify log__size__limit in the /etc/elsa__node.conf file." --entry-text=$LOG_SIZE_LIMIT_GB` - [ $? = 1 ] && exit - if [ x$LOG_SIZE_LIMIT_GB = "x" ]; then - zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size." - else - COMPRESSED="$(echo $LOG_SIZE_LIMIT_GB | sed -e 's/[^[:digit:]]//g')" - [ "$COMPRESSED" == "$LOG_SIZE_LIMIT_GB" ] && - [ $LOG_SIZE_LIMIT_GB -gt 0 ] && - [ $LOG_SIZE_LIMIT_GB -lt $DISK_SIZE_GB ] && - LOG_SIZE_LIMIT_CONFIRMED="yes" || - zenity --error --title "$TITLE" --text "Invalid log size limit! Please use integers greater than 0 and less than your disk size." - fi - done - let LOG_SIZE_LIMIT=LOG_SIZE_LIMIT_GB*1000000000 - [ $DEBUG -eq 1 ] && echo "DEBUG: LOG_SIZE_LIMIT set to $LOG_SIZE_LIMIT." - fi - fi -fi - -# Set ELSA_ACTION_CONFIRM and ask about updating ELSA server if applicable -if [ "$ELSA" = "NO" ]; then - ELSA_ACTION_CONFIRM="- Disable ELSA." 
-else - if [ $SERVER -eq 1 ]; then - ELSA_ACTION_CONFIRM="- Configure Elastic stack.\n" - else - ELSA_ACTION_CONFIRM="- Configure Elastic stack cross cluster search.\n" - - # Ask if they want to update the SERVER and restart Apache -# TEXT="Would you like to automatically update the ELSA server?\n\ -#\n\ -#This will restart Apache on the ELSA server which will disrupt\n\ -#any ELSA queries running at the time." -# YES="Yes, update ELSA server!" -# NO="No, do not update ELSA server." -# zenity --question --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" -# ANSWER="$?" -# if [ $ANSWER -eq 0 ]; then -# [ $DEBUG -eq 1 ] && echo "DEBUG: Update ELSA Server." -# UPDATE_ELSA_SERVER="YES" -# else -# [ $DEBUG -eq 1 ] && echo "DEBUG: Do not update ELSA server." -# UPDATE_ELSA_SERVER="NO" -# fi - fi -fi - - -######################################### -# If just writing a file, do it and exit -######################################### -TEXT="$WRITEANSWERFILE has been saved." -if [ "$WRITEANSWERFILE" ]; then - # write all the answers out - save - zenity --info --title="$TITLE" --text="$TEXT" --no-wrap - exit 0 -fi - - -######################################### -# Confirm all choices before proceeding -######################################### -# Last chance! -TEXT="We're about to do the following:\n\ -- Set the OS timezone to UTC. \n\ -- Delete any existing NSM data/configuration. \n\ -$SERVER_CONFIRM\ -$SERVER_USER_CONFIRM\ -$SENSOR_CONFIRM_1\ -$SENSOR_CONFIRM_2\ -$SENSOR_CONFIRM_3\ -$IDS_LB_PROCS_CONFIRM\ -$BRO_LB_PROCS_CONFIRM\ -$IDS_RULESET_ACTION\ -$IDS_HOME_NET_CONFIRM\ -$ELSA_ACTION_CONFIRM\ -\n\ -We're about to make changes to your system!\n\ -\n\ -Would you like to continue?" -YES="Yes, proceed with the changes!" -NO="No, do not make changes!" -zenity --question --no-wrap --title="$TITLE" --text="$TEXT" --ok-label="$YES" --cancel-label="$NO" -ANSWER="$?" -if [ $ANSWER -eq 1 ]; then - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked No. Do not proceed." 
- exit -else - [ $DEBUG -eq 1 ] && echo "DEBUG: Clicked Yes to proceed with all changes." -fi -} - -######################################### -# Begin function CONFIGURE_SERVICES -######################################### -function CONFIGURE_SERVICES() { - -######################################### -# Remove any tmp files from previous run -######################################### -rm -f /tmp/GeoIP.dat -rm -f /tmp/GeoLiteCity.dat -rm -f /tmp/GeoLiteCity.dat.gz - -######################################### -# Create files/dirs as necessary -######################################### -touch $LOG -touch $SENSORTAB -mkdir -p /var/log/nsm/ - -######################################### -# Set OS timezone to UTC -######################################### -echo "2" -echo "# Please wait while setting OS timezone to UTC..." | tee -a $LOG -echo "Etc/UTC" > /etc/timezone -dpkg-reconfigure --frontend noninteractive tzdata >> $LOG 2>&1 -date >> $LOG 2>&1 - -if pgrep rsyslog>/dev/null; then - echo "4" - echo "# Please wait while restarting rsyslog..." | tee -a $LOG - service rsyslog restart >> $LOG 2>&1 -fi - -echo "4" -echo "# Please wait while setting OSSEC timezone to UTC..." | tee -a $LOG -cp /etc/localtime /var/ossec/etc/localtime -chown root:ossec /var/ossec/etc/localtime - -# If user enabled ELSA, configure OSSEC to send alerts to local syslog -if [ "$ELSA" = "YES" ]; then -grep "syslog_output" /var/ossec/etc/ossec.conf >/dev/null || sed -i 's| | \ - 127.0.0.1\ - \ -\ - |g' /var/ossec/etc/ossec.conf -/var/ossec/bin/ossec-control enable client-syslog -fi - -echo "6" -echo "# Please wait while restarting OSSEC..." | tee -a $LOG -service ossec-hids-server restart >> $LOG 2>&1 - -######################################### -# Stop all Sguil services and delete config -######################################### -echo "8" -echo "# Please wait while stopping all NSM services..." 
| tee -a $LOG -service nsm stop >> $LOG 2>&1 -pkill suricata -pkill snort -pkill autossh -# Make sure MySQL is running so that we can fully delete the NSM databases -[ $SERVER -eq 1 ] && service mysql start >> $LOG 2>&1 -# Uncomment any disabled sensors so that we can fully delete them -sed -i "s|^#$HOST_ORIG-|$HOST_ORIG-|g" $SENSORTAB -sed -i "s|^#$HOSTNAME-|$HOSTNAME-|g" $SENSORTAB -# Delete all nsm configuration and data -/usr/sbin/nsm_all_del_quick >> $LOG 2>&1 - -# Delete any existing ELSA databases. -if [ "$ELSA" = "YES" ]; then - if [ -d /var/lib/mysql/elsa_web/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database elsa_web" >> $LOG 2>&1 - fi - if [ -d /var/lib/mysql/syslog/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog" >> $LOG 2>&1 - fi - if [ -d /var/lib/mysql/syslog_data/ ]; then - mysql --defaults-file=/etc/mysql/debian.cnf -e "drop database syslog_data" >> $LOG 2>&1 - fi -fi - -######################################### -# MySQL tuning -######################################### - -# Make changes in /etc/mysql/conf.d/ -mkdir -p /etc/mysql/conf.d/ - -# https://code.google.com/p/security-onion/issues/detail?id=416 -# sguild may try to open lots of files -# (especially if you are sending prads session data into the sancp table) -# so increase open_files_limit on master server -if [ $SERVER -eq 1 ]; then - cat << EOF > /etc/mysql/conf.d/securityonion-sguild.cnf -[mysqld] -open_files_limit = 90000 -EOF -fi - -# https://code.google.com/p/security-onion/issues/detail?id=388 -# http://stackoverflow.com/questions/3456159/how-to-shrink-purge-ibdata1-file-in-mysql -cat << EOF > /etc/mysql/conf.d/securityonion-ibdata1.cnf -[mysqld] -innodb_file_per_table -EOF - -# Restart mysql to make changes take effect -pgrep -lf mysqld >/dev/null && restart mysql >> $LOG 2>&1 - -######################################### -# PF_RING -######################################### -rmmod pf_ring >> $LOG 2>&1 -echo "options pf_ring 
transparent_mode=0 min_num_slots=$PF_RING_SLOTS" > /etc/modprobe.d/pf_ring.conf - -######################################### -# Firewall -# When enabling ufw over SSH, it says it might disrupt the SSH -# connection and asks for confirmation, so we put in the "allow 22" first, -# and then echo "y" into the "ufw enable". -######################################### -# Open port 22 for remote administration -ufw allow 22/tcp >> $LOG 2>&1 -# Enable ufw if not already enabled -echo "y" | ufw enable >> $LOG 2>&1 - -######################################### -# HIDS Sensor -######################################### -SENSORNAME="$HOSTNAME-ossec" -sed -i "s|^set HOSTNAME.*$|set HOSTNAME $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf -sed -i "s|^set NET_GROUP.*$|set NET_GROUP $SENSORNAME|g" /etc/nsm/ossec/ossec_agent.conf -sed -i "s|^set SERVER_HOST.*$|set SERVER_HOST $SERVERNAME|g" /etc/nsm/ossec/ossec_agent.conf -pkill -f ossec_agent - -######################################### -# Add the Sguil server if necessary -######################################### -if [ $SERVER -eq 1 ]; then -# If this box was previously a slave, we need to remove securityonion_ssh.conf -rm -f /root/.ssh/securityonion_ssh.conf -echo "10" -echo "# Please wait while creating the Sguil server..." | tee -a $LOG -/usr/sbin/nsm_server_add --server-name="$SGUIL_SERVER_NAME" --server-sensor-name=NULL --server-sensor-port=7736 --server-client-port=7734 --server-client-user="$SGUIL_CLIENT_USERNAME" --server-client-pass="$SGUIL_CLIENT_PASSWORD_1" --server-auto=yes --force-yes >> $LOG 2>&1 - -fi - -######################################### -# Sguil Sensor(s) if necessary -######################################### -if [ $SENSOR -eq 1 ]; then -echo "20" -echo "# Please wait while creating Sguil sensor(s)..." 
| tee -a $LOG -BY2PORT=8000 -HOST_ORIG=`hostname` -HOSTNAME=${HOST_ORIG,,} - -# Configure SSH Key authentication to server if necessary -if [ "$SERVERNAME" != "localhost" ]; then - mkdir -p $SSH_DIR - [ -f "$KEY" ] && mv $KEY $KEY.old - ssh-keygen -f "$KEY" -N '' >> $LOG 2>&1 - chmod 600 "$KEY"* - if [ "$OUTPUT" = "gui" ]; then - # ssh-copy-id needs to get new HOME directory using sudo -i - xfce4-terminal -x sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME - else - # ssh-copy-id needs to get new HOME directory using sudo -i - sudo -i ssh-copy-id -i "$KEY".pub $SSH_USERNAME@$SERVERNAME - fi - - # Need to open ports in server firewall to allow connections from sensor - echo "IPADDRESS=\`who -m --ips | awk '{print \$5}' |cut -d\( -f2 | cut -d\) -f1\`" >> $SOSETUPSCP - echo "ufw allow proto tcp from \$IPADDRESS to any port 22,4505,4506,7736" >> $SOSETUPSCP - # Copy the script over - scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1 - # Run the script on the master server using sudo - if [ "$OUTPUT" = "gui" ]; then - xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP - else - ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1 - fi - # Cleanup - rm -f $SOSETUPSCP - ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1 - - # Backup existing files - mkdir -p /etc/nsm/rules/backup/ - cp /etc/nsm/rules/downloaded.rules /etc/nsm/rules/backup/downloaded.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - cp /etc/nsm/rules/local.rules /etc/nsm/rules/backup/local.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - cp /etc/nsm/rules/so_rules.rules /etc/nsm/rules/backup/so_rules.rules.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - cp /etc/nsm/rules/sid-msg.map /etc/nsm/rules/backup/sid-msg.map.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - cp /etc/nsm/rules/threshold.conf /etc/nsm/rules/backup/threshold.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - cp /etc/nsm/rules/bpf.conf 
/etc/nsm/rules/backup/bpf.conf.`date +%Y%m%d%H%M%S` >> $LOG 2>&1 - - # Copy files from server - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/downloaded.rules /etc/nsm/rules/downloaded.rules >> $LOG 2>&1 - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/local.rules /etc/nsm/rules/local.rules >> $LOG 2>&1 - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/so_rules.rules /etc/nsm/rules/so_rules.rules >> $LOG 2>&1 - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/sid-msg.map /etc/nsm/rules/sid-msg.map >> $LOG 2>&1 - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/threshold.conf /etc/nsm/rules/threshold.conf >> $LOG 2>&1 - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/rules/bpf.conf /etc/nsm/rules/bpf.conf >> $LOG 2>&1 - - # Set IDS_ENGINE variable - scp -i "$KEY" $SSH_USERNAME@$SERVERNAME:/etc/nsm/securityonion.conf $SECURITYONION_CONF_MASTER >> $LOG 2>&1 - IDS_ENGINE=`grep ENGINE $SECURITYONION_CONF_MASTER 2>/dev/null | cut -d\= -f2` - rm -f $SECURITYONION_CONF_MASTER - - # Save configuration - echo "SSH_USERNAME=$SSH_USERNAME" > $SSH_CONF - echo "SERVERNAME=$SERVERNAME" >> $SSH_CONF -fi - -# NIDS sensor(s) -for INTERFACE in $ALL_INTERFACES; do - SENSORNAME="$HOSTNAME-$INTERFACE" - echo "# Please wait while creating Sguil sensor: $SENSORNAME..." | tee -a $LOG - [ $DEBUG -eq 1 ] && echo "DEBUG: Adding Sensor $INTERFACE." 
- - # Add the sensor - /usr/sbin/nsm_sensor_add --sensor-name="$SENSORNAME" --sensor-interface="$INTERFACE" --sensor-interface-auto=no \ - --sensor-server-host="$SERVERNAME" --sensor-server-port=7736 \ - --sensor-barnyard2-port=$BY2PORT --sensor-auto=yes --sensor-utc=yes \ - --sensor-vlan-tagging=no --sensor-net-group="$SENSORNAME" --force-yes >> $LOG 2>&1 - - # Increment the Barnyard2 port number by 100 - let BY2PORT=BY2PORT+100 - - # Copy our customized snort.conf (and associated files) into place - cp /etc/nsm/templates/snort/attribute_table.dtd /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 - cp /etc/nsm/templates/snort/snort.conf /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 - cp /etc/nsm/templates/snort/unicode.map /etc/nsm/"$SENSORNAME"/ >> $LOG 2>&1 - cp /etc/nsm/templates/suricata/suricata.yaml.in /etc/nsm/"$SENSORNAME"/suricata.yaml >> $LOG 2>&1 - - # Grab MTU for interface(s) and add 24 to snaplen for VLAN-tagging, etc - MTU=`cat /sys/class/net/$INTERFACE/mtu` - MTU_FIN=`echo $(($MTU+24))` - - # Write IDS config to files - sed -i "s|# config snaplen:|config snaplen: $MTU_FIN|g" /etc/nsm/"$SENSORNAME"/snort.conf - sed -i "s|^ipvar HOME_NET.*|ipvar HOME_NET \[$HOME_NET\]|g" /etc/nsm/"$SENSORNAME"/snort.conf - sed -i "s|classification-file: /etc/suricata/classification.config|classification-file: /etc/nsm/$SENSORNAME/classification.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i "s|reference-config-file: /etc/suricata/reference.config|reference-config-file: /etc/nsm/$SENSORNAME/reference.config|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i "s|# threshold-file: /etc/suricata/threshold.config|threshold-file: /etc/nsm/$SENSORNAME/threshold.conf|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i "s|filename: unified2.alert|filename: snort.unified2|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - #sed -i "s|threads: 1|threads: $IDS_LB_PROCS|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i "s|interface: eth0|interface: $INTERFACE|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i 
"s|cluster-id: 99|cluster-id: $BY2PORT|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - sed -i "s| HOME_NET:.*| HOME_NET: \"[$HOME_NET]\"|g" /etc/nsm/"$SENSORNAME"/suricata.yaml - mkdir -p /usr/local/lib/snort_dynamicrules - - # /etc/nsm/rules/ - if [ ! -f /etc/nsm/rules/bpf.conf ]; then touch /etc/nsm/rules/bpf.conf; fi - if [ ! -f /etc/nsm/rules/threshold.conf ]; then cp /etc/nsm/templates/snort/threshold.conf /etc/nsm/rules/; fi - if [ ! -f /etc/nsm/rules/gen-msg.map ]; then cp /etc/nsm/templates/snort/gen-msg.map /etc/nsm/rules/; fi - if [ ! -f /etc/nsm/rules/classification.config ]; then - grep -h -v "^#" /etc/nsm/templates/snort/classification.config /etc/nsm/templates/suricata/classification.config |sort -u > /etc/nsm/rules/classification.config - fi - if [ ! -f /etc/nsm/rules/reference.config ]; then - grep -h -v "^#" /etc/nsm/templates/snort/reference.config /etc/nsm/templates/suricata/reference.config |sort -u > /etc/nsm/rules/reference.config - fi - - # Create symbolic links for bpf.conf, threshold.conf, sid-msg.map, gen-msg.map, classification.config, and reference.config - for FILENAME in bpf.conf threshold.conf sid-msg.map gen-msg.map classification.config reference.config - do - rm -f /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1 - ln -s /etc/nsm/rules/$FILENAME /etc/nsm/"$SENSORNAME"/$FILENAME >> $LOG 2>&1 - done - - # Create symbolic links for individual bpf-*.conf files pointing to the sensor bpf.conf (which points to the GLOBAL bpf.conf) - cd /etc/nsm/"$SENSORNAME" - for FILENAME in bpf-bro.conf bpf-ids.conf bpf-pcap.conf bpf-prads.conf - do - ln -s bpf.conf $FILENAME >> $LOG 2>&1 - done - cd - >/dev/null - - # Add options to sensor.conf - echo "PCAP_OPTIONS=\"$PCAP_OPTIONS\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "PCAP_SIZE=${PCAP_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "PCAP_RING_SIZE=${PCAP_RING_SIZE}MiB" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "IDS_LB_PROCS=$IDS_LB_PROCS" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo 
"PCAP_ENABLED=\"$PCAP_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "PCAP_AGENT_ENABLED=\"$PCAP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "SNORT_AGENT_ENABLED=\"$SNORT_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "IDS_ENGINE_ENABLED=\"$IDS_ENGINE_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "BARNYARD2_ENABLED=\"$BARNYARD2_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "PRADS_ENABLED=\"$PRADS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "SANCP_AGENT_ENABLED=\"$SANCP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "PADS_AGENT_ENABLED=\"$PADS_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "ARGUS_ENABLED=\"$ARGUS_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - echo "HTTP_AGENT_ENABLED=\"$HTTP_AGENT_ENABLED\"" >> /etc/nsm/"$SENSORNAME"/sensor.conf - - # Create symbolic link for sensor rules directory on server - # Since a user may have as many Snort/Suricata instances as they have CPU cores, - # we need to create a symbolic link for each and every CPU core. 
- if [ "$SERVERNAME" = "localhost" ]; then - ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME" >> $LOG 2>&1 - for i in `seq 1 $CORES`; do ln -s /etc/nsm/rules /nsm/server_data/"$SGUIL_SERVER_NAME"/rules/"$SENSORNAME"-$i >> $LOG 2>&1; done - else - echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME" >> $SOSETUPSCP - for i in `seq 1 $CORES`; do - echo "ln -f -s /etc/nsm/rules /nsm/server_data/$SGUIL_SERVER_NAME/rules/$SENSORNAME-$i" >> $SOSETUPSCP - done - fi - - # Configure snort.conf to log statistics to /nsm/sensor_data/"$SENSORNAME"/snort.stats - sed -i "s|# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000|preprocessor perfmonitor: time 300 file /nsm/sensor_data/"$SENSORNAME"/snort.stats pktcnt 10000|" /etc/nsm/"$SENSORNAME"/snort.conf >> $LOG 2>&1 - - # Setup should create snort.stats to prevent Sguil errors when running Suricata - # http://code.google.com/p/security-onion/issues/detail?id=257 - touch /nsm/sensor_data/"$SENSORNAME"/snort.stats - -done - -# We just enabled all available interfaces in /etc/nsm/sensortab. -# Now we need to go back and disable any unwanted interfaces. -INTERFACES_CSV=`for i in $INTERFACES; do echo -n "$i,"; done` -for INTERFACE in $ALL_INTERFACES; do - if echo $INTERFACES_CSV | grep "$INTERFACE," >/dev/null 2>&1; then - echo "Leaving $INTERFACE as-is (enabled)." >> $LOG 2>&1 - else - echo "$INTERFACE not found in selected interfaces. Disabling." >> $LOG 2>&1 - sed -i "s|^$HOSTNAME-$INTERFACE|#$HOSTNAME-$INTERFACE|g" /etc/nsm/sensortab - fi -done - -# Bro -if grep -v "^#" $SENSORTAB > /dev/null; then - # If user selected Quick Setup, do standalone config. - # Otherwise, do cluster config. 
- if [ $ADVANCED_SETUP -eq 0 ]; then - # standalone config - INTERFACE=`grep -v "^#" $SENSORTAB | awk '{print $4}'` - cat << EOF > /opt/bro/etc/node.cfg -[bro] -type=standalone -host=localhost -interface=$INTERFACE -EOF - else - # User selected Advanced Setup, so do cluster config - cat << EOF > /opt/bro/etc/node.cfg -[manager] -type=manager -host=localhost - -[proxy] -type=proxy -host=localhost - -EOF - # Don't need to change to IP address anymore - #IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1` - #sed -i "s|host=localhost|host=$IP|g" /opt/bro/etc/node.cfg - - # Go ahead and populate the file with all available interfaces - # Comment out inactive interfaces - # grep -v "^#" $SENSORTAB | awk '{print $1}' |while read SENSOR - for INTERFACE in $ALL_INTERFACES; do - if echo $INTERFACES_CSV |grep "$INTERFACE," >/dev/null 2>&1; then - echo "* Configuring Bro to monitor $INTERFACE" >> $LOG 2>&1 - cat << EOF >> /opt/bro/etc/node.cfg -[$HOSTNAME-$INTERFACE] -type=worker -host=localhost -interface=$INTERFACE -lb_method=pf_ring -lb_procs=$BRO_LB_PROCS - -EOF - else - cat << EOF >> /opt/bro/etc/node.cfg -#[$HOSTNAME-$INTERFACE] -#type=worker -#host=localhost -#inter#face=$INTERFACE -#lb_method=pf_ring -#lb_procs=$BRO_LB_PROCS - -EOF - fi - done - - # Bro 2.2 should support PF_RING on multiple interfaces properly now, so comment this out. 
- # If monitoring more than one interface, disable PF_RING: - # http://securityonion.blogspot.com/2013/02/important-note-for-those-monitoring.html - #if [ `echo $INTERFACES | wc -w` -gt 1 ]; then - # sed -i 's|^lb_method=pf_ring|#lb_method=pf_ring|g' /opt/bro/etc/node.cfg - # sed -i 's|^lb_procs|#lb_procs|g' /opt/bro/etc/node.cfg - #fi - fi - # Finished with node.cfg - # Now update networks.cfg - sed -i '1,4!d' /opt/bro/etc/networks.cfg - echo $HOME_NET | tr , '\n\\' >> /opt/bro/etc/networks.cfg - # update broctl.cfg - if grep "nsm" /opt/bro/etc/broctl.cfg >/dev/null; then - echo "/opt/bro/etc/broctl.cfg already contains nsm" >> $LOG 2>&1 - else - # Before Bro 2.4, broctl.cfg defaulted to /var/opt/bro/ - sed -i 's|SpoolDir = /var/opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg - sed -i 's|LogDir = /var/opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg - # Starting with Bro 2.4, broctl.cfg defaults to /opt/bro/ - sed -i 's|SpoolDir = /opt/bro/spool|SpoolDir = /nsm/bro/spool|g' /opt/bro/etc/broctl.cfg - sed -i 's|LogDir = /opt/bro/logs|LogDir = /nsm/bro/logs|g' /opt/bro/etc/broctl.cfg - fi - # Finished updating config files - - # create the /nsm/bro/ directories - mkdir -p /nsm/bro/spool - mkdir -p /nsm/bro/logs - mkdir -p /nsm/bro/extracted - - # Enable Bro file extraction - if [ "$EXTRACT_FILES" = "yes" ]; then - sed -i 's|^#@load file-extraction|@load file-extraction|g' /opt/bro/share/bro/site/local.bro - else - sed -i 's|^@load file-extraction|#@load file-extraction|g' /opt/bro/share/bro/site/local.bro - fi - -fi - -fi - -######################################### -# /etc/nsm/securityonion.conf -######################################### -echo "30" -echo "# Please wait while configuring $CONF..." | tee -a $LOG -DATE=`date` -IDS_ENGINE_LOWER=`echo ${IDS_ENGINE,,}` -cat << EOF > $CONF -# /etc/nsm/securityonion.conf -# Generated by Security Onion Setup (sosetup) at $DATE - -# Which IDS engine would you like to run? 
-ENGINE=$IDS_ENGINE_LOWER
-
-# How many days would you like to keep in the Sguil database archive?
-DAYSTOKEEP=$DAYSTOKEEP
-
-# How many days worth of tables would you like to repair every day?
-DAYSTOREPAIR=$DAYSTOREPAIR
-
-# At what percentage of disk usage should the NSM scripts warn you?
-WARN_DISK_USAGE=$WARN_DISK_USAGE
-
-# At what percentage of disk usage should the NSM scripts begin purging old data?
-CRIT_DISK_USAGE=$CRIT_DISK_USAGE
-
-# Do you want to run Bro? yes/no
-BRO_ENABLED=$BRO_ENABLED
-
-# BRO_USER specifies the user account used to start Bro.
-BRO_USER=sguil
-BRO_GROUP=sguil
-
-# The OSSEC agent sends OSSEC HIDS alerts into the Sguil database.
-# Do you want to run the OSSEC Agent? yes/no
-OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED
-
-# OSSEC_AGENT_LEVEL specifies the level at which OSSEC alerts are sent to sguild.
-OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL
-
-# Do you want to run Xplico? yes/no
-XPLICO_ENABLED=$XPLICO_ENABLED
-
-# LOCAL_HIDS_RULE_TUNING
-# If set to no (default), sensor will copy OSSEC rules from master server as-is (no changes).
-# If set to yes, sensor will keep its own copy of the OSSEC rules.
-LOCAL_HIDS_RULE_TUNING=no
-
-# LOCAL_NIDS_RULE_TUNING
-# The effect of this option is different depending on whether this box is a server or not.
-# SERVER
-# LOCAL_NIDS_RULE_TUNING=yes
-# rule-update will operate on a local copy of the rules instead of downloading rules from the Internet
-# LOCAL_NIDS_RULE_TUNING=no
-# rule-update will try to download rules from the Internet
-# SENSOR-ONLY
-# LOCAL_NIDS_RULE_TUNING=yes
-# rule-update will copy rules from master server and then try to run PulledPork locally for tuning
-# LOCAL_NIDS_RULE_TUNING=no
-# rule-update will copy rules from master server as-is (no changes)
-EOF
-
-#########################################
-# Download rules using Pulledpork
-#########################################
-if [ "$SERVERNAME" = "localhost" ]; then
- echo "40"
- echo "# Please wait while configuring IDS Ruleset..." | tee -a $LOG
- # Start from a clean slate (pulledpork.conf.master)
- # Here are the rule_url directives in pulledpork.conf.master:
- # (note that the ET ruleset is uncommented and the other two are commented)
-
- # #rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|
- # #rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community
- # rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open
- # #rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|
-
- cp /etc/nsm/templates/pulledpork/pulledpork.conf.master $PP_CONF >> $LOG 2>&1
-
- # Start with the assumption that Internet is down
- # If all necessary sites are up, then initiate PulledPork
- INTERNET="DOWN"
-
- case $IDS_RULESET in
- ETOPEN)
- echo "Already configured for Emerging Threats Open ruleset." >> $LOG 2>&1
- # Test Internet access
- curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
- ;;
- ETPRO)
- echo "Configuring for ETPRO ruleset."
>> $LOG 2>&1
- # Snort is already disabled in pulledpork.conf.master
- # Comment out emergingthreats.net
- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
- # Un-comment emergingthreatspro.com
- sed -i "s\#rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|\rule_url=https://rules.emergingthreatspro.com/|etpro.rules.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
- # Test Internet access
- curl -s $ET_URL >/dev/null 2>&1 && INTERNET="UP"
- ;;
- TALOS)
- echo "Configuring for Snort Subscriber (Talos) ruleset only and setting a Snort Subscriber policy." >> $LOG 2>&1
- # Comment out emergingthreats.net
- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\#rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\g' $PP_CONF >> $LOG 2>&1
- # Un-comment snort.org reg-rules
- sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
- # Un-comment snort.org community rules
- sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
- # Set Snort Subscriber (Talos) Policy.
- sed -i "s|# ips_policy=security|ips_policy=$TALOS_POLICY|g" $PP_CONF >> $LOG 2>&1
- # Test Internet access
- curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
- ;;
- TALOSET)
- echo "Configuring for Snort Subscriber (Talos) and Emerging Threats NoGPL rulesets" >> $LOG 2>&1
- # Un-comment snort.org reg-rules
- sed -i "s\#rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|\rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|$OINKCODE\g" $PP_CONF >> $LOG 2>&1
- # Un-comment snort.org community rules
- sed -i "s\#rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community\g" $PP_CONF >> $LOG 2>&1
- # Change open to open-nogpl
- sed -i 's\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open\rule_url=https://rules.emergingthreats.net/|emerging.rules.tar.gz|open-nogpl\g' $PP_CONF >> $LOG 2>&1
- # Test Internet access
- curl -s $ET_URL >/dev/null 2>&1 && curl -s $TALOS_URL >/dev/null 2>&1 && INTERNET="UP"
- ;;
- esac
-
- # Disable noisy Suricata rules
- if ! grep "Security Onion Setup" /etc/nsm/pulledpork/disablesid.conf >/dev/null 2>&1; then
-cat << EOF >> /etc/nsm/pulledpork/disablesid.conf
-
-# Added by Security Onion Setup
-stream-events
-pcre:SURICATA\ ICMPv6
-EOF
- fi
-
- if [ "$INTERNET" = "UP" ]; then
- echo "45"
- echo "# Please wait while executing PulledPork to download rules..." | tee -a $LOG
- echo "LOCAL_NIDS_RULE_TUNING=no" >> $CONF
- date > /var/log/nsm/pulledpork.log
- /usr/sbin/rule-update >> /var/log/nsm/pulledpork.log 2>&1
- else
- echo "LOCAL_NIDS_RULE_TUNING=yes" >> $CONF
- echo "Can't reach rule download sites. Setting LOCAL_NIDS_RULE_TUNING to yes."
>> $LOG 2>&1
- fi
-fi
-
-#########################################
-# Apache configuration
-#########################################
-SSH_DIR="/root/.ssh"
-SSH_CONF="$SSH_DIR/securityonion_ssh.conf"
-echo "50"
-if [ -f $SSH_CONF ]; then
- # We are a SENSOR
- echo "# Please wait while stopping and disabling Apache..." | tee -a $LOG
- # Sensors don't need the Apache web server, so stop and disable it
- service apache2 stop >> $LOG 2>&1
- update-rc.d -f apache2 disable >> $LOG 2>&1
-else
- # We are the MASTER.
-
- # Make sure that the Apache web server is enabled
- update-rc.d -f apache2 enable >> $LOG 2>&1
-
- # Enable new securityonion site
- a2ensite securityonion >> $LOG 2>&1
-
- # Disable old default-ssl site
- a2dissite default-ssl >> $LOG 2>&1
-
- # Determine IP address to be used below in Squert database
- IP=`ifconfig |grep "inet addr" | awk '{print $2}' |cut -d\: -f2 |grep -v "127.0.0.1" |head -1`
-
- # Pivot from Squert to ELSA
- #URL="https://$IP/elsa-query/?query_string=\"\${var}\"%20groupby:program"
- # We can use a relative hyperlink now that Apache is proxying ELSA at /elsa-query
- URL="/elsa-query/?query_string=\"\${var}\"%20groupby:program"
- HEXVAL=$(xxd -pu -c 256 <<< "$URL")
- [ "$ELSA" = "YES" ] && mysql --defaults-file=/etc/mysql/debian.cnf -Dsecurityonion_db -e "INSERT IGNORE INTO filters (type,username,global,name,notes,alias,filter) VALUES ('url','','1','454C5341','','ELSA','$HEXVAL');"
-
- # Restart web server
- apache2ctl restart >> $LOG 2>&1
-fi
-
-#########################################
-# Configure Salt
-#########################################
-echo "70"
-echo "# Please wait while configuring salt..."
| tee -a $LOG
-if dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null; then
- if [ "$SALT" = "no" ]; then
- # Stop both running salt services
- service salt-master stop >> $LOG 2>&1
- service salt-minion stop >> $LOG 2>&1
- # Disable both salt services
- [ -f /etc/init/salt-master.conf ] && echo "manual" > /etc/init/salt-master.override
- [ -f /etc/init/salt-minion.conf ] && echo "manual" > /etc/init/salt-minion.override
- # If the box had previously been configured with salt, we need to remove the cron job
- [ -f /etc/cron.d/salt-update ] && rm -f /etc/cron.d/salt-update
- else
- # Enable Salt
- # Salt uses FQDN instead of just hostname
- FQDN=`python -c 'import socket; print socket.getfqdn()'`
- if [ $SERVER -eq 1 ]; then
- # If this box is a Master Server we need to run salt-master
- # Copy init.sls.template to init.sls
- cp /opt/onionsalt/pillar/users/init.sls.template /opt/onionsalt/pillar/users/init.sls
- # Copy top.sls.template to top.sls
- TOPSLS="/opt/onionsalt/salt/top.sls"
- cp $TOPSLS.template $TOPSLS
- # Comment out examples in top.sls
- sed -i "s|^ 'A\*':$|# 'A*':|g" $TOPSLS
- sed -i "s|^ - sensor|# - sensor|g" $TOPSLS
- sed -i "s|^ 'C\*':$|# 'C*':|g" $TOPSLS
- sed -i "s|^ - backend|# - backend|g" $TOPSLS
- # Add backend config to top.sls
- echo " '$FQDN':" >> $TOPSLS
- echo " - backend" >> $TOPSLS
- echo "" >> $TOPSLS
- # If salt-master is DISABLED we need to enable it
- [ -f /etc/init/salt-master.DISABLED ] && mv /etc/init/salt-master.DISABLED /etc/init/salt-master.conf
- [ -f /etc/init/salt-master.override ] && rm -f /etc/init/salt-master.override
- # Start salt-master
- service salt-master restart >> $LOG 2>&1
- # We no longer open the salt port by default
- # This is now done when the sensor runs Setup
- #ufw allow salt >> $LOG 2>&1
- else
- # If this box is not a Master we need to disable salt-master
- # Stop salt-master
- service salt-master stop >> $LOG 2>&1
- # Disable salt-master
- [ -f /etc/init/salt-master.conf ] && echo "manual"
> /etc/init/salt-master.override
- # Tell the salt-master that we are a sensor
- cat << EOF >> $SOSETUPSCP
-if ! grep "'$FQDN':" /opt/onionsalt/salt/top.sls >/dev/null 2>&1; then
-echo " '$FQDN':" >> /opt/onionsalt/salt/top.sls
-echo " - sensor" >> /opt/onionsalt/salt/top.sls
-echo "" >> /opt/onionsalt/salt/top.sls
-fi
-EOF
- fi
-
- # All boxes run salt-minion
- # Configure minion
- echo "master: $SERVERNAME" > /etc/salt/minion.d/onionsalt.conf
- # If salt-minion is DISABLED, enable it
- [ -f /etc/init/salt-minion.DISABLED ] && mv /etc/init/salt-minion.DISABLED /etc/init/salt-minion.conf
- [ -f /etc/init/salt-minion.override ] && rm -f /etc/init/salt-minion.override
- service salt-minion restart >> $LOG 2>&1
-
- # salt-master needs to accept the key from salt-minion
- if [ "$SERVERNAME" = "localhost" ]; then
- TIMER=60
- while [ $TIMER -gt 0 ]; do
- if salt-key -l accepted 2>&1 |grep "^$FQDN$" > /dev/null 2>&1; then
- echo "salt-minion key already accepted" >> $LOG
- TIMER=0
- elif salt-key -l unaccepted 2>&1 | grep "^$FQDN$" > /dev/null 2>&1; then
- salt-key -a $FQDN -y >> $LOG 2>&1
- TIMER=0
- else
- let TIMER=TIMER-1
- echo "salt-minion hasn't checked in yet, $TIMER seconds remaining until timeout" >> $LOG
- sleep 1s
- fi
- done
- else
- # this is a sensor-only box so we have to ask the master to accept the key via SOSETUPSCP
- echo "salt-key -a $FQDN -y" >> $SOSETUPSCP
- fi
- fi
-fi
-
-#########################################
-# Start securityonion services
-#########################################
-# disable the snorby output in all barnyard config files
-sed -i 's|^output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|#output database: alert, mysql, user=root dbname=snorby host=127.0.0.1|g' /etc/nsm/*/barnyard2*.conf >> $LOG 2>&1
-echo "80"
-echo "# Please wait while starting all Security Onion services..."
| tee -a $LOG
-/sbin/start securityonion >> $LOG 2>&1
-sleep 10s
-
-#########################################
-# Create icons
-#########################################
-if [ $SERVER -eq 1 ]; then
-
- # Add launchers to /etc/skel/ for new users
- DIR="/etc/skel/Desktop"
- mkdir -p $DIR
-
- # Create README launcher
- README_LAUNCHER="$DIR/securityonion-readme.desktop"
- cat << EOF > $README_LAUNCHER
-[Desktop Entry]
-Version=1.0
-Type=Application
-Name=README
-Comment=
-Exec=/etc/alternatives/x-www-browser https://localhost
-Icon=web-browser
-Path=
-Terminal=false
-StartupNotify=false
-Categories=SecurityOnion;
-EOF
-
- # Use README launcher as template to create SQUERT launcher
- SQUERT_LAUNCHER="$DIR/securityonion-squert.desktop"
- cp $README_LAUNCHER $SQUERT_LAUNCHER
- sed -i 's|https://localhost|https://localhost/squert|g' $SQUERT_LAUNCHER
- sed -i 's|Name=README|Name=Squert|g' $SQUERT_LAUNCHER
-
- # Use README launcher as template to create Kibana launcher (if enabled)
- if [ "$ELSA" = "YES" ]; then
- KIBANA_LAUNCHER="$DIR/securityonion-kibana.desktop"
- cp $README_LAUNCHER $KIBANA_LAUNCHER
- sed -i 's|https://localhost|https://localhost/app/kibana|g' $KIBANA_LAUNCHER
- sed -i 's|Name=README|Name=Kibana|g' $KIBANA_LAUNCHER
- fi
-
- # Use README launcher as template to create Xplico launcher (if enabled)
- if [ "$XPLICO_ENABLED" = "yes" ]; then
- XPLICO_LAUNCHER="$DIR/securityonion-xplico.desktop"
- cp $README_LAUNCHER $XPLICO_LAUNCHER
- sed -i 's|https://localhost|http://localhost:9876|g' $XPLICO_LAUNCHER
- sed -i 's|Name=README|Name=Xplico|g' $XPLICO_LAUNCHER
- fi
-
- # Copy web launchers to /usr/share/applications
- cp $DIR/securityonion-*.desktop /usr/share/applications/
-
- # Copy Sguil launcher from /usr/share/applications/
- SGUIL="$DIR/securityonion-sguil.desktop"
- cp /usr/share/applications/securityonion-sguil.desktop $SGUIL
-
- # Copy launchers from /etc/skel to existing user Desktop directories
- for i in `ls /home/`; do
- mkdir -p /home/$i/Desktop
-
cp /etc/skel/Desktop/securityonion-*.desktop /home/$i/Desktop/
- chown $i:$i /home/$i/Desktop/securityonion-*.desktop
- done
-
- # Make launchers executable
- chmod +x /etc/skel/Desktop/*.desktop
- chmod +x /home/*/Desktop/securityonion-*.desktop
-
-fi
-
-#########################################
-# Configure ELSA
-#########################################
-if [ "$ELSA" = "YES" ]; then
- echo "90"
- echo "# Please wait while configuring Elastic..." | tee -a $LOG
-
- # update LOG_SIZE_LIMIT
- #sed -i "s|\"log_size_limit\" :.*$|\"log_size_limit\" : $LOG_SIZE_LIMIT,|g" /opt/elsa/contrib/securityonion/contrib/securityonion-elsa-node.conf
-
- HTTP_LOGS=""
- SENSORS=$(grep -v "^#" /etc/nsm/sensortab | cut -f 4)
- COUNT=0
- for token in $SENSORS; do
- COUNT=$((COUNT+1))
- done
- #echo $COUNT
-
- if [ $COUNT -eq 1 ]; then
- if grep "type=standalone" /opt/bro/etc/node.cfg > /dev/null; then
- echo "* Leaving syslog-ng.conf bro_http entry unmolested." >> $LOG 2>&1
- cp /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf /etc/syslog-ng/syslog-ng.conf
- else
- echo "* Altering syslog-ng.conf bro_http entry for single interface cluster-mode" >> $LOG 2>&1
- # Pull the interface bro is listening for from node.cfg
- BRO_IFACE=$(grep "interface=" /opt/bro/etc/node.cfg | cut -d'=' -f2)
- # Alter syslog-ng.conf's entry for http
- sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|\tfile(\"/nsm/bro/logs/current/http_$BRO_IFACE.log\" flags(no-parse) program_override(\"bro_http\"));\n|" /opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf > /etc/syslog-ng/syslog-ng.conf
- fi
- fi
-
- if [ $COUNT -gt 1 ]; then
- echo "* Altering syslog-ng.conf bro_http entries for multiple interfaces" >> $LOG 2>&1
- for i in $SENSORS; do
- HTTP_LOGS=$HTTP_LOGS"\tfile(\"/nsm/bro/logs/current/http_$i.log\" flags(no-parse) program_override(\"bro_http\"));\n"
- done
- sed -e "s|^\tfile(\"/nsm/bro/logs/current/http.log\".*|$HTTP_LOGS|"
/opt/elsa/contrib/securityonion/contrib/securityonion-syslog-ng.conf > /etc/syslog-ng/syslog-ng.conf
- fi
-
- echo "* Restarting syslog-ng" >> $LOG 2>&1
- service syslog-ng restart >> $LOG 2>&1
-
- echo "91"
- echo "# Please wait while downloading Elastic components..." | tee -a $LOG
- /usr/sbin/so-elastic-download >> $LOG 2>&1
- echo "95"
- echo "# Please wait while configuring Elastic..." | tee -a $LOG
- /usr/sbin/so-elastic-configure >> $LOG 2>&1
- if [ $SERVER -ne 1 ]; then
- ELASTIC_CONFIG="/etc/elasticsearch/elasticsearch.yml"
- echo "transport.bind_host: 0.0.0.0" >> $ELASTIC_CONFIG
- echo "transport.publish_host: 172.18.0.1" >> $ELASTIC_CONFIG
- echo "transport.publish_port: 50000" >> $ELASTIC_CONFIG
- docker restart so-elasticsearch
- fi
-
-fi
-}
-
-function SERVER_QUEUE() {
-#########################################
-# Send all queued commands to server
-#########################################
-if [ $SERVER -ne 1 ] && [ "$ELSA" = "YES" ]; then
-cat << EOF >> $SOSETUPSCP
-echo Match User $SSH_USERNAME >> /etc/ssh/sshd_config
-echo ' GatewayPorts clientspecified' >> /etc/ssh/sshd_config
-service ssh restart
-ufw allow proto tcp from 172.18.0.0/24 to 172.18.0.1 port 50000
-curl -XPUT http://localhost:9200/_cluster/settings -d'{"persistent": {"search": {"remote": {"sensor1": {"seeds": ["172.18.0.1:50000"]}}}}}'
-EOF
-fi
-
-if [ "$SERVERNAME" != "localhost" ]; then
- # Copy the script over
- scp -i "$KEY" $SOSETUPSCP $SSH_USERNAME@$SERVERNAME:$SOSETUPSCP >> $LOG 2>&1
- # Run the script on the master server using sudo
- if [ "$OUTPUT" = "gui" ]; then
- xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP
- else
- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo /bin/bash $SOSETUPSCP >> $LOG 2>&1
- fi
- # Cleanup
- rm -f $SOSETUPSCP
- ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME rm -f $SOSETUPSCP >> $LOG 2>&1
-fi
-
-if [ $SERVER -ne 1 ] && [ "$ELSA" = "YES" ]; then
- # Register the log node and restart the server.
- #SSH_CMD="/usr/bin/securityonion_elsa_register.rb --register --peer-name `hostname` --force"
- #ELSA_REGISTER_RESPONSE=`ssh -i $KEY $SSH_USERNAME@$SERVERNAME $SSH_CMD`
- #ELSA_PORT=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f1`
- #ELSA_APIKEY=`echo $ELSA_REGISTER_RESPONSE | cut -d',' -f2`
- # If ELSA_PORT is not already in SSH_CONF, then store it for future use.
- #if grep "ELSA_PORT=" $SSH_CONF >/dev/null 2>&1; then
- #echo "ELSA_PORT already exists in $SSH_CONF." >> $LOG 2>&1
- #else
- #echo "ELSA_PORT=$ELSA_PORT" >> $SSH_CONF
- #fi
- # Update the local ELSA API key
- #/usr/bin/securityonion_elsa_register.rb --update-apikey $ELSA_APIKEY >> $LOG 2>&1
- # Restart starman for new API key
- #service starman stop >> $LOG 2>&1
- #service starman start >> $LOG 2>&1
-
- # Since the securityonion service started before we the ELSA ports
- # were determined, we need to tear down the SSH tunnel and restart it.
- # Kill autossh with SIGINT
- if pgrep autossh>/dev/null; then
- kill -SIGINT `pgrep autossh`
- # Restart the autossh tunnel
- /usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 -R 172.18.0.1:50000:localhost:9300 $SSH_USERNAME@$SERVERNAME
- fi
- #if [ "$UPDATE_ELSA_SERVER" = "YES" ]; then
- # Instruct the server to restart apache2.
- # Run the script with sudo
- #if [ "$OUTPUT" = "gui" ]; then
- # xfce4-terminal -x ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart
- #else
- # ssh -i "$KEY" -t $SSH_USERNAME@$SERVERNAME sudo service apache2 restart >> $LOG 2>&1
- #fi
- #fi
-fi
-}
-
-function MINION() {
-dpkg -l |grep "securityonion-onionsalt" |grep "ii" >/dev/null && [ "$SALT" = "yes" ] && salt-call state.highstate >> /var/log/nsm/sosetup_salt_call.log 2>&1 &
-}
-
-
-function MOVELOG() {
-# Move log file from /tmp/ to /var/log/nsm/
-mv $LOG /var/log/nsm/sosetup.log
-LOG="/var/log/nsm/sosetup.log"
-}
-
-function IP2C() {
-# If this is a server, populate ip2c table
-if [ -d /var/lib/mysql/securityonion_db/ ]; then
- /usr/sbin/sguild-add-user "$SGUIL_CLIENT_USERNAME" "$SGUIL_CLIENT_PASSWORD_1" >/dev/null
- # Setup needs to delete /var/www/so/squert/.scripts/*.md5 before running ip2c.tcl
- # http://code.google.com/p/security-onion/issues/detail?id=250
- rm -f /var/www/so/squert/.scripts/*.md5
- /usr/sbin/so-squert-ip2c >> $LOG 2>&1 &
-fi
-}
-
-#########################################
-# FINAL (FIN) OUTPUT FUNCTIONS
-#########################################
-function FIN1() {
-TEXT="Security Onion Setup is now complete! \n \
-\n \
-Setup log can be found here:\n \
-$LOG\n \
-\n \
-You may view IDS alerts using Sguil, Squert, or Kibana (if enabled). \n \
-\n \
-Bro logs can be found in Kibana (if enabled) and the following location: \n \
-/nsm/bro/"
-}
-
-function FIN2() {
-TEXT="You can check the status of your running services with the sostat utilites:\n \
-\n \
-'sudo sostat' will give you DETAILED information about your service status.\n \
-\n \
-'sudo sostat-quick' will give you a guided tour of the sostat output.\n \
-\n \
-'sudo sostat-redacted' will give you REDACTED information to share with our mailing list if you have questions."
-}
-
-function FIN3() {
-if [ $SERVER -eq 1 ]; then
-source /etc/nsm/securityonion.conf
-if [ "$LOCAL_NIDS_RULE_TUNING" = "no" ] ; then
-TEXT="Rules downloaded by Pulledpork are stored in: \n \
-/etc/nsm/rules/downloaded.rules \n \
-\n \
-Local rules can be added to: \n \
-/etc/nsm/rules/local.rules \n \
-\n \
-You can have PulledPork modify the downloaded rules \n \
-by modifying the files in: \n \
-/etc/nsm/pulledpork/ \n \
-\n \
-Rules will be updated every morning. \n \
-You can manually update them by running: \n \
-sudo rule-update \n \
-\n \
-Sensors can be tuned by modifying the files in: \n \
-/etc/nsm/NAME-OF-SENSOR/"
-else
-TEXT="Setup was not able to download rules from the Internet.\n \
-LOCAL_NIDS_RULE_TUNING has been set to 'yes' in /etc/nsm/securityonion.conf.\n \
-\n \
-If you do have Internet access and want to download rules from the Internet,\n \
-you'll need to change this option to 'no'."
-fi
-fi
-}
-
-function FIN4() {
-TEXT='Please note that the local ufw firewall\
-has been locked down to only allow connections\
-to port 22. If you need to connect over any\
-other port, then run "sudo so-allow".'
-}
-
-function FIN5() {
-TEXT='If you have any questions or problems,\
-please visit our website where you can find\
-the following links:\
-FAQ\
-Wiki\
-Mailing Lists\
-IRC channel\
-and more!\
-\
-https://securityonion.net'
-}
-
-function FIN6() {
-TEXT='If you need commercial support or training,\
-please see:\
-\
-https://securityonionsolutions.com'
-}
-
-
-#########################################
-# write collected answers
-#########################################
-
-save()
-{
- # TODO
- echo "# ANSWERFILE generated by sosetup -w option" > $WRITEANSWERFILE
- echo -n "# Generation date: " >> $WRITEANSWERFILE
- date >> $WRITEANSWERFILE
- echo "# Generated on host $HOSTNAME" >> $WRITEANSWERFILE
- echo "#" >> $WRITEANSWERFILE
- echo "# These fields were computed automatically" >> $WRITEANSWERFILE
- echo "#IP=$IP" >> $WRITEANSWERFILE
- echo "#CORES=$CORES" >> $WRITEANSWERFILE
- echo \#ALL_INTERFACES=$ALL_INTERFACES >> $WRITEANSWERFILE # no quotes to collapse to one line
- echo "#NUM_INTERFACES=$NUM_INTERFACES" >> $WRITEANSWERFILE
- echo "#" >> $WRITEANSWERFILE
- echo "# This field is specific to reading an answer file" >> $WRITEANSWERFILE
- echo "SNIFFING_INTERFACES=$INTERFACES" >> $WRITEANSWERFILE
- echo "#" >> $WRITEANSWERFILE
- echo "# These fields were generated from your answers" >> $WRITEANSWERFILE
- echo "SERVER=$SERVER" >> $WRITEANSWERFILE
- echo "SERVERNAME=$SERVERNAME" >> $WRITEANSWERFILE
- echo "SSH_USERNAME='$SSH_USERNAME'" >> $WRITEANSWERFILE
- echo "SGUIL_SERVER_NAME=$SGUIL_SERVER_NAME" >> $WRITEANSWERFILE
- echo "SGUIL_CLIENT_USERNAME='$SGUIL_CLIENT_USERNAME'" >> $WRITEANSWERFILE
- echo "SGUIL_CLIENT_PASSWORD_1='$SGUIL_CLIENT_PASSWORD_1'" >> $WRITEANSWERFILE
- echo "XPLICO_ENABLED=$XPLICO_ENABLED" >> $WRITEANSWERFILE
- echo "ELSA=$ELSA" >> $WRITEANSWERFILE
- echo "UPDATE_ELSA_SERVER=$UPDATE_ELSA_SERVER" >> $WRITEANSWERFILE
- echo "LOG_SIZE_LIMIT=$LOG_SIZE_LIMIT" >> $WRITEANSWERFILE
- echo "OSSEC_AGENT_ENABLED=$OSSEC_AGENT_ENABLED" >>
$WRITEANSWERFILE
- echo "OSSEC_AGENT_LEVEL=$OSSEC_AGENT_LEVEL" >> $WRITEANSWERFILE
- echo "SALT=$SALT" >> $WRITEANSWERFILE
- echo "SENSOR=$SENSOR" >> $WRITEANSWERFILE
- echo "BRO_ENABLED=$BRO_ENABLED" >> $WRITEANSWERFILE
- echo "IDS_ENGINE_ENABLED=$IDS_ENGINE_ENABLED" >> $WRITEANSWERFILE
- echo "SNORT_AGENT_ENABLED=$SNORT_AGENT_ENABLED" >> $WRITEANSWERFILE
- echo "BARNYARD2_ENABLED=$BARNYARD2_ENABLED" >> $WRITEANSWERFILE
- echo "PCAP_ENABLED=$PCAP_ENABLED" >> $WRITEANSWERFILE
- echo "PCAP_AGENT_ENABLED=$PCAP_AGENT_ENABLED" >> $WRITEANSWERFILE
- echo "PRADS_ENABLED=$PRADS_ENABLED" >> $WRITEANSWERFILE
- echo "SANCP_AGENT_ENABLED=$SANCP_AGENT_ENABLED" >> $WRITEANSWERFILE
- echo "PADS_AGENT_ENABLED=$PADS_AGENT_ENABLED" >> $WRITEANSWERFILE
- echo "HTTP_AGENT_ENABLED=$HTTP_AGENT_ENABLED" >> $WRITEANSWERFILE
- echo "ARGUS_ENABLED=$ARGUS_ENABLED" >> $WRITEANSWERFILE
- echo "IDS_RULESET='$IDS_RULESET'" >> $WRITEANSWERFILE
- echo "OINKCODE='$OINKCODE'" >> $WRITEANSWERFILE
- echo "PF_RING_SLOTS=$PF_RING_SLOTS" >> $WRITEANSWERFILE
- echo "IDS_ENGINE=$IDS_ENGINE" >> $WRITEANSWERFILE
- echo "IDS_LB_PROCS=$IDS_LB_PROCS" >> $WRITEANSWERFILE
- echo "BRO_LB_PROCS=$BRO_LB_PROCS" >> $WRITEANSWERFILE
- echo "EXTRACT_FILES=$EXTRACT_FILES" >> $WRITEANSWERFILE
- echo "PCAP_SIZE=$PCAP_SIZE" >> $WRITEANSWERFILE
- echo "PCAP_RING_SIZE=$PCAP_RING_SIZE" >> $WRITEANSWERFILE
- echo "PCAP_OPTIONS='$PCAP_OPTIONS'" >> $WRITEANSWERFILE
- echo "WARN_DISK_USAGE=$WARN_DISK_USAGE" >> $WRITEANSWERFILE
- echo "CRIT_DISK_USAGE=$CRIT_DISK_USAGE" >> $WRITEANSWERFILE
- echo "DAYSTOKEEP=$DAYSTOKEEP" >> $WRITEANSWERFILE
- echo "DAYSTOREPAIR=$DAYSTOREPAIR" >> $WRITEANSWERFILE
-}
-
-
-#########################################
-# Options
-#########################################
-
-usage()
-{
-cat < Configure using answer file
- -w Create answer file
- -y Configure without prompting
-
-Usage: $0
-EOF
-}
-
-
-#########################################
-# Call functions
-#########################################
-
-# Check to see if the user provided an answer file
-SKIP=0
-while getopts "hf:yw:" OPTION
-do
- case $OPTION in
- h)
- usage
- exit 0
- ;;
- f)
- ANSWERFILE="$OPTARG"
- # Verify answer file exists and then read it into memory
- if [ ! -f "$ANSWERFILE" ]; then
- echo "Error accessing $ANSWERFILE"
- exit 1
- fi
- ;;
- w)
- WRITEANSWERFILE="$OPTARG"
- ;;
- y)
- SKIP=1
- ;;
- esac
-done
-
-# GUI (Zenity) or CLI?
-# Default to zenity
-OUTPUT="gui"
-# If no X11, then fall back to cli
-[ -z "$DISPLAY" ] && OUTPUT="cli"
-# If user provided an answer file, set to cli
-[ -f "$ANSWERFILE" ] && OUTPUT="cli"
-
-# If the user didn't provide an answer file, then ask them the questions
-if [ ! -f "$ANSWERFILE" ]; then
- if [ "$OUTPUT" = "gui" ] ; then
- ask
- else
- echo
- echo "No X display found."
- echo
- echo "You'll need to either:"
- echo
- echo "- use SSH X-forwarding (ssh -X)"
- echo
- echo "OR"
- echo
- echo "- use an answer file (sudo sosetup -f sosetup.conf)"
- echo
- usage
- exit 0
- fi
-else
- source "$ANSWERFILE"
- # copy SNIFFING_INTERFACES into INTERFACES
- INTERFACES="$SNIFFING_INTERFACES"
- ADVANCED_SETUP="1"
- if [ $SKIP -ne 1 ];then
- echo
- echo "Security Onion Setup"
- echo
- echo "Ready to configure system using parameters in $ANSWERFILE."
- echo
- echo "WARNING! Continuing will destroy any existing data/config."
- echo "Are you sure you want to continue?"
- echo "Type yes to continue or anything else to exit."
- read INPUT
- [ "$INPUT" != "yes" ] && exit 0
- echo
- # If /etc/network/interfaces has not been configured yet, then we need
- # to run sosetup-network and pass it the answerfile
- if ! grep "Security Onion" /etc/network/interfaces >/dev/null 2>&1; then
- /usr/sbin/sosetup-network $@
- fi
- fi
-fi
-
-# Perform the requested actions, handling output differently for gui vs cli
-if [ "$OUTPUT" = "gui" ]; then
- CONFIGURE_SERVICES |
- zenity --progress --title="$TITLE" --text="Please wait while making changes to the system..."
--percentage=0 --auto-close
-else
- echo "Please wait while..."
- CONFIGURE_SERVICES | grep --line-buffered "^#" | sed 's|# Please wait while||g'
-fi
-
-# SERVER_QUEUE will interactively prompt for password
-# so we can't consume stdout
-SERVER_QUEUE
-
-# The next few functions should have no output
-MINION
-MOVELOG
-IP2C
-
-# Final screens
-for i in FIN1 FIN2 FIN3 FIN4 FIN5 FIN6; do
- $i
- if [ "$OUTPUT" = "gui" ]; then
- zenity --info --title="$TITLE" --text="$TEXT" --no-wrap
- else
- echo
- echo "$TEXT" | sed 's|\\n|\n|g' | sed 's|\\||g'
- echo
- fi
-done
diff --git a/debian/changelog b/debian/changelog
index 21fa758..77c9e68 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+securityonion-setup (20120912-0ubuntu0securityonion244) trusty; urgency=medium
+
+ * move sosetup-elastic to securityonion-elastic package to allow more frequent updates
+
+ -- Doug Burks Sat, 02 Sep 2017 11:20:52 -0400
+
 securityonion-setup (20120912-0ubuntu0securityonion243) trusty; urgency=medium
 * cross cluster json