Merge pull request #393 from lnxg33k/master

Make sure we have a DNS resolution when calling fix_eth1_static_ip.
2020-03-13 12:09:44 -07:00
parent 05a3faae17 0b1488a0eb
commit 66ad89c160
1 changed files with 56 additions and 52 deletions
--- a/Vagrant/bootstrap.sh
+++ b/Vagrant/bootstrap.sh
@@ -1,8 +1,8 @@
 #! /bin/bash

 export DEBIAN_FRONTEND=noninteractive
-echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections;
-echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections;
+echo "apt-fast apt-fast/maxdownloads string 10" | debconf-set-selections
+echo "apt-fast apt-fast/dlflag boolean true" | debconf-set-selections

 sed -i "2ideb mirror://mirrors.ubuntu.com/mirrors.txt bionic main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-updates main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-backports main restricted universe multiverse\ndeb mirror://mirrors.ubuntu.com/mirrors.txt bionic-security main restricted universe multiverse" /etc/apt/sources.list

@@ -12,7 +12,7 @@ apt_install_prerequisites() {
  add-apt-repository -y ppa:apt-fast/stable
  # Add repository for yq
  add-apt-repository -y ppa:rmescandon/yq
-　# Add repository for suricata
+  　# Add repository for suricata
  add-apt-repository -y ppa:oisf/suricata-stable
  # Install prerequisites and useful tools
  echo "[$(date +%H:%M:%S)]: Running apt-get clean..."
@@ -37,15 +37,14 @@ modify_motd() {
 }

 test_prerequisites() {
-  for package in jq whois build-essential git docker docker-compose unzip yq
-  do
+  for package in jq whois build-essential git docker docker-compose unzip yq; do
    echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
    # Loop through each package using dpkg
-    if ! dpkg -S $package > /dev/null; then
+    if ! dpkg -S $package >/dev/null; then
      # If which returns a non-zero return code, try to re-install the package
      echo "[-] $package was not found. Attempting to reinstall."
      apt-get -qq update && apt-get install -y $package
-      if ! which $package > /dev/null; then
+      if ! which $package >/dev/null; then
        # If the reinstall fails, give up
        echo "[X] Unable to install $package even after a retry. Exiting."
        exit 1
@@ -64,8 +63,8 @@ fix_eth1_static_ip() {
  fi
  if [ -f /sys/class/net/eth2/address ]; then
    if [ "$(cat /sys/class/net/eth2/address)" == "00:50:56:a3:b1:c4" ]; then
-    echo "[*] Using ESXi, no need to change anything"
-    return 0
+      echo "[*] Using ESXi, no need to change anything"
+      return 0
    fi
  fi
  # There's a fun issue where dhclient keeps messing with eth1 despite the fact
@@ -73,7 +72,7 @@ fix_eth1_static_ip() {
  echo -e 'interface "eth1" {
    send host-name = gethostname();
    send dhcp-requested-address 192.168.38.105;
-  }' >> /etc/dhcp/dhclient.conf
+  }' >>/etc/dhcp/dhclient.conf
  netplan apply
  # Fix eth1 if the IP isn't set correctly
  ETH1_IP=$(ip -4 addr show eth1 | grep -oP '(?<=inet\s)\d+(\.\d+){3}')
@@ -90,6 +89,12 @@ fix_eth1_static_ip() {
      exit 1
    fi
  fi
+
+  # Make sure we do have a DNS resolution
+  while true; do
+    if [ "$(dig +short @8.8.8.8 github.com)" ]; then break; fi
+    sleep 1
+  done
 }

 install_splunk() {
@@ -99,9 +104,9 @@ install_splunk() {
  else
    echo "[$(date +%H:%M:%S)]: Installing Splunk..."
    # Get download.splunk.com into the DNS cache. Sometimes resolution randomly fails during wget below
-    dig @8.8.8.8 download.splunk.com > /dev/null
-    dig @8.8.8.8 splunk.com > /dev/null
-    dig @8.8.8.8 www.splunk.com > /dev/null
+    dig @8.8.8.8 download.splunk.com >/dev/null
+    dig @8.8.8.8 splunk.com >/dev/null
+    dig @8.8.8.8 www.splunk.com >/dev/null

    # Try to resolve the latest version of Splunk by parsing the HTML on the downloads page
    echo "[$(date +%H:%M:%S)]: Attempting to autoresolve the latest version of Splunk..."
@@ -131,15 +136,15 @@ install_splunk() {
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/asn-lookup-generator_101.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/lookup-file-editor_331.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/splunk-add-on-for-zeek-aka-bro_400.tgz -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz  -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz  -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/force-directed-app-for-splunk_200.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/punchcard-custom-visualization_130.tgz -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/sankey-diagram-custom-visualization_130.tgz -auth 'admin:changeme'
    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/link-analysis-app-for-splunk_161.tgz -auth 'admin:changeme'
-    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz  -auth 'admin:changeme'
+    /opt/splunk/bin/splunk install app /vagrant/resources/splunk_server/threathunting_141.tgz -auth 'admin:changeme'

-    # Uncomment the following block to install BOTSv2 
+    # Uncomment the following block to install BOTSv2
    # Thanks to @MHaggis for this addition!
-    # It is recommended to only uncomment the attack-only dataset comment block. 
+    # It is recommended to only uncomment the attack-only dataset comment block.
    # You may also link to the full dataset which is ~12GB if you prefer.
    # More information on BOTSv2 can be found at https://github.com/splunk/botsv2

@@ -179,7 +184,7 @@ install_splunk() {
    # echo "[$(date +%H:%M:%S)]: Extracting to Splunk Apps directory"
    # tar zxvf botsv2_data_set.tgz /opt/splunk/etc/apps
    ### FULL DATASET COMMENT BLOCK ENDS ###
-    
+
    ### BOTSv2 COMMENT BLOCK ENDS ###

    # Add custom Macro definitions for ThreatHunting App
@@ -192,7 +197,7 @@ install_splunk() {
    rm /opt/splunk/etc/apps/force_directed_viz/default/savedsearches.conf

    # Add a Splunk TCP input on port 9997
-    echo -e "[splunktcp://9997]\nconnection_host = ip" > /opt/splunk/etc/apps/search/local/inputs.conf
+    echo -e "[splunktcp://9997]\nconnection_host = ip" >/opt/splunk/etc/apps/search/local/inputs.conf
    # Add props.conf and transforms.conf
    cp /vagrant/resources/splunk_server/props.conf /opt/splunk/etc/apps/search/local/
    cp /vagrant/resources/splunk_server/transforms.conf /opt/splunk/etc/apps/search/local/
@@ -204,7 +209,7 @@ install_splunk() {
    echo "[$(date +%H:%M:%S)]: Disabling the Splunk tour prompt..."
    touch /opt/splunk/etc/.ui_login
    mkdir -p /opt/splunk/etc/users/admin/search/local
-    echo -e "[search-tour]\nviewed = 1" > /opt/splunk/etc/system/local/ui-tour.conf
+    echo -e "[search-tour]\nviewed = 1" >/opt/splunk/etc/system/local/ui-tour.conf
    # Source: https://answers.splunk.com/answers/660728/how-to-disable-the-modal-pop-up-help-us-to-improve.html
    echo '[general]
 render_version_messages = 0
@@ -213,7 +218,7 @@ dismissedInstrumentationOptInVersion = 1
 [general_default]
 hideInstrumentationOptInModal = 1
 showWhatsNew = 0
-notification_python_3_impact = false' > /opt/splunk/etc/system/local/user-prefs.conf
+notification_python_3_impact = false' >/opt/splunk/etc/system/local/user-prefs.conf
    echo '[general]
 render_version_messages = 0
 hideInstrumentationOptInModal = 1
@@ -221,12 +226,12 @@ dismissedInstrumentationOptInVersion = 1
 [general_default]
 hideInstrumentationOptInModal = 1
 showWhatsNew = 0
-notification_python_3_impact = false' > /opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
-  # Disable the instrumentation popup
-  echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >> /opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf
+notification_python_3_impact = false' >/opt/splunk/etc/apps/user-prefs/local/user-prefs.conf
+    # Disable the instrumentation popup
+    echo -e "showOptInModal = 0\noptInVersionAcknowledged = 4" >>/opt/splunk/etc/apps/splunk_instrumentation/local/telemetry.conf

    # Enable SSL Login for Splunk
-    echo -e "[settings]\nenableSplunkWebSSL = true" > /opt/splunk/etc/system/local/web.conf
+    echo -e "[settings]\nenableSplunkWebSSL = true" >/opt/splunk/etc/system/local/web.conf
    # Reboot Splunk to make changes take effect
    /opt/splunk/bin/splunk restart
    /opt/splunk/bin/splunk enable boot-start
@@ -241,8 +246,8 @@ install_fleet() {
    echo "[$(date +%H:%M:%S)]: Fleet is already installed"
  else
    echo "[$(date +%H:%M:%S)]: Installing Fleet..."
-    echo -e "\n127.0.0.1       kolide" >> /etc/hosts
-    echo -e "\n127.0.0.1       logger" >> /etc/hosts
+    echo -e "\n127.0.0.1       kolide" >>/etc/hosts
+    echo -e "\n127.0.0.1       logger" >>/etc/hosts
    cd /opt && git clone https://github.com/kolide/kolide-quickstart.git
    cd /opt/kolide-quickstart || echo "Something went wrong while trying to clone the kolide-quickstart repository"
    cp /vagrant/resources/fleet/server.* .
@@ -294,8 +299,8 @@ import_osquery_config_into_fleet() {
  # Use fleetctl to import YAML files
  fleetctl apply -f osquery-configuration/Fleet/Endpoints/MacOS/osquery.yaml
  fleetctl apply -f osquery-configuration/Fleet/Endpoints/Windows/osquery.yaml
-  for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml
-    do fleetctl apply -f "$pack"
+  for pack in osquery-configuration/Fleet/Endpoints/packs/*.yaml; do
+    fleetctl apply -f "$pack"
  done

  # Add Splunk monitors for Fleet
@@ -313,7 +318,7 @@ install_zeek() {
  SPLUNK_SURICATA_SOURCETYPE='json_suricata'
  sh -c "echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' > /etc/apt/sources.list.d/security:zeek.list"
  wget -nv https://download.opensuse.org/repositories/security:zeek/xUbuntu_18.04/Release.key -O /tmp/Release.key
-  apt-key add - < /tmp/Release.key
+  apt-key add - </tmp/Release.key
  # Update APT repositories
  apt-get -qq -ym update
  # Install tools to build and configure Zeek
@@ -343,7 +348,7 @@ install_zeek() {
  redef Intel::read_files += {
    "/opt/zeek/etc/intel.dat"
  };
-  ' >> /opt/zeek/share/zeek/site/local.zeek
+  ' >>/opt/zeek/share/zeek/site/local.zeek

  # Configure Zeek
  crudini --del $NODECFG zeek
@@ -367,23 +372,23 @@ install_zeek() {
  mkdir -p $SPLUNK_ZEEK_JSON/local
  cp $SPLUNK_ZEEK_JSON/default/inputs.conf $SPLUNK_ZEEK_JSON/local/inputs.conf

-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index   zeek
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype   bro:json
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist   '.*\.log$'
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist   '.*(communication|stderr)\.log$'
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled   0
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index   suricata
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype   suricata:json
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist   'eve.json'
-  crudini --set  $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled   0
-  crudini --set  $SPLUNK_ZEEK_JSON/local/props.conf  $SPLUNK_SURICATA_SOURCETYPE TRUNCATE    0
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR index zeek
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR sourcetype bro:json
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR whitelist '.*\.log$'
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR blacklist '.*(communication|stderr)\.log$'
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_ZEEK_MONITOR disabled 0
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR index suricata
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR sourcetype suricata:json
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR whitelist 'eve.json'
+  crudini --set $SPLUNK_ZEEK_JSON/local/inputs.conf $SPLUNK_SURICATA_MONITOR disabled 0
+  crudini --set $SPLUNK_ZEEK_JSON/local/props.conf $SPLUNK_SURICATA_SOURCETYPE TRUNCATE 0

  # Ensure permissions are correct and restart splunk
  chown -R splunk $SPLUNK_ZEEK_JSON
  /opt/splunk/bin/splunk restart

  # Verify that Zeek is running
-  if ! pgrep -f zeek > /dev/null; then
+  if ! pgrep -f zeek >/dev/null; then
    echo "Zeek attempted to start but is not running. Exiting"
    exit 1
  fi
@@ -407,7 +412,7 @@ install_suricata() {
  # update suricata signature sources
  suricata-update update-sources
  # disable protocol decode as it is duplicative of Zeek
-  echo re:protocol-command-decode >> /etc/suricata/disable.conf
+  echo re:protocol-command-decode >>/etc/suricata/disable.conf
  # enable et-open and attackdetection sources
  suricata-update enable-source et/open
  suricata-update enable-source ptresearch/attackdetection
@@ -419,22 +424,21 @@ install_suricata() {
  sleep 3

  # Verify that Suricata is running
-  if ! pgrep -f suricata > /dev/null; then
+  if ! pgrep -f suricata >/dev/null; then
    echo "Suricata attempted to start but is not running. Exiting"
    exit 1
  fi
 }

 test_suricata_prerequisites() {
-  for package in suricata crudini
-  do
+  for package in suricata crudini; do
    echo "[$(date +%H:%M:%S)]: [TEST] Validating that $package is correctly installed..."
    # Loop through each package using dpkg
-    if ! dpkg -S $package > /dev/null; then
+    if ! dpkg -S $package >/dev/null; then
      # If which returns a non-zero return code, try to re-install the package
      echo "[-] $package was not found. Attempting to reinstall."
      apt-get clean && apt-get -qq update && apt-get install -y $package
-      if ! which $package > /dev/null; then
+      if ! which $package >/dev/null; then
        # If the reinstall fails, give up
        echo "[X] Unable to install $package even after a retry. Exiting."
        exit 1
@@ -451,7 +455,7 @@ install_guacamole() {
  apt-get -qq install -y libcairo2-dev libjpeg62-dev libpng-dev libossp-uuid-dev libfreerdp-dev libpango1.0-dev libssh2-1-dev libssh-dev tomcat8 tomcat8-admin tomcat8-user
  wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/source/guacamole-server-1.0.0.tar.gz" -O guacamole-server-1.0.0.tar.gz
  tar -xvf guacamole-server-1.0.0.tar.gz && cd guacamole-server-1.0.0
-  ./configure &> /dev/null && make --quiet &> /dev/null && make --quiet install &> /dev/null || echo "[-] An error occurred while installing Guacamole."
+  ./configure &>/dev/null && make --quiet &>/dev/null && make --quiet install &>/dev/null || echo "[-] An error occurred while installing Guacamole."
  ldconfig
  cd /var/lib/tomcat8/webapps
  wget --progress=bar:force "http://apache.org/dyn/closer.cgi?action=download&filename=guacamole/1.0.0/binary/guacamole-1.0.0.war" -O guacamole.war
@@ -470,7 +474,7 @@ install_guacamole() {

 postinstall_tasks() {
  # Include Splunk and Zeek in the PATH
-  echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >> ~/.bashrc
+  echo export PATH="$PATH:/opt/splunk/bin:/opt/zeek/bin" >>~/.bashrc
  # Ping DetectionLab server for usage statistics
  curl -A "DetectionLab-logger" "https://detectionlab.network/logger"
 }