#!/bin/bash
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
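# Boot-time initialisation for a "sensor" host: marks the installer type,
# pulls in the shared helpers from common-init.sh (same directory as this
# script), then fixes ownership/permissions under /opt/sensor, /opt/zeek,
# /opt/yara-rules and the clamav state dirs so that the unprivileged sensor
# account (UID/GID 1000) can run those services, and finally applies the
# networking / permission / telemetry helpers from common-init.sh.
#
# Runs as root. Exits 1 when common-init.sh cannot be read, 0 otherwise.
#
# Fixes vs. the previous revision:
#   - the moloch config.ini check used -d (directory) on a file, so the
#     chmod 600 never ran; it now uses -f
#   - "grep && (sed) || (echo)" appended a duplicate TCPSocket line whenever
#     sed failed; it is now a real if/else
#   - EXTRACTED_FILE_MAX_BYTES is validated as an integer before being
#     spliced into sed and arithmetic (it comes from a sourced config file)
#   - command substitutions are quoted (paths with spaces)

SCRIPT_PATH="$(dirname "$(realpath -e "${BASH_SOURCE[0]}")")"

# marker read by the other installer scripts
echo "sensor" > /etc/installer

# the non-root sensor account; empty when no user owns UID 1000
MAIN_USER="$(id -nu 1000)"

#######################################
# Replace the value of a "Key value" line in a clamav-style config file.
# Arguments: $1 - config file
#            $2 - key (start of line)
#            $3 - new value
# Notes:     '|' is the sed delimiter, so values must not contain '|';
#            every caller below passes a username, an integer, a keyword
#            or an absolute path.
#######################################
set_conf_value() {
  local conf=$1
  local key=$2
  local value=$3
  sed -i "s|^${key} .*$|${key} ${value}|g" "$conf"
}

if [[ ! -r "$SCRIPT_PATH"/common-init.sh ]]; then
  echo "${0##*/}: cannot read ${SCRIPT_PATH}/common-init.sh" >&2
  exit 1
fi
# provides CleanDefaultAccounts, PopulateInterfaces, DetermineCaptureInterface,
# InitializeSensorNetworking, FixPermissions and BadTelemetry
. "$SCRIPT_PATH"/common-init.sh

# remove default accounts/groups we don't want, create/set directories for
# non-user users so stig doesn't complain
CleanDefaultAccounts

# get a list of the hardware interfaces
PopulateInterfaces

# ---- sensor-specific files -------------------------------------------------
if [[ -d /opt/sensor ]]; then
  # everything under /opt/sensor belongs to the sensor UID:GID; dirs and
  # scripts are executable, plain files are not, keystores are private
  chown -R 1000:1000 /opt/sensor
  find /opt/sensor/ -type d -exec chmod 750 "{}" +
  find /opt/sensor/ -type f -exec chmod 640 "{}" +
  find /opt/sensor/ -type f -name "*.sh" -exec chmod 750 "{}" +
  find /opt/sensor/ -type f -name "*.keystore" -exec chmod 600 "{}" +

  if [[ -f /opt/sensor/sensor_ctl/control_vars.conf ]]; then
    # if the capture interface hasn't been set in control_vars.conf, set it now
    if grep --quiet CAPTURE_INTERFACE=xxxx /opt/sensor/sensor_ctl/control_vars.conf; then
      CAP_IFACE="$(DetermineCaptureInterface)"
      # only accept a plain interface name, since it is spliced into a sed
      # expression below
      if [[ -n "${CAP_IFACE}" && "${CAP_IFACE}" =~ ^[A-Za-z0-9_.:-]+$ ]]; then
        sed -i "s/CAPTURE_INTERFACE=xxxx/CAPTURE_INTERFACE=${CAP_IFACE}/g" /opt/sensor/sensor_ctl/control_vars.conf
      fi
    fi
    chmod 600 /opt/sensor/sensor_ctl/control_vars.conf*
  fi

  # config.ini is a file: the old "-d" test never matched, so this chmod never ran
  [[ -f /opt/sensor/sensor_ctl/moloch/config.ini ]] && chmod 600 /opt/sensor/sensor_ctl/moloch/config.ini
fi

# ---- zeek ------------------------------------------------------------------
# zeekctl won't like being run by a non-root user unless the whole tree is
# owned by that user, so reset zeek to a "clean" copy of /opt/zeek.orig on
# each boot; the config files are regenerated when zeek itself is deployed
if [[ -d /opt/zeek.orig ]]; then
  [[ -d /opt/zeek ]] && rm -rf /opt/zeek
  rsync -a /opt/zeek.orig/ /opt/zeek
fi
if [[ -d /opt/zeek ]]; then
  chown -R 1000:1000 /opt/zeek/*
  # let the non-root zeek process open raw sockets / set promiscuous mode
  [[ -f /opt/zeek/bin/zeek ]] && setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/zeek
fi

# ---- yara ------------------------------------------------------------------
if [[ -d /opt/yara-rules ]]; then
  mkdir -p /opt/yara-rules/custom
  chown -R 1000:1000 /opt/yara-rules/custom
  chmod -R 750 /opt/yara-rules/custom
fi

# ---- clamav ----------------------------------------------------------------
# if the sensor needs to do clamav scanning, configure it to run as the sensor user
if dpkg -s clamav >/dev/null 2>&1; then
  mkdir -p /var/log/clamav /var/lib/clamav
  chown -R 1000:1000 /var/log/clamav /var/lib/clamav
  chmod -R 750 /var/log/clamav /var/lib/clamav

  # run in the foreground so a supervisor can manage the processes
  set_conf_value /etc/clamav/freshclam.conf Foreground true
  set_conf_value /etc/clamav/clamd.conf Foreground true

  if [[ -d /opt/sensor/sensor_ctl ]]; then
    # disable clamd/freshclam logfiles as supervisord will handle the logging from STDOUT instead
    sed -i 's@^UpdateLogFile .*$@#UpdateLogFile /var/log/clamav/freshclam.log@g' /etc/clamav/freshclam.conf
    sed -i 's@^LogFile .*$@#LogFile /var/log/clamav/clamd.log@g' /etc/clamav/clamd.conf
    # use local directory for socket file
    mkdir -p /opt/sensor/sensor_ctl/clamav
    chown -R 1000:1000 /opt/sensor/sensor_ctl/clamav
    chmod -R 750 /opt/sensor/sensor_ctl/clamav
    set_conf_value /etc/clamav/clamd.conf LocalSocket /opt/sensor/sensor_ctl/clamav/clamd.ctl
  fi

  if [[ -n "$MAIN_USER" ]]; then
    set_conf_value /etc/clamav/clamd.conf User "$MAIN_USER"
    set_conf_value /etc/clamav/clamd.conf LocalSocketGroup "$MAIN_USER"
    set_conf_value /etc/clamav/freshclam.conf DatabaseOwner "$MAIN_USER"
  fi

  # NOTE(review): control_vars.conf was chowned to UID 1000 above, so sourcing
  # it here runs content the unprivileged sensor user can edit inside this
  # root shell; the values are validated below, but a non-executing parse
  # (e.g. grep/cut of the one key needed) would be the safer long-term shape.
  [[ -r /opt/sensor/sensor_ctl/control_vars.conf ]] && source /opt/sensor/sensor_ctl/control_vars.conf

  # default 128 MiB; also applied when the sourced value is not a plain
  # integer, because it is interpolated into sed and used in arithmetic
  if [[ ! "$EXTRACTED_FILE_MAX_BYTES" =~ ^[0-9]+$ ]]; then
    EXTRACTED_FILE_MAX_BYTES=134217728
  fi
  set_conf_value /etc/clamav/clamd.conf MaxFileSize "$EXTRACTED_FILE_MAX_BYTES"
  # MaxScanSize is four times the single-file limit (bash arithmetic replaces
  # the former echo|bc round-trip; the value is already known to be an integer)
  set_conf_value /etc/clamav/clamd.conf MaxScanSize "$(( EXTRACTED_FILE_MAX_BYTES * 4 ))"

  # listen on TCP 3310: rewrite an existing directive, otherwise append one
  if grep -q "^TCPSocket" /etc/clamav/clamd.conf; then
    set_conf_value /etc/clamav/clamd.conf TCPSocket 3310
  else
    echo "TCPSocket 3310" >> /etc/clamav/clamd.conf
  fi
fi

# if the network configuration files for the interfaces haven't been set to come up on boot, configure that now.
InitializeSensorNetworking

# fix some permissions to make sure things belong to the right person
[[ -n "$MAIN_USER" ]] && FixPermissions "$MAIN_USER"

# block some call-homes
BadTelemetry

exit 0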