105 lines
4.5 KiB
Bash
Executable File
105 lines
4.5 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
# Copyright (c) 2021 Battelle Energy Alliance, LLC. All rights reserved.
|
|
|
|
SCRIPT_PATH="$(dirname $(realpath -e "${BASH_SOURCE[0]}"))"
|
|
|
|
echo "sensor" > /etc/installer
|
|
|
|
MAIN_USER="$(id -nu 1000)"
|
|
|
|
if [[ -r "$SCRIPT_PATH"/common-init.sh ]]; then
|
|
. "$SCRIPT_PATH"/common-init.sh
|
|
|
|
# remove default accounts/groups we don't want, create/set directories for non-user users for stig to not complain
|
|
CleanDefaultAccounts
|
|
|
|
# get a list of the hardware interfaces
|
|
PopulateInterfaces
|
|
|
|
# set up some sensor-specific stuff
|
|
if [[ -d /opt/sensor ]]; then
|
|
|
|
# set ownership for /opt/sensor files for sensor UID:GID
|
|
chown -R 1000:1000 /opt/sensor
|
|
find /opt/sensor/ -type d -exec chmod 750 "{}" \;
|
|
find /opt/sensor/ -type f -exec chmod 640 "{}" \;
|
|
find /opt/sensor/ -type f -name "*.sh" -exec chmod 750 "{}" \;
|
|
find /opt/sensor/ -type f -name "*.keystore" -exec chmod 600 "{}" \;
|
|
|
|
if [[ -f /opt/sensor/sensor_ctl/control_vars.conf ]]; then
|
|
# if the capture interface hasn't been set in control_vars.conf, set it now
|
|
if grep --quiet CAPTURE_INTERFACE=xxxx /opt/sensor/sensor_ctl/control_vars.conf; then
|
|
CAP_IFACE="$(DetermineCaptureInterface)"
|
|
if [[ -n "${CAP_IFACE}" ]]; then
|
|
sed -i "s/CAPTURE_INTERFACE=xxxx/CAPTURE_INTERFACE=${CAP_IFACE}/g" /opt/sensor/sensor_ctl/control_vars.conf
|
|
fi
|
|
fi
|
|
chmod 600 /opt/sensor/sensor_ctl/control_vars.conf*
|
|
fi
|
|
|
|
[[ -d /opt/sensor/sensor_ctl/moloch/config.ini ]] && chmod 600 /opt/sensor/sensor_ctl/moloch/config.ini
|
|
|
|
fi
|
|
|
|
# zeekctl won't like being run by a non-root user unless the whole stupid thing is owned by the non-root user
|
|
if [[ -d /opt/zeek.orig ]]; then
|
|
# as such, we're going to reset zeek to a "clean" state after each reboot. the config files will get
|
|
# regenerated when we are about to deploy zeek itself
|
|
[[ -d /opt/zeek ]] && rm -rf /opt/zeek
|
|
rsync -a /opt/zeek.orig/ /opt/zeek
|
|
fi
|
|
if [[ -d /opt/zeek ]]; then
|
|
chown -R 1000:1000 /opt/zeek/*
|
|
[[ -f /opt/zeek/bin/zeek ]] && setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /opt/zeek/bin/zeek
|
|
fi
|
|
if [[ -d /opt/yara-rules ]]; then
|
|
mkdir -p /opt/yara-rules/custom
|
|
chown -R 1000:1000 /opt/yara-rules/custom
|
|
chmod -R 750 /opt/yara-rules/custom
|
|
fi
|
|
|
|
# if the sensor needs to do clamav scanning, configure it to run as the sensor user
|
|
if dpkg -s clamav >/dev/null 2>&1 ; then
|
|
mkdir -p /var/log/clamav /var/lib/clamav
|
|
chown -R 1000:1000 /var/log/clamav /var/lib/clamav
|
|
chmod -R 750 /var/log/clamav /var/lib/clamav
|
|
sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/freshclam.conf
|
|
sed -i 's/^Foreground .*$/Foreground true/g' /etc/clamav/clamd.conf
|
|
if [[ -d /opt/sensor/sensor_ctl ]]; then
|
|
# disable clamd/freshclam logfiles as supervisord will handle the logging from STDOUT instead
|
|
sed -i 's@^UpdateLogFile .*$@#UpdateLogFile /var/log/clamav/freshclam.log@g' /etc/clamav/freshclam.conf
|
|
sed -i 's@^LogFile .*$@#LogFile /var/log/clamav/clamd.log@g' /etc/clamav/clamd.conf
|
|
# use local directory for socket file
|
|
mkdir -p /opt/sensor/sensor_ctl/clamav
|
|
chown -R 1000:1000 /opt/sensor/sensor_ctl/clamav
|
|
chmod -R 750 /opt/sensor/sensor_ctl/clamav
|
|
sed -i 's@^LocalSocket .*$@LocalSocket /opt/sensor/sensor_ctl/clamav/clamd.ctl@g' /etc/clamav/clamd.conf
|
|
fi
|
|
if [[ -n $MAIN_USER ]]; then
|
|
sed -i "s/^User .*$/User $MAIN_USER/g" /etc/clamav/clamd.conf
|
|
sed -i "s/^LocalSocketGroup .*$/LocalSocketGroup $MAIN_USER/g" /etc/clamav/clamd.conf
|
|
sed -i "s/^DatabaseOwner .*$/DatabaseOwner $MAIN_USER/g" /etc/clamav/freshclam.conf
|
|
fi
|
|
[[ -r /opt/sensor/sensor_ctl/control_vars.conf ]] && source /opt/sensor/sensor_ctl/control_vars.conf
|
|
[[ -z $EXTRACTED_FILE_MAX_BYTES ]] && EXTRACTED_FILE_MAX_BYTES=134217728
|
|
sed -i "s/^MaxFileSize .*$/MaxFileSize $EXTRACTED_FILE_MAX_BYTES/g" /etc/clamav/clamd.conf
|
|
sed -i "s/^MaxScanSize .*$/MaxScanSize $(echo "$EXTRACTED_FILE_MAX_BYTES * 4" | bc)/g" /etc/clamav/clamd.conf
|
|
grep -q "^TCPSocket" /etc/clamav/clamd.conf && (sed -i 's/^TCPSocket .*$/TCPSocket 3310/g' /etc/clamav/clamd.conf) || (echo "TCPSocket 3310" >> /etc/clamav/clamd.conf)
|
|
fi
|
|
|
|
# if the network configuration files for the interfaces haven't been set to come up on boot, configure that now.
|
|
InitializeSensorNetworking
|
|
|
|
# fix some permisions to make sure things belong to the right person
|
|
[[ -n $MAIN_USER ]] && FixPermissions "$MAIN_USER"
|
|
|
|
# block some call-homes
|
|
BadTelemetry
|
|
|
|
exit 0
|
|
else
|
|
exit 1
|
|
fi
|
|
|