bnc-siem-suite.macos

#!/bin/bash

#
# bnc-siem-suite.macos
# by Kevin Branch (kevin@branchnetconsulting.com)
#
# This script is a dual-role script, both running through a series of checks to determine if there is need to install the SIEM packages and installing the SIEM packages
# if warranted.
#
# Deployment will install Wazuh agent and Wazuh-integrated Osquery on Mac OS computers.
# After preserving the working Wazuh agent registration key if present, Wazuh agent and/or Osquery are completely purged and then reinstalled,
# with an option to skip Osquery.
# The Wazuh agent self registration process is included, but will be skipped if an existing working registration can be recycled.
# Agent name and group names must match exactly for registration to be recycled.  This will keep the same agent id associated with the agent.
#
# If any of the listed test families fail, the SIEM packages will be (re)installed.
#
# If the call to this script is deemed broken, or either the Wazuh Manager connect port or registration port are unresponsive to a probe, an exit code of 2 will be returned.
#
# The default exit code is 0.
#
# Is the agent presently really connected to the Wazuh manager?
# Is the agent connected to the right manager?
# Is the agent currently a member of all intended Wazuh agent groups?
# Is the target version of Wazuh agent installed?
# Is the target version of Osquery installed and running?
#
# Parameters:
#
# -WazuhMgr         IP or FQDN of the Wazuh manager for ongoing agent connections. (Required)
# -WazuhRegMgr      IP or FQDN of the Wazuh manager for agent registration connection (defaults to $WazuhMgr if not specified)
# -WazuhRegPass     Required: password for registration with Wazuh manager (put in quotes).
# -WazuhVer         Full version of Wazuh agent to confirm and/or install, like "3.13.2".
# -WazuhSrc         Static download path to fetch Wazuh agent installer.  Overrides WazuhVer value.
# -WazuhAgentName   Name under which to register this agent in place of locally detected host name
# -WazuhGroups      Comma separated list of optional extra Wazuh agent groups to member this agent.  No spaces.  Put whole list in quotes.  Groups must already exist.
#                   Use "" to expect zero extra groups.
#                   If not specified, agent group membership will not be checked at all.
#                   Do not include "macos", "macos-local", "osquery", "osquery-local", or "org" groups as these are autodetected and will dynamically be inserted as the first groups.
#                   Also, do not include "osquery" as this will automatically be included unless SkipOsquery is set to "1"
# -OsqueryVer       Full version of Osquery to validate and/or install, like "4.2.0" (always N.N.N format) (Required unless -SkipOsquery specified).
# -OsquerySrc       Static download path to fetch Osquery agent installer.  Overrides OsqueryVer value.
# -SkipOsquery      Set this flag to skip examination and/or installation of Osquery.  If the script determines that installation is warranted, this flag will result in Osquery being removed if present.
#                   Osquery is installed by default.
# -Install                      Skip all checks and force installation
# -Uninstall            Uninstall Wazuh agent and sub-agents
# -CheckOnly            Only run checks to see if installation is current or in need of deployment
# -Debug                Show debug output
# -help             Show command syntax
#
# Sample way to fetch and use this script:
#
# curl https://raw.githubusercontent.com/branchnetconsulting/wazuh-tools/master/bnc-siem-suite.macos > bnc-siem-suite.macos
# chmod 700 bnc-siem-suite.macos
#
# Example minimal usage:
#
# ./bnc-siem-suite.macos -WazuhMgr siem.company.com -WazuhRegPass "self-reg-pw" -WazuhVer 3.13.2 -OsqueryVer 4.5.1
#
# The above would (re)install the latest stable Wazuh agent and Osquery, if the checks determine it is warranted.
# It would also self-register with the specified Wazuh manager using the specified password, unless an existing working registration can be kept.
# The agent would be registered with agent groups "macos,macos-local,osquery,osquery-local".
#

function show_usage() {
   LBLU='\033[1;34m'
   NC='\033[0m'
   printf "\nCommand syntax:\n   $0 \n      -WazuhMgr ${LBLU}WAZUH_MANAGER${NC}\n      [-WazuhRegMgr ${LBLU}WAZUH_REGISTRATION_MANAGER${NC}]\n      -WazuhRegPass \"${LBLU}WAZUH_REGISTRATION_PASSWORD${NC}\"\n      {-WazuhVer ${LBLU}WAZUH_VERSION${NC} | -WazuhSrc ${LBLU}WAZUH_AGENT_DOWNLOAD_URL${NC}}\n      [-WazuhAgentName ${LBLU}WAZUH_AGENT_NAME_OVERRIDE${NC}]\n      [-WazuhGroups {${LBLU}LIST_OF_EXTRA_GROUPS${NC} | \"\"}]\n      {-OsqueryVer ${LBLU}OSQUERY_VERSION${NC} | -OsquerySrc ${LBLU}OSQUERY_DOWNLOAD_URL${NC} | -SkipOsquery}\n      [-Install]\n      [-Uninstall]\n      [-CheckOnly]\n      [-Debug]\n      [-help]\n\n"
   printf "Example:\n   $0 -WazuhMgr ${LBLU}siem.company.org${NC} -WazuhRegPass ${LBLU}\"h58fg3FS###12\"${NC} -WazuhVer ${LBLU}3.13.1${NC} -OsqueryVer ${LBLU}4.4.0${NC} -WazuhGroups ${LBLU}finance,denver${NC}\n\n"
   exit 2
}

function check_value() {
   if [[ "$1" == "" || "$1" == "-"* ]]; then
   	show_usage
   fi
}

# Named parameter optional default values
WazuhMgr=
WazuhRegMgr=
WazuhRegPass=
WazuhVer=
WazuhSrc=
WazuhAgentName=
WazuhGroups="#NOGROUP#"
OsqueryVer=
OsquerySrc=
SkipOsquery=0
#Local=0
CheckOnly=0
Install=0
Uninstall=0
Debug=0

while [ "$1" != "" ]; do
   case $1 in
      -WazuhMgr )     shift
                      check_value $1
                      WazuhMgr=$1
                      ;;
      -WazuhRegMgr )  shift
                      check_value $1
                      WazuhRegMgr=$1
                      ;;
      -WazuhRegPass ) shift
                      check_value $1
                      WazuhRegPass=$1
                      ;;
      -WazuhVer )     shift
                      check_value $1
                      WazuhVer="$1"
                      ;;
      -WazuhSrc )     shift
                      check_value $1
                      WazuhSrc="$1"
                      ;;
      -WazuhAgentName ) shift
                      check_value $1
                      WazuhAgentName="$1"
                                          ;;
      -WazuhGroups )  if [[ "$2" == "" ]]; then
                         shift
                         WazuhGroups=""
                      elif [[ "$2" == "-"* ]]; then
                         WazuhGroups=""
                      else
                         shift
                         WazuhGroups="$1"
                      fi
                      ;;
      -OsqueryVer )   shift
                      check_value $1
                      OsqueryVer="$1"
                      ;;
      -OsquerySrc )   shift
                      check_value $1
                      OsquerySrc="$1"
                      ;;
      -SkipOsquery )  # no shift
                      SkipOsquery=1
                      ;;
#      -Local )        # no shift
#                      Local=1
#                      ;;
      -CheckOnly )    # no shift
                      CheckOnly=1
                      ;;
      -Install )      # no shift
                      Install=1
                      ;;
      -Uninstall )  # no shift
                      Uninstall=1
                      ;;
      -Debug )        # no shift
                      Debug=1
                      ;;
      -help )         show_usage
                      ;;
      * )             show_usage
   esac
   shift
done

# Function for probing the Wazuh agent connection and Wazuh agent self-registration ports on the manager(s).
function tprobe() {
        if [ $Debug == 1 ]; then echo "Preparing to probe $1 on port $2..."; fi
        if [[ `echo $1 | grep -E "^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])$"` ]]; then
                if [ $Debug == 1 ]; then echo "$1 appears to be an IP number."; fi
                tpr_ip=$1
        else
                if [ $Debug == 1 ]; then echo "Looking up IP for host $1..."; fi
                #tpr_ip=`getent ahostsv4 $1 | awk '{ print $1 }' | head -n1`
		tpr_ip=`host siem.wycliffe.org | grep " has address" | awk '{print $4}'`
        fi
        if [ "$tpr_ip" == "" ]; then
                if [ $Debug == 1 ]; then echo "*** Failed to find IP for $1."; fi
                exit 2
        fi
        if [ $Debug == 1 ]; then echo "Probing $tpr_ip:$2..."; fi
        echo > /dev/tcp/$tpr_ip/$2 &
        sleep 2
        if [[ `ps auxw | awk '{print $2}' | egrep "^$!"` ]]; then
                if [ $Debug = 1 ]; then echo "*** Failed to get response from $1 on tcp/$2."; fi
                kill $!
                exit 2
        fi
        if [ $Debug == 1 ]; then echo "Success!"; fi
}

# Uninstallion function
function uninstallsuite() {

# Shut down and clean out any previous Wazuh agent
/Library/Ossec/bin/ossec-control stop
/bin/kill -kill `/bin/ps auxw | /usr/bin/grep ' /usr/bin/log stream ' | /usr/bin/grep -v grep | /usr/bin/awk '{print $2}'` 2> /dev/null
/bin/rm -r /Library/Ossec
/bin/rm /etc/ossec-init.conf
/bin/launchctl unload /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -f /Library/LaunchDaemons/com.wazuh.agent.plist
/bin/rm -rf /Library/StartupItems/WAZUH
/usr/bin/dscl . -delete "/Users/ossec"
/usr/bin/dscl . -delete "/Groups/ossec"
/usr/sbin/pkgutil --forget com.wazuh.pkg.wazuh-agent
kill -kill `ps auxw | grep "/Library/Ossec/bin" | grep -v grep | awk '{print $2}'` 2> /dev/null

# Clean out any previous Osquery
launchctl unload /Library/LaunchDaemons/com.facebook.osqueryd.plist 2> /dev/null
rm /Library/LaunchDaemons/com.facebook.osqueryd.plist 2> /dev/null
rm -rf /private/var/log/osquery
rm -rf /private/var/osquery
rm /usr/local/bin/osquery*
pkgutil --forget com.facebook.osquery

if [ $Uninstall == 1 ]; then
        echo -e "\n*** Wazuh Agent suite successfully uninstalled";
        exit 0
fi
}

# Checks function
function checksuite() {
if [ -f /etc/nsm/securityonion.conf ]; then
		if [ $Debug == 1 ]; then echo -e "\n*** This deploy script cannot be used on a system where Security Onion is installed."; fi
        exit 2
fi
if [[ `grep server /Library/Ossec/etc/ossec-init.conf` ]]; then
        if [ $Debug == 1 ]; then echo -e "\n*** This deploy script cannot be used on a system where Wazuh manager is already installed."; fi
        exit 2
fi
if [ "$WazuhMgr" == "" ]; then
        echo -e "\n*** Must use '-WazuhMgr' to specify the FQDN or IP of the Wazuh manager to which the agent shall retain a connection."
        show_usage
        exit 2
fi
if [ "$WazuhRegMgr" == "" ]; then
        WazuhRegMgr=$WazuhMgr
fi
if [ "$WazuhVer" == "" ]; then
        echo -e "\n*** Must use '-WazuhVer' to specify the Wazuh Agent version to check for."
        show_usage
        exit 2
fi
if [[ "$OsqueryVer" == "" && "$SkipOsquery" == "0" ]]; then
        echo -e "\nIf -SkipOsquery is not specified, then -OsqueryVer must be provided."
        show_usage
        exit 2
fi

# Confirm the self registration and agent connection ports on the manager(s) are responsive.
# If either are not, then (re)deployment is not feasible, so return an exit code of 2 so as to not trigger the attempt of such.
tprobe $WazuhMgr 1514
tprobe $WazuhRegMgr 1515

#
# Is the agent presently really connected to the Wazuh manager?
#
if [[ ! `grep "'connected'" /Library/Ossec/var/run/ossec-agentd.state 2> /dev/null` ]]; then
        if [ $Debug == 1 ]; then echo "*** The Wazuh agent is not connected to the Wazuh manager."; fi
                if [ $CheckOnly == 1 ]; then
                        exit 1
                else
                        deploysuite
                fi
else
        if [ $Debug == 1 ]; then echo "The Wazuh agent is connected to the Wazuh manager."; fi
fi

#
# Connected to the right manager?
#
CURR_MGR=`grep address /Library/Ossec/etc/ossec.conf | sed -E 's/.*[>]([^<]+).*/\1/'`
if  [[ "$CURR_MGR" != "$WazuhMgr" ]]; then
        if [ $Debug == 1 ]; then echo "The Wazuh agent is not connected to the right manager."; fi 
                if [ $CheckOnly == 1 ]; then
                        exit 1
                else
                        deploysuite
                fi
else
        if [ $Debug == 1 ]; then echo "The Wazuh agent is connected to the right manager."; fi
fi        

#
# Is the agent currently a member of all intended Wazuh agent groups, and no others?
#
if [ "$WazuhGroups" != "#NOGROUP#" ]; then
        WazuhGroupsPrefix="macos,macos-local,"
        if [ "$SkipOsquery" == 0 ]; then
                WazuhGroupsPrefix="${WazuhGroupsPrefix}osquery,osquery-local,"
        fi
                WazuhGroupsPrefix="${WazuhGroupsPrefix}org,"
                WazuhGroups="${WazuhGroupsPrefix}$WazuhGroups"
        # If there were no additional groups, strip off the trailing comma in the list.
        WazuhGroups=`echo $WazuhGroups | sed 's/,$//'`
        CURR_GROUPS=`echo \`grep "<\!-- Source file: " /Library/Ossec/etc/shared/merged.mg | cut -d" " -f4 | cut -d/ -f1 \` | sed 's/ /,/g'`
        if [ $Debug == 1 ]; then echo "Current agent groups: $CURR_GROUPS"; fi
        if [ $Debug == 1 ]; then echo "Target agent groups:  $WazuhGroups"; fi
        if [ "$CURR_GROUPS" != "$WazuhGroups" ]; then
                if [ $Debug == 1 ]; then echo "*** Current and target groups to not match."; fi
				if [ $CheckOnly == 1 ]; then
						exit 1
				else
						deploysuite
                        	fi
        else
                if [ $Debug == 1 ]; then echo "Current and target groups match."; fi
        fi
else
        if [ $Debug == 1 ]; then echo "Skipping the agent group check since no -WazuhGroups was provided."; fi
fi

#
# Is the target version of Wazuh agent installed?
#
if [[ ! `grep "\"v$WazuhVer\"" /Library/Ossec/etc/ossec-init.conf` ]]; then
        if [ $Debug == 1 ]; then echo "*** The running Wazuh agent does not appear to be at the desired version ($WazuhVer)."; fi
        		if [ $CheckOnly == 1 ]; then
				exit 1
			else
				deploysuite
                    	fi
else
        if [ $Debug == 1 ]; then echo "The running Wazuh agent appears to be at the desired version ($WazuhVer)."; fi
fi

#
# If not ignoring Osquery, is the target version of Osquery installed and running?
#
if [ "$SkipOsquery" == 0 ]; then
       if [[ ! `ps auxw | grep -v grep | egrep "osqueryd.*osquery-macos.conf"` ]]; then
                if [ $Debug == 1 ]; then echo "*** No osqueryd child process was found under the wazuh-modulesd process."; fi
                        if [ $CheckOnly == 1 ]; then
					exit 1
			else
                        		deploysuite
                        fi
        else
                if [ $Debug == 1 ]; then echo "Osqueryd was found running under the wazuh-modulesd process."; fi
        fi
        CURR_OSQ_VER=`/usr/local/bin/osqueryi --csv "select version from osquery_info;" | tail -n1`
        if [ ! "$CURR_OSQ_VER" == "$OsqueryVer" ]; then
                if [ $Debug == 1 ]; then echo "*** The version of Osquery running on this system ($CURR_OSQ_VER) is not the target version ($OsqueryVer)."; fi
                        if [ $CheckOnly == 1 ]; then
					exit 1
			else
                        		deploysuite
                        fi
        else
                if [ $Debug == 1 ]; then echo "The target version of Osquery is running on this system."; fi
        fi
else
        if [ $Debug == 1 ]; then echo "Ignoring Osquery..."; fi
fi

#
# Passed!
#
if [ $Debug == 1 ]; then echo "All appears current on this system with respect to the Wazuh MacOS agent suite."; fi
exit 0
}

# Deploy function
function deploysuite() {
if [ "$WazuhGroups" == "#NOGROUP#" ]; then
        GROUPS_SKIPPED=1
        WazuhGroups=""
else
        GROUPS_SKIPPED=0
fi

if [ -f /etc/nsm/securityonion.conf ]; then
        echo -e "\n*** This deploy script cannot be used on a system where Security Onion is installed."
        show_usage
        exit 2
fi
if [[ `grep server /Library/Ossec/etc/ossec-init.conf` ]]; then
        echo -e "\n*** This deploy script cannot be used on a system where Wazuh manager is already installed."
        show_usage
        exit 2
fi

if [ "$WazuhMgr" == "" ]; then
        echo -e "\n*** WazuhMgr variable must be used to specify the FQDN or IP of the Wazuh manager to which the agent shall retain a connection."
	show_usage
        exit 2
fi

if [ "$WazuhRegPass" == "" ]; then
        echo -e "\n*** WazuhRegPass variable must be used to specify the password to use for agent registration."
        show_usage
        exit 2
fi

if [[ "$WazuhVer" == "" && "$WazuhSrc" == "" ]]; then
        echo -e "\n*** Must use '-WazuhVer' or '-WazuhSrc' to specify which Wazuh agent to (re)install (and possibly download first)."
        show_usage
        exit 2
fi

if [[ "$WazuhVer" != "" && "$WazuhSrc" != "" ]]; then
        echo -e "\n*** Must use either '-WazuhVer' or '-WazuhSrc' (not both) to specify which Wazuh agent to (re)install (and possibly download first)."
        show_usage
        exit 2
fi

if [[ "$WazuhRegMgr" == "" ]]; then
        WazuhRegMgr="$WazuhMgr"
fi

# Work up the full set of Wazuh agent groups including dynamically set prefix plus custom extras.
WazuhGroupsPrefix="macos,macos-local,"
if [ "$SkipOsquery" == "0" ]; then
        WazuhGroupsPrefix="${WazuhGroupsPrefix}osquery,osquery-local,"
fi
WazuhGroupsPrefix="${WazuhGroupsPrefix}org,"
WazuhGroups="${WazuhGroupsPrefix}$WazuhGroups"
# If there were no additional groups, strip off the trailing comma in the list.
WazuhGroups=`echo $WazuhGroups | sed 's/,$//'`

if [ "$WazuhSrc" == "" ]; then
	WazuhMajorVer=`echo $WazuhVer | cut -c1`
	if [ "$WazuhMajorVer" == "3" ]; then
		mDirName="osx"
	else
		mDirName="macos"
	fi
	WazuhSrc="https://packages.wazuh.com/$WazuhMajorVer.x/$mDirName/wazuh-agent-$WazuhVer-1.pkg"
fi

if [[ "$OsqueryVer" == "" && "$SkipOsquery" == 0 && "$OsquerySrc" == "" ]]; then
        echo -e "\n*** Must use '-OsqueryVer' or '-OsquerySrc' or '-SkipOsquery' to indicate if/how to handle Osquery (re)installation/removal."
        show_usage
        exit 2
fi

if [[ "$OsqueryVer" != "" && "$OsquerySrc" != "" ]]; then
        echo -e "\n*** Cannot specify both '-OsqueryVer' and '-OsquerySrc'."
        show_usage
        exit 2
fi


if [ "$OsquerySrc" == "" ]; then
        OsquerySrc="https://pkg.osquery.io/darwin/osquery-${OsqueryVer}.pkg"
fi

# If no custom agent name specified, use the internal hostname.
if [ "$WazuhAgentName" == "" ]; then
        WazuhAgentName=`hostname`
fi

cd ~

# Take note if agent is already connected to a Wazuh manager and collect relevant data
ALREADY_CONNECTED=0
if [[ `cat /Library/Ossec/var/run/ossec-agentd.state 2> /dev/null | grep "'connected'"` ]]; then
        ALREADY_CONNECTED=1
        OLDNAME=`cut -d" " -f2 /Library/Ossec/etc/client.keys 2> /dev/null`
        CURR_GROUPS=`echo \`grep "<\!-- Source file: " /Library/Ossec/etc/shared/merged.mg | cut -d" " -f4 | cut -d/ -f1 \` | sed 's/ /,/g'`
	CURR_MGR=`grep address /Library/Ossec/etc/ossec.conf | sed -E 's/.*[>]([^<]+).*/\1/'`
        rm -f /tmp/client.keys 2> /dev/null
        cp -p /Library/Ossec/etc/client.keys /tmp/
fi

if [ $Debug == 1 ]; then
        echo -e "\nWazuhMgr: $WazuhMgr"
        echo "WazuhRegMgr: $WazuhRegMgr"
        echo "WazuhRegPass: $WazuhRegPass"
        echo "WazuhVer: $WazuhVer"
        echo "WazuhAgentName: $WazuhAgentName"
        echo "WazuhSrc: $WazuhSrc"
        echo "OsqueryVer: $OsqueryVer"
        echo "OsquerySrc: $OsquerySrc"
        echo "SkipOsquery: $SkipOsquery"
        echo "ALREADY_CONNECTED: $ALREADY_CONNECTED"
        echo "OLDNAME: $OLDNAME"
        echo "WazuhGroups: $WazuhGroups"
        echo "CURR_GROUPS: $CURR_GROUPS"
        echo -e "GROUPS_SKIPPED: $GROUPS_SKIPPED\n"
fi

uninstallsuite

# Dynamically generate a Wazuh config profile name for the major and minor version of a given MacOS, like macos_10, macos10.14.
CFG_PROFILE="macos_`sw_vers -productVersion | cut -d. -f1`, macos_`sw_vers -productVersion | cut -d. -f1-2`"

# Wazuh Agent remove/download/install
rm -f wazuh-agent-$WazuhVer-1.pkg
curl --insecure $WazuhSrc > wazuh-agent-$WazuhVer-1.pkg 
installer -pkg wazuh-agent-$WazuhVer-1.pkg -target /
rm -f wazuh-agent-$WazuhVer-1.pkg

#
# If we can safely skip self registration and just restore the backed up client.keys file, then do so. Otherwise, self-register.
# This should keep us from burning through so many agent ID numbers.
# Furthermore, when re-registering, if -WazuhGroups was not specified and an existing set of group memberships is detected and the agent is presently connected,
# then preserve those groups during the re-registration instead of rebuilding a standard group list.
#
if [ "$ALREADY_CONNECTED" == "1" ]; then
        if [[ "$WazuhAgentName" == "$OLDNAME" && "$CURR_MGR" == "$WazuhMgr" && ( "$CURR_GROUPS" == "$WazuhGroups" || "$GROUPS_SKIPPED" == "1" ) ]]; then
                echo "Old and new agent registration names, groups and manager match."
                cp -p /tmp/client.keys /Library/Ossec/etc/
        else
                echo "Registration information has changed."
                if [[  "$GROUPS_SKIPPED" == "1" && "$CURR_GROUPS" != "" ]]; then
                        /Library/Ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$CURR_GROUPS" -A "$WazuhAgentName"
                else
                        /Library/Ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$WazuhGroups" -A "$WazuhAgentName"
                fi
        fi
else
        if [[  "$GROUPS_SKIPPED" == "1" && "$CURR_GROUPS" != "" ]]; then
                /Library/Ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$CURR_GROUPS" -A "$WazuhAgentName"
        else
                /Library/Ossec/bin/agent-auth -m "$WazuhRegMgr" -P "$WazuhRegPass" -G "$WazuhGroups" -A "$WazuhAgentName"
        fi
fi

#
# If not set to be skipped, download and install osquery.
#
rm -f osquery-${OsqueryVer}.pkg
if [ "$SkipOsquery" == 0 ]; then
        curl --insecure $OsquerySrc > osquery-${OsqueryVer}.pkg
        installer -pkg osquery-${OsqueryVer}.pkg -target /
        rm -f osquery-${OsqueryVer}.pkg
fi

#
# Dynamically generate ossec.conf
#
echo "
<ossec_config>
  <client>
    <server>
      <address>$WazuhMgr</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>$CFG_PROFILE</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>    
    <enrollment>
        <enabled>no</enabled>
    </enrollment>
  </client>
  <logging>
    <log_format>plain, json</log_format>
  </logging>
</ossec_config>
" > /Library/Ossec/etc/ossec.conf

#
# Dynamically generate local_internal_options.conf
#
echo "
# Logcollector - If it should accept remote commands from the manager
logcollector.remote_commands=1

# Wazuh Command Module - If it should accept remote commands from the manager
wazuh_command.remote_commands=1

# Enable it to accept execute commands from SCA policies pushed from the manager in the shared configuration
# Local policies ignore this option
sca.remote_commands=1
" > /Library/Ossec/etc/local_internal_options.conf

# Restart the Wazuh agent (and Osquery subagent)
/Library/Ossec/bin/ossec-control stop
/Library/Ossec/bin/ossec-control start

echo "Waiting 15 seconds before checking connection status to manager..."
sleep 15

# Restart the Wazuh agent a second time so that now-acquired macosToWazuh.py starts this time around
/Library/Ossec/bin/ossec-control stop
/Library/Ossec/bin/ossec-control start

sleep 5

if [[ `cat /Library/Ossec/logs/ossec.log | grep "Connected to the server "` ]]; then
        echo "Agent has successfully reported into the manager."
else
        echo "Something appears to have gone wrong.  Agent is not connected to the manager."
        exit 2
fi
}

if [[ ! `ps auxw | grep -v grep | grep macosToWazuh.py` ]]; then
	echo "However, the macosToWazuh.py log collector is not actually running as it should be at this point."
	exit 2
fi


if [ $Install == 1 ]; then
        deploysuite
elif [ $Uninstall == 1 ]; then
        uninstallsuite
else
        checksuite
fi