#!/usr/bin/env bash
# Installs and configures the Lacework datacollector agent on a host.
# Meant to run from an AWS SSM Document: every '{{ ... }}' placeholder below
# is substituted by SSM before the script executes, so the values are
# operator supplied and arrive here as plain string literals.
#
# Only -e is set: -u would trip on the optional, unassigned `_flags` local in
# install_lacework_agent, so do not add it without fixing that first.
set -e
# Variables coming from the SSM Document
LACEWORK_INSTALL_PATH='{{ LaceworkInstallPath }}'
LACEWORK_TEMP_PATH='{{ LaceworkTempPath }}'
TAGS='{{ Tags }}'
BUILD_HASH='{{ Hash }}'
SERVER_URL='{{ Serverurl }}'
ADDITIONAL_CONFIG='{{ AdditionalConfig }}'
# TODO: Fetch the token from AWS SSM Parameter Store instead of
# taking it in as a Command parameter (avoid leaks in the AWS Console)
# NOTE(review): besides the console, the token is written into
# config.json and passed as an argv to install.sh further down, so it is
# also exposed to anyone who can read that file or list processes while
# the installer runs.
TOKEN='{{ Token }}'
ENABLE_DEFAULT_SYSCALL_CONFIG='{{ EnableDefaultSyscallConfig }}'
# Global variables
# Downloader command line chosen by get_curl (curl, wget or busybox wget).
# It is deliberately expanded unquoted where used, so it must stay a plain
# space-separated command line with no shell-special characters.
_curl=''
main() {
  # Entry point: choose a downloader, validate the inputs and the host,
  # install the agent, write its config files and make sure the service
  # is running. Every step aborts the script on failure.
  get_curl
  verify_valid_token
  verify_valid_host
  install_lacework_agent
  render_agent_config
  # The default syscall policy is opt-in via the SSM parameter.
  case "$ENABLE_DEFAULT_SYSCALL_CONFIG" in
    true) add_default_syscall_config ;;
  esac
  verify_agent_running
  printf '%s\n' "Lacework configured successfully!"
}
command_exists() {
  # Succeeds when the named command(s) resolve (binary, builtin or
  # function); all lookup output is discarded so callers can use it
  # directly as a condition.
  command -v "$@" >/dev/null 2>&1 && return 0
  return 1
}
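get_curl() {
  # Pick the first available HTTP client and store its command line in the
  # global `_curl`. The client is configured so that:
  #   - an HTTP error (404, 5xx) makes the download FAIL instead of handing
  #     back an error page that would later be executed as the installer
  #     (curl needs -f for this; GNU and busybox wget already fail on it);
  #   - redirects are only followed over HTTPS, so the installer cannot be
  #     downgraded to plaintext by a redirect (curl --proto/--proto-redir,
  #     wget --https-only; busybox wget has no such option).
  # Aborts when no client exists: leaving `_curl` empty would otherwise
  # make the download step fail with a confusing "command not found" after
  # creating an empty installer file.
  if command_exists curl; then
    _curl='curl -fsSL --proto =https --proto-redir =https'
  elif command_exists wget; then
    _curl='wget -qO- --https-only'
  elif command_exists busybox && busybox --list-modules | grep -q wget; then
    _curl='busybox wget -qO-'
  else
    echo "No HTTP client found (curl, wget or busybox wget is required), aborting!" >&2
    exit 1
  fi
}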
notify_use_docker() {
  # Kubernetes nodes must not get the host agent: point at the Kubernetes
  # deployment docs and stop. This is not an error, hence exit 0.
  local _docs='https://support.lacework.com/hc/en-us/articles/360005263034-Deploy-on-Kubernetes'
  printf '%s\n' "This host appears to be a Kubernetes node, please use the Kubernetes deployment method (${_docs})."
  exit 0
}
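render_agent_config() {
  # Assemble $LACEWORK_INSTALL_PATH/config/config.json from the globals
  # TOKEN, SERVER_URL, ADDITIONAL_CONFIG and TAGS.
  #
  # The values are spliced into the JSON text as-is, without escaping: a
  # '"' or backslash in any of them yields an invalid file. They come from
  # the SSM document (operator supplied), so treat this as a correctness
  # hazard to keep in mind when adding parameters.
  #
  # The file carries the agent access token, so it is created with a
  # restrictive umask and pinned to mode 0600 rather than the default
  # (typically world-readable) umask result.
  # NOTE(review): this assumes the datacollector reads its config as root;
  # if the agent ever runs unprivileged the mode needs revisiting.
  local _config_json
  local _token_json
  local _server_url_json
  local _additional_config_json
  local _tags_json
  local _config_dir="$LACEWORK_INSTALL_PATH/config"
  local _config_file="$_config_dir/config.json"

  # Token
  _token_json='"tokens": { "AccessToken": "'$TOKEN'" },'
  # Server URL
  if [ "$SERVER_URL" != "" ]; then
    _server_url_json='"serverurl": "'$SERVER_URL'",'
  fi
  # Additional Config Json: expected to be a JSON object literal; its
  # first and last characters (the outer braces) are dropped so that its
  # members merge into the top-level object.
  if [ "$ADDITIONAL_CONFIG" != "" ]; then
    _additional_config_json="${ADDITIONAL_CONFIG:1:-1},"
  fi
  # Tags
  _tags_json='"tags": '${TAGS:-"{}"}

  # Render config.json
  #
  # NOTE: We must leave the $_tags_json as the last element of the config.json
  # file since it doesn't have a ',' at the end that that will generate
  # a valid JSON
  _config_json="{
${_token_json}
${_server_url_json}
${_additional_config_json}
${_tags_json}
}"

  echo "Updating the Lacework agent config.json file..."
  if [ ! -d "$_config_dir" ]; then
    mkdir "$_config_dir"
  fi
  # Create/truncate under umask 077 so a new file never starts out readable
  # by others, then pin the mode in case the file already existed.
  ( umask 077 && printf '%s\n' "$_config_json" > "$_config_file" )
  chmod 600 "$_config_file"
}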
add_default_syscall_config() {
  # Write the opt-in default syscall policy to
  # $LACEWORK_INSTALL_PATH/config/syscall_config.yaml (overwriting any
  # existing file). The document is YAML, so the indentation inside the
  # string is significant.
  #
  # What is visible here: exec/initmod/finitmod events are grouped by
  # "none", and the etype.file section lists watch paths for SSH
  # authorized_keys, cron, systemd, init.d/rc, /etc/shadow*, the Lacework
  # state directory, /etc/passwd and sshd_config, some restricted to
  # create/modify and some with a depth limit. The exact meaning of each
  # key is defined by the agent, not by this script.
  local _syscall_config_yaml
  # Default syscall config
  _syscall_config_yaml="""
etype.exec:
  group-by:
    - none
etype.initmod:
  group-by:
    - none
etype.finitmod:
  group-by:
    - none
etype.file:
  send-if-matches:
    user-authorized-keys:
      watchpath: /home/*/.ssh/authorized_keys
      watchfor: create, modify
    root-authorized-keys:
      watchpath: /root/.ssh/authorized_keys
      watchfor: create, modify
    cronfiles:
      watchpath: /etc/cron*
      depth: 2
    systemd:
      watchpath: /etc/systemd/*
      depth: 2
    boot-initd:
      watchpath: /etc/init.d/*
      depth: 2
    boot-rc:
      watchpath: /etc/rc*
      depth: 2
    shadow-file:
      watchpath: /etc/shadow*
    watchlacework:
      watchpath: /var/lib/lacework
      depth: 2
    watchpasswd:
      watchpath: /etc/passwd
    watchsshconfig:
      watchpath: /etc/ssh/sshd_config
      watchfor: create, modify
"""
  echo "Updating the Lacework agent syscall_config.yaml file..."
  # The config dir may not exist yet when this runs before (or without)
  # render_agent_config having created it.
  if [ ! -d "$LACEWORK_INSTALL_PATH/config" ]; then
    mkdir "$LACEWORK_INSTALL_PATH/config"
  fi
  echo "$_syscall_config_yaml" > "$LACEWORK_INSTALL_PATH/config/syscall_config.yaml"
}
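install_lacework_agent() {
  # Download and run Lacework's install.sh unless the datacollector binary
  # already exists under $LACEWORK_INSTALL_PATH.
  #
  # Reads the globals _curl, BUILD_HASH, SERVER_URL, TOKEN and
  # LACEWORK_TEMP_PATH. The installer is fetched over HTTPS but its content
  # is not signature-checked (see TODO below), so the TLS connection is the
  # only integrity guarantee for a script that is then run under sudo.
  local _install_sh
  local _installer
  local _flags=()

  # Check if Lacework is pre-installed. If not installed, install.
  if [ -f "$LACEWORK_INSTALL_PATH/datacollector" ]; then
    return 0
  fi
  echo "Lacework agent not installed, installing..."

  # Fail clearly rather than letting an empty $_curl turn the URL into a
  # "command not found" after an empty installer file has been created.
  if [ -z "$_curl" ]; then
    echo "No HTTP client available to download the Lacework installer, aborting!" >&2
    exit 1
  fi

  # A build hash pins a specific release; otherwise the latest installer
  # is used. BUILD_HASH is operator supplied via SSM and is not validated
  # here, so it goes into the URL as given.
  _install_sh="https://packages.lacework.net/install.sh"
  if [ "$BUILD_HASH" != "" ]; then
    _install_sh="https://updates.lacework.net/${BUILD_HASH}/install.sh"
  fi

  # Use a fresh, unpredictable, 0600 file instead of the fixed
  # $LACEWORK_TEMP_PATH/install.sh: a fixed name in a shared directory lets
  # a local user pre-create the file (or a symlink) or swap its content
  # between the download and the sudo run below.
  _installer=$(mktemp "$LACEWORK_TEMP_PATH/install.XXXXXX") || exit 1

  # TODO: Verify the signature of the install.sh script
  # shellcheck disable=SC2086 -- $_curl intentionally holds a command line
  if ! $_curl "$_install_sh" >"$_installer"; then
    rm -f -- "$_installer"
    echo "Failed to download ${_install_sh}, aborting!" >&2
    exit 1
  fi
  chmod +x "$_installer"

  # Pass flag '-U' when a server URL is provided
  if [ "$SERVER_URL" != "" ]; then
    _flags=(-U "$SERVER_URL")
  fi
  # NOTE: the token travels as an argv to the installer, so it is visible
  # in the process list for the duration of the install.
  if ! sudo "$_installer" "$TOKEN" "${_flags[@]}"; then
    rm -f -- "$_installer"
    echo "Lacework agent installation failed, aborting!" >&2
    exit 1
  fi
  rm -f -- "$_installer"
}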
verify_agent_running() {
  # Ensure the datacollector service is enabled and running, preferring
  # systemd and falling back to SysV `service`. Does nothing when neither
  # tool is present.
  local _unit=datacollector
  if command_exists systemctl; then
    systemctl is-active --quiet "$_unit" && return 0
    echo "Enabling the Lacework ${_unit} service"
    systemctl enable "$_unit"
    echo "Starting the Lacework ${_unit} service"
    systemctl start "$_unit"
  elif command_exists service; then
    service "$_unit" status && return 0
    echo "Starting the Lacework ${_unit} service"
    service "$_unit" start
  fi
}
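verify_valid_host() {
  # Refuse to run on a Kubernetes node: a kubelet unit (systemd) or service
  # (SysV) means the Kubernetes deployment method should be used instead.
  # Aborts when neither systemctl nor service exists, because the check
  # cannot be made at all.
  # NOTE(review): some init implementations print `service --status-all`
  # to stderr, which this pipe would not see — confirm on the target
  # distributions.
  if command_exists systemctl; then
    # -F: literal match; -q: do not echo matching unit lines into the SSM
    # command output (same flags as the SysV branch below).
    if systemctl list-unit-files | grep -Fq kubelet; then
      notify_use_docker
    fi
  elif command_exists service; then
    if service --status-all | grep -Fq 'kubelet'; then
      notify_use_docker
    fi
  else
    echo "Cannot check if this host is a Kubernetes node, aborting!"
    exit 1
  fi
}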
verify_valid_token() {
  # Abort unless an agent access token was supplied (global TOKEN).
  [ -n "$TOKEN" ] && return 0
  echo "Lacework agent access token was empty, aborting!"
  exit 1
}
# Run the installer; main takes no parameters, "$@" is passed by convention.
main "$@"