#!/bin/bash
#
# OSSEC container bootstrap. See the README for information about the environment
# variables expected by this script.
#
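# DATA_DIRS (an array of directory names that live under /var/ossec) comes from
# this file; without it nothing below would be installed, so fail loudly.
source /data_dirs.env || { echo "Cannot read /data_dirs.env" >&2; exit 1; }
FIRST_TIME_INSTALLATION=false
DATA_PATH=/var/ossec/data
# Seed each persistent data directory from its *-template copy the first time
# the data volume is used. Paths are quoted so names with spaces cannot be
# split into several arguments.
for ossecdir in "${DATA_DIRS[@]}"; do
  if [[ ! -e "${DATA_PATH}/${ossecdir}" ]]; then
    echo "Installing ${ossecdir}"
    cp -pr "/var/ossec/${ossecdir}-template" "${DATA_PATH}/${ossecdir}"
    FIRST_TIME_INSTALLATION=true
  fi
done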
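#
# Make sure the process_list file exists and is group-writable by ossec. A
# missing process_list on its own does not count as a first-time installation.
#
touch "${DATA_PATH}/process_list"
chgrp ossec "${DATA_PATH}/process_list"
chmod g+rw "${DATA_PATH}/process_list"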
#
# Defaults for the optional features. Auto-enrollment (ossec-authd) is on
# unless AUTO_ENROLLMENT_ENABLED says otherwise; SMTP alerting defaults to on
# exactly when ALERTS_TO_EMAIL is set, and SMTP_ENABLED can override that.
#
AUTO_ENROLLMENT_ENABLED=${AUTO_ENROLLMENT_ENABLED:-true}
if [[ -n "$ALERTS_TO_EMAIL" ]]; then
  SMTP_ENABLED_DEFAULT=true
else
  SMTP_ENABLED_DEFAULT=false
fi
SMTP_ENABLED=${SMTP_ENABLED:-$SMTP_ENABLED_DEFAULT}
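#
# If this is a first time installation, then do the special configuration
# steps: authd key material, SMTP (via debconf) and syslog forwarding.
#
if [[ "$FIRST_TIME_INSTALLATION" == true ]]; then
  #
  # Support auto-enrollment if configured: ossec-authd needs a key and a
  # self-signed certificate, generated once and kept in the data volume.
  #
  if [[ "$AUTO_ENROLLMENT_ENABLED" == true ]]; then
    if [[ ! -e "${DATA_PATH}/etc/sslmanager.key" ]]; then
      echo "Creating ossec-authd key and cert"
      # NOTE(review): the key file gets whatever mode the process umask allows;
      # confirm the resulting permissions are restricted to the owner.
      openssl genrsa -out "${DATA_PATH}/etc/sslmanager.key" 4096
      openssl req -new -x509 -key "${DATA_PATH}/etc/sslmanager.key" \
        -out "${DATA_PATH}/etc/sslmanager.cert" -days 3650 \
        -subj "/CN=${HOSTNAME}/"
    fi
  fi
  #
  # Support SMTP, if configured. The debconf answers are collected in a
  # private temporary file rather than a fixed, predictable path in /tmp.
  #
  debconf_selections=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
  if [[ "$SMTP_ENABLED" == true ]]; then
    if [[ -z "$SMTP_RELAY_HOST" || -z "$ALERTS_TO_EMAIL" ]]; then
      echo "Unable to configure SMTP, SMTP_RELAY_HOST or ALERTS_TO_EMAIL not defined" >&2
      SMTP_ENABLED=false
    else
      ALERTS_FROM_EMAIL=${ALERTS_FROM_EMAIL:-ossec_alerts@$HOSTNAME}
      {
        echo "d-i ossec-hids/email_notification boolean yes"
        echo "d-i ossec-hids/email_from string $ALERTS_FROM_EMAIL"
        echo "d-i ossec-hids/email_to string $ALERTS_TO_EMAIL"
        echo "d-i ossec-hids/smtp_server string $SMTP_RELAY_HOST"
      } >> "$debconf_selections"
    fi
  fi
  if [[ "$SMTP_ENABLED" == false ]]; then
    echo "d-i ossec-hids/email_notification boolean no" >> "$debconf_selections"
  fi
  # Only reconfigure the package when an answer was actually recorded.
  if [[ -s "$debconf_selections" ]]; then
    debconf-set-selections "$debconf_selections"
    dpkg-reconfigure -f noninteractive ossec-hids
    /var/ossec/bin/ossec-control stop
  fi
  rm -f -- "$debconf_selections"
  #
  # Support SYSLOG forwarding, if configured. The documented variable name
  # carries a historical typo (FORWADING); the correctly spelled name is
  # accepted as a fallback so both work.
  #
  SYSLOG_FORWADING_ENABLED=${SYSLOG_FORWADING_ENABLED:-${SYSLOG_FORWARDING_ENABLED:-false}}
  if [[ "$SYSLOG_FORWADING_ENABLED" == true ]]; then
    if [[ -z "$SYSLOG_FORWARDING_SERVER_IP" ]]; then
      echo "Cannot setup sylog forwarding because SYSLOG_FORWARDING_SERVER_IP is not defined" >&2
    else
      SYSLOG_FORWARDING_SERVER_PORT=${SYSLOG_FORWARDING_SERVER_PORT:-514}
      SYSLOG_FORWARDING_FORMAT=${SYSLOG_FORWARDING_FORMAT:-default}
      # Build the snippet with real newlines (the previous version relied on
      # perl turning literal "\n" sequences into newlines).
      printf -v syslog_xml_snippet \
        '<syslog_output>\n<server>%s</server>\n<port>%s</port>\n<format>%s</format>\n</syslog_output>' \
        "$SYSLOG_FORWARDING_SERVER_IP" "$SYSLOG_FORWARDING_SERVER_PORT" "$SYSLOG_FORWARDING_FORMAT"
      # The snippet reaches perl through the environment instead of being
      # interpolated into the perl program text, so characters such as ',',
      # '$', '@' or '\' in the configured values cannot alter the substitution.
      SYSLOG_XML_SNIPPET="$syslog_xml_snippet" \
        perl -pe 's,<ossec_config>,<ossec_config>\n$ENV{SYSLOG_XML_SNIPPET}\n,' \
        /var/ossec/etc/ossec.conf > /var/ossec/etc/ossec.conf-new
      mv -f /var/ossec/etc/ossec.conf-new /var/ossec/etc/ossec.conf
      chgrp ossec /var/ossec/etc/ossec.conf
      /var/ossec/bin/ossec-control enable client-syslog
    fi
  fi
fi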
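#######################################
# Stop OSSEC and the ossec-authd process started by this script.
# Globals:   AUTO_ENROLLMENT_ENABLED (read), AUTHD_PID (read)
# Returns:   status of the last command run
#######################################
ossec_shutdown() {
  /var/ossec/bin/ossec-control stop
  # AUTHD_PID is only assigned once ossec-authd has been launched; guard
  # against an empty value so a shutdown triggered before that point does not
  # call kill without a pid.
  if [[ "$AUTO_ENROLLMENT_ENABLED" == true && -n "${AUTHD_PID:-}" ]]; then
    kill "$AUTHD_PID"
  fi
}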
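# Trap exit signals and do a proper shutdown
trap 'ossec_shutdown; exit' SIGINT SIGTERM
#
# Startup the services
#
chmod -R g+rw "${DATA_PATH}/logs/" "${DATA_PATH}/stats/" "${DATA_PATH}/queue/" \
  "${DATA_PATH}/etc/client.keys"
chown -R ossec:ossec /var/ossec/
/var/ossec/bin/ossec-control start
if [[ "$AUTO_ENROLLMENT_ENABLED" == true ]]; then
  echo "Starting ossec-authd..."
  # AUTHD_OPTIONS is intentionally left unquoted so it can carry several
  # options. authd's stdout/stderr are discarded here; redirect them to a log
  # file if enrollment attempts need to be visible in the container logs.
  # shellcheck disable=SC2086
  /var/ossec/bin/ossec-authd -p 1515 -g ossec $AUTHD_OPTIONS >/dev/null 2>&1 &
  AUTHD_PID=$!
fi
sleep 15 # give ossec a reasonable amount of time to start before checking status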
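LAST_OK_DATE=$(date +%s)
#
# Watch the services in a loop and exit if one of them stops.
#
# Note that ossec-execd is never expected to run here, and ossec-maild only
# runs when SMTP is enabled, so those are excluded from the check.
# ossec-authd (AUTHD_PID) is not covered by this check.
#
#######################################
# Report whether every expected OSSEC daemon is running.
# Globals:   SMTP_ENABLED (read)
# Returns:   0 if no daemon is reported as " not running", 1 otherwise
#######################################
ossec_status_ok() {
  local status_output
  if [[ "$SMTP_ENABLED" == true ]]; then
    status_output=$(/var/ossec/bin/ossec-control status | sed '/ossec-execd/d')
  else
    status_output=$(service ossec status | sed '/ossec-maild/d; /ossec-execd/d')
  fi
  # The previous check ended the pipeline in "test -z", which does not read
  # stdin and always succeeds, so the watchdog below could never fire.
  ! grep -q ' not running' <<<"$status_output"
}
while true; do
  if ossec_status_ok; then
    LAST_OK_DATE=$(date +%s)
  else
    CUR_TIME=$(date +%s)
    # Allow ossec to not return an ok status for up to 15 seconds
    # before worrying.
    if (( CUR_TIME - LAST_OK_DATE > 15 )); then
      echo "ossec not properly running! exiting..." >&2
      ossec_shutdown
      exit 1
    fi
  fi
  sleep 1
done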