Alex-Devera/tpotce
1
0
Fork 0
mirror of https://github.com/telekom-security/tpotce.git synced 2025-04-20 06:02:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

continue working on env, tpotinit and deploy

Browse source
This commit is contained in:
t3chn0m4g3 2024-02-23 16:41:52 +01:00
parent 72fd6d963b
commit 31f09413e0
3 changed files with 99 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
docker-compose.yml
View file

@ -628,7 +628,7 @@ services:
################## ##################
#### Tools #### Tools
################## ##################
#### ELK #### ELK

95
docker/tpotinit/dist/entrypoint.sh vendored
View file

@ -11,7 +11,7 @@ check_var() {
# Check if variable is set and not empty # Check if variable is set and not empty
if [[ -z "$var_value" ]]; if [[ -z "$var_value" ]];
then then
echo "# Error: $var_name is not set or empty. Please check T-Pot config file (.env)." echo "# Error: $var_name is not set or empty. Please check T-Pot .env config."
echo echo
echo "# Aborting" echo "# Aborting"
exit 1 exit 1
@ -26,27 +26,28 @@ check_safety() {
# General safety check for most variables # General safety check for most variables
if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]]; if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
then then
echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot config file (.env)." echo "# Error: Unsafe characters detected in $var_name. Please check T-Pot .env config."
echo echo
echo "# Aborting" echo "# Aborting"
exit 1 exit 1
fi fi
} }
# Function to check the safety of the WEB_USER variable validate_base64() {
check_web_user_safety() { local myCHECK=$1
local web_user="$1" # base64 pattern match
local IFS=$'\n' # Set the Internal Field Separator (IFS) to newline for the loop for i in ${myCHECK};
do
# Iterate over each line in web_user if [[ $i =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]];
for user in $web_user; do then
# Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash) echo -n "Found valid user: "
if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then echo $i | base64 -d -w0 | cut -f1 -d":"
echo "# Error: Unsafe characters / wrong format detected in (LS_)WEB_USER for user $user. Please check T-Pot config file (.env)." else
echo echo "$i is not a valid base64 string. Please check T-Pot .env config."
echo "# Aborting" echo
exit 1 echo "# Aborting"
fi exit 1
fi
done done
} }
@ -59,15 +60,12 @@ validate_format() {
TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT) TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT)
if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]]; if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
then then
echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot config file (.env)." echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false. Please check T-Pot .env config."
echo echo
echo "# Aborting" echo "# Aborting"
exit 1 exit 1
fi fi
;; ;;
*)
# Add additional specific format checks here if necessary
;;
esac esac
} }
@ -81,26 +79,12 @@ validate_ip_or_domain() {
local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$' local domainRegex='^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$'
# Check if TPOT_HIVE_IP matches IPv4 or domain name # Check if TPOT_HIVE_IP matches IPv4 or domain name
if [[ $myCHECK =~ $ipv4Regex ]]; then if [[ ${myCHECK} =~ $ipv4Regex ]]; then
echo "$myCHECK is a valid IPv4 address." echo "${myCHECK} is a valid IPv4 address."
elif [[ $myCHECK =~ $domainRegex ]]; then elif [[ ${myCHECK} =~ $domainRegex ]]; then
echo "$myCHECK is a valid domain name." echo "${myCHECK} is a valid domain name."
else else
echo "# Error: $myCHECK is not a valid IPv4 address or domain name. Please check T-Pot config file (.env)." echo "# Error: $myCHECK is not a valid IPv4 address or domain name. Please check T-Pot .env config."
echo
echo "# Aborting"
exit 1
fi
}
validate_base64() {
local myCHECK=$1
# Base64 pattern match
if [[ $myCHECK =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$ ]]; then
echo "$myCHECK is a valid Base64 string."
else
echo "$myCHECK is not a valid Base64 string. Please check T-Pot config file (.env)"
echo echo
echo "# Aborting" echo "# Aborting"
exit 1 exit 1
@ -109,10 +93,29 @@ validate_base64() {
create_web_users() { create_web_users() {
echo echo
echo "# Creating passwd files based on .env configuration ..." echo "# Creating passwd files based on T-Pot .env config ..."
echo # Clear / create the passwd files
echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd : > /data/nginx/conf/nginxpasswd
echo "${LS_WEB_USER}" > /data/nginx/conf/lswebpasswd : > /data/nginx/conf/lswebpasswd
for i in ${WEB_USER};
do
if [[ -n $i ]];
then
# Need to control newlines as they kept coming up for some reason
echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/nginxpasswd
echo >> /data/nginx/conf/nginxpasswd
fi
done
for i in ${LS_WEB_USER};
do
if [[ -n $i ]];
then
# Need to control newlines as they kept coming up for some reason
echo -n "$i" | base64 -d -w0 | tr -d '\n' >> /data/nginx/conf/lswebpasswd
echo >> /data/nginx/conf/lswebpasswd
fi
done
} }
# Check for compatible OSType # Check for compatible OSType
@ -123,7 +126,7 @@ myOSTYPE=$(uname -a | grep -Eo "linuxkit")
if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ]; if [ "${myOSTYPE}" == "linuxkit" ] && [ "${TPOT_OSTYPE}" == "linux" ];
then then
echo "# Docker Desktop for macOS or Windows detected." echo "# Docker Desktop for macOS or Windows detected."
echo "# 1. You need to adjust the OSType the T-Pot config file (.env)." echo "# 1. You need to adjust the OSType the T-Pot .env config."
echo "# 2. You need to use the macos or win docker compose file." echo "# 2. You need to use the macos or win docker compose file."
echo echo
echo "# Aborting." echo "# Aborting."
@ -143,7 +146,7 @@ if [ "${TPOT_TYPE}" == "HIVE" ];
then then
# No $ for check_var # No $ for check_var
check_var "WEB_USER" check_var "WEB_USER"
check_web_user_safety "$WEB_USER" validate_base64 "${WEB_USER}"
TPOT_HIVE_USER="" TPOT_HIVE_USER=""
TPOT_HIVE_IP="" TPOT_HIVE_IP=""
if [ "${LS_WEB_USER}" == "" ]; if [ "${LS_WEB_USER}" == "" ];
@ -151,7 +154,7 @@ if [ "${TPOT_TYPE}" == "HIVE" ];
echo "# Warning: No LS_WEB_USER detected! T-Pots of type SENSOR will not be able to submit logs to this HIVE." echo "# Warning: No LS_WEB_USER detected! T-Pots of type SENSOR will not be able to submit logs to this HIVE."
echo echo
else else
check_web_user_safety "$LS_WEB_USER" validate_base64 "${LS_WEB_USER}"
fi fi
fi fi
if [ "${TPOT_TYPE}" == "SENSOR" ]; if [ "${TPOT_TYPE}" == "SENSOR" ];

73
installer/install/deploy.sh Normal file → Executable file
View file

@ -1,9 +1,22 @@
#!/usr/bin/env bash #!/usr/bin/env bash
myANSIBLE_PORT=64295 myANSIBLE_PORT=64295
myANSIBLE_TPOT_PLAYBOOK="deploy.yml" myANSIBLE_TPOT_PLAYBOOK="installer/install/deploy.yml"
myADJECTIVE=$(shuf -n1 installer/install/a.txt)
myNOUN=$(shuf -n1 installer/install/n.txt)
myENV_FILE="$HOME/tpotce/.env" myENV_FILE="$HOME/tpotce/.env"
myDEPLOY=$(cat << "EOF"
____ [ T-Pot ] ____ _
/ ___| ___ _ __ ___ ___ _ __ | _ \ ___ _ __ | | ___ _ _
\___ \ / _ \ _ \/ __|/ _ \| __| | | | |/ _ \ _ \| |/ _ \| | | |
___) | __/ | | \__ \ (_) | | | |_| | __/ |_) | | (_) | |_| |
|____/ \___|_| |_|___/\___/|_| |____/ \___| .__/|_|\___/ \__, |
|_| |___/
EOF
)
# Check if the script is running in a HIVE installation # Check if the script is running in a HIVE installation
if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env"; if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
@ -12,25 +25,30 @@ if ! grep -q 'TPOT_TYPE=HIVE' "$HOME/tpotce/.env";
exit 1 exit 1
fi fi
# Ask if a T-Pot sensor was installed echo "${myDEPLOY}"
read -p "# Was a T-Pot sensor installed? (y/n): " mySENSOR_INSTALLED echo
echo "This script will prepare a T-Pot SENSOR installation to transmit logs into this HIVE."
echo
# Ask if a T-Pot SENSOR was installed
read -p "# Was a T-Pot SENSOR installed? (y/n): " mySENSOR_INSTALLED
if [[ ${mySENSOR_INSTALLED} != "y" ]]; if [[ ${mySENSOR_INSTALLED} != "y" ]];
then then
echo "# A T-Pot sensor must be installed to continue." echo "# A T-Pot SENSOR must be installed to continue."
exit 1 exit 1
fi fi
# Check if ssh key has been deployed # Check if ssh key has been deployed
read -p "# Has the SSH key been deployed to the sensor? (y/n): " mySSHKEY_DEPLOYED read -p "# Has the SSH key been deployed to the SENSOR? (y/n): " mySSHKEY_DEPLOYED
if [[ ${mySSHKEY_DEPLOYED} != "y" ]]; if [[ ${mySSHKEY_DEPLOYED} != "y" ]];
then then
echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the sensor with 'ssh-copy-id user@sensor-ip'." echo "# Generate a SSH key using 'ssh-keygen' and deploy it to the SENSOR with 'ssh-copy-id user@sensor-ip'."
exit 1 exit 1
fi fi
# Validate IP/domain name loop # Validate IP/domain name loop
while true; do while true; do
read -p "# Enter the IP/domain name of the sensor: " mySENSOR_IP read -p "# Enter the IP/domain name of the SENSOR: " mySENSOR_IP
if [[ ${mySENSOR_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]]; if [[ ${mySENSOR_IP} =~ ^([a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*\.[a-zA-Z]{2,})|(([0-9]{1,3}\.){3}[0-9]{1,3})$ ]];
then then
break break
@ -50,10 +68,8 @@ while true; do
fi fi
done done
# Create a random sensor user name that is easily readable # Create a random SENSOR user name that is easily readable
adjective=$(shuf -n1 a.txt) myLS_WEB_USER="sensor-${myADJECTIVE}-${myNOUN}"
noun=$(shuf -n1 n.txt)
myLS_WEB_USER="sensor-${adjective}-${noun}"
# Create a random password # Create a random password
myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1) myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
@ -62,35 +78,44 @@ myLS_WEB_PW=$(tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 32 | head -n 1)
myLS_WEB_USER_ENC=$(htpasswd -b -n "${myLS_WEB_USER}" "${myLS_WEB_PW}") myLS_WEB_USER_ENC=$(htpasswd -b -n "${myLS_WEB_USER}" "${myLS_WEB_PW}")
myLS_WEB_USER_ENC_B64=$(echo -n "${myLS_WEB_USER_ENC}" | base64 -w0) myLS_WEB_USER_ENC_B64=$(echo -n "${myLS_WEB_USER_ENC}" | base64 -w0)
# Create myTPOT_HIVE_USER, since this is for Logstash on the sensor, it needs to directly base64 encoded # Create myTPOT_HIVE_USER, since this is for Logstash on the SENSOR, it needs to directly base64 encoded
myTPOT_HIVE_USER=$(echo -n "${myLS_WEB_USER}:${myLS_WEB_PW}" | base64 -w0) myTPOT_HIVE_USER=$(echo -n "${myLS_WEB_USER}:${myLS_WEB_PW}" | base64 -w0)
# Print credentials # Print credentials
echo "# The following sensor credentials have been created:" echo "# The following SENSOR credentials have been created:"
echo "# New sensor username: ${myLS_WEB_USER}" echo "# New SENSOR username: ${myLS_WEB_USER}"
echo "# New sensor passowrd: ${myLS_WEB_PW}" echo "# New SENSOR passowrd: ${myLS_WEB_PW}"
echo "# New htpasswd encoded credentials: ${myLS_WEB_USER_ENC}" echo "# New htpasswd encoded credentials: ${myLS_WEB_USER_ENC}"
echo "# New htpasswd credentials base64 encoded: ${myLS_WEB_USER_ENC_B64}" echo "# New htpasswd credentials base64 encoded: ${myLS_WEB_USER_ENC_B64}"
echo "# New sensor credentials base64 encoded: ${myTPOT_HIVE_USER}" echo "# New SENSOR credentials base64 encoded: ${myTPOT_HIVE_USER}"
# Read LS_WEB_USER from file # Read LS_WEB_USER from file
myENV_LS_WEB_USER=$(grep "^LS_WEB_USER=" "${myENV_FILE}" | sed 's/^LS_WEB_USER=//g' | tr -d "\"'") myENV_LS_WEB_USER=$(grep "^LS_WEB_USER=" "${myENV_FILE}" | sed 's/^LS_WEB_USER=//g' | tr -d "\"'")
# Add the new sensor and show a complete list of all the sensors # Add the new SENSOR and show a complete list of all the SENSORs
myENV_LS_WEB_USER="${myENV_LS_WEB_USER} ${myLS_WEB_USER_ENC_B64}" myENV_LS_WEB_USER="${myENV_LS_WEB_USER} ${myLS_WEB_USER_ENC_B64}"
# Update the .env on the host # Update the T-Pot .env config and lswebpasswd (avoid the need to restart T-Pot) on the host
echo "# Updating SENSOR users on this HIVE and in the T-Pot .env config:"
sed -i "/^LS_WEB_USER=/c\LS_WEB_USER=${myENV_LS_WEB_USER}" "${myENV_FILE}" sed -i "/^LS_WEB_USER=/c\LS_WEB_USER=${myENV_LS_WEB_USER}" "${myENV_FILE}"
: > "${HOME}"/tpotce/data/nginx/conf/lswebpasswd
echo "# Here is the complete and updated sensor list on HIVE:"
for i in $myENV_LS_WEB_USER; for i in $myENV_LS_WEB_USER;
do do
echo -n $i | base64 --decode -w0 if [[ -n $i ]];
echo -n " :" $i then
echo # Need to control newlines as they kept coming up for some reason
echo -n "$i" | base64 -d -w0
echo
echo -n "$i" | base64 -d -w0 | tr -d '\n' >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
echo >> ${HOME}/tpotce/data/nginx/conf/lswebpasswd
fi
done done
# Need to export for Ansible
export myTPOT_HIVE_USER export myTPOT_HIVE_USER
export myTPOT_HIVE_IP export myTPOT_HIVE_IP
ANSIBLE_LOG_PATH=$HOME/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -vvv -i ${mySENSOR_IP}, --check -c ssh -e "ansible_port=${myANSIBLE_PORT}" ANSIBLE_LOG_PATH=${HOME}/tpotce/data/deploy_sensor.log ansible-playbook ${myANSIBLE_TPOT_PLAYBOOK} -i ${mySENSOR_IP}, --check -c ssh -e "ansible_port=${myANSIBLE_PORT}"
unset myTPOT_HIVE_USER
unset myTPOT_HIVE_IP