From 9455877fa3d076e7c63a36b21dafe4d48cf2a430 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3
Date: Tue, 13 May 2025 15:32:00 +0200
Subject: [PATCH] add TPOT_PERSISTENCE_CYCLES setting

- makes logrotate cycles configurable, instead of static 30 days
- adjust .env / env.example for setting cycles
- adjust tpotinit dockerfile to include envsubst
- add logrotate.template
- add checks / validations
---
 .env | 8 ++
 docker/tpotinit/Dockerfile | 3 +-
 docker/tpotinit/dist/bin/clean.sh | 17 +++-
 docker/tpotinit/dist/entrypoint.sh | 19 ++++-
 .../dist/etc/logrotate/logrotate.template | 78 +++++++++++++++++++
 env.example | 8 ++
 6 files changed, 130 insertions(+), 3 deletions(-)
 create mode 100644 docker/tpotinit/dist/etc/logrotate/logrotate.template

diff --git a/.env b/.env
index 32fa6caf..fd39580d 100644
--- a/.env
+++ b/.env
@@ -40,6 +40,14 @@ TPOT_BLACKHOLE=DISABLED
 # if you just do not need any of the logfiles.
 TPOT_PERSISTENCE=on
 
+# T-Pot Persistence Cycles
+# <1-999>: Set the number of T-Pot restart cycles for logrotate.
+# Be mindful of this setting as the logs will use up a lot of available disk space.
+# In case the setting is invalid, T-Pot will default to 30 cycles.
+# Remember to adjust the Elastic Search Lifecycle Policy (https://github.com/telekom-security/tpotce/?tab=readme-ov-file#log-persistence)
+# as this setting only accounts for the honeypot logs in the ~/tpotce/data folder.
+TPOT_PERSISTENCE_CYCLES=30
+
 # T-Pot Type
 # HIVE: This is the default and offers everything to connect T-Pot sensors.
 # SENSOR: This needs to be used when running a sensor. Be aware to adjust all other
diff --git a/docker/tpotinit/Dockerfile b/docker/tpotinit/Dockerfile
index ad35c289..6797e562 100644
--- a/docker/tpotinit/Dockerfile
+++ b/docker/tpotinit/Dockerfile
@@ -13,6 +13,7 @@ RUN apk --no-cache -U upgrade && \
 conntrack-tools \
 cracklib \
 curl \
+ envsubst \
 ethtool \
 figlet \
 git \
@@ -32,7 +33,7 @@ RUN apk --no-cache -U upgrade && \
 # Setup user, logrotate permissions
 addgroup -g 2000 tpot && \
 adduser -S -s /bin/ash -u 2000 -D -g 2000 tpot && \
- chmod 0600 /opt/tpot/etc/logrotate/logrotate.conf && \
+ chmod 0600 /opt/tpot/etc/logrotate/logrotate.* && \
 #
 # Clean up
 apk del --purge git && \
diff --git a/docker/tpotinit/dist/bin/clean.sh b/docker/tpotinit/dist/bin/clean.sh
index d731912c..ec1c3d2a 100755
--- a/docker/tpotinit/dist/bin/clean.sh
+++ b/docker/tpotinit/dist/bin/clean.sh
@@ -10,6 +10,9 @@ myPIGZ=$(which pigz)
 
 # Set persistence
 myPERSISTENCE=$1
+myPERSISTENCE_CYCLES=$2
+myPERSISTENCE_CYCLES="${myPERSISTENCE_CYCLES:=30}"
+export myPERSISTENCE_CYCLES
 
 # Let's create a function to check if folder is empty
 fuEMPTY () {
@@ -18,6 +21,15 @@ fuEMPTY () {
 echo $(ls $myFOLDER | wc -l)
 }
 
+# Let's create a function to setup logrotate config
+fuLOGROTATECONF () {
+ local myLOGROTATECONF="/opt/tpot/etc/logrotate/logrotate.conf"
+ local myLOGROTATETEMP="/opt/tpot/etc/logrotate/logrotate.template"
+ envsubst < $myLOGROTATETEMP > $myLOGROTATECONF
+ chown root:root $myLOGROTATECONF
+ chmod 0600 $myLOGROTATECONF
+}
+
 # Let's create a function to rotate and compress logs
 fuLOGROTATE () {
 local mySTATUS="/data/tpot/etc/logrotate/status"
@@ -43,6 +55,9 @@ fuLOGROTATE () {
 local myTANNERF="/data/tanner/files/"
 local myTANNERFTGZ="/data/tanner/files.tgz"
 
+# Setup logrotate config
+fuLOGROTATECONF
+
 # Ensure correct permissions and ownerships for logrotate to run without issues
 chmod 770 /data/ -R
 chown tpot:tpot /data -R
@@ -408,7 +423,7 @@ fi
 # Check persistence, if enabled compress and rotate logs
 if [ "$myPERSISTENCE" = "on" ]; then
- echo "Persistence enabled, now rotating and compressing logs."
+ echo "Persistence enabled for $myPERSISTENCE_CYCLES cycles, now rotating and compressing logs."
 fuLOGROTATE
 fi
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index 706924a3..5bc46aff 100755
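Review bot: `envsubst < $myLOGROTATETEMP > $myLOGROTATECONF` in fuLOGROTATECONF (the @@ -18 hunk) runs without a SHELL-FORMAT argument, so it rewrites every `$NAME` found in the template from the container environment rather than only the intended placeholder; `envsubst '$myPERSISTENCE_CYCLES' < "$myLOGROTATETEMP" > "$myLOGROTATECONF"` limits it to that one name and keeps any future `$` in the template literal. The value itself reaches the generated `rotate` directive unchecked: the @@ -10 hunk takes `$2`, substitutes 30 only when it is empty and exports it, so a non-numeric argument is written verbatim into logrotate.conf, which logrotate is unlikely to parse. Because clean.sh carries its own default it is evidently meant to work without the entrypoint's validate_tpot_persistence_cycles, so a local `[[ "$myPERSISTENCE_CYCLES" =~ ^[1-9][0-9]{0,2}$ ]] || myPERSISTENCE_CYCLES=30` before the export would close that gap with the same 1–999 rule.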
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@@ -114,6 +114,20 @@ validate_ip_or_domain() {
 fi
 }
 
+# Function to validate if TPOT_PERSISTENCE_CYCLES is set and valid
+validate_tpot_persistence_cycles() {
+ # Check if the variable is unset, empty, not a number, or out of the valid range (1–999)
+ if [[ -z "$TPOT_PERSISTENCE_CYCLES" ]] ||
+ [[ ! "$TPOT_PERSISTENCE_CYCLES" =~ ^[0-9]+$ ]] ||
+ (( TPOT_PERSISTENCE_CYCLES < 1 )) ||
+ (( TPOT_PERSISTENCE_CYCLES > 999 )); then
+
+ # Set to default value
+ echo "WARNING! TPOT_PERSISTENCE_CYCLES is not set, invalid or out of bounds. Using default of 30 cycles."
+ TPOT_PERSISTENCE_CYCLES=30
+ fi
+}
+
 create_web_users() {
 echo
 echo "# Creating passwd files based on T-Pot .env config ..."
@@ -203,6 +217,9 @@ for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TE
 validate_format "$var"
 done
 
+# Validate TPOT_PERSISTENCE_CYCLES
+validate_tpot_persistence_cycles
+
 if [ "${TPOT_TYPE}" == "HIVE" ]; then # No $ for check_var
@@ -242,7 +259,7 @@ if [ -f "/data/uuid" ];
 echo
 echo "# Data folder is present, just cleaning up, please be patient ..."
 echo
- /opt/tpot/bin/clean.sh "${TPOT_PERSISTENCE}"
+ /opt/tpot/bin/clean.sh "${TPOT_PERSISTENCE}" "${TPOT_PERSISTENCE_CYCLES}"
 echo
 else
 figlet "Setting up ..."
diff --git a/docker/tpotinit/dist/etc/logrotate/logrotate.template b/docker/tpotinit/dist/etc/logrotate/logrotate.template
new file mode 100644
index 00000000..e0ee9b7c
--- /dev/null
+++ b/docker/tpotinit/dist/etc/logrotate/logrotate.template
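Review bot: In validate_tpot_persistence_cycles (the @@ -114 hunk) `^[0-9]+$` admits leading zeros, and `(( TPOT_PERSISTENCE_CYCLES < 1 ))` then treats a value such as `08` as octal, which is an arithmetic error in bash; the failed test counts as false, so that value passes validation and is handed on to clean.sh unchanged. One pattern covers emptiness, the 1–999 range and the leading-zero case at once: `if [[ ! "${TPOT_PERSISTENCE_CYCLES:-}" =~ ^[1-9][0-9]{0,2}$ ]]; then`, and the `:-` expansion also keeps the check usable should the script ever run with `set -u`. The warning goes to stdout like the surrounding messages; sending it with `>&2` would keep it visible if the entrypoint's output is ever captured, but that is a matter of style.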
@@ -0,0 +1,78 @@
+/data/adbhoney/log/*.json
+/data/adbhoney/log/*.log
+/data/beelzebub/log/*.json
+/data/ciscoasa/log/ciscoasa.log
+/data/citrixhoneypot/logs/server.log
+/data/conpot/log/conpot*.json
+/data/conpot/log/conpot*.log
+/data/cowrie/log/cowrie.json
+/data/cowrie/log/cowrie-textlog.log
+/data/cowrie/log/lastlog.txt
+/data/ddospot/log/*.log
+/data/dicompot/log/dicompot.log
+/data/dionaea/log/dionaea.json
+/data/dionaea/log/dionaea.sqlite
+/data/dionaea/dionaea-errors.log
+/data/elasticpot/log/elasticpot.log
+/data/elasticpot/log/elasticpot.json
+/data/elk/log/*.log
+/data/endlessh/log/*.log
+/data/fatt/log/fatt.log
+/data/galah/log/*.json
+/data/glutton/log/*.log
+/data/glutton/log/*.err
+/data/go-pot/log/*.json
+/data/h0neytr4p/log/*.json
+/data/hellpot/log/*.log
+/data/heralding/log/*.log
+/data/heralding/log/*.csv
+/data/heralding/log/*.json
+/data/honeyaml/log/*.log
+/data/honeypots/log/*.log
+/data/honeysap/log/*.log
+/data/honeytrap/log/*.log
+/data/honeytrap/log/*.json
+/data/ipphoney/log/*.json
+/data/log4pot/log/*.log
+/data/mailoney/log/*.log
+/data/medpot/log/*.log
+/data/miniprint/log/*.json
+/data/nginx/log/*.log
+/data/p0f/log/p0f.json
+/data/redishoneypot/log/*.log
+/data/sentrypeer/log/*.json
+/data/suricata/log/*.log
+/data/suricata/log/*.json
+/data/tanner/log/*.json
+/data/wordpot/log/*.log
+{
+ su tpot tpot
+ copytruncate
+ create 770 tpot tpot
+ daily
+ missingok
+ notifempty
+ rotate $myPERSISTENCE_CYCLES
+ compress
+ compresscmd /usr/bin/pigz
+}
+
+/data/adbhoney/downloads.tgz
+/data/cowrie/log/ttylogs.tgz
+/data/cowrie/downloads.tgz
+/data/dionaea/bistreams.tgz
+/data/dionaea/binaries.tgz
+/data/h0neytr4p/payloads.tgz
+/data/honeytrap/attacks.tgz
+/data/honeytrap/downloads.tgz
+/data/miniprint/uploads.tgz
+/data/tanner/files.tgz
+{
+ su tpot tpot
+ copytruncate
+ create 770 tpot tpot
+ daily
+ missingok
+ notifempty
+ rotate $myPERSISTENCE_CYCLES
+}
diff --git a/env.example b/env.example
index 32fa6caf..fd39580d 100644
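Review bot: The new template has no header explaining that it is a source file, so a maintainer editing it, or editing the logrotate.conf next to it, is not told that clean.sh regenerates logrotate.conf from this file and that envsubst processes every dollar-prefixed name in it. A two-line comment at the top would cover that: `# Template for logrotate.conf: rendered by clean.sh (fuLOGROTATECONF, called from fuLOGROTATE) through envsubst; do not edit logrotate.conf by hand` and `# every dollar-prefixed name in this file is substituted from the environment, currently only myPERSISTENCE_CYCLES`. logrotate accepts `#` comment lines, and naming the placeholder without its dollar sign keeps envsubst from rewriting the comment itself.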
--- a/env.example
+++ b/env.example
@@ -40,6 +40,14 @@ TPOT_BLACKHOLE=DISABLED
 # if you just do not need any of the logfiles.
 TPOT_PERSISTENCE=on
 
+# T-Pot Persistence Cycles
+# <1-999>: Set the number of T-Pot restart cycles for logrotate.
+# Be mindful of this setting as the logs will use up a lot of available disk space.
+# In case the setting is invalid, T-Pot will default to 30 cycles.
+# Remember to adjust the Elastic Search Lifecycle Policy (https://github.com/telekom-security/tpotce/?tab=readme-ov-file#log-persistence)
+# as this setting only accounts for the honeypot logs in the ~/tpotce/data folder.
+TPOT_PERSISTENCE_CYCLES=30
+
 # T-Pot Type
 # HIVE: This is the default and offers everything to connect T-Pot sensors.
 # SENSOR: This needs to be used when running a sensor. Be aware to adjust all other