adjust group and permissions for /data
This commit is contained in:
parent
ce89e44474
commit
c09547e3a4
6 changed files with 36 additions and 26 deletions
|
@ -1,5 +1,9 @@
|
||||||
# Changelog
|
# Changelog
|
||||||
|
|
||||||
|
## 20190508
|
||||||
|
- **Add tsec / install user to tpot group**
|
||||||
|
- For users being able to easily download logs from the /data folder the installer now adds the `tpot` or the logged in user (`who am i`) via `usermod -a -G tpot <user>` to the tpot group. Also /data permissions will now be enforced to `770`, which is necessary for directory listings.
|
||||||
|
|
||||||
## 20190502
|
## 20190502
|
||||||
- **Fix KVPs**
|
- **Fix KVPs**
|
||||||
- Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
|
- Some KVPs for Cowrie changed and the tagcloud was not showing any values in the Cowrie dashboard.
|
||||||
|
|
44
bin/clean.sh
44
bin/clean.sh
|
@ -37,7 +37,7 @@ fuLOGROTATE () {
|
||||||
local myTANNERFTGZ="/data/tanner/files.tgz"
|
local myTANNERFTGZ="/data/tanner/files.tgz"
|
||||||
|
|
||||||
# Ensure correct permissions and ownerships for logrotate to run without issues
|
# Ensure correct permissions and ownerships for logrotate to run without issues
|
||||||
chmod 760 /data/ -R
|
chmod 770 /data/ -R
|
||||||
chown tpot:tpot /data -R
|
chown tpot:tpot /data -R
|
||||||
chmod 644 /data/nginx/conf -R
|
chmod 644 /data/nginx/conf -R
|
||||||
chmod 644 /data/nginx/cert -R
|
chmod 644 /data/nginx/cert -R
|
||||||
|
@ -56,7 +56,7 @@ if [ "$(fuEMPTY $myHONEYTRAPDL)" != "0" ]; then tar cvfz $myHONEYTRAPDLTGZ $myHO
|
||||||
if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar cvfz $myTANNERFTGZ $myTANNERF; fi
|
if [ "$(fuEMPTY $myTANNERF)" != "0" ]; then tar cvfz $myTANNERFTGZ $myTANNERF; fi
|
||||||
|
|
||||||
# Ensure correct permissions and ownership for previously created archives
|
# Ensure correct permissions and ownership for previously created archives
|
||||||
chmod 760 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
|
chmod 770 $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
|
||||||
chown tpot:tpot $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
|
chown tpot:tpot $myADBHONEYTGZ $myCOWRIETTYTGZ $myCOWRIEDLTGZ $myDIONAEABITGZ $myDIONAEABINTGZ $myHONEYTRAPATTACKSTGZ $myHONEYTRAPDLTGZ $myTANNERFTGZ
|
||||||
|
|
||||||
# Need to remove subfolders since too many files cause rm to exit with errors
|
# Need to remove subfolders since too many files cause rm to exit with errors
|
||||||
|
@ -64,7 +64,7 @@ rm -rf $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $my
|
||||||
|
|
||||||
# Recreate subfolders with correct permissions and ownership
|
# Recreate subfolders with correct permissions and ownership
|
||||||
mkdir -p $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
mkdir -p $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
||||||
chmod 760 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
chmod 770 $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
||||||
chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONAEABIN $myHONEYTRAPATTACKS $myHONEYTRAPDL $myTANNERF
|
||||||
|
|
||||||
# Run logrotate again to account for previously created archives - DO NOT FORCE HERE!
|
# Run logrotate again to account for previously created archives - DO NOT FORCE HERE!
|
||||||
|
@ -75,7 +75,7 @@ logrotate -s $mySTATUS $myCONF
|
||||||
fuADBHONEY () {
|
fuADBHONEY () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
|
||||||
mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
|
mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
|
||||||
chmod 760 /data/adbhoney/ -R
|
chmod 770 /data/adbhoney/ -R
|
||||||
chown tpot:tpot /data/adbhoney/ -R
|
chown tpot:tpot /data/adbhoney/ -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -83,7 +83,7 @@ fuADBHONEY () {
|
||||||
fuCISCOASA () {
|
fuCISCOASA () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
|
||||||
mkdir -p /data/ciscoasa/log
|
mkdir -p /data/ciscoasa/log
|
||||||
chmod 760 /data/ciscoasa -R
|
chmod 770 /data/ciscoasa -R
|
||||||
chown tpot:tpot /data/ciscoasa -R
|
chown tpot:tpot /data/ciscoasa -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -91,7 +91,7 @@ fuCISCOASA () {
|
||||||
fuCONPOT () {
|
fuCONPOT () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
|
||||||
mkdir -p /data/conpot/log
|
mkdir -p /data/conpot/log
|
||||||
chmod 760 /data/conpot -R
|
chmod 770 /data/conpot -R
|
||||||
chown tpot:tpot /data/conpot -R
|
chown tpot:tpot /data/conpot -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -99,7 +99,7 @@ fuCONPOT () {
|
||||||
fuCOWRIE () {
|
fuCOWRIE () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
|
||||||
mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
|
mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
|
||||||
chmod 760 /data/cowrie -R
|
chmod 770 /data/cowrie -R
|
||||||
chown tpot:tpot /data/cowrie -R
|
chown tpot:tpot /data/cowrie -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -107,7 +107,7 @@ fuCOWRIE () {
|
||||||
fuDIONAEA () {
|
fuDIONAEA () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
|
||||||
mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
|
mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
|
||||||
chmod 760 /data/dionaea -R
|
chmod 770 /data/dionaea -R
|
||||||
chown tpot:tpot /data/dionaea -R
|
chown tpot:tpot /data/dionaea -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -115,7 +115,7 @@ fuDIONAEA () {
|
||||||
fuELASTICPOT () {
|
fuELASTICPOT () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
|
||||||
mkdir -p /data/elasticpot/log
|
mkdir -p /data/elasticpot/log
|
||||||
chmod 760 /data/elasticpot -R
|
chmod 770 /data/elasticpot -R
|
||||||
chown tpot:tpot /data/elasticpot -R
|
chown tpot:tpot /data/elasticpot -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -125,7 +125,7 @@ fuELK () {
|
||||||
# ELK daemon log files will be removed
|
# ELK daemon log files will be removed
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
|
||||||
mkdir -p /data/elk
|
mkdir -p /data/elk
|
||||||
chmod 760 /data/elk -R
|
chmod 770 /data/elk -R
|
||||||
chown tpot:tpot /data/elk -R
|
chown tpot:tpot /data/elk -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -133,7 +133,7 @@ fuELK () {
|
||||||
fuGLASTOPF () {
|
fuGLASTOPF () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glastopf/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glastopf/*; fi
|
||||||
mkdir -p /data/glastopf/db /data/glastopf/log
|
mkdir -p /data/glastopf/db /data/glastopf/log
|
||||||
chmod 760 /data/glastopf -R
|
chmod 770 /data/glastopf -R
|
||||||
chown tpot:tpot /data/glastopf -R
|
chown tpot:tpot /data/glastopf -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -141,7 +141,7 @@ fuGLASTOPF () {
|
||||||
fuGLUTTON () {
|
fuGLUTTON () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
|
||||||
mkdir -p /data/glutton/log
|
mkdir -p /data/glutton/log
|
||||||
chmod 760 /data/glutton -R
|
chmod 770 /data/glutton -R
|
||||||
chown tpot:tpot /data/glutton -R
|
chown tpot:tpot /data/glutton -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -149,7 +149,7 @@ fuGLUTTON () {
|
||||||
fuHERALDING () {
|
fuHERALDING () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
|
||||||
mkdir -p /data/heralding/log
|
mkdir -p /data/heralding/log
|
||||||
chmod 760 /data/heralding -R
|
chmod 770 /data/heralding -R
|
||||||
chown tpot:tpot /data/heralding -R
|
chown tpot:tpot /data/heralding -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -157,7 +157,7 @@ fuHERALDING () {
|
||||||
fuHONEYPY () {
|
fuHONEYPY () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypy/*; fi
|
||||||
mkdir -p /data/honeypy/log
|
mkdir -p /data/honeypy/log
|
||||||
chmod 760 /data/honeypy -R
|
chmod 770 /data/honeypy -R
|
||||||
chown tpot:tpot /data/honeypy -R
|
chown tpot:tpot /data/honeypy -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -165,7 +165,7 @@ fuHONEYPY () {
|
||||||
fuHONEYTRAP () {
|
fuHONEYTRAP () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
|
||||||
mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
|
mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
|
||||||
chmod 760 /data/honeytrap/ -R
|
chmod 770 /data/honeytrap/ -R
|
||||||
chown tpot:tpot /data/honeytrap/ -R
|
chown tpot:tpot /data/honeytrap/ -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -173,7 +173,7 @@ fuHONEYTRAP () {
|
||||||
fuMAILONEY () {
|
fuMAILONEY () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
|
||||||
mkdir -p /data/mailoney/log/
|
mkdir -p /data/mailoney/log/
|
||||||
chmod 760 /data/mailoney/ -R
|
chmod 770 /data/mailoney/ -R
|
||||||
chown tpot:tpot /data/mailoney/ -R
|
chown tpot:tpot /data/mailoney/ -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -181,7 +181,7 @@ fuMAILONEY () {
|
||||||
fuMEDPOT () {
|
fuMEDPOT () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
|
||||||
mkdir -p /data/medpot/log/
|
mkdir -p /data/medpot/log/
|
||||||
chmod 760 /data/medpot/ -R
|
chmod 770 /data/medpot/ -R
|
||||||
chown tpot:tpot /data/medpot/ -R
|
chown tpot:tpot /data/medpot/ -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -197,7 +197,7 @@ fuNGINX () {
|
||||||
fuRDPY () {
|
fuRDPY () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
|
||||||
mkdir -p /data/rdpy/log/
|
mkdir -p /data/rdpy/log/
|
||||||
chmod 760 /data/rdpy/ -R
|
chmod 770 /data/rdpy/ -R
|
||||||
chown tpot:tpot /data/rdpy/ -R
|
chown tpot:tpot /data/rdpy/ -R
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -205,7 +205,7 @@ fuRDPY () {
|
||||||
fuSPIDERFOOT () {
|
fuSPIDERFOOT () {
|
||||||
mkdir -p /data/spiderfoot
|
mkdir -p /data/spiderfoot
|
||||||
touch /data/spiderfoot/spiderfoot.db
|
touch /data/spiderfoot/spiderfoot.db
|
||||||
chmod 760 -R /data/spiderfoot
|
chmod 770 -R /data/spiderfoot
|
||||||
chown tpot:tpot -R /data/spiderfoot
|
chown tpot:tpot -R /data/spiderfoot
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -213,7 +213,7 @@ fuSPIDERFOOT () {
|
||||||
fuSURICATA () {
|
fuSURICATA () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
|
||||||
mkdir -p /data/suricata/log
|
mkdir -p /data/suricata/log
|
||||||
chmod 760 -R /data/suricata
|
chmod 770 -R /data/suricata
|
||||||
chown tpot:tpot -R /data/suricata
|
chown tpot:tpot -R /data/suricata
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -221,7 +221,7 @@ fuSURICATA () {
|
||||||
fuP0F () {
|
fuP0F () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
|
||||||
mkdir -p /data/p0f/log
|
mkdir -p /data/p0f/log
|
||||||
chmod 760 -R /data/p0f
|
chmod 770 -R /data/p0f
|
||||||
chown tpot:tpot -R /data/p0f
|
chown tpot:tpot -R /data/p0f
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -229,7 +229,7 @@ fuP0F () {
|
||||||
fuTANNER () {
|
fuTANNER () {
|
||||||
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
|
if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
|
||||||
mkdir -p /data/tanner/log /data/tanner/files
|
mkdir -p /data/tanner/log /data/tanner/files
|
||||||
chmod 760 -R /data/tanner
|
chmod 770 -R /data/tanner
|
||||||
chown tpot:tpot -R /data/tanner
|
chown tpot:tpot -R /data/tanner
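Review bot: The recursive `chmod 770` in fuLOGROTATE and in every per-honeypot function from fuADBHONEY to fuTANNER applies mode 770 to regular files as well as directories, so everything under /data — attacker-supplied samples in cowrie/downloads, dionaea/binaries, honeytrap/downloads and adbhoney/downloads, the tty logs, and the tgz archives chmod'ed at the top of the file — becomes executable for the tpot user and, after this commit, for every member of the tpot group. Directory listings, which the changelog gives as the reason for the change, only need rwx on directories; files need 660 at most. I would factor the chmod/chown pair into one helper that separates directories from files and call it from each function, which also drops the twenty-odd copy-pasted lines. The `chmod 644 ... -R` lines for /data/nginx/conf and /data/nginx/cert in fuLOGROTATE are unchanged context, but note that 644 on a directory removes its execute bit and leaves the cert directory's contents world-readable; if a private key lives there it deserves its own fix.
```shell
# Group members need rwx on directories for listings; never grant x on
# collected files (downloads, binaries, tty logs, archives).
fuPERMS () {
  find "$1" -type d -exec chmod 770 {} +
  find "$1" -type f -exec chmod 660 {} +
  chown tpot:tpot -R "$1"
}

fuADBHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
  mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
  fuPERMS /data/adbhoney/
}
# … unchanged: remaining fu* functions, each replacing its chmod/chown pair with fuPERMS <dir> …
```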
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -31,4 +31,4 @@ MY_INTIP=$myLOCALIP
|
||||||
MY_HOSTNAME=$HOSTNAME
|
MY_HOSTNAME=$HOSTNAME
|
||||||
EOF
|
EOF
|
||||||
chown tpot:tpot /data/ews/conf/ews.ip
|
chown tpot:tpot /data/ews/conf/ews.ip
|
||||||
chmod 760 /data/ews/conf/ews.ip
|
chmod 770 /data/ews/conf/ews.ip
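Review bot: `chmod 770 /data/ews/conf/ews.ip` marks a generated configuration file executable for owner and group, while the here-doc just above it only writes the file and nothing in the hunk runs it. The group access this commit is after — letting tpot members read and overwrite the file — needs only `chmod 660 /data/ews/conf/ews.ip`. The script or function containing this here-doc starts outside the hunk, so I cannot tell whether it always runs as root; if it can run as the login user, both chown and chmod here will fail and that failure should be surfaced rather than ignored.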
|
||||||
|
|
2
docker/elk/logstash/dist/logstash.conf
vendored
2
docker/elk/logstash/dist/logstash.conf
vendored
|
@ -427,7 +427,7 @@ output {
|
||||||
|
|
||||||
#if [type] == "Suricata" {
|
#if [type] == "Suricata" {
|
||||||
# file {
|
# file {
|
||||||
# file_mode => 0760
|
# file_mode => 0770
|
||||||
# path => "/data/suricata/log/suricata_ews.log"
|
# path => "/data/suricata/log/suricata_ews.log"
|
||||||
# }
|
# }
|
||||||
#}
|
#}
|
||||||
|
|
|
@ -792,7 +792,13 @@ systemctl enable tpot
|
||||||
|
|
||||||
# Let's take care of some files and permissions
|
# Let's take care of some files and permissions
|
||||||
fuBANNER "Permissions"
|
fuBANNER "Permissions"
|
||||||
chmod 760 -R /data
|
chmod 770 -R /data
|
||||||
|
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
|
||||||
|
then
|
||||||
|
usermod -a -G tpot tsec
|
||||||
|
else
|
||||||
|
usermod -a -G tpot $(who am i | awk '{ print $1 }')
|
||||||
|
fi
|
||||||
chown tpot:tpot -R /data
|
chown tpot:tpot -R /data
|
||||||
chown tsec:tsec -R /home/tsec/.ssh
|
chown tsec:tsec -R /home/tsec/.ssh
|
||||||
chmod 644 -R /data/nginx/conf
|
chmod 644 -R /data/nginx/conf
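Review bot: The non-ISO branch adds whoever `who am i` reports to the tpot group, but `who am i` prints nothing when the installer has no controlling terminal (`ssh host sudo ./install.sh`, a pipe, a provisioning tool), and the unquoted, empty `$(...)` then runs `usermod -a -G tpot` with no user at all, so the installer finishes without the group change — and, if `set -e` is active earlier in the file, should abort right after enabling the tpot service. When invoked through sudo, `$SUDO_USER` is the reliable answer; fall back to `who am i` only when it is unset, validate the result with `id`, and quote the expansion. The `chmod 770 -R /data` just above also sets the execute bit on every regular file under /data, not only on directories; `find /data -type d -exec chmod 770 {} +` plus `find /data -type f -exec chmod 660 {} +` gives the group the listing access the commit is after without making honeypot-collected files runnable.
```shell
chmod 770 -R /data
if [ "$myTPOT_DEPLOYMENT_TYPE" == "iso" ];
  then
    usermod -a -G tpot tsec
  else
    # sudo records the invoking account; `who am i` is empty without a controlling tty
    myUSER="${SUDO_USER:-$(who am i | awk '{ print $1 }')}"
    if [ -n "$myUSER" ] && id "$myUSER" >/dev/null 2>&1;
      then
        usermod -a -G tpot "$myUSER"
      else
        echo "Could not determine the login user, run 'usermod -a -G tpot <user>' manually."
    fi
fi
# … unchanged: chown tpot:tpot -R /data, tsec .ssh ownership and the nginx permission lines …
```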
|
||||||
|
|
|
@ -235,7 +235,7 @@ mkdir -p /data/adbhoney/downloads /data/adbhoney/log \
|
||||||
/data/p0f/log
|
/data/p0f/log
|
||||||
|
|
||||||
### Let's take care of some files and permissions
|
### Let's take care of some files and permissions
|
||||||
chmod 760 -R /data
|
chmod 770 -R /data
|
||||||
chown tpot:tpot -R /data
|
chown tpot:tpot -R /data
|
||||||
chmod 644 -R /data/nginx/conf
|
chmod 644 -R /data/nginx/conf
|
||||||
chmod 644 -R /data/nginx/cert
|
chmod 644 -R /data/nginx/cert
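Review bot: `chmod 770 -R /data` sets mode 770 on regular files too, so every log, database and honeypot-collected download under /data becomes executable for the tpot user and group, which is more than the directory listings this change is meant to enable. `find /data -type d -exec chmod 770 {} +` followed by `find /data -type f -exec chmod 660 {} +` gives the same group access without the execute bit on files. The `chmod 644 -R /data/nginx/conf` and `chmod 644 -R /data/nginx/cert` lines are unchanged context, but since they run after the recursive 770 they strip the execute bit from those two directories themselves, so any non-root process can no longer traverse them, and they leave the cert directory's contents world-readable; if the TLS private key is stored there it should be narrowed to 600 — confirm what lives in /data/nginx/cert. The script enclosing this hunk starts outside it.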
|
||||||
|
|