work on permissions, folders and tpotinit

2025-04-19 21:52:27 +00:00 · 2024-02-14 19:04:05 +01:00 · 2024-02-14 19:04:05 +01:00 · efd5465837
commit efd5465837
parent ef2f5b3f93
3 changed files with 117 additions and 98 deletions
--- a/docker/tpotinit/dist/bin/clean.sh
+++ b/docker/tpotinit/dist/bin/clean.sh
@ -42,8 +42,8 @@ fuLOGROTATE () {
 # Ensure correct permissions and ownerships for logrotate to run without issues
 chmod 770 /data/ -R
 chown tpot:tpot /data -R
-chmod 644 /data/nginx/conf -R
-chmod 644 /data/nginx/cert -R
+chmod 774 /data/nginx/conf -R
+chmod 774 /data/nginx/cert -R

 # Run logrotate with force (-f) first, so the status file can be written and race conditions (with tar) be avoided
 logrotate -f -s $mySTATUS $myCONF
@ -74,10 +74,23 @@ chown tpot:tpot $myADBHONEYDL $myCOWRIETTYLOGS $myCOWRIEDL $myDIONAEABI $myDIONA
 logrotate -s $mySTATUS $myCONF
 }

+# Let's create a function to clean up and prepare tpotinit data
+fuTPOTINIT () {
+  mkdir -vp /data/ews/conf \
+            /data/tpot/etc/{compose,logrotate} \
+            /tmp/etc/
+  chmod 770 /data/ews/ -R
+  chmod 770 /data/tpot/ -R
+  chmod 770 /tmp/etc/ -R
+  chown tpot:tpot /data/ews/ -R
+  chown tpot:tpot /data/tpot/ -R
+  chown tpot:tpot /tmp/etc/ -R
+}
+
 # Let's create a function to clean up and prepare honeytrap data
 fuADBHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/adbhoney/*; fi
-  mkdir -p /data/adbhoney/log/ /data/adbhoney/downloads/
+  mkdir -vp /data/adbhoney/{downloads,log}
  chmod 770 /data/adbhoney/ -R
  chown tpot:tpot /data/adbhoney/ -R
 }
@ -85,7 +98,7 @@ fuADBHONEY () {
 # Let's create a function to clean up and prepare ciscoasa data
 fuCISCOASA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ciscoasa/*; fi
-  mkdir -p /data/ciscoasa/log
+  mkdir -vp /data/ciscoasa/log
  chmod 770 /data/ciscoasa -R
  chown tpot:tpot /data/ciscoasa -R
 }
@ -93,7 +106,7 @@ fuCISCOASA () {
 # Let's create a function to clean up and prepare citrixhoneypot data
 fuCITRIXHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/citrixhoneypot/*; fi
-  mkdir -p /data/citrixhoneypot/logs/
+  mkdir -vp /data/citrixhoneypot/logs/
  chmod 770 /data/citrixhoneypot/ -R
  chown tpot:tpot /data/citrixhoneypot/ -R
 }
@ -101,7 +114,7 @@ fuCITRIXHONEYPOT () {
 # Let's create a function to clean up and prepare conpot data
 fuCONPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/conpot/*; fi
-  mkdir -p /data/conpot/log
+  mkdir -vp /data/conpot/log
  chmod 770 /data/conpot -R
  chown tpot:tpot /data/conpot -R
 }
@ -109,7 +122,7 @@ fuCONPOT () {
 # Let's create a function to clean up and prepare cowrie data
 fuCOWRIE () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/cowrie/*; fi
-  mkdir -p /data/cowrie/log/tty/ /data/cowrie/downloads/ /data/cowrie/keys/ /data/cowrie/misc/
+  mkdir -vp /data/cowrie/{downloads,keys,misc,log,log/tty}
  chmod 770 /data/cowrie -R
  chown tpot:tpot /data/cowrie -R
 }
@ -117,7 +130,7 @@ fuCOWRIE () {
 # Let's create a function to clean up and prepare ddospot data
 fuDDOSPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ddospot/log; fi
-  mkdir -p /data/ddospot/bl /data/ddospot/db /data/ddospot/log
+  mkdir -vp /data/ddospot/{bl,db,log}
  chmod 770 /data/ddospot -R
  chown tpot:tpot /data/ddospot -R
 }
@ -125,8 +138,7 @@ fuDDOSPOT () {
 # Let's create a function to clean up and prepare dicompot data
 fuDICOMPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dicompot/log; fi
-  mkdir -p /data/dicompot/log
-  mkdir -p /data/dicompot/images
+  mkdir -vp /data/dicompot/{images,log}
  chmod 770 /data/dicompot -R
  chown tpot:tpot /data/dicompot -R
 }
@ -134,7 +146,12 @@ fuDICOMPOT () {
 # Let's create a function to clean up and prepare dionaea data
 fuDIONAEA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/dionaea/*; fi
-  mkdir -p /data/dionaea/log /data/dionaea/bistreams /data/dionaea/binaries /data/dionaea/rtp /data/dionaea/roots/ftp /data/dionaea/roots/tftp /data/dionaea/roots/www /data/dionaea/roots/upnp
+  mkdir -vp /data/dionaea/{log,bistreams,binaries,rtp,roots,roots/ftp,roots/tftp,roots/www,roots/upnp}
+  touch /data/dionaea/dionaea-errors.log
+  touch /data/dionaea/sipaccounts.sqlite
+  touch /data/dionaea/sipaccounts.sqlite-journal
+  touch /data/dionaea/log/dionaea.json
+  touch /data/dionaea/log/dionaea.sqlite
  chmod 770 /data/dionaea -R
  chown tpot:tpot /data/dionaea -R
 }
@ -142,7 +159,7 @@ fuDIONAEA () {
 # Let's create a function to clean up and prepare elasticpot data
 fuELASTICPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elasticpot/*; fi
-  mkdir -p /data/elasticpot/log
+  mkdir -vp /data/elasticpot/log
  chmod 770 /data/elasticpot -R
  chown tpot:tpot /data/elasticpot -R
 }
@ -152,7 +169,7 @@ fuELK () {
  # ELK data will be kept for <= 90 days, check /etc/crontab for curator modification
  # ELK daemon log files will be removed
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/elk/log/*; fi
-  mkdir -p /data/elk
+  mkdir -vp /data/elk/{data,log}
  chmod 770 /data/elk -R
  chown tpot:tpot /data/elk -R
 }
@ -160,7 +177,7 @@ fuELK () {
 # Let's create a function to clean up and prepare endlessh data
 fuENDLESSH () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/endlessh/log; fi
-  mkdir -p /data/endlessh/log
+  mkdir -vp /data/endlessh/log
  chmod 770 /data/endlessh -R
  chown tpot:tpot /data/endlessh -R
 }
@ -168,7 +185,7 @@ fuENDLESSH () {
 # Let's create a function to clean up and prepare fatt data
 fuFATT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/fatt/*; fi
-  mkdir -p /data/fatt/log
+  mkdir -vp /data/fatt/log
  chmod 770 -R /data/fatt
  chown tpot:tpot -R /data/fatt
 }
@ -176,7 +193,7 @@ fuFATT () {
 # Let's create a function to clean up and prepare glastopf data
 fuGLUTTON () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/glutton/*; fi
-  mkdir -p /data/glutton/log
+  mkdir -vp /data/glutton/log
  chmod 770 /data/glutton -R
  chown tpot:tpot /data/glutton -R
 }
@ -184,7 +201,7 @@ fuGLUTTON () {
 # Let's create a function to clean up and prepare hellpot data
 fuHELLPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/hellpot/log; fi
-  mkdir -p /data/hellpot/log
+  mkdir -vp /data/hellpot/log
  chmod 770 /data/hellpot -R
  chown tpot:tpot /data/hellpot -R
 }
@ -192,7 +209,7 @@ fuHELLPOT () {
 # Let's create a function to clean up and prepare heralding data
 fuHERALDING () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/heralding/*; fi
-  mkdir -p /data/heralding/log
+  mkdir -vp /data/heralding/log
  chmod 770 /data/heralding -R
  chown tpot:tpot /data/heralding -R
 }
@ -200,7 +217,7 @@ fuHERALDING () {
 # Let's create a function to clean up and prepare honeypots data
 fuHONEYPOTS () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeypots/*; fi
-  mkdir -p /data/honeypots/log
+  mkdir -vp /data/honeypots/log
  chmod 770 /data/honeypots -R
  chown tpot:tpot /data/honeypots -R
 }
@ -208,7 +225,7 @@ fuHONEYPOTS () {
 # Let's create a function to clean up and prepare honeysap data
 fuHONEYSAP () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeysap/*; fi
-  mkdir -p /data/honeysap/log
+  mkdir -vp /data/honeysap/log
  chmod 770 /data/honeysap -R
  chown tpot:tpot /data/honeysap -R
 }
@ -216,7 +233,7 @@ fuHONEYSAP () {
 # Let's create a function to clean up and prepare honeytrap data
 fuHONEYTRAP () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/honeytrap/*; fi
-  mkdir -p /data/honeytrap/log/ /data/honeytrap/attacks/ /data/honeytrap/downloads/
+  mkdir -vp /data/honeytrap/{log,attacks,downloads}
  chmod 770 /data/honeytrap/ -R
  chown tpot:tpot /data/honeytrap/ -R
 }
@ -224,7 +241,7 @@ fuHONEYTRAP () {
 # Let's create a function to clean up and prepare ipphoney data
 fuIPPHONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/ipphoney/*; fi
-  mkdir -p /data/ipphoney/log
+  mkdir -vp /data/ipphoney/log
  chmod 770 /data/ipphoney -R
  chown tpot:tpot /data/ipphoney -R
 }
@ -232,7 +249,7 @@ fuIPPHONEY () {
 # Let's create a function to clean up and prepare log4pot data
 fuLOG4POT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/log4pot/*; fi
-  mkdir -p /data/log4pot/log
+  mkdir -vp /data/log4pot/{log,payloads}
  chmod 770 /data/log4pot -R
  chown tpot:tpot /data/log4pot -R
 }
@ -240,7 +257,7 @@ fuLOG4POT () {
 # Let's create a function to clean up and prepare mailoney data
 fuMAILONEY () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/mailoney/*; fi
-  mkdir -p /data/mailoney/log/
+  mkdir -vp /data/mailoney/log/
  chmod 770 /data/mailoney/ -R
  chown tpot:tpot /data/mailoney/ -R
 }
@ -248,7 +265,7 @@ fuMAILONEY () {
 # Let's create a function to clean up and prepare mailoney data
 fuMEDPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/medpot/*; fi
-  mkdir -p /data/medpot/log/
+  mkdir -vp /data/medpot/log/
  chmod 770 /data/medpot/ -R
  chown tpot:tpot /data/medpot/ -R
 }
@ -256,23 +273,17 @@ fuMEDPOT () {
 # Let's create a function to clean up nginx logs
 fuNGINX () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/nginx/log/*; fi
+  mkdir -vp /data/nginx/{cert,conf,log}
  touch /data/nginx/log/error.log
-  chmod 644 /data/nginx/conf -R
-  chmod 644 /data/nginx/cert -R
-}
-
-# Let's create a function to clean up and prepare rdpy data
-fuRDPY () {
-  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/rdpy/*; fi
-  mkdir -p /data/rdpy/log/
-  chmod 770 /data/rdpy/ -R
-  chown tpot:tpot /data/rdpy/ -R
+  chmod 774 /data/nginx/conf -R
+  chmod 774 /data/nginx/cert -R
+  chown tpot:tpot /data/nginx -R
 }

 # Let's create a function to clean up and prepare redishoneypot data
 fuREDISHONEYPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/redishoneypot/log; fi
-  mkdir -p /data/redishoneypot/log
+  mkdir -vp /data/redishoneypot/log
  chmod 770 /data/redishoneypot -R
  chown tpot:tpot /data/redishoneypot -R
 }
@ -280,14 +291,14 @@ fuREDISHONEYPOT () {
 # Let's create a function to clean up and prepare sentrypeer data
 fuSENTRYPEER () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/sentrypeer/log; fi
-  mkdir -p /data/sentrypeer/log
+  mkdir -vp /data/sentrypeer/log
  chmod 770 /data/sentrypeer -R
  chown tpot:tpot /data/sentrypeer -R
 }

 # Let's create a function to prepare spiderfoot db
 fuSPIDERFOOT () {
-  mkdir -p /data/spiderfoot
+  mkdir -vp /data/spiderfoot
  touch /data/spiderfoot/spiderfoot.db
  chmod 770 -R /data/spiderfoot
  chown tpot:tpot -R /data/spiderfoot
@ -296,7 +307,7 @@ fuSPIDERFOOT () {
 # Let's create a function to clean up and prepare suricata data
 fuSURICATA () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/suricata/*; fi
-  mkdir -p /data/suricata/log
+  mkdir -vp /data/suricata/log
  chmod 770 -R /data/suricata
  chown tpot:tpot -R /data/suricata
 }
@ -304,7 +315,7 @@ fuSURICATA () {
 # Let's create a function to clean up and prepare p0f data
 fuP0F () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/p0f/*; fi
-  mkdir -p /data/p0f/log
+  mkdir -vp /data/p0f/log
  chmod 770 -R /data/p0f
  chown tpot:tpot -R /data/p0f
 }
@ -312,7 +323,7 @@ fuP0F () {
 # Let's create a function to clean up and prepare p0f data
 fuTANNER () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/tanner/*; fi
-  mkdir -p /data/tanner/log /data/tanner/files
+  mkdir -vp /data/tanner/{log,files}
  chmod 770 -R /data/tanner
  chown tpot:tpot -R /data/tanner
 }
@ -320,7 +331,7 @@ fuTANNER () {
 # Let's create a function to clean up and prepare wordpot data
 fuWORDPOT () {
  if [ "$myPERSISTENCE" != "on" ]; then rm -rf /data/wordpot/log; fi
-  mkdir -p /data/wordpot/log
+  mkdir -vp /data/wordpot/log
  chmod 770 /data/wordpot -R
  chown tpot:tpot /data/wordpot -R
 }
@ -345,37 +356,38 @@ if [ "$myPERSISTENCE" = "on" ];
  then
    echo "Persistence enabled, now rotating and compressing logs."
    fuLOGROTATE
-  else
-    echo "Cleaning up and preparing data folders."
-    fuADBHONEY
-    fuCISCOASA
-    fuCITRIXHONEYPOT
-    fuCONPOT
-    fuCOWRIE
-    fuDDOSPOT
-    fuDICOMPOT
-    fuDIONAEA
-    fuELASTICPOT
-    fuELK
-    fuENDLESSH
-    fuFATT
-    fuGLUTTON
-    fuHERALDING
-    fuHELLPOT
-    fuHONEYSAP
-    fuHONEYPOTS
-    fuHONEYTRAP
-    fuIPPHONEY
-    fuLOG4POT
-    fuMAILONEY
-    fuMEDPOT
-    fuNGINX
-    fuREDISHONEYPOT
-    fuRDPY
-    fuSENTRYPEER
-    fuSPIDERFOOT
-    fuSURICATA
-    fuP0F
-    fuTANNER
-    fuWORDPOT
-  fi
+fi
+
+echo  
+echo "Checking and preparing data folders."
+fuTPOTINIT
+fuADBHONEY
+fuCISCOASA
+fuCITRIXHONEYPOT
+fuCONPOT
+fuCOWRIE
+fuDDOSPOT
+fuDICOMPOT
+fuDIONAEA
+fuELASTICPOT
+fuELK
+fuENDLESSH
+fuFATT
+fuGLUTTON
+fuHERALDING
+fuHELLPOT
+fuHONEYSAP
+fuHONEYPOTS
+fuHONEYTRAP
+fuIPPHONEY
+fuLOG4POT
+fuMAILONEY
+fuMEDPOT
+fuNGINX
+fuREDISHONEYPOT
+fuSENTRYPEER
+fuSPIDERFOOT
+fuSURICATA
+fuP0F
+fuTANNER
+fuWORDPOT
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@ -35,15 +35,18 @@ check_safety() {
 # Function to check the safety of the WEB_USER variable
 check_web_user_safety() {
    local web_user="$1"
+    local IFS=$'\n'  # Set the Internal Field Separator (IFS) to newline for the loop

+    # Iterate over each line in web_user
+    for user in $web_user; do
        # Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
-    if [[ ! $web_user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; 
-      then
-        echo "# Error: Unsafe characters detected in WEB_USER."
+        if [[ ! $user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]]; then
+            echo "# Error: Unsafe characters / wrong format detected in WEB_USER for user $user."
            echo
            echo "# Aborting"
            exit 1
        fi
+    done
 }

 # Function to validate specific variable formats
@ -67,6 +70,14 @@ validate_format() {
    esac
 }

+create_web_users() {
+    echo
+    echo "# Creating web user from .env ..."
+    echo
+    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
+    touch /data/nginx/conf/lswebpasswd
+}
+
 # Validate environment variables
 for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE; 
  do
@ -103,6 +114,7 @@ if [ -f "/data/uuid" ];
  then
    figlet "Initializing ..."
    figlet "T-Pot: ${TPOT_VERSION}"
+    create_web_users
    echo
    echo "# Data folder is present, just cleaning up, please be patient ..."
    echo
@ -123,11 +135,7 @@ if [ -f "/data/uuid" ];
    echo
    echo "# Setting up data folder structure ..."
    echo
-    mkdir -vp /data/ews/conf \
-              /data/nginx/{cert,conf,log} \
-              /data/tpot/etc/compose/ \
-              /data/tpot/etc/logrotate/ \
-              /tmp/etc/
+    /opt/tpot/bin/clean.sh off
    echo
    echo "# Generating self signed certificate ..."
    echo
@ -143,15 +151,11 @@ if [ -f "/data/uuid" ];
          -subj '/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd' \
          -addext "subjectAltName = IP:${myINTIP}"
    echo
-    echo "# Creating web user from tpot.env, make sure to erase the password from the .env ..."
-    echo
-    echo "${WEB_USER}" > /data/nginx/conf/nginxpasswd
-    touch /data/nginx/conf/lswebpasswd
+    create_web_users
    echo
    echo "# Extracting objects, final touches and permissions ..."
    echo
    tar xvfz /opt/tpot/etc/objects/elkbase.tgz -C /
-    /opt/tpot/bin/clean.sh off
    uuidgen > /data/uuid
 fi

@ -164,16 +168,19 @@ if [ "${myOSTYPE}" == "linuxkit" ];
  else
    if [ "${TPOT_BLACKHOLE}" == "ENABLED" ] && [ ! -f "/etc/blackhole/mass_scanner.txt" ];
      then
+        echo
        echo "# Adding Blackhole routes."
        /opt/tpot/bin/blackhole.sh add
        echo
    fi
    if [ "${TPOT_BLACKHOLE}" == "DISABLED" ] && [ -f "/etc/blackhole/mass_scanner.txt" ];
      then
+        echo
        echo "# Removing Blackhole routes."
        /opt/tpot/bin/blackhole.sh del
        echo
      else
+        echo
        echo "# Blackhole is not active."
    fi
 fi
@ -189,9 +196,9 @@ echo
 echo "# Updating permissions ..."
 echo
 chown -R tpot:tpot /data
-chmod -R 777 /data
-#chmod 644 -R /data/nginx/conf
-#chmod 644 -R /data/nginx/cert
+chmod -R 770 /data
+chmod 774 -R /data/nginx/conf
+chmod 774 -R /data/nginx/cert

 # Update interface settings (p0f and Suricata) and setup iptables to support NFQ based honeypots (glutton, honeytrap)
 ### This is currently not supported on Docker for Desktop, only on Docker Engine for Linux
--- a/docker/tpotinit/dist/etc/logrotate/logrotate.conf
+++ b/docker/tpotinit/dist/etc/logrotate/logrotate.conf
@ -33,12 +33,12 @@
 /data/medpot/log/*.log
 /data/nginx/log/*.log
 /data/p0f/log/p0f.json
-/data/rdpy/log/rdpy.log
 /data/redishoneypot/log/*.log
 /data/sentrypeer/log/*.json
 /data/suricata/log/*.log
 /data/suricata/log/*.json
 /data/tanner/log/*.json
+/data/wordpot/log/*.log
 {
 	su tpot tpot
        copytruncate