From faec613b9ad2c6da9ded876a2faeb8a757f2aa18 Mon Sep 17 00:00:00 2001
From: t3chn0m4g3 <t3chn0m4g3@gmail.com>
Date: Fri, 8 Dec 2023 18:00:09 +0100
Subject: [PATCH] add persistence to ENVs add ENVs checker to keep tpotinit from starting if ENVs are not present or incorrectly set
---
docker/tpotinit/dist/entrypoint.sh | 86 ++++++++++++++++++++++++++++--
env.example | 7 +++
2 files changed, 90 insertions(+), 3 deletions(-)
diff --git a/docker/tpotinit/dist/entrypoint.sh b/docker/tpotinit/dist/entrypoint.sh
index ce551a46..4e280898 100755
--- a/docker/tpotinit/dist/entrypoint.sh
+++ b/docker/tpotinit/dist/entrypoint.sh
@@ -2,6 +2,86 @@ COMPOSE="/tmp/tpot/docker-compose.yml"
+# Function to check if a variable is set, not empty
+check_var() {
+ local var_name="$1"
+ local var_value=$(eval echo \$$var_name)
+
+ # Check if variable is set and not empty
+ if [[ -z "$var_value" ]];
+ then
+ echo "# Error: $var_name is not set or empty."
+ echo
+ echo "# Aborting"
+ exit 1
+ fi
+}
+
+# Function to check for potentially unsafe characters in most variables
+check_safety() {
+ local var_name="$1"
+ local var_value=$(eval echo \$$var_name)
+
+ # General safety check for most variables
+ if [[ $var_value =~ [^a-zA-Z0-9_/.:-] ]];
+ then
+ echo "# Error: Unsafe characters detected in $var_name."
+ echo
+ echo "# Aborting"
+ exit 1
+ fi
+}
+
+# Function to check the safety of the WEB_USER variable
+check_web_user_safety() {
+ local web_user="$1"
+
+ # Allow alphanumeric, $, ., /, and : for WEB_USER (to accommodate htpasswd hash)
+ if [[ ! $web_user =~ ^[a-zA-Z0-9]+:\$apr1\$[a-zA-Z0-9./]+\$[a-zA-Z0-9./]+$ ]];
+ then
+ echo "# Error: Unsafe characters detected in WEB_USER."
+ echo
+ echo "# Aborting"
+ exit 1
+ fi
+}
+
+# Function to validate specific variable formats
+validate_format() {
+ local var_name="$1"
+ local var_value=$(eval echo \$$var_name)
+
+ case "$var_name" in
+ TPOT_BLACKHOLE|TPOT_PERSISTENCE|TPOT_ATTACKMAP_TEXT|COCKPIT)
+ if ! [[ $var_value =~ ^(ENABLED|DISABLED|on|off|true|false)$ ]];
+ then
+ echo "# Error: Invalid value for $var_name. Expected ENABLED/DISABLED, on/off, true/false."
+ echo
+ echo "# Aborting"
+ exit 1
+ fi
+ ;;
+ *)
+ # Add additional specific format checks here if necessary
+ ;;
+ esac
+}
+
+# Validate environment variables
+for var in TPOT_BLACKHOLE TPOT_PERSISTENCE TPOT_ATTACKMAP_TEXT TPOT_ATTACKMAP_TEXT_TIMEZONE TPOT_REPO TPOT_VERSION TPOT_PULL_POLICY TPOT_OSTYPE;
+ do
+ check_var "$var"
+ check_safety "$var"
+ validate_format "$var"
+done
+
+# Specific check for WEB_USER
+check_var "WEB_USER"
+check_web_user_safety "$WEB_USER"
+
+echo "# All settings seem to be valid."
+
+
 # Check for compatible OSType
 echo
 echo "# Checking if OSType is compatible."
@@ -26,7 +106,7 @@ if [ -f "/data/uuid" ];
 echo
 echo "# Data folder is present, just cleaning up, please be patient ..."
 echo
- /opt/tpot/bin/clean.sh on
+ /opt/tpot/bin/clean.sh "${TPOT_PERSISTENCE}"
 echo
 else
 figlet "Setting up ..."
@@ -46,7 +126,7 @@ if [ -f "/data/uuid" ];
 mkdir -vp /data/ews/conf \
 /data/nginx/{cert,conf,log} \
 /data/tpot/etc/compose/ \
- /data/tpot/etc/logrotate/ \
+ /data/tpot/etc/logrotate/ \
 /tmp/etc/
 echo
 echo "# Generating self signed certificate ..."
@@ -148,7 +228,7 @@ fi
 # Done
 echo
 figlet "Starting ..."
-figlet "${VERSION}"
+figlet "T-Pot: ${TPOT_VERSION}"
 echo
 touch /tmp/success
diff --git a/env.example b/env.example
index 14ea7275..6c4cb692 100644
--- a/env.example
+++ b/env.example
@@ -14,6 +14,13 @@ WEB_USER='change:me'
 # DISABLED: This is the default and no stealth efforts are in place.
 TPOT_BLACKHOLE=DISABLED
+# T-Pot Persistence
+# on: This is the default. T-Pot will keep the honeypot logfiles and rotate
+# with logrotate for 30 days.
+# off: This is recommended for Raspberry Pi or setups with weaker CPUs or
+# if you just do not need any of the logfiles.
+TPOT_PERSISTENCE=on
+
 # T-Pot AttackMap Text Output
 # ENABLED: This is the default and the docker container map_data will print events to the console.
 # DISABLED: Printing events to the console is disabled.
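Review bot: check_var, check_safety and validate_format obtain the value with `local var_value=$(eval echo \$$var_name)`, so the `[^a-zA-Z0-9_/.:-]` regex and the ENABLED/DISABLED check are applied to an expanded copy rather than to the raw string: eval executes `echo $NAME` unquoted, which word-splits and glob-expands the value (a value of `*` can be replaced by file names from the working directory that then satisfy the character class) and lets echo swallow option-like values such as `-n`, which check_var would then report as empty. Bash indirect expansion reads the variable verbatim and also drops the command substitution that masks the exit status; `local var_value="${!var_name}"` in all three functions (the names fed to `eval` come only from the hard-coded `for var in ...` list, so the eval itself is not reachable from outside input). The `COCKPIT` arm of validate_format is never reached because COCKPIT is not in that list; either add it to the loop or remove the arm. check_web_user_safety admits only `$apr1$` digests, so an htpasswd bcrypt entry (`$2y$...`) would be refused with the misleading "Unsafe characters" message; the comment above the regex should say `# Only user:$apr1$... (htpasswd MD5) entries are accepted; bcrypt hashes are rejected`.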
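Review bot: `/opt/tpot/bin/clean.sh "${TPOT_PERSISTENCE}"` forwards whichever of the six spellings validate_format admits (ENABLED/DISABLED, on/off, true/false), whereas the call it replaces passed the literal `on`; unless clean.sh normalises all of them (it is not visible here), a value such as `true` or `ENABLED` passes the startup check but may not be honoured by the cleanup. Normalising once in the entrypoint before this call, e.g. `case "${TPOT_PERSISTENCE,,}" in enabled|true) TPOT_PERSISTENCE=on ;; disabled|false) TPOT_PERSISTENCE=off ;; esac`, or narrowing validate_format to the spellings clean.sh accepts, closes that gap. The enclosing if block starts and ends outside the hunk.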