Remove old Sensor Edition and replace with Pot Edition Rename Pot Edition to new Sensor Edition POT is now called SENSOR
#!/bin/bash
# Let's ensure normal operation on exit or if interrupted ...
# Exit handler installed on the EXIT trap further down. It unconditionally
# terminates the script with status 0, so no failing step in this entrypoint
# ever propagates a non-zero status to whatever launched it. Be aware that
# this also masks genuine errors (a failed download, a failed tunnel setup).
fuCLEANUP() {
  exit 0
}
# Run fuCLEANUP on every exit path (bash also runs the EXIT trap when the
# script is torn down by an interrupt), which forces an exit status of 0.
trap fuCLEANUP EXIT
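# Check internet availability
#
# fuCHECKINET SITES
#   $1 - whitespace-separated list of URLs/hosts to probe
#
# Sends a HEAD request (curl -I) to each entry and prints the number of
# entries that could NOT be reached on stdout ("0" means all answered).
# Only the printed count is meaningful to callers, not the exit status.
#
# Fixes versus the previous version: variables are local and quoted, the
# redirection order was reversed (2>&1 >/dev/null sent curl's stderr into
# the captured stdout, not to /dev/null), and a total --max-time bounds the
# request so a host that accepts the connection but never answers cannot
# stall Logstash startup indefinitely (--connect-timeout only bounds the
# handshake).
fuCHECKINET () {
  local sites="$1"
  local site
  local failures=0

  # Word-splitting on $sites is intentional: the caller passes a
  # space-separated list.
  # shellcheck disable=SC2086
  for site in $sites; do
    # -I: HEAD only, -s: silent. Output is discarded; only the exit status
    # of curl decides whether the site counts as reachable.
    if ! curl --connect-timeout 5 --max-time 15 -Is "$site" >/dev/null 2>&1; then
      failures=$((failures + 1))
    fi
  done

  echo "$failures"
}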
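# Check for connectivity and download latest translation maps
# Listbot serves the CVE and IP-reputation lookup tables that Logstash uses
# for enrichment. The download is best-effort: any failure is logged and
# Logstash is started with whatever maps are already in /etc/listbot.
myCHECK=$(fuCHECKINET "listbot.sicherheitstacho.eu")
if [ "$myCHECK" == "0" ]; then
  echo "Connection to Listbot looks good, now downloading latest translation maps."
  # Guard the cd: previously a missing /etc/listbot made aria2c drop the
  # archives into the current directory and bunzip2 -f then expanded
  # whatever *.bz2 happened to be there.
  if cd /etc/listbot; then
    # TLS is the only integrity check applied to these files; nothing here
    # verifies a checksum or signature, so a compromised or spoofed listbot
    # host feeds straight into the enrichment maps. Downloading is chained
    # so a failed cve.yaml does not leave a half-updated pair behind.
    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/cve.yaml.bz2 && \
    aria2c -s16 -x 16 https://listbot.sicherheitstacho.eu/iprep.yaml.bz2 && \
    bunzip2 -f *.bz2 || \
    echo "Download or extraction of the translation maps failed, continuing with the existing maps." >&2
  else
    echo "/etc/listbot is not accessible, starting Logstash without latest translation maps." >&2
  fi
  cd /
else
  echo "Cannot reach Listbot, starting Logstash without latest translation maps."
fi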
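# Distributed T-Pot installation needs a different pipeline config and autossh tunnel.
# A SENSOR ships its logs to the HIVE through an SSH tunnel: local port 64305
# is forwarded to 127.0.0.1:64305 on the hive (SSH listening on 64295) and the
# sensor-specific Logstash pipeline sends to that local port. Everything after
# this block is hive-only, hence the exit at the end.
if [ "$MY_TPOT_TYPE" == "SENSOR" ]; then
  echo
  echo "Distributed T-Pot setup, sending T-Pot logs to $MY_HIVE_IP."
  echo
  echo "T-Pot type: $MY_TPOT_TYPE"
  echo "Keyfile used: $MY_SENSOR_PRIVATEKEYFILE"
  echo "Hive username: $MY_HIVE_USERNAME"
  echo "Hive IP: $MY_HIVE_IP"
  echo

  # Swap in the sensor pipeline; a failed copy would leave the hive pipeline
  # in place, so make it visible.
  cp /usr/share/logstash/config/pipelines_pot.yml /usr/share/logstash/config/pipelines.yml || \
    echo "Error: could not install pipelines_pot.yml, Logstash will run with the default pipeline." >&2

  # Refuse to start the tunnel with an incomplete configuration. Previously
  # the variables were expanded unquoted, so an empty one silently dropped an
  # autossh argument and the following ones were re-interpreted (e.g. the
  # hive IP read as the -l user name).
  if [ -z "$MY_HIVE_IP" ] || [ -z "$MY_HIVE_USERNAME" ] || [ ! -r "$MY_SENSOR_PRIVATEKEYFILE" ]; then
    echo "Error: MY_HIVE_IP, MY_HIVE_USERNAME and a readable MY_SENSOR_PRIVATEKEYFILE are required, not starting the tunnel to the hive." >&2
  else
    # SECURITY: StrictHostKeyChecking=no together with UserKnownHostsFile=/dev/null
    # disables SSH host key verification entirely, so the sensor will tunnel
    # its logs to anything that answers on $MY_HIVE_IP:64295 — an on-path
    # attacker can impersonate the hive and collect or tamper with the logs.
    # Kept as-is because this script has no persistent location for a pinned
    # key; the fix is to ship the hive's host key in a known_hosts file and
    # replace these two options with -o "UserKnownHostsFile=<that file>".
    # -M 0 turns off autossh's own monitor port; liveness comes from the
    # ServerAlive options (3 missed 30s probes, i.e. ~90s, triggers a
    # reconnect). -4 forces IPv4, -N opens no remote shell.
    autossh -f -M 0 -4 -l "$MY_HIVE_USERNAME" -i "$MY_SENSOR_PRIVATEKEYFILE" -p 64295 -N \
      -L64305:127.0.0.1:64305 "$MY_HIVE_IP" \
      -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
      -o "StrictHostKeyChecking=no" -o "UserKnownHostsFile=/dev/null"
  fi
  exit 0
fi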
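# Index Management is happening through ILM, but we need to put T-Pot ILM setting on ES.
# Probe for the "tpot" lifecycle policy by HTTP status instead of grepping the
# error text: 404 means it is missing, 200 means it exists. Anything else
# (Elasticsearch unreachable → "000", auth problems, ...) is reported and left
# alone; a text match on the 404 body yields 0 hits when ES is down and would
# be misread as "already configured".
myTPOTILM=$(curl -s -o /dev/null -w '%{http_code}' -XGET "http://elasticsearch:9200/_ilm/policy/tpot")
if [ "$myTPOTILM" == "404" ]; then
  echo "T-Pot ILM template not found on ES, putting it on ES now."
  # Hot phase with no actions, then deletion once the index is 30 days old
  # (min_age counts from index creation here, as no rollover is configured).
  # --fail surfaces a rejected PUT through curl's exit status.
  curl --fail -XPUT "http://elasticsearch:9200/_ilm/policy/tpot" -H 'Content-Type: application/json' -d'
{
"policy": {
"phases": {
"hot": {
"min_age": "0ms",
"actions": {}
},
"delete": {
"min_age": "30d",
"actions": {
"delete": {
"delete_searchable_snapshot": true
}
}
}
},
"_meta": {
"managed": true,
"description": "T-Pot ILM policy with a retention of 30 days"
}
}
}' || echo "Error: putting the T-Pot ILM policy on ES failed, index retention is not enforced." >&2
elif [ "$myTPOTILM" == "200" ]; then
  echo "T-Pot ILM already configured."
else
  echo "Could not query the T-Pot ILM policy on ES (HTTP status $myTPOTILM), leaving ILM untouched." >&2
fi
echo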