#!/bin/bash

#################################################################################

# Copyright (c) 2017-2018 SecureStack & Paul McCarty <[email protected]> #

#################################################################################

CONFIG_VERSION=1.2.4_6

stop_ubuntu () {

sudo /var/ossec/bin/ossec-control stop

# Daemons to manage go here #

daemons=(

wazuh-manager

wazuh-agent

fail2ban

filebeat

metricbeat

logstash

kibana

elasticsearch

maldet

clamav-daemon

clamav-freshclam

nginx

wazuh-api

)

for i in "${daemons[@]}"

do

echo "Disabling $i" && sudo systemctl stop $i && sudo systemctl disable $i

done

}

stop_el () {

sudo /var/ossec/bin/ossec-control stop

# Daemons to manage go here #

daemons=(

wazuh-manager

wazuh-agent

fail2ban

filebeat

metricbeat

logstash

kibana

elasticsearch

maldet

clamd@scan

nginx

wazuh-api

)

for i in "${daemons[@]}"

do

sudo rpm -qa | grep -q $i && echo "Disabling $i" && sudo systemctl stop $i && sudo systemctl disable $i

done

sudo rpm -qa | grep -q clamav-scanner && echo "Disabling clamd@scan" && sudo systemctl stop clamd@scan && sudo systemctl disable clamd@scan

}

start () {

if [[ $SECURESTACK_ROLE = 'server' ]];then

echo "SecureStack Role is SERVER"

echo "Starting Wazuh, Elasticsearch, Logstash, Kibana, Filebeat and Metricbeat"

sudo systemctl start wazuh-manager && sudo systemctl enable wazuh-manager

sudo systemctl start wazuh-api && sudo systemctl enable wazuh-api

sudo systemctl start nginx && sudo systemctl enable nginx

sudo systemctl start elasticsearch && sudo systemctl enable elasticsearch

sudo systemctl start logstash && sudo systemctl enable logstash

sudo systemctl start kibana && sudo systemctl enable kibana

sudo systemctl start filebeat && sudo systemctl enable filebeat

sudo systemctl start metricbeat && sudo systemctl enable metricbeat

# Get IP information

echo " "

echo "============================================================================================================================================"

echo "As a general rule we suggest that you don't allow access to the Web UI from the internet at all. But, in the absence of a VPN or some other"

echo "way to connect using the local IP address you will need to create a Security Group in AWS that allows access to HTTP (tcp 80) from your IP"

echo "address. You will need to do this before you can connect successfully. During the configuration you should have created a whitelist of"

echo "known good IP source addresses. Any addresses on the whitelist were given access to HTTP (tcp 80)."

echo "============================================================================================================================================"

echo " "

echo "If you've allowed http access to the internet you can login to the SecureStack Web UI at http://$(curl -s icanhazip.com)"

echo "Otherwise you can login to the SecureStack Web UI at http://$(hostname -I | xargs)"

echo " "

echo "============================================================================================================================================"

elif [[ $SECURESTACK_ROLE != 'server' ]];then

echo "SecureStack Role is Base"

echo "Starting wazuh-agent..."; sudo systemctl start wazuh-agent && sudo systemctl enable wazuh-agent

if [[ $(grep 'fail2ban:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling fail2ban..." && sudo systemctl start fail2ban && sudo systemctl enable fail2ban

else echo "Disabling fail2ban..." && sudo systemctl stop fail2ban && sudo systemctl disable fail2ban

fi

if [[ $(grep 'clamav:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling clamav..." && sudo systemctl start clamd@scan && sudo systemctl enable clamd@scan

else echo "Disabling clamav..." && sudo systemctl stop clamd@scan && sudo systemctl disable clamd@scan

fi

if [[ $(grep 'maldet:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Adding /mnt /media /home /opt/securestack to maldet monitor dirs." && sudo /usr/local/sbin/maldet --monitor users && sudo /usr/local/sbin/maldet --monitor /home,/mnt,/media

grep "/opt/securestack" /usr/local/maldetect/monitor_paths || echo '/opt/securestack' >> /usr/local/maldetect/monitor_paths

echo "Enabling Linux Malware Detect..." && sudo systemctl start maldet && sudo systemctl enable maldet

else echo "Disabling maldet..." && sudo systemctl stop maldet && sudo systemctl disable maldet

fi

if [[ $(grep 'metricbeat:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling Metricbeat..." && sudo systemctl start metricbeat && sudo systemctl enable metricbeat

else echo "Disabling metricbeat..." && sudo systemctl stop metricbeat && sudo systemctl disable metricbeat

fi

if [[ $(grep 'filebeat:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling Filebeat..." && sudo systemctl start filebeat && sudo systemctl enable filebeat

else echo "Disabling Filebeat..." && sudo systemctl stop filebeat && sudo systemctl disable filebeat

fi

if [[ $(grep 'rkhunter:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling Rootkit Hunter..." && sudo chmod a+x /etc/cron.daily/rkhunter

else echo "Disabling Rootkit Hunter..." && sudo chmod a-x /etc/cron.daily/rkhunter

fi

if [[ $(grep 'lynis:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling Lynis System Auditing..." && sudo chmod a+x /etc/cron.daily/lynis

else echo "Disabling Lynis System Auditing..." && sudo chmod a-x /etc/cron.daily/lynis

fi

if [[ $(grep 'selinux:' ./securestack.yml | grep -i -cim1 enabled) -eq 1 ]]; then

echo "Enabling SELinux..." && sudo setenforce 1

else echo "Disabling SELinux..." && sudo setenforce 0

fi

elif [[ $SECURESTACK_ROLE = 'naked' ]];then

echo "SecureStack Role is NAKED"

echo "Not doing anything."

fi

}

agent () {

case "$2" in

[lL][iI][sS][tT]|[lL])

echo "Listing all SecureStack agents... "

sudo /var/ossec/bin/agent_control -l | grep -v "Wazuh agent_control"

;;

[aA][cC][tT][iI][vV][eE]|[aA])

echo "Listing all SecureStack active agents... "

sudo /var/ossec/bin/agent_control -lc | grep -v "Wazuh agent_control"

;;

[iI][nN][fF][oO]|[iI])

if [[ $3 = 'all' ]]; then

echo "==========================================================================" >> /tmp/agent.report.$agent_time;

for agents in $(sudo /var/ossec/bin/agent_control -l| grep -v 127.0.0.1 |grep "ID: "| awk '{print $2}'| sed 's/,//g'); do

echo "OSSEC Report: " >> /tmp/agent.report.$agent_time

sudo /var/ossec/bin/agent_control -i $agents >> /tmp/agent.report.$agent_time;

echo "System Audit Report: " >> /tmp/agent.report.$agent_time;

if [[ $(sudo grep -cm1 "WARNING" /var/log/lynis.log) -eq 1 ]]; then echo "$(grep WARNING | wc -l /var/log/lynis.log) warnings in total";

else echo "Zero warnings from audit.";fi

echo -n "Audit executed at " && sudo grep "Hardening index" /var/log/lynis.log >> /tmp/agent.report.$agent_time;

echo >> /tmp/agent.report.$agent_time

echo "Firewall Report: " >> /tmp/agent.report.$agent_time

ssh $(sudo /var/ossec/bin/agent_control -i $agents |grep "IP address: "|awk '{print $3}') "sudo ufw status" >> /tmp/agent.report.$agent_time;

echo "==========================================================================" >> /tmp/agent.report.$agent_time;

done

more /tmp/agent.report.$agent_time;

exit 0;

elif [[ $3 -ge 1 ]]; then

echo "==========================================================================" >> /tmp/agent.report.$agent_time;

echo "OSSEC Report: " >> /tmp/agent.report.$agent_time

sudo /var/ossec/bin/agent_control -i $3 >> /tmp/agent.report.$agent_time

echo >> /tmp/agent.report.$agent_time

echo "Firewall Report: " >> /tmp/agent.report.$agent_time

ssh -q $(sudo /var/ossec/bin/agent_control -i $3 | grep "IP address: "|awk '{print $3}') "sudo ufw status" >> /tmp/agent.report.$agent_time;

echo "==========================================================================" >> /tmp/agent.report.$agent_time;

more /tmp/agent.report.$agent_time;

exit 0;

elif [[ -z $3 ]]; then

echo "Which agents do you want to get info for? "

exit 0;

fi

;;

[rR][eE][sS][tT][aA][rR][tT]|[rR])

if [[ $3 = 'all' ]]; then

sudo /var/ossec/bin/agent_control -Ra;

exit 0;

elif [[ -z $3 ]]; then

echo "Which agents do you want to restart? If you want to restart all instances type all."

echo "Otherwise if you want to restart a specific server supply its agent id."

exit 0;

elif [[ $3 -ge 1 ]]; then

sudo /var/ossec/bin/agent_control -R -u $3;

exit 0;

fi

;;

[sS][cC][aA][nN]|[sS])

if [[ $3 = 'all' ]]; then

sudo /var/ossec/bin/agent_control -ra;

exit 0;

elif [[ -z $3 ]]; then

echo "Which agents do you want to scan? If you want to scan all instances type all."

echo "Otherwise if you want to scan a specific server supply its agent id."

exit 0;

elif [[ $3 -ge 1 ]]; then

sudo /var/ossec/bin/agent_control -r -u $3;

exit 0;

fi

;;

[uU][pP][dD][aA][tT][eE]|[uU])

if [[ -z $3 ]]; then echo "Must supply target. Example: securestack agent update 10.0.0.100"; exit 0; fi

if [[ $3 = 'all' ]]; then echo "Updating all machines...";

for i in $(sudo /var/ossec/bin/agent_control -lc | grep -v 127.0.0.1 | grep -o "IP:.*"|awk '{print $2}'|tr -d ,);

do ssh -o StrictHostKeyChecking=no $i "$sshome/scripts/securestack update";

done;

else ssh -o StrictHostKeyChecking=no $3 "$sshome/scripts/securestack update"

fi

;;

[pP][aA][tT][cC][hH]|[pP])

if [[ -z $3 ]]; then echo "Must supply target. Example: securestack agent report 10.0.0.100"; exit 0; fi

if [[ $3 = 'all' ]]; then echo "Reporting on all machines...";

for i in $(sudo /var/ossec/bin/agent_control -lc | grep -v 127.0.0.1 | grep -o "IP:.*"|awk '{print $2}'|tr -d ,);

do ssh -o StrictHostKeyChecking=no $i "$sshome/scripts/securestack check_update";

done;

else ssh -o StrictHostKeyChecking=no $3 "$sshome/scripts/securestack check_update"

fi

;;

*)

echo "Must supply verb. Example: securestack agent (list|restart|active|scan|info|patch|update)"; exit 0

;;

esac

}

configure_networking_server () {

echo "******************************************************************************"

echo "############ local_net section #######################################"

echo "What subnets do you want to have access to this SecureStack server?"

echo "If you are deploying to AWS this is usually the main IPv4 CIDR block attached to your VPC"

echo "or you can specify individual subnets but this will limit what instances can talk to this"

echo "SecureStack server."

echo "Please include all networks that will be managed by this particular instance of SecureStack."

echo "Enter subnets here: "; read -a local_net

echo "******************************************************************************"

echo "############ whitelist section ######################################"

echo "This is where you define what IP addresses or networks you want to have administrative"

echo "access to this SecureStack server. This access is limited to http for nginx and"

echo "tcp 22 for ssh. Please be careful as you can lock yourself out of your server if you"

echo "enter the wrong values here. You can cancel by hitting Ctrl-C now which will leave ssh"

echo "open but you won't be able to use the web UI until you define this access."

echo "---- Hit Ctrl-C now to exit or any key to continue -------------------"; read

echo "Define your whitelist ips here: "; read -a whitelist

echo "Writing ${local_net[@]} to local_net in $sshome/securestack.yml."

sed -i "s#^local_net:.*#local_net: '$(echo ${local_net[@]})'#g" /opt/securestack/securestack.yml

echo "Writing ${whitelist[@]} to whitelist in $sshome/securestack.yml."

sed -i "s#^whitelist:.*#whitelist: '$(echo ${whitelist[@]})'#g" /opt/securestack/securestack.yml

# echo set the OSSEC server IP below

sed -i "s#^ossec_server_ip:.*#ossec_server_ip: '$(hostname -I | xargs)'#g" /opt/securestack/securestack.yml

sed -i "s#^ossec_server_ip:.*#ossec_server_ip: '$(hostname -I | xargs)'#g" /opt/securestack/ansible/launch_vars.yml

firewall_restart

}

configure_networking_base () {

echo "******************************************************************************"

echo "############ whitelist section ######################################"

echo "This is where you define what IP addresses or networks you want to have administrative"

echo "access to this SecureStack server. This access is limited to"

echo "tcp 22 for ssh. Please be careful as you can lock yourself out of your server if you"

echo "enter the wrong values here. You can cancel by hitting Ctrl-C now which will leave ssh"

echo "open but you won't be able to use the web UI until you define this access."

echo "---- Hit Ctrl-C now to exit or any key to continue -------------------"; read

echo "Define your whitelist ips here: "; read -a whitelist

#echo "Writing ${local_net[@]} to local_net in $sshome/securestack.yml."

#sed -i "s#^local_net:.*#local_net: '$(echo ${local_net[@]})'#g" /opt/securestack/securestack.yml

echo "Writing ${whitelist[@]} to whitelist in $sshome/securestack.yml."

sed -i "s#^whitelist:.*#whitelist: '$(echo ${whitelist[@]})'#g" /opt/securestack/securestack.yml

firewall_restart

}

configure_networking_profile () {

echo "******************************************************************************"

echo "############ local_net section #######################################"

echo "What subnets do you want to have access to this SecureStack server?"

echo "If you are deploying to AWS this is usually the main IPv4 CIDR block attached to your VPC"

echo "or you can specify individual subnets but this will limit what instances can talk to this"

echo "SecureStack server."

echo "Please include all networks that will be managed by this particular instance of SecureStack."

echo "Enter subnets here: "; read -a local_net

echo "******************************************************************************"

echo "############ whitelist section ######################################"

echo "This is where you define what IP addresses or networks you want to have administrative"

echo "access to this SecureStack server. This access is limited to"

echo "tcp 22 for ssh. Please be careful as you can lock yourself out of your server if you"

echo "enter the wrong values here. You can cancel by hitting Ctrl-C now which will leave ssh"

echo "open but you won't be able to use the web UI until you define this access."

echo "---- Hit Ctrl-C now to exit or any key to continue -------------------"; read

echo "Define your whitelist ips here: "; read -a whitelist

echo "******************************************************************************"

echo "Writing ${local_net[@]} to local_net in $1"

sed -i "s#^local_net:.*#local_net: '$(echo ${local_net[@]})'#g" $1

echo "Writing ${whitelist[@]} to whitelist in $1"

sed -i "s#^whitelist:.*#whitelist: '$(echo ${whitelist[@]})'#g" $1

read -p "Will this SecureStack SIPServer manage this profile? [y/N] : " ossecserv_ans

case "$ossecserv_ans" in

[yY][eE][sS]|[yY])

sed -i "s#^ossec_server_ip:.*#ossec_server_ip: '$(hostname -I | xargs)'#g" $1

whitelist=( "${whitelist[@]}" "$(hostname -I | xargs)" )

;;

*)

read -p "What's the hostname or IP address of the SIPServer that will manage this profile? " sipserver_ans

sed -i "s#^ossec_server_ip:.*#ossec_server_ip: '$sipserver_ans'#g" $1

;;

esac

}

firewall () {

case "$2" in

[rR][eE][sS][tT][aA][rR][tT]|[rR])

firewall_restart $@

;;

*)

echo "Must supply verb. Example: securestack firewall (restart|apply)"; exit 0

;;

esac

}

firewall_restart () {

# Get the IP info from $$home/securestack.yml

whitelist_arr=$(grep ^whitelist $sshome/securestack.yml | sed 's/^.*: //'| sed "s/'//g")

localnet_arr=$(grep ^local_net $sshome/securestack.yml | sed 's/^.*: //'| sed "s/'//g")

ossec_server_arr=$(grep ^ossec_server_ip $sshome/securestack.yml | sed 's/^.*: //'| sed "s/'//g")

echo "******************************************************************************"

echo "Deleting existing firewall rules..."

sudo ufw --force reset

sudo ufw --force enable

echo "******************************************************************************"

if [[ $SECURESTACK_ROLE = 'server' ]];then

echo "Allowing access to OSSEC from local_net.";

for subnets in ${localnet_arr[@]}

do

sudo ufw allow proto tcp from $subnets to any port 1514

sudo ufw allow proto tcp from $subnets to any port 1515

done

echo "Allowing ssh and http from whitelist."

for ip in ${whitelist_arr[@]}

do

sudo ufw allow proto tcp from $ip to any port 22

sudo ufw allow proto tcp from $ip to any port 80

done

elif [[ $SECURESTACK_ROLE != 'server' ]];then

echo "Allowing ssh from whitelist."

for ip in ${whitelist_arr[@]}

do

sudo ufw allow proto tcp from $ip to any port 22

done

for ip2 in ${ossec_server_arr[@]}

do

sudo ufw allow proto tcp from $ip2 to any port 22

done

fi

echo "******************************************************************************"

echo "Removing inital ssh rule..."

sudo ufw --force delete 1

echo "******************************************************************************"

}

auth_type () {

echo

echo "******************************************************************************"

echo "To manage Linux instances you will need to create ssh keys or install the"

echo "Kryptonite MFA client. Kryptonite enables multi-factor authentication for"

echo "your Linux instances and is our preferred authentication method."

echo "******************************************************************************"

echo

read -p "Do you want to use Kryptonite multi-factor authentication? [y/N] : " kryptonite_ans

case "$kryptonite_ans" in

[yY][eE][sS]|[yY])

mfa

;;

*)

ssh_keys

;;

esac

}

ssh_keys () {

read -p "Do you want to create ssh keys to use with SecureStack now? [y/N] : " ssh_ans

case "$ssh_ans" in

[yY][eE][sS]|[yY])

read -p "What do you want to name your ssh keys? [y/N] : " key_name_ans

ssh-keygen -t rsa -b 4096 -f /opt/securestack/.ssh/$key_name_ans

echo

echo "If you have the AWS cli installed and configured you can use this command to import the new ssh key into"

echo "your AWS acccount: "

echo "aws ec2 import-key-pair --key-name \"$key_name_ans\" --public-key-material file://~/.ssh/$key_name_ans.pub"

echo

echo "Otherwise you can manually open https://console.aws.amazon.com/ec2/v2/#KeyPairs:sort=keyName and click the"

echo ""Import Key Pair" button at the top and copy the $key_name_ans.pub key contents into the field and click"

echo ""Import". You should now see your new key in the list. Add this key name to your launch_vars.yml in"

echo "/opt/securestack/ansible/ and you will be able to provision new instances using this key."

exit

;;

*)

echo "You don't have to create ssh keys now but be aware that you will not"

echo "be able to provision with this SecureStack server without defining"

echo "which ssh keys to use. You can do this manually by importing keys"

echo "into AWS manually and defining the key name in ec2_vars.yml"

;;

esac

}

secret () {

if [[ $2 = 'restart' ]] && [[ $SECURESTACK_ROLE = 'server' ]]; then

echo "Restarting authd daemon...";

sudo kill $(pgrep ossec-authd);

sudo /var/ossec/bin/ossec-authd -i -F 600 -P;

exit 0;

fi

read -p "Generate a new authd key and configure it for distribution to your base instances? [y/N] : " authd_create

case "$authd_create" in

[yY][eE][sS]|[yY])

echo "Generating random key now..."

authd_key=$(sudo cat /dev/urandom | tr -dc 'a-fA-F0-9' | fold -w 64 | head -n 1)

echo "Syncing launch_vars.yml and authd.pass now..."

echo $authd_key | sudo tee /var/ossec/etc/authd.pass

sed -i "s/^authd_password:.*/authd_password: '$authd_key'/g" /opt/securestack/ansible/launch_vars.yml

if [[ $SECURESTACK_ROLE = 'server' ]]; then echo "Restarting authd daemon..."; sudo kill $(pgrep ossec-authd); sudo /var/ossec/bin/ossec-authd -i -F 600 -P;fi

;;

*)

echo "Skipping authd update. If you plan on provisioning from this SIPServer"

echo "please check that you are using the correct authd key."

;;

esac

}

create_user () {

read -p "Do you want to create a new user for the web ui? [y/N] : " nginx_create

case "$nginx_create" in

[yY][eE][sS]|[yY])

read -p "What is the new username? " nginx_user

echo "Enter the new password? "; read -s nginx_pass

sudo htpasswd -cb /etc/nginx/htpasswd.users $nginx_user $nginx_pass || echo "No htpasswd found. This command only works on Server instances"

unset nginx_pass

sudo chown nginx:nginx /etc/nginx/htpasswd.users

;;

*)

echo "Cancelling new user creation."

;;

esac

#nginx_pass=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w64 | head -n1)

}

configure_apps () {

echo

echo "SecureStack Role: $SECURESTACK_ROLE"

echo "******************************************************************************"

read -p "Do you want to enable clamav anti-virus? [y/n] : " clamav_ans

read -p "Do you want to enable Linux Malware Detect (LMD/maldet)? [y/n] : " maldet_ans

read -p "Do you want to enable fail2ban? [y/n] : " fail2ban_ans

if [[ $SECURESTACK_ROLE != 'server' ]]; then read -p "Do you want to enable Metricbeat? [y/n] : " metricbeat_ans; fi

if [[ $SECURESTACK_ROLE != 'server' ]]; then read -p "Do you want to enable Filebeat? [y/n] : " filebeat_ans; fi

#read -p "Do you want to enable Web Application Firewall? [y/n] " waf_ans

read -p "Do you want to enable Rootkit Hunter? [y/n] " rkhunter_ans

if [[ $SECURESTACK_ROLE != 'server' ]]; then read -p "Do you want to enable SELinux? [y/n] : " selinux_ans; fi

if [[ $SECURESTACK_ROLE != 'server' ]]; then read -p "Do you want to enable Lynis System Auditing? [y/n] : " lynis_ans; fi

echo "******************************************************************************"

# clamav section

case "$clamav_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^clamav:.*/clamav: 'enabled'/g" $1

;;

*)

sed -i "s/^clamav:.*/clamav: 'disabled'/g" $1

;;

esac

# maldet section

case "$maldet_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^maldet:.*/maldet: 'enabled'/g" $1

;;

*)

sed -i "s/^maldet:.*/maldet: 'disabled'/g" $1

;;

esac

# fail2ban section

case "$fail2ban_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^fail2ban:.*/fail2ban: 'enabled'/g" $1

;;

*)

sed -i "s/^fail2ban:.*/fail2ban: 'disabled'/g" $1

;;

esac

# metricbeat section

case "$metricbeat_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^metricbeat:.*/metricbeat: 'enabled'/g" $1

;;

*)

sed -i "s/^metricbeat:.*/metricbeat: 'disabled'/g" $1

;;

esac

# filebeat section

case "$filebeat_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^filebeat:.*/filebeat: 'enabled'/g" $1

;;

*)

sed -i "s/^filebeat:.*/filebeat: 'disabled'/g" $1

;;

esac

# rkhunter section

case "$rkhunter_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^rkhunter:.*/rkhunter: 'enabled'/g" $1

;;

*)

sed -i "s/^rkhunter:.*/rkhunter: 'disabled'/g" $1

;;

esac

# selinux section

case "$selinux_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^selinux:.*/selinux: 'enabled'/g" $1

;;

*)

sed -i "s/^selinux:.*/selinux: 'disabled'/g" $1

;;

esac

# lynis section

case "$lynis_ans" in

[yY][eE][sS]|[yY])

sed -i "s/^lynis:.*/lynis: 'enabled'/g" $1

;;

*)

sed -i "s/^lynis:.*/lynis: 'disabled'/g" $1

;;

esac

if [[ $SECURESTACK_ROLE = 'server' ]]; then sed -i "s/^filebeat:.*/filebeat: 'enabled'/g" $1; fi

if [[ $SECURESTACK_ROLE = 'server' ]]; then sed -i "s/^metricbeat:.*/metricbeat: 'enabled'/g" $1; fi

}

profile() {

export ANSIBLE_HOST_KEY_CHECKING=False

case "$2" in

[cC][rR][eE][aA][tT][eE]|[cC])

if [[ -z $3 ]]; then echo "Must provide a profile name. Example: securestack profile create test_profile"; exit 0; fi

echo

echo "You are creating a new profile. This will allow you apply which security applications are running"

echo "on individual servers or groups of servers."

echo

if [[ -f $sshome/profiles/$3.profile.yml ]]; then echo "That profile already exists."; exit 0; fi

cp $sshome/profiles/example.profile.yml $sshome/profiles/$3.profile.yml

sed -i "s/^profile_name:.*/profile_name: '$3'/g" ./profiles/$3.profile.yml

#sed -i "/---/a profile_name: $3" ./profiles/$3.profile.yml

SECURESTACK_ROLE='base' && configure_apps $sshome/profiles/$3.profile.yml

configure_networking_profile $sshome/profiles/$3.profile.yml

;;

[lL][iI][sS][tT]|[lL])

grep -s "profile_name: " $sshome/profiles/*.profile.yml | awk '{print $2}'

;;

[sS][hH][oO][wW]|[sS])

if [[ -z $3 ]]; then echo "Must provide a profile name. Example: securestack profile show test_profile"; exit 0; fi

cat $sshome/profiles/$3.profile.yml

;;

[aA][pP][pP][lL][yY]|[aA])

echo "Applying profile..."

if [[ -z $3 ]]; then

echo "Must provide a profile name and target to apply. Example: securestack profile apply test_profile server01";

exit 0;

elif [[ -z $4 ]]; then

echo "Must provide a target to apply profile to. Example: securestack profile apply test_profile server01";

exit 0;

fi

echo "Copying profile to $4 ..." && scp $sshome/profiles/$3.profile.yml securestack@$4:$sshome/securestack.yml

echo "Updating SecureStack on $4 ..." && ssh $4 "$sshome/scripts/securestack update"

echo "Configuring services on $4 ..." && ssh $4 "$sshome/scripts/securestack stop && $sshome/scripts/securestack start"

echo "Pushing firewall rules to $4 ..." && ssh $4 "$sshome/scripts/securestack firewall restart"

;;

[nN][eE][wW]|[nN])

echo "You are creating a new profile"

read -p "Which provider? Choices are: ec2, gce, azure, ali, vmware. " provider_ans

;;

*)

echo "Must supply verb. Example: securestack profile (create|remove|apply|show|list)"; exit 0

;;

esac

}

provision() {

timestamp=$(date +"%Y-%m-%d_%H-%M-%S")

export ANSIBLE_HOST_KEY_CHECKING=False

case "$2" in

[iI][nN][tT]|[iI])

read -p "AWS access key? " aws_access_key_ans

read -p "AWS secret key? " aws_secret_key_ans

read -p "Hostname? " hostname_ans

read -p "Local Network? " local_net_ans

read -p "Subnet? " vpc_subnet_id_ans

read -p "Security Groups? " group_id_ans

read -p "SecureStack Server IP Address? " server_ip_ans

read -p "authd password? " authd_pass_ans

export ANSIBLE_HOST_KEY_CHECKING=False

echo "**************************************************************************"

echo "AWS access key = $aws_access_key_ans"

echo "AWS secret key = $aws_secret_key_ans"

echo "Hostname = $hostname_ans"

echo "Local Network = $local_net_ans"

echo "Subnet = $vpc_subnet_id_ans"

echo "Security Group(s) = $group_id_ans"

echo "Server IP Address = $server_ip_ans"

echo "Authd Password = $authd_pass_ans"

echo "**************************************************************************"

echo "Everything look good? If so, hit enter. Otherwise Cntl-C to exit."

read

ansible-playbook $HOME/ansible/launch_securestack_ami.yml -e "local_net=$local_net_ans ossec_server_ip=$server_ip_ans authd_password=$authd_pass_ans hostname=$hostname_ans" \

-e "aws_access_key=$aws_access_key_ans aws_secret_key=$aws_secret_key_ans vpc_subnet_id=$vpc_subnet_id_ans group_id=$group_id_ans"

;;

[hH][oO][sS][tT]|[hH][oO][sS][tT][nN][aA][mM][eE])

# HOSTNAME

export ANSIBLE_HOST_KEY_CHECKING=False

if [[ -z $4 ]]; then

ansible-playbook $HOME/ansible/launch_securestack_ami.yml -e "host_key_checking=False hostname=$3 image={{ centos_image }}"

elif [[ $4 = 'image' ]]; then

ansible-playbook $HOME/ansible/launch_securestack_ami.yml -e "host_key_checking=False hostname=$3 image={{ $5_image }}"

else echo "Must supply image name. Example: securestack provision hostname test-server01 image centos"; exit 0

fi

;;

[pP][rR][oO][fF]|[pP][rR][oO][fF][iI][lL][eE])

# PROFILE

if [[ $4 = 'hostname' ]]; then

if [[ -z $5 ]]; then

echo "Must supply hostname. Example: securestack provision profile default hostname test-server01"; exit 0

fi

export ANSIBLE_HOST_KEY_CHECKING=False

ansible-playbook $HOME/ansible/launch_securestack_profile.yml -e "host_key_checking=False hostname=$5 remote_user=securestack profile=$3"

else

echo "Must supply hostname. Example: securestack provision profile default hostname test-server01"; exit 0

fi

;;

*)

echo "Must supply hostname. Example: securestack provision hostname test-server01 image centos"; exit 0

;;

esac

}

mfa() {

command -v kr &>/dev/null && export MFA_INSTALLED=yes

if [[ $MFA_INSTALLED = 'yes' ]]; then read -p "Kryptonite Multi-Factor client is already installed. Do you want to pair it with your Krytonite account? [y/n] " kryp_pair

case "$kryp_pair" in

[yY][eE][sS]|[yY])

kr pair

;;

*)

echo "Not pairing with Kryptonite MFA. Exiting..."

#exit 0

;;

esac

elif [[ $MFA_INSTALLED != 'yes' ]]; then

echo "Kryptonite Multi-Factor client is not installed."

read -p "Do you want to install Kryptonite Multi Factor Authentication? " krypt_ans

command -v kr &>/dev/null && echo "Kryptonite is already installed. Exiting... " && exit

case "$krypt_ans" in

[yY][eE][sS]|[yY])

gpg --keyserver=hkp://pgp.mit.edu:80 --recv-keys "C4A05888A1C4FA02E1566F859F2A29A569653940"

gpg --export --armor C4A05888A1C4FA02E1566F859F2A29A569653940 > /tmp/kryptco.key

sudo rpm --import /tmp/kryptco.key

sudo yum-config-manager --add-repo https://kryptco.github.io/yum

sudo rm -rf /tmp/kryptco.key

sudo yum install kr -y

kr pair

#exit 0

;;

*)

echo "Cancelling new MFA creation."

;;

esac

fi

}

update_el () {

if [[ $SECURESTACK_ROLE = 'server' ]] && [[ ! -d /opt/securestack/bin/ansible/ ]]; then

git clone https://github.com/ansible/ansible.git --recursive /opt/securestack/bin/ansible/;

fi

if [[ $SECURESTACK_ROLE = 'server' ]]; then

grep "source /opt/securestack/bin/ansible/hacking/env-setup" ~/.bash_profile || echo 'source /opt/securestack/bin/ansible/hacking/env-setup &> /dev/null' >> /opt/securestack/.bash_profile;

source /opt/securestack/bin/ansible/hacking/env-setup &> /dev/null;

fi

if [[ -x /etc/yum.repos.d/wazuh.repo ]]; then sudo sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/wazuh.repo;fi

if [[ -x /etc/yum.repos.d/elastic.repo ]]; then sudo sed -i 's/enabled=1/enabled=0/g' /etc/yum.repos.d/elastic.repo;fi

if [[ $(yum check-update --quiet |wc -l) != 0 ]]; then

echo "******************************************************************************"

echo "There are $(yum check-update --quiet |wc -l) packages that need to be updated."

read -p "Do you want to update your operating system now? [y/n] " updatenow

case "$updatenow" in

[yY][eE][sS]|[yY])

sudo yum update -y

;;

*)

echo "Not updating operating system."

;;

esac

else echo "Your operating system is up to date"

fi

echo " "

}

autoupdate () {

chown -R securestack /opt/securestack;

if [[ -x /opt/securestack/clear_logs.sh ]]; then rm -rf /opt/securestack/clear_logs.sh; fi

if [[ $os_ver = 'ubuntu' ]]; then sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get dist-upgrade -y;

elif [[ $os_ver = 'redhat' ]] || [[ $os_ver = 'centos' ]]; then

if [[ $(yum check-update --quiet |wc -l) != 0 ]]; then

echo "******************************************************************************"

echo "There are $(yum check-update --quiet |wc -l) packages that need to be updated on hostname $(hostname)"

sudo yum update -y

else echo "Your operating system is up to date"

fi

fi

echo " "

}

check_update () {

if [[ $os_ver = 'ubuntu' ]]; then echo $(hostname) && sudo /usr/lib/update-notifier/apt-check --human-readable;

elif [[ $os_ver = 'redhat' ]] || [[ $os_ver = 'centos' ]]; then

if [[ $(yum check-update --quiet |wc -l) != 0 ]]; then

echo "******************************************************************************"

echo "There are $(yum check-update --quiet |wc -l) packages that need to be updated on hostname $(hostname)"

echo

else echo "The operating system is up to date on hostname $(hostname)";

echo

fi

fi

}

update_ubuntu () {

if [[ -x /opt/securestack/clear_logs.sh ]]; then rm -rf /opt/securestack/clear_logs.sh; fi

if [[ $SECURESTACK_ROLE = 'server' ]] && [[ ! -d /opt/securestack/bin/ansible/ ]]; then git clone https://github.com/ansible/ansible.git --recursive /opt/securestack/bin/ansible/;fi

if [[ $SECURESTACK_ROLE = 'server' ]]; then

grep "source /opt/securestack/bin/ansible/hacking/env-setup" ~/.bash_profile || echo 'source /opt/securestack/bin/ansible/hacking/env-setup' >> /opt/securestack/.bash_profile;

source /opt/securestack/bin/ansible/hacking/env-setup;

fi

sudo /usr/lib/update-notifier/apt-check --human-readable

echo "******************************************************************************"

sudo apt-get update && sudo apt-get -y upgrade && sudo apt-get dist-upgrade -y;

}

elasticsearch () {

### this section needs to show all indices and their size. additionally it needs to remove or prune existing indices. ###

yellow_index=$(curl -s -X GET "localhost:9200/_cat/indices?v&health=yellow" | grep -v ^"health status"| wc -l)

green_index=$(curl -s -X GET "localhost:9200/_cat/indices?v&health=green" | grep -v ^"health status"| wc -l)

case "$2" in

[lL][iI][sS][tT]|[lL])

curl -X GET "localhost:9200/_cat/indices?v";

;;

[pP][rR][uU][nN][eE]|[pP])

echo "******************************************************************************"

read -p "Do you want to prune all metricbeat indices? This is usually enough to make Elasticsearch healthy. [y/n] " prune_metric

case "$prune_metric" in

[yY][eE][sS]|[yY])

curl -s -X DELETE "localhost:9200/metricbeat-*"

;;

*)

echo "Not pruning all metricbeat indices";

;;

esac

;;

[iI][nN][fF][oO]|[iI])

echo "There are $green_index GREEN indices"

echo "There are $yellow_index YELLOW indices"

echo "Note: a single node cluster will show all indices as yellow."

;;

*)

echo "Must supply verb. Example: securestack elasticsearch (list|prune|info)"; exit 0

;;

esac

}

status() {

echo "******************************************************************************"

yellow_index=$(curl -s -X GET "localhost:9200/_cat/indices?v&health=yellow" | grep -v ^"health status"| wc -l)

green_index=$(curl -s -X GET "localhost:9200/_cat/indices?v&health=green" | grep -v ^"health status"| wc -l)

echo "There are $green_index GREEN indices"

echo "There are $yellow_index YELLOW indices"

echo "Note: a single node cluster will show all indices as yellow."

echo "******************************************************************************"

echo

if [[ -f /var/log/lynis.log ]]; then sudo grep -o "Hardening index.*" /var/log/lynis.log; fi

echo

}

version() {

ss_version=$(grep 'securestack_version:' /etc/securestack.conf | awk '{print $2}')

echo "SecureStack $SECURESTACK_ROLE version $ss_version"

echo "$sshome/scripts/securestack version $CONFIG_VERSION"

}

securestack_help() {

less <<-END

NAME

securescripts/securestackure - manage and provision SecureStack resources

SYNOPSIS

securestack-configure ACTION | SUBACTION <target>

DESCRIPTION

The securestack-configure cli tool allows you to manage existing, or to create new, SecureStack infrastructure.

ACTION

ACTION is one of the following:

agent

Manage existing SecureStack agents

Subactions for agent:

active

Get information about instances that are currently active. Does not require a target parameter. Information returned includes agent ID number, name and IP address.

Example: scripts/securestack agent active

info

Get detailed information about a specific agent. Requires an agent ID number or 'all' as a

target parameter. Information available are operating system, client version, last keep alive

time, last syscheck and last rootcheck.

Example: scripts/securestack agent info 011

list

Get information about all instances including active or disconnected agents. Does not require

a target parameter. Information returned includes agent ID number, name and IP address.

Example: scripts/securestack agent list

patch

List number of outstanding patches or updates that need to be applied. Requires an IP address

or 'all' as a target parameter.

Example: scripts/securestack agent patch 172.31.0.100

restart

Restart the agent on a managed instance. Requires a agent ID number or 'all' as a target

parameter. Restarting an agent will usually kick off a syscheck and rootcheck. Restarting

an agent will often fix issues related to changing ssl keys and other configuration

modifications.

Example: scripts/securestack agent restart 011

scan

Manually start a rootcheck and syscheck scan on a managed instance. Requires a agent ID

number or 'all' as a target parameter. Manually scanning an agent is sometimes necessary,

especially if the instance or agent has been turned off or during forensic analysis.

Example: scripts/securestack agent scan 011

update

You can update the agent client version, operating system, scripts/securestack application and more

with the update action. Requires an IP address or 'all' as a target parameter.

Example: scripts/securestack agent update 011

autoupdate

Update all software on a managed instance. This includes updating the operating system, applying

patches, and upgrading the scripts/securestack application.

Example: scripts/securestack autoupdate

check_update

Check to see if there are any outstanding operating system packages or patches to install. If

there are, display the number of packages in total that need to be installed.

Example: scripts/securestack check_update

configure

The configure function can be run manually on a SIPServer or Base instance to configure the local

networking, firewall and application controls in an interactive way. Alternately, this function

can be called from the scripts/securestack application automatically through the use of profiles.

Example: scripts/securestack configure

The sub-functions that configure steps you through are:

* networking

* applications

* authentication type

* MFA secret type

You can also configure how just the applications are managed with configure_apps. Similarly,

you can configure just networking with configure_network. Finally, you can configure just the

firewall controls locally with firewall.

To run configure manually you simply give scripts/securestack the configure action. It will then guide

you through an interactive set of questions to configure this local instance.

Example: scripts/securestack configure

configure_apps

Configure just the application controls on a local instance.

Example: scripts/securestack configure_apps

configure_network

Configure just the network controls on a local instance.

Example: scripts/securestack configure_network

create_user

Create a new user for the web UI interactively.

Example: scripts/securestack create_user

elasticsearch

Manage your Elasticsearch service on your SIPServer.

Subactions for elasticsearch:

info

Get a status of all Elasticsearch indices and in what state they are in: green, yellow, red.

Example: scripts/securestack elasticsearch info

list

Get a list of all indices and their size.

Example: scripts/securestack elasticsearch list

prune

Delete all Metricbeat indices. This sub-function exists because Metricbeat creates very

large indices, often 200MB+ a day. The prune sub-function allows you to quickly remove

those Metriceat indices if they are filling up a filesystem.

Example: scripts/securestack elasticsearch prune

firewall

The firewall function parses the securestack.yml file (and any profiles that modify that file) and

applies the rules therein to the current firewall state.

Example: scripts/securestack firewall

help

Get this help information about SecureStack.

Example: scripts/securestack help

mfa

Manage or create your multi-factor authentication (MFA) method. Usually, with SecureStack this

means using Kryptonite. Kryptonite allows you to use one MFA method across all your SecureStack

infrastructure. This function first checks to make sure that Kryptonite is installed, and if it

isn't, it will install it. Next it authenticates to your companies Kryptonite account and then

pairs the local SIPServer to your account.

Example: scripts/securestack mfa

profile

Manage your different types of servers in SecureStack with profiles. For instance, if you want

all your linux servers to allow ssh and have an admin group of users allowed access you could

create a profile within SecureStack called "all_linux" and you could apply that profile and the

security controls it comes with to that group of servers.

Subactions for profile:

apply

Apply an existing profile to a subset of your infrastructure that is managed by SecureStack.

Example: scripts/securestack profile apply all_linux server01

create

Create a new profile interactively that you can apply to a subset of your infrastructure that

is managed by SecureStack.

Example: scripts/securestack profile create all_linux

list

List all existing SecureStack profiles. These profiles are stored in $sshome/profiles.

Example: scripts/securestack profile list

show

Show the contents of an existing profile.

Example: scripts/securestack profile show

provision

Create new SecureStack Base instances. These instances will use a default build config which you

can then modify by applying SecureStack profiles to.

Subactions for provision:

int

Provision a new instance interactively. This process will walk you through the provisioning

by asking you questions.

Example: scripts/securestack provision int

hostname

Provision a new instance from the scripts/securestack command line interface by defining all values

when you run the command. Two things are required to provision successfully: a hostname and

an image name. Hostname can be anything you want as long as it doesn't have any spaces in

the name. An image name can be: centos ubuntu or redhat

Example: scripts/securestack provision hostname test-webserver01 image centos

profile

Provision a new instance from the scripts/securestack command line interface using an existing

profile. Three things are required to provision successfully: a hostname, a profile name,

and an image name. Hostname can be anything you want as long as it doesn't have any spaces