From 353d2274ea28347d3f16b2f2892eaae598043bb1 Mon Sep 17 00:00:00 2001
From: Jaerdon <23489368+Jaerdon@users.noreply.github.com>
Date: Tue, 29 Dec 2020 17:02:52 -0800
Subject: [PATCH] Yeet.
---
inv.sh | 89 ++++++++++++
inventory.sh | 270 ++++++++++++++++++++++++++++++++++++++++++
makeforwarder.sh | 49 ++++++++
snort-install.sh | 129 ++++++++++++++++++++
splunk-ent-install.sh | 11 ++
5 files changed, 548 insertions(+)
create mode 100644 inv.sh
create mode 100644 inventory.sh
create mode 100644 makeforwarder.sh
create mode 100644 snort-install.sh
create mode 100644 splunk-ent-install.sh
diff --git a/inv.sh b/inv.sh
new file mode 100644
index 0000000..76d765f
--- /dev/null
+++ b/inv.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+
+#testing
+
+'''
+ _________ ______
+ ___/ \ V \
+ / ^ |\ |\ \
+ /_O_/\ / / | ‾‾‾\ |
+ // \ |‾‾‾\_ | ‾‾
+// _\| _\|
+
+ zot zot, thots.
+'''
+
+if [[ $EUID -ne 0 ]]; then
+ printf 'Must be run as root, exiting!\n'
+ exit 1
+fi
+
+log () { printf "\033[01;30m$(date +"%T")\033[0m: $1\n"; }
+
+declare -a checkfiles=(~/.ssh/authorized_keys /root/.ssh/authorized_keys)
+
+log "SYSTEM INFORMATION"
+uname -a
+lsb_release -a
+cat /proc/version
+
+## Fancy /etc/passwd
+minid=$(grep "^UID_MIN" /etc/login.defs)
+maxid=$(grep "^UID_MAX" /etc/login.defs)
+printf "========================================================\n| Users List | Key: \033[01;34mUID = 0\033[0m, \033[01;32mUser\033[0m, \033[01;33mCan Login\033[0m, \033[01;31mNo Login\033[0m |\n========================================================\n"
+awk -F':' -v minuid="${minid#UID_MIN}" -v maxuid="${maxid#UID_MAX}" '{
+if ($7=="/bin/false" || $7=="/sbin/nologin") printf "\033[1;31m%s\033[0m\n", $1;
+else if ($3=="0") printf "\033[01;34m%s\033[0m\n", $1;
+else if ($3 >= minuid && $3 <= maxuid) printf "\033[01;32m%s\033[0m\n", $1;
+else printf "\033[01;33m%s\033[0m\n", $1;
+}' /etc/passwd | column
+
+## /etc/group
+printf "[ \033[01;35mUser\033[0m, \033[01;36mGroup\033[0m ]\n" && grep "sudo\|adm\|bin\|sys\|uucp\|wheel\|nopasswdlogin\|root" /etc/group | awk -F: '{printf "\033[01;35m" $4 "\033[0m : \033[01;36m" $1 "\033[0m\n"}' | column
+printf "To delete users/groups, use \033[01;30msudo userdel -r $user\033[0m and \033[01;30msudo groupdel $user\033[0m\n"
+
+## /etc/sudoers
+log "Sudoers"
+sudo awk '!/#(.*)|^$/' /etc/sudoers
+
+## Less Fancy /etc/shadow
+log "Passwordless accounts: "
+awk -F: '($2 == "") {print}' /etc/shadow # Prints accounts without passwords
+echo;
+
+log "IP Addresses:" # Okay I stole this one from Morgan, I'll make it prettier later
+ip addr | awk '/^[0-9]+:/ { sub(/:/,"",$2); iface=$2 } /^[[:space:]]*inet / { split($2, a, "/"); print iface" : "a[1]; }'
+printf "\n"
+
+for i in ${checkfiles[@]}; do [ -s $i ] && log "\033[01;31mWARNING: $i HAS ACCESSIBLE INFORMATION\033[0m\n"; done
+
+## Find world-writeable files
+#log "List all world-writeable files?"
+#read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print; fi
+
+## Find no-owner files
+log "List all no-owner files? (This will take a while!) Y/n"
+read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then find / -xdev \( -nouser -o -nogroup \) -print; fi
+
+log "List all user files? Y/n"
+read -n 1 -r; echo; if [[ $REPLY =~ ^[Yy]$ ]]; then grep -R /home; fi
+
+log "Ports"
+sudo ss -ln
+printf "To close ports: \033[01;30msudo lsof -i :$port\033[0m, remember to kill the process with \033[01;30mkillall -9 $program\033[0m and remove.\n"
+
+log "Cronjobs:"
+sudo grep -R . /var/spool/cron/crontabs/
+for user in $(cut -f1 -d: /etc/passwd); do crontab -u $user -l; done
+
+log "Services:"
+which service && service --status-all
+which initctl && initctl list
+which systemctl && systemctl list-unit-files --type service
+which rc-status && rc-status --servicelist # Alpine
+#ls /etc/init.d/
+ls /etc/init/*.conf
+
+systemctl list-unit-files --type service | grep enabled > servicesList.txt
+
+watch -d systemctl list-timers
diff --git a/inventory.sh b/inventory.sh
new file mode 100644
index 0000000..d833926
--- /dev/null
+++ b/inventory.sh
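Review bot: The `'''` … `'''` block at the top of inv.sh is not a comment in bash — it is one single-quoted word spanning several lines that bash then tries to execute, so every run prints a "command not found" error for the banner before doing anything useful; snort-install.sh has the same construct. Replace it with `#` comments on each line, or with a quoted here-document that discards its input, `: <<'BANNER'` … `BANNER`. Further down, `grep -R /home` has no pattern argument, so GNU grep takes `/home` as the pattern and recursively searches the current directory instead of listing anything under /home; `find /home -type f` is presumably what was intended. The loop `for i in ${checkfiles[@]}; do [ -s $i ]` and `crontab -u $user -l` expand unquoted, so a path or account name containing whitespace or glob characters is split; write `"${checkfiles[@]}"`, `[ -s "$i" ]` and `"$user"`.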
@@ -0,0 +1,270 @@
+#!/bin/bash
+
+########################################################
+# https://github.com/UCI-CCDC/CCDC2020
+# script raw is at https://git.io/uciccdc20
+# to install: wget https://git.io/uciccdc20 -O inv.sh && chmod +x inv.sh
+#UCI CCDC linux script for inventory & common operations
+
+#Written by UCI CCDC linux subteam
+#UCI CCDC, 2020
+########################################################
+
+
+if [[ $EUID -ne 0 ]]; then
+ printf 'Must be run as root, exiting!\n'
+ exit 1
+fi
+
+#functions to make shit prettier
+banner () { printf "========================================================\n"; }
+
+#actual functions for actual things
+updateOS() {
+
+ ## Install & update utilities
+ if [ $(command -v apt-get) ]; then # Debian based
+ apt-get update -y -q
+ elif [ $(command -v yum) ]; then
+ yum update
+ elif [ $(command -v pacman) ]; then
+ pacman -Syy
+ pacman -Su
+ elif [ $(command -v apk) ]; then # Alpine
+ apk update
+ apk upgrade
+ fi
+
+}
+
+
+#FINISH ME PLS
+installPackages() {
+ packages="sudo nmap tmux tshark vim hostname htop clamav"
+ printf "this function will be used to install important/essential packages on barebones systems"
+ if [ $(command -v apt-get) ]; then # Debian based
+ apt-get install $packages -y -q
+
+ elif [ $(command -v yum) ]; then
+ yum -y install $packages
+ elif [ $(command -v pacman) ]; then
+ yes | pacman -S $packages
+ elif [ $(command -v apk) ]; then # Alpine
+ apk update
+ apk upgrade
+ apk add bash vim man-pages mdocml-apropos bash-doc bash-completion util-linux pciutils usbutils coreutils binutils findutils attr dialog dialog-doc grep grep-doc util-linux-doc pciutils usbutils binutils findutils readline lsof lsof-doc less less-doc nano nano-doc curl-doc
+
+ apk add $packages
+ fi
+}
+
+
+harden() {
+ printf "We are now doing system hardening\n"
+
+ read -r -p "Are you sure? 
The harden script is currently non-functional, as of March 02 [Y/n] " response
+ case "$response" in
+ [yY][eE][sS]|[yY])
+ wget https://raw.githubusercontent.com/UCI-CCDC/CCDC2020/master/harden.sh -O harden.sh && bash harden.sh
+
+ ;;
+ *)
+ exit 1;;
+ esac
+ # I know this is shit but I really don't care anymore
+ #I'm lazy af, this calls the hardening script and runs it. Hope it works
+}
+
+
+#below should both be false
+ShouldUpdate=false
+ShouldInstall=false
+
+# this fucker is the flag statement
+while getopts :huixnsr:m: option
+do
+case "${option}" in
+h)
+ printf "\n UCI CCDC 2020 Linux Inventory Script\n"
+ printf "Note: all flags other than the update functions will result in the main script not being run.\n"
+
+ printf " ==============Options==============\n"
+ printf " -h Prints this help menu\n"
+ printf " -n Runs Jacob's custom NMAP command\n"
+ printf " -m Runs custom NMAP command, but IP subnet must be passed as an argument (ex: -m 192.168.1.0)\n"
+ printf " -x Runs hardening script\n"
+ printf " -u Installs updates based on system version\n"
+ printf " -i Installs updates AND useful packages\n"
+ printf " -s Backups MYSQL databases and config files\n"
+ printf " -r Restore MYSQL database from backup tar archive (passed as argument)\n"
+
+ printf "\n\n\n"
+ exit 1;;
+u)
+ ShouldUpdate=true
+ ;;
+i)
+ ShouldUpdate=true
+ ShouldInstall=true
+ ;;
+
+x)
+ harden #calls hardening function above
+ exit 1;;
+
+n)
+ printf "Running NMAP command, text and visual xml output created in current directory"
+ nmap -p- -Anvv -T4 -oN nmapOut.txt -oX nmapOutVisual.xml $(hostname -I | awk '{print $1}')/24
+ exit 1;;
+
+m)
+ printf "Running NMAP command with user specificed subnet, text and visual xml output created in current directory"
+ nmap -p- -Anvv -T4 -oN nmapOut.txt -oX nmapOutVisual.xml $OPTARG/24
+ exit 1;;
+
+s)
+ printf "Backing up MYSQL databases and config files\n"
+
+ mkdir -p $HOME/sql-backup
+
+ read -s -p "Enter root password for mysql database " 
pass
+ for db in $(mysql -u root -p$pass -e 'show databases' --skip-column-names); do
+ mysqldump -u root -p$pass "$db" > "$HOME/sql-backup/$db.sql"
+ done
+ cp -r /etc/mysql /$HOME/sql-backup/
+ tar -czf $HOME/$HOSTNAME-sqlbackup.tgz $HOME/sql-backup
+
+ exit 1;;
+
+r)
+ printf "Restoring MYSQL database from $OPTARG \n"
+ #sql database recovery, not yet verified to work
+
+ read -s -p "Enter root pass: " pass
+ printf "\n"
+ mkdir restore-sql
+
+ tar -xzf "$OPTARG" -C restore-sql/
+ for db in $(find restore-sql/ -name *.sql); do
+ bdb=$(basename $db)
+ mysql -u root -p$pass -e "create database ${bdb%.sql};"
+ mysql -u root -p$pass ${bdb%.sql} < "$db"
+ done
+
+ exit 1;;
+
+
+#both of these are error handling. The top one handles incorrect flags, the bottom one handles when no argument is passed for a flag that requires one
+\?) echo "incorrect syntax, use -h for help"
+ exit 1;;
+
+:) echo "invalid option: -$OPTARG requires an argument"
+ exit 1;;
+esac
+done
+
+
+
+echo '
+ _________ ______
+ ___/ \ V \
+ / ^ |\ |\ \
+ /_O_/\ / / | ‾‾\ |
+ // \ |‾‾‾\_ | ‾‾
+// _\| _\|
+
+ zot zot, thots.'
+
+#generate inv directory, audit.txt, and set up variables for redirection
+printf "\n*** generating inv direcory and audit.txt in your root home directory\n"
+mkdir $HOME/inv/ >&/dev/null; #creates directory; stderr is redirected in the case that directory already exists
+outFile="$HOME/inv/audit-$(hostname).txt"
+touch outFile
+adtfile="tee -a $HOME/inv/audit-$(hostname).txt"
+
+
+
+echo -e "\n\e[92m"
+echo "Hostname: $(hostname)" | $adtfile
+echo -e "\e[0m"
+
+echo "Date: $(date)" >> $outFile
+
+osOut=$(cat /etc/os-release | grep -w "PRETTY_NAME" | cut -d "=" -f 2)
+
+printf "This machine's OS is "
+echo -e "\e[31m"
+
+echo $osOut | $adtfile
+echo -e "\e[0m"
+
+echo -e "\e[95m***IP ADDRESSES***\e[0m"
+echo "Most recent IP: $(hostname -I | awk '{print $1}')"
+echo "All IP Addresses: $(hostname -I)" | $adtfile
+
+## /etc/sudoers
+if [ -f /etc/sudoers ] ; then
+ printf "\nSudoers File:\n"
+ sudo awk '!/#(.*)|^$/' /etc/sudoers
+ echo ""
+fi
+
+
+# I stole this from jordan
+minid=$(grep "^UID_MIN" /etc/login.defs || echo 1000)n
+maxid=$(grep "^UID_MAX" /etc/login.defs || echo 60000)
+printf "========================================================\n| Users List | Key: \033[01;34mUID = 0\033[0m, \033[01;32mUser\033[0m, \033[01;33mCan Login\033[0m, \033[01;31mNo Login\033[0m |\n========================================================\n"
+awk -F':' -v minuid="${minid#UID_MIN}" -v maxuid="${maxid#UID_MAX}" '{
+if ($7=="/bin/false" || $7=="/sbin/nologin") printf "\033[1;31m%s\033[0m\n", $1;
+else if ($3=="0") printf "\033[01;34m%s\033[0m\n", $1;
+else if ($3 >= minuid && $3 <= maxuid) printf "\033[01;32m%s\033[0m\n", $1;
+else printf "\033[01;33m%s\033[0m\n", $1;
+}' /etc/passwd | column
+
+printf "\n[ \033[01;35mUser\033[0m, \033[01;36mGroup\033[0m ]\n" && grep "sudo\|adm\|bin\|sys\|uucp\|wheel\|nopasswdlogin\|root" /etc/group | awk -F: '{printf "\033[01;35m" $4 "\033[0m : \033[01;36m" $1 "\033[0m\n"}' | column
+
+# ## Less Fancy /etc/shadow
+echo -e 
"\n\e[93m***Passwordless accounts***\e[0m\n" +awk -F: '($2 == "") {print}' /etc/shadow # Prints accounts without passwords + +echo -e "\n\e[93m***USERS IN SUDO GROUP***\e[0m\n" +echo "Users in sudo group:" >> $outFile +grep -Po '^sudo.+:\K.*$' /etc/group | $adtfile + +printf "\n\e[93m***USERS IN ADMIN GROUP***\e[0m\n" +echo "Users in Admin Group:" >> $outFile +grep -Po '^admin.+:\K.*$' /etc/group | $adtfile + +printf "\n\e[93m***USERS IN WHEEL GROUP***\e[0m\n" +echo "Users in Wheel Group:" >> $outFile +grep -Po '^wheel.+:\K.*$' /etc/group | $adtfile + +printf "\n\e[35mCrontabs\e[0m\n" +sudo grep -R . /var/spool/cron/crontabs/ +for user in $(cut -f1 -d: /etc/passwd); do crontab -u "$user" -l 2> >(grep -v 'no crontab for'); done + +#saves services to variable, prints them out to terminal in blue +printf '\n***services you should cry about***\n' +services=$(ps aux | grep -i 'docker\|samba\|postfix\|dovecot\|smtp\|psql\|ssh\|clamav\|mysql\|bind9\|apache\|smbfs\|samba\|openvpn\|splunk' | grep -v "grep") +echo -e "\e[34m" +echo "Services on this machine:" >> $outFile +echo $services | $adtfile +echo -e "\e[0m" #formatting so audit file is less fucked with the color markers + +banner >> $outFile +printf "\n\n" >> $outFile + + +#these if statements make sure that updates are executed at the end of the script running, instead of the beginning +if [ "$ShouldUpdate" = "true" ]; then + updateOS +fi + +if [ "$ShouldInstall" = "true" ]; then + installPackages +fi + + + +# this string prints the current system time and date "\033[01;30m$(date)\033[0m: %s\n" diff --git a/makeforwarder.sh b/makeforwarder.sh new file mode 100644 index 0000000..74de1dc --- /dev/null +++ b/makeforwarder.sh 
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+if [[ $EUID -ne 0 ]]; then
+ printf 'Must be run as root, exiting!\n'
+ exit 1
+fi
+
+if [[ $# -lt 1 ]]; then
+ printf 'Must specify a forward-server! (This is the server Splunk-enterprise is on)\nex: sudo ./makeforwarder.sh 192.168.0.5'
+ exit 1
+fi
+
+# Install Splunk
+wget -O splunkforwarder-8.0.2-a7f645ddaf91-Linux-x86_64.tgz 'https://www.splunk.com/bin/splunk/DownloadActivityServlet?architecture=x86_64&platform=linux&version=8.0.2&product=universalforwarder&filename=splunkforwarder-8.0.2-a7f645ddaf91-Linux-x86_64.tgz&wget=true'
+tar -xzvf splunkforwarder-8.0.2-a7f645ddaf91-Linux-x86_64.tgz -C /opt
+cd /opt/splunkforwarder/bin
+./splunk start --accept-license # User will have to input creds here
+
+./splunk add forward-server "$1":9997 # User will have to input the same creds here
+./splunk set deploy-poll "$1":8089 # User will have to input the same creds here
+
+# Recommended Splunk Configs
+if [ -f /var/log/syslog ]; then
+ ./splunk add monitor /var/log/syslog
+fi
+if [ -f /var/log/messages ]; then
+ ./splunk add monitor /var/log/messages
+fi
+if [ -d /var/log/apache ]; then
+ ./splunk add monitor /var/log/apache/access.log
+ ./splunk add monitor /var/log/apache/error.log
+fi
+
+# Add Splunk user
+useradd -d /opt/splunkforwarder splunk
+groupadd splunk
+usermod -a -G splunk splunk
+
+# Set Splunk to start as Splunk user
+./splunk enable boot-start -user splunk
+#which systemd && ./splunk enable boot-start -systemd-managed 1 -user splunk
+chown -R splunk /opt/splunkforwarder
+
+sed -i 's/"$SPLUNK_HOME\/bin\/splunk" start --no-prompt --answer-yes/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" start --no-prompt --answer-yes'\''/g' /etc/init.d/splunk
+sed -i 's/"$SPLUNK_HOME\/bin\/splunk" stop/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" stop'\''/g' /etc/init.d/splunk
+sed -i 's/"$SPLUNK_HOME\/bin\/splunk" restart/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" restart'\''/g' /etc/init.d/splunk
+sed -i 
's/"$SPLUNK_HOME\/bin\/splunk" status/su - splunk -c '\''"$SPLUNK_HOME\/bin\/splunk" status'\''/g' /etc/init.d/splunk
+
+su - splunk -c '/opt/splunkforwarder/bin/splunk restart'
\ No newline at end of file
diff --git a/snort-install.sh b/snort-install.sh
new file mode 100644
index 0000000..77479d9
--- /dev/null
+++ b/snort-install.sh
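Review bot: No step in this script checks that the previous one succeeded — there is no `set -e`, and `wget` is followed directly by `tar -xzvf … -C /opt` and `cd /opt/splunkforwarder/bin`, so a failed or partial download (which is also never compared against Splunk's published checksum) leaves an empty or truncated tarball, the `cd` fails, and every following `./splunk …` runs against whatever the current directory happens to be. Add `set -euo pipefail` after the shebang and make the directory change explicit, `cd /opt/splunkforwarder/bin || exit 1`; verifying the archive's digest before extracting would close the integrity gap as well. `useradd -d /opt/splunkforwarder splunk` runs before `groupadd splunk`, so on distributions where useradd creates a per-user group the `groupadd` fails with "already exists" (harmless, but it hides real errors in the output), and `chown -R splunk /opt/splunkforwarder` changes only the owner — `chown -R splunk:splunk` is the likely intent given the group created just above. Note also that `./splunk start --accept-license` runs as root before the service user exists, so the first-run state is root-owned until the final chown.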
@@ -0,0 +1,129 @@
+#!/bin/bash
+
+#written by jaerdon
+if [[ $EUID -ne 0 ]]; then
+ printf 'Must be run as root, exiting!'
+ exit 1
+fi
+
+'''
+UCI CCDC Snort Installation
+ _________ ______
+ ___/ \ V \
+ / ^ |\ |\ \
+ /_O_/\ / / | ‾‾‾\ |
+ // \ |‾‾‾\_ | ‾‾
+// _\| _\|
+
+ zot zot, thots.
+'''
+echo "Warning: This takes a long time to install!"
+echo "Run this in the background, otherwise you are wasting time."
+
+install () {
+ cd ~/snort_src/$1
+ ./configure
+ make
+ make install
+}
+
+mkdir ~/snort_src && cd ~/snort_src
+
+if [ $(which yum) ]; then
+ yum update -y
+ yum install epel-release -y
+ yum install https://www.snort.org/downloads/snort/snort-2.9.14.1-1.centos7.x86_64.rpm
+ exit 0
+elif [ $(which apt-get) ]; then
+ apt-get update && apt-get upgrade -y
+ apt-get install -y libtool git autoconf build-essential autotools-dev libdumbnet-dev libluajit-5.1-dev libpcap-dev zlib1g-dev pkg-config libhwloc-dev cmake bison flex
+elif [ $(which dnf) ]; then
+ dnf upgrade
+ dnf install flex bison gcc gcc-c++ make cmake autoconf libtool libpcap-devel pcre-devel libdnet-devel hwloc-devel openssl-devel zlib-devel luajit-devel pkgconfig libnfnetlink-devel libnetfilter_queue-devel libmnl-devel
+fi
+
+wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz \
+ http://www.colm.net/files/ragel/ragel-6.10.tar.gz \
+ https://github.com/gperftools/gperftools/releases/download/gperftools-2.7/gperftools-2.7.tar.gz \
+ https://dl.bintray.com/boostorg/release/1.71.0/source/boost_1_71_0.tar.gz \
+ https://github.com/intel/hyperscan/archive/v5.2.0.tar.gz \
+ https://www.snort.org/downloads/community/snort3-community-rules.tar.gz
+
+for file in *.tar.gz; do tar -xzf "$file"; done
+
+install gperftools-2.7
+install pcre-8.43
+install ragel-6.10
+
+mkdir ~/snort_src/hyperscan-5.2.0-build
+cd hyperscan-5.2.0-build/
+cmake -DCMAKE_INSTALL_PREFIX=/usr/local -DBOOST_ROOT=~/snort_src/boost_1_71_0/ ../hyperscan-5.2.0
+make
+make install
+
+cd ~/snort_src
+git clone 
https://github.com/snort3/libdaq.git && cd libdaq
+./bootstrap
+install libdaq
+
+ldconfig
+
+cd ~/snort_src
+git clone git://github.com/snortadmin/snort3.git
+cd snort3
+./configure_cmake.sh --prefix=/usr/local --enable-tcmalloc
+cd build
+make
+make install
+
+/usr/local/bin/snort -V # Snort should now be installed
+
+# Configure env vars
+export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;
+export SNORT_LUA_PATH=/usr/local/etc/snort
+
+sh -c "echo 'export LUA_PATH=/usr/local/include/snort/lua/\?.lua\;\;' >> ~/.bashrc"
+sh -c "echo 'export SNORT_LUA_PATH=/usr/local/etc/snort' >> ~/.bashrc"
+
+echo 'Defaults env_keep += "LUA_PATH SNORT_LUA_PATH"' > /etc/sudoers.d/snort-lua
+
+
+# Configure network cards
+printf('Enter interface name: ')
+read iface
+echo
+
+cat > /lib/systemd/system/ethtool.service << EOF
+[Unit]
+Description=Ethtool Configration for Network Interface
+
+[Service]
+Requires=network.target
+Type=oneshot
+ExecStart=/sbin/ethtool -K $(iface) gro off
+ExecStart=/sbin/ethtool -K ens3 lro off
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctlenableethtool
+service ethtool start
+
+# Install Community Rules
+cd ~/snort_src/snort3-community-rules
+
+mkdir /usr/local/etc/snort/rules \
+ /usr/local/etc/snort/builtin_rules \
+ /usr/local/etc/snort/so_rules \
+ /usr/local/etc/snort/lists
+cp snort3-community.rules /usr/local/etc/snort/rules/
+cp sid-msg.map /usr/local/etc/snort/rules/
+
+# Enable Built-in Rules
+#sed '172s/\-\-//'
+ # TODO
+
+# Run Snort
+snort -c /usr/local/etc/snort/snort.lua \
+ -R /usr/local/etc/snort/rules/snort3-community.rules
\ No newline at end of file
diff --git a/splunk-ent-install.sh b/splunk-ent-install.sh
new file mode 100644
index 0000000..5e23ee7
--- /dev/null
+++ b/splunk-ent-install.sh
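Review bot: `printf('Enter interface name: ')` is not valid bash — the parenthesis after `printf` is a syntax error, and since bash parses as it executes, the script runs the whole build chain above it and only then aborts at this line, so the interface and rules setup below never happens. The unit file written just after it also substitutes `$(iface)` (a command substitution of a non-existent `iface` command rather than the variable) and hardcodes `ens3` in the second `ExecStart`, and `systemctlenableethtool` is missing its spaces; the corrected lines are below. As in inv.sh, the `'''` banner near the top is executed as a command rather than ignored as a comment. `git clone git://github.com/snortadmin/snort3.git` fetches code that is then built and installed as root over the unauthenticated `git://` transport, where `https://` would give TLS verification of the origin, and `install ()` shadows the coreutils `install` binary and does not stop on a failed `cd` — `cd ~/snort_src/$1 || return 1` — so a typo in a package name runs `./configure; make; make install` in ~/snort_src instead.
```shell
printf 'Enter interface name: '
read -r iface
echo
# … unchanged: cat > /lib/systemd/system/ethtool.service heredoc, [Unit] section …
ExecStart=/sbin/ethtool -K ${iface} gro off
ExecStart=/sbin/ethtool -K ${iface} lro off
# … unchanged: [Install] section, EOF …
systemctl enable ethtool
service ethtool start
```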
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+### RUN BELOW SCRIPT TO DOWNLOAD
+### wget -O splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz 'https://splk.it/2TNfwRD'
+###
+groupadd splunk
+useradd -d /opt/splunk -m -g splunk splunk
+tar -xvf splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz
+cp -rp splunk/* /opt/splunk/
+chown -R splunk: /opt/splunk
+echo "set up splunk user and group"
+echo "see part 3 of splunk in playbook"
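Review bot: `tar -xvf splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz` assumes the archive is already in the current directory (the download is only a comment in the header), and with no `set -e` a missing or truncated archive makes `tar` and `cp -rp splunk/* /opt/splunk/` fail while `chown` and the two success messages still run, leaving an empty /opt/splunk that looks installed. Guard it up front with `set -euo pipefail` and `[[ -f splunk-8.0.2-a7f645ddaf91-Linux-x86_64.tgz ]] || { printf 'archive missing\n' >&2; exit 1; }`. The suggested download goes through a URL shortener (`https://splk.it/2TNfwRD`), which hides the real origin from anyone auditing the script; record the full download URL and the publisher's checksum for the archive in the header and verify the file against it before extracting. Extracting with `tar -xvf … -C /opt` would also drop the intermediate copy, since `useradd -m -d /opt/splunk` already creates the target directory.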