-
Notifications
You must be signed in to change notification settings - Fork 3
/
boot.sh
613 lines (513 loc) · 24.2 KB
/
boot.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
#!/bin/bash
# var - start
# Colored text
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
OFF='\033[0m'
WHOAMI=`id -u`
LOGDIR='/home/hunter/pihunter-install.log'
EPASSWD='pihunter'
# var - stop
# def func - start
# func for printing start of new task in a specific color
# func to add start of task to log
logStart() {
echo "[`date`] $1 - Started Install/Configuration" >> $LOGDIR
}
# func to check for errors on tasks and output information to log file
logEnd() {
if [ $? = 0 ];
then
echo "[`date`] $1 - completed successfully" >> $LOGDIR
else
echo "[`date`] $1 - FAILED to complete" >> $LOGDIR
return 1
fi
}
# ascii art
asciiArt() {
echo ' ___ ___ ___ ___ ___ ___ ___ '
echo ' /\ \ ___ /\__\ /\__\ /\__\ /\ \ /\ \ /\ \ '
echo ' /::\ \ /\ \ /:/ / /:/ / /::| | \:\ \ /::\ \ /::\ \ '
echo ' /:/\:\ \ \:\ \ /:/__/ /:/ / /:|:| | \:\ \ /:/\:\ \ /:/\:\ \ '
echo ' /::\~\:\ \ /::\__\ /::\ \ ___ /:/ / ___ /:/|:| |__ /::\ \ /::\~\:\ \ /::\~\:\ \ '
echo ' /:/\:\ \:\__\ __/:/\/__/ /:/\:\ /\__\ /:/__/ /\__\ /:/ |:| /\__\ /:/\:\__\ /:/\:\ \:\__\ /:/\:\ \:\__\'
echo ' \/__\:\/:/ / /\/:/ / \/__\:\/:/ / \:\ \ /:/ / \/__|:|/:/ / /:/ \/__/ \:\~\:\ \/__/ \/_|::\/:/ /'
echo ' \::/ / \::/__/ \::/ / \:\ /:/ / |:/:/ / /:/ / \:\ \:\__\ |:|::/ / '
echo ' \/__/ \:\__\ /:/ / \:\/:/ / |::/ / \/__/ \:\ \/__/ |:|\/__/ '
echo ' \/__/ /:/ / \::/ / /:/ / \:\__\ |:| | '
echo ' \/__/ \/__/ \/__/ \/__/ \|__| '
}
# def func - end
# script - start
echo -e "\n\n\n"
asciiArt
echo -e "\n\n\n"
sleep 2
if [ $WHOAMI -gt 0 ]; then
echo -e "${RED}You must use sudo to run this script.${OFF}"
echo "sudo $0"
exit 1
fi
echo -e "Do you want to use the deafult password?"
read -p "[y/n]: " ANS
case $ANS in
y | Y | yes | YES | Yes)
echo "Selected default password: $EPASSWD"
;;
n | N | no | NO | No)
read -p "Enter new password: " EPASSWD
echo -e "New password is: $EPASSWD"
;;
*)
echo -e "Incorrect selection. Exiting boot script."
exit 1
;;
esac
# creat user hunter
useradd -m hunter
if [ $? = 0 ];
then
echo "New user - hunter - created"
echo "[`date`] piHunter install log - Started" > $LOGDIR
else
echo "Failed to create user"
exit 1
fi
echo -e "$EPASSWD\n$EPASSWD\n" | passwd hunter
usermod -aG adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi hunter
sleep 2
# add ascii Art to hunter login
echo -e "\n" >> /home/hunter/.profile
echo "# ascii Art piHunter on login" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo "echo ' ___ ___ ___ ___ ___ ___ ___ '" >> /home/hunter/.profile
echo "echo ' /\ \ ___ /\__\ /\__\ /\__\ /\ \ /\ \ /\ \ '" >> /home/hunter/.profile
echo "echo ' /::\ \ /\ \ /:/ / /:/ / /::| | \:\ \ /::\ \ /::\ \ '" >> /home/hunter/.profile
echo "echo ' /:/\:\ \ \:\ \ /:/__/ /:/ / /:|:| | \:\ \ /:/\:\ \ /:/\:\ \ '" >> /home/hunter/.profile
echo "echo ' /::\~\:\ \ /::\__\ /::\ \ ___ /:/ / ___ /:/|:| |__ /::\ \ /::\~\:\ \ /::\~\:\ \ '" >> /home/hunter/.profile
echo "echo ' /:/\:\ \:\__\ __/:/\/__/ /:/\:\ /\__\ /:/__/ /\__\ /:/ |:| /\__\ /:/\:\__\ /:/\:\ \:\__\ /:/\:\ \:\__\'" >> /home/hunter/.profile
echo "echo ' \/__\:\/:/ / /\/:/ / \/__\:\/:/ / \:\ \ /:/ / \/__|:|/:/ / /:/ \/__/ \:\~\:\ \/__/ \/_|::\/:/ /'" >> /home/hunter/.profile
echo "echo ' \::/ / \::/__/ \::/ / \:\ /:/ / |:/:/ / /:/ / \:\ \:\__\ |:|::/ / '" >> /home/hunter/.profile
echo "echo ' \/__/ \:\__\ /:/ / \:\/:/ / |::/ / \/__/ \:\ \/__/ |:|\/__/ '" >> /home/hunter/.profile
echo "echo ' \/__/ /:/ / \::/ / /:/ / \:\__\ |:| | '" >> /home/hunter/.profile
echo "echo ' \/__/ \/__/ \/__/ \/__/ \|__| '" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo "echo ''" >> /home/hunter/.profile
echo -e "\n" >> /home/hunter/.profile
# add conditional to delete user pi
echo "# conditional to delete user pi after piHunter install" >> /home/hunter/.profile
echo 'if [[ -n `cat /etc/passwd | grep pi` ]]' >> /home/hunter/.profile
echo 'then' >> /home/hunter/.profile
echo ' sudo userdel -r pi' >> /home/hunter/.profile
echo 'else' >> /home/hunter/.profile
echo ' echo "user pi already deleted" > /dev/null' >> /home/hunter/.profile
echo 'fi' >> /home/hunter/.profile
# set variable for external storage setup
echo -e "Review the list of all storage connected to your RaspberryPi\n"
lsblk
read -p 'Enter the external storage device name from the above list (i.e. if there is sda and sda1, enter sda): ' XS
# change into new user home dir for rest of script
cd /home/hunter
logEnd "Changed into hunter's home dir"
echo "# Generated by piHunter" > pihunter.passwd
echo "" >> pihunter.passwd
echo "RaspberryPi -> hunter:$EPASSWD" >> pihunter.passwd
echo "Elastic Stack -> elastic:$EPASSWD" >> pihunter.passwd
echo "Arkime -> hunter:$EPASSWD" >> pihunter.passwd
echo "" >> pihunter.passwd
echo " END OF FILE " >> pihunter.passwd
# assign static IP
logStart "Assigning Static IP"
read -p 'Enter the hostname for this RaspberryPi: ' HNAME
read -p 'Enter an static IP address: ' HIP
read -p 'Enter a DNS server address: ' HDNS
read -p 'Enter the router IP: ' ROUTERIP
echo "[!] Select an interface from the following list:"
ifconfig | grep -E 'eth[0-9]' | cut -d : -f 1
sleep 1
read -p 'Select a management interface from list above [ if using a USB ethernet adaptor, this is the recommended interface ]: ' INTERFACE
read -p 'Select a monitor interface from list above [ built in ethernet interface is recommended ]: ' MONINTERFACE
echo ""
# update pi / install required packages
logStart "Begin updates and package dependencies installation"
apt update -y
apt install htop gdisk whois dnsutils tmux vim git tcpdump net-tools scapy nmap tshark foremost yara libunwind8 network-manager -y && sudo apt upgrade -y
# add prads ^^ ?
logEnd "Updates and package dependencies installation"
echo "##########################################################################"
echo "#### install Docker ####"
echo "##########################################################################"
logStart "Docker"
# get install script
curl -fsSL https://get.docker.com -o get-docker.sh
# install
sh get-docker.sh
logEnd "Docker"
logStart "Docker configure/test"
# add hunter to docker group to run commands without sudo
usermod -aG docker hunter
# test docker
docker run --name hello-world hello-world
sleep 5
docker stop hello-world
docker container rm hello-world
rm -rf /home/hunter/get-docker.sh
logEnd "Docker configure/test"
echo "##########################################################################"
echo "#### configure System ####"
echo "##########################################################################"
# Disable auto-run daemons from recent installs
#systemctl stop prads
#systemctl disable prads
# Optimize RaspberryPiOS
logStart "Begin system optimization"
# Disable HW at boot
echo "" >> /boot/config.txt
echo "# Disable WiFi" >> /boot/config.txt
echo "dtoverlay=disable-wifi" >> /boot/config.txt
echo "# Disable Bluetooth" >> /boot/config.txt
echo "dtoverlay=disable-bt" >> /boot/config.txt
echo "# Disable HDMI" >> /boot/config.txt
echo "hdmi_blanking=2" >> /boot/config.txt
# Disable Audio
echo "blacklist snd_bcm2835" > /etc/modprobe.d/alsa-blacklist.conf
systemctl stop alsa-state.service
systemctl stop alsa-restore.service
systemctl disable alsa-restore.service
systemctl disable alsa-state.service
systemctl mask alsa-state.service
systemctl mask alsa-restore.service
# Disable Bluetooth
systemctl stop bluetooth.service
systemctl disable bluetooth.service
systemctl mask bluetooth.service
systemctl stop bluetooth.target
systemctl disable bluetooth.target
systemctl mask bluetooth.target
# Disable wpasupplicant
systemctl stop wpa_supplicant
systemctl disable wpa_supplicant
#systemctl mask wpa_supplicant
# Disable Randmon number generator process
systemctl disable rng-tools.service
systemctl stop rng-tools.service
logStart "System configuration"
# Set Hostname
hostnamectl set-hostname $HNAME
echo "127.0.0.1 localhost" > /etc/hosts
echo "::1 localhost ip6-localhost ip6-loopback" >> /etc/hosts
echo "ff02::1 ip6-allnodes" >> /etc/hosts
echo "ff02::02 ip6-allrouters" >> /etc/hosts
echo "" >> /etc/hosts
echo "127.0.0.1 $HNAME" >> /etc/hosts
echo "127.0.1.1 $HNAME" >> /etc/hosts
# Set Static IP,Router,DNS // Disable ipv6
logStart "Network specs"
# sudo vi /etc/resolv.conf
echo "# Generated by piHunter" > /etc/resolv.conf
echo "domain home" >> /etc/resolve.conf
echo "nameserver $HDNS" >> /etc/resolv.conf
# set static IPs
echo "interface $INTERFACE" >> /etc/dhcpcd.conf
echo "static ip_address=$HIP/24" >> /etc/dhcpcd.conf
echo "static routers=$ROUTERIP" >> /etc/dhcpcd.conf
echo "static domain_name_servers=$HDNS" >> /etc/dhcpcd.conf
# setup monitor interface
echo -e "\n" >> /etc/dhcpcd.conf
echo "# setup monitor interface" >> /etc/dhcpcd.conf
echo "denyinterfaces eth0" >> /etc/dhcpcd.conf
echo -e "\n" >> /etc/network/interfaces
echo "# setup monitor interface" >> /etc/network/interfaces
echo "auto $MONINTERFACE" >> /etc/network/interfaces
echo "iface $MONINTERFACE inet manual" >> /etc/network/interfaces
echo " up ifconfig $MONINTERFACE 0.0.0.0 up" >> /etc/network/interfaces
echo " up ip link set $MONINTERFACE promisc on" >> /etc/network/interfaces
echo " down ip link set $MONINTERFACE promisc off" >> /etc/network/interfaces
echo " down ip link set $MONINTERFACE down" >> /etc/network/interfaces
# disable ipv6
echo "net.ipv6.conf.$INTERFACE.disable_ipv6 = 1" >> /etc/sysctl.conf
echo "net.ipv6.conf.$MONINTERFACE.disable_ipv6 = 1" >> /etc/sysctl.conf
# edit network/interfaces file
echo "" >> /etc/network/interfaces
echo "auto $INTERFACE" >> /etc/network/interfaces
echo "iface $INTERFACE inet manual" >> /etc/network/interfaces
echo " address $HIP/24" >> /etc/network/interfaces
echo " gateway $ROUTERIP" >> /etc/network/interfaces
# disable WiFi
echo "nohook wpa_supplicant" >> /etc/dhcpcd.conf
# change swappiness value
echo "vm.swappiness = 10" >> /etc/sysctl.conf
# adjust additional config for elastic stack
echo "vm.max_map_count = 262144" >> /etc/sysctl.conf
# reload sysctl configs
sysctl -p
# make adjustments for elastic stack
echo "hunter - nofile 65536" >> /etc/security/limits.conf
# external storage setup
logStart "Mount point directory and External Storage setup"
# delete any existing partition, then format the disk
echo -e "d\n1\d\nd\nn\n\r\n\r\n\r\n8300\nw\nY" | sudo gdisk /dev/$XS
# create label for partition
echo -e "y" | sudo mkfs.ext4 -L piHunter-xs /dev/${XS}1
# grab UUID
XSUUID=$(blkid | grep ${XS}1 | awk '{print $3}')
# add to fstab for persistence on reboot
echo "$XSUUID /hunt-xs ext4 defaults,nofail 0 0" >> /etc/fstab
# make dir for mount point
mkdir /hunt-xs
# mount external storage
mount -a
logEnd "Mount point directory and External Storage setup"
# Download and extract PowerShell
logStart "PowerShell"
# Grab the latest tar.gz
wget https://github.com/PowerShell/PowerShell/releases/download/v7.1.3/powershell-7.1.3-linux-arm64.tar.gz
# Make folder to put powershell
mkdir /usr/bin/powershell
# Unpack the tar.gz file
tar -xzvf ./powershell-7.1.3-linux-arm64.tar.gz -C /usr/bin/powershell
logEnd "PowerShell"
# remove pwsh install file
rm -rf powershell-7.1.3-linux-arm64.tar.gz
echo "##########################################################################"
echo "#### install Zeek/Bro ####"
echo "##########################################################################"
logStart "Zeek"
apt install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3-dev swig zlib1g-dev libmaxminddb-dev postfix curl git -y
mkdir -p /hunt-xs/zeek
chown hunter:hunter -R /hunt-xs/zeek
git clone --recursive https://github.com/zeek/zeek
cd zeek
echo "This next part is going to take 2+ hours. Get comfortable..."
sudo ./configure --prefix=/hunt-xs/zeek && sudo make && sudo make install
logEnd "Zeek build from source"
echo "PATH=/hunt-xs/zeek/bin:/usr/local/go/bin:/usr/bin/powershell:$PATH" >> /home/hunter/.profile
echo "PATH=/hunt-xs/zeek/bin:/usr/local/go/bin:/usr/bin/powershell:$PATH" >> /root/.profile
echo "alias zeekctl='/hunt-xs/zeek/bin/zeekctl'" >> /root/.bashrc
source /home/hunter/.profile
source /root/.profile
echo "$ROUTERIP/24 Home Network" > /hunt-xs/zeek/etc/networks.cfg
chown hunter:hunter -R /hunt-xs/zeek
# configure Zeek to output JSON
echo "@load policy/tuning/json-logs.zeek" >> /hunt-xs/zeek/share/zeek/site/local.zeek
# start zeek
/hunt-xs/zeek/bin/zeekctl install
/hunt-xs/zeek/bin/zeekctl cron enable
echo ""
echo ""
cd ..
rm -rf zeek
# create cronjob
#echo "@reboot sleep 15 && /hunt-xs/zeek/bin/zeekctl start" >> /var/spool/cron/crontabs/root
echo "*/5 * * * * /hunt-xs/zeek/bin/zeekctl cron" >> /var/spool/cron/crontabs/root
logEnd "Zeek install"
echo "##########################################################################"
echo "#### install Suricata ####"
echo "##########################################################################"
logStart "Suricata"
apt install -y python3-pip libnss3-dev liblz4-dev libnspr4-dev libcap-ng-dev git libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev make libmagic-dev libjansson-dev rustc cargo python3-yaml liblua5.1-dev
mkdir /hunt-xs/suricata
wget https://www.openinfosecfoundation.org/download/suricata-6.0.2.tar.gz
tar -xzvf suricata-6.0.2.tar.gz
rm -rf suricata-6.0.2.tar.gz
cd suricata-6.0.2/
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/hunt-xs/suricata --enable-nfqueue --enable-lua
#make && sudo make install
make && make install
logEnd "Suricata build from source"
cd suricata-update/
python setup.py build
python setup.py install
cd ..
make install-full
logEnd "Suricata setup"
cd ..
rm -rf suricata-6.0.2
# set HOME_NET var
cp /home/pi/piHunter/suricata.yml.original /etc/suricata/suricata.yml
# change ring buffer size
echo "Edit /etc/suricata/suricata.yaml file # Avoid Packet Loss"
echo "Increase the Ring Buffer Size to 30000"
sed -i "s/#ring-size: 2048/ring-size: 30000/" /etc/suricata/suricata.yaml
# Update Suricata Rules
suricata-update
chown hunter:hunter -R /hunt-xs/suricata
# create service systemd unit file
touch /etc/systemd/system/suricata.service
echo "[Unit]" >> /etc/systemd/system/suricata.service
echo "Description=Suricata Intrusion Detection Service" >> /etc/systemd/system/suricata.service
echo "After=network.target syslog.target" >> /etc/systemd/system/suricata.service
echo "" >> /etc/systemd/system/suricata.service
echo "[Service]" >> /etc/systemd/system/suricata.service
echo "ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -S /hunt-xs/suricata/lib/suricata/rules/suricata.rules" >> /etc/systemd/system/suricata.service
echo "ExecReload=/bin/kill -HUP $MAINPID" >> /etc/systemd/system/suricata.service
echo "ExecStop=/bin/kill $MAINPID" >> /etc/systemd/system/suricata.service
echo "" >> /etc/systemd/system/suricata.service
echo "[Install]" >> /etc/systemd/system/suricata.service
echo "WantedBy=multi-user.target" >> /etc/systemd/system/suricata.service
# Logrotate
echo "/var/log/suricata/*.log /var/log/suricata/*.json" >> /etc/logrotate.d/suricata
echo "{" >> /etc/logrotate.d/suricata
echo " daily" >> /etc/logrotate.d/suricata
echo " maxsize 10G" >> /etc/logrotate.d/suricata
echo " rotate 10" >> /etc/logrotate.d/suricata
echo " missingok" >> /etc/logrotate.d/suricata
echo " nocompress" >> /etc/logrotate.d/suricata
echo " create" >> /etc/logrotate.d/suricata
echo " sharedscripts" >> /etc/logrotate.d/suricata
echo " postrotate" >> /etc/logrotate.d/suricata
echo " systemctl restart suricata.service" >> /etc/logrotate.d/suricata
echo " endscript" >> /etc/logrotate.d/suricata
echo "}" >> /etc/logrotate.d/suricata
# setup cron job update
echo "37 1 * * * sudo suricata-update –disable-conf=/etc/suricata/disable.conf && sudo systemctl restart suricata.service" >> /var/spool/cron/crontabs/hunter
ldconfig /lib
logEnd "Suricata install"
echo "##########################################################################"
echo "#### install Elastic Stack ####"
echo "##########################################################################"
logStart "Elastic Stack"
#sysctl -w vm.max_map_count=600000
#if [[ `cat /proc/sys/vm/max_map_count` = 600000 ]]
#then
# echo "Successfully changed vm.max_map_count"
#else
# echo "Failed to change vm.max_map_count"
#fi
# get elastic stack docker images
docker pull docker.elastic.co/elasticsearch/elasticsearch:7.13.1-arm64
docker pull docker.elastic.co/kibana/kibana:7.13.1-arm64
# setup docker network
docker network create huntnet
# create mount point for storgae
mkdir -p /hunt-xs/elastic/es-logs
mkdir -p /hunt-xs/elastic/es-data
mkdir -p /hunt-xs/elastic/kb-logs
mkdir -p /hunt-xs/elastic/kb-data
chown hunter:hunter -R /hunt-xs/elastic
chmod 777 -R /hunt-xs/elastic
docker run -d --name elasticsearch --net huntnet -p 9200:9200 -p 9300:9300 -v /hunt-xs/elastic/es-data:/usr/share/elasticsearch/data -v /hunt-xs/elastic/es-logs:/usr/share/elasticsearch/logs -e "discovery.type=single-node" -e "xpack.security.enabled=true" -e "ES_JAVA_OPTS=-Xms2g -Xmx2g" -e ELASTIC_PASSWORD=$EPASSWD -e "cluster.name=piHunter" -e "node.name=piHunter.es" docker.elastic.co/elasticsearch/elasticsearch:7.13.1-arm64
# docker run -d --name elasticsearch --net huntnet -p 9200:9200 -p 9300:9300 -v /hunt-xs/elastic/es-data:/usr/share/elasticsearch/data -v /hunt-xs/elastic/es-logs:/usr/share/elasticsearch/logs -e "discovery.type=single-node" -e "xpack.security.enabled=true" -e ELASTIC_PASSWORD=$EPASSWD -e "cluster.name=piHunter" -e "node.name=piHunter.es" docker.elastic.co/elasticsearch/elasticsearch:7.13.1-arm64
# sleep to allow elasticsearch container to spin up
sleep 120
docker run -d --name kibana --net huntnet -p 5601:5601 -v /hunt-xs/elastic/kb-data:/usr/share/kibana/data -v /hunt-xs/elastic/kb-logs:/var/log -e "ELASTICSEARCH_HOSTS=http://elasticsearch:9200" -e "ELASTICSEARCH_URL=http://elasticsearch:9200" -e "xpack.security.enabled=true" -e "ELASTICSEARCH_USERNAME=elastic" -e "ELASTICSEARCH_PASSWORD=$EPASSWD" -e "node.name=piHunter.kb" docker.elastic.co/kibana/kibana:7.13.1-arm64
# sleep to allow kibana container to spin up
sleep 90
docker stop kibana
docker stop elasticsearch
logEnd "Elastic Stack"
echo "##########################################################################"
echo "#### install Arkime ####"
echo "##########################################################################"
logStart "Arkime"
sudo apt install git python3-pip re2c cmake openjdk-11-jre -y
git clone https://github.com/arkime/arkime
cd arkime
./easybutton-build.sh --install
echo -e "$MONINTERFACE\nno\nhttp://localhost:9200\npihunter\nyes" | make config
logEnd "Arkime build from source"
mkdir -p /hunt-xs/arkime/raw
# create Arkime dir and change permissions
chown hunter:hunter -R /hunt-xs/arkime/
chmod 777 -R /hunt-xs/arkime
# copy custom config file
cp /home/pi/piHunter/config.ini.original /opt/arkime/etc/config.ini
# initiate Arkime
docker start elasticsearch
sleep 120
cd db
./db.pl http://elastic:pihunter@localhost:9200 init
# create default admin user
/opt/arkime/bin/arkime_add_user.sh hunter "Admin User" $EPASSWD --admin
# Setup IP Geo Location service
## instructions @ https://arkime.com/faq#maxmind
sudo apt install geoipupdate -y
cp /etc/GeoIP.conf /etc/GeoIP.conf.original
mv /home/pi/piHunter/GeoIP.conf /etc/GeoIP.conf
geoipupdate
# remove Git repo for Arkime
cd /home/hunter
rm -rf arkime
logEnd "Arkime"
echo "##########################################################################"
echo "#### install Filebeat ####"
echo "##########################################################################"
logStart "Filebeat"
wget https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.13.1-arm64.deb
apt install ./filebeat-7.13.1-arm64.deb
rm -rf filebeat-7.13.1-arm64.deb
logEnd "Filebeat"
logStart "Filebeat config and data ingestion"
cp /home/pi/piHunter/filebeat.yml.original /etc/filebeat/filebeat.yml
# Zeek filebeat setup
filebeat modules enable zeek
cp /home/pi/piHunter/zeek.yml /etc/filebeat/modules.d/zeek.yml
# Suricata filebeat setup
filebeat modules enable suricata
cp /home/pi/piHunter/suricata.filebeat.yml /etc/filebeat/modules.d/suricata.yml
# Finish Filebeat Setup
filebeat setup
sleep 30
logEnd "Filebeat config and data ingestion"
echo "##########################################################################"
echo "#### install RITA ####"
echo "##########################################################################"
logStart "RITA install"
mkdir /hunt-xs/rita
chown -R hunter:hunter /hunt-xs/rita/
docker pull mongo:4.0.27-rc0
docker pull nginx
docker run -d --name mongodb --network huntnet -p 27017:27017 -v /hunt-xs/rita:/data/db mongo:4.2-rc
mkdir /home/hunter/rita-html-report
echo '<b>Hello, this is the default page installed by piHunter. After you have rita data in your MongoDB, use run-rita-run -r to generate an HTML report.</b>' > /home/hunter/rita-html-report/index.html
docker run -d --name rita-web -p 8080:80 -v /home/hunter/rita-html-report:/usr/share/nginx/html nginx
# install Go Language
wget https://golang.org/dl/go1.14.linux-arm64.tar.gz
sudo tar -C /usr/local -xvzf go1.14.linux-arm64.tar.gz
rm -rf /home/hunter/go1.14.linux-arm64.tar.gz
# added /usr/local/go/bin to $PATH for both hunter and ROOT during Zeek install
# clone RITA repo
git clone https://github.com/activecm/rita.git
cd rita
make && make install
# create config directory
mkdir /etc/rita && chmod 755 /etc/rita
mkdir -p /var/lib/rita/logs && chmod -R 755 /var/lib/rita
# copy RITA config file into /etc/rita
cp /home/pi/piHunter/rita.yaml /etc/rita/config.yaml && chmod 666 /etc/rita/config.yaml
cd /home/hunter
rm -rf /home/hunter/rita
# python -m SimpleHTTPServer 8080 > /dev/null 2>&1 &
logEnd "RITA install"
logStart "Run-RITA-Run install"
# install Run-RITA-Run
git clone https://github.com/jeffvader84/run-rita-run
cd run-rita-run
chmod +x run-rita-run.sh
cp run-rita-run.sh /usr/local/bin/run-rita-run
cd ..
rm -rf run-rita-run
logEnd "Run-RITA-Run"
echo "##########################################################################"
echo "#### configure Persistence ####"
echo "##########################################################################"
# Setup Cron Job to bring services up from a system reboot
logStart "Setup Cron Job to startup services from system boot"
chmod +x /home/pi/piHunter/pihunter-startup.sh
mv /home/pi/piHunter/pihunter-startup.sh /home/hunter
chown hunter:hunter /home/hunter/pihunter-startup.sh
echo "@reboot sleep 10 && /home/hunter/pihunter-startup.sh" >> /var/spool/cron/crontabs/root
echo "5 0 * * * run-rita-run -ir" >> /var/spool/cron/crontab/root
echo "10 0 * * * run-rita-run -i" >> /var/spool/cron/crontab/root
sudo chmod -R 600 /var/spool/cron/crontabs/root
sudo chmod -R 600 /var/spool/cron/crontabs/hunter
logEnd "Setup Cron Job to startup services from system boot"
echo "[!] reboot the system, login as user hunter and run the following command"
#echo "[!] sudo userdel -r pi"
reboot
# script - stop