forked from socfortress/Wazuh-Rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
wazuh_socfortress_rules.sh
205 lines (187 loc) · 7.86 KB
/
wazuh_socfortress_rules.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
#!/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
clear
## Continue?
## Check if system is based on yum or apt-get
while true; do
read -p "Do you wish to configure Wazuh with the SOCFortress ruleset? WARNING - This script will replace all of your current custom Wazuh Rules. Please proceed with caution and it is recommended to manually back up your rules... continue? " yn
case $yn in
[Yy]* ) break;;
[Nn]* ) exit;;
* ) echo "Please answer yes or no.";;
esac
done
if [ -n "$(command -v yum)" ]; then
sys_type="yum"
sep="-"
elif [ -n "$(command -v zypper)" ]; then
sys_type="zypper"
sep="-"
elif [ -n "$(command -v apt-get)" ]; then
sys_type="apt-get"
sep="="
fi
## Prints information
logger() {
now=$(date +'%m/%d/%Y %H:%M:%S')
case $1 in
"-e")
mtype="INFO:"
message="$2"
;;
"-w")
mtype="WARNING:"
message="$2"
;;
*)
mtype="INFO:"
message="$1"
;;
esac
echo "$now $mtype $message"
}
## Check if Git exists
if ! command -v git &> /dev/null
then
logger -e "git package could not be found. Please install with yum/apt-get install git."
exit
else
logger -e "git package found. Continuing..."
fi
checkArch() {
arch=$(uname -m)
if [ "$arch" != "x86_64" ]; then
logger -e "Incompatible system. This script must be run on a 64-bit system."
exit 1
fi
}
restartService() {
if [ -n "$(ps -e | egrep '^\s*1\s.*systemd$')" ]; then
eval "systemctl restart $1.service ${debug}"
if [ "$?" != 0 ]; then
logger -e "${1^} could not be restarted. Please check /var/ossec/logs/ossec.log for details."
logger -e "An error has occurred. Attempting to restore backed up rules"
\cp -r /tmp/wazuh_rules_backup/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
systemctl restart wazuh-manager
rm -rf /tmp/Wazuh-Rules
else
sleep 1
fi
elif [ -n "$(ps -e | egrep '^\s*1\s.*init$')" ]; then
eval "chkconfig $1 on ${debug}"
eval "service $1 restart ${debug}"
eval "/etc/init.d/$1 start ${debug}"
if [ "$?" != 0 ]; then
logger -e "${1^} could not be restarted. Please check /var/ossec/logs/ossec.log for details."
logger -e "An error has occurred. Attempting to restore backed up rules"
\cp -r /tmp/wazuh_rules_backup/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
systemctl restart wazuh-manager
rm -rf /tmp/Wazuh-Rules
else
sleep 1
fi
elif [ -x "/etc/rc.d/init.d/$1" ]; then
eval "/etc/rc.d/init.d/$1 start ${debug}"
if [ "$?" != 0 ]; then
logger -e "${1^} could not be restarted. Please check /var/ossec/logs/ossec.log for details."
else
logger "${1^} restarted"
fi
else
logger -e "${1^} could not restart. No service found on the system."
fi
}
healthCheck() {
cd /var/ossec || exit 1 # Set the current working directory to /var/ossec
logger "Performing a health check"
eval "service wazuh-manager restart ${debug}"
sleep 20
if [ -n "$(/var/ossec/bin/wazuh-control status | grep 'wazuh-logcollector not running...')" ]; then
logger -e "Wazuh-Manager Service is not healthy. Please check /var/ossec/logs/ossec.log for details."
else
logger -e "Wazuh-Manager Service is healthy. Thanks for checking us out :) Get started with our free-for-life tier here: https://www.socfortress.co/trial.html Happy Defending!"
rm -rf /tmp/Wazuh-Rules
fi
}
## Install the required packages for the installation
cloneRules() {
logger "Beginning the Install"
if [ "$sys_type" == "yum" ]; then
logger -e "Verifying that Wazuh-Manager software is installed... continued"
if rpm -qa | grep -q wazuh-manager; then
mkdir /tmp/wazuh_rules_backup
logger -e "Backing up current rules into /tmp/wazuh_rules_backup/"
\cp -r /var/ossec/etc/rules/* /tmp/wazuh_rules_backup/
git clone https://github.com/socfortress/Wazuh-Rules.git /tmp/Wazuh-Rules
cd /tmp/Wazuh-Rules || exit 1
find . -name '*xml' -exec mv {} /var/ossec/etc/rules/ \;
find /var/ossec/etc/rules/ -name 'decoder-linux-sysmon.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'yara_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'auditd_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'naxsi-opnsense_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'maltrail_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'decoder-manager-logs.xml' -exec mv {} /var/ossec/etc/decoders/ \;
/var/ossec/bin/wazuh-control info 2>&1 | tee /tmp/version.txt
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
systemctl restart wazuh-manager
cd /var/ossec || exit 1
rm -rf /tmp/Wazuh-Rules
else
logger -e "Wazuh-Manager software could not be found or is not installed"
fi
elif [ "$sys_type" == "apt-get" ]; then
logger -e "Verifying that Wazuh-Manager software is installed... continued"
if apt list --installed | grep -q wazuh-manager; then
mkdir /tmp/wazuh_rules_backup
logger -e "Backing up current rules into /tmp/wazuh_rules_backup/"
\cp -r /var/ossec/etc/rules/* /tmp/wazuh_rules_backup/
git clone https://github.com/socfortress/Wazuh-Rules.git /tmp/Wazuh-Rules
cd /tmp/Wazuh-Rules || exit 1
find . -name '*xml' -exec mv {} /var/ossec/etc/rules/ \;
find /var/ossec/etc/rules/ -name 'decoder-linux-sysmon.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'yara_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'auditd_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'naxsi-opnsense_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'maltrail_decoders.xml' -exec mv {} /var/ossec/etc/decoders/ \;
find /var/ossec/etc/rules/ -name 'decoder-manager-logs.xml' -exec mv {} /var/ossec/etc/decoders/ \;
/var/ossec/bin/wazuh-control info 2>&1 | tee /tmp/version.txt
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
systemctl restart wazuh-manager
cd /var/ossec || exit 1
rm -rf /tmp/Wazuh-Rules
else
logger -e "Wazuh-Manager software could not be found or is not installed"
fi
else
logger "Continuing"
fi
if [ "$?" != 0 ]; then
logger -e "An error has occurred. Attempting to restore backed up rules"
\cp -r /tmp/wazuh_rules_backup/* /var/ossec/etc/rules/
chown wazuh:wazuh /var/ossec/etc/rules/*
chmod 660 /var/ossec/etc/rules/*
systemctl restart wazuh-manager
cd /var/ossec || exit 1
rm -rf /tmp/Wazuh-Rules
else
logger -e "Rules downloaded, attempting to restart the Wazuh-Manager service"
restartService "wazuh-manager"
sleep 5
fi
}
main() {
if [ "$EUID" -ne 0 ]; then
logger -e "This script must be run as root."
exit 1
fi
checkArch
cloneRules
healthCheck
}
main "$@"