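#!/bin/bash
# Copyright Atomicorp, Inc
# 2020
#
# Atomic Workload Protection (AWP) Hub installer.
#
# Usage:  run as root from the directory that holds (or should receive) awp.cfg
#   ./awp-install.sh
#
# Environment:
#   BETA     - set to 1 to enable the asl-6.0-testing repository (default 0)
#   SSH_TTY  - when set, interactive prompts are read from it instead of the
#              controlling terminal of this process
#   GET      - HTTP client used for the credential check (default: wget)
#
# Flow: read or prompt for subscription credentials, verify them against the
# update server, detect the EL release, install the Atomicorp GPG keys, write
# the yum repo and mirrorlist files, then install and initialise the hub.
#
# The file was originally published with "#!/bin/sh" while relying on bash
# features ([[ ]], for (( )), $[ ]); the interpreter is now bash explicitly.
# The script keeps its own error handling (app_exit) rather than "set -e".

INSTALLER_VERSION=6.0.7
BETA=${BETA:-0}
LOG=/root/awp-install.log
ARCH=$(uname -i)
ALT_REPO_DISABLED=0

# NOTE(review): the assignment of GET was in a part of the file lost to page
# extraction. verify_credentials relies on wget's "-nv ... -O -" flags and on
# its literal "Authorization failed." message, so wget is the only sensible
# default; an explicit GET in the environment still wins.
GET=${GET:-wget}

#######################################
# Append a UTC-timestamped line to the install log.
# Globals:   LOG (read)
# Arguments: $* - message text
#######################################
log() {
  echo "$(date -u) $*" >> "$LOG"
}

#######################################
# Abort the installation: re-enable repositories that were disabled earlier,
# drop the lock file, log the failure and exit.
# Globals:   ALT_REPO_DISABLED, ALT_REPO (read; ALT_REPO is not assigned
#            anywhere in this file - presumably by a sourced config)
# Arguments: $1 - exit code
#######################################
app_exit() {
  local exit_code=$1
  local reponame
  if [[ "$ALT_REPO_DISABLED" -ge 1 ]]; then
    # shellcheck disable=SC2086 -- ALT_REPO is a whitespace-separated list
    for reponame in $ALT_REPO; do
      /usr/bin/yum-config-manager --enable "$reponame" > /dev/null
    done
  fi
  # remove lock file
  rm -f /awp-installer.lock
  log "ERROR: abnormal exit $exit_code"
  exit "$exit_code"
}

#######################################
# Percent-encode a string for use inside a URL (RFC 3986 unreserved
# characters pass through, everything else becomes %XX per byte).
# NOTE(review): the loop body of the original was lost to page extraction
# (only the "local string/strlen/encoded; for (( pos=0 ; pos" prefix
# survived); this is the standard implementation that prefix belongs to.
# Arguments: $1 - raw string
# Outputs:   encoded string on stdout (no trailing newline)
#######################################
rawurlencode() {
  local string="${1}"
  # Work byte-wise so that multi-byte UTF-8 characters are encoded as one
  # %XX per byte rather than as a single oversized code point.
  local LC_ALL=C
  local strlen=${#string}
  local encoded=""
  local pos c o
  for (( pos = 0; pos < strlen; pos++ )); do
    c=${string:$pos:1}
    case "$c" in
      [-_.~a-zA-Z0-9]) o="${c}" ;;
      *) printf -v o '%%%02x' "'$c" ;;
    esac
    encoded+="${o}"
  done
  printf '%s' "${encoded}"
}

#######################################
# Escape a string for use as the replacement part of a sed s/// command
# (backslash, the / delimiter and &).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
sed_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\//\\/}
  s=${s//&/\\&}
  printf '%s' "$s"
}

#######################################
# Escape a string so it can sit inside double quotes in a file that bash
# will later "source" (backslash, double quote, $ and backtick).
# Arguments: $1 - raw string
# Outputs:   escaped string on stdout (no trailing newline)
#######################################
shell_dq_escape() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  s=${s//\$/\\\$}
  s=${s//\`/\\\`}
  printf '%s' "$s"
}

#######################################
# Preserve a v5 (ASL) installation before the v6 layout takes over.
# NOTE(review): the first part of this function's body was lost to page
# extraction; only its final step survived (a "... >> $LOG  fi" fragment
# precedes it). Re-check against the upstream installer before relying on
# this version.
#######################################
v5Backup() {
  # backup /etc/asl to /etc/asl.backup
  if rpm -q --quiet asl; then
    mv /etc/asl /etc/asl.backup
  fi
}

#######################################
# Derive USERNAME/PASSWORD from /var/awp/etc/tortix.key (a base64-encoded,
# PHP-serialized array with "login" and "pass" keys).
# Globals:   USERNAME, PASSWORD, TC_TARGET (written)
# Exits:     via app_exit 1 when either value decodes to empty
#######################################
load_credentials_from_key() {
  local stext
  if [[ ! -f /usr/bin/php ]]; then
    yum -y install php
  fi
  log "credentials derived from /var/awp/etc/tortix.key "
  TC_TARGET="updates.atomicorp.com/channels/rules/plesk/README"
  stext=$(base64 -d /var/awp/etc/tortix.key)
  # The decoded key is handed to php on stdin instead of being interpolated
  # into the -r source text: a quote or backslash inside the key would
  # otherwise break, or be executed as, PHP code. unserialize() of a
  # root-owned local file is acceptable; never point this at untrusted input.
  USERNAME=$(printf '%s' "$stext" | php -r '$z = unserialize(stream_get_contents(STDIN)); echo $z["login"];')
  PASSWORD=$(printf '%s' "$stext" | php -r '$z = unserialize(stream_get_contents(STDIN)); echo $z["pass"];')
  if [[ -z "$USERNAME" ]]; then
    log "ERROR: username was empty (encoding error)"
    app_exit 1
  fi
  if [[ -z "$PASSWORD" ]]; then
    log "ERROR: password was empty (encoding error)"
    app_exit 1
  fi
  export USERNAME
  log "username: $USERNAME"
}

#######################################
# Interactively prompt for the subscription username and password (the
# password is asked twice and must match; three mismatches abort).
# Globals:   INSTALL_TTY (read); USERNAME, PASSWORD, TC_TARGET (written)
# Exits:     via app_exit 1 on blank input or too many mismatches
#######################################
prompt_credentials() {
  local confirmed=0 failed=0 password2
  log "fetching credentials from stdin"
  TC_TARGET="updates.atomicorp.com/channels/asl-3.0/README"
  printf '%s' "Enter subscription Username: "
  read -r USERNAME < "$INSTALL_TTY"
  export USERNAME
  if [[ -z "$USERNAME" ]]; then
    echo "Exiting: Username is blank. "
    echo
    log "ERROR: empty username provided"
    app_exit 1
  fi
  while (( confirmed < 1 )); do
    if (( failed > 2 )); then
      echo "Exiting: too many failed attempts."
      echo
      log "ERROR: too many failed attempts"
      app_exit 1
    fi
    printf '%s' "Enter Subscription Password: "
    PASSWORD=
    read -sr PASSWORD < "$INSTALL_TTY"
    echo
    if [[ -z "$PASSWORD" ]]; then
      echo "Exiting: Password is blank..."
      log "ERROR: empty password provided"
      app_exit 1
    fi
    printf '%s' "Re-Enter Subscription Password: "
    password2=
    read -sr password2 < "$INSTALL_TTY"
    echo
    if [[ "$PASSWORD" == "$password2" ]]; then
      confirmed=1
    else
      failed=$(( failed + 1 ))
      echo "Sorry, passwords do not match."
      echo
      log "ERROR: password mismatch"
    fi
  done
}

#######################################
# Check the credentials against the update server.
# Globals:   GET, USERNAME, PASSWORD, TC_TARGET (read); ENCPASSWORD (written)
# Exits:     via app_exit 1 when the server answers "Authorization failed."
#######################################
verify_credentials() {
  local output status
  ENCPASSWORD=$(rawurlencode "$PASSWORD")
  log "testing credentials"
  # The credentials travel inside the URL, so they are visible in the process
  # list for the duration of this one request (as in the original).
  # shellcheck disable=SC2086 -- GET may carry its own options
  output=$($GET -nv "https://$USERNAME:$ENCPASSWORD@$TC_TARGET" -O - 2>&1)
  status=$?
  printf '%s' "Verifying account: "
  if [[ "$output" == "Authorization failed." ]]; then
    echo " Failed"
    echo
    echo " ERROR: AWP Username/Password credentials are incorrect or this license has expired."
    echo " For more information, please see this FAQ:"
    echo " https://wiki.atomicorp.com/wiki/index.php/ASL_FAQ#HTTP_Error_401:_Authorization_Required_Trying_other_mirror "
    echo
    log "ERROR: authorization failed"
    app_exit 1
  elif [[ "$status" -ne 0 ]]; then
    # The original reported "Passed" for every answer other than an explicit
    # 401, including no connection at all; say so instead of claiming success.
    echo " Unverified (could not reach $TC_TARGET, exit status $status)"
    log "WARNING: credential check did not complete (exit status $status); continuing unverified"
  else
    echo " Passed"
    log "authorization test passed"
  fi
}

#######################################
# Locate the OS release file and map it to an EL generation.
# Globals:   RELEASE_FILE, DIST, DIR (written)
# Exits:     via app_exit 1 when no release file or no known release matches
#######################################
detect_release() {
  if [[ -f /etc/system-release ]]; then
    RELEASE_FILE=/etc/system-release
  elif [[ -f /etc/redhat-release ]]; then
    RELEASE_FILE=/etc/redhat-release
  elif [[ -f /etc/openvz-release ]]; then
    RELEASE_FILE=/etc/openvz-release
  elif [[ -f /etc/virtuozzo-release ]]; then
    # Fixed: the original assigned /etc/openvz-release here, which cannot
    # exist in this branch (the previous test would have matched), so the
    # release check below always failed on Virtuozzo hosts.
    RELEASE_FILE=/etc/virtuozzo-release
  else
    echo
    echo "Error: /etc/redhat-release was not detected"
    echo
    log "ERROR: could not determine release file"
    app_exit 1
  fi

  if grep -Eq "release 5|release 2011" "$RELEASE_FILE"; then
    DIST="el5"
    DIR=centos/5
  elif grep -Eq "release 6|release 2012" "$RELEASE_FILE"; then
    DIST="el6"
    DIR=centos/6
  elif grep -Eq "release 7" "$RELEASE_FILE"; then
    DIST="el7"
    DIR=centos/7
  else
    echo "Error: Unable to determine distribution type. Please send the contents of $RELEASE_FILE to support@atomicorp.com"
    log "ERROR: unable to determine distribution type"
    app_exit 1
  fi
  log "distribution determined as $DIST"
}

#######################################
# Download (if absent) and import one RPM signing key.
# Trust in the key rests entirely on the TLS connection to the download
# host: no fingerprint is checked here.
# Arguments: $1 - key URL
#            $2 - destination path under /etc/pki/rpm-gpg
#            $3 - human label used in messages ("Legacy Atomicorp", ...)
# Exits:     via app_exit 1 when the download or the rpm import fails
#######################################
install_gpg_key() {
  local url=$1 dest=$2 label=$3
  if [[ ! -f "$dest" ]]; then
    mkdir -p /etc/pki/rpm-gpg
    if ! wget -q "$url" -O "$dest"; then
      # wget leaves an empty -O target behind on failure; remove it so a
      # re-run does not skip the download and import an empty key.
      rm -f -- "$dest"
      echo FAIL
      # repeat without -q so the user sees why the download failed
      wget -O /dev/null "$url"
      echo
      echo " Could not download the $label gpg key"
      echo
      log "ERROR: failed to download the $label GPG key"
      app_exit 1
    fi
  fi
  # The original ignored the import status; a key that failed to import
  # surfaces later as an opaque gpgcheck failure in yum.
  if ! /bin/rpm --import "$dest"; then
    echo FAIL
    echo
    echo " Could not import the $label gpg key from $dest"
    echo
    log "ERROR: failed to import the $label GPG key"
    app_exit 1
  fi
  log "$label GPG key imported"
}

#######################################
# Write the yum .repo files. "\$releasever" is left for yum to substitute
# (the original let the shell expand it, which produced an empty string).
# Globals:   BETA, KERNEL (read; KERNEL is expected from a sourced config)
#######################################
write_repo_files() {
  # asl6.repo
  cat << EOF > /etc/yum.repos.d/awp.repo
[asl-6.0]
name=Atomicorp - \$releasever - Atomic Web Protection 6.0
mirrorlist=file:///var/awp/etc/asl-6.0-mirrorlist
priority=1
enabled=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck=1
$KERNEL

[asl-6.0-testing]
name=Atomicorp - \$releasever - Atomic Web Protection 6.0 (Testing)
mirrorlist=file:///var/awp/etc/asl-6.0-testing-mirrorlist
priority=1
enabled=$BETA
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck=1
$KERNEL
EOF

  # asl.repo
  cat << EOF > /etc/yum.repos.d/asl.repo
[asl-4.0]
name=Atomicorp - \$releasever - Atomic Secured Linux 4.0
mirrorlist=file:///var/awp/etc/asl-4.0-mirrorlist
priority=1
enabled=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck=1
$KERNEL

[asl-4.0-testing]
name=Atomicorp - \$releasever - Atomic Secured Linux 4.0 (Testing)
mirrorlist=file:///var/awp/etc/asl-4.0-testing-mirrorlist
priority=1
enabled=0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck=1
$KERNEL
EOF

  # tortix.repo
  # NOTE(review): tortix-testing points at /etc/asl/tortix-testing-mirrorlist,
  # unlike every other entry (/var/awp/etc/...); no such mirrorlist is written
  # by this script either. Left as in the original since the repo is disabled.
  cat << EOF > /etc/yum.repos.d/tortix.repo
# Name: Atomicorp RPM Repository for -
# URL: http://www.atomicorp.com/
[tortix]
name = \$releasever - atomicorp.com
mirrorlist = file:///var/awp/etc/tortix-mirrorlist
enabled = 1
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1

# Almost Stable, release candidates for [tortix]
[tortix-testing]
name = \$releasever - atomicorp.com - (Testing)
mirrorlist = file:///etc/asl/tortix-testing-mirrorlist
enabled = 0
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1
EOF

  # tortix-kernel.repo
  cat << EOF > /etc/yum.repos.d/tortix-kernel.repo
# Name: Atomicorp kernel RPM Repository for -
# URL: http://www.atomicorp.com/
[tortix-kernel]
name = \$releasever - atomicorp.com
mirrorlist = file:///var/awp/etc/tortix-kernel-mirrorlist
enabled = 0
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1

# Almost Stable, release candidates for [tortix-kernel]
[tortix-kernel-testing]
name = \$releasever - atomicorp.com - (Testing)
mirrorlist = file:///var/awp/etc/tortix-kernel-testing-mirrorlist
enabled = 0
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1

[tortix-kernel-xen]
name = \$releasever - atomicorp.com
mirrorlist = file:///var/awp/etc/tortix-kernel-xen-mirrorlist
enabled = 0
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1

# Almost Stable, release candidates for [tortix-kernel]
[tortix-kernel-xen-testing]
name = \$releasever - atomicorp.com - (Testing)
mirrorlist = file:///var/awp/etc/tortix-kernel-xen-testing-mirrorlist
enabled = 0
priority = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
gpgcheck = 1
EOF
  log "created .repo files"
}

#######################################
# Write one mirrorlist file (four mirrors for a channel). The file embeds the
# subscription credentials, so it is created with umask 077 and forced to
# mode 600; the original left it world-readable.
# Globals:   USERNAME, ENCPASSWORD, DIR, ARCH (read)
# Arguments: $1 - mirrorlist path
#            $2 - channel name (asl-6.0, tortix, ...)
#######################################
write_mirrorlist() {
  local file=$1 channel=$2 host
  (
    umask 077
    for host in www4 www5 www6 www7; do
      echo "https://$USERNAME:$ENCPASSWORD@$host.atomicorp.com/channels/$channel/$DIR/$ARCH"
    done > "$file"
  )
  chmod 600 "$file"
}

#######################################
# Create ./awp.cfg when absent so later runs are unattended. Values are
# escaped for a double-quoted, bash-sourced file (the original wrote the
# sed-escaped password here, which read back wrong for any password
# containing / or &). The file holds the password: mode 600.
# Globals:   USERNAME, PASSWORD (read)
#######################################
write_awp_cfg() {
  if [[ ! -f awp.cfg ]]; then
    (
      umask 077
      {
        echo "USERNAME=\"$(shell_dq_escape "$USERNAME")\""
        echo "PASSWORD=\"$(shell_dq_escape "$PASSWORD")\""
        echo "KERNEL_CHANNEL=\"disabled\""
        echo "CONFIGURED=\"yes\""
        echo "FW_INBOUND_TCP_SERVICES=\"22,80,443,1514,1515,1516,30001\""
        echo "OPENID_CONNECT_INTEGRATION=\"on\""
        echo "OSSEC_ACTIVE_RESPONSE=\"yes\""
        echo "OSSEC_NOTIFY=\"no\""
      } > awp.cfg
    )
  fi
  chmod 600 awp.cfg
}

#######################################
# Restart awpd, regenerate the index and wait for awpwebd to appear.
# Waits indefinitely, exactly as the original loop did.
#######################################
restart_awp() {
  echo
  echo "Stopping AWP"
  systemctl stop awpd
  /var/awp/bin/awp_indexgen -f
  echo
  echo "Starting AWP"
  systemctl start awpd
  printf '%s' "Starting AWPwebd: "
  while ! /usr/bin/pgrep awpwebd >/dev/null; do
    printf '.'
    sleep 3
  done
  echo " Done"
}

#######################################
# Install the hub packages and run the post-install configuration.
# Globals:   LOG, DIST, USERNAME, PASSWORD (read)
# Exits:     via app_exit 1 when the yum installation fails
#######################################
install_hub() {
  local packages="awp awp-web httpd mod_ssl awp-hub-utils aeo-python-utils ansible wget wireshark rsync nmap telnet net-tools vim-enhanced jq php"
  local yum_status aum_status tmp_rules n
  local awp_config=/var/awp/etc/config
  local rules_config=/var/awp/etc/rules.json

  log "installing the awp package"
  # shellcheck disable=SC2086 -- intentional word-splitting of the package list
  yum install -y $packages | tee -a "$LOG"
  # $? after a pipeline is tee's status; PIPESTATUS[0] is yum's. The original
  # tested $? and therefore never noticed a failed package installation.
  yum_status=${PIPESTATUS[0]}
  if [[ "$yum_status" -ne 0 ]]; then
    echo
    echo "ERROR: There was a problem with the Yum installation"
    log "ERROR: base package installation failed"
    echo
    echo
    app_exit 1
  fi

  # reload for service files if el7
  if [[ "$DIST" == "el7" ]]; then
    log "reloading systemctl daemon"
    systemctl daemon-reload
  fi

  # set username and password in file (escaped for the sed replacement)
  sed -i "s/\"USERNAME\"/\"$(sed_escape "$USERNAME")\"/" "$awp_config"
  sed -i "s/\"PASSWORD\"/\"$(sed_escape "$PASSWORD")\"/" "$awp_config"
  log "updated /var/awp/etc/config"

  log "running /var/awp/bin/setup"
  echo "Initializing setup, please be patient..."
  /var/awp/bin/setup >/dev/null 2>&1
  systemctl stop awpd

  # Enable services. The merged JSON goes through a private temp file instead
  # of the predictable /tmp/rules.json the original used.
  tmp_rules=$(mktemp) || app_exit 1
  if jq '. + {"syslog": [{"setting_type": "S", "rule_type": "secure", "port": "1514", "protocol": "udp", "ips_allowed": [],"ips_denied": [] }, { "setting_type": "S", "rule_type": "syslog", "port": "514", "protocol": "udp", "ips_allowed": [ "0.0.0.0/0" ], "ips_denied": [] }]}' "$rules_config" > "$tmp_rules"; then
    cp -f "$tmp_rules" "$rules_config"
  fi
  rm -f -- "$tmp_rules"

  /var/awp/bin/aum -uf | tee -a "$LOG"
  aum_status=${PIPESTATUS[0]}
  if [[ "$aum_status" -eq 0 ]]; then
    sed -i "s/\"CONFIGURED\"/\"YES\"/" /var/awp/etc/config
    restart_awp

    # Creating installer repos
    mkdir -p /var/www/html/installers

    # Run mirror creation step (detached; the original wrapped these in an
    # unnecessary eval)
    echo
    echo "Creating agent mirror"
    /etc/cron.daily/awp-mirror-update > /dev/null 2>&1 & disown
    /etc/cron.daily/awp-docs-update > /dev/null 2>&1 & disown

    rm -f /etc/httpd/conf.d/welcome.conf
    # As in the original; "systemctl stop httpd" would be the gentler form on el7.
    if pidof httpd >/dev/null; then
      killall -9 httpd >/dev/null 2>&1
    fi

    # test this next, we did that stop above it might be enough
    echo "Final setup tasks"
    n=0
    until (( n >= 5 )); do
      /var/awp/bin/awp -s -f && break
      n=$(( n + 1 ))
      echo "Retrying in 5s..."
      sleep 5
    done

    systemctl enable httpd
    systemctl start httpd

    # Issue444
    restart_awp
    # NOTE(review): the host part of this URL is empty on the page; it may
    # have been lost to extraction. Left as found.
    echo "Access the AWP web console at https://:30001"

    # Enable EULA
    #if [ -f /var/awp/data/.regform ]; then
    #  rm -f /var/awp/data/.regform
    #fi
  fi

  v5Backup
  # Symlink, in case the above fails for some reason, we can revision it
  if [[ -d /etc/asl ]]; then
    mv /etc/asl "/etc/asl.upgrade.$(date +%s)"
  fi
  # v5 path emulation
  ln -sf /var/awp/etc /etc/asl
}

#######################################
# Entry point.
# Globals:   see the functions above; AUTO, CONFIGURED, INSTALL_TTY (written)
#######################################
main() {
  # Everything below writes to /root, /etc and the rpm database.
  if [[ "$EUID" -ne 0 ]]; then
    echo "Error: this installer must be run as root" >&2
    exit 1
  fi

  log "--------------------------------------------------"
  log "AWP installation started"

  echo
  echo
  echo "Atomic Workload Protection Hub installer (v$INSTALLER_VERSION)"
  echo " By Atomicorp: https://www.atomicorp.com"
  echo " Beginning unattended installation of the AWP Hub platform"
  echo

  if [[ -z "$SSH_TTY" ]]; then
    INSTALL_TTY="/dev/$(ps -p "$$" --no-heading | awk '{print $2}')"
  else
    INSTALL_TTY=$SSH_TTY
  fi

  # is this unattended
  if [[ -f awp.cfg ]]; then
    # awp.cfg is sourced (executed) as root from the current directory; run
    # the installer only from a directory you control.
    source ./awp.cfg
    AUTO=1
    log "awp.cfg detected, running in unattended mode"
  fi

  # if not unattended, force CONFIGURED to no, then inherit any existing
  # v5/v6 config (which may set CONFIGURED again - order kept from the original)
  if [[ -z "$AUTO" ]]; then
    CONFIGURED=no
    log "CONFIGURED forced to no"
    if [[ -f /etc/asl/config ]]; then
      source /etc/asl/config
      log "sourced /etc/asl/config"
      # Hub install upgrades, inherit ASL config
      cp /etc/asl/config /root/awp.cfg
    fi
    if [[ -f /var/awp/etc/config ]]; then
      source /var/awp/etc/config
      log "sourced /var/awp/etc/config"
    fi
  fi

  # ask for credentials, determine TC_TARGET
  if [[ "$CONFIGURED" != "yes" ]]; then
    if [[ -f /var/awp/etc/tortix.key && -s /var/awp/etc/tortix.key ]]; then
      load_credentials_from_key
    else
      prompt_credentials
    fi
  fi
  # NOTE(review): when CONFIGURED=yes the original left TC_TARGET unset
  # (unless a sourced config provided it), which made the credential check a
  # no-op. Default to the same target the interactive path uses.
  TC_TARGET=${TC_TARGET:-updates.atomicorp.com/channels/asl-3.0/README}

  verify_credentials
  detect_release

  printf '%s' "Installing the Atomic GPG key: "
  install_gpg_key https://www.atomicorp.com/RPM-GPG-KEY.art.txt \
    /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt "Legacy Atomicorp"
  install_gpg_key https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt \
    /etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt "Atomicorp"
  echo "OK"

  if [[ ! -d /var/awp/etc ]]; then
    mkdir -p /var/awp/etc
    log "created /var/awp/etc"
  fi

  write_repo_files

  # mirrorlist files (credential-bearing, mode 600)
  write_mirrorlist /var/awp/etc/asl-6.0-mirrorlist asl-6.0
  write_mirrorlist /var/awp/etc/asl-6.0-testing-mirrorlist asl-6.0-testing
  write_mirrorlist /var/awp/etc/asl-4.0-mirrorlist asl-4.0
  write_mirrorlist /var/awp/etc/asl-4.0-testing-mirrorlist asl-4.0-testing
  write_mirrorlist /var/awp/etc/tortix-mirrorlist tortix
  write_mirrorlist /var/awp/etc/tortix-kernel-mirrorlist tortix-kernel

  # HUB Installation
  write_awp_cfg
  source ./awp.cfg
  install_hub

  log "installation complete"
}

main "$@"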