#!/usr/bin/env bash
# Author: Jon Schipp <jonschipp@gmail.com>
# Written for Ubuntu Saucy and Trusty, should be adaptable to other distros.
# Installation notification (not implemented yet)
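MAIL="$(command -v mail 2>/dev/null)"   # Empty when mail(1) is absent; die()/hi() then skip the e-mail step
COWSAY=/usr/games/cowsay               # Optional: used to print messages when the binary exists
IRCSAY=/usr/local/bin/ircsay           # Optional: IRC notifier, invoked as "$IRCSAY $IRC_CHAN <message>"
IRC_CHAN="#replace_me"
HOST="$(hostname -s)"
LOGFILE=install.log
EMAIL=user@company.com
# System Configuration
USER="demo" # User account to create for that people will ssh into to enter container
PASS="demo" # Password for the account that users will ssh into
# NOTE(review): USER/PASS above are a well-known default for an account that is
# reachable over SSH with password authentication (see security_configuration).
# Change them before exposing the host; the only thing standing between this
# password and the host is the ForceCommand in the sshd "Match User" block.
GROUP="islet" # ISLET Group, used for permissions of database
SIZE=2G # Maximum size of containers, DoS prevention
SSH_CONFIG=/etc/ssh/sshd_config
CONTAINER_DESTINATION= # Put containers on another volume e.g. /dev/sdb1 (optional). You must mkfs.$FS first!
FS="ext4" # Filesystem type for CONTAINER_DESTINATION, used for mounting
INSTALL_DIR=/opt/islet # ISLET component directory
BIN_DIR="$INSTALL_DIR/bin" # Directory to install islet scripts
SHELL="$BIN_DIR/islet_shell" # $USER's shell and container launcher
# NOTE(review): SHELL is normally inherited (exported) from the login
# environment, so reassigning it here also changes the SHELL seen by every
# child process this script starts. Harmless for the commands used below, but
# worth knowing if something later relies on $SHELL.
# Other Declarations
RESTART_SSH=0    # Set to 1 by security_configuration when sshd_config changed
RESTART_DOCKER=0 # Set to 1 when the Docker daemon needs a restart
LIMITS=/etc/security/limits.d
DEFAULT=/etc/default/docker # Where DOCKER_OPTS is persisted (see docker_configuration)
UPSTART=/etc/init/docker.conf
# Logging
#exec > >(tee -a "$LOGFILE") 2>&1
#printf "\n --> Logging stdout & stderr to ${LOGFILE}\n"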
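# Print an error message and terminate the script with exit status 1.
# Arguments: the message (all arguments are joined with spaces). Backslash
#            escapes such as "\n" in the message are interpreted, as callers
#            in this file rely on; "%" is printed literally.
# Globals read: COWSAY, IRCSAY, IRC_CHAN, MAIL, HOST, EMAIL.
# Output goes to stderr. cowsay, ircsay and mail are used only when present
# and are best-effort: their failure does not change the exit status.
die(){
  local msg="$*"
  if [[ -f "${COWSAY:-none}" ]]; then
    "$COWSAY" -d "$msg" >&2
  else
    # The message is a printf argument, never the format string, so a "%" in
    # it cannot be misread as a conversion directive; %b keeps "\n" working.
    printf '%s%b%s\n' "$(tput setaf 1 2>/dev/null)" "$msg" "$(tput sgr0 2>/dev/null)" >&2
  fi
  if [[ -f "$IRCSAY" ]]; then
    ( set +e; "$IRCSAY" "$IRC_CHAN" "$msg" 2>/dev/null || true )
  fi
  if [[ -f "${MAIL:-none}" ]]; then
    printf '%s\n' "$msg" | "$MAIL" -s "[vagrant] Bro Sandbox install information on $HOST" "$EMAIL"
  fi
  exit 1
}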
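# Print an informational message (stdout) and optionally notify IRC / e-mail.
# Arguments: the message (all arguments are joined with spaces). Backslash
#            escapes such as "\n" are interpreted, as callers in this file
#            rely on; "%" is printed literally.
# Globals read: COWSAY, IRCSAY, IRC_CHAN, MAIL, HOST, EMAIL.
# Returns: 0; the optional notifiers are best-effort.
hi(){
  local msg="$*"
  if [[ -f "${COWSAY:-none}" ]]; then
    "$COWSAY" "$msg"
  else
    # Message passed as an argument, not as the format string (see die()).
    printf '%s%b%s\n' "$(tput setaf 3 2>/dev/null)" "$msg" "$(tput sgr0 2>/dev/null)"
  fi
  if [[ -f "$IRCSAY" ]]; then
    ( set +e; "$IRCSAY" "$IRC_CHAN" "$msg" 2>/dev/null || true )
  fi
  if [[ -f "${MAIL:-none}" ]]; then
    printf '%s\n' "$msg" | "$MAIL" -s "[vagrant] Bro Sandbox install information on $HOST" "$EMAIL"
  fi
}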
# Emit a sample ISLET configuration file on stdout (the netsniff-ng image).
# The heredoc delimiter is quoted, so nothing inside is expanded: "$VIRTUSER",
# "$HOSTNAME" and the backslashes in the banner art reach the output verbatim.
# NOTE(review): the sample grants NET_RAW and NET_ADMIN to every container
# started from it (LOCAL_OPTIONS). With NETWORK="none" that only reaches the
# container's own stack, but re-check it before switching NETWORK to bridge.
template(){
  cat <<'EOF'
# System Configuration
ENVIRONMENT="jonschipp/islet-netsniff-ng" # Launch containers from this image, must match name in Docker exactly.
DESCRIPTION="Netsniff-NG Toolkit training image" # Brief description of image, shown in selection menu
# Security Configuration
VISIBLE="yes" # This config file is visible from config selection menu
DAYS="3" # Container lifetime specified in days, removed after x days by cron jobs
REMOVE="no" # Container is removed after exit, user cannot re-attach and resume work
TIMEOUT="4h" # Max runtime of containers, accepts timeout(1) arguments
# Container Configuration
VIRTUSER="demo" # Account used when container is entered (Must exist in image!)
CPUSHARES="1024" # Proportion of cpu share allocation per container
MEMORY="256m" # Amount of memory allocated to each container
HOSTNAME="netsniff-ng" # Set hostname in container. PS1 will end up as $VIRTUSER@$HOSTNAME:~$ in shell
NETWORK="none" # Disable networking by default: none; Enable networking: bridge
DNS="127.0.0.1" # Use loopback when networking is disabled to prevent error messages from resolver
MOUNT="-v /exercises:/exercises:ro" # Mount point(s), sep. by -v: /src:/dst:attributes, ro = readonly (avoid rw if possible)
LOCAL_OPTIONS="--cap-add=NET_RAW --cap-add=NET_ADMIN" # Apply any other options you want passed to Docker run here
LOCAL_ENV="" # Variables that get passed to VIRTUSER's shell for container
# Branding & Information
MOTD="Training materials are in /exercises
e.g. $ netsniff-ng --in /exercises/pcap/traffic.pcap" # Message of the day is displayed before entering container
BANNER="
=================================================================
Welcome to Netsniff-NG Configuration!
netsniff-ng is a free, performant Linux network analyzer and
linux network analyzer and networking toolkit. If you will,
the Swiss army knife for network packets.
Web: http://netsniff-ng.org
/( )\\
./ {______} \.
\ ^, ,^ /
|'O\ /O'| _.<0101011>--
> \`' '\` < /
) ,.==., ( |
.-(|/--~~--\|)-'
( ___
\__.=|___E
A place to try out Netsniff-NG
=================================================================
"
EOF
}
logo(){
cat <<"EOF"
===============================================================
ISLET: A Linux-based Software Training System
(I)solated,
(S)calable,
& (L)ightweight (E)nvironment
for (T)raining
Web: https://github.com/jonschipp/islet
===============================================================
EOF
}
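# Abort unless lsb_release reports a Debian or Ubuntu distribution.
# Despite the name, Debian is accepted too (the installer only needs APT).
# Globals: none. Calls die() when lsb_release is missing or reports another
# distribution.
is_ubuntu(){
  local desc pattern='Ubuntu|Debian'
  desc="$(lsb_release -s -d 2>/dev/null)"
  # Unquoted $pattern so [[ =~ ]] treats it as a regex (replaces egrep).
  if ! [[ "$desc" =~ $pattern ]]; then
    die "Debian or Ubuntu Linux is required for installation!"
  fi
}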
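# Install Docker from the get.docker.com APT repository.
# Globals: none written. Calls is_ubuntu() first; die() on any failed step.
# NOTE(review): apt-key and the get.docker.com/ubuntu repository are the
# legacy Docker install path; left unchanged here.
install_docker(){
  is_ubuntu
  hi " Installing Docker!\n"
  # APT needs the HTTPS transport to reach the repository
  if [[ ! -e /usr/lib/apt/methods/https ]]; then
    apt-get update -qq
    apt-get install -qy apt-transport-https || die "Unable to install apt-transport-https!"
    echo
  fi
  # Import the signing key BEFORE adding the repository, so a failed import
  # does not leave behind a sources entry that APT cannot authenticate.
  # The key is requested by its full fingerprint, which limits (but, depending
  # on the gpg version, may not fully prevent) a keyserver handing back a
  # different key; the hkp transfer itself is plaintext and unauthenticated.
  if [[ ! -e /etc/apt/sources.list.d/docker.list ]]; then
    apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 36A1D7869245C8950F966E92D8576A8BA88D21E9 \
      || die "Unable to import the Docker repository signing key!"
    echo deb https://get.docker.com/ubuntu docker main > /etc/apt/sources.list.d/docker.list
    echo
  fi
  # Install docker
  if ! command -v docker >/dev/null 2>&1; then
    apt-get update -qq
    apt-get install -qy --no-install-recommends lxc-docker cgroup-lite || die "Unable to install Docker!"
    #apt-get install -qy lxc-docker linux-image-extra-$(uname -r) aufs-tools
  fi
}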
# Reconfigure the Docker daemon to use the devicemapper storage driver with a
# per-container base size of SIZE, as a disk-exhaustion limit.
# Arguments: $1 size (default: global SIZE, e.g. 2G).
# Globals read: SIZE, DEFAULT. Calls die() on failure; on success it calls
# `exit 0`, i.e. it terminates the whole script, not just the function.
#
# WARNING: destructive. It stops Docker and deletes everything under
# /var/lib/docker -- all images, containers and volumes on this host. Only run
# it on a fresh install.
docker_configuration(){
  local RESTART=0
  local SIZE="${1:-$SIZE}"
  if command -v docker >/dev/null 2>&1; then
    # Set devicemapper storage limit
    # NOTE(review): "2>&1 >/dev/null" sends stderr to the original stdout and
    # discards only stdout; ">/dev/null 2>&1" would silence both. Left as-is.
    [[ -f /etc/init.d/docker ]] && service docker stop 2>&1 >/dev/null || stop -q docker 2>/dev/null
    sleep 1
    [[ -d /var/lib/docker/aufs ]] && umount /var/lib/docker/aufs
    [[ -d /var/lib/docker/devicemapper ]] && umount /var/lib/docker/devicemapper
    rm -rf /var/lib/docker/* || die "Unable to remove /var/lib/docker!"
    # Run a throw-away daemon once so it initialises the devicemapper pool with
    # the new base size, then kill it. Two caveats: the fixed 3s sleep is a
    # race if initialisation takes longer, and pkill matches by process name,
    # so any other process called "docker" running right now is killed too.
    docker -d --storage-driver=devicemapper --storage-opt dm.basesize="$SIZE" &
    sleep 3
    pkill docker
    # Persist the options: delete every line mentioning DOCKER_OPTS (including
    # commented examples) from /etc/default/docker, then append ours.
    sed -i '/DOCKER_OPTS/d' "$DEFAULT"
    echo DOCKER_OPTS=\"--storage-driver=devicemapper --storage-opt dm.basesize=$SIZE\" >> "$DEFAULT"
    # Precedence is (A && RESTART=1 && start) || die: when /etc/init.d/docker
    # is missing the chain is false and die() fires, so the line below only
    # runs with RESTART=1 ...
    [[ -f /etc/init.d/docker ]] && RESTART=1 && service docker start || die "Docker did not start correctly!"
    # ... which makes the upstart "start -q docker" fallback unreachable: this
    # line always falls through to hi "Docker started!" and then exits 0.
    [[ "$RESTART" -eq 0 ]] && [[ -f /etc/init/docker.conf ]] && start -q docker || hi "Docker started!" && exit 0
  else
    die "Docker is required for configuration!"
  fi
}
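# Create the SSH login account and put it in the ISLET and docker groups.
# Arguments: $1 user, $2 password, $3 group, $4 login shell (each defaults to
#            the global of the same name).
# Globals read: USER, PASS, GROUP, SHELL (as defaults). Calls hi(); die() when
# the account cannot be created.
# NOTE(review): membership in the docker group is effectively root-equivalent
# on the host (the daemon runs as root). The account is only safe because
# sshd forces it into $SHELL (see security_configuration); keep both in sync.
user_configuration(){
  local USER="${1:-$USER}"
  local PASS="${2:-$PASS}"
  local GROUP="${3:-$GROUP}"
  local SHELL="${4:-$SHELL}"
  hi " Configuring the $USER user account!\n"
  if ! getent passwd "$USER" 1>/dev/null; then
    useradd --create-home --shell "$SHELL" "$USER" || die "Unable to create user ${USER}!"
    # Password is fed over stdin, not argv, so it does not show up in ps output
    echo "$USER:$PASS" | chpasswd || die "Unable to set the password for ${USER}!"
  fi
  # Exact membership check: the old substring grep on the getent line matched
  # "demo" inside "demouser" (or inside the group name) and silently skipped
  # the gpasswd step.
  if ! _islet_in_group "$USER" "$GROUP"; then
    groupadd "$GROUP" 2>/dev/null
    gpasswd -a "$USER" "$GROUP" 2>/dev/null
  fi
  if ! _islet_in_group "$USER" docker; then
    groupadd docker 2>/dev/null
    gpasswd -a "$USER" docker 2>/dev/null
  fi
}
# True when user $1 is listed as a supplementary member of group $2
# (4th field of the getent group record, comma separated).
_islet_in_group(){
  local members
  members="$(getent group "$2" | cut -d: -f4)"
  [[ ",${members}," == *",$1,"* ]]
}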
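# Harden sshd for the login account and restart the services whose
# configuration changed.
# Arguments: $1 user (default: global USER), $2 the ForceCommand / login shell
#            (default: global SHELL).
# Globals read: SSH_CONFIG, RESTART_DOCKER. Globals written: RESTART_SSH.
# The sshd changes are:
#   * ClientAlive keep-alives so abandoned sessions are dropped;
#   * a "Match User" block that forces every session of $USER through $SHELL
#     (the container launcher) and disables TCP/X11/agent forwarding and
#     tunnels -- this block is what keeps a password-only demo account from
#     getting a real shell on the host, so keep it intact;
#   * the sftp subsystem is commented out GLOBALLY (no file transfer for any
#     user on this host, not only $USER).
# Each append is guarded by a grep for the text it writes; previously the
# guards looked for "ClientAliveInterval 15" and an unquoted "Match User",
# neither of which is what gets written, so every re-run appended duplicates.
security_configuration(){
  local USER="${1:-$USER}"
  local SHELL="${2:-$SHELL}"
  local pid
  hi " Configuring the system with security in mind!\n"
  if ! grep -q "ClientAliveInterval 600" "$SSH_CONFIG"; then
    printf "\nClientAliveInterval 600\nClientAliveCountMax 3\n" >> "$SSH_CONFIG"
    RESTART_SSH=1
  fi
  # Accept an existing block written with or without quotes around the name
  if ! grep -qF "Match User \"$USER\"" "$SSH_CONFIG" && ! grep -qF "Match User $USER" "$SSH_CONFIG"; then
    cat <<EOF >> "$SSH_CONFIG"
Match User "$USER"
ForceCommand "$SHELL"
PasswordAuthentication yes
X11Forwarding no
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
MaxAuthTries 3
MaxSessions 1
AllowAgentForwarding no
PermitEmptyPasswords no
EOF
    RESTART_SSH=1
  fi
  if grep -q '^Subsystem sftp' "$SSH_CONFIG"; then
    sed -i '/Subsystem.*sftp/s/^/#/' "$SSH_CONFIG"
    RESTART_SSH=1
  fi
  if [[ "$RESTART_SSH" -eq 1 ]]; then
    # Validate before restarting; a broken sshd_config would lock everyone out
    # at the next restart, so the error is reported but the file is left for
    # the operator to fix.
    if sshd -t 2>/dev/null; then
      [[ -f /etc/init.d/sshd ]] && service sshd restart 2>/dev/null
      [[ -f /etc/init.d/ssh ]] && service ssh restart 2>/dev/null
    else
      echo "Syntax error in ${SSH_CONFIG}." >&2
    fi
    echo
  fi
  if [[ "$RESTART_DOCKER" -eq 1 ]]; then
    local RESTART=0
    [[ -f /etc/init.d/docker ]] && service docker stop 2>&1 >/dev/null || stop -q docker 2>/dev/null
    sleep 2
    # (A && RESTART=1 && start) || die: without /etc/init.d/docker this dies,
    # so the upstart fallback on the next line is never reached in practice.
    [[ -f /etc/init.d/docker ]] && RESTART=1 && service docker start || die "Docker did not start correctly!"
    [[ -f /etc/init/docker.conf ]] && [[ "$RESTART" -eq 0 ]] && start -q docker
    echo
    # Show the daemon's resource limits so the operator can confirm them
    pid="$(pgrep -f "docker -d")"
    [[ "$pid" ]] && cat /proc/"$pid"/limits
    echo
  fi
}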
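# Pull the Bro sample training image unless an image matching "brolive" is
# already present locally.
# Globals: none. Calls hi(); die() if the pull fails (previously a failed
# pull was silently ignored and the install went on without the image).
# NOTE(review): the image is fetched by name only; pin a tag if you need a
# reproducible training environment.
install_sample_configuration(){
  hi " Installing sample training image for Bro!\n"
  # Loose match on the image listing is fine: pulling an image that is already
  # present is harmless.
  if ! docker images | grep -q brolive; then
    docker pull broplatform/brolive || die "Unable to pull broplatform/brolive!"
  fi
}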
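# Pull one jonschipp/islet-<name> image for every extra/<name>.conf tracked in
# git (except brolive.conf, handled by install_sample_configuration).
# Globals: none. Calls install_sample_configuration() and hi(). A failed pull
# is reported on stderr and the loop moves on to the next image.
install_nsm_configurations(){
  local file name
  install_sample_configuration
  # Read git's output line by line instead of word-splitting a command
  # substitution, so paths containing spaces or glob characters survive.
  while IFS= read -r file; do
    [[ -n "$file" ]] || continue
    name="$(basename "$file" .conf)"
    if ! docker images | grep -q "$name"; then
      hi " Installing sample training image for ${name}\n"
      docker pull jonschipp/islet-"${name}" || printf 'Warning: unable to pull jonschipp/islet-%s\n' "$name" >&2
    fi
  done < <(git ls-files extra/*.conf | grep -v brolive.conf)
}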
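# Pull the base distribution images (ubuntu, debian, fedora, centos) that are
# not yet present locally.
# Globals: none. Calls hi(). A failed pull is reported on stderr and the loop
# continues.
# Bug fixed: the original iterated over "$DISTRO" as a single quoted word, so
# it ran once with "ubuntu debian fedora centos" as the image name and the
# pull always failed.
install_sample_distributions(){
  local -a distros=(ubuntu debian fedora centos)
  local image
  for image in "${distros[@]}"; do
    if ! docker images | grep -q "$image"; then
      hi " Installing distribution image for ${image}\n"
      docker pull "$image" || printf 'Warning: unable to pull %s\n' "$image" >&2
    fi
  done
}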
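# Dispatch: run the function named by the first argument with the remaining
# arguments, e.g. `functions.sh user_configuration demo demo islet`.
# Only functions defined in this file can be invoked. Without this check a
# bare "$@" executes whatever command is passed, with whatever privileges this
# script runs under (typically root during installation). No arguments: no-op.
if [[ $# -gt 0 ]]; then
  declare -F -- "$1" >/dev/null 2>&1 || die "Unknown function: $1"
  "$@"
fi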