MyTreeHoles

安装wazuh|clamav|auditd

安装wazuh|clamav|auditd

安装wazuh|clamav|auditd,支持ubantu和centos,需要结合pubapi接口来下载安装软件,要sudo ./运行

#!/ bin/ bash
set -e
# Check root privileges
[[ $EUID - ne θ ]] && { echo" Please run as root: sudo $θ"; exit 1; }
# Define software list and URLs
software_list=(" Wazuh" "ClamAV" " audit")
declare - A urls=(
  [wazuh]="https://pubapi.hmxpr.com/client/wazuh"
  [jq]="https://pubapi.hmxpr.com/client/jq"
  [wazuhdeb]="https://pubapi.hmxpr.com/client/wazuhdeb"
  [wazuhaudit]="https://pubapi.hmxpr.com/client/wazuhaudit"
  [clamavdeb]="https://pubapi.hmxpr.com/client/clamavdeb"
  [clamav]="https://pubapi.hmxpr.com/client/clamav"
  [clamconf]="https://pubapi.hmxpr.com/conf/clamav"
  [audit_rules]="https://pubapi.hmxpr.com/conf/audit"
  [audit]="https://pubapi.hmxpr.com/client/audit"
  [lib]="https://pubapi.hmxpr.com/client/lib"
  [tools]="https://pubapi.hmxpr.com/client/"
  )
# Initialize variables for command line arguments
WAZUH_MANAGER=""
WAZUH_AGENT_GROUP="default"
INSTALL_WAZUH=false
INSTALL_CLAMAV=false
INSTALL_AUDIT=false
# Function to display usage information
usage() {
    echo "Usage: $θ [-w] [-c] [-a] [-m MANAGER_ADDRESS] [-g AGENT_GROUP]"
    echo "-w: Install Wazuh"
    echo "-c: Install ClamAV"
    echo "-a: Install audit"
    echo "-m MANAGER_ADDRESS: Specify Wazuh manager address"
    echo "-g AGENT_GROUP: Specify Wazuh agent group"
    echo "-h: Display this help message"
    exit 1
    }
# Parse command line arguments
while getopts ":wcam:g:h" opt; do
  case ${opt} in
    w) INSTALL_WAZUH=true ;;
    c) INSTALL_CLAMAV=true ;;
    a) INSTALL_AUDIT=true ;;
    m) WAZUH_MANAGER=$OPTARG ;;
    g) WAZUH_AGENT_GROUP=$OPTARG ;;
    h) usage ;;
    \?) echo "Invalid option: $OPTARG" 1>&2; usage ;;
    :) echo "Invalid option: $OPTARG requires an argument" 1>&2; usage ;;
    esac
done
shift $((OPTIND - 1))
# Helper functions
download_file(){
  local url="$1"
  local output_file="$2"
  if command -v wget &> /dev/null; then
    wget -0 "$output_file" "$url" || return 1
  elif command -v curl &> /dev/null; then
    curl -k -o "$ output_file" "$url" || return 1
  elif command -v fetch &> /dev/null; then
    fetch -o "$ output_file" "$url" || return 1
  else
    echo "Error: No suitable download tool found. Please install wget, curl, or fetch. "
    exit 1
  fi
}
ensure_download_tool() {
  for tool in wget unzip; do
    if ! command -v "$tool" > /dev/null 2>&1; then
      echo "Installing $tool…"
      if [[ -f /etc/os-release ]]; then
        ./etc/os-release
        case "$ID" in
          ubuntu|debian)
            case "${VERSION_ID}" in
              20.04|22.04|24.04)
                download_file "${urls[tools]}${tool}${VERSION_ID/./}" "${tool}.deb"
                dpkg -i "${tool}.deb" || {echo "$tool install failed"; exit 1; }
                rm - fr "${tool}.deb"
            ;;
              *)
                echo "不支持的 Ubuntu 版本: $VERSION_ID"
                exit 1
            ;;
            esac
        ;;
          centos|rhel|fedora|amzn)
            download_file "${urls[tools]}${tool}c7" "${tool}.rpm"
            rpm -ivh ${tool}.rpm
        ;;
          rocky)
            download_file "${urls[tools]}${tool}r9" "${tool}.rpm"
            rpm -ivh ${tool}.rpm
        ;;
        esac
    rm - fr ${tool}.*
    else
      echo "Unable to determine OS version"
      exit 1
      fi
    fi
  done
}
check_software_installed() {
  if [[ -f /etc/os-release ]]; then
    ./etc/os-release
    case "$ID" in
      ubuntu|debian) dpkg -s "$1" &> /dev/null ;;
      centos|rocky|rhel|fedora|amzn) rpm -q "$1" &> /dev/null ;;
      *) echo "Unsupported OS: $ID"; exit 1 ;;
    esac
  else
    echo "Unable to determine OS type"
    exit 1
  fi
}
get_user_choice() {
  if [[ $INSTALL_WAZUH == false && $INSTALL_CLAMAV == false && $INSTALL_AUDIT == false ]]; then
    echo "Select software to install (comma-separated):"
    for i in "${!software_list[@]}"; do
      echo"$((i+1)). ${software_list[$i]}"
    done
    read -p "Enter numbers: " choices_raw
    IFS=',' read -ra choices_array <<< "$choices_raw"
    selected_software=()
    for choice in "${choices_array[@]}"; do
      selected_software+=("${software_list[$((choice-1))]}")
    done
    echo "Selected: ${selected_software[*]}"
  else
    selected_software=()
    $INSTALL_WAZUH && selected_software+=("Wazuh")
    $INSTALL_CLAMAV && selected_software+=("ClamAV")
    $INSTALL_AUDIT && selected_software+=("audit")
    echo "Selected from command line: ${selected_software[*]}"
  fi
}
install_wazuh() {
  local pkg="wazuh-agent"
  if check_software_installed "$pkg"; then
    read -p "$pkg already installed. Reinstall? (y/n): " confirm
    if [[ "$confirm" != "y" ]]; then
      echo "Skipping Wazuh installation."
      return
    fi
    echo "Removing existing Wazuh installation..."
    ./etc/os-release
    case"$ID" in
      ubuntu|debian)
        dpkg --purge wazuh-agent
      ;;
      centos|rocky|rhel|fedora|amzn)
        rpm -e wazuh-agent
      ;;
      *)
        echo "Unsupported OS for Wazuh removal: $ID"
        exit 1
      ;;
    esac
    echo "Existing Wazuh installation removed. "
  fi
  if [[ -z $WAZUH_MANAGER ]]; then
    read -p " Enter manager address: " WAZUH_MANAGER
    read -p " Enter agent group: " WAZUH_AGENT_GROUP
    read -p " Confirm manager: $WAZUH_MANAGER, group: $WAZUH_AGENT_GROUP (y/n): " confirm
    [[ "$confirm" != "y" ]] && return
  fi
  ./etc/os-release
  case "$ID" in
    ubuntu|debian)
      download_file "${urls[wazuhdeb]}" "wazuh-agent.deb"
      WAZUH_MANAGER=$WAZUH_MANAGER WAZUH_AGENT_GROUP=$WAZUH_AGENT_GROUP dpkg -i wazuh-agent.deb
    ;;
    centosIrocky|rhel|fedora|amzn)
      download_file "${urls[wazuh]}" " wazuh-agent.rpm"
      WAZUH_MANAGER=$WAZUH_MANAGER WAZUH_AGENT_GROUP=$WAZUH_AGENT_GROUP rpm -ivh wazuh-agent.rpm
    ;;
  esac
  echo -e"wazuh_command.remote_commands=1\nlogcollector.remote_commands=1" >> /var/ossec/etc/local_internal_options.conf
  download_file "${urls[wazuhaudit]}" "editrule.sh"
  yes|mv editrule.sh /var/ossec/active-response/bin/
  chown -R root:wazuh /var/ossec/active-response/bin/editrule.sh
  chmod 750 /var/ossec/active-response/bin/editrule.sh
  systemctl daemon-reload
  systemctl enable --now wazuh-agent
  if check_software_installed jq; then
    echo "jq is already installed."
  else
    ./etc/os-release
    case "$ID" in
      ubuntu|debian)
        download_file "${urls[jq]}${VERSION_ID/./}" "jj${VERSION_ID/./}.zip"
        case "${VERSION_ID}" in
          20.04)
            unzip jq2004.zip
            dpkg -i libonig5_6.9.4-1_amd64.deb
            dpkg -i libjq1_1.6-1_amd64.deb
            dpkg -i jq_1.6-1_amd64.deb
          ;;
          22.04)
            unzip jq2204.zip
            dpkg -i libonig5_6.9.7.1-2build1_amd64.deb
            dpkg -i libjq1_1.6-2.1ubuntu3_amd64.deb
            dpkg -i jq_1.6-2.1ubuntu3_amd64.deb
          ;;
          24.04)
            unzip jq2404.zip
            dpkg -i libonig5_6.9.9-1build1_amd64.deb
            dpkg -i libjq1_1.7.1-3build1_amd64.deb
            dpkg -i jq_1.7.1-3build1_amd64.deb
          ;;
        esac
      ;;
      centos|rhel|fedora|amzn)
        download_file "${urls[jq]}c7" "jq.zip"
        unzip jq.zip
        rpm -ivh oniguruma-6.8.2-2.el7.x86_64.rpm
        rpm -ivh jq-1.6-2.el7.x86_64.rpm
      ;;
      rocky)
        download_file "${urls[jq]}c9" "jq.rpm"
        rpm -ivh jq.rpm
      ;;
      *)
        echo "Unsupported OS for jq removal: $ID"
        exit 1
      ;;
    esac
  fi
  echo "Wazuh installed successfully"
  rm -fr wazuh-agent.*
  rm -fr oniguruma-6.8.2-2.el7.x86_64.rpm
  rm -fr lib*
  rm -fr jq*
}
install_clamav() {
  local pkg="clamav"
  if check_software_installed "$pkg"; then
  read -p "$pkg already installed. Reinstall? (y/n): " confirm
    if [[ "$confirm" != "y" ]]: then
      echo "Skipping $pkg installation. "
      return
    fi
    echo "Removing existing $pkg installation... "
    ./etc/os-release
    case "$ID" in
      ubuntu|debian)
        dpkg --purge $pkg
      ;;
      centos|rocky|rhel|fedora|amzn)
        rpm -e $pkg
      ;;
      *)
        echo "Unsupported OS for $pkg removal: $ID"
        exit 1
      ;;
    esac
    echo "Existing $pkg installation removed. "
  fi
  ./etc/os-release
  case "$ID" in
    ubuntu|debian)
      download_file "${urls[clamavdeb]}" "clamav.deb"
      dpkg -i clamav.deb
    ;;
    centos|rocky|rhel|fedora|amzn)
      download_file "${urls[clamav]}" "clamav.rpm"
      rpm -ivh clamav.rpm
    ;;
    *)
      echo "Error! Can't detect the OS Version!"
      exit 1
    ;;
  esac
  download_file "${urls[clamconf]}" "clamav.zip"
  unzip clamav.zip
  yes|mv clamd.conf /usr/local/etc/
  yes|mv freshclam.conf /usr/local/etc/
  yes|mv clamd.service /etc/systemd/system/
  getent group clamav > /dev/null || groupadd clamav
  id -u clamav > /dev/null 2>&1 || useradd -g clamav clamav
  if [[ ! -d /usr/local/clamav ]]; then
    mkdir -p /usr/local/clamav
    chown clamav:clamav /usr/local/clamav
  fi
  for log_file in /var/log/freshclam.log /var/log/clamav.log; do
    if [[ ! -f $log_file ]]; then
      touch $log_file
      chmod 644 $log_file
      chown clamav:clamav $log_file
    else
      chmod 644 $log_file
      chown clamav:clamav $log_file
    fi
  done
  /usr/local/bin/freshclam
  echo "pls wait for few seconds"
  sleep 10
  systemctl daemon-reload
  systemctl enable clamd
  systemctl restart clamd
  echo "$pkg installed and configured"
  CRON_JOB="0 12 * * * /usr/local/bin/freshclam --quiet"
  EXISTING_CRONTAB=$(crontab - l 2>/dev/null)
  if echo "$EXISTING_CRONTAB" |grep - Fq "$CRON_JOB"; then
    echo "cron 任务已存在, 无需添加。"
    exit θ
  fi
  (echo "$EXISTING_CRONTAB"; echo "$CRON_JOB") | crontab -
  if crontab -l |grep -Fq "$CRON_JOB"; then
    echo "cron 任务成功添加。"
  else
    echo "添加 cron 任务失败。" 1>&2
    exit 1
  fi
  rm -fr clamav.*
}
  install_audit() {
    download_file "${urls[audit_rules]}" "audit.rules"
    local pkg="auditd"
    if check_software_installed "$pkg"; then
      read -p "$pkg already installed. Reinstall? (y/n): " confirm
      if [[ "$confirm" != "y" ]]; then
        echo "Skipping audit installation. "
        return
      fi
      echo "Removing existing audit installation... "
      ./etc/os-release
      case "$ID" in
        ubuntu|debian)
          dpkg --purge $pkg
          echo "Existing $pkg installation removed. "
          download_file "${urls[audit]}${VERSION_ID/./}" "audit.deb"
          download_file "${urls[lib]}${VERSION_ID/./}" "libauparseθ.deb"
          dpkg -i libauparse0.deb audit.deb
          if [[ ! -d /etc/audit/rules.d ]]; then
            mkdir -p /etc/audit/rules.d
          fi
          yes|mv audit.rules/etc/audit/rules.d/
          sed -i 's/^#?RestartPreventExitStatus=.*/RestartPreventExitStatus=255/' /usr/lib/system/system/auditd.service
          systemctl daemon-reload
          systemctl enable --now auditd
        ;;
        centos|rocky|rhel|fedora|amzn)
          echo "Audit don't need to re-installed on CentOS/RHEL/Fedora. "
          output=$(systemctl status audit d 2>&1)
          if echo "$output" |grep -q "Warning: Journal has been rotated since unit was started. Log output isincomplete or unavailable."; then
            echo "检测到 auditd服务异常,尝试修复。。。。"
            sed -i 's/RefuseManualStop=yes/RefuseManualStop=no/' /usr/lib/systemd/system/auditd.service
            systemctl daemon-reload
            systemctl restart auditd
            sed -i 's/RefuseManualStop=no/RefuseManualStop=yes/' /usr/lib/systemd/system/auditd.service
            systemctl daemon-reload
            echo "auditd服务修复完成, 请检查日志"
          else
            echo "audit服务正常,继续下一步"
          fi
        ;;
      esac
    fi
    yes|mv audit.rules /etc/audit/rules.d/augenrules --load
    echo "Audit installed and configured"
    rm -fr audit.deb
    rm -fr libauparse0.deb
}
# Main program
ensure_download_tool
get_user_choice
for software in "${selected_software[@]}"; do
  case $software in
    "Wazuh")
      install_wazuh 
    ;;
    "ClamAV")
      install_clamav
    ;;
    "audit")
      install_audit
    ;;
  esac
done

收集linux上软件安装信息

收集linux上软件安装信息

收集linux上软件安装信息 需要用到pubapi来写入数据库 由于wazuh有同样的功能可以替代,故本脚本只做技术储备

#!/bin/bash
softwarelist=$(rpm -qa --qf "%{NAME} % {VERSION}\\n")
computerName=$(hostname)
ipAddress=$(hostname -I | cut -d' ' -f1)
osVersionFull=$(cat /etc/redhat-release)
osName=$(echo $osVersionFull | cut -d" " - f1)
osVersion=$(echo $osVersionFull | cut -d" " -f4)
date=$(date +%Y%m%d)
#之前是本地生成csv文件再手工发回给安全人员,现在不需要了,所以注释掉
#fileName="$computerName-$ipAddress-$date.csv"
csvFile="./$fileName"
#测试的时候可以调整这个数值,保留是因为服务端是flask写的,怕量太大崩掉
DELAY=$((1 + RANDOM %1200))
echo "Delaying for $DELAY seconds"
sleep $DELAY
# echo"$osName,$osVersion" > $csvFile
rpm -qa --queryformat '%{NAME} %{VERSION}\n' |sort |grep -v "^acl" |grep -v "^acpid" |grep -v "^ad" | grep - v "^xorg" |grep -v "^yajl" |grep -v "^yajl" |grep -v "^zbar" |grep -v "^zeromq3" |grep -v "^zip" |while read line
do
  echo $line
  software=$(echo $line |awk '{print $1}')
  version=$(echo $line |awk '{print $2}')
  #将软件名和版本写入CSV文件
  #echo"$ software,$ version" >> $csvFile
  #创建一个JSON对象
  json=$(
    jq -n \
      --arg ip "$ipAddress" \n
      --arg hn "$computerName" \n
      --arg os "$osName" \n
      --arg ov "$osVersion" \n
      --arg sw "$software" \n
      --arg ver "$version" \n
      '{ip: $ ip, hostname: $ hn, osname: $ os, osversion: $ ov, software: $ sw, version: $ ver}')
  curl -k -X POST -H "Content-Type:application/json" -d "$json"  https//<server>/insert
done