-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinstall.sh
executable file
·296 lines (253 loc) · 9.07 KB
/
install.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
#!/bin/bash
# Function to check if the script is being run as root
checkSudo() {
if [ "$EUID" -ne 0 ]; then
echo -e "\033[31m✘ This script must be run as sudo. Please use sudo <your command>.\033[0m"
exit 1
else
echo -e "\033[32m✔ Running with sudo.\033[0m"
fi
}
# Code to execute when the script is run directly
checkSudo
set -ex # Exit immediately if a command exits with a non-zero status
function export_script_variables() {
local output_file="script_vars.env"
echo "Exporting script variables to $output_file..."
# Empty (or create) the output file
: > "$output_file"
# Iterate over all variables known to the shell
for var in $(compgen -v); do
# Skip some built-in or special Bash variables
if [[ ! "$var" =~ ^(BASH_|EUID|UID|PPID|LINENO|FUNCNAME|GROUPS|_|PWD|OLDPWD)$ ]]; then
# Write each variable in the form: export VAR="value"
echo "export $var=\"${!var}\"" >> "$output_file"
fi
done
chmod 600 script_vars.env
echo "Done. You can 'source $output_file' to re-import these variables."
}
export_script_variables
# Set up timestamps and log file paths
TIMESTAMP="$(date +"%Y-%m-%d_%H-%M-%S")"
USER_HOSTNAME_STAMP="$(hostname)_$(whoami)"
STAMP="${TIMESTAMP}_${USER_HOSTNAME_STAMP}"
CYBERMONKEY_LOG_DIR="${CYBERMONKEY_LOG_DIR:-/var/log/cyberMonkey}"
mkdir -p "$CYBERMONKEY_LOG_DIR"
EOS_LOG_FILE="${CYBERMONKEY_LOG_DIR}/eos.log"
# Colors for pretty output
GREEN="\033[0;32m"
RED="\033[0;31m"
RESET="\033[0m"
# Redirect all output (stdout and stderr) to the log file
exec > >(tee -a "$EOS_LOG_FILE") 2>&1
# Log script start with timestamp
echo -e "${RED} === Script started at $STAMP === ${RESET}"
# Variables for binary download
SYSTEM_USER="eos_user"
SYSTEM_GROUP="eos_group"
EOS_VERSION="v1.0.0"
OS="$(uname | tr '[:upper:]' '[:lower:]')"
ARCH="$(uname -m)"
INSTALLER_DIR="/opt/eos"
groupadd "$SYSTEM_GROUP"
read -p "What is your main user account?: " MAIN_USER
usermod -aG "$SYSTEM_GROUP" "$MAIN_USER"
usermod -aG "$SYSTEM_GROUP" "$SYSTEM_USER"
chown -R :"$SYSTEM_GROUP" "$INSTALLER_DIR"
chmod -R 774 "$INSTALLER_DIR"
chmod g+s "$INSTALLER_DIR"
# Download binary
echo -e "${GREEN}Downloading Eos binary...${RESET}"
curl -L -o eos "https://github.com/CodeMonkeyCybersecurity/eos/releases/download/$EOS_VERSION/eos-$OS-$ARCH"
chmod +x eos
mv eos /usr/local/bin/
echo -e "${GREEN}Eos binary installed successfully.${RESET}"
# Configuration Variables
DB_NAME="eos_db"
DB_USER="$SYSTEM_USER"
DB_HOST="localhost"
DB_PORT="5432"
PSQL_VERSION="16"
# Path to default.yaml
CONFIG_DIR="./config"
DEFAULT_YAML="${CONFIG_DIR}/default.yaml"
# Ensure the config directory exists
if [ ! -d "$CONFIG_DIR" ]; then
echo "Error: Config directory $CONFIG_DIR does not exist."
exit 1
fi
# Write variables to default.yaml
cat > "$DEFAULT_YAML" <<EOL
database:
name: "$DB_NAME"
user: "$DB_USER"
host: "$DB_HOST"
port: "$DB_PORT"
version: "$PSQL_VERSION"
logs:
directory: "$CYBERMONKEY_LOG_DIR"
file: "$EOS_LOG_FILE"
EOL
echo "Updated $DEFAULT_YAML with configuration variables."
# Create a new system user for Eos with sudo permission limitation
# Create a new system user for Eos with sudo permission limitation
function create_eos_system_user() {
echo -e "${GREEN}Creating system user ${SYSTEM_USER}...${RESET}"
if id "$SYSTEM_USER" &>/dev/null; then
echo -e "${GREEN}System user ${SYSTEM_USER} already exists.${RESET}"
else
# Create the user with a default shell and no password
useradd -m -s /usr/sbin/nologin ${SYSTEM_USER}
echo -e "${GREEN}System user ${SYSTEM_USER} created successfully.${RESET}"
# Prompt for the password
echo -e "${GREEN}Please set a password for ${SYSTEM_USER}:${RESET}"
passwd ${SYSTEM_USER}
fi
# Add user to sudoers if needed
SUDOERS_FILE="/etc/sudoers.d/${SYSTEM_USER}"
if [ ! -f "$SUDOERS_FILE" ]; then
echo -e "${GREEN}Adding ${SYSTEM_USER} to the sudoers file with limitations...${RESET}"
echo "ALL ALL=(${SYSTEM_USER}) NOPASSWD: /usr/local/bin/eos" | tee "$SUDOERS_FILE" > /dev/null
chmod 440 "$SUDOERS_FILE"
echo -e "${GREEN}${SYSTEM_USER} added to the sudoers file with limited permissions.${RESET}"
else
echo -e "${GREEN}${SYSTEM_USER} is already in the sudoers file.${RESET}"
fi
}
create_eos_system_user
function setup_ssh_key() {
echo -e "${GREEN}Setting up SSH key-based authentication...${RESET}"
SSH_KEY_DIR="/home/$SYSTEM_USER/.ssh"
SSH_KEY_FILE="$SSH_KEY_DIR/id_ed25519"
sudo -u "$SYSTEM_USER" bash <<EOF
mkdir -p "$SSH_KEY_DIR"
chmod 700 "$SSH_KEY_DIR"
if [ ! -f "$SSH_KEY_FILE" ]; then
ssh-keygen -t ed25519 -f "$SSH_KEY_FILE" -N ""
chmod 600 "$SSH_KEY_FILE"
chmod 644 "$SSH_KEY_FILE.pub"
else
echo "SSH key already exists at $SSH_KEY_FILE"
fi
EOF
}
# Add a new PostgreSQL user for the Eos app
function create_eos_db_user() {
echo -e "${GREEN}Creating $DB_USER in PostgreSQL...${RESET}"
# **IMPORTANT**: any psql command as $DB_USER must be run as the system user too
sudo -u postgres psql <<EOF
DO \$\$
BEGIN
IF NOT EXISTS (
SELECT FROM pg_catalog.pg_roles WHERE rolname = '${DB_USER}'
) THEN
CREATE ROLE ${DB_USER} WITH LOGIN;
END IF;
END
\$\$;
EOF
if [ $? -eq 0 ]; then
echo -e "${GREEN}Successfully created or ensured existence of eos_user.${RESET}"
else
echo -e "${RED}Error: Failed to create or check eos_user.${RESET}"
exit 1
fi
}
# Configure peer authentication for eos_user
function configure_peer_authentication() {
local PG_HBA_CONF="/etc/postgresql/${PSQL_VERSION}/main/pg_hba.conf"
echo -e "${GREEN}Updating permissions for $PG_HBA_CONF...${RESET}"
chmod 644 "$PG_HBA_CONF"
# Possibly update peer auth here
chmod 640 "$PG_HBA_CONF"
local PEER_AUTH_ENTRY="local ${DB_NAME} ${SYSTEM_USER} peer
local all ${SYSTEM_USER} reject"
if ! grep -qF "$PEER_AUTH_ENTRY" "$PG_HBA_CONF"; then
echo -e "${GREEN}Adding peer authentication for ${SYSTEM_USER} to pg_hba.conf...${RESET}"
echo "$PEER_AUTH_ENTRY" | tee -a "$PG_HBA_CONF" > /dev/null
echo -e "${GREEN}Peer authentication entry added.${RESET}"
else
echo -e "${GREEN}Peer authentication for ${SYSTEM_USER} is already configured.${RESET}"
fi
echo -e "${GREEN}Restarting PostgreSQL to apply changes...${RESET}"
systemctl restart postgresql
}
function check_prerequisites() {
echo -e "${GREEN}Checking prerequisites...${RESET}"
if ! command -v go &>/dev/null; then
echo -e "${RED}Error: Go is not installed. Please install Go first.${RESET}"
exit 1
fi
if ! command -v psql &>/dev/null; then
echo -e "${RED}Error: PostgreSQL is not installed. Please install PostgreSQL first.${RESET}"
exit 1
fi
}
# Step 2: Install Go PostgreSQL Driver
function install_go_driver() {
echo -e "${GREEN}Installing Go PostgreSQL driver...${RESET}"
go get github.com/lib/pq
echo -e "${GREEN}Go PostgreSQL driver installed successfully.${RESET}"
}
# Step 3: Setup PostgreSQL Database peer authentication
function setup_eos_db() {
sudo -u postgres psql <<EOF
DO \$\$
BEGIN
IF NOT EXISTS (
SELECT FROM pg_database WHERE datname = '${DB_NAME}'
) THEN
CREATE DATABASE ${DB_NAME} OWNER ${DB_USER};
END IF;
END
\$\$;
EOF
echo -e "${GREEN}PostgreSQL database setup complete.${RESET}"
# Grant privileges to eos_user on the public schema
sudo -u postgres psql -d "$DB_NAME" <<EOF
GRANT ALL ON SCHEMA public TO ${DB_USER};
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO ${DB_USER};
GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO ${DB_USER};
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON TABLES TO ${DB_USER};
ALTER DEFAULT PRIVILEGES IN SCHEMA public
GRANT ALL PRIVILEGES ON SEQUENCES TO ${DB_USER};
EOF
# Create required tables
sudo -u "$DB_USER" psql -d "$DB_NAME" <<EOF
CREATE TABLE IF NOT EXISTS logs (
id SERIAL PRIMARY KEY,
timestamp TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
level VARCHAR(10),
message TEXT
);
CREATE TABLE IF NOT EXISTS configurations (
id SERIAL PRIMARY KEY,
key VARCHAR(255) UNIQUE NOT NULL,
value TEXT NOT NULL
);
EOF
if [ $? -ne 0 ]; then
echo -e "${RED}Error: Failed to create tables in eos_db.${RESET}"
exit 1
fi
echo -e "${GREEN}Schema setup complete.${RESET}"
}
function main() {
check_prerequisites
setup_ssh_key
create_eos_system_user
create_eos_db_user
configure_peer_authentication
install_go_driver
setup_eos_db
echo -e "${GREEN}Setup complete! Use 'eos' as needed.${RESET}"
}
main
chown -R :"$SYSTEM_GROUP" "$INSTALLER_DIR"
chown -R :"$SYSTEM_GROUP" "$CYBERMONKEY_LOG_DIR" # Change the ownership of the /var/log/cyberMonkey directory to eos_user. This will allow eos_user to write to the directory and manage the log files.
ls -ld "$CYBERMONKEY_LOG_DIR" # Verify the ownership:
ls -ld "$INSTALLER_DIR"
reboot
set +x