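#!/bin/sh
# Atomic Secured Linux
# Copyright Atomicorp, 2007-2013
# Summary: Atomic Secured Linux installer
# Name: asl
# License: Commercial. Unauthorized redistribution prohibited.
#
# Usage (the script refuses to run any other way, see the $0 check below):
#   wget -q -O - http://www.atomicorp.com/installers/asl | sh
#
# Must run as root.  Interactive answers are read straight from the
# controlling TTY ($INSTALL_TTY) because stdin carries the script itself.
# A transcript is appended to $LOG.
#
# NOTE: the shebang is /bin/sh but the script uses bash features (arrays,
# `read -s`, PIPESTATUS, `source`, `local`); it relies on /bin/sh being bash,
# which is the case on the EL5/EL6 platforms detected below.
#
# Side effects a reviewer should know about before running this:
#   * SELinux is switched to permissive and disabled in /etc/sysconfig/selinux.
#   * The subscription username and password are written in clear text into
#     the mirrorlist files under /etc/asl (made root-only below) and into
#     /etc/asl/config.
#   * The full process environment is dumped into $LOG for support purposes,
#     so $LOG is kept root-only.
#   * Package signing keys are downloaded and installed as the trust root for
#     gpgcheck=1, so they are fetched over TLS and a failed download aborts.

INSTALLER_VER=4.8.5
SERVER=www.atomicorp.com
ARCH=$(uname -i)
GET=/usr/bin/wget
SOURCEINSTALL=0
ROOT_UID="0"
LOG=/tmp/tortix-install.log
DATE=$(date +%Y%m%d-%H:%M)
export LANG=C

# Files for source installs
MODSEC=mod_security-latest.src.rpm

# Check if run as root ($UID is provided by bash).
if [ "$UID" -ne "$ROOT_UID" ]; then
  echo "ERROR: You must be root to run this program."
  exit 1
fi

# The installer expects to be piped into sh; $0 is then literally "sh".
if [ "$0" != "sh" ]; then
  echo "ERROR: This program cannot be run locally. Please try again with:"
  echo " wget -q -O - http://www.atomicorp.com/installers/asl |sh"
  exit 1
fi

# Logging.  $LOG lives in the shared /tmp and we run as root: refuse to follow
# a pre-existing symlink, and keep the transcript root-only because the
# environment dump below and later output can contain sensitive values.
if [ -L "$LOG" ]; then
  echo "ERROR: $LOG is a symbolic link, refusing to write the install log there."
  exit 1
fi
( umask 077; : >> "$LOG" )
chmod 600 "$LOG"
echo "Tortix install begin: $DATE" >> "$LOG"

# Prompts are answered on the TTY directly: stdin is the piped script.
if [ -z "$SSH_TTY" ]; then
  INSTALL_TTY="/dev/$(ps -p$$ --no-heading | awk '{print $2}')"
else
  INSTALL_TTY=$SSH_TTY
fi

echo "Environment" >> "$LOG"
env >> "$LOG"

#######################################
# Install the ASL kernel, or decide to skip it.
# Globals:   SKIP_KERNEL (written; 1 = kernel skipped), K_TYPE (written),
#            INPUTTEXT, RESTORE_UPDATEDEFAULT (written), ARCH, LOG, INSTALL_TTY
# Arguments: none
# Returns:   0; the outcome is reported through SKIP_KERNEL
# The kernel is skipped when /skipkernel exists, on trixbox, inside an
# OpenVZ container, without /boot/grub/menu.lst or /sbin/grub, and when the
# user declines.  Each skip path returns immediately (the original used
# `break` outside a loop, which bash ignores, so /skipkernel was not honored).
#######################################
kernel_install() {
  # Default to installing; every skip path sets 1 and returns.
  SKIP_KERNEL=0

  # Forced skip by marker file.
  if [ -f /skipkernel ]; then
    echo "Forced skip of the kernel installation. " | tee -a "$LOG"
    SKIP_KERNEL=1
    return 0
  fi

  # If this is a trixbox environment, we skip the kernel.
  if rpm --quiet -q trixbox; then
    SKIP_KERNEL=1
    return 0
  fi

  # VPS detection (OpenVZ/Virtuozzo container, no kernel of its own).
  if [ -f /proc/vz/veinfo ]; then
    SKIP_KERNEL=1
    return 0
  fi

  # Minor detection event for EC2 clouds that use very silly configurations.
  if [ ! -f /boot/grub/menu.lst ]; then
    echo "/boot/grub/menu.lst not detected..." | tee -a "$LOG"
    SKIP_KERNEL=1
    return 0
  fi

  echo
  echo
  if [ ! -f /sbin/grub ]; then
    echo " ERROR: /sbin/grub was not detected." | tee -a "$LOG"
    echo " Kernel can not be installed. Hit any key to continue." | tee -a "$LOG"
    read -r INPUTTEXT < "$INSTALL_TTY"
    SKIP_KERNEL=1
    return 0
  fi

  echo
  echo "The ASL kernel includes extensive advanced security features including"
  echo " * Real-time malware detection"
  echo " * Active kernel intrusion prevention"
  echo " * Advanced firewall capabilities"
  echo
  echo
  check_input "Install the ASL kernel? (yes/no) [Default: yes]" "yes|no" "yes"
  if [ "$INPUTTEXT" = "no" ]; then
    SKIP_KERNEL=1
    return 0
  fi

  # Xen guests need the xen kernel channel.
  if [ -d /proc/xen ] || [ -d /proc/sys/xen ]; then
    echo
    echo "Xen Detected..."
    echo
    echo "Please note, installation of xen kernels can "
    echo "only be supported through package management (RPM)."
    echo "Non-package managed environments are not supported."
    echo
    check_input "Do you understand that only package managed environments can be supported? (yes/no) [Default: yes]" "yes|no" "yes"
    echo
    if [ "$INPUTTEXT" = "no" ]; then
      echo "skipping kernel installation."
      SKIP_KERNEL=1
      return 0
    fi
    sleep 10
    echo
    K_TYPE="--enablerepo=tortix-kernel-xen"
  else
    K_TYPE="--enablerepo=tortix-kernel"
  fi
  echo
  echo

  # real kernel installation starts here
  if [ -f /etc/sysconfig/kernel ]; then
    source /etc/sysconfig/kernel
    echo
    echo "Attempting ASL kernel installation " | tee -a "$LOG"
    echo
    # UPDATEDEFAULT=yes would make the new kernel the default entry; it is
    # turned off so the ASL kernel boots in test mode first (grub --batch below).
    if [ "$UPDATEDEFAULT" = "yes" ]; then
      echo " Disabling UPDATEDEFAULT in /etc/sysconfig/kernel temporarily" | tee -a "$LOG"
      perl -p -i -e "s/UPDATEDEFAULT.*/UPDATEDEFAULT=no/" /etc/sysconfig/kernel
      RESTORE_UPDATEDEFAULT=1
    fi
    echo " Attempting to install ASL kernel"
    if [ "$ARCH" = "x86_64" ]; then
      rpm --quiet -q kernel && yum "$K_TYPE" -y update kernel | tee -a "$LOG"
      yum "$K_TYPE" -y install xtables-addons kmod-dazuko | tee -a "$LOG"
    else
      rpm --quiet -q kernel-PAE && yum "$K_TYPE" -y update kernel-PAE | tee -a "$LOG"
      rpm --quiet -q kernel.i686 && yum "$K_TYPE" -y install kernel-PAE | tee -a "$LOG"
      yum "$K_TYPE" --disablerepo=asl-3.0 -y install xtables-addons kmod-dazuko-PAE | tee -a "$LOG"
    fi
    echo " Configuring ASL kernel to boot in test mode." | tee -a "$LOG"
    /sbin/grub --batch < /asl-install-network-info
    cat /asl-install-network-info >> "$LOG"
  else
    # NOTE(review): this branch leaves SKIP_KERNEL=0, so the firstboot flag
    # below is still set and the reboot prompt still shown although nothing
    # was installed; confirm whether SKIP_KERNEL=1 is intended here.
    echo "Standard server environment not detected, likely this is a Virtual server. Skipping ASL kernel installation.." | tee -a "$LOG"
  fi

  if [ "$SKIP_KERNEL" -lt 1 ]; then
    # set the ASL firstboot flag
    perl -p -i -e "s/ASL_FIRSTBOOT.*/ASL_FIRSTBOOT=yes/" /etc/sysconfig/asl-firstboot
  fi
}
# End kernel install

#######################################
# Abort the install if a filesystem has less free space than required.
# Globals:   LOG (appended)
# Arguments: $1 - a path on the filesystem to check
#            $2 - minimum free space in MB
# Outputs:   free space figure to $LOG; error text to stdout
# Returns:   0 when enough space is free; exits 1 otherwise
#######################################
freespace_check() {
  local filesystem=$1
  local minimum=$2
  local -a sizes
  local frees freesmb

  # %a = free blocks available to unprivileged users, %S = block size.
  sizes=($(stat -L -f -c "%a %S" "$filesystem"))
  # stat failing (path missing, unsupported fs) would otherwise produce an
  # arithmetic error instead of a readable message.
  if [ "${#sizes[@]}" -ne 2 ]; then
    echo " Error: could not determine free space on $filesystem"
    exit 1
  fi
  frees=$((sizes[0] * sizes[1]))
  freesmb=$((frees / 1024 / 1024))
  echo "Freespace on $filesystem is: $freesmb" >> "$LOG"
  if [ "$freesmb" -lt "$minimum" ]; then
    echo " Error: in order to complete installation $filesystem will need at least $minimum MB free."
    echo " Currently: $freesmb MB free"
    exit 1
  fi
}

#######################################
# Prompt on the TTY until a valid answer is given.
# Globals:   INPUTTEXT (written with the answer), INSTALL_TTY
# Arguments: $1 - the message to prompt with
#            $2 - egrep alternation of valid answers, e.g. "yes|no"
#            $3 - default used when the user just hits enter ("" = no default)
# Returns:   0 once INPUTTEXT holds a valid answer
# Example:   check_input "Some question (yes/no) " "yes|no" "yes"
# The answer must match one of the alternatives exactly (anchored), so
# "yes please" is re-prompted instead of silently being treated as "yes".
#######################################
check_input() {
  local message=$1
  local validate=$2
  local default=$3

  while true; do
    echo -n "$message "
    read -r INPUTTEXT < "$INSTALL_TTY"
    if [ -z "$INPUTTEXT" ] && [ -n "$default" ]; then
      INPUTTEXT=$default
      return 0
    fi
    # printf rather than echo: an answer such as "-n" must not be parsed as
    # an echo option.
    printf '%s\n' "$INPUTTEXT" | egrep -q "^($validate)$" && return 0
    echo "Invalid input"
  done
}

#######################################
# Test for a valid alpha numeric string.
# Arguments: $1 - string to test
# Returns:   0 if $1 is non-empty and contains only [[:alnum:]], else 1
# This is the only guard on the password before it is interpolated into a
# perl substitution and into the mirrorlist URLs, so keep it strict.
#######################################
isValid() {
  printf '%s\n' "$1" | egrep -q '^[[:alnum:]]+$'
}

#######################################
# Post asl web: tell the user where the ASL Web UI listens.
# Globals:   INSTALL_TTY
# Arguments: none
# Outputs:   instructions to stdout; waits for a key press
#######################################
post_asl_web() {
  local ipaddress
  # First non-loopback IPv4 address on the box.
  ipaddress=$(/sbin/ip addr | grep -v 'inet6' | grep -v '127\.[0-9]*\.[0-9]*\.[0-9]*' | sed -n -e 's/^ *inet \([0-9\.]*\).*$/\1/ p' | head -1)
  echo
  echo "ASL Web installation is complete."
  echo
  echo "To access ASL Web, point your browser to https://$ipaddress:30000 to log in."
  echo
  echo "Hit any key to continue"
  read -r _ < "$INSTALL_TTY"
}

#######################################
# Post asl install actions: seed /etc/asl, write credentials to the ASL
# config, run the first update/fix cycle, install the kernel, optionally
# start a background malware scan.
# Globals:   USERNAME, PASSWORD, INPUTTEXT, SKIP_KERNEL (via kernel_install), LOG
# Arguments: none
# Note: the caller runs this through `| tee`, i.e. in a subshell, so the
# `exit` calls below end this function only; the main script continues with
# the tortix-release step afterwards.
#######################################
post_asl_install() {
  local count

  # Print out that the ASL repo is set up
  echo
  echo
  echo "The Atomic Secured Linux archive has now been installed and configured for your system"
  echo "The following channels are available:"
  echo " asl-3.0 - [ENABLED] - contains ASL 3.0 packages"
  echo " asl-3.0-testing - [DISABLED] - contains ASL 3.0 packages currently in QA "
  echo " asl-3.0-bleeding - [DISABLED] - contains ASL 3.0 packages untested development packages"
  echo
  echo

  # Redundancy #1, ensure Version exists
  if [ ! -f /etc/asl/VERSION ]; then
    cat <<'EOF' > /etc/asl/VERSION
ASL_VERSION=0
APPINV_VERSION=0
CLAMAV_VERSION=0
GEOMAP_VERSION=0
GRSEC_VERSION=0
MODSEC_VERSION=0
OSSEC_VERSION=0
EOF
  fi

  # Redundancy #2, ensure db files exist
  if [ ! -f /etc/asl/disabled_signatures ]; then
    touch /etc/asl/disabled_signatures
  fi
  if [ ! -f /etc/asl/whitelist ]; then
    touch /etc/asl/whitelist
  fi

  # Redundancy #3, ensure localhost is set
  if ! grep -q 127.0.0.1.*localhost /etc/hosts; then
    echo "127.0.0.1 localhost.localdomain localhost" >> /etc/hosts
  fi

  check_input "Continue with ASL configuration? (yes/no) [Default: yes]" "yes|no" "yes"
  if [ "$INPUTTEXT" = "no" ]; then
    echo "Exiting...."
    exit
  fi

  # set the basic config in /etc/asl/config
  # PASSWORD passed isValid (alphanumeric only), so it cannot carry regex or
  # delimiter characters into the perl substitution.
  perl -pi -e "s/\"USERNAME\"/\"$USERNAME\"/" /etc/asl/config
  perl -pi -e "s/\"PASSWORD\"/\"$PASSWORD\"/" /etc/asl/config

  # Configure the system
  /var/asl/bin/asl -c

  # bugfix #xxx, clear invalid waf config. It will be corrected by fixmode later
  if [ -f /etc/httpd/conf.d/00_mod_security.conf ]; then
    rm -f /etc/httpd/conf.d/00_mod_security.conf
  fi

  # Update event: run aum until the WAF rule config appears, at most 4 times.
  count=0
  while [ ! -f /var/asl/rules/modsec/waf_rule_config ]; do
    /var/asl/bin/aum -u
    count=$((count + 1))
    if [ "$count" -ge 4 ]; then
      #echo "Error: Could not complete installation."
      break
    fi
  done

  # Kernel
  kernel_install

  # run a fix event
  /var/asl/bin/asl -s -f

  if [ -f /usr/bin/rkhunter ]; then
    echo
    echo "Updating rkhunter file properties databases..."
    echo
    /usr/bin/rkhunter --update
    /usr/bin/rkhunter --propupd
  fi

  if [ -f /etc/init.d/asl-firewall ]; then
    /etc/init.d/asl-firewall start >/dev/null 2>&1
  fi

  # Scan the system for malware
  echo
  check_input "Would you like to scan the system for malware now? (yes/no): [Default: yes]" "yes|no" "yes"
  if [ "$INPUTTEXT" = "yes" ]; then
    echo "Updating malware definitions..."
    if [ -f /usr/bin/freshclam ]; then
      /usr/bin/freshclam
    else
      echo
      echo "ERROR: malware update component not found!"
      echo " Malware detection is broken. Unsupportable configuration"
      echo
    fi
    echo "Malware scanning has begun in the background"
    echo "a list of suspicious files will be written to:"
    echo "/root/asl-malware-scan.log"
    echo
    nice -n 20 clamscan --exclude-dir=^/var/ossec/ --exclude-dir=^/usr/share/doc/clamav --exclude-dir=^/var/www/vhosts/.*/statistics/logs/ --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc --exclude-dir=^/var/lib/spamassassin --exclude-dir=^/var/asl --exclude-dir=^/usr/share/w3af --exclude-dir=^/var/lib/openvas/plugins -i -r / > /root/asl-malware-scan.log 2>/dev/null &
  fi

  if rpm --quiet -q asl-web; then
    post_asl_web
  fi

  if [ "$SKIP_KERNEL" -lt 1 ]; then
    echo
    echo
    echo "Please reboot your server to complete the installation process."
    echo
    echo
  fi
}

clear
echo
echo "Atomic Secured Linux Installer (v$INSTALLER_VER)"
echo "Further Documentation is available at: "
echo "http://www.atomicorp.com/wiki/index.php/ASL_installation"
echo
echo "Support: support@atomicorp.com"
echo
echo "Hit any key to view the License agreement, or Ctrl-C to exit"
echo
read -r _ < "$INSTALL_TTY"

# License text is literal (quoted delimiter): nothing in it is meant to expand.
cat <<'EOF' | less -e -M -Ps"Press any key to view the next page"
ATOMICORP MASTER END USER LICENSE AGREEMENT

NOTICE: BY DOWNLOADING AND INSTALLING, COPYING OR OTHERWISE USING THE SOFTWARE, YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA. IF YOU DO NOT AGREE TO THE TERMS OF THIS EULA, YOU MAY NOT DOWNLOAD, INSTALL, COPY OR USE THE SOFTWARE, AND YOU MAY RETURN THE UNUSED SOFTWARE TO THE VENDOR FROM WHICH YOU ACQUIRED IT WITHIN THIRTY (30) DAYS AND REQUEST A REFUND OF THE LICENSE FEE, IF ANY, ALREADY PAID UPON SHOWING PROOF OF PAYMENT.

"YOU" MEANS THE NATURAL PERSON OR THE ENTITY THAT IS AGREEING TO BE BOUND BY THIS EULA, THEIR EMPLOYEES AND THIRD PARTY CONTRACTORS THAT PROVIDE SERVICES TO YOU. YOU SHALL BE LIABLE FOR ANY FAILURE BY SUCH EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS AGREEMENT.

1.0 GRANT AND USE RIGHTS FOR SOFTWARE.

1.1 License. The Software is licensed, not sold. Subject to the terms of this EULA, Atomicorp hereby grants you a non-exclusive, non-transferable license, without rights to sublicense, to use the object code of the Software for the purpose as set forth in the applicable documentation for the Software and to the extent permitted by your payment of applicable license fees under an Atomicorp approved licensing model and/or your Software License Key subject to the software product specific terms specified in this EULA. Depending upon the model utilized to compute the applicable license fees paid by you to use the Software (whether per physical server, per Virtual server, per user, or any other Atomicorp approved licensing model), an applicable Software License subscription may limit your usage of the Software accordingly. You may use the documentation accompanying the Software in connection with permitted uses of the Software.

1.2 License Limitations. You may not copy the Software except for a reasonable number of machine-readable copies of the Software for backup or archival purposes and except as expressly permitted in this EULA. You may not remove any titles, trademarks or trade names, copyright notices, legends, or other proprietary markings on the Software. You are not granted any rights to any trademarks or service marks of Atomicorp. Atomicorp retains all rights not expressly granted to you.

1.3 Restrictions. You may not (i) sell, lease, license, sublicense, distribute or otherwise transfer in whole or in part the Software or the Software License subscription to another party; (ii) provide, disclose, divulge or make available to, or permit use of the Software in whole or in part by, any third party (except Designated Administrative Access) without Atomicorp's prior written consent; or (iii) modify or create derivative works based upon the Software. Except to the extent expressly permitted by applicable law, and to the extent that Atomicorp is not permitted by that applicable law to exclude or limit the following rights, you may not decompile, disassemble, reverse engineer, or otherwise attempt to derive source code from the Software, in whole or in part. You may use the Software to conduct internal performance testing and benchmarking studies, the results of which you (and not unauthorized third parties) may publish or publicly disseminate; provided that Atomicorp has reviewed and approved of the methodology, assumptions and other parameters of the study. Please contact Atomicorp at support@atomicorp.com to request such review.

1.4 GPL Software. You can redistribute and/or modify the GPL Software under the terms of the GPL. You may obtain a copy of the source code corresponding to the binaries for the GPL Software (the "GPL Source Files") by downloading the GPL Source Files from Atomicorp's Web site at http://www.atomicorp.com/download/, or by sending a request, with your name and address, to Atomicorp at the address specified under the heading "Contact Information" below, in which case Atomicorp will mail a copy of the GPL Source Files to you on a CD or equivalent physical medium. This offer to obtain a copy of the GPL Source Files is valid for one year from the date you acquired this Software product.

1.5 Audit Rights. You will maintain accurate records as to your use of the Software as authorized by this Agreement, for at least two (2) years from the last day on which support and subscription services ("Services") expired for the applicable Software. Atomicorp, or persons designated by Atomicorp, will, at any time during the period when you are obliged to maintain such records, be entitled to inspect such records and your computing devices, in order to verify that the Software is used by you in accordance with the terms of this Agreement and that you have paid the applicable license fees and Services fees for the Software; provided that Atomicorp may conduct no more than one (1) audit in any twelve (12) month period. You shall promptly pay to Atomicorp any underpayments revealed by any such audit. Any such audit will be performed at Atomicorp's expense during normal business hours, provided that you shall promptly reimburse Atomicorp for the cost of such audit and any applicable fees if such audit reveals an underpayment by you of more than five percent (5%) of the amounts payable by you to Atomicorp for the period audited.

2.0 TITLE

Atomicorp retains all right, title, and interest in and to the Software and the Software License Key and in all related copyrights, trade secrets, patents, trademarks, and any other intellectual and industrial property and proprietary rights, including registrations, applications, renewals, and extensions of such rights.

3.0 SUPPORT AND SUBSCRIPTION SERVICES

Atomicorp will provide email support services under this EULA. Extended support services may be negotiated with Atomicorp directly. Email support is available between the hours of 9am and 5pm EST. If you use spam filtering, please ensure that you allow support@atomicorp.com to enable us to respond to your support requests. It is your responsibility to ensure that this is allowed. By agreeing to this EULA you are accepting full risk and responsibility for communication from our support organization, and lose any any all rights of rebuke therein.

This EULA does not give you any rights to any updates or upgrades to the Software or to any extensions or enhancements to the Software developed by Atomicorp outside of the Atomic Secured Linux subscription period. in the future. If you have purchased Atomicorp support and subscription services with the Software, these services are provided to you under the Support Contract Terms and Conditions posted on Atomicorp's Web site at http://www.atomicorp.com/support/ and by accepting the terms of this EULA you are accepting these Support Contract Terms and Conditions. Any supplemental software code or related materials that Atomicorp provides to you as part of any support and subscription services are to be considered part of the Software and are subject to the terms and conditions of this EULA. Atomicorp may use any technical information you provide to Atomicorp for any Atomicorp business purposes without restriction, including for product support and development. Atomicorp will not use information in a form that personally identifies you.

4.0 TERMINATION

4.1 Termination. Atomicorp may terminate this EULA immediately and without notice if you fail to comply with any term of this EULA.

4.2 Effect of Termination. In the event of termination, you must destroy all copies of the Software. In addition you must remove all copies of the Software, including all backup copies, from all computers and terminals on which it is installed.

From time to time, Atomicorp may change the terms of this EULA. Atomicorp will notify you of such change. Your continued use of the Software will indicate your agreement to the change.

5. LIMITED WARRANTY AND LIMITATION OF LIABILITY

5.1 Limited Warranty. Atomicorp warrants that the media, if any, on which the Software is delivered will be free of defects and that the Software will substantially conform to the description contained in the applicable end user documentation in each case for a period of 90 days after the date of activation of the Software subscription. EXCEPT FOR THE PRECEDING EXPRESS LIMITED WARRANTY, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, ATOMICORP AND ITS LICENSORS PROVIDE THE SOFTWARE WITHOUT ANY WARRANTIES OF ANY KIND, EXPRESS, IMPLIED, STATUTORY, OR IN ANY OTHER PROVISION OF THIS EULA OR COMMUNICATION WITH YOU, AND ATOMICORP AND ITS LICENSORS SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-
INFRINGEMENT.

5.2 TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT WILL ATOMICORP AND ITS LICENSORS BE LIABLE FOR ANY LOST PROFITS OR BUSINESS OPPORTUNITIES, LOSS OF USE, BUSINESS INTERRUPTION, LOSS OF DATA, OR ANY OTHER INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES UNDER ANY THEORY OF LIABILITY, WHETHER BASED IN CONTRACT, TORT, NEGLIGENCE, PRODUCT LIABILITY, OR OTHERWISE. BECAUSE SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, THE PRECEDING LIMITATION MAY NOT APPLY TO YOU. ATOMICORP AND ITS LICENSORS' LIABILITY UNDER THIS EULA WILL NOT, IN ANY EVENT, EXCEED THE LICENSE FEES, IF ANY, PAID BY YOU FOR THE SOFTWARE LICENSED TO YOU UNDER THIS EULA. THE FOREGOING LIMITATIONS SHALL APPLY TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, REGARDLESS OF WHETHER ATOMICORP OR ITS LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND REGARDLESS OF WHETHER ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE.

6.0 GENERAL

6.1 Entire Agreement. This Agreement sets forth Atomicorp's entire liability and your exclusive remedy with respect to the Software and supersedes the terms of any purchase orders and any other communications or advertising with respect to the Software. You acknowledge that this Agreement is a complete statement of the agreement between you and Atomicorp with respect to the Software, and that there are no other prior or contemporaneous understandings, promises, representations, or descriptions with respect to the Software.

6.2 Headings. Headings under this EULA are intended only for convenience and shall not affect the interpretation of this EULA.

6.3 Waiver and Modification. No failure of either party to exercise or enforce any of its rights under this EULA will act as a waiver of those rights. This EULA may only be modified, or any rights under it waived, by a written document executed by the party against which it is asserted.

6.4 Severability. If any provision of this EULA is found illegal or unenforceable, it will be enforced to the maximum extent permissible, and the legality and enforceability of the other provisions of this EULA will not be affected.

6.5 Governing Law. This EULA will be governed by Virginia law and the United States of America, without regard to its choice of law principles. The United Nations Convention for the International Sale of Goods shall not apply.

6.6 Government Restrictions. You may not export or re-
export the Software except in compliance with the United States Export Administration Act and the related rules and regulations and similar non-U.S. government restrictions, if applicable. The Software and accompanying documentation are deemed to be "commercial computer software" and "commercial computer software documentation," respectively, pursuant to DFAR Section 227.7202 and FAR Section 12.212(b), as applicable. Any use, modification, reproduction, release, performing, displaying, or disclosing of the Software by the U.S. Government shall be governed solely by the terms of this EULA.

6.7 Contact Information. If you have any questions about this EULA, or if you want to contact Atomicorp for any reason, please direct all correspondence to: Atomicorp, Inc., 14121 Parke-long Court, Suite 220 Chantilly, Virginia 20151 or email support@atomicorp.com.

6.8 Other. Atomicorp and Atomic Secured Linux are trademarks and/or registered trademarks of Atomicorp, Inc. in the United States and/or various jurisdictions.
EOF

check_input "Do you agree to these terms (yes/no) [Default: yes]" "yes|no" "yes"
if [ "$INPUTTEXT" != "yes" ]; then
  echo " Exiting install, License was not accepted " | tee -a "$LOG"
  exit 1
fi
echo "User accepted License" >> "$LOG"

echo
echo -n "Checking for free space:"
freespace_check "/var" "4000"
freespace_check "/usr" "500"
freespace_check "/tmp" "10"
freespace_check "/etc" "100"
# FR#1166
# NOTE(review): with `||` the /boot check is only skipped when BOTH files
# exist; if the intent is "skip on OpenVZ or on forced kernel skip", this
# should be `&&`.  Left as written.
if [ ! -f /proc/vz/veinfo ] || [ ! -f /skipkernel ]; then
  freespace_check "/boot" "70"
fi
echo " Done"

# Total memory in KB as reported by free; roughly 1 GB required.
echo -n "Checking for memory requirements:"
memory=$(free | awk '/Mem:/ {print $2}')
if [ "$memory" -lt 981584 ]; then
  echo "Failed" | tee -a "$LOG"
  echo " a minimuim of 1G of memory is required for ASL." | tee -a "$LOG"
  exit 1
else
  echo "PASS"
fi

# A stale asl.repo would shadow the one written below.
if [ -f /etc/yum.repos.d/asl.repo ]; then
  rm -f /etc/yum.repos.d/asl.repo
fi

echo -n "Checking for core updates: "
Y_LIST=$(yum list updates | wc -l)
if [ "$Y_LIST" -gt 50 ]; then
  echo "Pending updates FAIL (count: $Y_LIST)" >> "$LOG"
  echo FAIL
  echo
  echo "The system appears to be significantly out of date. ($Y_LIST updates pending)"
  echo "This environment may be so out of date that it will not be supportable."
  echo
  echo "Recommendation: Halt the installation, and investigate the unapplied updates to the system"
  echo
  check_input " This environment is UNSUPPORTED. Do you wish to continue? (yes/no) [Default: no]" "yes|no" "no"
  if [ "$INPUTTEXT" = "no" ]; then
    echo
    echo "Exiting..."
    echo
    exit 1
  fi
  echo
  echo
  echo
  echo "Pending updates, user accepted risk " >> "$LOG"
else
  echo "OK"
  echo "Pending updates OK (count: $Y_LIST)" >> "$LOG"
fi

# Control-panel detection: DirectAdmin and cPanel ship their own apache and
# get a source install (SOURCEINSTALL=1) rather than the packaged mod_security.
echo -n "Performing Basic environment checks: " | tee -a "$LOG"
if [ -d /usr/local/directadmin ]; then
  echo " DirectAdmin detected..." | tee -a "$LOG"
  DIRECTADMIN=1
  SOURCEINSTALL=1
  if [ -f /usr/sbin/httpd ]; then
    HTTPD=/usr/sbin/httpd
  else
    echo " Path to apache could not be determined. This is a custom environment" | tee -a "$LOG"
    echo " Please contact the services group at support@atomicorp.com for a custom" | tee -a "$LOG"
    echo " installation quote." | tee -a "$LOG"
    echo
    exit 1
  fi
  # Test X: determine httpd config file location
  if [ -f /etc/httpd/conf/httpd.conf ]; then
    HTTP_CONF="/etc/httpd/conf/httpd.conf"
  fi
elif [ -d /usr/local/cpanel ]; then
  echo " cpanel Detected..." | tee -a "$LOG"
  CPANEL=1
  SOURCEINSTALL=1
  if [ -f /usr/local/apache/bin/httpd ]; then
    HTTPD=/usr/local/apache/bin/httpd
  else
    echo " Path to apache could not be determined. This is a custom environment" | tee -a "$LOG"
    echo " Please contact the services group at support@atomicorp.com for a custom" | tee -a "$LOG"
    echo " installation quote." | tee -a "$LOG"
    echo
    exit 1
  fi
  # Test X: determine httpd config file location
  HTTP_CONF="/usr/local/apache/conf/httpd.conf"
else
  echo "Standard environment..." | tee -a "$LOG"
fi
echo | tee -a "$LOG"

# Main
# An existing /etc/asl/config may already carry CONFIGURED/USERNAME/PASSWORD.
CONFIGURED=no
if [ -f /etc/asl/config ]; then
  source /etc/asl/config
fi

if [ "$CONFIGURED" != "yes" ]; then
  echo -n "Enter subscription Username: " | tee -a "$LOG"
  read -r USERNAME < "$INSTALL_TTY"
  export USERNAME
  echo "Username: $USERNAME" >> "$LOG"
  if [ -z "$USERNAME" ]; then
    echo "Exiting: Username is blank. " | tee -a "$LOG"
    echo
    exit 1
  fi

  # Password is read silently and confirmed; three mismatches abort.
  PASSCONFIRMED=0
  failed=0
  while [ "$PASSCONFIRMED" -lt 1 ]; do
    if [ "$failed" -gt 2 ]; then
      echo "Exiting: too many failed attempts." | tee -a "$LOG"
      echo
      exit 1
    fi
    read -r -p "Enter Subscription Password: " -s PASSWORD < "$INSTALL_TTY"
    echo
    if [ -z "$PASSWORD" ]; then
      echo "Exiting: Password is blank..." | tee -a "$LOG"
      echo
      exit 1
    fi
    # The password is later embedded in URLs and a perl substitution;
    # restricting it to alphanumerics is what keeps those uses safe.
    if ! isValid "$PASSWORD"; then
      echo "Exiting: Only Alpha-Numeric passwords are supported..." | tee -a "$LOG"
      echo
      exit 1
    fi
    read -r -p "Re-Enter Subscription Password: " -s PASSWORD2 < "$INSTALL_TTY"
    echo
    if [ "$PASSWORD" = "$PASSWORD2" ]; then
      PASSCONFIRMED=1
    else
      failed=$((failed + 1))
      echo "Sorry, passwords do not match." | tee -a "$LOG"
      echo
    fi
  done
fi

# Credential check.  The credentials travel in the URL, so they are visible
# in the process list for the duration of the request and in any shell trace.
TEST_CREDENTIALS=$("$GET" -nv "https://$USERNAME:$PASSWORD@www.atomicorp.com/channels/asl-3.0/README" -O - 2>&1)
echo -n "Verifying account: " | tee -a "$LOG"
if [ "$TEST_CREDENTIALS" = "Authorization failed." ]; then
  echo " Failed" | tee -a "$LOG"
  echo
  echo " ERROR: ASL Username/Password credentials are incorrect or this license has expired." | tee -a "$LOG"
  echo " For more information, please see this FAQ:" | tee -a "$LOG"
  echo " https://www.atomicorp.com/wiki/index.php/ASL_FAQ#HTTP_Error_401:_Authorization_Required_Trying_other_mirror. " | tee -a "$LOG"
  echo
  exit 1
else
  echo " Passed" | tee -a "$LOG"
fi

# Amazon EL clone. Fix missing redhat-release
if [ -f /etc/system-release ]; then
  if [ ! -f /etc/redhat-release ]; then
    echo "Fix for missing redhat-release" >> "$LOG"
    ln -sf /etc/system-release /etc/redhat-release
  fi
fi

if [ ! -f /etc/redhat-release ]; then
  echo
  echo "Error: /etc/redhat-release was not detected" | tee -a "$LOG"
  echo
  exit 1
fi

RELEASE=$(awk -F'(' '{print $1}' /etc/redhat-release)
echo "Release is: $RELEASE" >> "$LOG"

# EL3, EL4, and Fedora
if egrep -q "^Fedora|release 3|release 4" /etc/redhat-release; then
  cat /etc/redhat-release
  echo "This platform is no longer supported..." | tee -a "$LOG"
  echo "Exiting..."
  exit 1
# EL5
elif egrep -q "release 5|release 2011" /etc/redhat-release; then
  DIST="el5"
  DIR=centos/5
# EL6
elif egrep -q "release 6|release 2012" /etc/redhat-release; then
  DIST="el6"
  DIR=centos/6
else
  echo "Error: Unable to determine distribution type. Please send the contents of /etc/redhat-release to support@atomicorp.com" | tee -a "$LOG"
  exit 1
fi

if [ ! -f /usr/bin/yum ]; then
  echo
  echo "Error: Yum was not detected. Contact your provider for support." | tee -a "$LOG"
  echo
  exit 1
else
  YUM=1
fi

## yum, make sure yum is up to date
echo -n "Ensuring yum is up to date: " | tee -a "$LOG"
/usr/bin/yum -y upgrade yum >> "$LOG" 2>&1
echo "Done" | tee -a "$LOG"

## check for perl (minimal installs)
echo -n "Checking for perl: " | tee -a "$LOG"
if [ ! -f /usr/bin/perl ]; then
  /usr/bin/yum -y install perl >> "$LOG" 2>&1 || exit 1
fi
echo "Done" | tee -a "$LOG"

# Make sure selinux is as off as we can make it.  This is a deliberate,
# system-wide security downgrade: permissive now, disabled on next boot.
if [ -x /usr/sbin/setenforce ]; then
  /usr/sbin/setenforce 0 >/dev/null 2>&1
  if [ -f /etc/sysconfig/selinux ]; then
    /usr/bin/perl -p -i -e "s/SELINUX=.*/SELINUX=disabled/g" /etc/sysconfig/selinux
  fi
fi

# Signing keys.  They become the trust root for gpgcheck=1 in asl.repo, so
# they are fetched over TLS (the same host is already used over https above)
# and a failed download aborts instead of leaving an empty key file that
# would make every later yum transaction fail.
echo -n "Installing the Atomic GPG key: " | tee -a "$LOG"
if [ ! -f /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt ]; then
  if [ ! -d /etc/pki/rpm-gpg ]; then
    mkdir -p /etc/pki/rpm-gpg/
  fi
  if ! wget -q https://www.atomicorp.com/RPM-GPG-KEY.art.txt -O /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt >> "$LOG" 2>&1; then
    rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
    echo "FAILED" | tee -a "$LOG"
    echo " Error: could not download the Atomic GPG key." | tee -a "$LOG"
    exit 1
  fi
fi
echo "OK" | tee -a "$LOG"

if [ ! -f /etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt ]; then
  if [ ! -d /etc/pki/rpm-gpg ]; then
    mkdir -p /etc/pki/rpm-gpg/
  fi
  if ! wget -q https://www.atomicorp.com/RPM-GPG-KEY.atomicorp.txt -O /etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt >> "$LOG" 2>&1; then
    rm -f /etc/pki/rpm-gpg/RPM-GPG-KEY.atomicorp.txt
    echo " Error: could not download the Atomicorp GPG key." | tee -a "$LOG"
    exit 1
  fi
fi

# Source install
if [ "$SOURCEINSTALL" -ge 1 ]; then
  # Litespeed check
  if [ -f /usr/local/cpanel/whostmgr/docroot/cgi/lsws/chkLSRunning.sh ]; then
    LITESPEED=1
    echo
    echo "Litespeed installation detected." | tee -a "$LOG"
    echo " UNSUPPORTED: Litespeed is not supported." | tee -a "$LOG"
    echo
    check_input " This environment is UNSUPPORTED. Do you wish to continue? (yes/no) [Default: no]" "yes|no" "no"
    if [ "$INPUTTEXT" = "no" ]; then
      echo " Exiting...." | tee -a "$LOG"
      echo
      exit
    fi
    echo "User accepted unsupported litespeed risk." >> "$LOG"
  else
    # Module check: mod_security needs mod_unique_id compiled into apache.
    echo -n "Verifying mod_unique_id: " | tee -a "$LOG"
    if ! "$HTTPD" -l | grep -q unique; then
      echo "Not found."
      if [ -n "$CPANEL" ]; then
        echo
        echo " ASL will attempt to rebuild apache with uniqueid support later " | tee -a "$LOG"
        echo " in the installation" | tee -a "$LOG"
        echo
        BUILD_UNIQUEID=1
      else
        echo " mod_unique_id support in apache is required. You will need to" | tee -a "$LOG"
        echo " rebuild apache with support to continue installing ASL." | tee -a "$LOG"
        echo
        exit 1
      fi
      echo
      echo
    else
      echo "passed." | tee -a "$LOG"
      echo
    fi
  fi

  # Clear work directory
  if [ -d /root/atomic ]; then
    rm -rf /root/atomic
  fi
  mkdir /root/atomic
  cd /root/atomic/ || exit 1

  # Prep yum
  yum clean all >> "$LOG"

  # Prep dev tools
  yum -y --disableexcludes=all --skip-broken groupinstall "Development Tools" | tee -a "$LOG"
  if [ "${PIPESTATUS[0]}" -ge 1 ]; then
    echo "Yum Development Tools installation failed." | tee -a "$LOG"
    exit 1
  fi

  # secondary error checking
  if [ ! -f /usr/bin/rpmbuild ]; then
    echo " ERROR: Development Tools could not be installed. Contact your OS vendor for further assistance." | tee -a "$LOG"
    exit 1
  fi

  # Fix 1: Correct bash profile, move cpanel functions to a separate file
  if [ -n "$CPANEL" ]; then
    if [ "$DIST" = "el6" ]; then
      yum -y --disableexcludes=all --skip-broken install libcurl-devel | tee -a "$LOG"
      if [ "${PIPESTATUS[0]}" -ge 1 ]; then
        echo "Yum libcurl-devel install failed." | tee -a "$LOG"
        exit 1
      fi
    fi
    # copy over mangled bashrc.  These files end up as /etc/bashrc and
    # /etc/profile.d/cpanel.sh, i.e. code sourced by every shell on the box,
    # so they are fetched over TLS.
    "$GET" -q https://www.atomicorp.com/installers/cpanel/bashrc | tee -a "$LOG"
    if [ "${PIPESTATUS[0]}" -ge 1 ]; then
      exit 1
    fi
    "$GET" -q https://www.atomicorp.com/installers/cpanel/profile-cpanel.sh | tee -a "$LOG"
    if [ "${PIPESTATUS[0]}" -ge 1 ]; then
      exit 1
    fi
    # import cpanel functions to /etc/profile.d/cpanel.sh
    chattr -i /etc/bashrc
    install -m 0755 bashrc /etc/bashrc
    install -m 0755 profile-cpanel.sh /etc/profile.d/cpanel.sh
    source /etc/profile
    source /etc/bashrc >/dev/null 2>&1

    # Fix 2: Correct /etc/init.d/mysqld script
    ln -sf /etc/init.d/mysql /etc/init.d/mysqld
  fi
fi

if [ ! -d /etc/asl ]; then
  mkdir /etc/asl
fi

# Repo definition.  $releasever is escaped so yum, not the shell, expands it.
# (The original emitted an undefined $KERNEL variable here; it expanded to an
# empty line and is dropped.)
cat <<EOF > /etc/yum.repos.d/asl.repo
[asl-3.0]
name=Atomicorp - \$releasever - Atomic Secured Linux 3.0
mirrorlist=file:///etc/asl/mirrorlist
priority=1
enabled=1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck=1

[asl-3.0-testing]
name=Atomicorp - \$releasever - Atomic Secured Linux 3.0 (Testing)
mirrorlist=file:///etc/asl/asl-3.0-testing-mirrorlist
priority=1
enabled=0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY.art.txt
gpgcheck=1
EOF

# Mirrorlists embed the subscription credentials in clear text.
cat <<EOF > /etc/asl/mirrorlist
https://$USERNAME:$PASSWORD@www2.atomicorp.com/channels/asl-3.0/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www3.atomicorp.com/channels/asl-3.0/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www5.atomicorp.com/channels/asl-3.0/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www6.atomicorp.com/channels/asl-3.0/$DIR/$ARCH
EOF

cat <<EOF > /etc/asl/asl-3.0-testing-mirrorlist
https://$USERNAME:$PASSWORD@www2.atomicorp.com/channels/asl-3.0-testing/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www3.atomicorp.com/channels/asl-3.0-testing/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www5.atomicorp.com/channels/asl-3.0-testing/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www6.atomicorp.com/channels/asl-3.0-testing/$DIR/$ARCH
EOF

cat <<EOF > /etc/asl/tortix-mirrorlist
https://$USERNAME:$PASSWORD@www2.atomicorp.com/channels/tortix/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www3.atomicorp.com/channels/tortix/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www5.atomicorp.com/channels/tortix/$DIR/$ARCH
https://$USERNAME:$PASSWORD@www6.atomicorp.com/channels/tortix/$DIR/$ARCH
EOF

# Only root (yum, and aum as run here) needs to read the credential-bearing
# mirrorlists; the default 0644 would expose them to every local account.
# NOTE(review): loosen this if some non-root ASL component reads these files.
chmod 600 /etc/asl/mirrorlist /etc/asl/asl-3.0-testing-mirrorlist /etc/asl/tortix-mirrorlist

if [ "$SOURCEINSTALL" -ge 1 ]; then
  # mysqlclient?
  if rpm -q MySQL-server; then
    # ver check
    mysqlver=$(rpm -q MySQL-server | awk -F. '{print $1 "." $2}')
    if [ "$mysqlver" = "MySQL-server-5.1" ]; then
      yum --disableexcludes=all -y install mysqlclient18 | tee -a "$LOG"
    elif [ "$mysqlver" = "MySQL-server-5.5" ]; then
      yum --disableexcludes=all -y install mysqlclient16 | tee -a "$LOG" #for el6
      yum --disableexcludes=all -y install mysqlclient18 | tee -a "$LOG" #for el6
    fi
  fi
  if rpm -q MySQL50-server; then
    yum --disableexcludes=all -y install mysqlclient18 | tee -a "$LOG"
  fi
  if rpm -q MySQL51-server; then
    yum --disableexcludes=all -y install mysqlclient18 | tee -a "$LOG"
  fi
  if rpm -q MySQL55-server; then
    yum --disableexcludes=all -y install mysqlclient16 | tee -a "$LOG" #for el6
  fi

  # Test X: install tortix web daemon
  if [ -f /etc/yum.repos.d/atomic.repo ]; then
    rpm --quiet -q tortixd || yum --disableexcludes=all --disablerepo=atomic -y install tortixd tortixd-mod_ssl asl-php asl-php-mysql asl-php-gd | tee -a "$LOG"
  else
    rpm --quiet -q tortixd || yum --disableexcludes=all -y install tortixd tortixd-mod_ssl asl-php asl-php-mysql asl-php-gd | tee -a "$LOG"
  fi

  # WAF build Start
  # Test X: install pcre & pcre-devel
  rpm --quiet -q pcre || yum --disableexcludes=all -y install pcre | tee -a "$LOG"
  rpm --quiet -q pcre-devel || yum --disableexcludes=all -y install pcre-devel | tee -a "$LOG"

  # Fix X: Reduce spurious header files that cause conflicts
  if [ -f /usr/local/apache/include/pcre.h ]; then
    echo "/usr/local/apache/include/pcre.h detected.... removing deprecated file" | tee -a "$LOG"
    rm -f /usr/local/apache/include/pcre.h
  fi

  # TODO: Test X: Configure rule storage directory location & default config
  if [ ! -d /etc/httpd/modsecurity.d ]; then
    mkdir -p /etc/httpd/modsecurity.d
  fi
  if [ ! -d /etc/httpd/conf.d ]; then
    mkdir -p /etc/httpd/conf.d
  fi

  # Test X: Support packages
  rpm --quiet -q asl-stream-client || yum --disableexcludes=all -y install asl-stream-client clamd rkhunter chkrootkit paxtest | tee -a "$LOG"

  # Test X: OSSEC
  DISABLEREPO=""
  if [ -f /etc/yum.repos.d/atomic.repo ]; then
    DISABLEREPO="--disablerepo=atomic"
  fi
  rpm --quiet -q ossec-hids-server || yum $DISABLEREPO -y --disableexcludes=all install ossec-hids-server | tee -a "$LOG"
  rpm --quiet -q ossec-hids-server && yum $DISABLEREPO -y --disableexcludes=all upgrade ossec-hids-server | tee -a "$LOG"

  # Test X: download & install asl
  rpm --quiet -q asl || yum -y --disableexcludes=all install asl | tee -a "$LOG"

  # Permissions check
  if [ -n "$CPANEL" ]; then
    chown nobody.nobody /var/asl/data/msa
    chown nobody.nobody /var/asl/data/audit
    chown nobody.nobody /var/asl/data/suspicious
    chmod o-rx -R /var/asl/data/*
    chmod ug+rwx -R /var/asl/data/*
    if [ -z "$LITESPEED" ]; then
      # Hook ASL into easyapache so rebuilds keep the WAF module.
      if [ -f /scripts/preeasyapache ]; then
        if ! egrep "template-cpanel-preeasyapache-hook.*ASL_HOOK" /scripts/preeasyapache; then
          echo "/var/asl/data/templates/template-cpanel-preeasyapache-hook #ASL_HOOK" >> /scripts/preeasyapache
        fi
      else
        install -m0755 /var/asl/data/templates/template-cpanel-preeasyapache /scripts/preeasyapache
      fi
      if [ -f /scripts/posteasyapache ]; then
        if ! egrep "template-cpanel-apache-hook.*ASL_HOOK" /scripts/posteasyapache; then
          echo "/var/asl/data/templates/template-cpanel-apache-hook #ASL_HOOK" >> /scripts/posteasyapache
        fi
      else
        install -m0755 /var/asl/data/templates/template-cpanel-posteasyapache /scripts/posteasyapache
      fi
      # Install modules
      /scripts/easyapache --build | tee -a "$LOG"
    fi
  elif [ -n "$DIRECTADMIN" ]; then
    /var/asl/data/templates/template-cpanel-apache-hook | tee -a "$LOG"
  fi

  cd /root || exit 1
  if [ ! -d /etc/httpd/conf.d ]; then
    mkdir /etc/httpd/conf.d
    touch /etc/httpd/conf.d/00_mod_security.conf
  fi
  if [ ! -d /etc/httpd/modsecurity.d ]; then
    mkdir /etc/httpd/modsecurity.d
    touch /etc/httpd/modsecurity.d/modsecurity_crs_10_config.conf
  fi
else
  # Standard Installation starts here (Recommended)
  yum -y install asl psmon mod_security mod_evasive mod_sed | tee -a "$LOG"
fi

# Runs in a subshell because of the pipe: an `exit` inside post_asl_install
# does not stop the steps below.
post_asl_install | tee -a "$LOG"

# Install the tortix-release package
rpm --quiet -q tortix-release || yum -y install tortix-release

echo "Installation completed" >> "$LOG"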
