diff --git a/roles/Sharingan/files/aide/base.conf b/roles/Sharingan/files/aide/base.conf
new file mode 100644
index 0000000..e82ea55
--- /dev/null
+++ b/roles/Sharingan/files/aide/base.conf
@@ -0,0 +1,146 @@
+# Example configuration file for AIDE.
+# More information about configuration options available in the aide.conf manpage.
+@@define DBDIR /var/lib/aide
+@@define LOGDIR /var/log/aide
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+database_out=file:@@{DBDIR}/aide.db.new.gz
+
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+report_level=changed_attributes
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#
+# Here are all the attributes we can check
+#p: permissions
+#i: inode
+#n: number of links
+#l: link name
+#u: user
+#g: group
+#s: size
+###b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#I: ignore changed filename
+#ANF: allow new files
+#ARF: allow removed files
+#
+
+# Here are all the digests we can use
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+#haval: haval checksum
+#crc32: crc32 checksum
+#gost: gost checksum
+#whirlpool: whirlpool checksum
+
+# These are the default rules
+#R: p+i+l+n+u+g+s+m+c+md5
+#L: p+i+l+n+u+g
+#E: Empty group
+#>: Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie.
all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+
+/boot NORMAL
+/bin NORMAL
+/sbin NORMAL
+/lib NORMAL
+/lib64 NORMAL
+/opt NORMAL
+/usr NORMAL
+/root NORMAL
+# These are too volatile
+!/usr/src
+!/usr/tmp
+
+# Check only permissions, inode, user and group for /etc, but
+# cover some important files closely.
+/etc PERMS
+!/etc/mtab
+# Ignore backup files
+!/etc/.*~
+/etc/exports NORMAL
+/etc/fstab NORMAL
+/etc/passwd NORMAL
+/etc/group NORMAL
+/etc/gshadow NORMAL
+/etc/shadow NORMAL
+/etc/security/opasswd NORMAL
+
+/etc/hosts.allow NORMAL
+/etc/hosts.deny NORMAL
+
+/etc/sudoers NORMAL
+/etc/skel NORMAL
+
+/etc/logrotate.d NORMAL
+
+/etc/resolv.conf DATAONLY
+
+/etc/nscd.conf NORMAL
+/etc/securetty NORMAL
+
+# Shell/X starting files
+/etc/profile NORMAL
+/etc/bashrc NORMAL
+/etc/bash_completion.d/ NORMAL
+/etc/login.defs NORMAL
+/etc/zprofile NORMAL
+/etc/zshrc NORMAL
+/etc/zlogin NORMAL
+/etc/zlogout NORMAL
+/etc/profile.d/ NORMAL
+/etc/X11/ NORMAL
+
+# Ignore logs
+!/var/lib/pacman/.*
+!/var/cache/.*
+!/var/log/.*
+!/var/run/.*
+!/var/spool/.*
diff --git a/roles/Sharingan/files/aide/yggdrasil.conf b/roles/Sharingan/files/aide/yggdrasil.conf
new file mode 100644
index 0000000..05ae9d8
--- /dev/null
+++ b/roles/Sharingan/files/aide/yggdrasil.conf
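Review bot: `ALLXTRAHASHES` is assigned twice in a row in the custom-rules section, so the first definition (the one with whirlpool, haval, gost and crc32) is dead and the second silently wins; keep a single line, and if the shorter digest list is deliberate say why in a comment, e.g. `# Only the digests compiled into this AIDE build`. The same pair of lines is in yggdrasil.conf. The `# Ignore logs` heading above the final exclusion block also understates what it excludes: `!/var/lib/pacman/.*` and `!/var/cache/.*` drop the package database and package cache from the check, so a modified package database would not be reported here; either narrow those two patterns or retitle the block `# Ignore volatile state: package db, caches, logs, runtime and spool dirs` so the trade-off is visible to whoever tunes the policy.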
@@ -0,0 +1,89 @@
+# Example configuration file for AIDE.
+# More information about configuration options available in the aide.conf manpage.
+@@define DBDIR /home/yggdrasil/.aide
+@@define LOGDIR @@{DBDIR}
+
+# The location of the database to be read.
+database_in=file:@@{DBDIR}/aide.db.gz
+database_out=file:@@{DBDIR}/aide.new.db.gz
+
+# The location of the database to be written.
+#database_out=sql:host:port:database:login_name:passwd:table
+#database_out=file:aide.db.new
+# Whether to gzip the output to database
+gzip_dbout=yes
+
+# Default.
+log_level=warning
+report_level=changed_attributes
+
+report_url=file:@@{LOGDIR}/aide.log
+report_url=stdout
+#report_url=stderr
+#
+# Here are all the attributes we can check
+#p: permissions
+#i: inode
+#n: number of links
+#l: link name
+#u: user
+#g: group
+#s: size
+###b: block count
+#m: mtime
+#a: atime
+#c: ctime
+#S: check for growing size
+#I: ignore changed filename
+#ANF: allow new files
+#ARF: allow removed files
+#
+
+# Here are all the digests we can use
+#md5: md5 checksum
+#sha1: sha1 checksum
+#sha256: sha256 checksum
+#sha512: sha512 checksum
+#rmd160: rmd160 checksum
+#tiger: tiger checksum
+#haval: haval checksum
+#crc32: crc32 checksum
+#gost: gost checksum
+#whirlpool: whirlpool checksum
+
+# These are the default rules
+#R: p+i+l+n+u+g+s+m+c+md5
+#L: p+i+l+n+u+g
+#E: Empty group
+#>: Growing logfile p+l+u+g+i+n+S
+
+# You can create custom rules - my home made rule definition goes like this
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+whirlpool+tiger+haval+gost+crc32
+ALLXTRAHASHES = sha1+rmd160+sha256+sha512+tiger
+# Everything but access time (Ie.
all changes)
+EVERYTHING = R+ALLXTRAHASHES
+
+# Sane, with multiple hashes
+# NORMAL = R+rmd160+sha256+whirlpool
+NORMAL = R+rmd160+sha256
+
+# For directories, don't bother doing hashes
+DIR = p+i+n+u+g+acl+xattrs
+
+# Access control only
+PERMS = p+i+u+g+acl
+
+# Logfile are special, in that they often change
+LOG = >
+
+# Just do md5 and sha256 hashes
+LSPP = R+sha256
+
+# Some files get updated automatically, so the inode/ctime/mtime change
+# but we want to know when the data inside them changes
+DATAONLY = p+n+u+g+s+acl+xattrs+md5+sha256+rmd160+tiger
+
+
+# Next decide what directories/files you want in the database.
+/home/yggdrasil/ NORMAL
+!/home/yggdrasil/.aide$
diff --git a/roles/Sharingan/package/LICENSE b/roles/Sharingan/package/LICENSE
new file mode 100644
index 0000000..e15653d
--- /dev/null
+++ b/roles/Sharingan/package/LICENSE
@@ -0,0 +1,31 @@
+# http://www.wtfpl.net/about/
+
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ Version 2, December 2004
+
+ Copyright (C) 2004 Sam Hocevar
+
+ Everyone is permitted to copy and distribute verbatim or modified
+ copies of this license document, and changing it is allowed as long
+ as the name is changed.
+
+ DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+ 0. You just DO WHAT THE FUCK YOU WANT TO.
+
+ ANINIX ADDENDUM
+
+ Trademark 2017 (https://aninix.net/)
+
+ The "AniNIX" name and |> logo are trademarked as of 2017/11/21.
+ AniNIX materials may be reproduced and re-used (though you must
+ contact the admins of the network to get written permission to use
+ the AniNIX name or logo) so long as such reproduction or re-use
+ does not inhibit the original AniNIX use of the same.
+
+ Attribution is appreciated for other materials but not legally
+ required or necessary.
+
+ "AniNIX" trademark serial: 87177883
+ |> Logo trademark serial: 87177887
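Review bot: `database_out=file:@@{DBDIR}/aide.new.db.gz` has been placed directly under `database_in`, above the comment `# The location of the database to be written.`, so that comment and the two commented-out `#database_out=` examples beneath it no longer sit next to the line they describe; move the `database_out=` line back under its comment (or move the comment up with it). The output name also differs from base.conf's `aide.db.new.gz`; the aideinit script parses whichever name is configured, so this works, but one naming convention across both configs would be less confusing. Separately, `DBDIR` points into `/home/yggdrasil/.aide`; if that directory is owned by the yggdrasil user, the root-owned database and `.sig` that aideinit places there can still be removed or renamed by that user, because directory write permission controls that — worth a comment on the `@@define DBDIR` line stating who is expected to own `.aide` and that the signature check in aidecheck is what guards against substitution.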
diff --git a/roles/Sharingan/package/Makefile b/roles/Sharingan/package/Makefile
new file mode 100644
index 0000000..f6889c7
--- /dev/null
+++ b/roles/Sharingan/package/Makefile
@@ -0,0 +1,22 @@
+compile:
+ @echo Nothing to do
+
+install:
+ mkdir -p ${pkgdir}/usr/local/sbin/
+ for i in aidecheck aideinit; do install -m 0750 -o root -g http $$i ${pkgdir}/usr/local/sbin/; done
+
+test: compile
+ @echo Nothing to do
+
+clean:
+ git clean -fX
+ git clean -fd
+
+diff:
+ @echo Nothing to do.
+
+reverse:
+ @echo Nothing to do.
+
+checkperm:
+ @echo Nothing to do.
diff --git a/roles/Sharingan/package/PKGBUILD b/roles/Sharingan/package/PKGBUILD
new file mode 100644
index 0000000..3fb0363
--- /dev/null
+++ b/roles/Sharingan/package/PKGBUILD
@@ -0,0 +1,46 @@
+depends=('bash>=4.4' 'aide')
+makedepends=('make>=4.2')
+checkdepends=()
+optdepends=()
+pkgname="sharingan-scripts"
+pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
+pkgrel=1
+pkgrel() {
+ echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
+}
+epoch="$(git log | grep -c commit)"
+pkgdesc="$(head -n 1 README.md)"
+arch=("x86_64")
+url="$(git config remote.origin.url | sed 's/.git$//')"
+license=('custom')
+groups=()
+provides=("${pkgname}")
+conflicts=()
+replaces=("${pkgname,,}", "aninix-${pkgname,,}")
+backup=()
+options=()
+install=
+changelog=
+source=()
+noextract=()
+md5sums=()
+validpgpkeys=()
+
+prepare() {
+ git pull
+}
+
+build() {
+ make -C ..
+}
+
+check() {
+ chmod -R u+r ../pkg
+ make -C .. test
+}
+
+package() {
+ export pkgdir="${pkgdir}"
+ make -C .. install
+ install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}
diff --git a/roles/Sharingan/package/README.md b/roles/Sharingan/package/README.md
new file mode 100644
index 0000000..ddea15b
--- /dev/null
+++ b/roles/Sharingan/package/README.md
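Review bot: The `install` rule installs `aidecheck` and `aideinit` with `-m 0750 -o root -g http`, which gives the web server's group execute on two scripts whose only job is to run `sudo aide` and sign the database; nothing on this page explains why the http group needs them, so this reads like a rule copied from a web-service package. Unless a web process is meant to launch these, install them root-only: `install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin/`. Note also that with `pkgdir` unset (a plain `make install` outside makepkg) the `mkdir -p ${pkgdir}/usr/local/sbin/` line and the loop write straight into the live `/usr/local/sbin/`; guarding with `$(if $(pkgdir),,$(error pkgdir is not set))` at the top of the rule would make that explicit.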
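Review bot: `replaces=("${pkgname,,}", "aninix-${pkgname,,}")` separates the array elements with a comma, which bash keeps as part of the first word, so the array's first element is `sharingan-scripts,` with a trailing comma rather than the package name; write `replaces=("${pkgname,,}" "aninix-${pkgname,,}")`. `epoch="$(git log | grep -c commit)"` counts every log line containing the word "commit", including lines of commit-message bodies, so the epoch can jump whenever a message mentions the word; `epoch="$(git rev-list --count HEAD)"` yields the count this appears to intend. The `pkgrel()` function shares its name with the `pkgrel=1` variable and is never called in the visible file, and `prepare()` does a network `git pull` while `source=()` is empty — both may be house convention, but a one-line comment above each saying so would help the next packager.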
@@ -0,0 +1,4 @@
+This is a collection of scripts we use for managing HIDS data.
+
+1. aideinit: Initialize, record, and sign a database
+1. aidecheck: Verify there are no discrepancies from a database
diff --git a/roles/Sharingan/package/aidecheck b/roles/Sharingan/package/aidecheck
new file mode 100755
index 0000000..0c24fa6
--- /dev/null
+++ b/roles/Sharingan/package/aidecheck
@@ -0,0 +1,59 @@
+#!/usr/bin/bash
+
+# File: aidecheck
+#
+# Description: This script checks a signed AIDE DB.
+#
+# Package: AniNIX/Sharingan
+# Copyright: WTFPL
+#
+# Author: DarkFeather
+
+function usage() {
+ echo "Usage: $0 [ config reference ]"
+ exit $1
+}
+
+function main() {
+ ### Initialize the DB
+ base="$1"
+ dbdir="$(grep -m 1 -E '^@@define DBDIR' "$base" | cut -f 3 -d ' ')"
+ dbin="$(grep -m 1 -E '^database_in' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+ dbout="$(grep -m 1 -E '^database_out' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+
+ set -x
+
+ if ! gpg --verify "$dbin".sig "$dbin"; then
+ echo "$dbin doesn't match signature."
+ exit 1
+ fi
+
+ sudo aide -c "$base" -C
+
+}
+
+### MAIN
+if [ `basename "$0"` == "aidecheck" ]; then
+
+ # Allow -h for helptext
+ if [ "$1" == '-h' ]; then
+ echo "Checks an AIDE DB"
+ usage 0
+ else
+
+ # Find the config
+ if [ -z "${1}" ]; then
+ base='/etc/aide.conf'
+ else
+ base="/etc/aide/${1}.conf"
+ fi
+ if [ -f "$base" ]; then
+ main "$base"
+ else
+
+ # If it doesn't, explain and exit.
+ echo "$base does not exist"
+ usage 1
+ fi
+ fi
+fi
diff --git a/roles/Sharingan/package/aideinit b/roles/Sharingan/package/aideinit
new file mode 100755
index 0000000..d64cc7f
--- /dev/null
+++ b/roles/Sharingan/package/aideinit
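Review bot: `gpg --verify "$dbin".sig "$dbin"` in `main` exits 0 for a good signature from any key present in the invoking user's keyring, so the gate proves only that some imported key signed the database, not that the key used by aideinit did; a database and `.sig` pair signed by any other key in that keyring would pass and `aide -C` would then trust it. Pin the signer: verify against a dedicated keyring, `gpg --no-default-keyring --keyring <path-to-aide-keyring> --verify "$dbin".sig "$dbin"` (placeholder path), or read `--status-fd 1` output and require a `VALIDSIG <expected-fingerprint>` line before running `aide -C`. `set -x` two lines above the check traces every command to stderr and looks like a debugging leftover, and `dbout` is computed but never used in this script. Since `main` runs `gpg` as the calling user but `aide` under `sudo`, a comment on the `gpg` line naming whose keyring is expected to hold the signing key would also help.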
@@ -0,0 +1,59 @@
+#!/usr/bin/bash
+
+# File: aideinit
+#
+# Description: This script initializes an AIDE DB and signs it
+#
+# Package: AniNIX/Sharingan
+# Copyright: WTFPL
+#
+# Author: DarkFeather
+
+function usage() {
+ echo "Usage: $0 [ config reference ]"
+ exit $1
+}
+
+function main() {
+ ### Initialize the DB
+ base="$1"
+ dbdir="$(grep -m 1 -E '^@@define DBDIR' "$base" | cut -f 3 -d ' ')"
+ dbin="$(grep -m 1 -E '^database_in' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+ dbout="$(grep -m 1 -E '^database_out' "$base" | cut -f 2 -d '=' | sed "s#file:...DBDIR.#${dbdir}#")"
+
+ # sudo chattr -i "$dbin"*
+
+ sudo aide -c "$base" -i 2>&1 | sudo tee "$dbin".out
+ sudo mv "$dbout" "$dbin"
+ sudo chmod 0644 "$dbin"
+ gpg -bs --output - "$dbin" | sudo tee "$dbin".sig &>/dev/null
+ sudo chown root: "$dbin"*
+ sudo chmod 0755 "$dbin"*
+ # sudo chattr +i "$dbin"*
+}
+
+### MAIN
+if [ `basename "$0"` == "aideinit" ]; then
+
+ # Allow -h for helptext
+ if [ "$1" == '-h' ]; then
+ echo "Initializes an AIDE DB"
+ usage 0
+ else
+
+ # Find the config
+ if [ -z "${1}" ]; then
+ base='/etc/aide.conf'
+ else
+ base="/etc/aide/${1}.conf"
+ fi
+ if [ -f "$base" ]; then
+ main "$base"
+ else
+
+ # If it doesn't, explain and exit.
+ echo "$base does not exist"
+ usage 1
+ fi
+ fi
+fi
diff --git a/roles/Sharingan/tasks/ids.yml b/roles/Sharingan/tasks/ids.yml
index 4fa0d53..82d5138 100644
--- a/roles/Sharingan/tasks/ids.yml
+++ b/roles/Sharingan/tasks/ids.yml
@@ -5,6 +5,7 @@
 register: package_install
 package:
 name:
+ - aide
 - sshguard
 - suricata
 - oinkmaster
@@ -73,6 +74,15 @@
group: root mode: 0644 + - name: Create aide conf folder + become: yes + copy: + src: "aide/" + dest: /etc/aide + owner: root + group: root + mode: 0755 + # Network IDS - name: Copy oinkmaster conf register: oinkmaster_conf
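Review bot: In `main`, the status of `sudo aide -c "$base" -i 2>&1 | sudo tee "$dbin".out` is tee's, not aide's, and the same holds for `gpg -bs --output - "$dbin" | sudo tee "$dbin".sig &>/dev/null`, so a failed database build or a failed signing (no secret key, cancelled passphrase prompt) still proceeds to `mv`, `chown` and `chmod` and can leave an empty `.sig` beside a stale or missing database, which aidecheck will then refuse. Add `set -o pipefail` after the shebang and stop on the first failure with `sudo aide -c "$base" -i 2>&1 | sudo tee "$dbin".out || exit 1` and `gpg -bs --output - "$dbin" | sudo tee "$dbin".sig >/dev/null || exit 1`, and give `sudo mv "$dbout" "$dbin"` the same `|| exit 1`. `sudo chmod 0755 "$dbin"*` also marks the database, the `.out` log and the `.sig` executable; `0644` is enough for files that are only read and matches the `chmod 0644` two lines earlier.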
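Review bot: In the `Create aide conf folder` task of the second hunk, `mode: 0755` is applied by `copy` to every file it places under `/etc/aide` when `src` is a directory, so base.conf and yggdrasil.conf land as executable files; use `mode: 0644` for the files and `directory_mode: 0755` for the directory. The first hunk only adds `aide` to the package list and needs nothing further.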