├── LICENSE.md
├── README.md
└── raspi-corelight

/LICENSE.md:
--------------------------------------------------------------------------------
Copyright (c) 2020 by Corelight, Inc

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:

(1) Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.

(2) Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in
    the documentation and/or other materials provided with the
    distribution.

(3) Neither the name of Corelight, Inc, nor the names of contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Corelight@Home (`raspi-corelight` v3.2)

### Configure the Pi to Run Corelight Software Sensor

The Corelight Software Sensor is a 64-bit application, so we have created a configuration tool, `raspi-corelight`, to perform the initial configuration of the sensor and of Raspberry Pi OS. To install and run this tool, perform the following from a terminal window on your Raspberry Pi:

**For official Raspberry Pi OS (64bit)**

Install `raspi-corelight` from GitHub by executing the following (all on one line):

    source <( curl https://raw.githubusercontent.com/corelight/raspi-corelight/main/raspi-corelight)

The script will then download the Software Sensor package from the repository and install it.

Press Enter to start the configuration tool. There will be errors in the Status section of the main menu, since you have not yet installed a license and the service is not yet started.

Select option 6 (Quick Config) to configure the monitor port, enter your license information, and set up Falcon LogScale or Splunk export.
Note that to define the monitor port you must enter a value (such as `eth0`) at the prompt, and you will be asked to accept any changes entered.

You can execute the script at any time with the following command:

    raspi-corelight

This completes the installation of the Corelight Software Sensor for Corelight@Home. You should have network metadata and alerts flowing into your configured data repository. For any installation questions, comments or technical support issues, please read (and contribute to) the `#Corelight_at_Home` channel on Corelight's Community Slack workspace (https://corelightcommunity.slack.com).
For issues downloading a license or accessing the Slack space, email CorelightAtHome@corelight.com.


--------------------------------------------------------------------------------
/raspi-corelight:
--------------------------------------------------------------------------------
```bash
#!/bin/bash
# source <( curl https://raw.githubusercontent.com/corelight/raspi-corelight/main/raspi-corelight)


corelightAtHomeVer="3.2"
corelight="corelight-softsensor"
corelightAtHome="raspi-corelight"
gitRepo="https://github.com/corelight/raspi-corelight.git"
gitBranch="main"
installPath="/opt/raspi-corelight"
logo="Corelight@Home Software Sensor Menu"
licenseFile="/etc/corelight-license.txt"
corelightCfg="/etc/corelight-softsensor.conf"
editor="nano"


colorize () {
    # Reads from stdin and, if no argument is given, automatically colors certain words
    # or lines containing certain words.
    # With arguments the input is colored as requested.
    #
    # Usage:
    #   colorize {--red|--yellow|--green|--blue|--cyan|--bold|--reverse|--underline|--reset}

    local IFS=
    clr=
    bld=
    rvs=
    und=
    red=$(tput setaf 1)
    yellow=$(tput setaf 3)
    green=$(tput setaf 2)
    blue=$(tput setaf 4)
    cyan=$(tput setaf 6)
    bold=$(tput bold)
    reverse=$(tput smso)
    underline=$(tput smul)
    reSet=$(tput sgr0)

    if [[ $# -eq 0 ]]; then
        while read -r dataIn || [[ -n "$dataIn" ]]; do
            case $dataIn in

                # Exact matches
                active*|enabled|*running*|*ENTER*|*Enter*|*Enabling*|*y/n*|*Expires*)
                    echo "$green$dataIn$reSet"
                    ;;
                activating)
                    echo "$yellow$dataIn$reSet"
                    ;;
                disabled|unknown|*inactive*|*dead*)
                    echo "$red$dataIn$reSet"
                    ;;

                # Lines containing certain words (error, critical, warning, etc.)
                *error*|*ERROR*|*Error*|*cannot*|*CANNOT*|*Cannot*|*can\'t*|*CAN\'T*|*Can\'t*|*critical*|*CRITICAL*|*Critical*|*warning*|*WARNING*|*Warning*|*fail*|*FAIL*|*Fail*|*unsuccessful*|*UNSUCCESSFUL*|*Unsuccessful*|*abnormal*|*ABNORMAL*|*Abnormal*)
                    echo "$red$dataIn$reSet"
                    ;;

                # Reset settings for all else
                *)
                    echo "$reSet$dataIn"
                    ;;
            esac
        done
    else
        while [[ $# -gt 0 ]]; do
            key="$1"

            # Manual color settings via arguments
            case $key in
                --red)
                    clr=$red
                    shift
                    ;;
                --yellow)
                    clr=$yellow
                    shift
                    ;;
                --green)
                    clr=$green
                    shift
                    ;;
                --blue)
                    clr=$blue
                    shift
                    ;;
                --cyan)
                    clr=$cyan
                    shift
                    ;;
                --bold)
                    bld=$bold
                    shift
                    ;;
                --reverse)
                    rvs=$reverse
                    shift
                    ;;
                --underline)
                    und=$underline
                    shift
                    ;;
                --reset)
                    clr=$reSet
                    shift
                    ;;
                *)
                    # Unknown flag: drop it, otherwise this loop never terminates
                    shift
                    ;;
            esac
        done
        while read -r dataIn || [[ -n "$dataIn" ]]; do
            echo "$und$bld$rvs$clr$dataIn$reSet"
        done
    fi
}

# Resize the terminal before displaying certain information if the tty is a serial console
resizeTerm () {
    myTerm=$(tty)
    if [[ $myTerm == "/dev/ttyS0" ]] || [[ $myTerm == "/dev/ttyS1" ]] ; then
        old=$(stty -g)
        stty raw -echo min 0 time 5

        # Ask the terminal for its size: save cursor, move far down-right, query position, restore
        printf '\0337\033[r\033[999;999H\033[6n\0338' > /dev/tty
        IFS='[;R' read -r _ rows cols _ < /dev/tty

        stty "$old"
        stty cols "$cols" rows "$rows"
    fi
}

# Menu selection prompt
currentHostname=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f1 -d "." | cut -f2 -d " " | colorize --cyan)
PS3="[$currentHostname] Selection: "

# menuPath and menuDisplay
menuPath=

menuDisplay () {
    corelightStatus
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo "Hit ENTER for Menu"
    echo
}

pressEnter () {
    echo "[Press ENTER]" | colorize ; read DUMMY
}

corelightStat () {
    myIpStat=
    myGatewayStat=
    myDnsStat=

    # Network info (the management interface is assumed to be wlan0)
    myIpStat=$(ip -4 addr list wlan0 | grep inet | cut -f 6 -d " ")
    srcIp=$(echo "$myIpStat" | cut -f 1 -d "/")
    myGatewayStat=$(ip route | grep default | grep wlan0 | cut -f 3 -d " ")
    myDnsStat=$(grep ^nameserver /etc/resolv.conf | cut -f 2 -d " ")

    # Sensor info
    sensorStat=$(systemctl is-active $corelight | colorize)
    sensorEnabledStat=$(systemctl is-enabled $corelight | colorize)
    sensorVersion=$($corelight -v)

    # Auto Update info
    #sysAutoUpdateStat=$(systemctl is-active apt-daily-upgrade.timer | colorize)
    #sysAutoUpdateEnabledStat=$(systemctl is-enabled apt-daily-upgrade.timer | colorize)

    # System info
    timezoneStat=$(timedatectl | grep "Time zone:" | cut -f 2 -d ":")
    ntpEnabledStat=$(systemctl status ntp | grep "Active" | awk '{ print $2 }' | colorize)
    currentHostname=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f1 -d "." | cut -f2 -d " ")
    currentDomain=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f2- -d ".")
    fqdn=$(echo "$currentHostname.$currentDomain" | colorize --cyan)
    currentUptime=$(uptime | cut -f 2- -d " ")

    resizeTerm

    echo
    echo "System Status for $fqdn:"
    echo
    echo "  $currentUptime"
    echo "  Timezone: $timezoneStat (NTP $ntpEnabledStat)"
    echo
    printf "  Sensor Service: %-25s%-25s%-25s\n" "$sensorStat" "$sensorEnabledStat" "v$sensorVersion"

    #printf "  System Auto-Update: %-25s%-25s%-25s\n" "$sysAutoUpdateStat" "$sysAutoUpdateEnabledStat" "$sysAutoUpdateConfig"
    echo
    echo "Management Interface:"
    echo
    echo "  IP:      " $myIpStat
    echo "  Gateway: " $myGatewayStat
    echo "  DNS:     " $myDnsStat
}

corelightStatus () {
    clear
    echo "$logo (v$corelightAtHomeVer)" | colorize --reverse --cyan
    echo
    echo "Hostname:" $currentHostname
    echo "Host IP:" $(hostname -I | colorize --cyan)
    echo "WAN IP:" $(wanIP | colorize --cyan)
    echo "Corelight Version:" $($corelight -v | colorize --cyan)
    echo "Corelight License:" $(licensed | colorize --cyan)
    echo "Corelight Service:" $(sensorStatus | colorize)
    echo
    echo
}

runCorelightAtHome () {
    AARCH64=$(uname -m)

    if [[ ! "$AARCH64" == "aarch64" ]] ; then
        echo "### ------------------------------------------------------------------------------------------ ###" | colorize --red ;
        echo "### This is not a 64 bit architecture. Please load Raspberry Pi OS 64bit (do not use Lite)     ###" | colorize --red ;
        echo "### ------------------------------------------------------------------------------------------ ###" | colorize --red ;
        echo "[Press Enter]" | colorize; read DUMMY ;
        exit 0
    fi

    # Test for old package repo, re-run setup to add new repo, then remove old repo
    if [ -f /etc/apt/sources.list.d/corelight-softsensor.list ]; then
        echo "[Removing old package repository]"
        sudo rm /etc/apt/sources.list.d/corelight-softsensor.list
        echo "[Re-running repository setup to add new package repository]"
        setupRepo
    fi

    if ! [ -x "$installPath/$corelightAtHome" ]; then
        # This cleans up v1.0.
        if [ -x /usr/bin/raspi-corelight ]; then
            sudo rm /usr/bin/raspi-corelight
        fi

        # Clone the c@h git repo (install git first if it is missing)
        git --version >/dev/null 2>&1 ||
            { echo >&2 "[Git is not installed. Installing..]";
              sudo apt -y install git
            }
        if sudo git clone --depth 1 -b $gitBranch $gitRepo $installPath ; then
            echo "[Initial CorelightAtHome install...]"
            sudo chmod 755 "$installPath/$corelightAtHome"
            sudo ln -s "$installPath/$corelightAtHome" /usr/bin/$corelightAtHome
            echo "[Installed Corelight@Home to $installPath ]"
            echo "[Created symbolic link to /usr/bin/$corelightAtHome ]"
        else
            echo "[ERROR git clone for $corelightAtHome failed]" | colorize
            pressEnter
        fi
    fi

    # Launch menu if everything checks out; the non-64-bit case has already exited above,
    # so the only other possibility is a 64-bit host without the sensor package installed.
    if [[ -x /usr/bin/$corelight ]] ; then
        mainMenu
    else
        echo "[Finishing Corelight@Home installation ]" | colorize --green
        setupRepo
        sudo apt -y install ntp
        installCorelight
        echo "[Launching Corelight@Home. Run Quick Config (option 6) to finish initial configuration.]" | colorize --green
        pressEnter
        mainMenu
    fi
}

# Update Corelight@Home
updateAtHome () {
    if [ -x "$installPath/$corelightAtHome" ]; then
        echo "[Checking Corelight@Home github...]"
        cd "$installPath" || return
        if sudo git pull; then
            echo "[git update completed]"; sleep 5
            /usr/bin/$corelightAtHome
            exit 0
        else
            echo "[ERROR during Corelight@Home update]" | colorize
            pressEnter
        fi
    else
        echo "[Initial CorelightAtHome install...]"
        if sudo git clone --depth 1 -b $gitBranch $gitRepo $installPath ; then
            sudo chmod 755 "$installPath/$corelightAtHome"
            sudo ln -s "$installPath/$corelightAtHome" /usr/bin/$corelightAtHome
            echo "[Installed Corelight@Home to $installPath ]"
            echo "[Created symbolic link to /usr/bin/$corelightAtHome ]"
        else
            echo "[ERROR git clone for $corelightAtHome failed]" | colorize
            pressEnter
        fi
    fi
}

wanIP () {
    host myip.opendns.com resolver1.opendns.com | grep "myip.opendns.com has" | awk '{print $4}'
}

licensed () {
    if [ -f "$licenseFile" ]; then
        CUSTOMER_LIC_NAME=$($corelight license | grep "ccs.customer=" | cut -f2 -d=)
        CUSTOMER_LIC_EXPIRE=$($corelight license | grep "sensor.expire" | cut -f2 -d=)
        echo "$CUSTOMER_LIC_NAME - Expires: $CUSTOMER_LIC_EXPIRE" ;
    else
        echo " ###NO - $licenseFile does not exist###" | colorize --red ;
    fi
}

# Display Corelight Sensor status
sensorStatus () {
    sudo systemctl status $corelight | grep "Active:" | cut -d: -f 2-;
}

# Restart Corelight Sensor
sensorRestart () {
    clear ; echo "[Restarting Corelight...]" ; sudo systemctl restart $corelight ; sleep 4
    sudo systemctl enable corelight-softsensor
}

# Stop Corelight Sensor
sensorStop () {
    clear ; echo "[Stopping Corelight...]" ; sudo systemctl stop $corelight ; sleep 4
}

healthCheck () {
    clear
    echo "[### Checking Interfaces ###]"
    echo
    ifconfig -s
    echo
    echo "[### Checking Diskspace ###]"
    echo
    df -h
    echo
    echo "[### Checking Connectivity and DNS ###]"
    echo
    ping -c 3 www.google.com
    echo
    echo "[### CPU & GPU Temperature ###]"
    CPU_TEMP=$(cat /sys/class/thermal/thermal_zone0/temp)
    echo "$(date) @ $(hostname)"
    echo "-------------------------------------------"
    # vcgencmd lives in /usr/bin on 64-bit Raspberry Pi OS; fall back to the legacy /opt/vc path
    echo "GPU => $($(command -v vcgencmd || echo /opt/vc/bin/vcgencmd) measure_temp)"
    echo "CPU => temp=$((CPU_TEMP / 1000 ))'C"
    pressEnter ;
}

defineSniff () {
    monitorInterface=""
    echo "[Interface Lists:]" ;
    echo $(ifconfig -s | awk '{print $1}') ;
    echo
    echo "Define Interface for Corelight to monitor [eth0~2]:" ; read monitorInterface ;
    monitorInterface=${monitorInterface:-eth0~2}
    echo
    echo "New monitor interface is: [$monitorInterface]"
    echo
    read -p "Accept Configuration (y/n): " acceptConfig
    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo sed -i -e "s/^\([^#]*\)Corelight::sniff.*/Corelight::sniff\t\t$monitorInterface/" "$corelightCfg" ;
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

installCorelight () {
    sudo apt-get update && sudo apt-get -y install $corelight ;
    if [ -f "$corelightCfg" ]; then
        echo "[Found existing Corelight SoftSensor config at $corelightCfg]";
    else
        echo "[Copying sample Corelight SoftSensor config to $corelightCfg]";
        sudo cp /etc/corelight-softsensor.conf.example "$corelightCfg";
    fi
    sudo systemctl enable corelight-softsensor
}

installLicense () {
    CORELIGHT_LICENSE=""
    ANSWER=""
    if [ -f "$licenseFile" ] ; then
        echo "[ALERT: Corelight License File Exists] Overwrite (y/n):" ; read ANSWER ;
        if [ "$ANSWER" == "y" ]; then
            echo "[Please enter Corelight License String]:" ; read license ;
            echo "$license" | sudo tee "$licenseFile" ;
            sensorRestart
        fi
    else
        echo "[Please enter Corelight License String]:" ; read license ;
        echo "$license" | sudo tee "$licenseFile" ;
    fi
}

enableSshd () {
    echo "[Enabling SSHD]" | colorize --cyan;
    sudo systemctl enable ssh ;
    sudo systemctl start ssh ;
    sleep 3 ;
}

sshdStatus () {
    sudo systemctl status sshd | grep Active: | cut -f2 -d:
}

denyEth0 () {
    clear
    echo "[Removing IP on eth0 interface.                                     ]"
    echo "[This will add [denyinterfaces eth0] to [/etc/dhcpcd.conf]          ]"
    echo "[This will add [link up-down commands] to [/etc/network/interfaces] ]"
    echo "[Do this if the monitor interface is exposed to the internet.       ]"
    echo "[THIS SHOULD ONLY BE RUN ONCE. EDIT FILES MANUALLY AFTER.           ]"
    echo ""
    echo "[Proceed (y/n)]:" | colorize ; read ANSWER ;
    if [ "$ANSWER" = "y" ]; then
        if ! grep -q '^denyinterfaces eth0' /etc/dhcpcd.conf ; then
            echo 'denyinterfaces eth0' | sudo tee -a /etc/dhcpcd.conf >/dev/null
            sudo more /etc/dhcpcd.conf
            echo "[Press Enter]" | colorize; read DUMMY ;
            echo "auto eth0" | sudo tee -a /etc/network/interfaces ;
            echo "iface eth0 inet manual" | sudo tee -a /etc/network/interfaces ;
            echo "up ifconfig 0.0.0.0 up" | sudo tee -a /etc/network/interfaces ;
            echo "up ip link set eth0 promisc on" | sudo tee -a /etc/network/interfaces ;
            echo "down ip link set eth0 promisc off" | sudo tee -a /etc/network/interfaces ;
            echo "down ip link set eth0 down" | sudo tee -a /etc/network/interfaces ;
            sudo more /etc/network/interfaces
            pressEnter ;
        else
            echo "[This has already been done.]"
            pressEnter ;
        fi
    fi
}

# Setup iDaptive authentication File
#idaptive () {
#    echo "machine pkgs.corelight.com/deb/stable" | sudo tee /etc/apt/auth.conf.d/corelight-softsensor.conf 1> /dev/null;
#    read -p "[Please Enter iDaptive Username]:" REPO_USERNAME;
#    echo "  login $REPO_USERNAME" | sudo tee -a /etc/apt/auth.conf.d/corelight-softsensor.conf 1> /dev/null;
#    read -p "[Please Enter iDaptive Password]:" REPO_PASSWORD;
#    echo "  password $REPO_PASSWORD" | sudo tee -a /etc/apt/auth.conf.d/corelight-softsensor.conf 1> /dev/null;
#}

setupRepo () {
    clear ;
    # Install PackageCloud prereqs
    echo "[Installing PackageCloud prerequisites (debian-archive-keyring, curl, gnupg, apt-transport-https)]";
    sudo apt install debian-archive-keyring curl gnupg apt-transport-https -y
    # Download and run the Debian setup script for PackageCloud
    echo "[Downloading and executing PackageCloud setup script]";
    curl -s https://packages.corelight.com/install/repositories/corelight/stable/script.deb.sh | sudo bash

    # Commented out 2022-10-12 because repo is not authenticated yet
#    echo "[This requires your iDaptive Username and Password. ]";
#    if [ ! -f /etc/apt/auth.conf.d/corelight-softsensor.conf ]; then
#        #idaptive
#        # Added to preserve the structure
#        : #NOP
#    else
#        read -p "[iDaptive password has been set. Would you like to reconfigure? (y/N)" acceptConfig
#        if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
#            idaptive
#            sudo apt update
#        fi
#    fi
}

editCorelightCfg () {
    sudo $editor "$corelightCfg"
}

setupLogScale () {
    logScaleEnabledStatus=$(grep Corelight\:\:hec_enable "$corelightCfg" | awk '{print $2}')
    logScaleHecUrl=$(grep Corelight\:\:hec_url "$corelightCfg" | awk '{print $2}')
    echo "Current Config:";
    echo "Export target is [$logScaleHecUrl]";
    echo "Export enable is [$logScaleEnabledStatus]";
    echo "";
    logScaleToken="" ;
    logScaleHecUrl="";
    echo "[Please enter Falcon LogScale URL (Default=https://cloud.community.humio.com)]:" ;
    echo "[Enter https://cloud.community.humio.com or https://cloud.us.humio.com or https://cloud.humio.com]:" ; read logScaleHecUrl ;
    echo "[Please enter Falcon LogScale API token]:" ; read logScaleToken ;
    echo ""
    echo "New Export target is [${logScaleHecUrl:-https://cloud.community.humio.com}/services/collector]";
    echo "New Export token is [$logScaleToken]";
    echo "New Export enable is [T]";
    echo ""
    read -p "Accept Configuration (y/n): " acceptConfig
    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo sed -i -e "s|.*Corelight::hec_token.*|Corelight::hec_token\t\t$logScaleToken|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_url.*|Corelight::hec_url\t\t${logScaleHecUrl:-https://cloud.community.humio.com}/services/collector|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_enable.*|Corelight::hec_enable\t\tT|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_verify_cert.*|Corelight::hec_verify_cert\tT|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_sourcetype_prefix.*|Corelight::hec_sourcetype_prefix|" "$corelightCfg";
        sensorRestart ;
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

setupSplunk () {
    splunkEnabledStatus=$(grep Corelight\:\:hec_enable "$corelightCfg" | awk '{print $2}')
    splunkHecUrl=$(grep Corelight\:\:hec_url "$corelightCfg" | awk '{print $2}')
    splunkPrefix=$(grep Corelight\:\:hec_sourcetype_prefix "$corelightCfg" | awk '{print $2}')
    echo "Current Config:";
    echo "Export target is [$splunkHecUrl]";
    echo "Export enable is [$splunkEnabledStatus]";
    echo "Export prefix is [$splunkPrefix]";
    echo "";
    splunkToken="" ;
    splunkHecUrl="" ;
    splunkPrefix=${splunkPrefix:-corelight_};
    echo "[Please enter Splunk URL]:" ;
    echo "[http://:8088/services/collector/event]:" ; read splunkHecUrl;
    echo "[Please enter Splunk API token]:" ; read splunkToken ;
    echo "[Please enter prefix (Default: corelight_)]:" ; read splunkPrefix ;
    echo "----------"
    # The URL is written to the config exactly as entered (it must already include the collector path)
    echo "New Export target is [$splunkHecUrl]";
    echo "New Export token is [$splunkToken]";
    echo "New Export enable is [T]";
    echo "New Export prefix is [${splunkPrefix:-corelight_}]";
    echo ""
    read -p "Accept Configuration (y/n): " acceptConfig
    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo sed -i -e "s|.*Corelight::hec_token.*|Corelight::hec_token\t\t$splunkToken|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_url.*|Corelight::hec_url\t\t$splunkHecUrl|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_enable.*|Corelight::hec_enable\t\tT|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_verify_cert.*|Corelight::hec_verify_cert\tF|" "$corelightCfg";
        sudo sed -i -e "s|.*Corelight::hec_sourcetype_prefix.*|Corelight::hec_sourcetype_prefix\t${splunkPrefix:-corelight_}|" "$corelightCfg";
        sensorRestart ;
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

# Quick Config function. The idea for this function is to have a working config and a started sensor by the end.
quickConfig () {
    clear
    echo "###########################################################"
    echo "# This is a quick config walk-through and will restart    #"
    echo "# the Corelight Sensor software. Completing this wizard   #"
    echo "# should provide a running Corelight sensor with export   #"
    echo "# to Falcon LogScale Cloud or Splunk HEC:HTTP.            #"
    echo "#                                                         #"
    echo "# The following is required to complete setup:            #"
    echo "#   -Monitor Interface (Probably eth0)                    #"
    echo "#   -Valid Corelight License for Software Sensor          #"
    echo "#   -if Falcon LogScale Need: API Ingest Token            #"
    echo "#   -if Splunk Need: splunk HEC URL & API Token           #"
    echo "#                                                         #"
    echo "###########################################################"
    echo ""
    echo "[Press Enter to Continue]" ; read DUMMY ;

    defineSniff
    installLicense
    setupRepo
    enableSshd
    ANSWER=""
    echo "Configure Falcon LogScale HEC Export? (y/n):" ; read ANSWER ;
    if [ "$ANSWER" = "y" ]; then
        setupLogScale
    else
        ANSWER1=""
        echo "Configure Splunk HEC Export? (y/n):" ; read ANSWER1 ;
        if [ "$ANSWER1" = "y" ]; then
            setupSplunk
        fi
    fi
    sensorRestart
}

#showDateAndTime () {
#
#    echo
#    echo "Date and Time Configuration" | colorize --underline
#    echo
#
#    timedatectl
#    echo "NTP Client is: `systemctl status ntp | grep "Active" | awk '{ print $2 }' | colorize`"
#    pressEnter
#}

setDate () {
    echo
    echo "$selection" | colorize --underline
    echo

    read -p "Format YYYY-MM-DD: " myDate
    echo
    echo "Confirm Date: $myDate"
    echo

    read -p "Accept Configuration (y/n): " acceptConfig

    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo timedatectl set-time "$myDate"
        echo "$selection complete."
        echo
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

setTime () {
    echo
    echo "$selection" | colorize --underline
    echo

    read -p "Format HH:MM:SS (24 hour): " myTime
    echo
    echo "Confirm Time: $myTime"
    echo

    read -p "Accept Configuration (y/n): " acceptConfig

    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo timedatectl set-time "$myTime"
        echo "$selection complete."
        echo
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

setTimezone () {
    timezoneRegions=$(timedatectl list-timezones | cut -f 1 -d "/" | sort -u)
    timezoneStat=$(timedatectl | grep "Time zone:" | cut -f 2 -d ":")

    resizeTerm

    echo
    echo "$selection" | colorize --underline
    echo

    echo "Current Timezone: $timezoneStat"
    echo
    echo "Please select the Timezone Region:"
    echo

    select myTimezoneRegion in "BACK" ${timezoneRegions[@]};
    do
        case "$myTimezoneRegion" in
            "BACK")
                break
                ;;
            *)
                timezoneLocations=$(timedatectl list-timezones | grep "^$myTimezoneRegion")
                echo
                echo "Please Select the Timezone Location:"
                echo

                select myTimezoneLocation in "BACK" ${timezoneLocations[@]};
                do
                    case "$myTimezoneLocation" in
                        "BACK")
                            break 2
                            ;;
                        *)
                            echo
                            echo "Timezone Selected: $myTimezoneLocation"
                            echo
                            read -p "Accept Configuration (y/n): " acceptConfig

                            if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
                                sudo timedatectl set-timezone "$myTimezoneLocation"

                                echo "$selection complete."
                                echo
                                break 2
                            else
                                echo
                                echo "Cancelling Configuration Change"
                                echo

                                break 2
                            fi
                            ;;
                    esac
                done
                ;;
        esac
    done
}

enableNtp () {
    echo
    echo "$selection" | colorize --underline
    echo

    read -p "Accept Configuration (y/n): " acceptConfig

    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        checkNtp=$(dpkg -s ntp | grep Status | awk '{ print $4}')
        if [ "$checkNtp" == "installed" ]; then
            sudo systemctl start ntp
        else
            sudo apt-get -y install ntp
            sudo systemctl start ntp
        fi
        echo "$selection complete."
        pressEnter
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

disableNtp () {
    echo
    echo "$selection" | colorize --underline
    echo

    read -p "Accept Configuration (y/n): " acceptConfig

    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo systemctl stop ntp
        echo "$selection complete."
        echo
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

configureHostname () {
    echo
    echo "$selection" | colorize --underline
    echo

    currentHostname=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f1 -d "." | cut -f2 -d " ")
    currentDomain=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f2- -d ".")

    echo "Current Hostname: $currentHostname"
    echo "Current Domain: $currentDomain"
    echo
    read -p "New Hostname: " newHostname
    read -p "New Domain: " newDomain
    echo
    echo "Confirm new Hostname and Domain: $newHostname.$newDomain"

    read -p "Accept Configuration (y/n): " acceptConfig

    if [[ "$acceptConfig" == "y" ]] || [[ "$acceptConfig" == "yes" ]]; then
        sudo hostnamectl set-hostname "$newHostname.$newDomain"
        currentHostname=$(hostnamectl | grep "Static hostname:" | cut -f2 -d ":" | cut -f1 -d "." | cut -f2 -d " " | colorize --cyan)
        PS3="[$currentHostname] Selection: "

        echo "$selection complete."
        echo
    else
        echo
        echo "Cancelling Configuration Change"
        echo
    fi
}

# Main Menu
#

mainMenu () {
    corelightStatus
    menuPath="Sensor"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "System" "Access" "Export" "Updates" "Maintain" "Quick Config" "Logout" "Exit to shell"
    do
        case "$selection" in
            "System")
                systemMenu
                menuDisplay
                ;;
            "Access")
                accessMenu
                menuDisplay
                ;;
            "Export")
                exportMenu
                menuDisplay
                ;;
            "Updates")
                updatesMenu
                menuDisplay
                ;;
            "Maintain")
                maintainMenu
                menuDisplay
                ;;
            "Quick Config")
                quickConfig
                menuDisplay
                ;;
            "Logout")
                kill -HUP $PPID
                ;;
            "Exit to shell")
                echo
                echo "Exiting to shell. Run $0 to return to configuration"
                echo
                break
                ;;
        esac
    done
}

accessMenu () {
    # clear
    menuPath="Sensor / Access"
    echo
    echo "SSHD Service:" $(sshdStatus | colorize)
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "BACK" "Enable SSHD" "Remove IP eth0"
    do
        case "$selection" in
            "Enable SSHD")
                enableSshd
                menuDisplay
                ;;
            "Remove IP eth0")
                denyEth0
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor"
                break
                ;;
        esac
    done
}

dateAndTimeMenu () {
    menuPath="Sensor / System / Date and Time"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "BACK" "Set Date" "Set Time" "Set Timezone" "Enable NTP" "Disable NTP"
    do
        case "$selection" in
            "Set Date")
                setDate
                menuDisplay
                ;;
            "Set Time")
                setTime
                menuDisplay
                ;;
            "Set Timezone")
                setTimezone
                menuDisplay
                ;;
            "Enable NTP")
                enableNtp
                menuDisplay
                ;;
            "Disable NTP")
                disableNtp
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor / System"
                break
                ;;
        esac
    done
}

systemMenu () {
    menuPath="Sensor / System"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "BACK" "Show System INFO" "Date and Time" "Configure Hostname"
    do
        case "$selection" in
            "Show System INFO")
                corelightStat ; pressEnter
                menuDisplay
                ;;
            "Date and Time")
                dateAndTimeMenu
                menuDisplay
                ;;
            "Configure Hostname")
                configureHostname
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor"
                break
                ;;
        esac
    done
}

exportMenu () {
    # clear
    menuPath="Sensor / Export"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "BACK" "Falcon LogScale HEC" "Splunk HEC"
    do
        case "$selection" in
            "Falcon LogScale HEC")
                setupLogScale
                menuDisplay
                ;;
            "Splunk HEC")
                setupSplunk
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor"
                break
                ;;
        esac
    done
}


updatesMenu () {
    # clear
    menuPath="Sensor / Updates"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    select selection in "BACK" "Update Corelight" "Update Corelight@Home Menu" "Update System"
    do
        case "$selection" in
            "Update Corelight")
                installCorelight ; pressEnter
                menuDisplay
                ;;
            "Update Corelight@Home Menu")
                updateAtHome
                menuDisplay
                ;;
            "Update System")
                clear ; sudo apt-get --assume-yes upgrade ; pressEnter
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor"
                break
                ;;
        esac
    done
}

maintainMenu () {
    # clear
    menuPath="Sensor / Maintain"
    echo
    echo "$menuPath" | colorize --reverse --cyan
    echo

    # The menu label must match its case branch below, otherwise the entry does nothing
    select selection in "BACK" "Restart Sensor" "Stop Sensor" "Edit Corelight Config" "Define Monitor Interface" "Install License" "Install Corelight" "Health Check" "Set Up Corelight Package Repository" "Interface Stats"
    do
        case "$selection" in
            "Restart Sensor")
                sensorRestart
                menuDisplay
                ;;
            "Stop Sensor")
                sensorStop
                menuDisplay
                ;;
            "Edit Corelight Config")
                editCorelightCfg
                menuDisplay
                ;;
            "Define Monitor Interface")
                defineSniff
                menuDisplay
                ;;
            "Install License")
                installLicense
                menuDisplay
                ;;
            "Install Corelight")
                installCorelight
                menuDisplay
                ;;
            "Health Check")
                healthCheck
                menuDisplay
                ;;
            "Set Up Corelight Package Repository")
                setupRepo
                menuDisplay
                ;;
            "Interface Stats")
                clear ; ifconfig -s | more ; pressEnter
                menuDisplay
                ;;
            "BACK")
                menuPath="Sensor"
                break
                ;;
        esac
    done
}


# start the menu
runCorelightAtHome
```
--------------------------------------------------------------------------------
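The README's install one-liner (`source <( curl ... )`) and the `setupRepo` function (`curl ... | sudo bash`) both execute whatever the download returns, with nothing checked in between. The following is an added example, not code from the raspi-corelight project, showing the usual defensive alternative: fetch to a file, compare its SHA-256 against a digest pinned from a copy you have already reviewed, and only then source it. The URL is the README's; the pinned digest is a placeholder you must replace, and `verifySha256` / `fetchVerified` are names chosen here.

```shell
#!/bin/bash
# Added example (not part of raspi-corelight): fetch-then-verify instead of
# `source <(curl ...)`. Replace the PLACEHOLDER digest with the SHA-256 of a
# copy of the script you have reviewed before relying on this.

installerUrl="https://raw.githubusercontent.com/corelight/raspi-corelight/main/raspi-corelight"
pinnedSha256="0000000000000000000000000000000000000000000000000000000000000000"   # PLACEHOLDER

# verifySha256 FILE EXPECTED  -> exit 0 when FILE's SHA-256 equals EXPECTED, 1 otherwise
verifySha256 () {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# fetchVerified URL EXPECTED DEST -> download to a temp file, verify, then move to DEST.
# On any failure nothing is left behind and nothing is executed.
fetchVerified () {
    local url="$1" expected="$2" dest="$3" tmp
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        echo "download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verifySha256 "$tmp" "$expected"; then
        echo "SHA-256 mismatch for $url; refusing to execute it" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Only when invoked as `./this-script --install` (needs network): this is the
# README's one-liner with the integrity check inserted before the source.
if [ "${1:-}" = "--install" ]; then
    fetchVerified "$installerUrl" "$pinnedSha256" ./raspi-corelight && . ./raspi-corelight
fi
```

`curl -fsSL` makes HTTP errors fatal so a 404 page is never mistaken for the script, and the digest comparison is what turns "the CDN served something" into "the CDN served the file I reviewed"; the same wrapper applies to the PackageCloud `script.deb.sh` that `setupRepo` pipes into `sudo bash`.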
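`setupLogScale` and `setupSplunk` write the HEC token and URL into `/etc/corelight-softsensor.conf` with `sudo sed -i -e "s|.*Corelight::hec_token.*|Corelight::hec_token\t\t$token|"`. Two things a reviewer would flag: the value is spliced into the sed program unescaped, so a token or URL containing `|`, `&` or `\` corrupts the line or the command, and `.*KEY.*` also rewrites commented-out copies of the key. The following is an added example, not the project's code, of a setter that passes the value through the environment (so nothing in it is interpreted), replaces only lines whose first field is exactly the key, and appends the key when it is absent. The `Corelight::hec_*` key names are the page's; `setCfgValue`, `getCfgValue` and `makeSampleCfg` are names chosen here, and the sample config is constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not part of raspi-corelight): a safe replacement for the
# `sed -i "s|.*KEY.*|KEY\t\t$value|"` pattern used by setupLogScale/setupSplunk.

# setCfgValue FILE KEY VALUE
#   Replaces every line whose first whitespace-separated field is exactly KEY
#   with "KEY<TAB><TAB>VALUE"; appends the line if KEY was not present.
#   VALUE reaches awk via ENVIRON, so '|', '&', '\' and quotes are literal.
setCfgValue () {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp) || return 1
    CFG_KEY="$key" CFG_VAL="$value" awk '
        BEGIN { key = ENVIRON["CFG_KEY"]; val = ENVIRON["CFG_VAL"]; done = 0 }
        $1 == key { print key "\t\t" val; done = 1; next }
        { print }
        END { if (!done) print key "\t\t" val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"    # keep the file's inode/ownership
    rm -f "$tmp"
}

# getCfgValue FILE KEY -> prints the value of the first active (uncommented) KEY line
getCfgValue () {
    CFG_KEY="$2" awk '$1 == ENVIRON["CFG_KEY"] { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$1"
}

# Constructed sample in the layout of /etc/corelight-softsensor.conf; prints its path
makeSampleCfg () {
    local f
    f=$(mktemp) || return 1
    printf '%s\n' \
        '# Corelight::hec_url        https://example.invalid/services/collector' \
        'Corelight::hec_enable      F' \
        'Corelight::hec_url         https://old.example.invalid/services/collector' \
        'Corelight::hec_token       old-token' > "$f"
    printf '%s' "$f"
}
```

Against the real config the call is `sudo` + the function (or `sudo bash -c`), exactly where the script runs `sudo sed -i`; a token such as `abc|def&ghi` goes through unchanged, and the commented `# Corelight::hec_url` example line the sample keeps is left alone because its first field is `#`.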