#!/bin/sh

# Global Variables
OSSEC_HOME="/var/ossec/"
OSSEC_CONF_FILE="$OSSEC_HOME/etc/ossec.conf"
RULES_TEMPLATE="$OSSEC_HOME/etc/templates/rules.template"
SYSCHECK_TEMPLATE="$OSSEC_HOME/etc/templates/syscheck.template"
HOST_DENY_TEMPLATE="$OSSEC_HOME/etc/templates/ar-host-deny.template"
FIREWALL_DROP_TEMPLATE="$OSSEC_HOME/etc/templates/ar-firewall-drop.template"
DISABLE_ACCOUNT_TEMPLATE="$OSSEC_HOME/etc/templates/ar-disable-account.template"
ROUTENULL_TEMPLATE="$OSSEC_HOME/etc/templates/ar-routenull.template"
SYSLOG_TEMPLATE="$OSSEC_HOME//etc/templates/syslog-logs.template"
SNORT_TEMPLATE="$OSSEC_HOME/etc/templates/snort-logs.template"
APACHE_TEMPLATE="$OSSEC_HOME/etc/templates/apache-logs.template"
PGSQL_TEMPLATE="$OSSEC_HOME/etc/templates/pgsql-logs.template"
ACTIVE_RESPONSE_TEMPLATE="$OSSEC_HOME/etc/templates/active-response.template"

HOSTNAME=$(hostname)

# Module specific functions

# Input validation function 
# check_input <msg> <valid responses regex> <default>
# if <default> is passed on as null, then there is no default
# Example: check_input  "Some question (yes/no) " "yes|no"  "yes"
function check_input {
  message=$1
  validate=$2
  default=$3

  while [ $? -ne 1 ]; do
    echo -n "$message "
    read INPUTTEXT < /dev/tty
    if [ "$INPUTTEXT" == "" -a "$default" != "" ]; then
      INPUTTEXT=$default
      return 1
    fi
    echo $INPUTTEXT | egrep -q "$validate" && return 1
    echo "Invalid input"
  done
}


# Main
echo
echo "OSSEC Configuration utility v0.1"
echo

echo "<ossec_config>" > ${OSSEC_CONF_FILE}.new

# Back up config file
cp ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak

# Set language

# grabs System/User/Host

# Ossec installed? 

# server/agent/local or help
check_input "1- What kind of installation do you want? (server, agent, local) [Default: server]:" "server|agent|local" "server"
OSSEC_TYPE=$INPUTTEXT
echo

echo "2- Setting up the configuration environment."
echo

# email notification
echo "3- Configuring the OSSEC HIDS."
echo
check_input "  3.1- Do you want e-mail notification? (y/n) [Default: y]:" "y|n" "y"
EMAIL_NOTIFICATION=$INPUTTEXT

echo "  <global>" >>  ${OSSEC_CONF_FILE}.new
if [ "$EMAIL_NOTIFICATION" == "y" ]; then
  # Get default email address
  echo -n "   - What's your e-mail address? "
  read EMAIL_ADDRESS < /dev/tty
  echo "    <email_notification>yes</email_notification>" >> ${OSSEC_CONF_FILE}.new
  echo "    <email_to>$EMAIL_ADDRESS</email_to>" >> ${OSSEC_CONF_FILE}.new
 
  # find local smtp server, use it?

  # else enter it manually
  echo -n "   - What's your SMTP server ip/host? "
  read SMTP_SERVER < /dev/tty
  echo "    <smtp_server>$SMTP_SERVER</smtp_server>"  >> ${OSSEC_CONF_FILE}.new
  echo "    <email_from>ossecm@$HOSTNAME</email_from>" >> ${OSSEC_CONF_FILE}.new
else
  echo "    <email_notification>no</email_notification>" >> ${OSSEC_CONF_FILE}.new
fi
echo "  </global>" >> ${OSSEC_CONF_FILE}.new
echo "" >> ${OSSEC_CONF_FILE}.new



# update the rules?
cat $RULES_TEMPLATE >> ${OSSEC_CONF_FILE}.new
echo "" >> ${OSSEC_CONF_FILE}.new
echo



# where is ossec

# run integrity check daemon?
check_input "  3.2- Do you want to run the integrity check daemon? (y/n) [y]:" "y|n" "y"
INTEGRITY_CHECK=$INPUTTEXT
if [ "$INTEGRITY_CHECK" == "y" ]; then
  echo "" >> ${OSSEC_CONF_FILE}.new
  cat $SYSCHECK_TEMPLATE >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new
fi
echo

# run rootkit detection engine?
check_input "  3.3- Do you want to run the rootkit detection engine? (y/n) [y]:" "y|n" "y" 
ROOTCHECK=$INPUTTEXT
if [ "$ROOTCHECK" == "y" ]; then
  echo "" >> ${OSSEC_CONF_FILE}.new
  echo "  <rootcheck>" >> ${OSSEC_CONF_FILE}.new
  echo "    <rootkit_files>$OSSEC_HOME/etc/shared/rootkit_files.txt</rootkit_files>" >> ${OSSEC_CONF_FILE}.new
  echo "    <rootkit_trojans>$OSSEC_HOME/etc/shared/rootkit_trojans.txt</rootkit_trojans>" >> ${OSSEC_CONF_FILE}.new
  echo "    <system_audit>$OSSEC_HOME/etc/shared/system_audit_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
  echo "    <system_audit>$OSSEC_HOME/etc/shared/cis_rhel_linux_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
  echo "    <system_audit>$OSSEC_HOME/etc/shared/cis_rhel5_linux_rcl.txt</system_audit>" >> ${OSSEC_CONF_FILE}.new
  echo "  </rootcheck>" >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new
else
  echo "" >> ${OSSEC_CONF_FILE}.new
  echo "  <rootcheck>" >> ${OSSEC_CONF_FILE}.new
  echo "    <disabled>yes</disabled>" >> ${OSSEC_CONF_FILE}.new
  echo "  </rootcheck>" >> ${OSSEC_CONF_FILE}.new
fi
echo


# enable active response
echo "  3.4- Active response allows you to execute a specific 
       command based on the events received. For example,
       you can block an IP address or disable access for
       a specific user.  
       More information at:
       http://www.ossec.net/en/manual.html#active-response
       
"
check_input "   - Do you want to enable active response? (y/n) [y]:" "y|n" "y"
ACTIVE_RESPONSE=$INPUTTEXT
if [ "$ACTIVE_RESPONSE" == "y" ]; then
  echo "     - Active response enabled.
   
   - By default, we can enable the host-deny and the 
     firewall-drop responses. The first one will add
     a host to the /etc/hosts.deny and the second one
     will block the host on iptables (if linux) or on
     ipfilter (if Solaris, FreeBSD or NetBSD).
   - They can be used to stop SSHD brute force scans, 
     portscans and some other forms of attacks. You can 
     also add them to block on snort events, for example.

  "
  check_input "   - Do you want to enable the firewall-drop response? (y/n) [y]:" "y|n" "y"
  FIREWALL_DROP=$INPUTTEXT

  if [ "$FIREWALL_DROP" == "y" ]; then
    echo "  <global>" >> ${OSSEC_CONF_FILE}.new
    echo "    <white_list>127.0.0.1</white_list>" >> ${OSSEC_CONF_FILE}.new
    echo "    <white_list>^localhost.localdomain$</white_list>" >> ${OSSEC_CONF_FILE}.new
    # Add stuff to whitelist, default w/ local IP
    for ip in `awk '/nameserver/ {print $2}' /etc/resolv.conf`; do
      echo "    <white_list>$ip</white_list>" >> ${OSSEC_CONF_FILE}.new
    done 
   
    check_input "   - Do you want to add more IPs to the white list? (y/n)? [n]:" "y|n" "n"
    if [ "$INPUTTEXT" == "y" ]; then
      echo -n "   - IPs (space separated): "
      read WHITELIST_IPS < /dev/tty

      for ip in $WHITELIST_IPS; do
        echo "<white_list>$ip</white_list>" >> ${OSSEC_CONF_FILE}.new
      done
    fi
    
    echo "  </global>" >> ${OSSEC_CONF_FILE}.new
    
  fi
  

fi
echo

# enable remote syslog?
check_input "  3.5- Do you want to enable remote syslog (port 514 udp)? (y/n) [y]:" "y|n" "y"
if [ "$INPUTTEXT" == "y" ]; then
  echo "  <remote>"  >> ${OSSEC_CONF_FILE}.new
  echo "    <connection>syslog</connection>" >> ${OSSEC_CONF_FILE}.new
  echo "  </remote>" >> ${OSSEC_CONF_FILE}.new

  echo "  <remote>"  >> ${OSSEC_CONF_FILE}.new
  echo "    <connection>secure</connection>" >> ${OSSEC_CONF_FILE}.new
  echo "  </remote>" >> ${OSSEC_CONF_FILE}.new
fi

# Email/log alerts
echo "  <alerts>" >> ${OSSEC_CONF_FILE}.new
echo "    <log_alert_level>1</log_alert_level>" >>${OSSEC_CONF_FILE}.new
if [ "$EMAIL_NOTIFICATION" == "y" ]; then
  echo "    <email_alert_level>7</email_alert_level>" >> ${OSSEC_CONF_FILE}.new
fi
echo "  </alerts>" >> ${OSSEC_CONF_FILE}.new

if [ "$ACTIVE_RESPONSE" == "y" ]; then
  # Add commands in here
  echo "" >> ${OSSEC_CONF_FILE}.new
  cat ${HOST_DENY_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new
  cat ${FIREWALL_DROP_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new
  cat ${DISABLE_ACCOUNT_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new
  cat ${ROUTENULL_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
  echo "" >> ${OSSEC_CONF_FILE}.new

  if [ "$FIREWALL_DROP" = "y" ]; then
    echo "" >> ${OSSEC_CONF_FILE}.new
    cat ${ACTIVE_RESPONSE_TEMPLATE} >> ${OSSEC_CONF_FILE}.new
    echo "" >> ${OSSEC_CONF_FILE}.new
  fi

fi

# detect log files
echo "" >> ${OSSEC_CONF_FILE}.new
echo

# Syslog
for i in `cat $SYSLOG_TEMPLATE`; do
  if [ -f $i ] ; then
    echo "    -- $i (syslog)"
    echo "" >> ${OSSEC_CONF_FILE}.new
    echo "  <localfile>" >> ${OSSEC_CONF_FILE}.new
    echo "    <log_format>syslog</log_format>" >> ${OSSEC_CONF_FILE}.new
    echo "    <location>$i</location>" >> ${OSSEC_CONF_FILE}.new
    echo "  </localfile>" >> ${OSSEC_CONF_FILE}.new

  fi
done

# Snort
SNORT_FILES=`cat ${SNORT_TEMPLATE}`
for i in ${SNORT_FILES}; do
    ls $i > /dev/null 2>&1
    if [ $? = 0 ]; then
        echo "" >> ${OSSEC_CONF_FILE}.new
        echo "  <localfile>" >> ${OSSEC_CONF_FILE}.new

        head -n 1 $i|grep "\[**\] "|grep -v "Classification:" > /dev/null
        if [ $? = 0 ]; then
            echo "    <log_format>snort-full</log_format>" >> ${OSSEC_CONF_FILE}.new
            echo "    -- $i (snort-full file)"
        else
            echo "    <log_format>snort-fast</log_format>" >> ${OSSEC_CONF_FILE}.new
            echo "    -- $i (snort-fast file)"
        fi
        echo "    <location>$i</location>" >>${OSSEC_CONF_FILE}.new
        echo "  </localfile>" >> ${OSSEC_CONF_FILE}.new
    fi
done

# Apache
APACHE_FILES=`cat ${APACHE_TEMPLATE}`
for i in ${APACHE_FILES}; do
    ls $i > /dev/null 2>&1
    if [ $? = 0 ]; then
      echo "" >> ${OSSEC_CONF_FILE}.new
      echo "  <localfile>" >> ${OSSEC_CONF_FILE}.new
      echo "    <log_format>apache</log_format>" >> ${OSSEC_CONF_FILE}.new
      echo "    <location>$i</location>" >>${OSSEC_CONF_FILE}.new
      echo "  </localfile>" >> ${OSSEC_CONF_FILE}.new

      echo "    -- $i (apache log)"
    fi
done

# Postgres
PGSQL_FILES=`cat ${PGSQL_TEMPLATE}`
for i in ${PGSQL_FILES}; do
    ls $i > /dev/null 2>&1
    if [ $? = 0 ]; then
      echo "" >> ${OSSEC_CONF_FILE}.new
      echo "  <localfile>" >> ${OSSEC_CONF_FILE}.new
      echo "    <log_format>postgresql_log</log_format>" >> ${OSSEC_CONF_FILE}.new
      echo "    <location>$i</location>" >>${OSSEC_CONF_FILE}.new
      echo "  </localfile>" >> ${OSSEC_CONF_FILE}.new

      echo "    -- $i (postgresql log)"
    fi
done

# 

echo "</ossec_config>" >> ${OSSEC_CONF_FILE}.new
mv ${OSSEC_CONF_FILE} ${OSSEC_CONF_FILE}.bak
mv ${OSSEC_CONF_FILE}.new ${OSSEC_CONF_FILE}
echo "Configuration complete."
echo

