#!/bin/bash
# Configure FSF for Odin

echo -e "\e[93m"

log() {
    echo -e "\t\e[96m[*]${1}\e[93m"
}

export VT_KEY=99dfd41c7ff9cd406982f801f2393907678f562fb149a8e538d0680c14e0060a
export FSF_URL="https://github.com/EmersonElectricCo/fsf/archive/master.zip"
export IP=$(ip route | awk '/src/{print $9}')
echo "fsf" >/etc/hostname
echo -e "${IP}\tfsf" >> /etc/hosts

deluser -q --remove-home ubuntu

apt-get update || exit 1
apt-get --purge remove snapd lxd -y
apt-get upgrade -y
apt-get install -y jq htop wget python-pip

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | apt-key add -
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" >/etc/apt/sources.list.d/elastic-5.x.list
apt-get update
apt-get install -y filebeat

apt-get install -y python-yara autoconf dh-autoreconf python-dev \
  libpython2.7-stdlib python-pip libffi-dev ssdeep python-ssdeep upx unrar \
  libfuzzy-dev unzip libssl-dev net-tools cabextract python-pefile \
  python-cffi yara python-yara

pip install czipfile hachoir-parser hachoir-core hachoir-regex \
  hachoir-metadata hachoir-subfile ConcurrentLogHandler pypdf2 xmltodict \
  rarfile pylzma oletools pyasn1_modules pyasn1 pyelftools javatools \
  requests git+https://github.com/aaronst/macholibre.git

useradd -r -c "File Scanner" -m -d /opt/fsf -s /bin/true fsf
cd /opt/fsf
wget -O fsf.zip ${FSF_URL}
unzip fsf.zip && rm fsf.zip
touch scan.log
mv fsf-master bin && chown -R fsf:fsf bin scan.log
cd bin

sed -i 's/FULL\/PATH\/TO\/fsf/opt\/fsf\/bin/g' /opt/fsf/bin/fsf-server/conf/config.py
sed -i 's/tmp/opt\/fsf/g' /opt/fsf/bin/fsf-server/conf/config.py

if [ ! -z ${VT_KEY} ]; then
  echo " [*] Enabling VirusTotal Checks for PE and ELF files."
  sed -i "s/YOUR API KEY HERE/${VT_KEY}/g" /opt/fsf/bin/fsf-server/modules/META_VT_INSPECT.py
  sed -i "s/META_PE'/META_PE', 'META_VT_INSPECT'/g" /opt/fsf/bin/fsf-server/conf/disposition.py
  sed -i "s/META_ELF'/META_ELF', 'META_VT_INSPECT'/g" /opt/fsf/bin/fsf-server/conf/disposition.py
fi

cat >/etc/logrotate.d/scanner <<EOF
compress
copytruncate

/opt/fsf/*.log {
        weekly
        create 0664 fsf
        rotate 3
}
EOF

cat >/etc/systemd/system/fsf.service <<EOF
[Unit]
Description=Odin File Scanner
Requires=network.target
After=network.target

[Service]
Type=forking
User=fsf
Group=fsf
PIDFile=/opt/fsf/scanner.pid
ExecStart=/opt/fsf/bin/fsf-server/main.py start
ExecStop=/opt/fsf/bin/fsf-server/main.py stop

[Install]
WantedBy=multi-user.target
EOF

cat > /etc/logrotate.d/scanner <<EOF
compress
copytruncate

/opt/fsf/*.log {
        weekly
        create 0664 fsf
        rotate 3
}
EOF

cat > /etc/filebeat/filebeat.yml <<EOF
filebeat.prospectors:
- input_type: log
  paths:
    - /opt/fsf/scan.log
  encoding: utf-8
  tags: ["fsf"]
  json.keys_under_root: true

output.kafka:
  hosts: ["kafka:9092"]
  topic: 'fsf'

  required_acks: 1
  compression: gzip
  max_message_bytes: 1000000
EOF

apt-get install -y prometheus-node-exporter

systemctl daemon-reload
systemctl enable fsf && systemctl enable filebeat 
systemctl start fsf && systemctl start filebeat
echo -e "\e[0m"