Mini Shell
#!/usr/bin/bash
# Short Description :Deploy imunify360/ImunifyAV
# Description :Installs imunify360/ImunifyAV repository
# Copyright :Cloud Linux Zug GmbH
# License :Cloud Linux Commercial License
# Do not edit/move/reformat this line except for actual version bump
# it is used by old versions of deploy scripts to check for update
version="2.114"
readonly package="imunify360-firewall"
readonly imunify360="imunify360-firewall"
readonly imunify_av="imunify-antivirus"
if [[ "$package" != "$imunify360" ]] && [[ "$package" != "$imunify_av" ]]; then
exit 1
fi
if [[ "$package" = "$imunify360" ]]; then
PRODUCT="Imunify360"
UI_PACKAGE="imunify-ui-firewall"
COMMAND="imunify360-agent"
STAND_ALONE_URL="https://docs.imunify360.com/control_panel_integration/#introduction"
LOG_FILE="/var/log/i360deploy.log"
LOCK="/var/lock/i360deploy.lck"
# packages mentioned in the update command in the daily cron job + PD packages
readonly additional_packages_to_remove="ai-bolit\
alt-php-hyperscan\
imunify-common\
imunify-notifier\
imunify-core\
imunify-ui\
imunify360-venv\
imunify-antivirus\
cloudlinux-backup-utils\
imunify-realtime-av\
imunify360-ossec\
imunify360-pam\
imunify360-php-i360\
imunify360-webshield-bundle\
imunify360-unified-access-logger\
alt-php-internal\
app-version-detector"
readonly additional_packages_to_remove_cl="ai-bolit\
alt-php-hyperscan\
imunify-common\
imunify-notifier\
imunify-core\
imunify-ui\
imunify360-venv\
imunify-antivirus\
cloudlinux-backup-utils\
imunify-realtime-av\
imunify360-ossec\
imunify360-pam\
imunify360-php-i360\
imunify360-webshield-bundle\
imunify360-unified-access-logger"
readonly additional_packages_to_remove_centos="imunify-auditd-log-reader\
minidaemon"
readonly additional_packages_to_remove_debian=""
fi
readonly YUM_DISABLED_PHP_REPOS_OPTION="--disablerepo=imunify360-alt-php,imunify360-ea-php-hardened"
OS_RELEASE_INFO=/etc/os-release
set -o pipefail
# fail if any error: will not
#set -e
# error for unbound variable: not for now
#set -eu
# $1 = Message prompt
# Returns ans=0 for yes, ans=1 for no
yesno() {
local YES=0
local NO=1
local PENDING=2
if [ $dry_run -eq 1 ]; then
echo "Would be asked here if you wanted to"
echo "$1 (y/n - y is assumed)"
local ans=$YES
elif [ "$assumeyes" = "true" ]; then
local ans=$YES
else
local ans=$PENDING
fi
while [ $ans -eq $PENDING ]; do
echo "Do you want to $1 (y/n) ?" ; read -r reply
case "$reply" in
Y*|y*) ans=$YES ;;
N*|n*) ans=$NO ;;
*) echo "Please answer y or n" ;;
esac
done
return "$ans"
}
prepend_timestamp() {
# Prepend current time to each line
#
# Usage: source-program | prepend_timestamp
#
# Note: it may fail if the input contains \0 bytes
while IFS= read -r line
do
printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
done
}
log()
{
# Run given command and append its duplicated stdout/stderr to
# $LOG_FILE.
#
# Usage: log <command> [<args>...]
#
"$@" |& prepend_timestamp | tee -a "$LOG_FILE"
return "${PIPESTATUS[0]}"
}
exit_with_error()
{
log echo -e "$@"
rm -rf "$lock"
exit 1
}
print_debug_info()
{
if [ "$DEBUG" == "true" ]; then
echo "$@"
fi
}
set_panel_detection_path()
{
readonly CPANEL_BIN="/usr/local/cpanel/cpanel"
readonly DA_BIN="/usr/local/directadmin/directadmin"
readonly PLESK_BIN="/usr/sbin/plesk"
readonly INTEGRATION_CONF_PATH="/etc/sysconfig/imunify360/integration.conf"
}
detect_python ()
{
# python executable is not present in CentOS 8
if hash python2 2>/dev/null; then
PYTHON=python2
CONFIG_PARSER="ConfigParser"
elif hash python3 2>/dev/null; then
PYTHON=python3
CONFIG_PARSER="configparser"
else
exit_with_error "Neither python2 nor python3 executables found"
fi
}
detect_panel ()
{
# note: keep the panel test order in sync with agent's get_hosting_panel(),
# to avoid detecting conflicting panels in agent vs. the deploy script
PANEL=""
if [ -f "$INTEGRATION_CONF_PATH" ] ; then
PANEL="generic"
elif [ -f "$PLESK_BIN" ]; then
PANEL="plesk"
elif [ -f "$CPANEL_BIN" ]; then
PANEL="cpanel"
elif [ -f "$DA_BIN" ]; then
PANEL="directadmin"
else
exit_with_error "$PRODUCT has not detected any compatible hosting panel as well as integration.conf file to run the installation without a panel. \
Please, follow the instructions on $STAND_ALONE_URL"
fi
print_debug_info "$PANEL panel was detected."
}
# Only for imunify360-firewall
set_low_resource_usage_mode_if_necessary()
{
local _package=$1
local _package_version=$2
imunify360_low_mem_limit=2147483648
imunify360_python38_datadir=$venv_path/share/imunify360
# total usable memory in bytes
mem_total=$(</proc/meminfo awk '$1 == "MemTotal:" { printf "%.0f", $2 * 1024 }')
if (( mem_total < imunify360_low_mem_limit )); then
# enable "Low Resource Usage" mode
local low_mem_config="$imunify360_python38_datadir/20-low-mem-settings.config"
if [ -f "$low_mem_config" ]; then
log echo "Installing $low_mem_config from $_package $_package_version"
ln -s "$low_mem_config" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
fi
fi
}
populate_os_release_vars()
{
# shellcheck source=/etc/os-release
[ -f "$OS_RELEASE_INFO" ] && source "$OS_RELEASE_INFO"
}
detect_ostype()
{
echo -n "Detecting ostype... "
if [ ! -f "$OS_RELEASE_INFO" ]; then
ostype=centos
else
populate_os_release_vars
if echo "$ID" "$ID_LIKE" | grep debian >/dev/null
then
ostype=debian
else
ostype=centos
fi
fi
echo $ostype
}
is_ubuntu()
{
populate_os_release_vars
[ "$ID" == "ubuntu" ]
}
is_debian()
{
populate_os_release_vars
[ "$ID" == "debian" ]
}
UNSUPPORTED_OS_MSG="You are running an unsupported OS. $PRODUCT supports only x86_64 processors."
check_debian_release()
{
populate_os_release_vars
if is_debian && ([ "$VERSION_ID" -lt 10 ] || [ "$VERSION_ID" -gt 12 ])
then
exit_with_error "You are running unsupported version of debian based OS. $PRODUCT supports only Debian [10, 11, 12]"
fi
if is_ubuntu && [ "$VERSION_ID" != 16.04 ] && [ "$VERSION_ID" != 18.04 ] && [ "$VERSION_ID" != 20.04 ] && [ "$VERSION_ID" != 22.04 ] && [ "$VERSION_ID" != 24.04 ]
then
exit_with_error "You are running unsupported version of debian based OS. $PRODUCT supports only Ubuntu 16.04, 18.04, 20.04, 22.04 and 24.04"
fi
if [ "$(uname -m)" != x86_64 ]
then
exit_with_error "$UNSUPPORTED_OS_MSG"
fi
}
check_centos_release()
{
rpm -q --whatprovides redhat-release > /dev/null 2>&1
check_exit_code 0 "There is no package providing /etc/redhat-release, please install redhat-release or centos-release first"
ARCH=$(uname -i)
# handle 32bit xen with x86_64 host kernel
if (! rpm -q glibc.x86_64 > /dev/null 2>&1) || [ "$ARCH" != "x86_64" ] ; then
exit_with_error "$UNSUPPORTED_OS_MSG"
fi
check_centos_compatible
check_virtuozzo_compatible
}
check_virtuozzo_compatible()
{
if [ -f /proc/vz/vestat ]; then
if version "$(uname -r)" -lt "$VZ_VERSION_BRIEF"; then
echo "You are inside VZ."
echo "Virtuozzo 7 with kernel $VZ_VERSION_LONG or later has support for ipset in Containers."
exit_with_error "Please upgrade your OpenVZ hypervisor kernel version to $VZ_VERSION_LONG or later."
fi
fi
}
check_centos_compatible()
{
local os_version="${1:-$(rpm --eval '%{rhel}')}"
# shellcheck disable=SC2015
[ "${os_version}" -lt 10 ] 2>/dev/null && [ "${os_version}" -gt 5 ] || \
exit_with_error "Only CentOS/CloudLinux 6, 7, 8 and 9 are supported at the moment, but got os_version='${os_version}'"
}
check_exit_code() { if [ $? -ne "$1" ]; then exit_with_error "$2"; fi; }
disable_3rd_party_ids()
{
if [ -d "$venv_path" ]; then
echo "imunify360-venv detected"
imunify360_python38_datadir=$venv_path/share/imunify360
fi
if [ -d "$imunify360_python38_datadir" ]; then
datadir="$imunify360_python38_datadir"
else
datadir="$imunify360_python35_datadir"
fi
$datadir/scripts/disable_3rd_party_ids
}
webshield_module_supported()
{
local CTL=/usr/share/imunify360-webshield/webshieldctl
[ -x $CTL ] || return 1
$CTL mode-supported &>/dev/null
}
install_first_install_default_overrides()
{
local first_install_package=$1
local package_version=$2
if [ -d "$venv_path" ]; then
echo "imunify360-venv detected"
imunify360_python38_datadir=$venv_path/share/imunify360
fi
local first_install_config_deprecated="$imunify360_python38_datadir/10_on_first_install.config"
local first_install_config_core="$imunify360_python38_datadir/10_on_first_install_core.config"
local first_install_config_av="$imunify360_python38_datadir/10_on_first_install_av.config"
local first_install_config_ids="$imunify360_python38_datadir/10_on_first_install_ids.config"
local first_install_config_ids_apache="$imunify360_python38_datadir/10_on_first_install_ids.apache.config"
if [ -f "$first_install_config_deprecated" ]; then
log echo "Installing $first_install_config_deprecated from $first_install_package $package_version"
cp -v "$first_install_config_deprecated" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
else
log echo "Installing $first_install_config_core from $first_install_package $package_version"
cp -v "$first_install_config_core" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
log echo "Installing $first_install_config_av from $first_install_package $package_version"
cp -v "$first_install_config_av" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
if [[ "$package" = "$imunify360" ]]; then
log echo "Installing $first_install_config_ids from $first_install_package $package_version"
cp -v "$first_install_config_ids" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
if webshield_module_supported; then
log echo "Installing $first_install_config_ids_apache from $first_install_package $package_version"
cp -v "$first_install_config_ids_apache" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
fi
fi
fi
}
remove_first_install_default_overrides()
{
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_core.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_av.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_ids.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_ids.apache.config 2>/dev/null || true
}
init_vars()
{
wget="/usr/bin/wget"
wget_options="-q --retry-connrefused --waitretry=15 --read-timeout=20 --timeout=15 -t 15"
uninstall=false
conversion=false
beta=false
install_vendors=false
freemium=false
# get full path to the current script
script="$1"
case "$script" in
./*) script="$(pwd)/${script#*/}" ;;
/*) script="$script" ;;
*) script="$(pwd)/$script" ;;
esac
scriptname=$(basename "$script")
script_run_args="$2"
# Update checker URL
checksite="https://repo.imunify360.cloudlinux.com/defense360/"
checksite_forcurl='https://defense360:nraW!F%40%24x4Xd6HHQ@repo.imunify360.cloudlinux.com/defense360/'
upgradeurl="$checksite$scriptname"
dry_run="0"
assumeyes=false
modifying_call=false
yum_beta_option=""
yum_beta_repo_enable=0
apt_force=""
apt_allow_unauthenticated=""
if [[ "$package" = "$imunify360" ]]; then
# Virtuozzo 7 with kernel 3.10.0 or later has support for ipset in Container
VZ_VERSION_LONG=3.10.0-327.10.1.vz7.12.8
# Inside VZ version is provided without release
VZ_VERSION_BRIEF=3.10.0
readonly imunify360_python35_datadir=/opt/alt/python35/share/imunify360
fi
imunify360_python38_datadir=/opt/alt/python38/share/imunify360
venv_path=/opt/imunify360/venv
}
version()
{
local lhs=$1
local op=$2
local rhs=$3
case $op in
-lt) test "$(echo -e "$lhs\\n$rhs" | sort --version-sort | head -1)" = "$lhs" && \
test "$lhs" != "$rhs"
return $?
;;
*) echo "function version(): operator $op is not supported."
return 2
;;
esac
}
check_package_version()
{
version="$1"
if [ -z "$version" ]; then
echo "No available package detected"
return 1
else
echo "$version"
fi
}
get_available_debian_package_version()
{
version=$(apt-cache policy "$1" 2>/dev/null | sed -n '3p' | awk '{split($0, candidate); print candidate[2]}')
check_package_version "$version"
return $?
}
get_available_centos_package_version()
{
version=$(yum $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION list available "$1" 2>/dev/null | grep -E "$1.x86_64|$1.noarch" | awk '{split($0, candidate); print candidate[2]}' | sort --version-sort | tail -n 1)
check_package_version "$version"
return $?
}
check_integration_conf()
{
#
# Check whether $INTEGRATION_CONF_PATH is sufficiently valid to continue the installation, exit with an error message otherwise
#
# Globals:
# Uses (reads) $INTEGRATION_CONF_PATH;
# Populates (writes) $PYTHON, $CONFIG_PARSER and uses them to parse $INTEGRATION_CONF_PATH ini-file
#
detect_python
# sanity check: the integration.conf is a valid ini-like file
$PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH')" 2>/dev/null
check_exit_code 0 "syntax error in $INTEGRATION_CONF_PATH \
Read the manual $STAND_ALONE_URL on how to create a valid config file.
"
# sanity check: ui_path should be present in the config
local ui_path="$($PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('paths', 'ui_path'))" 2>/dev/null)"
check_exit_code 0 "$PRODUCT has detected $INTEGRATION_CONF_PATH file from the stand-alone version of $PRODUCT. \
Stand-alone version requires \"ui_path\" parameter specified in the $INTEGRATION_CONF_PATH. \
Read the manual $STAND_ALONE_URL on how to create a valid config file.
"
# ui_path must not be empty
if [ -z "$ui_path" ]; then
exit_with_error "Could not get ui_path from $INTEGRATION_CONF_PATH. UI will not be installed. \
Please ensure that you have provided ui_path in $INTEGRATION_CONF_PATH \
More details is at $STAND_ALONE_URL."
# even if ui_path doesn't refer to a directory (first install),
# its parent directory must exist
elif [ ! -d "$ui_path" ]; then
# first install
log mkdir -m 0700 "$ui_path"
check_exit_code 0 "An error occurred during creating $ui_path directory. \
Possibly parent directory doesn't exist or path point to file"
# symlinks are not supported (current behavior)
elif [[ -L "$ui_path" ]]; then
exit_with_error "ui_path specified in $INTEGRATION_CONF_PATH file $ui_path points to an existing symlink. \
Installation is aborted, to avoid overwriting it. \
ui_path must point to an empty web directory. More details is at $STAND_ALONE_URL."
# ui_path dir must be empty or point to an existing imunify installation;
# use bin/execute.py as a heuristic for detecting the agent install
elif [[ -n "$(ls -A "$ui_path" 2>/dev/null)" ]] && [[ ! -e "$ui_path/bin/execute.py" ]]; then
exit_with_error "ui_path specified in $INTEGRATION_CONF_PATH file $ui_path points to a non-empty directory. \
Installation is aborted, to avoid overwriting data in it. \
ui_path must point to an empty web directory. More details is at $STAND_ALONE_URL."
fi
# sanity check: panel_info should be present in the config
$PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('integration_scripts', 'panel_info'))" 2>/dev/null
if [ $? -ne "0" ]; then
yesno "WARNING: integration_scripts.panel_info field will be mandatory soon, please refer to [documentation](https://docs.imunify360.com/control_panel_integration/#specifying-panel-information) and fill it! Do you want to continue? [y/N]"
else
# sanity check: panel_info must be a valid json with name and version fields in data object
local panel_info=$($PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('integration_scripts', 'panel_info'))" 2>/dev/null)
$panel_info | $PYTHON -c 'import sys,json; d=json.load(sys.stdin); print("Panel info:", d["data"]["name"], d["data"]["version"]);'
check_exit_code 0 "panel_info script should be executable and return valid json with name and version fields in data object. Please refer to the [documentation](https://docs.imunify360.com/control_panel_integration/#specifying-panel-information)."
fi
}
install_plugin() {
local plugin_package=$1
local panel=$2
echo "Installing $PRODUCT $panel plugin..."
install_${ostype}_pkgs "$plugin_package-$panel"
check_exit_code 0 "Failed to install $PRODUCT $panel plugin."
}
install_ui_part() {
local ui_package=$1
local panel=$2
echo "Installing UI part of $PRODUCT $panel plugin..."
install_${ostype}_pkgs "$ui_package-$panel"
check_exit_code 0 "Failed to install UI part of $PRODUCT $panel plugin."
}
check_and_install() {
local package_to_install=$1
local package_version=$2
local ui_package=$3
local panel=$4
if version "$package_version" -lt "7.3"; then
install_plugin "$package_to_install" "$panel"
else
if [[ "$package_to_install" = "$imunify360" ]]; then
install_plugin $package_to_install $panel
fi
install_ui_part "$ui_package" "$panel"
fi
}
check_hardened_php_status()
{
local agent_bin='/usr/bin/imunify360-agent'
local python_bin='/opt/imunify360/venv/bin/python'
local status=$(\
${agent_bin} features status hardened-php --json |\
${python_bin} -c 'import json; print(json.loads(input()).get("items", {}).get("status"))'\
)
echo ${status}
}
remove_hardened_php_feature()
{
local agent_bin='/usr/bin/imunify360-agent'
local python_bin='/opt/imunify360/venv/bin/python'
local timeout=900
if [ ! -f ${agent_bin} ] || [ ! -f ${python_bin} ]; then
return
fi
if [ "$(check_hardened_php_status)" != "installed" ]; then
return
fi
echo "Warning: Hardened PHP packages will be removed"\
"and replaced with the default ones if possible."\
"Some sites may stop working"
echo -n "Starting removal, this may take a couple of minutes"
local logfile="$(${agent_bin} features remove hardened-php)"
local start_ts=$(date +%s)
while true; do
removal_status="$(check_hardened_php_status)"
[ "${removal_status}" = "not_installed" ] && echo OK && break
local current_ts=$(date +%s)
if [ $((current_ts - start_ts)) -gt ${timeout} ]; then
echo TIMEOUT
exit_with_error "Error occured while trying to remove Hardened PHP packages."\
"See log: ${logfile}"
fi
echo -n "."
sleep 5
done
}
install_vendors_in_cw_environment()
{
# log output but hide it from stdout
log echo "Run vendor installation in background for Cloudways"
file_path="/var/imunify360/files/modsec/v2/description.json"
while [ ! -f "$file_path" ]; do
log echo "Waiting for $file_path to appear"
sleep 5
done
log echo "Installing vendors"
log /usr/bin/imunify360-agent --console-log-level=WARNING install-vendors
}
run_with_retries()
{
cmd=$1
expected_error_text=$2
ignore_res=$3
min_timeout=2
max_timeout=30
nattempts=10
for ((i=1;i<=nattempts;i++)); do
output=$( { $cmd ; } 2>&1 )
res=$?
if [ $res -eq 0 ] && [[ "$ignore_res" != "true" ]]; then
echo "$output"
break
else
if echo "$output" | grep -q "$expected_error_text"; then
echo "$output"
echo "Attempt #$i/$nattempts: to run $cmd."
timeout=$(($RANDOM%($max_timeout-$min_timeout+1)+$min_timeout))
[ $i -ne $nattempts ] && echo "Retrying in $timeout seconds.."
sleep $timeout
else
echo "$output"
break
fi
fi
done
return $res
}
reopen_log()
{
echo "-- $(date -R): $script $script_run_args --" >> "$LOG_FILE"
chmod 0600 "$LOG_FILE"
}
check_debian_pkg_presence()
{
test "$(dpkg-query --show --showformat='${db:Status-Status}\n' "$1" 2>/dev/null)" = "installed"
}
check_centos_pkg_presence()
{
rpm --query "$1" >/dev/null
}
remove_debian_imunify()
{
local pkgs_to_remove="$package $additional_packages_to_remove $additional_packages_to_remove_debian"
# shellcheck disable=SC2086
apt-get remove --autoremove --ignore-missing --dry-run $pkgs_to_remove
yesno "apt-get --AUTOREMOVE to remove $pkgs_to_remove plus \
aforementioned packages [y] or just $pkgs_to_remove [n]"
local res=$?
if [ $res = 0 ]; then
local autoremove="--autoremove"
else
local autoremove=""
fi
# --ignore-missing doesn't work if apt doesn't know about package
# shellcheck disable=SC2086
apt-get remove $autoremove -y --ignore-missing $(dpkg-query -W -f='${binary:Package}\n' $pkgs_to_remove 2>/dev/null)
}
remove_centos_imunify()
{
if rpm -q cloudlinux-release &>/dev/null; then
local pkgs_to_remove="$package $additional_packages_to_remove_cl $additional_packages_to_remove_centos"
else
local pkgs_to_remove="$package $additional_packages_to_remove $additional_packages_to_remove_centos"
fi
yum remove -y $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION \
$pkgs_to_remove --setopt=clean_requirements_on_remove=1
}
remove_freemium_flag()
{
if [ ! -f "/var/imunify360/myimunify-freemium.flag" ]; then
return
fi
rm -f "/var/imunify360/myimunify-freemium.flag"
}
get_debian_pkgs_manager() {
pkgs_manager="apt-get"
}
get_centos_pkgs_manager() {
pkgs_manager="yum"
}
remove_debian_pkgs()
{
run_with_retries "apt-get remove -y $*" "Could not get lock"
}
remove_centos_pkgs()
{
yum remove -y "$@"
}
install_debian_pkgs()
{
local pkgs=$*
run_with_retries "apt-get $apt_opts install -y $apt_allow_unauthenticated $apt_force $pkgs" ""
}
install_centos_pkgs()
{
local pkgs=$*
yum install -y $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION $pkgs
}
install_debian_ipset()
{
install_debian_pkgs ipset
}
install_centos_ipset()
{
yum install -y ipset
}
detect_first_install()
{
if check_${ostype}_pkg_presence "$package" >/dev/null
then
first_install=false
else
first_install=true
fi
}
is_systemctl_avail()
{
command -v systemctl >/dev/null 2>&1
}
# $1 = Full URL to download
# $2 = Optional basename to save to (if omitted, then = basename $1)
# Also allow download to fail without exit if $2 is set
download_file() {
if [ "$2" = "" ]; then
dlbase="$(basename "$1")"
else
dlbase="$2"
fi
if [ $dry_run -eq 1 ]; then
echo "Would download this URL to $dlbase :"
echo "$1" ; echo
return
fi
old_dlbase="$dlbase.old"
if [ -f "$dlbase" ]; then
rm -f "$old_dlbase"
mv -f "$dlbase" "$old_dlbase"
fi
echo "Downloading $dlbase (please wait)"
$wget $wget_options -O "$dlbase" "$1"
if [ ! -s "$dlbase" ]; then
if [ -f "$old_dlbase" ]; then
mv -f "$old_dlbase" "$dlbase"
fi
if [ "$2" = "" ]; then
echo "Failed to download $dlbase"
exit 1
fi
fi
}
# Make sure that we are running the latest version
# $* = Params passed to script
check_version() {
echo "Checking for an update to $scriptname"
script_from_repo="$scriptname.repo_version"
download_file "$upgradeurl" "$script_from_repo"
newversion=$(grep "^version=" "$script_from_repo" | sed 's/[^0-9.]*//g')
if [ -z "$newversion" ]; then
newversion=$version
fi
if [ $dry_run -eq 1 ]; then
echo -e "Would check if this running script (version $version) is out of date. \n" \
"If it's been superseded, the new version would be downloaded and you'd be asked \n" \
"if you want to upgrade to it and run the new version. \n"
return
fi
local latest_version
latest_version=$(echo -e "$version\\n$newversion" | sort --reverse --version-sort | head -1)
if [ "$latest_version" = "$version" ]; then
echo "$scriptname is already the latest version ($version) - continuing"
rm -f "$script_from_repo"
else
echo "New version ($newversion) of $scriptname detected"
if yesno "run $scriptname $newversion now"
then
echo "OK, executing $script_from_repo $*"
# replace the current script with a new one
mv -f "$script_from_repo" "$script"
chmod u+x "$script"
echo "Download of $scriptname $newversion successful"
rm "$LOCK"
echo "Run $script $script_run_args"
# use $script_run_args without quotes to avoid error
# `getopt: unrecognized option` if there are more than 1 arguments
# shellcheck disable=SC2086
exec "$script" --skip-version-check $script_run_args
error "Failed to run $script $script_run_args"
else
echo -e "New version of script is available: $upgradeurl \n" \
"It was downloaded to $script_from_repo \n" \
"If you prefer to use current version, run it with \"--skip-version-check\" key. \n"
exit 1
fi
fi
}
save_debian_repo()
{
log install_debian_pkgs gnupg
$wget $wget_options -O- https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux \
| gpg --dearmor > /etc/apt/trusted.gpg.d/RPM-GPG-KEY-CloudLinux.gpg
echo "deb [arch=amd64] https://repo.imunify360.cloudlinux.com/imunify360/$ID/$VERSION_ID/ $VERSION_CODENAME main" \
> /etc/apt/sources.list.d/imunify360.list
if [ "$beta" = "true" ]; then
echo "deb [arch=amd64] https://repo.imunify360.cloudlinux.com/imunify360/$ID-testing/$VERSION_ID/ $VERSION_CODENAME main" \
> /etc/apt/sources.list.d/imunify360-testing.list
fi
if ! log run_with_retries "apt-get update" ""; then
test "$dev_install" = true
check_exit_code 0 "apt-get update error."
fi
}
save_centos_repo()
{
local RPM_KEY=$checksite/RPM-GPG-KEY-CloudLinux
local RPM_KEY_forcurl=$checksite_forcurl/RPM-GPG-KEY-CloudLinux
cat >/etc/yum.repos.d/imunify360.repo <<-EOF
[imunify360]
name=EL-\$releasever - Imunify360
baseurl=$checksite/el/\$releasever/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=$RPM_KEY
EOF
# add testing repo as disabled by default
cat >/etc/yum.repos.d/imunify360-testing.repo <<-EOF
[imunify360-testing]
name=EL-\$releasever - Imunify360
baseurl=$checksite/el/\$releasever/updates-testing/x86_64/
enabled=$yum_beta_repo_enable
gpgcheck=1
gpgkey=$RPM_KEY
EOF
log rpm --import "$RPM_KEY_forcurl"
check_exit_code 0 "RPM import error."
modifying_call=true
}
remove_debian_repo()
{
rm /etc/apt/sources.list.d/imunify360.list \
/etc/apt/sources.list.d/imunify360-testing.list \
/etc/apt/sources.list.d/imunify360-alt-php.list 2>/dev/null
}
remove_centos_repo()
{
rm /etc/yum.repos.d/imunify360.repo \
/etc/yum.repos.d/imunify360-testing.repo \
/etc/yum.repos.d/imunify360-ea-php-hardened \
/etc/yum.repos.d/imunify360-alt-php 2>/dev/null
}
remove_acronis_agent()
{
[ ! -e /usr/bin/restore_infected ] && return
if /usr/bin/restore_infected acronis extra is_installed 2> /dev/null; then
# If Acronis installation logs are present in restore_infected folder,
# then remove Acronis and the logs
if ls /var/restore_infected/acronis_installation*.log; then
/usr/bin/restore_infected acronis extra uninstall > /dev/null || :
rm -f /var/restore_infected/acronis_installation*.log
fi
fi
}
terminate_detached_scans ()
{
for file in /var/imunify360/aibolit/run/*/pid; do
test -e "$file" && kill -9 "$(cat "$file")"
done
rm -rf /var/imunify360/aibolit/run/
rm -rf /var/imunify360/aibolit/scans.pickle
}
# Only for imunify360-firewall
check_users() {
CHECK_GROUPS="ossec"
CHECK_USERS="ossec ossecr ossecm ossece"
SYS_GID_MAX=$(awk '/^SYS_GID_MAX/ {print $2}' /etc/login.defs)
SYS_UID_MAX=$(awk '/^SYS_UID_MAX/ {print $2}' /etc/login.defs)
# detect SYS_GID_MAX, SYS_UID_MAX indirectly (Ubuntu 16.04)
GID_MIN=$(awk '/^GID_MIN/ {print $2}' /etc/login.defs)
UID_MIN=$(awk '/^UID_MIN/ {print $2}' /etc/login.defs)
if [ "$SYS_GID_MAX" = "" -a "$GID_MIN" != "" ]; then
SYS_GID_MAX=$((GID_MIN - 1))
fi
if [ "$SYS_UID_MAX" = "" -a "$UID_MIN" != "" ]; then
SYS_UID_MAX=$((UID_MIN - 1))
fi
for grp in $CHECK_GROUPS; do
gid=$(getent group $grp 2> /dev/null | cut -d ':' -f 3)
if [ -z "$gid" ]; then
gid='-1'
fi
if [ "$SYS_GID_MAX" != "" ]; then
if [ "$gid" -gt "$SYS_GID_MAX" ]; then
exit_with_error "Non-system group $grp already exists"
fi
elif [ "$first_install" = "true" -a "$gid" != "-1" ]; then
exit_with_error "Group $grp already exists"
fi
done
for usr in $CHECK_USERS; do
uid=$(id -u "$usr" 2>/dev/null || echo -1)
if [ "$SYS_UID_MAX" != "" ]; then
if [ "$uid" -gt "$SYS_UID_MAX" ]; then
exit_with_error "Non-system user $usr already exists"
fi
elif [ "$first_install" = "true" -a "$uid" != "-1" ]; then
exit_with_error "User $usr already exists"
fi
done
}
# Only for imunify360-firewall
remove_hardened_php_repos()
{
if [[ $ostype = centos ]]; then
ALT_PHP=imunify360-alt-php.repo
EA_PHP=imunify360-ea-php-hardened.repo
REPOS_DIR=/etc/yum.repos.d
# fix permissions
for REPO in $ALT_PHP $EA_PHP; do
test -f $REPOS_DIR/$REPO || continue
chattr -i $REPOS_DIR/$REPO
chmod 644 $REPOS_DIR/$REPO
done
# remove unconditionally
rm -f $REPOS_DIR/$ALT_PHP
rm -f $REPOS_DIR/$EA_PHP
fi
}
print_help ()
{
cat << EOF >&2
Usage:
-h, --help Print this message
--version Print script's version and exit
-k, --key <key> Deploy $PRODUCT with activation key
-c, --uninstall Uninstall $PRODUCT
--skip-version-check Do not check for script updates
--skip-registration Do not register, just install (the default)
--dev-install Turn off software defect reporting
--beta Install packages from 'testing' repo
--check Check if imunify360 Agent can be installed and exit
-y, --yes Assume "yes" as answer to all prompts and run non-interactively
EOF
}
print_version()
{
echo "$scriptname $version"
}
check_centos_iptables_compatibility() {
# dummy function that does nothing
:
}
check_debian_iptables_compatibility() {
if is_debian && [ "$VERSION_ID" == "10" ]
then
local apt_opts="-t buster-backports"
log install_debian_pkgs iptables
check_exit_code 0 "iptables >= 1.8.5 required on Debian 10. \n\
Please, turn on buster-backports repository and run the script/installation again. \n\
Buster-backports repository may be turned on by following command: \n\
echo "deb http://ftp.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list \n\
Then run: \n\
apt-get update \n"
fi
}
detect_cloudways_environment() {
hostname=$(hostname -f)
lowercase_hostname=$(echo "$hostname" | tr '[:upper:]' '[:lower:]')
if echo "$lowercase_hostname" | grep -Eq "\.cloudwaysapps\.com|cloudwaysstagingapps\.com"; then
is_cloudways=true
log echo "Cloudways environment detected"
touch /etc/sysconfig/imunify360/.cloudways_environment
elif [ -f /usr/local/sbin/apm ]; then
if /usr/local/sbin/apm info | grep -q "Cloudways"; then
is_cloudways=true
log echo "Cloudways environment detected"
mkdir -p /var/imunify360
touch /etc/sysconfig/imunify360/.cloudways_environment
else
is_cloudways=false
fi
else
is_cloudways=false
fi
}
setup_imunify360_dir() {
if [ ! -d "/var/imunify360/" ]; then
mkdir -m 2755 -p /var/imunify360
fi
}
disable_firewall() {
setup_imunify360_dir
touch /var/imunify360/firewall_disabled
}
special_config_cloudways()
{
log echo "Installing cloudways configuration"
imunify360_python38_datadir=$venv_path/share/imunify360
local first_install_cloudways="$imunify360_python38_datadir/11_on_first_install_cloudways.config"
cp -v "$first_install_cloudways" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
}
create_upgrade_process_marker()
{
touch /var/imunify360/upgrade_process_started
trap "rm -f /var/imunify360/upgrade_process_started" SIGTERM SIGINT SIGHUP EXIT
}
cleanup()
{
rm -f "$LOCK"
}
rapid_scan_basedir_override() {
touch /var/imunify360/rapid_scan_basedir_override
}
# Lets start
# if environment has umask=0000 (if called from plesk extension), all created files have -rw-rw-rw- permission
umask 0022
init_vars "$0" "$*"
reopen_log
if [ -f "$LOCK" ] ; then
if [ -d "/proc/$(cat "$LOCK")" ] ; then
exit_with_error "$scriptname is already running"
fi
fi
echo $$ > "$LOCK"
check_exit_code 0 "Please run $scriptname as root"
trap cleanup SIGTERM SIGINT SIGHUP EXIT
options=$(getopt -o ychk: -l yes,uninstall,help,version,check,skip-version-check,skip-registration,beta,dev-install,force,apt-force,freemium,key: -- "$@")
res=$?
if [ "$res" != 0 ]; then
print_help
exit 1
fi
eval set -- "$options"
while true; do
case "$1" in
-h|--help)
print_help
exit 0
;;
--version)
print_version
exit 0
;;
-y|--yes)
assumeyes=true
shift
;;
-c|--uninstall)
uninstall=true
shift
;;
-k|--key)
conversion=true
activationkey="$2"
shift 2
;;
--skip-version-check)
skipversioncheck=true
shift
;;
--skip-registration)
registration=false
shift
;;
--beta)
beta=true
yum_beta_option="--enablerepo=imunify360-testing"
yum_beta_repo_enable=1
shift
;;
--freemium)
freemium=true
shift
;;
--dev-install)
dev_install=true
apt_allow_unauthenticated=--allow-unauthenticated
shift
;;
--force|--apt-force) # used for Plesk extension installation
export DEBIAN_FRONTEND=noninteractive
apt_force='-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confnew'
shift
;;
--check)
detect_ostype
check_${ostype}_release
EXIT_CODE=$?
exit $EXIT_CODE
;;
--)
shift
break
;;
-*)
echo "$0: error - unrecognized option $1" 1>&2
print_help
exit 1
;;
*) exit_with_error "Internal error!" ;;
esac
done
if [ "$skipversioncheck" = "true" ]; then
log echo "Skipping check version"
else
log check_version "$*"
fi
detect_ostype
check_${ostype}_release
detect_first_install
if [[ "$package" = "$imunify360" ]]; then
check_users
remove_hardened_php_repos
# install vendors only for imunify360
install_vendors="true"
detect_cloudways_environment
fi
if [ "$conversion" = "true" ] && [ "$uninstall" = "true" ] ; then
exit_with_error "invalid combination";
fi
if [ "$conversion" = "false" ] && [ "$registration" != "false" ] ; then
# Register by IP is the default now
conversion=true
activationkey=false
fi
if [ "$uninstall" = "true" ]; then
remove_acronis_agent
remove_hardened_php_feature
remove_freemium_flag
log remove_${ostype}_imunify
terminate_detached_scans
remove_${ostype}_repo
log remove_first_install_default_overrides
log echo "Uninstall complete."
exit 0
fi
set_panel_detection_path
detect_panel
if [[ "$package" = "$imunify360" ]]; then
if ! check_${ostype}_pkg_presence ipset
then
log install_${ostype}_ipset
check_exit_code 0 "Package ipset was not installed."
fi
if ! ipset list -n -t >/dev/null
then
exit_with_error "Your OS virtualization technology $(systemd-detect-virt 2>/dev/null || virt-what >/dev/null || echo of unknown type) has limited support for ipset in containers. Please, contact Imunify360 Support Team."
fi
check_${ostype}_iptables_compatibility
# Do not remove AV explicitly after moving 6.10 version into stable repo
if check_${ostype}_pkg_presence imunify-antivirus \
&& ! (check_${ostype}_pkg_presence imunify360-firewall);
then
# remove imunify-antivirus package for old imunify360 (due to conflict)
# for new imunify360 versions AV is a dependency of imunify360
package_version=$(get_available_${ostype}_package_version "$package")
check_exit_code 0 "Failed to get package version"
log echo "$package $package_version is available"
if [[ "$is_cloudways" != "true" && "$PANEL" != "plesk" ]]; then
# Marker file for UI for tracking the upgrade process
create_upgrade_process_marker
fi
if version "$package_version" -lt "6.10" ; then
get_${ostype}_pkgs_manager
log echo "You are about to uninstall ImunifyAV and install Imunify360 that includes Malware Scanner. To get ImunifyAV back run the following commands:
# $pkgs_manager remove 'imunify360-firewall*'
# wget https://repo.imunify360.cloudlinux.com/defence360/imav-deploy.sh -O imav-deploy.sh
# bash imav-deploy.sh"
if yesno "Do you agree to proceed with uninstalling ImunifyAV?"; then
log remove_${ostype}_pkgs 'imunify-antivirus'
else
exit 1
fi
fi
fi
fi
if [[ "$package" = "$imunify360" ]]; then
log echo "Checking prerequisites..."
case "$PANEL" in
cpanel)
if [ -f '/etc/cpanel/ea4/is_ea4' ] ; then
# modsec3 conflicts with mod_security2. Do not try to install
# mod_security2 if modsec3 exists
if ! check_${ostype}_pkg_presence ea-modsec30
then
log echo "Installing mod_security2"
if [[ "$ostype" = "debian" ]]; then
# '-' (hyphen)
modsec_package=ea-apache24-mod-security2
else
# '_' (underscore)
modsec_package=ea-apache24-mod_security2
fi
log "install_${ostype}_pkgs" "$modsec_package"
fi
fi
# "activate" Freemium license: just feature flag for now
if [[ "${freemium}" = "true" ]]; then
log echo "Creating Imunify Freemium feature flag"
setup_imunify360_dir
touch "/var/imunify360/myimunify-freemium.flag"
fi
;;
directadmin)
pushd /usr/local/directadmin/custombuild/
da_webserver="$(grep ^webserver= options.conf | sed s/webserver=//)"
da_modsecurity="$(grep ^modsecurity= options.conf | sed s/modsecurity=//)"
if [ "$da_webserver" != apache -a "$da_webserver" != litespeed ]
then
log echo "Imunify modsecurity ruleset is not supported for $da_webserver webserver."
else
if [ "$da_modsecurity" != yes ]; then
log echo "Installing DirectAdmin modsecurity..."
# create options.conf backup file before edit
# with name e.g. options.conf.bak_2018-03-29.1522323911
sed -i.bak_"$(date +%F.%s)" \
-e "s/^modsecurity=.*/modsecurity=yes/" \
-e "s/^modsecurity_ruleset=.*/modsecurity_ruleset=no/" options.conf
./build modsecurity
else
log echo "Installing DirectAdmin modsecurity... already installed!"
fi
modifying_call=true
fi
popd
;;
generic)
if [ "$is_cloudways" != "true" ]; then
check_integration_conf
fi
;;
plesk)
if ! /usr/local/psa/bin/server_pref --show-web-app-firewall >/dev/null 2>&1 \
|| ! ls /usr/local/psa/admin/sbin/modsecurity_ctl >/dev/null 2>&1
then
# There appears to be a bug in Plesk - when installation is triggered via UI, using Plesk extension,
# i360deploy process somehow receives a SIGTERM from `plesk installer` process.
# See comments in https://cloudlinux.atlassian.net/browse/DEF-7450 for details.
# TODO: re-check this bug after installation is re-worked in https://cloudlinux.atlassian.net/browse/DEF-9061
if [ "$I360_FROM_PLESK_EXTENSION" != 1 ]; then
log echo "Installing mod_security"
log run_with_retries "plesk installer --select-release-current --install-component modsecurity" "BUSY: Update operation was locked by another update process" "true"
fi
fi
;;
esac
fi
if [ "$first_install" = "true" ]; then
log echo "In a few moments the script will install latest $package" \
"package (w/dependencies)... (Ctrl-C to cancel)"
sleep 4
save_${ostype}_repo
if [ "$is_cloudways" = "true" ]; then
disable_firewall
fi
package_version=$(get_available_${ostype}_package_version "$package")
check_exit_code 0 "Failed to get package version"
log install_${ostype}_pkgs $package
rc=$?
# try installing the config overrides regardless of the installation success
log install_first_install_default_overrides "$package" "$package_version"
if [[ "$package" = "$imunify360" ]]; then
log set_low_resource_usage_mode_if_necessary "$package" "$package_version"
fi
# fail
if [ $rc -ne 0 ]; then
exit_with_error "Package $package $package_version was not installed."
fi
if [ "$is_cloudways" = "true" ]; then
special_config_cloudways
rapid_scan_basedir_override
fi
modifying_call=true
fi
log echo "Installing ui packages..."
case "$PANEL" in
cpanel)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
directadmin)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
generic)
log check_and_install "$package" "$package_version" "imunify-ui" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
plesk)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
# disable ImunifyAV(revisium-antivirus) if it was installed
extensionsList=$(/usr/local/psa/bin/extension --list 2>/dev/null)
log echo "Checking if ImunifyAV is installed..."
log echo "Extensions List: $extensionsList"
if [[ "$extensionsList" == *"revisium-antivirus"* ]]; then
log echo "Disable ImunifyAV"
/usr/local/psa/bin/extension --disable revisium-antivirus
fi
modifying_call=true
;;
*)
log echo "UI plugin is not installed."
log echo "No supported hosted panel detected and $INTEGRATION_CONF_PATH file is missing."
install_vendors=false
;;
esac
if [ "$conversion" = "true" ] ; then
if [[ "$package" = "$imunify360" ]]; then
if [ "$is_cloudways" != "true" ]; then
log echo "Checking if has already been registered... "
log imunify360-agent --console-log-level ERROR rstatus
rstatus=$?
if [ "$rstatus" = 11 ] ; then
exit_with_error "Registration server general error."
fi
if [ "$rstatus" = 0 -a "$activationkey" != false ] ; then
log echo "Unregister the previous registration key... "
log imunify360-agent --console-log-level WARNING unregister
fi
if [ "$activationkey" != false ] ; then
log echo "Register by key... "
log imunify360-agent --console-log-level WARNING register "$activationkey"
check_exit_code 0 "Registration was not successful. Exiting."
elif [ "$rstatus" != 0 ] ; then
# "$rstatus" != 0 check because it is no sense to re-register
# by IP (in comparison with re-register by activation key)
log echo "Register by IP... "
log imunify360-agent --console-log-level WARNING register IPL
fi
if [[ $? != 0 ]]; then
log echo "Registration was not successful."
else
log echo "Successfully registered"
fi
disable_3rd_party_ids
fi
if is_systemctl_avail; then
log systemctl enable imunify360.service
log systemctl start imunify360
else
log /sbin/chkconfig --add imunify360
log /sbin/service imunify360 start
fi
fi
check_exit_code 0 "Failed to start $package service."
agent_start_success=false
if [ "$is_cloudways" != "true" ]; then
log echo "Waiting for $PRODUCT to start..."
for i in {1..10}; do
if log $COMMAND version
then
log echo "$PRODUCT is started"
agent_start_success=true
break
else
sleep 60
fi
done
if ! $agent_start_success; then
log echo "Something went wrong during $PRODUCT start up"
exit_with_error "See /var/log/imunify360/error.log for details"
fi
if [[ "$package" = "$imunify360" ]]; then
# agent is started
#force-disable WebShield
if [ "$PANEL" = "generic" ] ; then
imunify360-agent config update '{"WEBSHIELD": {"enable": false}}'
fi
# turn on MyImunify
if [[ "${freemium}" = "true" && "$PANEL" = "cpanel" ]]; then
log echo "Turning on MyImunify"
imunify360-agent config update '{"MY_IMUNIFY": {"enable": true}}'
fi
fi
if [ "$install_vendors" = "true" ]; then
/usr/bin/imunify360-agent --console-log-level=WARNING install-vendors
fi
else
install_vendors_in_cw_environment >/dev/null &
disown
fi
elif ! $COMMAND rstatus >/dev/null 2>&1
then
log echo "You have to register this software with registration key:"
log echo " $script --key <key>"
fi
if $modifying_call; then
log echo "Success"
log echo "You can find complete log in $LOG_FILE"
fi
exit 0
Zerion Mini Shell 1.0