added setup-command-canaries.sh

1 files changed, 138 insertions, 0 deletions

diff --git a/setup-command-canaries.sh b/setup-command-canaries.sh
new file mode 100644
index 0000000..60324bd
--- /dev/null
+++ b/setup-command-canaries.sh
@@ -0,0 +1,138 @@
+#!/bin/bash
+set -e
+
+if ! command -v curl &>/dev/null; then
+    printf "%s\n" "[err] curl not found"
+    exit 1
+fi
+
+function usage() {
+    printf "%s\n" \
+        "set up command canaries for early intrusion detection via webhook notifications" \
+        "usage: $(basename ${0}) <args>" \
+        "" \
+        "options" \
+        "-c <cmd>        commands to monitor; repeatable, e.g., -c whoami -c id" \
+        "-s <service>    notification service: discord|slack" \
+        "-u <url>        webhook url" \
+        "-m <method>     http method, default POST" \
+        "-x <header>     webhook headers; repeatable, e.g., -x 'key1: value1' -x 'key2: value2'" \
+        "-t <channel>    channel or destination id for notifications" \
+        "-h              print this help message and exit" \
+        "" \
+        "examples" \
+        "discord" \
+        "$(basename ${0}) -s discord -c whoami -c id -u https://discord.com/api/webhooks/xxx" \
+        "" \
+        "slack" \
+        "$(basename ${0}) -s slack -c whoami -c id -u https://slack.com/api/chat.postmessage -t mychannel -x 'authorization: bearer xoxb-a-b-c'" \
+        "" \
+        "output" \
+        "generates canaries.txt with shell functions to append to /etc/bash.bashrc or ~/.bashrc."
+    exit 1
+}
+
+function validate_url() {
+    local url="${1}"
+    if ! [[ "${url}" =~ ^https:// ]]; then
+        printf "%s\n" "[err] invalid url: ${url} (must be https)"
+        exit 1
+    fi
+}
+
+function validate_method() {
+    local method="${1}"
+    if ! [[ "${method}" =~ ^(GET|POST|PUT)$ ]]; then
+        printf "[err] invalid http method: ${method} (use GET, POST, or PUT)"
+        exit 1
+    fi
+}
+
+function validate_command() {
+    local cmd="${1}"
+    if ! command -v "${cmd}" &>/dev/null; then
+        printf "[wrn] command '${cmd}' not found in path"
+    fi
+}
+
+output_file="canaries.txt"
+method="POST"
+commands=()
+webhook_headers=()
+channel=""
+
+while getopts "c:s:u:m:x:t:h" opts; do
+    case "${opts}" in
+        c) commands+=("${OPTARG}");;
+        s) service="${OPTARG}";;
+        u) webhook_url="${OPTARG}";;
+        m) method="${OPTARG}";;
+        x) webhook_headers+=("${OPTARG}");;
+        t) channel="${OPTARG}";;
+        h) usage;;
+        *) usage;;
+    esac
+done
+
+if test ${#commands[@]} -eq 0; then
+    printf "%s\n" "[err] at least one command (-c) is required"
+    usage
+fi
+if ! test "${webhook_url}" && ! test "${service}"; then
+    printf "%s\n" "[err] webhook url (-u) or service (-s) is required"
+    usage
+fi
+
+validate_method "${method}"
+for cmd in "${commands[@]}"; do
+    validate_command "${cmd}"
+done
+
+test "${webhook_url}" && validate_url "${webhook_url}"
+
+case "${service}" in
+    discord)
+        webhook_url="${webhook_url:-}"
+        webhook_headers+=("Content-Type: application/json")
+        webhook_data="{\"username\":\"notifications-bot\", \"content\":\"**Command Canary Triggered**\nHostname: \${HOSTNAME}\nCommand: \${FUNCNAME[0]}\nTime: \$(date -u --iso-8601=seconds)\"}"
+        ;;
+
+    slack)
+        webhook_headers+=("Content-Type: application/json")
+        ! test "${channel}" || { printf "%s\n" "[err] slack requires a channel (-t)"; exit 1; }
+        webhook_data="{\"text\":\"**Command Canary Triggered**\\nHostname: \${HOSTNAME}\\nCommand: \${FUNCNAME[0]}\\nTime: \$(date -u --iso-8601=seconds)\",\"channel\":\"${channel}\"}"
+        ;;
+    *)
+        usage
+        ;;
+esac
+
+curl_headers=""
+for header in "${webhook_headers[@]}"; do
+    curl_headers+="-H '${header}' "
+done
+
+>"${output_file}"
+
+for cmd in "${commands[@]}"; do
+    sanitized_data=$(printf "%s" "${webhook_data}" | sed -e 's/"/\\"/g')
+    cat >> "${output_file}" << EOF
+function ${cmd}() {
+    (
+        $(which curl) -sSkL \\
+            -X ${method} \\
+            ${curl_headers} \\
+            --data "${sanitized_data}" \\
+            ${webhook_url} \\
+            -o /dev/null 2>&1 >/dev/null &
+    )
+    command ${cmd} "\${@}"
+}
+EOF
+done
+
+printf "%s\n" \
+    "[inf] successfully created ${output_file}" \
+    "[inf] to enable canaries, append the contents to:" \
+    "  - System-wide: /etc/bash.bashrc" \
+    "  - User-specific: ~/.bashrc"