File: /var/lib/dpkg/info/imunify360-webshield-bundle.postinst
#!/bin/sh
# postinst script for imunify360-webshield-bundle
# Opt-in debugging: IM360_DEBUG_SHELL=1 prints how the script was invoked and
# turns on xtrace. xtrace writes every expanded command to stderr, including
# values generated while the script runs, so treat that output as sensitive.
case "$IM360_DEBUG_SHELL" in
    1)
        echo "IM360_ARGV: <$0 [$@]>"
        set -x
        ;;
esac

# From here on, any unhandled non-zero exit status aborts the script.
set -e
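#######################################
# Print $1 random characters from [A-Za-z0-9] on stdout.
# base64 turns the kernel's random bytes into ASCII, tr keeps only the
# alphanumerics (dropping '+', '/', '=' and line breaks) and head stops after
# exactly $1 bytes. dd with a single block is avoided because one read from a
# pipe is allowed to return fewer bytes than requested, which would silently
# shorten the secret.
# Arguments: $1 - number of characters
#######################################
_ws_random_token() {
    base64 < /dev/urandom | tr -dc 'A-Za-z0-9' | head -c "$1"
}

#######################################
# Make sure the wscheck data file carries a key for the given directive,
# appending "<directive> <32 random chars>;" when no line starts with it.
# The body is a subshell "( ... )" so that "set +x" and the helper variables
# stay local to this function.
# Arguments: $1 - directive name (wscheck_untrusted_key / wscheck_trusted_key)
# Returns:   non-zero when no full-length key could be generated
#######################################
_ws_ensure_key() (
    directive=$1
    conf=/etc/imunify360-webshield/webshield-http.conf.d/wscheckdata.conf

    if grep -qs "^${directive}" "$conf"; then
        exit 0
    fi

    # Keep the key out of the xtrace output enabled by IM360_DEBUG_SHELL=1.
    set +x
    key=$(_ws_random_token 32)
    if [ "${#key}" -ne 32 ]; then
        echo "imunify360-webshield: could not generate ${directive}" >&2
        exit 1
    fi

    # NOTE(review): the mode of wscheckdata.conf is not set anywhere in this
    # script; confirm the packaged file is not world-readable, since it ends
    # up holding both keys.
    echo >> "$conf"
    echo "${directive} ${key};" >> "$conf"
)

#######################################
# Configure the webshield bundle after unpack: create log and cache files,
# generate missing keys and the placeholder certificate, reserve local ports,
# register the services with CSF, merge saved user settings and restart the
# services. Called by the argument dispatcher at the bottom of this script.
# Arguments: "$@" - the postinst arguments, forwarded to dpkg-maintscript-helper
# Returns:   non-zero (aborting the postinst under set -e) when a mandatory
#            step fails; service restarts are best-effort
#######################################
reconfigure() {
    # --- log files ---------------------------------------------------------
    mkdir -p /var/log/imunify360
    touch /var/log/imunify360/imunify360-wafd.log

    if [ -d /var/log/imunify360-webshield ]; then
        for log_name in access.log error.log; do
            log_file=/var/log/imunify360-webshield/$log_name
            # Only create missing logs; existing ones keep their owner and mode.
            if [ ! -e "$log_file" ]; then
                touch "$log_file"
                chmod 640 "$log_file"
                chown imunify360-webshield:adm "$log_file"
            fi
        done
    fi

    # --- wscheck keys ------------------------------------------------------
    _ws_ensure_key wscheck_untrusted_key
    _ws_ensure_key wscheck_trusted_key

    # applying user customizations, if any (no longer relevant, subject to removal)
    #if [ -e /var/imunify360/www/captcha/templates/head.tpl ];then
    # cp --preserve=timestamps /var/imunify360/www/captcha/templates/head.tpl /usr/share/imunify360-webshield/captcha/templates/head.tpl
    #fi
    #
    #if [ -e /var/imunify360/www/captcha/templates/body.tpl ];then
    # cp --preserve=timestamps /var/imunify360/www/captcha/templates/body.tpl /usr/share/imunify360-webshield/captcha/templates/body.tpl
    #fi
    #
    #if [ -d /var/imunify360/www/captcha/static ];then
    # cp --preserve=timestamps /var/imunify360/www/captcha/static/* /usr/share/imunify360-webshield/captcha/static/
    #fi

    # --- ownership of runtime directories ----------------------------------
    if [ -d /opt/imunify360-webshield/shared_data ]; then
        chown imunify360-webshield:imunify360-webshield /opt/imunify360-webshield/shared_data
    fi
    if [ -d /opt/imunify360-webshield/bin ]; then
        chown -R imunify360-webshield:imunify360-webshield /opt/imunify360-webshield/bin
    fi

    if [ ! -f /var/cache/imunify360-webshield/ssl.cache ]; then
        touch /var/cache/imunify360-webshield/ssl.cache
        chmod 600 /var/cache/imunify360-webshield/ssl.cache
        chown imunify360-webshield:imunify360-webshield /var/cache/imunify360-webshield/ssl.cache
    fi

    # --- OSSEC -------------------------------------------------------------
    # Restart ossec-hids only when systemd knows such a unit; failure is ignored.
    OSSEC_HIDS=$(systemctl list-unit-files | awk '/[o]ssec-hids/ {print}')
    if [ -n "$OSSEC_HIDS" ]; then
        systemctl restart ossec-hids > /dev/null || true
    fi

    # --- self-signed placeholder certificate -------------------------------
    # Generated on every run, valid for 365 days, written to a temporary name
    # and renamed so the final path is replaced in one step.
    # NOTE(review): -nodes with -keyout and -out on the same path leaves the
    # unencrypted private key in dummy.pem, and no mode is set here; confirm
    # the resulting file is not world-readable.
    TEMP_DUMMY_PEM=/etc/imunify360-webshield/ssl_certs/dummy_.pem
    DUMMY_PEM=/etc/imunify360-webshield/ssl_certs/dummy.pem
    OPENSSL_BIN=/opt/imunify360-webshield/openssl/bin/openssl
    if ! "$OPENSSL_BIN" req -x509 -newkey rsa:4096 -keyout "$TEMP_DUMMY_PEM" -out "$TEMP_DUMMY_PEM" -days 365 -subj "/CN=$(uname -n)" -nodes > /dev/null 2>&1; then
        # openssl's own output is discarded above, so say what failed.
        echo "imunify360-webshield: could not generate $DUMMY_PEM" >&2
        exit 1
    fi
    mv "$TEMP_DUMMY_PEM" "$DUMMY_PEM"

    # --- reserve ports for webshield ----------------------------------------
    # Written only when no reserved-port list is configured yet, so an
    # administrator's existing list is never overwritten.
    if [ -e /proc/sys/net/ipv4/ip_local_reserved_ports ]; then
        RESERVED_PORTS=$(sysctl -n net.ipv4.ip_local_reserved_ports)
        if [ -z "$RESERVED_PORTS" ]; then
            echo "# Reserve ports for webshield services" > /etc/sysctl.d/90-webshield-ip-local-reserved.conf
            echo "net.ipv4.ip_local_reserved_ports = 52223,52224,52227-52235" >> /etc/sysctl.d/90-webshield-ip-local-reserved.conf
            sysctl -w net.ipv4.ip_local_reserved_ports=52223,52224,52227-52235
        fi
    fi

    # --- exclude webshield services from CSF PT_USERKILL ---------------------
    CSF_IGNORE_FILE=/etc/csf/csf.pignore
    if command -v csf > /dev/null 2>&1; then
        should_restart=0
        for LINE in "exe:/usr/sbin/imunify360-webshield" "exe:/usr/sbin/wsshdict"; do
            # -x -F: compare the whole line literally, so a longer entry that
            # merely contains this path does not count as already present.
            if ! grep -qsxF -- "$LINE" "$CSF_IGNORE_FILE"; then
                echo "$LINE" >> "$CSF_IGNORE_FILE"
                should_restart=1
            fi
        done
        if [ "$should_restart" -eq 1 ]; then
            csf --restartall > /dev/null || :
        fi
    fi

    # --- obsolete conffile ---------------------------------------------------
    if dpkg-maintscript-helper supports rm_conffile 2> /dev/null; then
        dpkg-maintscript-helper rm_conffile /etc/imunify360-webshield/webshield-http.conf.d/wsuserid.conf 1.7-5 -- "$@"
    fi

    # --- merge saved wscheck.conf values into the new file --------------------
    # The first awk input (saved copy) fills src[key]; while reading the second
    # (new file), comments and unknown keys pass through and known keys get the
    # saved value.
    NEW_WSCHK=/etc/imunify360-webshield/wscheck.conf
    SAVED_WSCHK=/usr/share/imunify360-webshield/.wscheck.conf
    TMP_WSCHK=/usr/share/imunify360-webshield/._wscheck.conf
    if [ -s "$SAVED_WSCHK" ] && [ -e "$NEW_WSCHK" ]; then
        awk '{if ($1 !~ /^#/) {key = $1; sep = index($0, " "); val = substr($0, sep+1);}
if (FILENAME == ARGV[1]) {src[key] = val}
else {
if ($1 ~ /^#/ || !(key in src)) { print $0 }
else { if (val == src[key]) print key, val; else print key, src[key] }
}}' "$SAVED_WSCHK" "$NEW_WSCHK" > "$TMP_WSCHK"
        # Never replace the live config with an empty merge result.
        if [ -s "$TMP_WSCHK" ]; then
            mv "$TMP_WSCHK" "$NEW_WSCHK"
        fi
        rm "$SAVED_WSCHK"
    fi

    # --- apply user captcha customizations, if any ----------------------------
    if [ -d /usr/share/imunify360-webshield/.captcha_mods ]; then
        if [ -e /usr/share/imunify360-webshield/.captcha_mods/head.tpl ]; then
            cp --preserve=timestamps /usr/share/imunify360-webshield/.captcha_mods/head.tpl /usr/share/imunify360-webshield/captcha/templates
        fi
        if [ -e /usr/share/imunify360-webshield/.captcha_mods/body.tpl ]; then
            cp --preserve=timestamps /usr/share/imunify360-webshield/.captcha_mods/body.tpl /usr/share/imunify360-webshield/captcha/templates
        fi
        if [ -d /usr/share/imunify360-webshield/.captcha_mods/static ]; then
            for mod_file in /usr/share/imunify360-webshield/.captcha_mods/static/*; do
                # An empty directory leaves the pattern unexpanded; skip it
                # instead of letting cp fail and abort the postinst.
                [ -e "$mod_file" ] || continue
                cp --preserve=timestamps "$mod_file" /usr/share/imunify360-webshield/captcha/static
            done
        fi
        rm -rf /usr/share/imunify360-webshield/.captcha_mods
    fi

    # --- restore the saved whitelisted-domains file ----------------------------
    CONF_FILE="/etc/imunify360-webshield/whitelisted-domains.conf"
    BACKUP_FILE="/etc/imunify360-webshield/whitelisted-domains.conf.imunify360-backup"
    if [ -f "$BACKUP_FILE" ]; then
        # Move the backup back into place, overwriting the default from the package
        mv -v "$BACKUP_FILE" "$CONF_FILE"
    fi

    # --- wafd secret -----------------------------------------------------------
    SECRET_FILE=/opt/i360_wafd_imunify/key
    if [ ! -e "$SECRET_FILE" ]; then
        (
            # Keep the secret out of xtrace output and create the file
            # owner-only from the start, so it is never readable by other
            # users between creation and the chmod below.
            set +x
            umask 077
            NEW_UUID=$(_ws_random_token 16)
            if [ "${#NEW_UUID}" -ne 16 ]; then
                echo "imunify360-webshield: could not generate $SECRET_FILE" >&2
                exit 1
            fi
            echo "${NEW_UUID}" > "$SECRET_FILE"
        )
        chown root:root "$SECRET_FILE"
        chmod 400 "$SECRET_FILE"
    fi

    # --- SSL cache directory ---------------------------------------------------
    dirpath=/var/lib/imunify360-webshield-ssl-cache
    if [ -d "$dirpath" ]; then
        if ! chmod -R o-rwx "$dirpath"; then
            # Report the failed tightening, then at least close the top-level
            # directory, which is what the original "&& ... ||" chain did.
            echo "imunify360-webshield: could not remove world access below $dirpath" >&2
            install --directory --mode=0750 "$dirpath"
        fi
    else
        install --directory --mode=0750 "$dirpath"
    fi

    # --- services (best-effort: failures do not abort the postinst) ------------
    /bin/systemctl daemon-reload || :
    /usr/share/imunify360-webshield/webshieldctl configure || true
    # We moved command below from 'webshieldctl configure' to avoid deadlocking
    /bin/systemctl restart imunify360-wafd || :
}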
# Dispatch on the maintainer-script action passed as the first argument.
case "$1" in
    configure)
        reconfigure "$@"
        ;;
    triggered)
        # $2 holds the activated trigger name(s); react only when the value
        # ends in "/nginx".
        if [ "${2##*/}" = "nginx" ] && [ "$2" != "nginx" ]; then
            reconfigure "$@"
        fi
        ;;
    abort-upgrade | abort-remove | abort-deconfigure)
        # No action is taken for the abort-* cases.
        ;;
    *)
        echo "postinst called with unknown argument \`$1'" >&2
        exit 1
        ;;
esac

exit 0