#!/bin/sh
# erase database and other meta information
# database size over 500mb drastically affects performance

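# Wipe osquery's on-disk state so the daemon starts from an empty database.
# Each directory is emptied (-mindepth 1) but kept. Failures (missing
# directory, busy files) are deliberately ignored: configuration must go on.
miscdir='/var/osquery/'
logdir='/var/log/osquery/'
# NOTE(review): this path differs from /var/osquery/osquery.db/, which the
# configure step at the end of this script also empties — confirm which
# database directory is meant.
dbdir='/usr/share/osquery/osquery.dbq/'
for state_dir in "$miscdir" "$logdir" "$dbdir"; do
    # Run find directly rather than interpolating the path into a `bash -c`
    # command string: the path is never re-parsed by a second shell.
    find "$state_dir" -mindepth 1 -delete >/dev/null 2>&1 || true
done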

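# Files this script edits in place. They are constants; readonly makes an
# accidental reassignment fail loudly instead of silently retargeting a sed.
readonly tag_file='/etc/osquery.tag'
readonly flags_file='/etc/osquery/osquery.flags'
readonly conf_file='/etc/osquery/osquery.conf'
readonly paths_file='/etc/osquery/osquery.conf.d/40_file_paths.conf'
readonly tag_decorator_file='/etc/osquery/osquery.conf.d/59_decorator_tag.conf'
readonly packs_file='/etc/osquery/osquery.conf.d/60_packs.conf'
readonly sysd_dropin='/etc/osquery/limits/osquery-systemd-drop-in.service'
# enable_extension records ${extensions_path}/<name>.ext in $extensions_load,
# and use_ycloud_fim passes that list to --extensions_autoload; the directory
# is therefore code that osqueryd executes — presumably root-owned and not
# world-writable, verify against the deployment.
readonly extensions_path='/usr/local/bin'
readonly extensions_load='/etc/osquery/extensions.load'
readonly extensions_sock='/var/osquery/osquery.em'   # not referenced by this script

# Line numbers after which new entries are inserted (sed "a" command); the
# shipped config files must keep their headers at these positions.
readonly append_packs_after_line=2
readonly append_paths_after_line=2
readonly append_flags_after_line=1
readonly append_shadow_paths_after_line=1   # only used by a commented-out line in add_afisha_file_paths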

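set_cpu_level () {
    # Set --watchdog_level in $flags_file to $1.
    # Matches whatever value is currently on the line rather than only the
    # shipped default of 1, so the flag can be set more than once and is
    # never partially rewritten (a fixed '=1' pattern would also hit '=10'
    # and leave '=00' behind). An optional leading '-' is accepted.
    sed -i "s/--watchdog_level=-*[0-9]*/--watchdog_level=$1/g" "$flags_file"
}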

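set_ram_level () {
    # Set --watchdog_memory_limit in $flags_file to $1 (megabytes).
    # Matches the current numeric value rather than only the shipped default
    # of 150, so the limit can be changed more than once per run.
    sed -i "s/--watchdog_memory_limit=[0-9]*/--watchdog_memory_limit=$1/g" "$flags_file"
}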

set_tls_hostname() {
    # Point --tls_hostname in $flags_file at $1 (e.g. dumbo.sec.yandex.net).
    # Everything after '=' on the existing line is replaced.
    local hostname_flag='--tls_hostname='
    sed -i "s/${hostname_flag}.*/${hostname_flag}$1/g" "$flags_file"
}

set_cgroups_level () {
    # Append resource limits for the osqueryd service, for both init systems.
    #   $1 - CPU quota in percent (default 80)  -> systemd "80%",  upstart "80000"
    #   $2 - memory limit in MB  (default 512)  -> systemd "512M", upstart "512000000"
    #   $3 - CPU shares          (default 200)  -> systemd: not written, upstart "200"
    # Both files are appended to (>>), never truncated: every call adds one
    # more stanza and earlier stanzas stay in place.
    CGROUPS_CPU_QUOTA=${1:-80}
    CGROUPS_MEMORY_LIMIT=${2:-512}
    CGROUPS_CPU_SHARES=${3:-200}

    # systemd drop-in: percent and megabytes are passed through as-is.
    CGROUPS_SYSTEMD_FILE="${sysd_dropin}"
    {
        printf '%s\n' '[Service]'
        printf 'CPUQuota=%s%%\n' "${CGROUPS_CPU_QUOTA}"
        printf 'MemoryLimit=%sM\n' "${CGROUPS_MEMORY_LIMIT}"
    } >> "${CGROUPS_SYSTEMD_FILE}"

    # upstart: quota scaled by 1000, memory in bytes.
    CGROUPS_CPU_QUOTA=$((CGROUPS_CPU_QUOTA * 1000))
    CGROUPS_MEMORY_LIMIT=$((CGROUPS_MEMORY_LIMIT * 1000000))
    CGROUPS_UPDSTART_FILE='/etc/osquery/limits/upstart.conf'
    {
        printf 'CGROUPS_CPU_QUOTA=%s\n' "${CGROUPS_CPU_QUOTA}"
        printf 'CGROUPS_CPU_SHARES=%s\n' "${CGROUPS_CPU_SHARES}"
        printf 'CGROUPS_MEMORY_LIMIT=%s\n' "${CGROUPS_MEMORY_LIMIT}"
    } >> "${CGROUPS_UPDSTART_FILE}"
    # No fallback when neither init system is present (unchanged: "???").
}

add_pack () {
    # Register pack $1 backed by /etc/osquery/packs/$2.conf in $packs_file.
    # The entry is inserted after line $append_packs_after_line, so successive
    # calls stack in reverse call order directly below that line.
    local pack_entry="\"$1\":\"/etc/osquery/packs/$2.conf\","
    sed -i "$append_packs_after_line a \         ${pack_entry}" "$packs_file"
}

del_pack_by_name () {
    # Remove the pack entry named $1 from $packs_file together with the comma
    # that precedes it, so the surrounding JSON object stays valid.
    # The file is accumulated in sed's pattern space so the match can span
    # the line break in front of the entry:
    # 1. set label - :a
    # 2. push next line to buffer - N
    # 3. replace on buffer
    # 4. repeat if any unprocessed lines in file
    # NOTE(review): the entry is expected as `"name": "value"` (space after
    # the colon); add_pack writes `"name":"value"` without that space, so an
    # entry created by add_pack in the same run would not match — callers
    # here only delete entries that ship in the original file.
    # NOTE(review): GNU ERE has no lazy quantifier, so `.*?` presumably acts
    # like `.*`, and `.` matches the newlines held in the buffer; the match
    # therefore depends on the target line being the one just appended by N.
    sed -i -e ":a" -e "N" -Ee "s/,?\n\s*\"$1\": \".*?\"//g" -e '$!ba' $packs_file
}

add_flag () {
    # Insert the literal flag line $1 (e.g. "--foo=bar") into $flags_file
    # after line $append_flags_after_line.
    local new_flag="$1"
    sed -i -e "${append_flags_after_line} a \\${new_flag}" "$flags_file"
}

false_flag () {
    # Flip --$1 from true to false in $flags_file. A flag that is not
    # currently "true" is left untouched.
    local flag_name="$1"
    sed -i -e "s/--${flag_name}=true/--${flag_name}=false/g" "$flags_file"
}

true_flag () {
    # Flip --$1 from false to true in $flags_file. A flag that is not
    # currently "false" is left untouched.
    local flag_name="$1"
    sed -i -e "s/--${flag_name}=false/--${flag_name}=true/g" "$flags_file"
}

add_yql_file_paths () {
    # Add the two file_paths categories for YQL hosts to $paths_file (keys are
    # the tracking-ticket ids). Both are inserted after the same line, so
    # CLOUD16895 ends up above CLOUD13284 in the file.
    # The `%` / `%%` suffixes are presumably osquery's single-level / recursive
    # path globs — verify against the osquery file_paths documentation.
    sed -i "$append_paths_after_line a \    \"CLOUD13284\": [ \"/Berkanavt/kikimr_%/secrets/%\", \"/var/lib/kikimr_secrets/%%\", \"/var/lib/yc/compute-node/keys/%\", \"/etc/ssl/%%\", \"/etc/yc/access-service/server.pem\", \"/etc/yc/access-service/server.key\", \"/etc/yc/access-service/server.crt\", \"/var/lib/yc/scms/master.key\", \"/var/lib/yc/access-service/master.key\" ]," $paths_file
    sed -i "$append_paths_after_line a \    \"CLOUD16895\": [ \"/Berkanavt/yql/cfg/%%\", \"/Berkanavt/yql/bin/%\", \"/Berkanavt/yql/api-service/run.sh\", \"/Berkanavt/yql/api-service/etc/%%\", \"/Berkanavt/yql/api-service/libs/%%\", \"/Berkanavt/yql/api-service/etc/api-secret.conf\" , \"/etc/yandex/statbox-push-client/push-client.%\" , \"/etc/nginx/yql-api/cert.%\", \"/usr/bin/push-client\", \"/usr/sbin/nginx\", \"/usr/local/bin/solomon-agent\"]," $paths_file
}

add_afisha_file_paths () {
    # Add the file_paths categories for Afisha hosts to $paths_file. All three
    # are inserted after the same line, so they appear in reverse call order
    # (iptables, etcshadow, AS307).
    sed -i "$append_paths_after_line a \    \"AS307\": [ \"/boot/%%\", \"/root/%%\", \"/lib/%%\", \"/lib64/%%\", \"/usr/lib/yandex-tickets-widget/%%\", \"/etc/nginx/%%\", \"/etc/iptables/%\", \"/etc/osquery/osquery.conf\", \"/etc/osquery/osquery.conf.d/%\", \"/etc/osquery/packs/%\" ]," $paths_file
    sed -i "$append_paths_after_line a \    \"etcshadow\": [ \"/etc/shadow%\" ]," $paths_file
    sed -i "$append_paths_after_line a \    \"iptables\": [ \"/var/cache/iptables-dump/%\" ]," $paths_file
    # Disabled: would also insert a file_accesses entry for the etcshadow
    # category after line $append_shadow_paths_after_line.
    # sed -i "$append_shadow_paths_after_line a \    \"file_accesses\": [ \"etcshadow\" ]," $paths_file
}

add_apparmor_pack () {
    # Turn on the audit-based AppArmor and SELinux event flags, then register
    # the "apparmor" pack backed by packs/selinux.conf.
    for audit_flag in audit_allow_apparmor_events audit_allow_selinux_events; do
        true_flag "$audit_flag"
    done
    add_pack 'apparmor' 'selinux'
}

add_seccomp_pack () {
    # Turn on audit seccomp events and register the "seccomp" pack.
    true_flag 'audit_allow_seccomp_events'
    add_pack 'seccomp' 'seccomp'
}

add_bastion_pack () {
    # Register the "bastion" pack (packs/bastion.conf) in $packs_file.
    add_pack 'bastion' 'bastion'
}

add_docker_pack () {
    # Register the "docker" pack (packs/docker.conf) in $packs_file.
    add_pack 'docker' 'docker'
}

add_file_op_pack () {
    # Register the "file" pack backed by packs/file_operations.conf.
    add_pack 'file' 'file_operations'
}

add_malware_pack () {
    # Register the "malware" pack (packs/malware.conf) in $packs_file.
    add_pack 'malware' 'malware'
}

add_afisha_packs () {
    # Register the Afisha-specific "file" and "integrity" packs; the pack
    # names match the built-in ones, only the backing files differ.
    add_pack 'file' 'file_operations_afisha'
    add_pack 'integrity' 'file_integrity_afisha'
}

add_file_integrity_pack () {
    # Register the "integrity" pack backed by packs/file_integrity.conf.
    add_pack 'integrity' 'file_integrity'
}

set_svc_standart_settings () {
    # Baseline watchdog limits for ycloud-svc hosts: level 0 and 512 MB.
    # (Function name is kept as callers spell it.)
    local svc_cpu_level=0
    local svc_ram_level_mb=512
    set_cpu_level "$svc_cpu_level"
    set_ram_level "$svc_ram_level_mb"
}

set_splunk_tag () {
    # Rewrite the decorator query in $tag_decorator_file so it reports $1 as
    # the host tag: any existing "SELECT ... AS tag;" string is replaced.
    local new_tag="$1"
    sed -i -e "s/\"SELECT .* AS tag;\"/\"SELECT '${new_tag}' AS tag;\"/g" "$tag_decorator_file"
}

set_decorator () {
    # Splunk tag for a known Yandex.Cloud host: "ycloud-<$1>-<$2>-config".
    local decorator_tag="ycloud-$1-$2-config"
    set_splunk_tag "$decorator_tag"
}

set_undefined_yandex_decorator (){
    # Fallback Splunk tag for a Yandex host whose exact tag is not known:
    # "yandex-<$1>-undefined-conf".
    local decorator_tag="yandex-$1-undefined-conf"
    set_splunk_tag "$decorator_tag"
}

set_undefined_ycloud_decorator (){
    # Fallback Splunk tag for a Yandex.Cloud host whose exact tag is not
    # known: "ycloud-<$1>-undefined-conf".
    local decorator_tag="ycloud-$1-undefined-conf"
    set_splunk_tag "$decorator_tag"
}

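enable_extension() {
    # Register extension $1 (found at ${extensions_path}/$1.ext) in the
    # autoload list ${extensions_load}, and turn extensions on in the flags
    # file. Appends only when the exact path is not already listed, so
    # repeated calls are idempotent.
    false_flag "disable_extensions"

    local ext_fullpath="${extensions_path}/$1.ext"
    # -F fixed string, -x whole line, -q quiet. A missing list file makes
    # grep fail (and complain on stderr); silence it — the path is then
    # appended and the file created.
    if ! grep -Fxq -- "${ext_fullpath}" "${extensions_load}" 2>/dev/null; then
        # write the same value that was checked, not a second copy of it
        printf '%s\n' "${ext_fullpath}" >> "${extensions_load}"
    fi
}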

use_ycloud_fim() {
    # Switch the host to the Yandex.Cloud FIM extension: drop the built-in
    # integrity and file packs, autoload extensions from ${extensions_load},
    # load osquery-fim and register its own pack.
    for builtin_pack in integrity file; do
        del_pack_by_name "$builtin_pack"
    done

    add_flag "--extensions_autoload=${extensions_load}"
    enable_extension 'osquery-fim'
    add_pack 'yc-integrity' 'file_integrity_ycloud'
}


# Per-host configuration. The tag read from $tag_file selects which flags,
# packs, cgroup limits, TLS endpoint and Splunk decorator this host gets.
# Every helper below edits a config file in place, and call order matters:
# add_pack / add_*_file_paths insert after a fixed line number (each later
# call lands above the earlier ones) and set_cgroups_level appends a new
# stanza on every call.
# NOTE(review): $packs_file and $paths_file are edited by the helpers but are
# not part of the existence check here.
if [ -f $tag_file ] && [ -f $flags_file ] && [ -f $conf_file ] && [ -f $tag_decorator_file ]; then
    tag_value=$(echo $(cat $tag_file)) # read tag; the unquoted $(cat ...) collapses newlines and runs of whitespace into single spaces
    case $tag_value in
        yandex-passport*) # yandex passport
            set_cpu_level 0
            set_ram_level 512
            set_cgroups_level 80 1024 200
            set_undefined_yandex_decorator passport
            case $tag_value in
                yandex-passport-jump-config)
                    set_splunk_tag "$tag_value"
                    set_tls_hostname 'dumbo.sec.yandex.net'
                    ;;
                *)
                    # ???
                    ;;
                esac
            ;;
        yandex-bu*) # yandex business-units
            set_cpu_level 0
            set_ram_level 512
            set_cgroups_level 80 1024 200
            set_undefined_yandex_decorator bu
            set_tls_hostname 'os.sec.yandex.net'
            case $tag_value in
                yandex-bu-afisha-config)
                    set_splunk_tag "$tag_value"
                    # NOTE(review): same values as the call above; this appends a
                    # second, identical stanza (also taxidom0, vertisdom0, market).
                    set_cgroups_level 80 1024 200
                    add_afisha_file_paths
                    add_afisha_packs
                    ;;
                yandex-bu-taxi-config)
                    set_splunk_tag "$tag_value"
                    ;;
                yandex-bu-taxilxc-config)
                    set_splunk_tag "$tag_value"
                    ;;
                yandex-bu-taxidom0-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    true_flag disable_audit
                    set_cgroups_level 80 1024 200
                    ;;
                yandex-bu-eda-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    # lower quota than the group default; appended after the 80% stanza
                    set_cgroups_level 40 1024 200
                    ;;
                yandex-bu-vertis-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    set_cgroups_level 40 1024 200
                    ;;
                yandex-bu-vertislxc-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_apparmor_events
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    set_cgroups_level 40 1024 200
                    add_pack kernel kernel
                    ;;
                yandex-bu-vertisdom0-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_apparmor_events
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    set_cgroups_level 80 1024 200
                    add_pack kernel kernel
                    ;;
                yandex-bu-market-config)
                    set_splunk_tag "$tag_value"
                    false_flag audit_allow_apparmor_events
                    false_flag audit_allow_selinux_events
                    false_flag audit_allow_sockets
                    set_cgroups_level 80 1024 200
                    add_pack kernel kernel
                    ;;
                *)
                    # ???
                    ;;
                esac
            ;;
        yc-int-svc*) # Yandex.Cloud internal
            set_undefined_ycloud_decorator int-svc
            set_cgroups_level 80 768 200
            set_tls_hostname 'cos.sec.yandex.net'
            add_pack goss goss
            case $tag_value in
                yc-int-svc-iam)
                    set_decorator int-svc iam
                    set_cpu_level 0
                    set_ram_level 512
                    ;;
                *)
                    ;;
                esac
            ;;
        ycloud-hv*) # hv
            set_cpu_level 0
            set_ram_level 512
            set_cgroups_level 80 1024 200
            set_undefined_ycloud_decorator hv
            add_apparmor_pack
            add_malware_pack
            add_pack kernel kernel
            add_pack hardware hardware
            add_pack goss goss
            # Pick the FIM flavour from the stand name in /etc/debian_chroot
            # (upper-cased; UKNWN when the file is missing).
            # NOTE(review): the original comment read "explicitely turn off new
            # fim on prod", yet PROD is in the branch that enables use_ycloud_fim
            # below — confirm which behaviour is intended.
            environment="$(test -f /etc/debian_chroot && (cat /etc/debian_chroot | tr a-z A-Z) || echo UKNWN)"
            case $environment in
                DEV | TESTING | "PRE-PROD" | PROD)
                    use_ycloud_fim
                    set_tls_hostname 'osquery.cloud.yandex.net'
                    ;;
                # GPN and other stands
                *)
                    add_file_op_pack
                    set_tls_hostname 'cos.sec.yandex.net'
                    ;;
                esac

            case $tag_value in
                ycloud-hv-config)
                    set_splunk_tag "$tag_value"
                    add_seccomp_pack
                    ;;
                ycloud-hv-seed-config)
                    set_splunk_tag "$tag_value"
                    ;;
                ycloud-hv-head-config)
                    set_splunk_tag "$tag_value"
                    ;;
                ycloud-hv-seccomp-config)
                    set_splunk_tag "$tag_value"
                    add_seccomp_pack
                    ;;
                *)
                    # ???
                    ;;
                esac
            ;;
        ycloud-mdb*) # mdb
            set_splunk_tag "$tag_value"
            set_cpu_level 1
            set_ram_level 150
            add_apparmor_pack
            add_malware_pack
            add_pack kernel kernel
            add_pack goss goss
            set_cgroups_level 60 650 200
            set_tls_hostname 'osquery.cloud.yandex.net'
            use_ycloud_fim
            # Only rd-config deviates from the group defaults; the other tags
            # are listed so they are recognised without extra settings.
            case $tag_value in
                ycloud-mdb-ch-config)
                    ;;
                ycloud-mdb-elastic)
                    ;;
                ycloud-mdb-greenplum)
                    ;;
                ycloud-mdb-kafka)
                    ;;
                ycloud-mdb-mg-config)
                    ;;
                ycloud-mdb-mysql-config)
                    ;;
                ycloud-mdb-pg-config)
                    ;;
                ycloud-mdb-rd-config)
                    set_cpu_level 0
                    set_ram_level 512
                    ;;
                ycloud-mdb-zookeeper-config)
                    ;;
                ycloud-mdb-k8master-config)
                    ;;
                ycloud-mdb-controlplane-config)
                    ;;
                *)
                    # ???
                    ;;
                esac
            ;;
        ycloud-svc*) # svc
            set_undefined_ycloud_decorator svc
            add_malware_pack
            add_pack kernel kernel
            add_pack goss goss
            set_cgroups_level 80 768 200
            set_tls_hostname 'osquery.cloud.yandex.net'
            # Per-service tweaks; set_decorator replaces the "undefined" tag set
            # above, set_splunk_tag is used where the tag has no -config suffix.
            case $tag_value in
                ycloud-svc-ai-config)
                    set_decorator svc ai
                    set_svc_standart_settings
                    set_cgroups_level 20 768 200
                    use_ycloud_fim
                    ;;
                ycloud-svc-apiadapter-config)
                    set_decorator svc apiadapter
                    set_svc_standart_settings
                    ;;
                ycloud-svc-apigw-config)
                    set_decorator svc apigw
                    set_svc_standart_settings
                    ;;
                ycloud-svc-assembly-workshop-config)
                    set_decorator svc assembly-workshop
                    set_svc_standart_settings
                    ;;
                ycloud-svc-bastion-config)
                    set_decorator svc bastion
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-bastion)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-iap)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-billing-config)
                    set_decorator svc billing
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-bootstrap)
                    set_decorator svc bootstrap
                    set_svc_standart_settings
                    ;;
                ycloud-svc-container_registry)
                    set_decorator svc container_registry
                    set_svc_standart_settings
                    ;;
                ycloud-svc-cgw-config)
                    set_decorator svc cgw
                    set_svc_standart_settings
                    ;;
                ycloud-svc-console-config)
                    set_decorator svc console
                    set_svc_standart_settings
                    ;;
                ycloud-svc-datalens-assessors-config)
                    set_decorator svc datalensass
                    set_svc_standart_settings
                    ;;
                ycloud-svc-disk-manager)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings  
                    add_apparmor_pack      
                    ;;
                ycloud-svc-generic-config | ycloud-svc-dns-*)
                    set_decorator svc generic
                    add_docker_pack
                    set_svc_standart_settings
                    ;;
                ycloud-svc-hwload-config)
                    set_decorator svc hwload
                    set_svc_standart_settings
                    ;;
                ycloud-svc-iam-config)
                    set_splunk_tag "$tag_value"
                    set_cpu_level 0
                    set_ram_level 512
                    use_ycloud_fim
                    ;;
                ycloud-svc-ipmi_wb-config)
                    set_decorator svc ipmi_wb
                    set_svc_standart_settings
                    ;;
                ycloud-svc-kikimrdn-config)
                    set_decorator svc kikimrdn
                    set_svc_standart_settings
                    add_apparmor_pack
                    ;;
                ycloud-svc-extkikimrdn-config)
                    set_decorator svc extkikimrdn
                    set_cpu_level 1
                    set_ram_level 300
                    set_cgroups_level 10 300 200
                    add_apparmor_pack
                    ;;
                ycloud-svc-kikimruydb-config)
                    set_decorator svc kikimruydb
                    set_cpu_level 1
                    set_ram_level 300
                    add_apparmor_pack
                    ;;
                ycloud-svc-locallb-xds)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    ;;
                ycloud-svc-locallb-proxy)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    false_flag audit_allow_sockets
                    ;;
                ycloud-svc-logbroker)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    ;;
                ycloud-svc-lb-config)
                    set_decorator svc lb
                    set_svc_standart_settings
                    false_flag audit_allow_sockets
                    ;;
                ycloud-svc-ml-config)
                    set_decorator svc ml
                    set_svc_standart_settings
                    ;;
                ycloud-svc-mrkt-config)
                    set_decorator svc mrkt
                    set_svc_standart_settings
                    add_docker_pack
                    ;;
                ycloud-svc-nbs-control)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings        
                    ;;
                ycloud-svc-netinfra-config)
                    set_decorator svc netinfra
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-phy_netinfra-config)
                    set_decorator svc phy_netinfra
                    set_svc_standart_settings
                    ;;
                ycloud-svc-oct-config)
                    set_decorator svc oct
                    set_svc_standart_settings
                    false_flag audit_allow_sockets
                    use_ycloud_fim
                    ;;
                ycloud-svc-oct-control)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    false_flag audit_allow_sockets
                    use_ycloud_fim
                    ;;
                ycloud-svc-portal)
                    set_decorator svc portal
                    set_svc_standart_settings
                    ;;
                ycloud-svc-s3-config)
                    set_decorator svc s3
                    set_svc_standart_settings
                    add_apparmor_pack
                    false_flag audit_allow_sockets
                    ;;
                ycloud-svc-s3-elliptics)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    use_ycloud_fim
                    add_apparmor_pack
                    ;;
                ycloud-svc-schecker)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-certmanager-config)
                    set_decorator svc certmanager
                    set_svc_standart_settings
                    use_ycloud_fim
                    ;;
                ycloud-svc-serialssh-config)
                    set_decorator svc serialssh
                    set_svc_standart_settings
                    add_apparmor_pack
                    use_ycloud_fim
                    ;;
                ycloud-svc-sflowcollector-config)
                    set_decorator svc sflowcollector
                    set_svc_standart_settings
                    ;;             
                ycloud-svc-slbadapter-config)
                    set_decorator svc slbadapter
                    set_svc_standart_settings
                    ;;
                ycloud-svc-snapshot-config)
                    set_decorator svc snapshot
                    set_svc_standart_settings
                    ;;
                ycloud-svc-solomon-config)
                    set_decorator svc solomon
                    set_svc_standart_settings
                    add_apparmor_pack
                    ;;
                ycloud-svc-sqs-config)
                    set_decorator svc sqs
                    set_svc_standart_settings
                    add_apparmor_pack
                    ;;
                ycloud-svc-vpc-api-config)
                    set_decorator svc vpc-api
                    set_svc_standart_settings
                    ;;
                ycloud-svc-yclogbroker-back)
                    set_decorator svc yclogbroker-back
                    set_svc_standart_settings
                    ;;
                ycloud-svc-ydb-control-plane)
                    set_splunk_tag "$tag_value"
                    set_svc_standart_settings
                    ;; 
                ycloud-svc-yql-prod-config)
                    set_decorator svc yql-prod
                    add_file_op_pack
                    set_svc_standart_settings
                    add_apparmor_pack
                    add_yql_file_paths
                    ;;
                ycloud-svc-yql-preprod-config)
                    set_decorator svc yql-preprod
                    add_file_op_pack
                    set_svc_standart_settings
                    add_apparmor_pack
                    add_yql_file_paths
                    ;;
                *)
                    # ???
                    ;;
                esac
            ;;
        *)
            # ???
            ;;
    esac

else
    # NOTE(review): does not say which of the four files is missing, and the
    # script still goes on to (re)start the service below.
    echo "File not found!"
fi

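#######################################
# Purge osqueryd's transient state before a restart: leftover osqueryd*
# files in /tmp and the database files under /var/osquery/osquery.db/.
# Errors are ignored; the directories may not exist yet.
#######################################
purge_runtime_state () {
    /usr/bin/find /tmp -type f -name "osqueryd*" -delete >/dev/null 2>&1
    /usr/bin/find /var/osquery/osquery.db/ -type f -delete >/dev/null 2>&1
}

# Package maintainer-script hook: on "configure" (dpkg) or "2" (presumably
# the rpm upgrade scriptlet argument) (re)enable and restart osqueryd with
# whichever init system is present. Any other argument is a no-op.
case "$1" in
  configure|2)
    if [ -x /bin/systemctl ] && pidof systemd-journald >/dev/null 2>&1 ; then
        mkdir -p "/etc/systemd/system/osqueryd.service.d"
        # -f: re-running the hook (upgrade) must not fail on an existing link
        ln -sf "${sysd_dropin}" "/etc/systemd/system/osqueryd.service.d/20-osquery-yandex-generic.conf"
        /bin/systemctl mask systemd-journald-audit.socket >/dev/null 2>&1
        # NOTE(review): a masked unit cannot be restarted, so this line is
        # presumably a no-op once the mask above is in place — confirm intent.
        /bin/systemctl restart systemd-journald-audit.socket >/dev/null 2>&1
        /bin/systemctl daemon-reload >/dev/null 2>&1
        /bin/systemctl enable osqueryd >/dev/null 2>&1
        /bin/systemctl enable osqueryd-cleanup.timer >/dev/null 2>&1
        /bin/systemctl stop osqueryd >/dev/null 2>&1
        /bin/systemctl stop osqueryd-cleanup.timer >/dev/null 2>&1
        purge_runtime_state
        /bin/systemctl restart osqueryd || exit $?
        /bin/systemctl restart osqueryd-cleanup.timer || exit $?
    elif command -v invoke-rc.d >/dev/null 2>&1 && command -v update-rc.d >/dev/null 2>&1 ; then
        update-rc.d osqueryd defaults >/dev/null 2>&1
        invoke-rc.d osqueryd stop >/dev/null 2>&1
        purge_runtime_state
        invoke-rc.d osqueryd restart || exit $?
    elif command -v initctl >/dev/null 2>&1 ; then
        initctl reload-configuration >/dev/null 2>&1
        initctl stop osqueryd >/dev/null 2>&1
        purge_runtime_state
        initctl restart osqueryd || exit $?
    else
        service osqueryd stop >/dev/null 2>&1
        purge_runtime_state
        service osqueryd restart || exit $?
    fi
    ;;
  *)
    exit 0
    ;;
esac

exit 0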
