File: //usr/src/csf/imav-deploy.sh
#!/bin/bash
# Short Description :Deploy imunify360/ImunifyAV
# Description :Installs imunify360/ImunifyAV repository
# Copyright :Cloud Linux Zug GmbH
# License :Cloud Linux Commercial License
# Do not edit/move/reformat this line except for actual version bump
# it is used by old versions of deploy scripts to check for update
version="2.128"
readonly package="imunify-antivirus"
readonly imunify360="imunify360-firewall"
readonly imunify_av="imunify-antivirus"
if [[ "$package" != "$imunify360" ]] && [[ "$package" != "$imunify_av" ]]; then
exit 1
fi
if [[ "$package" = "$imunify_av" ]]; then
PRODUCT="ImunifyAV"
UI_PACKAGE="imunify-ui-antivirus"
COMMAND="imunify-antivirus"
STAND_ALONE_URL="https://docs.imunifyav.com/stand_alone_mode"
LOG_FILE="/var/log/imav-deploy.log"
LOCK="/var/lock/imav-deploy.lck"
PREMIUM_REVISIUM_EXTENSION="/var/imunify360/premium_revisium_license.flag"
# packages mentioned in the update command in the daily cron job
readonly additional_packages_to_remove="ai-bolit\
alt-php-hyperscan\
imunify-common\
imunify-notifier\
imunify-core\
imunify-realtime-av\
imunify-ui\
imunify360-venv\
imunify-patchman"
readonly additional_packages_to_remove_cl="alt-php-internal\
app-version-detector"
readonly additional_packages_to_remove_centos="minidaemon"
readonly additional_packages_to_remove_debian=""
fi
readonly YUM_DISABLED_PHP_REPOS_OPTION="--disablerepo=imunify360-alt-php,imunify360-ea-php-hardened"
OS_RELEASE_INFO=/etc/os-release
set -o pipefail
# fail if any error: will not
#set -e
# error for unbound variable: not for now
#set -eu
# $1 = Message prompt
# Returns ans=0 for yes, ans=1 for no
yesno() {
local YES=0
local NO=1
local PENDING=2
if [ $dry_run -eq 1 ]; then
echo "Would be asked here if you wanted to"
echo "$1 (y/n - y is assumed)"
local ans=$YES
elif [ "$assumeyes" = "true" ]; then
local ans=$YES
else
local ans=$PENDING
fi
while [ $ans -eq $PENDING ]; do
echo "Do you want to $1 (y/n) ?" ; read -r reply
case "$reply" in
Y*|y*) ans=$YES ;;
N*|n*) ans=$NO ;;
*) echo "Please answer y or n" ;;
esac
done
return "$ans"
}
prepend_timestamp() {
# Prepend current time to each line
#
# Usage: source-program | prepend_timestamp
#
# Note: it may fail if the input contains \0 bytes
while IFS= read -r line
do
printf '[%s] %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$line"
done
}
log()
{
# Run given command and append its duplicated stdout/stderr to
# $LOG_FILE.
#
# Usage: log <command> [<args>...]
#
"$@" |& prepend_timestamp | tee -a "$LOG_FILE"
return "${PIPESTATUS[0]}"
}
exit_with_error()
{
log echo -e "$@"
rm -rf "$lock"
exit 1
}
print_debug_info()
{
if [ "$DEBUG" == "true" ]; then
echo "$@"
fi
}
set_panel_detection_path()
{
readonly CPANEL_BIN="/usr/local/cpanel/cpanel"
readonly DA_BIN="/usr/local/directadmin/directadmin"
readonly PLESK_BIN="/usr/sbin/plesk"
readonly INTEGRATION_CONF_PATH="/etc/sysconfig/imunify360/integration.conf"
}
detect_python ()
{
# python executable is not present in CentOS 8
if hash python2 2>/dev/null; then
PYTHON=python2
CONFIG_PARSER="ConfigParser"
elif hash python3 2>/dev/null; then
PYTHON=python3
CONFIG_PARSER="configparser"
else
exit_with_error "Neither python2 nor python3 executables found"
fi
}
detect_panel ()
{
# note: keep the panel test order in sync with agent's get_hosting_panel(),
# to avoid detecting conflicting panels in agent vs. the deploy script
PANEL=""
if [ -f "$INTEGRATION_CONF_PATH" ] ; then
PANEL="generic"
elif [ -f "$PLESK_BIN" ]; then
PANEL="plesk"
elif [ -f "$CPANEL_BIN" ]; then
PANEL="cpanel"
elif [ -f "$DA_BIN" ]; then
PANEL="directadmin"
else
exit_with_error "$PRODUCT has not detected any compatible hosting panel as well as integration.conf file to run the installation without a panel. \
Please, follow the instructions on $STAND_ALONE_URL"
fi
print_debug_info "$PANEL panel was detected."
}
# Only for imunify360-firewall
set_low_resource_usage_mode_if_necessary()
{
local _package=$1
local _package_version=$2
imunify360_low_mem_limit=2147483648
imunify360_python38_datadir=$venv_path/share/imunify360
# total usable memory in bytes
mem_total=$(</proc/meminfo awk '$1 == "MemTotal:" { printf "%.0f", $2 * 1024 }')
if (( mem_total < imunify360_low_mem_limit )); then
# enable "Low Resource Usage" mode
local low_mem_config="$imunify360_python38_datadir/20-low-mem-settings.config"
if [ -f "$low_mem_config" ]; then
log echo "Installing $low_mem_config from $_package $_package_version"
ln -s "$low_mem_config" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
fi
fi
}
populate_os_release_vars()
{
# shellcheck source=/etc/os-release
[ -f "$OS_RELEASE_INFO" ] && source "$OS_RELEASE_INFO"
}
detect_ostype()
{
echo -n "Detecting ostype... "
if [ ! -f "$OS_RELEASE_INFO" ]; then
ostype=centos
else
populate_os_release_vars
if echo "$ID" "$ID_LIKE" | grep debian >/dev/null
then
ostype=debian
else
ostype=centos
fi
fi
echo $ostype
}
is_ubuntu()
{
populate_os_release_vars
[ "$ID" == "ubuntu" ]
}
is_debian_like()
{
populate_os_release_vars
[[ "$ID" == "debian" || "$ID" == "ubuntu" ]]
}
is_debian()
{
populate_os_release_vars
[ "$ID" == "debian" ]
}
UNSUPPORTED_OS_MSG="You are running an unsupported OS. $PRODUCT supports only x86_64 processors."
check_debian_release()
{
populate_os_release_vars
if is_debian && ([ "$VERSION_ID" -lt 10 ] || [ "$VERSION_ID" -gt 12 ])
then
exit_with_error "You are running unsupported version of debian based OS. $PRODUCT supports only Debian [10, 11, 12]"
fi
if is_ubuntu && [ "$VERSION_ID" != 16.04 ] && [ "$VERSION_ID" != 18.04 ] && [ "$VERSION_ID" != 20.04 ] && [ "$VERSION_ID" != 22.04 ] && [ "$VERSION_ID" != 24.04 ]
then
exit_with_error "You are running unsupported version of debian based OS. $PRODUCT supports only Ubuntu 16.04, 18.04, 20.04, 22.04 and 24.04"
fi
if [ "$(uname -m)" != x86_64 ]
then
exit_with_error "$UNSUPPORTED_OS_MSG"
fi
}
check_centos_release()
{
rpm -q --whatprovides redhat-release > /dev/null 2>&1
check_exit_code 0 "There is no package providing /etc/redhat-release, please install redhat-release or centos-release first"
ARCH=$(uname -i)
# handle 32bit xen with x86_64 host kernel
if (! rpm -q glibc.x86_64 > /dev/null 2>&1) || [ "$ARCH" != "x86_64" ] ; then
exit_with_error "$UNSUPPORTED_OS_MSG"
fi
check_centos_compatible
check_virtuozzo_compatible
}
check_virtuozzo_compatible()
{
if [ -f /proc/vz/vestat ]; then
if version "$(uname -r)" -lt "$VZ_VERSION_BRIEF"; then
echo "You are inside VZ."
echo "Virtuozzo 7 with kernel $VZ_VERSION_LONG or later has support for ipset in Containers."
exit_with_error "Please upgrade your OpenVZ hypervisor kernel version to $VZ_VERSION_LONG or later."
fi
fi
}
check_centos_compatible()
{
local os_version="${1:-$(rpm --eval '%{rhel}')}"
# shellcheck disable=SC2015
[ "${os_version}" -lt 10 ] 2>/dev/null && [ "${os_version}" -gt 5 ] || \
exit_with_error "Only CentOS/CloudLinux 6, 7, 8 and 9 are supported at the moment, but got os_version='${os_version}'"
}
check_exit_code() { if [ $? -ne "$1" ]; then exit_with_error "$2"; fi; }
disable_3rd_party_ids()
{
if [ -d "$venv_path" ]; then
echo "imunify360-venv detected"
imunify360_python38_datadir=$venv_path/share/imunify360
fi
if [ -d "$imunify360_python38_datadir" ]; then
datadir="$imunify360_python38_datadir"
else
datadir="$imunify360_python35_datadir"
fi
$datadir/scripts/disable_3rd_party_ids
}
install_first_install_default_overrides()
{
local first_install_package=$1
local package_version=$2
if [ -d "$venv_path" ]; then
echo "imunify360-venv detected"
imunify360_python38_datadir=$venv_path/share/imunify360
fi
local first_install_config_deprecated="$imunify360_python38_datadir/10_on_first_install.config"
local first_install_config_core="$imunify360_python38_datadir/10_on_first_install_core.config"
local first_install_config_av="$imunify360_python38_datadir/10_on_first_install_av.config"
local first_install_config_ids="$imunify360_python38_datadir/10_on_first_install_ids.config"
if [ -f "$first_install_config_deprecated" ]; then
log echo "Installing $first_install_config_deprecated from $first_install_package $package_version"
cp -v "$first_install_config_deprecated" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
else
log echo "Installing $first_install_config_core from $first_install_package $package_version"
cp -v "$first_install_config_core" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
log echo "Installing $first_install_config_av from $first_install_package $package_version"
cp -v "$first_install_config_av" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
if [[ "$package" = "$imunify360" ]]; then
log echo "Installing $first_install_config_ids from $first_install_package $package_version"
cp -v "$first_install_config_ids" /etc/sysconfig/imunify360/imunify360.config.d/ && log echo "Done."
fi
fi
}
remove_first_install_default_overrides()
{
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_core.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_av.config 2>/dev/null || true
unlink /etc/sysconfig/imunify360/imunify360.config.d/10_on_first_install_ids.config 2>/dev/null || true
}
init_vars()
{
wget="/usr/bin/wget"
wget_options="-q --retry-connrefused --waitretry=15 --read-timeout=20 --timeout=15 -t 15"
uninstall=false
conversion=false
beta=false
install_vendors=false
freemium=false
downgrade=false
# get full path to the current script
script="$1"
case "$script" in
./*) script="$(pwd)/${script#*/}" ;;
/*) script="$script" ;;
*) script="$(pwd)/$script" ;;
esac
scriptname=$(basename "$script")
script_run_args="$2"
# Update checker URL
checksite="https://repo.imunify360.cloudlinux.com/defense360/"
upgradeurl="$checksite$scriptname"
dry_run="0"
assumeyes=false
modifying_call=false
yum_beta_option=""
yum_beta_repo_enable=0
apt_force=""
apt_allow_unauthenticated=""
if [[ "$package" = "$imunify360" ]]; then
# Virtuozzo 7 with kernel 3.10.0 or later has support for ipset in Container
VZ_VERSION_LONG=3.10.0-327.10.1.vz7.12.8
# Inside VZ version is provided without release
VZ_VERSION_BRIEF=3.10.0
readonly imunify360_python35_datadir=/opt/alt/python35/share/imunify360
fi
imunify360_python38_datadir=/opt/alt/python38/share/imunify360
venv_path=/opt/imunify360/venv
}
version()
{
local lhs=$1
local op=$2
local rhs=$3
case $op in
-lt) test "$(echo -e "$lhs\\n$rhs" | sort --version-sort | head -1)" = "$lhs" && \
test "$lhs" != "$rhs"
return $?
;;
*) echo "function version(): operator $op is not supported."
return 2
;;
esac
}
check_package_version()
{
version="$1"
if [ -z "$version" ]; then
echo "No available package detected"
return 1
else
echo "$version"
fi
}
get_available_debian_package_version()
{
version=$(apt-cache policy "$1" 2>/dev/null | sed -n '3p' | awk '{split($0, candidate); print candidate[2]}')
check_package_version "$version"
return $?
}
get_available_centos_package_version()
{
version=$(yum $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION list available "$1" 2>/dev/null | grep -E "$1.x86_64|$1.noarch" | awk '{split($0, candidate); print candidate[2]}' | sort --version-sort | tail -n 1)
check_package_version "$version"
return $?
}
check_integration_conf()
{
#
# Check whether $INTEGRATION_CONF_PATH is sufficiently valid to continue the installation, exit with an error message otherwise
#
# Globals:
# Uses (reads) $INTEGRATION_CONF_PATH;
# Populates (writes) $PYTHON, $CONFIG_PARSER and uses them to parse $INTEGRATION_CONF_PATH ini-file
#
detect_python
# sanity check: the integration.conf is a valid ini-like file
$PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH')" 2>/dev/null
check_exit_code 0 "syntax error in $INTEGRATION_CONF_PATH \
Read the manual $STAND_ALONE_URL on how to create a valid config file.
"
# sanity check: ui_path should be present in the config
local ui_path="$($PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('paths', 'ui_path'))" 2>/dev/null)"
check_exit_code 0 "$PRODUCT has detected $INTEGRATION_CONF_PATH file from the stand-alone version of $PRODUCT. \
Stand-alone version requires \"ui_path\" parameter specified in the $INTEGRATION_CONF_PATH. \
Read the manual $STAND_ALONE_URL on how to create a valid config file.
"
# ui_path must not be empty
if [ -z "$ui_path" ]; then
exit_with_error "Could not get ui_path from $INTEGRATION_CONF_PATH. UI will not be installed. \
Please ensure that you have provided ui_path in $INTEGRATION_CONF_PATH \
More details is at $STAND_ALONE_URL."
# even if ui_path doesn't refer to a directory (first install),
# its parent directory must exist
elif [ ! -d "$ui_path" ]; then
# first install
log mkdir -m 0700 "$ui_path"
check_exit_code 0 "An error occurred during creating $ui_path directory. \
Possibly parent directory doesn't exist or path point to file"
# symlinks are not supported (current behavior)
elif [[ -L "$ui_path" ]]; then
exit_with_error "ui_path specified in $INTEGRATION_CONF_PATH file $ui_path points to an existing symlink. \
Installation is aborted, to avoid overwriting it. \
ui_path must point to an empty web directory. More details is at $STAND_ALONE_URL."
# ui_path dir must be empty or point to an existing imunify installation;
# use bin/execute.py as a heuristic for detecting the agent install
elif [[ -n "$(ls -A "$ui_path" 2>/dev/null)" ]] && [[ ! -e "$ui_path/bin/execute.py" ]]; then
exit_with_error "ui_path specified in $INTEGRATION_CONF_PATH file $ui_path points to a non-empty directory. \
Installation is aborted, to avoid overwriting data in it. \
ui_path must point to an empty web directory. More details is at $STAND_ALONE_URL."
fi
# sanity check: panel_info should be present in the config
$PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('integration_scripts', 'panel_info'))" 2>/dev/null
if [ $? -ne "0" ]; then
yesno "WARNING: integration_scripts.panel_info field will be mandatory soon, please refer to [documentation](https://docs.imunify360.com/control_panel_integration/#specifying-panel-information) and fill it! Do you want to continue? [y/N]"
else
# sanity check: panel_info must be a valid json with name and version fields in data object
local panel_info=$($PYTHON -c "from $CONFIG_PARSER import ConfigParser; conf = ConfigParser(); conf.read('$INTEGRATION_CONF_PATH'); print(conf.get('integration_scripts', 'panel_info'))" 2>/dev/null)
$panel_info | $PYTHON -c 'import sys,json; d=json.load(sys.stdin); print("Panel info:", d["data"]["name"], d["data"]["version"]);'
check_exit_code 0 "panel_info script should be executable and return valid json with name and version fields in data object. Please refer to the [documentation](https://docs.imunify360.com/control_panel_integration/#specifying-panel-information)."
fi
}
install_plugin() {
local plugin_package=$1
local panel=$2
echo "Installing $PRODUCT $panel plugin..."
install_${ostype}_pkgs "$plugin_package-$panel"
check_exit_code 0 "Failed to install $PRODUCT $panel plugin."
}
install_ui_part() {
local ui_package=$1
local panel=$2
echo "Installing UI part of $PRODUCT $panel plugin..."
install_${ostype}_pkgs "$ui_package-$panel"
check_exit_code 0 "Failed to install UI part of $PRODUCT $panel plugin."
}
check_and_install() {
local package_to_install=$1
local package_version=$2
local ui_package=$3
local panel=$4
if version "$package_version" -lt "7.3"; then
install_plugin "$package_to_install" "$panel"
else
if [[ "$package_to_install" = "$imunify360" ]]; then
install_plugin $package_to_install $panel
fi
install_ui_part "$ui_package" "$panel"
fi
}
check_hardened_php_status()
{
local agent_bin='/usr/bin/imunify360-agent'
local python_bin='/opt/imunify360/venv/bin/python'
local status=$(\
${agent_bin} features status hardened-php --json |\
${python_bin} -c 'import json; print(json.loads(input()).get("items", {}).get("status"))'\
)
echo ${status}
}
remove_hardened_php_feature()
{
local agent_bin='/usr/bin/imunify360-agent'
local python_bin='/opt/imunify360/venv/bin/python'
# sometimes it takes a long time to remove hardened-php
# especially in the Plesk environment
local timeout=1500
if [ ! -f ${agent_bin} ] || [ ! -f ${python_bin} ]; then
return
fi
if [ "$(check_hardened_php_status)" != "installed" ]; then
return
fi
echo "Warning: Hardened PHP packages will be removed"\
"and replaced with the default ones if possible."\
"Some sites may stop working"
echo -n "Starting removal, this may take a couple of minutes"
local logfile="$(${agent_bin} features remove hardened-php)"
local start_ts=$(date +%s)
while true; do
removal_status="$(check_hardened_php_status)"
[ "${removal_status}" = "not_installed" ] && echo OK && break
local current_ts=$(date +%s)
if [ $((current_ts - start_ts)) -gt ${timeout} ]; then
echo TIMEOUT
exit_with_error "Error occured while trying to remove Hardened PHP packages."\
"See log: ${logfile}"
fi
echo -n "."
sleep 5
done
}
install_vendors_in_cw_environment()
{
# log output but hide it from stdout
log echo "Run vendor installation in background for Cloudways"
file_path="/var/imunify360/files/modsec/v2/description.json"
while [ ! -f "$file_path" ]; do
log echo "Waiting for $file_path to appear"
sleep 5
done
log echo "Installing vendors"
log /usr/bin/imunify360-agent --console-log-level=WARNING install-vendors
}
do_migrate_patchman()
{
log echo "Run patchman migration..."
log imunify-antivirus patchman migrate
check_exit_code 0 "Failed to migrate patchman service."
}
run_with_retries()
{
cmd=$1
expected_error_text=$2
ignore_res=$3
min_timeout=2
max_timeout=30
nattempts=10
for ((i=1;i<=nattempts;i++)); do
output=$( { $cmd ; } 2>&1 )
res=$?
if [ $res -eq 0 ] && [[ "$ignore_res" != "true" ]]; then
echo "$output"
break
else
if echo "$output" | grep -q "$expected_error_text"; then
echo "$output"
echo "Attempt #$i/$nattempts: to run $cmd."
timeout=$(($RANDOM%($max_timeout-$min_timeout+1)+$min_timeout))
[ $i -ne $nattempts ] && echo "Retrying in $timeout seconds.."
sleep $timeout
else
echo "$output"
break
fi
fi
done
return $res
}
reopen_log()
{
echo "-- $(date -R): $script $script_run_args --" >> "$LOG_FILE"
chmod 0600 "$LOG_FILE"
}
check_debian_pkg_presence()
{
test "$(dpkg-query --show --showformat='${db:Status-Status}\n' "$1" 2>/dev/null)" = "installed"
}
check_centos_pkg_presence()
{
rpm --query "$1" >/dev/null
}
should_perform_downgrade() {
if [[ "$package" = "$imunify_av" ]]; then
downgrade=false
return 1
# https://cloudlinux.atlassian.net/browse/DEF-33180 Decided to postpone having this as default action for plesk/cpanel
# elif [ "$downgrade" = "true" ] || [ "$PANEL" = "plesk" ] || [ "$PANEL" = "cpanel" ]; then
elif [ "$downgrade" = "true" ]; then
# downgrade=true
return 0
else
return 1
fi
}
verify_imunify_av() {
log echo "Verifying ImunifyAV installation..."
# Get the list of packages to verify from additional_packages_to_remove_av
# and remove imunify-realtime-av from the list
local packages_to_verify=""
for _package in $additional_packages_to_remove_av; do
if [ "$_package" != "imunify-realtime-av" ] && [ "$_package" != "imunify-patchman" ]; then
packages_to_verify="$packages_to_verify $_package"
fi
done
packages_to_verify="$packages_to_verify imunify-antivirus-$PANEL"
packages_to_verify="$packages_to_verify imunify-antivirus-$PANEL"
# UI package if panel is detected
if [ "$PANEL" = generic ]; then
packages_to_verify="$packages_to_verify imunify-ui-$PANEL"
else
packages_to_verify="$packages_to_verify imunify-ui-antivirus-$PANEL"
fi
# Flag to track if any package is missing
local missing_packages=0
# Check each package
for _package in $packages_to_verify; do
if ! check_${ostype}_pkg_presence "$_package"; then
log echo "WARNING: Package $_package is missing."
missing_packages=1
fi
done
# Return status based on missing packages
if [ $missing_packages -eq 0 ]; then
log echo "All ImunifyAV packages are properly installed."
return 0
else
log echo "ERROR: Some ImunifyAV packages are missing. Manual intervention may be required."
exit 1
fi
}
# Function to mark ImunifyAV packages as manually installed for Debian
mark_debian_av_manual() {
echo "Marking ImunifyAV as manually installed to preserve it and its dependencies..."
# Check if ImunifyAV is installed before marking
if check_debian_pkg_presence "imunify-antivirus"; then
apt-mark manual imunify-antivirus-$PANEL
if [ "$PANEL" = "generic" ]; then
apt-mark manual imunify-ui-generic
else
apt-mark manual imunify-ui-antivirus-$PANEL
fi
fi
}
# Function to mark ImunifyAV packages as user-installed for CentOS
mark_centos_av_manual() {
echo "Marking ImunifyAV as user-installed to preserve it and its dependencies..."
# Check if ImunifyAV is installed before marking
if ! rpm -q imunify-antivirus &>/dev/null; then
return
fi
local ui_package="imunify-ui-${PANEL}"
[[ "$PANEL" != "generic" ]] && ui_package="imunify-ui-antivirus-${PANEL}"
if [[ "$VERSION_ID" == 7* ]]; then
yumdb set reason user "imunify-antivirus-${PANEL}"
yumdb set reason user "${ui_package}"
else
yum mark install "imunify-antivirus-${PANEL}"
yum mark install "${ui_package}"
fi
}
remove_debian_imunify()
{
local pkgs_to_remove="$package $additional_packages_to_remove $additional_packages_to_remove_debian"
if [ "$downgrade" = "false" ]; then
pkgs_to_remove="$pkgs_to_remove $additional_packages_to_remove_av"
fi
# shellcheck disable=SC2086
apt-get remove --autoremove --ignore-missing --dry-run $pkgs_to_remove
yesno "apt-get --AUTOREMOVE to remove $pkgs_to_remove plus \
aforementioned packages [y] or just $pkgs_to_remove [n]"
local res=$?
if [ $res = 0 ]; then
local autoremove="--autoremove"
else
local autoremove=""
fi
# --ignore-missing doesn't work if apt doesn't know about package
# shellcheck disable=SC2086
apt-get remove $autoremove -y --ignore-missing $(dpkg-query -W -f='${binary:Package}\n' $pkgs_to_remove 2>/dev/null)
}
remove_centos_imunify()
{
local pkgs_to_remove="$package $additional_packages_to_remove $additional_packages_to_remove_centos"
if [ "$downgrade" = "false" ]; then
if rpm -q cloudlinux-release &>/dev/null; then
# if it is CLOS leave "alt-php-internal" and "app-version-detector" as is
local pkgs_to_remove="$pkgs_to_remove $additional_packages_to_remove_av"
else
# Otherwise the also could be removed
local pkgs_to_remove="$pkgs_to_remove $additional_packages_to_remove_av $additional_packages_to_remove_cl"
fi
fi
yum remove -y $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION \
$pkgs_to_remove --setopt=clean_requirements_on_remove=1
}
remove_freemium_flag()
{
if [ ! -f "/var/imunify360/myimunify-freemium.flag" ]; then
return
fi
rm -f "/var/imunify360/myimunify-freemium.flag"
}
get_debian_pkgs_manager() {
pkgs_manager="apt-get"
}
get_centos_pkgs_manager() {
pkgs_manager="yum"
}
remove_debian_pkgs()
{
run_with_retries "apt-get remove -y $*" "Could not get lock"
}
remove_centos_pkgs()
{
yum remove -y "$@"
}
install_debian_pkgs()
{
local pkgs=$*
run_with_retries "apt-get $apt_opts install -y $apt_allow_unauthenticated $apt_force $pkgs" ""
}
install_centos_pkgs()
{
local pkgs=$*
yum install -y $yum_beta_option $YUM_DISABLED_PHP_REPOS_OPTION $pkgs
}
install_debian_ipset()
{
install_debian_pkgs ipset
}
install_centos_ipset()
{
yum install -y ipset
}
detect_first_install()
{
if check_${ostype}_pkg_presence "$package" >/dev/null
then
first_install=false
else
first_install=true
fi
}
is_systemctl_avail()
{
command -v systemctl >/dev/null 2>&1
}
# $1 = Full URL to download
# $2 = Optional basename to save to (if omitted, then = basename $1)
# Also allow download to fail without exit if $2 is set
download_file() {
if [ "$2" = "" ]; then
dlbase="$(basename "$1")"
else
dlbase="$2"
fi
if [ $dry_run -eq 1 ]; then
echo "Would download this URL to $dlbase :"
echo "$1" ; echo
return
fi
old_dlbase="$dlbase.old"
if [ -f "$dlbase" ]; then
rm -f "$old_dlbase"
mv -f "$dlbase" "$old_dlbase"
fi
echo "Downloading $dlbase (please wait)"
$wget $wget_options -O "$dlbase" "$1"
if [ ! -s "$dlbase" ]; then
if [ -f "$old_dlbase" ]; then
mv -f "$old_dlbase" "$dlbase"
fi
if [ "$2" = "" ]; then
echo "Failed to download $dlbase"
exit 1
fi
fi
}
# Make sure that we are running the latest version
# $* = Params passed to script
check_version() {
echo "Checking for an update to $scriptname"
script_from_repo="$scriptname.repo_version"
download_file "$upgradeurl" "$script_from_repo"
newversion=$(grep "^version=" "$script_from_repo" | sed 's/[^0-9.]*//g')
if [ -z "$newversion" ]; then
newversion=$version
fi
if [ $dry_run -eq 1 ]; then
echo -e "Would check if this running script (version $version) is out of date. \n" \
"If it's been superseded, the new version would be downloaded and you'd be asked \n" \
"if you want to upgrade to it and run the new version. \n"
return
fi
local latest_version
latest_version=$(echo -e "$version\\n$newversion" | sort --reverse --version-sort | head -1)
if [ "$latest_version" = "$version" ]; then
echo "$scriptname is already the latest version ($version) - continuing"
rm -f "$script_from_repo"
else
echo "New version ($newversion) of $scriptname detected"
if yesno "run $scriptname $newversion now"
then
echo "OK, executing $script_from_repo $*"
# replace the current script with a new one
mv -f "$script_from_repo" "$script"
chmod u+x "$script"
echo "Download of $scriptname $newversion successful"
rm "$LOCK"
echo "Run $script $script_run_args"
# use $script_run_args without quotes to avoid error
# `getopt: unrecognized option` if there are more than 1 arguments
# shellcheck disable=SC2086
exec "$script" --skip-version-check $script_run_args
error "Failed to run $script $script_run_args"
else
echo -e "New version of script is available: $upgradeurl \n" \
"It was downloaded to $script_from_repo \n" \
"If you prefer to use current version, run it with \"--skip-version-check\" key. \n"
exit 1
fi
fi
}
save_debian_repo()
{
log install_debian_pkgs gnupg
$wget $wget_options -O- https://repo.imunify360.cloudlinux.com/defense360/RPM-GPG-KEY-CloudLinux \
| gpg --dearmor > /etc/apt/trusted.gpg.d/RPM-GPG-KEY-CloudLinux.gpg
echo "deb [arch=amd64] https://repo.imunify360.cloudlinux.com/imunify360/$ID/$VERSION_ID/ $VERSION_CODENAME main" \
> /etc/apt/sources.list.d/imunify360.list
if [ "$beta" = "true" ]; then
echo "deb [arch=amd64] https://repo.imunify360.cloudlinux.com/imunify360/$ID-testing/$VERSION_ID/ $VERSION_CODENAME main" \
> /etc/apt/sources.list.d/imunify360-testing.list
fi
if ! log run_with_retries "apt-get update" ""; then
test "$dev_install" = true
check_exit_code 0 "apt-get update error."
fi
}
save_centos_repo()
{
local RPM_KEY=$checksite/RPM-GPG-KEY-CloudLinux
cat >/etc/yum.repos.d/imunify360.repo <<-EOF
[imunify360]
name=EL-\$releasever - Imunify360
baseurl=$checksite/el/\$releasever/updates/x86_64/
enabled=1
gpgcheck=1
gpgkey=$RPM_KEY
EOF
# add testing repo as disabled by default
cat >/etc/yum.repos.d/imunify360-testing.repo <<-EOF
[imunify360-testing]
name=EL-\$releasever - Imunify360
baseurl=$checksite/el/\$releasever/updates-testing/x86_64/
enabled=$yum_beta_repo_enable
gpgcheck=1
gpgkey=$RPM_KEY
EOF
log rpm --import "$RPM_KEY"
check_exit_code 0 "RPM import error."
modifying_call=true
}
remove_debian_repo()
{
rm /etc/apt/sources.list.d/imunify360.list \
/etc/apt/sources.list.d/imunify360-testing.list \
/etc/apt/sources.list.d/imunify360-alt-php.list 2>/dev/null
}
remove_centos_repo()
{
rm /etc/yum.repos.d/imunify360.repo \
/etc/yum.repos.d/imunify360-testing.repo \
/etc/yum.repos.d/imunify360-ea-php-hardened \
/etc/yum.repos.d/imunify360-alt-php 2>/dev/null
}
remove_acronis_agent()
{
[ ! -e /usr/bin/restore_infected ] && return
if /usr/bin/restore_infected acronis extra is_installed 2> /dev/null; then
# If Acronis installation logs are present in restore_infected folder,
# then remove Acronis and the logs
if ls /var/restore_infected/acronis_installation*.log; then
/usr/bin/restore_infected acronis extra uninstall > /dev/null || :
rm -f /var/restore_infected/acronis_installation*.log
fi
fi
}
terminate_detached_scans ()
{
for file in /var/imunify360/aibolit/run/*/pid; do
test -e "$file" && kill -9 "$(cat "$file")"
done
rm -rf /var/imunify360/aibolit/run/
rm -rf /var/imunify360/aibolit/scans.pickle
}
# Only for imunify360-firewall
check_users() {
CHECK_GROUPS="ossec"
CHECK_USERS="ossec ossecr ossecm ossece"
SYS_GID_MAX=$(awk '/^SYS_GID_MAX/ {print $2}' /etc/login.defs)
SYS_UID_MAX=$(awk '/^SYS_UID_MAX/ {print $2}' /etc/login.defs)
# detect SYS_GID_MAX, SYS_UID_MAX indirectly (Ubuntu 16.04)
GID_MIN=$(awk '/^GID_MIN/ {print $2}' /etc/login.defs)
UID_MIN=$(awk '/^UID_MIN/ {print $2}' /etc/login.defs)
if [ "$SYS_GID_MAX" = "" -a "$GID_MIN" != "" ]; then
SYS_GID_MAX=$((GID_MIN - 1))
fi
if [ "$SYS_UID_MAX" = "" -a "$UID_MIN" != "" ]; then
SYS_UID_MAX=$((UID_MIN - 1))
fi
for grp in $CHECK_GROUPS; do
gid=$(getent group $grp 2> /dev/null | cut -d ':' -f 3)
if [ -z "$gid" ]; then
gid='-1'
fi
if [ "$SYS_GID_MAX" != "" ]; then
if [ "$gid" -gt "$SYS_GID_MAX" ]; then
exit_with_error "Non-system group $grp already exists"
fi
elif [ "$first_install" = "true" -a "$gid" != "-1" ]; then
exit_with_error "Group $grp already exists"
fi
done
for usr in $CHECK_USERS; do
uid=$(id -u "$usr" 2>/dev/null || echo -1)
if [ "$SYS_UID_MAX" != "" ]; then
if [ "$uid" -gt "$SYS_UID_MAX" ]; then
exit_with_error "Non-system user $usr already exists"
fi
elif [ "$first_install" = "true" -a "$uid" != "-1" ]; then
exit_with_error "User $usr already exists"
fi
done
}
# Only for imunify360-firewall
remove_hardened_php_repos()
{
if [[ $ostype = centos ]]; then
ALT_PHP=imunify360-alt-php.repo
EA_PHP=imunify360-ea-php-hardened.repo
REPOS_DIR=/etc/yum.repos.d
# fix permissions
for REPO in $ALT_PHP $EA_PHP; do
test -f $REPOS_DIR/$REPO || continue
chattr -i $REPOS_DIR/$REPO
chmod 644 $REPOS_DIR/$REPO
done
# remove unconditionally
rm -f $REPOS_DIR/$ALT_PHP
rm -f $REPOS_DIR/$EA_PHP
fi
}
print_help ()
{
cat << EOF >&2
Usage:
-h, --help Print this message
--version Print script's version and exit
-k, --key <key> Deploy $PRODUCT with activation key
-c, --uninstall Uninstall $PRODUCT
--skip-version-check Do not check for script updates
--skip-registration Do not register, just install (the default)
--dev-install Turn off software defect reporting
--beta Install packages from 'testing' repo
--check Check if imunify360 Agent can be installed and exit
--downgrade Preserve ImunifyAV when uninstalling Imunify360
-y, --yes Assume "yes" as answer to all prompts and run non-interactively
EOF
}
print_version()
{
echo "$scriptname $version"
}
check_centos_iptables_compatibility() {
# dummy function that does nothing
:
}
check_debian_iptables_compatibility() {
if is_debian && [ "$VERSION_ID" == "10" ]
then
local apt_opts="-t buster-backports"
log install_debian_pkgs iptables
check_exit_code 0 "iptables >= 1.8.5 required on Debian 10. \n\
Please, turn on buster-backports repository and run the script/installation again. \n\
Buster-backports repository may be turned on by following command: \n\
echo "deb http://ftp.debian.org/debian buster-backports main" > /etc/apt/sources.list.d/buster-backports.list \n\
Then run: \n\
apt-get update \n"
fi
}
detect_cloudways_environment() {
hostname=$(hostname -f)
lowercase_hostname=$(echo "$hostname" | tr '[:upper:]' '[:lower:]')
if echo "$lowercase_hostname" | grep -Eq "\.cloudwaysapps\.com|cloudwaysstagingapps\.com"; then
is_cloudways=true
log echo "Cloudways environment detected"
touch /etc/sysconfig/imunify360/.cloudways_environment
elif [ -f /usr/local/sbin/apm ]; then
if /usr/local/sbin/apm info | grep -q "Cloudways"; then
is_cloudways=true
log echo "Cloudways environment detected"
mkdir -p /var/imunify360
touch /etc/sysconfig/imunify360/.cloudways_environment
else
is_cloudways=false
fi
else
is_cloudways=false
fi
}
setup_imunify360_dir() {
if [ ! -d "/var/imunify360/" ]; then
mkdir -m 2755 -p /var/imunify360
fi
}
install_revisium_premium_marker ()
{
local key_directory="/etc/sw/keys/keys"
local imunify_keytype="ImunifyAV+"
if [ -d "$key_directory" ]; then
# Search for the specified keytype in the keys
if grep -q "<core:keytype>$imunify_keytype</core:keytype>" "$key_directory"/*; then
# Create the flag
setup_imunify360_dir
touch "$PREMIUM_REVISIUM_EXTENSION"
echo "AV+ license is detected in Revisium extension, creating marker file $PREMIUM_REVISIUM_EXTENSION"
fi
fi
}
remove_revisium_premium_marker ()
{
if [ -f "$PREMIUM_REVISIUM_EXTENSION" ]; then
rm -f "$PREMIUM_REVISIUM_EXTENSION"
fi
}
cleanup()
{
rm -f "$LOCK"
}
rapid_scan_basedir_override() {
touch /var/imunify360/rapid_scan_basedir_override
}
uninstall_plesk_extension() {
if [ "$PANEL" = "plesk" ] && [ "$I360_FROM_PLESK_EXTENSION" != "1" ]; then
if [ -x /usr/local/psa/bin/extension ]; then
log echo "Uninstalling Plesk extension for $PRODUCT..."
SKIP_PREUNINSTALL_CHECK=true log /usr/local/psa/bin/extension --uninstall imunify360 || true
fi
fi
}
# Lets start
# if environment has umask=0000 (if called from plesk extension), all created files have -rw-rw-rw- permission
umask 0022
init_vars "$0" "$*"
reopen_log
if [ -f "$LOCK" ] ; then
if [ -d "/proc/$(cat "$LOCK")" ] ; then
exit_with_error "$scriptname is already running"
fi
fi
echo $$ > "$LOCK"
check_exit_code 0 "Please run $scriptname as root"
trap cleanup SIGTERM SIGINT SIGHUP EXIT
options=$(getopt -o ychk: -l yes,uninstall,help,version,check,skip-version-check,skip-registration,beta,dev-install,force,apt-force,freemium,migrate-patchman,downgrade,key: -- "$@")
res=$?
if [ "$res" != 0 ]; then
print_help
exit 1
fi
eval set -- "$options"
while true; do
case "$1" in
-h|--help)
print_help
exit 0
;;
--version)
print_version
exit 0
;;
-y|--yes)
assumeyes=true
shift
;;
-c|--uninstall)
uninstall=true
shift
;;
-k|--key)
conversion=true
activationkey="$2"
shift 2
;;
--skip-version-check)
skipversioncheck=true
shift
;;
--skip-registration)
registration=false
shift
;;
--beta)
beta=true
yum_beta_option="--enablerepo=imunify360-testing"
yum_beta_repo_enable=1
shift
;;
--freemium)
freemium=true
shift
;;
--dev-install)
dev_install=true
apt_allow_unauthenticated=--allow-unauthenticated
shift
;;
--force|--apt-force) # used for Plesk extension installation
export DEBIAN_FRONTEND=noninteractive
apt_force='-o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confnew'
shift
;;
--check)
detect_ostype
check_${ostype}_release
EXIT_CODE=$?
exit $EXIT_CODE
;;
--migrate-patchman)
migrate_patchman=true
shift
;;
--)
shift
break
;;
-*)
echo "$0: error - unrecognized option $1" 1>&2
print_help
exit 1
;;
*) exit_with_error "Internal error!" ;;
esac
done
if [ "$skipversioncheck" = "true" ]; then
log echo "Skipping check version"
else
log check_version "$*"
fi
detect_ostype
check_${ostype}_release
detect_first_install
if [ "$conversion" = "true" ] && [ "$uninstall" = "true" ] ; then
exit_with_error "invalid combination";
fi
if [ "$conversion" = "false" ] && [ "$registration" != "false" ] ; then
# Register by IP is the default now
conversion=true
activationkey=false
fi
set_panel_detection_path
detect_panel
if [ "$uninstall" = "true" ]; then
remove_acronis_agent
remove_hardened_php_feature
remove_freemium_flag
# Check if we need to downgrade
if should_perform_downgrade; then
log echo "Starting downgrade from Imunify360 to ImunifyAV..."
# Mark ImunifyAV packages as manually installed
log mark_${ostype}_av_manual
fi
log remove_${ostype}_imunify
if should_perform_downgrade; then
# Don't remove the repository as ImunifyAV uses the same one
# Verify ImunifyAV is still installed
verify_imunify_av
log echo "Downgrade to ImunifyAV complete."
else
remove_${ostype}_repo
terminate_detached_scans
log remove_first_install_default_overrides
uninstall_plesk_extension
log echo "Uninstall complete."
fi
exit 0
fi
if [[ "$package" = "$imunify_av" ]]; then
if check_${ostype}_pkg_presence imunify360-firewall; then
log echo "You are trying to install ImunifyAV over Imunify360 that already includes it. You can open Malware Scanner via UI Imunify360 -> Malware Scanner."
exit 1
fi
if [[ "$PANEL" = "plesk" ]]; then
install_revisium_premium_marker
fi
fi
if [ "$first_install" = "true" ]; then
log echo "In a few moments the script will install latest $package" \
"package (w/dependencies)... (Ctrl-C to cancel)"
sleep 4
save_${ostype}_repo
package_version=$(get_available_${ostype}_package_version "$package")
check_exit_code 0 "Failed to get package version"
log install_${ostype}_pkgs $package
rc=$?
# try installing the config overrides regardless of the installation success
log install_first_install_default_overrides "$package" "$package_version"
# fail
if [ $rc -ne 0 ]; then
exit_with_error "Package $package $package_version was not installed."
fi
if [ "$is_cloudways" = "true" ]; then
rapid_scan_basedir_override
fi
modifying_call=true
fi
log echo "Installing ui packages..."
case "$PANEL" in
cpanel)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
directadmin)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
generic)
log check_and_install "$package" "$package_version" "imunify-ui" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
modifying_call=true
;;
plesk)
log check_and_install "$package" "$package_version" "$UI_PACKAGE" "$PANEL"
check_exit_code 0 "Failed to install $PRODUCT $PANEL plugin."
if is_debian_like; then
plugin_path="/var/imunify360/plesk/imunify-plugin.zip"
else
SYS_CONF_DIR="$(rpm --eval '%{_sysconfdir}')"
plugin_path="$SYS_CONF_DIR/sysconfig/imunify360/plesk/imunify-plugin.zip"
fi
if [ -f "$plugin_path" ]; then
log echo "Trying to install/upgrade Imunify360 Plesk extension..."
SKIP_PREINSTALL_HOOK=true log /usr/local/psa/bin/extension --upgrade "$plugin_path" || true
fi
modifying_call=true
;;
*)
log echo "UI plugin is not installed."
log echo "No supported hosted panel detected and $INTEGRATION_CONF_PATH file is missing."
install_vendors=false
;;
esac
if [ "$conversion" = "true" ] ; then
if [[ "$package" = "$imunify_av" ]]; then
# try to migrate the old patchman agent
if [[ "$migrate_patchman" = "true" ]] ; then
do_migrate_patchman
fi
if imunify-antivirus rstatus --paid >/dev/null 2>&1; then
if [ "$activationkey" == false ]; then
log echo "Already registered"
exit 0
fi
imunify-antivirus unregister >/dev/null 2>&1
fi
if [ "$activationkey" != false ] && imunify-antivirus register "$activationkey" >/dev/null 2>&1; then
log echo "Registered by key"
else
log echo "Not registered"
fi
imunify-antivirus rstatus >/dev/null 2>&1
if is_systemctl_avail; then
log systemctl start "$package"
else
log /sbin/service minidaemon start
fi
if [[ "$PANEL" = "plesk" ]]; then
remove_revisium_premium_marker
fi
fi
check_exit_code 0 "Failed to start $package service."
agent_start_success=false
if [ "$is_cloudways" != "true" ]; then
log echo "Waiting for $PRODUCT to start..."
for i in {1..10}; do
if log $COMMAND version
then
log echo "$PRODUCT is started"
agent_start_success=true
break
else
sleep 60
fi
done
if ! $agent_start_success; then
log echo "Something went wrong during $PRODUCT start up"
exit_with_error "See /var/log/imunify360/error.log for details"
fi
fi
elif ! $COMMAND rstatus >/dev/null 2>&1
then
log echo "You have to register this software with registration key:"
log echo " $script --key <key>"
fi
if $modifying_call; then
log echo "Success"
log echo "You can find complete log in $LOG_FILE"
fi
exit 0