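#!/bin/bash
# ==============================================================================
# WALLARM BULLETPROOF STEALTH DEPLOYER - V1.8 (LXC & CENTOS OPTIMIZED)
# ==============================================================================
# Features:
# - OS-agnostic binary deployment (CentOS, RHEL, Ubuntu, Debian, Alpine)
# - LXC Hardening: cgroupfs driver + VFS storage for nested container support
# - Stealth Proxy support (ct.sechpoint.app & hub.ct.sechpoint.app)
# - Comprehensive Pre-flight: EU/US cloud connectivity, CPU/RAM, Architecture
# - Reliability: Socket readiness loops, ExecStartPre cleanup, and libseccomp
# - Verification: Handshake testing, Cloud sync checks, and Attack simulation
# - Persistence: Systemd service management and log rotation
# ==============================================================================
# Review notes:
# - Trust boundary: the Docker archive is fetched from BASE_DOMAIN (a mirror, not
#   an endpoint the script shows to be Docker's own) and its contents are copied
#   into /usr/bin as root. Without a pinned digest, the integrity of the installed
#   binaries rests entirely on TLS to that host. Set DOCKER_TGZ_SHA256 (optional
#   variable introduced in this revision) to the SHA-256 you obtained from a
#   source you trust; when it is set, a mismatch aborts the install.
# - The dependency auto-fix in check_pre_flight only knows rpm/yum/dnf, so on the
#   Debian/Ubuntu/Alpine systems listed above it cannot install anything.
# - The page this script was taken from lost part of the file (see the marker
#   after setup_docker_engine). Nothing has been invented to fill that gap.
# ==============================================================================

# Color definitions
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
CYAN='\033[0;36m'
MAGENTA='\033[0;35m'
BOLD='\033[1m'
NC='\033[0m'

# SECHPOINT STEALTH CONFIGURATION
BASE_DOMAIN="ct.sechpoint.app"
HUB_DOMAIN="hub.ct.sechpoint.app"
DOCKER_VERSION="29.2.1"
LOG_FILE="/var/log/wallarm-deployment.log"

# Cloud endpoints (Wallarm documentation)
EU_DATA_NODES=("api.wallarm.com" "node-data0.eu1.wallarm.com" "node-data1.eu1.wallarm.com")
US_DATA_NODES=("us1.api.wallarm.com" "node-data0.us1.wallarm.com")

# Deployment Defaults
INSTANCE_NAME="wallarm-node"
INSTANCE_DIR="/opt/wallarm"

# --- LOGGING ENGINE ---

#######################################
# Append a timestamped record to LOG_FILE and echo a coloured copy to stdout.
# Globals:   LOG_FILE and the colour variables (read)
# Arguments: $1 - level (INFO, SUCCESS, WARNING or ERROR; any other level is
#                 written to the log file only)
#            $2 - message text (passed through echo -e, so backslash escapes
#                 inside it are interpreted)
#######################################
log_message() {
  local level="$1"
  local message="$2"
  # Declared separately so a failing date(1) is not masked by 'local'.
  local timestamp
  timestamp=$(date '+%Y-%m-%d %H:%M:%S')

  echo -e "${timestamp} [${level}] ${message}" | sudo tee -a "$LOG_FILE" > /dev/null

  case "$level" in
    "INFO") echo -e "${BLUE}${BOLD}[INFO]${NC} ${message}" ;;
    "SUCCESS") echo -e "${GREEN}${BOLD}[SUCCESS]${NC} ${message}" ;;
    "WARNING") echo -e "${YELLOW}${BOLD}[WARNING]${NC} ${message}" ;;
    "ERROR") echo -e "${RED}${BOLD}[ERROR]${NC} ${message}" ;;
  esac
}

#######################################
# Log an error, print a remediation hint and terminate the script.
# Arguments: $1 - error text
#            $2 - remediation hint shown to the operator
# Returns:   never returns; exits with status 1
#######################################
fail_with_remediation() {
  local error="$1"
  local remediation="$2"
  log_message "ERROR" "$error"
  echo -e "\n${RED}${BOLD}REMEDIATION:${NC} ${remediation}\n"
  exit 1
}

# --- PHASE 1: PRE-FLIGHT & DEPENDENCIES ---

#######################################
# Probe a list of cloud nodes over HTTPS and record the first region that answers.
# Globals:   WALLARM_API_CA (written on success)
# Arguments: $1 - region label ("EU" or "US"); $2.. - host names to probe
# Returns:   0 if a node answered, 1 otherwise
#######################################
_probe_cloud_region() {
  local region="$1"
  local node
  shift
  for node in "$@"; do
    # -I without -f: any HTTP response counts, so this proves reachability only,
    # not that the endpoint is healthy.
    if curl -IsL --connect-timeout 5 "https://$node" > /dev/null 2>&1; then
      log_message "SUCCESS" "Connected to $region Cloud node: $node"
      WALLARM_API_CA="$region"
      return 0
    fi
  done
  return 1
}

#######################################
# Pre-flight checks: root, dependencies, architecture, RAM, proxy and cloud
# reachability.
# Globals:   ARCH, D_ARCH, WALLARM_API_CA (written); BASE_DOMAIN,
#            EU_DATA_NODES, US_DATA_NODES (read)
# Returns:   exits via fail_with_remediation on a hard failure
#######################################
check_pre_flight() {
  log_message "INFO" "=== PHASE 1: PRE-FLIGHT CHECKS ==="

  if [[ $EUID -ne 0 ]]; then
    fail_with_remediation "Root privileges required" "Run as sudo."
  fi

  # Check for core utilities and auto-install on CentOS/RHEL.
  # libseccomp and procps-ng are package names, not commands, which is why both
  # rpm -q and command -v are consulted.
  log_message "INFO" "Checking system dependencies..."
  local dep
  for dep in tar gzip curl libseccomp iptables procps-ng; do
    if ! rpm -q "$dep" >/dev/null 2>&1 && ! command -v "$dep" >/dev/null 2>&1; then
      log_message "WARNING" "Missing $dep. Attempting auto-fix..."
      sudo yum install -y "$dep" || sudo dnf install -y "$dep"
    fi
  done

  # Architecture validation
  ARCH=$(uname -m)
  case "$ARCH" in
    x86_64) D_ARCH="x86_64" ;;
    aarch64) D_ARCH="aarch64" ;;
    *) fail_with_remediation "Architecture $ARCH not supported." "Use x86_64 or ARM64." ;;
  esac

  # Resource validation. The numeric guard keeps an empty or malformed value
  # (free(1) missing or printing an unexpected layout) from raising a test error.
  local total_ram
  total_ram=$(free -m | awk '/^Mem:/{print $2}')
  if [[ "$total_ram" =~ ^[0-9]+$ ]] && (( total_ram < 1500 )); then
    log_message "WARNING" "System has less than 2GB RAM ($total_ram MB). Performance may be degraded."
  fi

  # Stealth Connectivity Check
  log_message "INFO" "Verifying Stealth Proxy connectivity ($BASE_DOMAIN)..."
  if ! curl -IsL --connect-timeout 10 "https://$BASE_DOMAIN" > /dev/null; then
    fail_with_remediation "Proxy Unreachable" "Check /etc/hosts or DNS resolver for $BASE_DOMAIN"
  fi

  # Wallarm Cloud Connectivity Check: EU is always probed; US only if no region
  # has been recorded afterwards.
  log_message "INFO" "Checking Wallarm Cloud reachability..."
  _probe_cloud_region "EU" "${EU_DATA_NODES[@]}"
  if [[ -z "$WALLARM_API_CA" ]]; then
    _probe_cloud_region "US" "${US_DATA_NODES[@]}"
  fi

  if [[ -z "$WALLARM_API_CA" ]]; then
    log_message "WARNING" "Direct Wallarm Cloud access failed. Ensuring Stealth Proxy handles API calls."
  fi
}

# --- PHASE 2: DOCKER ENGINE (LXC OPTIMIZED) ---

#######################################
# Install the static Docker binaries when no working engine is present.
# Globals:   BASE_DOMAIN, DOCKER_VERSION, D_ARCH (read);
#            DOCKER_TGZ_SHA256 (read, optional expected SHA-256 of the archive)
# Returns:   0 when a functional engine already exists; exits via
#            fail_with_remediation on download, digest, extraction or copy
#            failure
#######################################
setup_docker_engine() {
  log_message "INFO" "=== PHASE 2: DOCKER ENGINE SETUP ==="

  if command -v docker >/dev/null 2>&1 && sudo docker info >/dev/null 2>&1; then
    log_message "SUCCESS" "Functional Docker Engine detected."
    return 0
  fi

  local binary_file="docker-$DOCKER_VERSION.tgz"
  local download_url="https://$BASE_DOMAIN/linux/static/stable/$D_ARCH/$binary_file"

  if [[ ! -f "/usr/bin/dockerd" ]]; then
    # Private 0700 directory instead of fixed names under /tmp: with a fixed
    # /tmp/docker, any local user could pre-create files there and have root
    # copy them into /usr/bin by the glob below.
    local workdir archive
    workdir=$(mktemp -d) \
      || fail_with_remediation "Cannot create temporary directory" "Check free space and permissions on the temporary directory."
    archive="$workdir/$binary_file"

    log_message "INFO" "Fetching binaries from $download_url"
    # --proto/--proto-redir keep -L from following a redirect down to plain HTTP.
    if ! curl -fL --proto '=https' --proto-redir '=https' "$download_url" -o "$archive"; then
      rm -rf -- "$workdir"
      fail_with_remediation "Download failed" "Check Stealth Proxy mapping."
    fi

    # Integrity check. An unset DOCKER_TGZ_SHA256 keeps the previous behaviour
    # (install unverified) but records that fact in the log.
    if [[ -n "${DOCKER_TGZ_SHA256:-}" ]]; then
      local actual_sha256
      # If sha256sum is unavailable this stays empty and the comparison fails
      # closed.
      actual_sha256=$(sha256sum "$archive" 2>/dev/null | awk '{print $1}')
      if [[ "${actual_sha256,,}" != "${DOCKER_TGZ_SHA256,,}" ]]; then
        rm -rf -- "$workdir"
        fail_with_remediation "Checksum mismatch for $binary_file" "Compare DOCKER_TGZ_SHA256 with the digest from a trusted source and re-run."
      fi
      log_message "SUCCESS" "SHA-256 of $binary_file matches DOCKER_TGZ_SHA256."
    else
      log_message "WARNING" "DOCKER_TGZ_SHA256 not set; installing $binary_file without integrity verification."
    fi

    log_message "INFO" "Extracting and installing binaries..."
    if ! tar -xzf "$archive" -C "$workdir" > /dev/null 2>&1; then
      rm -rf -- "$workdir"
      fail_with_remediation "Tar extraction failed" "Verify 'tar' is functional."
    fi

    if ! sudo cp -- "$workdir"/docker/* /usr/bin/; then
      rm -rf -- "$workdir"
      fail_with_remediation "Binary install failed" "Check free space and permissions on /usr/bin."
    fi
    rm -rf -- "$workdir"
  fi

  # LXC Hardening: Force cgroupfs and VFS
  # NOTE(review): going by the feature list in the file header, these are
  # compatibility settings for nested containers rather than hardening in the
  # security sense.
  sudo mkdir -p /etc/docker

  # ---------------------------------------------------------------------------
  # CONTENT LOST ON THE PAGE
  # From this point the heredoc bodies (daemon.json and whatever followed it),
  # the remainder of setup_docker_engine, the whole of deploy_wallarm_node and
  # the opening of the function that ends just before main are missing from the
  # page. main still calls deploy_wallarm_node and verify_deployment; neither
  # definition is present here. The surviving fragments are kept verbatim below
  # and must be restored from the original file before this script is used:
  #
  #   sudo tee /etc/docker/daemon.json > /dev/null < /dev/null < /dev/null 2>&1; then
  #     log_message "WARNING" "LXC Runtime test failed. This often indicates Cgroup issues."
  #   else
  #     log_message "SUCCESS" "Container execution test passed."
  #   fi
  #   # Persistence check
  #   if systemctl is-active --quiet docker; then
  #     log_message "SUCCESS" "Docker persistence verified via systemd."
  #   fi
  # }
  # ---------------------------------------------------------------------------
}

#######################################
# Entry point: print the banner, run the four phases in order, print a summary.
# NOTE(review): the phases' return statuses are not checked here, and the
# "COMPLETED SUCCESSFULLY" banner and the "CentOS LXC (Hardened)" platform line
# are printed unconditionally; only failures that exit via
# fail_with_remediation stop the run.
#######################################
main() {
  clear
  echo -e "${CYAN}${BOLD}╔══════════════════════════════════════════════════════════════╗${NC}"
  echo -e "${CYAN}${BOLD}║ SECHPOINT WALLARM BULLETPROOF DEPLOYER ║${NC}"
  echo -e "${CYAN}${BOLD}║ VERSION 1.8 (LXC) ║${NC}"
  echo -e "${CYAN}${BOLD}╚══════════════════════════════════════════════════════════════╝${NC}\n"

  check_pre_flight
  setup_docker_engine
  deploy_wallarm_node
  verify_deployment

  echo -e "\n${GREEN}${BOLD}=== DEPLOYMENT COMPLETED SUCCESSFULLY ===${NC}"
  echo -e "${CYAN}Log File: ${NC} $LOG_FILE"
  echo -e "${CYAN}Docker: ${NC} $(docker --version)"
  echo -e "${CYAN}Platform: ${NC} CentOS LXC (Hardened)"
  echo -e "\n${YELLOW}Next Step: Configure Wallarm API Tokens and start the container.${NC}"
}

main "$@"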