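# Security tool definitions for the Setec Manager
# Each entry provides check/install/scan/uninstall command strings
# that app.py executes via ssh_run()
#
# Entry keys (every entry carries all seven):
#   name      - display name of the tool
#   desc      - one-line description shown to the operator
#   cat       - category key; must be a key of CATEGORIES below
#   check     - command used to detect whether the tool is present
#               (presumably by exit status / output; confirm in app.py)
#   install   - command string that installs and, where applicable,
#               enables and starts the tool
#   scan      - command string that runs the tool; most pipe through
#               tail/head so the SSH response stays small
#   uninstall - command string that removes the tool and its data
#
# Assumptions baked into the commands (not verified here):
#   - Debian/Ubuntu host (apt-get, systemctl, /etc/nginx layout)
#   - executed with root privileges via ssh_run()
#   - "&&" chains stop on the first failure; ";" is used deliberately
#     for best-effort steps (stopping a service or deleting a user
#     that may not exist) so the chain continues afterwards
#   - heredocs and multi-line strings rely on a bash-compatible remote
#     shell; OSSEC's "echo -e" in particular is not POSIX sh behaviour
#     (TODO confirm the shell ssh_run() invokes)

SECURITY_APPS = [
    {
        "name": "ClamAV",
        "desc": "Open-source antivirus engine for detecting trojans, viruses, malware",
        "cat": "antivirus",
        "check": "clamdscan --version 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y clamav clamav-daemon 2>&1 && "
            # freshclam's updater service must be stopped before a manual
            # freshclam run, otherwise the log/lock is held by the daemon
            "systemctl stop clamav-freshclam 2>/dev/null; "
            "freshclam 2>&1 && "
            "systemctl enable clamav-freshclam 2>&1 && "
            "systemctl start clamav-freshclam 2>&1 && "
            "systemctl enable clamav-daemon 2>&1 && "
            "systemctl start clamav-daemon 2>&1 && "
            "echo 'ClamAV installed and running'"
        ),
        # -i prints infected files only; --bell is a no-op over SSH but harmless
        "scan": "clamscan -r --bell -i /var/www /home /tmp 2>&1 | tail -30",
        "uninstall": (
            "systemctl stop clamav-daemon clamav-freshclam 2>/dev/null; "
            "systemctl disable clamav-daemon clamav-freshclam 2>/dev/null; "
            "apt-get remove -y clamav clamav-daemon clamav-freshclam 2>&1 && "
            "apt-get autoremove -y 2>&1 && "
            "echo 'ClamAV removed'"
        ),
    },
    {
        "name": "rkhunter",
        "desc": "Rootkit detection tool - scans for rootkits, backdoors, and local exploits",
        "cat": "rootkit",
        "check": "rkhunter --version 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y rkhunter 2>&1 && "
            "rkhunter --update 2>&1 && "
            # --propupd records the current file properties as the baseline;
            # only meaningful if the host is trusted to be clean at this point
            "rkhunter --propupd 2>&1 && "
            "echo 'rkhunter installed and database initialized'"
        ),
        # not bounded with tail: --report-warnings-only already keeps output short
        "scan": "rkhunter --check --skip-keypress --report-warnings-only 2>&1",
        "uninstall": (
            "apt-get remove -y rkhunter 2>&1 && "
            "apt-get autoremove -y 2>&1 && "
            "echo 'rkhunter removed'"
        ),
    },
    {
        "name": "chkrootkit",
        "desc": "Another rootkit detection tool - checks for signs of rootkits on the system",
        "cat": "rootkit",
        "check": "chkrootkit -V 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y chkrootkit 2>&1 && "
            "echo 'chkrootkit installed'"
        ),
        # drop the "not found"/"nothing found" lines so only findings remain
        "scan": "chkrootkit 2>&1 | grep -v 'not found' | grep -v 'nothing found' | tail -40",
        "uninstall": (
            "apt-get remove -y chkrootkit 2>&1 && "
            "apt-get autoremove -y 2>&1 && "
            "echo 'chkrootkit removed'"
        ),
    },
    {
        "name": "Lynis",
        "desc": "Security auditing tool - comprehensive system hardening scanner",
        "cat": "audit",
        "check": "lynis --version 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y lynis 2>&1 && "
            "echo 'Lynis installed'"
        ),
        "scan": "lynis audit system --quick --no-colors 2>&1 | tail -80",
        "uninstall": (
            "apt-get remove -y lynis 2>&1 && "
            "apt-get autoremove -y 2>&1 && "
            "echo 'Lynis removed'"
        ),
    },
    {
        "name": "OSSEC",
        "desc": "Host-based intrusion detection system (HIDS) - log analysis, integrity checking, rootkit detection",
        "cat": "ids",
        "check": "/var/ossec/bin/ossec-control status 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y build-essential make gcc libevent-dev zlib1g-dev "
            "libssl-dev libpcre2-dev wget 2>&1 && "
            "cd /tmp && "
            # NOTE(review): source tarball is fetched over HTTPS but no checksum
            # or signature is verified before it is built and run as root.
            # TODO verify a published digest for this release before extracting.
            "wget -q https://github.com/ossec/ossec-hids/archive/refs/tags/3.7.0.tar.gz -O ossec-3.7.0.tar.gz 2>&1 && "
            "tar xzf ossec-3.7.0.tar.gz 2>&1 && "
            "cd ossec-hids-3.7.0 && "
            # answers for install.sh's prompts: default language, "local" mode,
            # default install dir, two log files, then defaults for the rest
            "echo -e '\\nlocal\\n\\n/var/log/syslog\\n/var/log/auth.log\\n\\n\\n\\n\\n' "
            "| ./install.sh 2>&1 && "
            "/var/ossec/bin/ossec-control start 2>&1 && "
            "rm -rf /tmp/ossec-3.7.0.tar.gz /tmp/ossec-hids-3.7.0 && "
            "echo 'OSSEC HIDS installed in local mode and started'"
        ),
        "scan": (
            "/var/ossec/bin/ossec-control status 2>&1 && "
            "echo '' && echo '=== RECENT ALERTS ===' && "
            "tail -30 /var/ossec/logs/alerts/alerts.log 2>/dev/null || echo 'No alerts yet'"
        ),
        "uninstall": (
            "/var/ossec/bin/ossec-control stop 2>/dev/null; "
            "rm -rf /var/ossec 2>&1 && "
            # install.sh creates these accounts; each delete is best-effort
            "userdel ossec 2>/dev/null; userdel ossecm 2>/dev/null; userdel ossecr 2>/dev/null; "
            "groupdel ossec 2>/dev/null; "
            "echo 'OSSEC removed'"
        ),
    },
    {
        "name": "ModSecurity",
        "desc": "Web Application Firewall (WAF) for Nginx - OWASP Core Rule Set",
        "cat": "waf",
        # NOTE(review): "nginx -V" lists compile-time configure flags; the
        # install below adds ModSecurity as a distro package, which may not
        # show up there. Confirm this check reports the tool after install.
        "check": "nginx -V 2>&1 | grep -i modsecurity",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            # git (CRS clone) and wget (config fallback) are used further down
            # but were not installed, so the chain would fail on a host that
            # lacks them; both are added to the primary and fallback package sets
            "DEBIAN_FRONTEND=noninteractive apt-get install -y git wget libmodsecurity3 libmodsecurity-dev "
            "nginx-module-modsecurity 2>&1 || "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y git wget libmodsecurity3 2>&1 && "
            "mkdir -p /etc/nginx/modsec && "
            # prefer the packaged recommended config; fall back to upstream's copy
            "cp /etc/modsecurity/modsecurity.conf-recommended /etc/nginx/modsec/modsecurity.conf 2>/dev/null || "
            "wget -q https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended "
            "-O /etc/nginx/modsec/modsecurity.conf 2>&1 && "
            # switch the engine from detection-only to blocking mode
            "sed -i 's/SecRuleEngine DetectionOnly/SecRuleEngine On/' /etc/nginx/modsec/modsecurity.conf && "
            "cd /etc/nginx/modsec && "
            # NOTE(review): CRS is cloned at the branch HEAD, not a release tag,
            # so the rule set is not reproducible between installs. TODO pin a tag.
            "git clone --depth 1 https://github.com/coreruleset/coreruleset.git owasp-crs 2>&1 && "
            "cp owasp-crs/crs-setup.conf.example owasp-crs/crs-setup.conf && "
            "cat > /etc/nginx/modsec/main.conf << 'MODSECEOF'\n"
            "Include /etc/nginx/modsec/modsecurity.conf\n"
            "Include /etc/nginx/modsec/owasp-crs/crs-setup.conf\n"
            "Include /etc/nginx/modsec/owasp-crs/rules/*.conf\n"
            "MODSECEOF\n"
            "echo 'ModSecurity installed with OWASP CRS. Add modsecurity on; modsecurity_rules_file /etc/nginx/modsec/main.conf; to your nginx server blocks.'"
        ),
        "scan": "tail -30 /var/log/modsec_audit.log 2>/dev/null || echo 'No ModSecurity logs yet'",
        "uninstall": (
            "rm -rf /etc/nginx/modsec 2>&1 && "
            "apt-get remove -y libmodsecurity3 nginx-module-modsecurity 2>/dev/null; "
            "apt-get autoremove -y 2>&1 && "
            "echo 'ModSecurity removed - remember to remove modsecurity directives from nginx configs'"
        ),
    },
    {
        "name": "AIDE",
        "desc": "Advanced Intrusion Detection Environment - file integrity monitoring",
        "cat": "integrity",
        "check": "aide --version 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y aide 2>&1 && "
            "aideinit 2>&1 && "
            # aideinit writes aide.db.new (plain or gzipped depending on the
            # package config); promote whichever exists to the live database
            "cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db 2>/dev/null || "
            "cp /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 2>/dev/null && "
            "echo 'AIDE installed and database initialized. Run scan to check for changes.'"
        ),
        "scan": "aide --check 2>&1 | tail -40",
        "uninstall": (
            "apt-get remove -y aide 2>&1 && "
            "apt-get autoremove -y 2>&1 && "
            "rm -rf /var/lib/aide 2>/dev/null; "
            "echo 'AIDE removed'"
        ),
    },
    {
        "name": "Cowrie",
        "desc": "SSH/Telnet honeypot - logs brute force attacks and attacker shell interactions",
        "cat": "honeypot",
        "check": "systemctl is-active cowrie 2>/dev/null",
        "install": (
            "DEBIAN_FRONTEND=noninteractive apt-get update -qq && "
            "DEBIAN_FRONTEND=noninteractive apt-get install -y git python3-venv python3-dev "
            "libssl-dev libffi-dev build-essential 2>&1 && "
            # dedicated unprivileged service account; skip creation if it exists
            "id cowrie >/dev/null 2>&1 || useradd -r -m -d /opt/cowrie -s /bin/bash cowrie && "
            "cd /opt/cowrie && "
            # NOTE(review): cloned at HEAD rather than a release tag; TODO pin a tag
            "if [ ! -d /opt/cowrie/cowrie-git ]; then "
            "  sudo -u cowrie git clone https://github.com/cowrie/cowrie.git cowrie-git 2>&1; "
            "fi && "
            "cd /opt/cowrie/cowrie-git && "
            "sudo -u cowrie python3 -m venv cowrie-env 2>&1 && "
            "sudo -u cowrie ./cowrie-env/bin/pip install --upgrade pip 2>&1 && "
            "sudo -u cowrie ./cowrie-env/bin/pip install -r requirements.txt 2>&1 && "
            "sudo -u cowrie cp etc/cowrie.cfg.dist etc/cowrie.cfg && "
            # uncomment the listen endpoint if it is commented out in the dist config
            "sudo -u cowrie sed -i 's/^#\\?listen_endpoints = tcp:2222/listen_endpoints = tcp:2222/' etc/cowrie.cfg && "
            "cat > /etc/systemd/system/cowrie.service << 'COWRIEEOF'\n"
            "[Unit]\n"
            "Description=Cowrie SSH/Telnet Honeypot\n"
            "After=network.target\n"
            "\n"
            "[Service]\n"
            "Type=simple\n"
            "User=cowrie\n"
            "Group=cowrie\n"
            "WorkingDirectory=/opt/cowrie/cowrie-git\n"
            "ExecStart=/opt/cowrie/cowrie-git/cowrie-env/bin/python /opt/cowrie/cowrie-git/bin/cowrie start -n\n"
            "Restart=on-failure\n"
            "\n"
            "[Install]\n"
            "WantedBy=multi-user.target\n"
            "COWRIEEOF\n"
            "systemctl daemon-reload 2>&1 && "
            "systemctl enable cowrie 2>&1 && "
            "systemctl start cowrie 2>&1 && "
            "echo 'Cowrie honeypot installed and listening on port 2222. "
            "Consider redirecting port 22 traffic with: iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222'"
        ),
        "scan": (
            "echo '=== COWRIE STATUS ===' && "
            "systemctl status cowrie --no-pager 2>&1 | head -10 && "
            "echo '' && echo '=== RECENT HONEYPOT ACTIVITY ===' && "
            # log location differs between cowrie layouts; try both before giving up
            "tail -50 /opt/cowrie/cowrie-git/var/log/cowrie/cowrie.log 2>/dev/null || "
            "tail -50 /opt/cowrie/var/log/cowrie/cowrie.log 2>/dev/null || "
            "echo 'No honeypot logs yet'"
        ),
        "uninstall": (
            "systemctl stop cowrie 2>/dev/null; "
            "systemctl disable cowrie 2>/dev/null; "
            "rm -f /etc/systemd/system/cowrie.service && "
            "systemctl daemon-reload 2>&1 && "
            "rm -rf /opt/cowrie 2>&1 && "
            "userdel -r cowrie 2>/dev/null; "
            "echo 'Cowrie removed'"
        ),
    },
]

# Human-readable labels for the "cat" values used in SECURITY_APPS;
# every "cat" above must appear here.
CATEGORIES = {
    "antivirus": "Antivirus",
    "rootkit": "Rootkit Detection",
    "audit": "Security Auditing",
    "ids": "Intrusion Detection",
    "waf": "Web Application Firewall",
    "integrity": "File Integrity",
    "honeypot": "Honeypot",
}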