PIONEERS Cover-Your-Asterisk

Discussion in 'Developers' Corner' started by wardmundy, Oct 2, 2014.

  1. wardmundy

    wardmundy Nerd Uno

    Joined:
    Oct 12, 2007
    Messages:
    14,432
    Likes Received:
    2,450
    In light of recent security issues, we are launching the CYA development project to help identify changes in your Asterisk 11/FreePBX 2.11 setup that may be beyond your control. These changes could be the result of legitimate FreePBX updates or nefarious intrusions of one type or another.

    Currently, this app keeps track of /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus dumps of the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database (used by FreePBX and others). We may add some additional web directories as well as some Apache, FreePBX/amportal, and PHP config files as time permits. We're also simplifying the design to make it easier to turn off pieces you no longer wish to monitor. Also on the drawing board: adding periodic checking via cron, SMS or email alerts for detected changes, and off-site (secure) backups of the snapshots in tarball format (cya.tar.gz = ~75MB currently).

    INSTALLATION

    To install the latest version (0.008), log into your server as root and issue the following commands. After upgrading to a new version, ALWAYS perform Step #1 below.
    Code:
    cd /root
    wget http://incrediblepbx.com/cover-your-Asterisk.tar.gz
    tar zxvf cover-your-Asterisk.tar.gz
    rm -f cover-your-Asterisk.tar.gz
    
    OPERATION

    1. The way the latest version works is you first run /root/protect-your-ASSets.sh. It creates a new /etc/asterisk.snapshot folder (700 root only permissions) which duplicates your current /etc/asterisk, /var/www/html/admin, and /var/lib/asterisk/agi-bin directory trees plus the new Asterisk DB (astdb.sqlite3) and MySQL's asterisk database. It also creates MD5 checksums on all existing files and stores the list in /root/protect-your-ASSets.md5. All ownership, permissions, and tree structure are now preserved except for /etc/asterisk.snapshot directory itself which is restricted to root for security.

    2. Periodically, you then can run /root/check-your-ASSets.sh which creates a new checksum list based upon the current contents of /etc/asterisk, /var/www/html/admin, /var/lib/asterisk/agi-bin, MySQL's asterisk database, and the new Asterisk DB (astdb.sqlite3). This list is stored in /root/check-your-ASSets.md5. The script then compares the contents of the two checksum files and documents any changes for you to investigate. Read the following post before applying new FreePBX updates!

    HINT: diff /dirpath/filename /etc/asterisk.snapshot/dirpath/filename will tell you specifically what has been changed in any modified file. This is done automatically for the databases, but you'll need to manually do it for any other modified files of concern.

    3. When you are satisfied that the changes shown in step #2 are legit, you simply run /root/protect-your-ASSets.sh again to update the snapshot on your server.

    NOTE: Should you ever need to restore files from the snapshot to /etc/asterisk or elsewhere, remember to copy the files back into place using cp -p to preserve ownership and permissions.
    Code:
    cp -p /etc/asterisk.snapshot/etc/asterisk/filename /etc/asterisk/filename
    amportal restart
    For the /var/www/html/admin directory tree, use similar commands:
    Code:
    cp -p /etc/asterisk.snapshot/var/www/html/admin/dirtree/filename /var/www/html/admin/dirtree/filename
    WARNING: Both scripts have the MySQL root password hard-coded as passw0rd. You'll need to manually change it on the Raspberry Pi and BeagleBoneBlack to: raspberry (for both!).

    SAMPLE OUTPUT

    Here is a sample listing from running check-your-ASSets.sh after changing a couple of files and deleting one:
    Code:
    Checksumming current /etc/asterisk files...
    Checksumming current /var/www/html/admin directory tree and files...
    Checking for new file changes...
    MISMATCH: 9cef544d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
    MISMATCH: cc506788b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
    MISMATCH: dd7f4b10459818b2aa76c69b2e7dddc1  /etc/asterisk/308.inc
    Checking for old file changes...
    MISMATCH: 9cef533d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
    MISMATCH: cc506733b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
    grep: /etc/asterisk/modules.conf.2.8.0-1.bak: No such file or directory
    MISMATCH: 3306a3d98fcdfb61e0ac7ea852d7ee09  /etc/asterisk/modules.conf.2.8.0-1.bak
    Processing diff analysis of checksum files...
    3c3
    < 9cef544d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
    ---
    > 9cef533d8e7ef96677659b413d29cd38  /etc/asterisk/212.inc
    11c11
    < cc506788b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
    ---
    > cc506733b8b5d58365c64a3761729df1  /etc/asterisk/221.inc
    19,20d18
    < dd7f4b10459818b2aa76c69b2e7dddc1  /etc/asterisk/308.inc
    <
    289a288,289
    > 3306a3d98fcdfb61e0ac7ea852d7ee09  /etc/asterisk/modules.conf.2.8.0-1.bak
    >
    Asterisk DB changes, if any:
    MySQL asterisk database changes, if any:
    Done.
    
    A clean bill of health running check-your-ASSets.sh would look like this:
    Code:
    Checksumming current /etc/asterisk files...
    Checksumming current /var/www/html/admin directory tree and files...
    Checking for new file changes...
    Checking for old file changes...
    Processing diff analysis of checksum files...
    Asterisk DB changes, if any:
    MySQL asterisk database changes, if any:
    Done.
    
    SUGGESTIONS

    Suggestions for additions/improvements are welcomed as well as identification of any bugs. Thanks.

    Today on Nerd Vittles...

    Zero Day Vulnerability Protection and More: Introducing Cover Your Asterisk
     
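    The protect/check cycle from steps 1 to 3 above, as an added shell illustration that is not the Cover Your Asterisk scripts themselves; it assumes GNU find, sort, awk and sha256sum are present, and it uses SHA-256 where the original uses MD5:

```shell
#!/bin/sh
# Added illustration of the snapshot-and-compare idea behind
# protect-your-ASSets.sh / check-your-ASSets.sh; not the project's code.
# Uses sha256sum where the originals use MD5: both catch accidental edits,
# but MD5 is not collision resistant, so SHA-256 is the safer baseline.

# make_manifest DIR OUTFILE: one "hash  path" line per regular file under
# DIR, sorted by path so two manifests line up for comparison.
make_manifest() {
    find "$1" -type f -exec sha256sum {} + | LC_ALL=C sort -k2 > "$2"
}

# compare_manifests OLD NEW: print MISMATCH / NEW / MISSING lines and
# return 0 only when the two manifests agree. Every file is matched by
# path, so an added or deleted file is named outright instead of only
# appearing as a diff hunk of the two checksum lists.
compare_manifests() {
    old=$1; new=$2; changed=0
    while read -r hash path; do
        oldhash=$(awk -v p="$path" '$2 == p { print $1 }' "$old")
        if [ -z "$oldhash" ]; then
            echo "NEW:      $path"; changed=1
        elif [ "$oldhash" != "$hash" ]; then
            echo "MISMATCH: $path"; changed=1
        fi
    done < "$new"
    while read -r hash path; do
        awk -v p="$path" '$2 == p { f = 1 } END { exit !f }' "$new" ||
            { echo "MISSING:  $path"; changed=1; }
    done < "$old"
    return $changed
}

# demo: constructed sample tree (not real config) exercising all three
# outcomes: one file edited, one added, one deleted after the baseline.
# Prints the report; exit status 1 means changes were found.
demo() {
    work=$(mktemp -d); cfg=$work/etc/asterisk
    mkdir -p "$cfg"
    echo "exten => 212,1,Dial(SIP/212)" > "$cfg/212.inc"
    echo "exten => 221,1,Dial(SIP/221)" > "$cfg/221.inc"
    make_manifest "$cfg" "$work/baseline.sha256"        # protect step
    echo "exten => 212,1,Dial(SIP/999)" > "$cfg/212.inc" # edited
    echo "exten => 300,1,Hangup()" > "$cfg/300.inc"      # added
    rm "$cfg/221.inc"                                    # deleted
    make_manifest "$cfg" "$work/current.sha256"         # check step
    if compare_manifests "$work/baseline.sha256" "$work/current.sha256"
    then rc=0; else rc=1; fi
    rm -rf "$work"; return $rc
}
```

    Running demo prints one MISMATCH, one NEW and one MISSING line and exits 1; a run over an untouched tree prints nothing and exits 0, which is what a cron job would key its alerting on.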
  2. wardmundy

    This will require a change in discipline obviously. What we would recommend is to run check-your-ASSets.sh before and after making changes in FreePBX. On most production systems, these are not daily occurrences. The time to run the scripts is less than 10 seconds so it's not overly burdensome. Once you're sure that updates did what you expected, you can refresh the snapshot by rerunning protect-your-ASSets.sh.
     
  3. wardmundy

    p.s. Obviously, imparting the wisdom of what should change and what was actually changed would be desirable. We're still thinking about that. Suggestions are more than welcome. One of my concerns with WebMin is all of the under-the-covers stuff that goes on. This obviously applies with FreePBX as well. Documentation goes a long way toward eliminating anxiety, but we also appreciate the costs and time constraints.
     
  4. wardmundy

    Anything ARI could change would obviously warrant a careful look.

    Version .002 (and above) now adds Asterisk DB protection to the equation for Asterisk 11 and beyond.
     
  5. wardmundy

    Version 0.005 adds a dump of MySQL's asterisk database to the collection. This covers all of the FreePBX stuff stored in MySQL except for CDR logs.
     
  6. wardmundy

    Version 0.007 reworks the directory structure for /etc/asterisk.snapshot to exactly match where the snapshot files came from. For example, you'll find the /etc/asterisk snapshot in /etc/asterisk.snapshot/etc/asterisk. All ownership and permissions in the snapshot now are identical to their source with the exception of the main /etc/asterisk.snapshot directory itself. It is only accessible by root. This keeps everyone other than root out of the entire snapshot directory tree without damaging any of the permissions of the individual files and folders. This in turn simplifies restoration using cp -p which will preserve ownership and permissions of individual files and directories in the snapshot. It also gets things better organized for future additions.

    See the first post for some major changes in future direction.
     
  7. wardmundy

    Version 0.008 adds /var/lib/asterisk/agi-bin to the collection.