authormesmer2023-12-15 02:22:01 -0300
committermesmer2023-12-15 02:23:05 -0300
commit2d34ff69b764741c2206e50c4406c2168e6c76bc (patch)
treef57159c6b45dbb84f6cd34c456ce3ec9e5820801
v23.3.2.12
-rw-r--r--.SRCINFO15
-rw-r--r--PKGBUILD28
-rw-r--r--sentinelagent.install467
3 files changed, 510 insertions, 0 deletions
diff --git a/.SRCINFO b/.SRCINFO
new file mode 100644
index 000000000000..c6548bcdcefb
--- /dev/null
+++ b/.SRCINFO
@@ -0,0 +1,15 @@
+pkgbase = sentinelagent
+ pkgdesc = SentinelOne | Next-Generation Endpoint Protection Software.
+ pkgver = 23.3.2.12
+ pkgrel = 1
+ install = sentinelagent.install
+ arch = i686
+ arch = x86_64
+ groups =
+ license =
+ depends = kmod
+ depends = zlib
+ options = !strip
+ options = !emptydirs
+
+pkgname = sentinelagent
diff --git a/PKGBUILD b/PKGBUILD
new file mode 100644
index 000000000000..9906b938285d
--- /dev/null
+++ b/PKGBUILD
@@ -0,0 +1,28 @@
+# Generated by debtap
+# Maintainer: sentinel-agent
+# Contributor: sentinel-agent
+pkgname=sentinelagent
+pkgver=23.3.2.12
+pkgrel=1
+pkgdesc="SentinelOne | Next-Generation Endpoint Protection Software."
+arch=('i686' 'x86_64')
+url=""
+license=('')
+groups=('')
+depends=('kmod' 'zlib')
+options=('!strip' '!emptydirs')
+install=${pkgname}.install
+source_x86_64=()
+sha512sums_x86_64=()
+
+package(){
+
+ tar -xJ -f data.tar.xz -C "${pkgdir}"
+
+ install -D -m0644 ${pkgdir}/opt/sentinelone/configuration/sentinelone.service "${pkgdir}/usr/lib/systemd/system/sentinelone.service"
+
+ mkdir -p ${pkgdir}/usr/bin/
+ ln -s /opt/sentinelone/bin/sentinelctl ${pkgdir}/usr/bin/sentinelctl
+
+
+}
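Review bot: `package()` unpacks `data.tar.xz`, but `source_x86_64=()` and `sha512sums_x86_64=()` are empty, so makepkg neither fetches nor verifies the archive, and whatever file of that name sits in the build directory is packaged and installed system-wide. List the vendor package in `source_x86_64=('<vendor-package-file>')` with its digest in `sha512sums_x86_64=('<sha512-of-that-file>')` (placeholders; the real file name and hash are not on this page). `arch` also advertises `i686` although only an x86_64 source array exists. `${pkgdir}` is unquoted in the `install`, `mkdir` and `ln` lines, which breaks on a build path containing spaces; write `"${pkgdir}/usr/bin/sentinelctl"` and quote the others the same way.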
diff --git a/sentinelagent.install b/sentinelagent.install
new file mode 100644
index 000000000000..c11a94007f09
--- /dev/null
+++ b/sentinelagent.install
@@ -0,0 +1,467 @@
+umask 0022
+sentinel_name="sentinelone"
+group_name="${sentinel_name}"
+user_name="${group_name}"
+
+agent_directory="/opt/sentinelone"
+binaries_directory=${agent_directory}/bin
+home_directory=${agent_directory}/home
+configuration_directory=${agent_directory}/configuration
+crash_dumps_directory=${agent_directory}/crash_dumps
+current_crash_dumps_directory=${crash_dumps_directory}/.current
+tracefs_path=${agent_directory}/mount
+cgroups_directory=${agent_directory}/cgroups/memory
+
+agent_binary="sentinelone-agent"
+
+default_no_login_location="/usr/sbin/nologin"
+
+installation_persistent_configuration=${configuration_directory}/install_config
+installation_persistent_configuration_post_uninst="/tmp/install_config"
+
+s1_agent_management_proxy="undefined"
+s1_agent_management_url="undefined"
+s1_agent_dv_proxy="undefined"
+s1_agent_management_token="undefined"
+s1_agent_device_type="undefined"
+s1_agent_auto_start="undefined"
+s1_agent_customer_id="undefined"
+s1_agent_package_was_repacked="undefined"
+s1_agent_create_user="undefined"
+s1_agent_custom_install_path="undefined"
+s1_agent_should_register_service="undefined"
+s1_agent_fips_enabled="undefined"
+
+shell_rc_files=(".profile" ".login" ".shrc" ".bashrc" ".zshrc" ".tcshrc" ".kshrc")
+
+root_files_folders=("home" "bin" "lib" "configuration/sentineld" "configuration/sentinelone.service" "ebpfs")
+
+
+register_service() {
+ service_type="systemd"
+ "${binaries_directory}/sentinelctl" control set-service-type ${service_type}
+}
+
+
+assert_user_access() {
+ command -v setpriv > /dev/null 2>&1
+ if [[ $? -ne 0 ]]; then
+ return
+ fi
+
+ uid=`id --user $1`
+ gid=`id --group $1`
+
+ setpriv --reuid $uid --regid $gid --clear-groups /bin/sh -c exit 0 > /dev/null 2>&1
+ if [[ $? -ne 0 ]]; then
+ return
+ fi
+
+ setpriv --reuid $uid --regid $gid --clear-groups ls $2 > /dev/null 2>&1
+ if [[ $? -ne 0 ]]; then
+ exit 110
+ fi
+}
+
+read_env_var() {
+ ret_value="undefined"
+ if [[ $# -ne 1 ]] ; then
+ return
+ fi
+ env_var_name=${1}
+ s1_var="${!env_var_name}"
+
+ if [[ ! -z ${s1_var} ]]; then
+ ret_value="${s1_var}"
+ fi
+}
+
+read_config_from_file() {
+ ret_value="undefined"
+ if [[ $# -ne 2 ]] ; then
+ return
+ fi
+ if [[ -f "${2}" ]]; then
+ result=$(grep "${1}" "${2}")
+
+ value=$(echo "$result" | tail -1 | cut -d= -f2-)
+ if [[ $value != "" ]]; then
+ ret_value=$value
+ fi
+ fi
+}
+
+
+
+read_configs(){
+ if [[ $# -ne 2 && $# -ne 1 ]]; then
+ return
+ fi
+ if [[ "${1}" == "config_file" ]]; then
+ if [[ $# -ne 2 ]] ; then
+ return
+ fi
+ read_config_from_file "S1_AGENT_MANAGEMENT_PROXY" "${2}"
+ s1_agent_management_proxy=$ret_value
+ read_config_from_file "S1_AGENT_DV_PROXY" "${2}"
+ s1_agent_dv_proxy=$ret_value
+ read_config_from_file "S1_AGENT_MANAGEMENT_URL" "${2}"
+ s1_agent_management_url=$ret_value
+ read_config_from_file "S1_AGENT_MANAGEMENT_TOKEN" "${2}"
+ s1_agent_management_token=$ret_value
+ read_config_from_file "S1_AGENT_DEVICE_TYPE" "${2}"
+ s1_agent_device_type=$ret_value
+ read_config_from_file "S1_AGENT_AUTO_START" "${2}"
+ s1_agent_auto_start=$ret_value
+ read_config_from_file "S1_AGENT_CUSTOMER_ID" "${2}"
+ s1_agent_customer_id=$ret_value
+ read_config_from_file "S1_AGENT_CREATE_USER" "${2}"
+ s1_agent_create_user=$ret_value
+ read_config_from_file "S1_AGENT_CUSTOM_INSTALL_PATH" "${2}"
+ s1_agent_custom_install_path=$ret_value
+ read_config_from_file "S1_AGENT_SHOULD_REGISTER_SERVICE" "${2}"
+ s1_agent_should_register_service=$ret_value
+ read_config_from_file "S1_AGENT_FIPS_ENABLED" "${2}"
+ s1_agent_fips_enabled=$ret_value
+ else
+ read_env_var "S1_AGENT_MANAGEMENT_PROXY"
+ s1_agent_management_proxy=$ret_value
+ read_env_var "S1_AGENT_DV_PROXY"
+ s1_agent_dv_proxy=$ret_value
+ read_env_var "S1_AGENT_MANAGEMENT_URL"
+ s1_agent_management_url=$ret_value
+ read_env_var "S1_AGENT_MANAGEMENT_TOKEN"
+ s1_agent_management_token=$ret_value
+ read_env_var "S1_AGENT_DEVICE_TYPE"
+ s1_agent_device_type=$ret_value
+ read_env_var "S1_AGENT_AUTO_START"
+ s1_agent_auto_start=$ret_value
+ read_env_var "S1_AGENT_CUSTOMER_ID"
+ s1_agent_customer_id=$ret_value
+ read_env_var "S1_AGENT_CREATE_USER"
+ s1_agent_create_user=$ret_value
+ read_env_var "S1_AGENT_CUSTOM_INSTALL_PATH"
+ s1_agent_custom_install_path=$ret_value
+ read_env_var "S1_AGENT_SHOULD_REGISTER_SERVICE"
+ s1_agent_should_register_service=$ret_value
+ read_env_var "S1_AGENT_FIPS_ENABLED"
+ s1_agent_fips_enabled=$ret_value
+ fi
+
+ s1_agent_auto_start=$(echo -n "$s1_agent_auto_start" | tr -d '[:space:]')
+ s1_agent_should_register_service=$(echo -n "$s1_agent_should_register_service" | tr -d '[:space:]')
+ s1_agent_fips_enabled=$(echo -n "$s1_agent_fips_enabled" | tr -d '[:space:]')
+}
+
+__read_configs()
+{
+
+ if [[ ! -z "${S1_AGENT_INSTALL_CONFIG_PATH}" ]]; then
+ if [[ -f "${S1_AGENT_INSTALL_CONFIG_PATH}" ]]; then
+ read_configs "config_file" "${S1_AGENT_INSTALL_CONFIG_PATH}"
+ fi
+ else
+ read_configs "env_var"
+ fi
+}
+
+write_config_to_file () {
+ if [[ $# -ne 3 ]]; then
+ return
+ fi
+
+ if [[ "${1}" != "undefined" && "${1}" != "" ]]; then
+ echo "${2}=${1}" >> ${3}
+ fi
+}
+
+write_configs (){
+ echo "" > ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_management_proxy} "S1_AGENT_MANAGEMENT_PROXY" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_dv_proxy} "S1_AGENT_DV_PROXY" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_management_url} "S1_AGENT_MANAGEMENT_URL" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_management_token} "S1_AGENT_MANAGEMENT_TOKEN" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_device_type} "S1_AGENT_DEVICE_TYPE" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_auto_start} "S1_AGENT_AUTO_START" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_customer_id} "S1_AGENT_CUSTOMER_ID" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_create_user} "S1_AGENT_CREATE_USER" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_custom_install_path} "S1_AGENT_CUSTOM_INSTALL_PATH" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_should_register_service} "S1_AGENT_SHOULD_REGISTER_SERVICE" ${installation_persistent_configuration}
+ write_config_to_file ${s1_agent_fips_enabled} "S1_AGENT_FIPS_ENABLED" ${installation_persistent_configuration}
+}
+
+
+get_nologin() {
+ if command -v which > /dev/null 2>&1; then
+ no_login=$(which nologin)
+ else
+ no_login="$default_no_login_location"
+ fi
+}
+
+create_user() {
+ get_nologin
+ id -u $user_name &>/dev/null || useradd -r -U -d "${home_directory}" -s "${no_login}" "${user_name}"
+ getent group ${group_name} &> /dev/null || groupadd ${group_name}
+}
+
+create_symlink() {
+ if [ ! -d "$1" ]; then
+ mkdir -p "$1"
+ fi
+
+ base_dir="${agent_directory%/*}"
+
+ if [ ! -d "$base_dir" ]; then
+ mkdir -p "$base_dir"
+ fi
+
+ assert_user_access ${user_name} "$1"
+ ln -s "$1" "$agent_directory"
+}
+
+
+pre_install() {
+
+ __read_configs
+ apply_config_on_agent
+ create_user
+
+}
+
+apply_config_on_agent() {
+ if [[ "${s1_agent_custom_install_path}" != "undefined" ]]; then
+ create_symlink "${s1_agent_custom_install_path}"
+ fi
+}
+
+
+pre_upgrade() {
+ read_configs "config_file" "${installation_persistent_configuration}"
+ umount "${agent_directory}/mount" > /dev/null 2> /dev/null
+ umount "${agent_directory}/rpm_mount" > /dev/null 2> /dev/null
+ create_user
+}
+
+
+
+apply_config_on_agent_post() {
+ if [[ "${s1_agent_management_proxy}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management proxy set "${s1_agent_management_proxy}"
+ fi
+
+ if [[ "${s1_agent_dv_proxy}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management dv proxy set "${s1_agent_dv_proxy}"
+ fi
+
+ if [[ "${s1_agent_management_token}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management token set "${s1_agent_management_token}"
+ fi
+
+ if [[ "${s1_agent_management_url}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management url set "${s1_agent_management_url}"
+ fi
+
+ if [[ "${s1_agent_device_type}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management type set "${s1_agent_device_type}"
+ fi
+
+ if [[ "${s1_agent_customer_id}" != "undefined" ]]; then
+ "${binaries_directory}/sentinelctl" management customer_id set "${s1_agent_customer_id}"
+ fi
+
+ if [[ "${s1_agent_fips_enabled}" == "true" ]]; then
+ "${binaries_directory}/sentinelctl" fips enable
+ fi
+
+ if [[ "${s1_agent_auto_start}" == "true" ]]; then
+ "${binaries_directory}/sentinelctl" control start
+ fi
+}
+
+
+post_install() {
+
+ __read_configs
+ write_configs
+
+ disable_account_login
+ register_service
+ fix_root_owner
+ create_folders
+
+ validate_desktop
+
+ apply_config_on_agent_post
+
+
+ systemctl enable --now sentinelone
+
+}
+
+create_folders(){
+
+ mkdir ${cgroups_directory} -p
+ mkdir ${current_crash_dumps_directory} -p
+ mkdir ${tracefs_path} -p
+
+}
+
+post_upgrade() {
+ read_configs "config_file" "${installation_persistent_configuration}"
+
+ create_folders
+ disable_account_login
+ register_service
+ fix_root_owner
+ systemctl enable --now sentinelone
+
+}
+
+enable_crash_dumps() {
+ chmod g+r+x "${binaries_directory}"
+ chmod g+r "${binaries_directory}/${agent_binary}"
+}
+
+fix_root_owner() {
+ chown ${user_name}:${group_name} "${agent_directory}/" -R
+ for ((i = 0; i<${#root_files_folders[@]}; i++)); do
+ chown -R root:root "${agent_directory}/${root_files_folders[$i]}"
+ done
+ enable_crash_dumps
+}
+
+disable_account_login() {
+ for ((i = 0; i<${#shell_rc_files[@]}; i++)); do
+ rm -f "${home_directory}/${shell_rc_files[$i]}"
+ ln -s "${home_directory}/login.sh" "${home_directory}/${shell_rc_files[$i]}"
+ done
+}
+
+
+validate_desktop() {
+ if [ -f "/etc/os-release" ]; then
+ if grep -q -i "desktop" "/etc/os-release"; then
+ "${binaries_directory}"/sentinelctl management type set desktop > /dev/null 2>&1
+ fi
+
+ if grep -q -i "workstation" "/etc/os-release"; then
+ "${binaries_directory}"/sentinelctl management type set desktop > /dev/null 2>&1
+ fi
+ fi
+}
+
+remove_kprobes() {
+ kprobe_names=(
+ "s1chdirenter"
+ "s1dsoenter"
+ "s1fcreate"
+ "s1unlinkenter"
+ "s1unlinkatenter"
+ "s1dounlinkatenter"
+ "s1dounlinkatexit"
+ "s1renameenter"
+ "s1renameatenter"
+ "s1renameat2enter"
+ "s1dorenameat2enter"
+ "s1dorenameat2exit"
+ "s1execve_enter"
+ "s1execve_exit"
+ "s1compatexecve_enter"
+ "s1compatexecve_exit"
+ "s1_tcp_connect_enter"
+ "s1_tcp_connect_exit"
+ "s1_inet_csk_accept_exit"
+ "s1chmodenter"
+ "s1fchmodatenter"
+ "s1dofchmodatenter"
+ "s1dofchmodatexit"
+ "s1umount_exit"
+ "s1dofilpopen_enter"
+ "s1readdir_enter"
+ "s1dofilpopen_exit"
+ "s1dsoexit"
+ "s1pivotroot_enter"
+ "s1mount_exit"
+ "s1readdir_exit"
+ "s1pivotroot_exit"
+ "s1imafilefree"
+ "s1fchdir_enter"
+ "s1mount_enter"
+ "s1doaddmount_enter"
+ "s1umount_enter"
+ )
+
+ fs_type="$(cat /proc/self/mounts | grep sentitrace | cut -d' ' -f3)"
+ if [ -z "$fs_type" ]; then
+ return
+ elif [ "$fs_type" == "debugfs" ]; then
+ tracefs_path="$tracefs_path/tracing"
+ fi
+
+ for kprobe in ${kprobe_names[@]}; do
+ current_path="$tracefs_path/events/kprobes/$kprobe"
+ if [ ! -d "$current_path" ]; then
+ continue
+ fi
+
+ echo 0 > "$current_path/enable"
+ done
+
+ for kprobe in ${kprobe_names[@]}; do
+ current_path="$tracefs_path/events/kprobes/$kprobe"
+ if [ ! -d "$current_path" ]; then
+ continue
+ fi
+
+ echo "-:$kprobe" > "$tracefs_path/kprobe_events" 2>/dev/null
+ done
+
+}
+
+
+pre_remove(){
+
+ systemctl disable --now sentinelone
+
+ remove_kprobes
+ umount_mountpoint
+ umount_rpm
+ umount_bpffs
+
+ remove_user
+
+}
+post_remove() {
+
+ read_configs "config_file" "${installation_persistent_configuration_post_uninst}"
+
+ rm ${agent_directory} -R
+
+}
+
+
+remove_user() {
+
+ userdel "${user_name}"
+ if [ $(getent group ${group_name}) ]; then
+ groupdel "${group_name}"
+ fi
+
+}
+
+
+umount_mountpoint_impl() {
+ mount_dir="${agent_directory}/$1"
+ umount "${mount_dir}" >/dev/null 2>/dev/null
+}
+
+umount_mountpoint() {
+ umount_mountpoint_impl "mount"
+}
+umount_rpm() {
+ umount_mountpoint_impl "rpm_mount"
+}
+umount_bpffs() {
+ umount_mountpoint_impl "ebpfs/bpf_mount"
+}
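Review bot: `write_configs` persists `S1_AGENT_MANAGEMENT_TOKEN` into `install_config` while the script runs under `umask 0022`, so a newly created file is mode 0644 and the management token is readable by any local user who can traverse the configuration directory (that directory's mode comes from the tarball and is not visible here). Create the file restrictively before appending, e.g. replace `echo "" > ${installation_persistent_configuration}` with `install -m 0600 /dev/null "${installation_persistent_configuration}"`; `fix_root_owner` later hands it to the `sentinelone` user because `install_config` is not in `root_files_folders`. The values passed to `write_config_to_file` are also unquoted, so a value containing whitespace changes the argument count and is silently dropped by the `$# -ne 3` guard; quote them as `"${s1_agent_management_token}"`. Separately, `post_remove` reads `/tmp/install_config` as root, a path in a world-writable directory that nothing in this file writes; the parsed values are unused there, so the call looks removable.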