Merge pull request #9 from Jigsaw-Code/install-with-pip

use `pip3 install ...rids@main` in the install script

install.sh

@@ -16,31 +16,53 @@
 
 # Install script for RIDS, the Remote Intrusion Detection System.
 
-# install script
-add-apt-repository --assume-yes ppa:wireshark-dev/stable
+# use the dev/stable version of tshark to get ja3/ja3s signatures
+add-apt-repository ppa:wireshark-dev/stable
 apt --assume-yes update
+
+# install system dependencies
 apt --assume-yes install tshark python3-pip
 
-# download repo with scripts
-git clone https://github.com/Jigsaw-Code/rids
-pushd rids
 
-pip3 install absl-py
+# PIP doesn't like installing as root; check user and switch if needed
+if [[ $EUID -eq 0 ]]; then
+  RIDS_USER="${RIDS_USER:-rids}"
+
+  echo "PIP will not install as root; run as ${RIDS_USER}? (y/n) "
+  read ANSWER
+  ANSWER=$(echo "${ANSWER}" | tr '[:upper:]' '[:lower:]')
+  if [[ $ANSWER == "y" ]]; then
+    # check for existing user
+    if [[ $(id "${RIDS_USER}" >/dev/null; echo $?) -ne 0 ]]; then
+      echo "There is no user called ${RIDS_USER}; create one? (y/n)"
+      read ANSWER
+      ANSWER=$(echo "${ANSWER}" | tr '[:upper:]' '[:lower:]')
+      if [[ $ANSWER == "y" ]]; then
+        sudo useradd -s /bin/bash -m -G adm,sudo,dip,plugdev,www-data $RIDS_USER
+        # system should prompt user for password, otherwise add `chpasswd` call here
+        SUDO_COMMAND="sudo -u ${RIDS_USER}"
+      else
+        echo "cannot install RIDS as root; aborting."
+        exit 1
+      fi
+    fi
 
-# copy wrapper script into a bin/ path
-cp detect.sh /usr/local/sbin
-chmod +x /usr/local/sbin/detect.sh
-cp rids/network_capture.py /usr/local/sbin
-cp rids/rids.py /usr/local/sbin
+    # install RIDS from repo, including its python dependencies
+    ${SUDO_COMMAND} pip3 install --upgrade git+https://github.com/Jigsaw-Code/rids.git@main
 
-# Define sysctl .service config to /etc/systemd and start service
+  else
+    echo "cannot install RIDS as root; specify RIDS_USER env-var for the user to install as."
+    echo "aborting."
+    exit 1
+  fi
+fi
 
-# first, stop the service if it exists and is running
+RIDS_INSTALL_PATH="$(python3 -m pip show rids | grep Location | cut -d" " -f 2)"
+
+# this may be an upgrade, stop the service if it exists and is running
 systemctl stop rids.service >& /dev/null
 
-cp rids.service /etc/systemd/system/
+# Define sysctl .service config for /etc/systemd and start service
+cp "${RIDS_INSTALL_PATH}/rids.service" /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable rids.service --now
-
-# return to previous directory
-popd

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "rids"
-version = "0.1.0"
+version = "0.2.0"
 description = "Remote Intrusion Detection System"
 readme = "README.md"
 requires-python = ">=3.7"
@@ -20,9 +20,12 @@ dependencies = [
 requires = ["setuptools>=42", "wheel"]
 build-backend = "setuptools.build_meta"
 
-[tools.setuptools]
+[tool.setuptools]
 packages = ["rids"]
 
+[tool.setuptools.package-data]
+"*" = ["*.service", "*.json"]
+
 [project.scripts]
 rids = "rids.rids:main"
 

rids.service

@@ -2,9 +2,9 @@
 Description=Remote Intrusion Detection System daemon
 
 [Service]
-User=root
+User=rids
 WorkingDirectory=/usr/local/sbin
-ExecStart="/usr/local/sbin/rids.py --eventlog_path=/var/rids/events.log --config_path=/etc/rids/config.json"
+ExecStart="python3 -m rids --eventlog_path=/var/rids/events.log --config_path=/etc/rids/config.json"
 Restart=always
 
 [Install]

rids/iocs.py

@@ -17,7 +17,7 @@
 
 import collections
 from dataclasses import dataclass
-from types import Set
+from typing import Set
 
 from rids.ioc_formats import allowed_sni_port
 from rids.ioc_formats import bad_ip_list