#!/bin/bash
# SUM (single-user mode) detection script
#© 2016 Patrick M. Womack - Niceville High School - womackp@blacksector.tech
#A special thanks to Jacob Salmela - None of this would have been possible without him.
#----------VARIABLES---------
# Timestamp written into the org plist by logDateInPlist, taken once at
# script start so every record of this boot carries the same value.
currentDate=$(date '+%Y-%m-%d %H:%M:%S')
# Reverse-domain name of the organisation; also the basename of the plist
# under /Library/Preferences that logDateInPlist writes to.
orgName='orgname.org.com'
#----------FUNCTIONS---------
#######################
function mountAndLoad()
{
  # Remount / read-write (mount -uw) so the later plist write and history
  # logging can succeed, then bring up the launchd daemons the rest of the
  # script depends on. Order matters: configd first, then the rest.
  local -r daemon_dir=/System/Library/LaunchDaemons
  /sbin/mount -uw /
  # Networking for SUM
  launchctl load "${daemon_dir}/com.apple.configd.plist"
  # Fixed settle time for configd before the network-dependent daemons load
  sleep 5
  # Daemons the curl notifications in notify() need
  launchctl load -w "${daemon_dir}/com.apple.mDNSResponder.plist"
  launchctl load "${daemon_dir}/com.apple.securityd.plist"
  # syslogd, so that logger(1) messages reach the system log
  launchctl load "${daemon_dir}/com.apple.syslogd.plist"
}
##########################
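function notify
{
  # Sends the two out-of-band alerts (SendGrid e-mail, textbelt SMS).
  # Placeholder values are kept from the original; fill them in per deployment.
  # The api_user/api_key pair is passed on the curl command line and is
  # therefore visible to ps(1) — consider moving it to a curl config file (-K).
  local -r mail_to='example@example.com'
  local -r mail_from='example@example.com'
  local -r server_name='<Server Name>'
  local -r sms_number='<Numbr>'
  local -r sendgrid_user='sendgrid user'
  local -r sendgrid_key='sendgrid'
  # Bounded timeouts: this runs at boot, where the network may not be up, and
  # an unbounded curl would stall everything after it (plist write, alarm).
  local -ra curl_opts=(--silent --show-error --connect-timeout 15 --max-time 60)

  # --data-urlencode encodes the spaces, ':' and '&' in the subject/text
  # fields, which the original raw -d strings did not.
  curl "${curl_opts[@]}" \
    --data-urlencode "to=${mail_to}" \
    --data-urlencode 'toname=Destination' \
    --data-urlencode 'subject=ALERT: SINGLE USER MODE ACCESSED' \
    --data-urlencode "text=Please check the logs on ${server_name} It will tell you the MAC address of the machine, you can then consult documentation to determine the correct Mac, and its location. Please do not reply, this email is unmonitored." \
    --data-urlencode "from=${mail_from}" \
    --data-urlencode "api_user=${sendgrid_user}" \
    --data-urlencode "api_key=${sendgrid_key}" \
    https://api.sendgrid.com/api/mail.send.json

  # The original line was `curl -d -X http://...`, which posted the literal
  # string "-X" as data, and left <Numbr> unquoted so the shell treated the
  # angle brackets as redirections. Fixed form below; endpoint moved to https
  # so the alert text is not sent in the clear.
  curl "${curl_opts[@]}" -X POST \
    --data-urlencode "number=${sms_number}" \
    --data-urlencode 'message=Single User Mode has been accessed, check the logs on <servername>. Please do not reply, this number is unmonitored.' \
    https://textbelt.com/text
}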
##########################
function setPromptCommand()
{
  # Installs a prompt hook: flush history to disk, then send the newest line
  # to syslog tagged SUM-IDS, so every command typed in the SUM shell is
  # logged. ~/.sh_history is the history file bash uses when invoked as sh —
  # confirm this matches the shell single-user mode actually starts.
  # NOTE(review): the assignment only affects the shell running this code, so
  # the script presumably has to be sourced rather than executed for the hook
  # to apply to the interactive session.
  local -r log_tag='SUM-IDS'
  local -r hist_file='~/.sh_history'
  PROMPT_COMMAND="history -a;tail -n1 ${hist_file} | logger -t ${log_tag}"
}
##########################
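function logDateInPlist()
{
  # Records $currentDate under SingleUserModeAccessedOn in the org plist,
  # replacing any earlier value.
  # Globals: orgName, currentDate (read)
  # Returns: 0 if the value was written, 1 if PlistBuddy's Add failed
  local -r plist="/Library/Preferences/${orgName}.plist"
  local -r key=':SingleUserModeAccessedOn'
  local -r pb=/usr/libexec/PlistBuddy
  # PlistBuddy's Add refuses an existing key, so drop the old value first.
  # Print is used as the existence probe, as in the original.
  if "$pb" -c "Print ${key}" "$plist" &>/dev/null; then
    "$pb" -c "Delete ${key}" "$plist" &>/dev/null
  fi
  # The original discarded the Add's output and status entirely; a failure
  # here means the access date was never recorded (possibly because / is still
  # read-only), so say so on stderr instead of staying silent.
  if ! "$pb" -c "Add ${key} string '${currentDate}'" "$plist" &>/dev/null; then
    printf 'SUM-IDS: failed to record access date in %s\n' "$plist" >&2
    return 1
  fi
}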
####################
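function networkalert
{
  # Assigns a fixed IPv4 address to an interface. The original hard-coded
  # en0 and 192.168.1.243 with no explanation; presumably this makes the
  # machine reachable/identifiable on the management network while in SUM.
  # Arguments: $1 - IPv4 address to assign (default: 192.168.1.243)
  #            $2 - interface name (default: en0)
  # Returns:   ifconfig's exit status
  local -r address=${1:-192.168.1.243}
  local -r iface=${2:-en0}
  # As in the original, no netmask is passed.
  ifconfig "$iface" "$address"
}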
####################
function warnUser()
{
  # Clears the screen, prints the warning banner, and plays the alarm file.
  # Outputs: the banner on stdout; audio via afplay
  local -r banner="You Shouldn't be here."
  local -r alarm_file=/.shared/alarm.mp3
  clear
  printf '%s\n' "$banner"
  afplay "$alarm_file"
}
#---------------------------------#
#---------------------------------#
#----------SCRIPT BEGINS----------#
#---------------------------------#
#---------------------------------#
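# TERM=vt100 is the script's indicator that it is running in single-user mode.
# Quoting "${TERM:-}" keeps the test from aborting with "unary operator
# expected" when TERM is unset, which the original unquoted $TERM did.
# Any shell can set TERM, so this is a heuristic rather than a guarantee.
if [[ "${TERM:-}" == "vt100" ]]; then
  mountAndLoad
  notify
  setPromptCommand
  logDateInPlist
  networkalert
  warnUser
fi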