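#!/bin/bash
# =============================================================================
# Monitoring and Logging for Security Scanner VM
# Run this inside the VM as root
#
# Sections 1-3: rsyslog routing for the scanner tools, logrotate and Logwatch.
# Section 4 onwards (disk/OpenVAS monitor scripts, cron, banners) follows.
# =============================================================================
set -euo pipefail

# Everything below writes under /etc and restarts services; refuse to start
# unless root rather than dying half-way through under `set -e`.
if [[ "${EUID}" -ne 0 ]]; then
  echo "[!] This script must be run as root" >&2
  exit 1
fi

echo "============================================"
echo " Monitoring & Logging - Security Scanner VM"
echo "============================================"

# --- 1. Configure rsyslog for centralized logging ---
echo "[+] Configuring rsyslog..."
# Create the target directory *before* rsyslog is restarted so the first
# matching message has somewhere to go. 0750 root:adm keeps scan output
# (target hostnames, findings) readable by root and the adm group only,
# matching the `create 0640 root adm` used by logrotate below.
mkdir -p /var/log/scanner
chown root:adm /var/log/scanner
chmod 0750 /var/log/scanner
# NOTE: these rules do not end with `& stop`, so matching messages are still
# written to the default syslog destinations as well. New files are created
# with rsyslog's own $FileCreateMode; logrotate's `create` only applies from
# the first rotation on - check /etc/rsyslog.conf if that mode matters.
cat > /etc/rsyslog.d/99-scanner.conf << 'EOF'
# Log all scanner-related activity to dedicated file
:programname, startswith, "nmap" /var/log/scanner/nmap.log
:programname, startswith, "nuclei" /var/log/scanner/nuclei.log
:programname, startswith, "nft" /var/log/scanner/firewall.log
# Log auth separately with more detail
auth,authpriv.* /var/log/scanner/auth.log
# Uncomment to forward to remote syslog server
# *.* @@syslog.internal.lan:514
EOF
systemctl restart rsyslog

# --- 2. Log rotation ---
echo "[+] Configuring log rotation..."
cat > /etc/logrotate.d/scanner << 'EOF'
/var/log/scanner/*.log {
  daily
  missingok
  rotate 30
  compress
  delaycompress
  notifempty
  create 0640 root adm
  sharedscripts
  postrotate
    systemctl reload rsyslog > /dev/null 2>&1 || true
  endscript
}
/opt/scans/results/*/*.txt {
  weekly
  missingok
  rotate 12
  compress
  notifempty
}
EOF

# --- 3. Logwatch (daily summary reports) ---
echo "[+] Configuring Logwatch..."
# The conf directory only exists once the logwatch package is installed; the
# original `cat >` would abort the whole script here if it was missing.
if ! command -v logwatch > /dev/null 2>&1; then
  echo "[!] logwatch not installed - config will be written but no reports will be sent" >&2
fi
mkdir -p /etc/logwatch/conf
cat > /etc/logwatch/conf/logwatch.conf << 'EOF'
LogDir = /var/log
MailTo = root
MailFrom = scanner@localhost
Range = yesterday
Detail = Med
Service = All
Format = text
EOF

# --- 4. Disk usage monitoring ---
echo "[+] Setting up disk usage monitoring..."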
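# The scripts directory is normally created by an earlier setup script; make
# sure it exists so the redirection below cannot fail under `set -e`.
mkdir -p /opt/scans/scripts
cat > /opt/scans/scripts/check-disk.sh << 'DISKEOF'
#!/bin/bash
set -euo pipefail
# Alert (via syslog and stdout) if root filesystem usage exceeds THRESHOLD percent.
# DISK_THRESHOLD may be set in the environment to override the default of 85.
THRESHOLD="${DISK_THRESHOLD:-85}"
# -P forces one line per filesystem so the percentage is always field 5, even
# when a long device name would otherwise make df wrap the line.
USAGE=$(df -P / | awk 'NR==2 {print $5}')
USAGE="${USAGE%\%}"
if [[ ! "${USAGE}" =~ ^[0-9]+$ ]]; then
  echo "[!] could not parse df output for /" | logger -t disk-monitor -p user.err
  exit 1
fi
if (( USAGE >= THRESHOLD )); then
  echo "[ALERT] Disk usage at ${USAGE}% on security scanner" | \
    logger -t disk-monitor -p user.warning
  echo "[ALERT] Disk usage at ${USAGE}% - consider cleaning /opt/scans/results/"
fi
DISKEOF
# Root-owned, not readable/writable by others: these run as root from cron.
chmod 0750 /opt/scans/scripts/check-disk.sh

# --- 5. Docker health check ---
cat > /opt/scans/scripts/check-openvas.sh << 'HEALTHEOF'
#!/bin/bash
set -euo pipefail
# Check if the OpenVAS (Greenbone) compose containers are all running and
# bring the stack back up if any is not. Runs from cron every 30 minutes.
COMPOSE_FILE=/opt/greenbone/docker-compose.yml
if [[ ! -f "${COMPOSE_FILE}" ]]; then
  echo "[!] ${COMPOSE_FILE} not found - skipping health check"
  exit 0
fi
# Do not hide a failure of the status query itself: silently reporting
# "nothing unhealthy" while docker is down would defeat the check.
if ! PS_JSON=$(docker compose -f "${COMPOSE_FILE}" ps --format json 2>&1); then
  echo "[ALERT] docker compose ps failed: ${PS_JSON}" | \
    logger -t openvas-health -p user.warning
  exit 0
fi
# Compose releases differ in whether --format json emits a single JSON array
# or one object per line; normalise both shapes before filtering.
if ! UNHEALTHY=$(printf '%s\n' "${PS_JSON}" | \
    jq -r 'if type == "array" then .[] else . end | select(.State != "running") | .Name'); then
  echo "[ALERT] could not parse docker compose ps output" | \
    logger -t openvas-health -p user.warning
  exit 0
fi
if [[ -n "${UNHEALTHY}" ]]; then
  echo "[ALERT] Unhealthy OpenVAS containers: ${UNHEALTHY}" | \
    logger -t openvas-health -p user.warning
  echo "[ALERT] Restarting unhealthy containers..."
  # NOTE: an automatic `up -d` every 30 minutes can mask a container that is
  # crash-looping; the openvas-health syslog tag is where to look for that.
  docker compose -f "${COMPOSE_FILE}" up -d
fi
HEALTHEOF
chmod 0750 /opt/scans/scripts/check-openvas.sh

# --- 6. Cron jobs ---
echo "[+] Setting up monitoring cron jobs..."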
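# Scheduled checks. PATH is set explicitly because cron's default PATH lacks
# /usr/sbin and /usr/local/bin, which docker/jq/logger lookups may need.
cat > /etc/cron.d/scanner-monitoring << 'EOF'
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Disk check every 6 hours
0 */6 * * * root /opt/scans/scripts/check-disk.sh
# OpenVAS health check every 30 minutes
*/30 * * * * root /opt/scans/scripts/check-openvas.sh
# AIDE integrity check daily at 3am
0 3 * * * root /usr/bin/aide --check 2>&1 | logger -t aide-check -p user.info
# Lynis security audit weekly (Sunday 2am)
0 2 * * 0 root /usr/sbin/lynis audit system --quick --no-colors 2>&1 | logger -t lynis-audit -p user.info
# Clean scan results older than 90 days (log to syslog).
# -mindepth 1 is essential: without it -maxdepth 1 still matches /opt/scans/results
# itself, and an idle results directory older than 90 days would be removed whole.
0 4 * * 0 root find /opt/scans/results -mindepth 1 -maxdepth 1 -type d -mtime +90 -print -exec rm -rf -- {} + 2>&1 | logger -t scan-cleanup -p user.info
# Update Nuclei templates weekly
0 5 * * 1 root /usr/local/bin/nuclei -update-templates 2>&1 | logger -t nuclei-update -p user.info
EOF

# --- 7. Login banner ---
echo "[+] Setting login banner..."
# /etc/motd is shown after a successful login.
cat > /etc/motd << 'EOF'
+=====================================================+
|      SECURITY SCANNER - AUTHORIZED ACCESS ONLY      |
|                                                     |
| All activity on this system is logged and audited.  |
| Unauthorized access is prohibited.                  |
+=====================================================+
Tools: nmap | nuclei | httpx | nikto | testssl | OpenVAS
Scans: /opt/scans/scripts/quick-scan.sh
Logs: /var/log/scanner/
OpenVAS: http://localhost:9392
EOF
# /etc/issue.net is shown *before* authentication, but only if sshd's Banner
# directive points at it (see the sshd_config.d drop-in referenced below).
cat > /etc/issue.net << 'EOF'
*************************************************************
* WARNING: This is a restricted system.                     *
* All connections are monitored and recorded.               *
* Disconnect IMMEDIATELY if you are not authorized.         *
*************************************************************
EOF
# Banner is configured in /etc/ssh/sshd_config.d/99-scanner-hardening.conf by 03-ssh-harden.sh
# The service is called ssh on Debian/Ubuntu and sshd elsewhere; try both.
systemctl reload ssh 2>/dev/null || systemctl reload sshd 2>/dev/null || true

echo ""
echo "[+] Monitoring and logging configured."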
# Final summary for the operator; a quoted heredoc keeps the text literal.
cat << 'EOF'

Summary:
 Logs: /var/log/scanner/
 Scan results: /opt/scans/results/
 Cron jobs: /etc/cron.d/scanner-monitoring
 Logwatch: Daily email summary to root
 AIDE: File integrity check daily at 3am
 Lynis: Security audit weekly (Sunday 2am)
EOF