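#!/usr/bin/env bash
#
# Generate the deploy/vm-scanner/systemd bundle under a target tree.
#
# Files written to <TARGET_ROOT>/deploy/vm-scanner/systemd/:
#   blackshield-vms-scanner.service  systemd unit that delegates to the runner
#   .env.vm-scanner.example          env template, rewritten on every run
#   .env.vm-scanner                  created from the template only when absent,
#                                    mode 0600 because it will hold the API key
#   blackshield-vms-scanner-run      host-side runner executed by the unit
#   install-systemd.sh               copies the files into place, enables the unit
#   README.md
#
# Usage: $0 [TARGET_ROOT]   (default: current directory)
# Env:   BLACKSHIELD_API_URL and BLACKSHIELD_VMS_IMAGE override the template defaults.
set -euo pipefail

readonly BLACKSHIELD_API_URL="${BLACKSHIELD_API_URL:-https://api.blackshield.chaplau.com}"
readonly BLACKSHIELD_VMS_IMAGE="${BLACKSHIELD_VMS_IMAGE:-public.ecr.aws/blackshield-security/vms-scanner:1.0.6}"

#######################################
# Write the systemd unit. It only wraps the runner script, so the unit itself
# carries no configuration.
# Arguments: $1 - bundle directory
#######################################
write_unit_file() {
  local bundle_dir="$1"
  cat > "$bundle_dir/blackshield-vms-scanner.service" <<'EOF'
[Unit]
Description=BlackShield VM Scanner
After=docker.service network-online.target
Requires=docker.service
Wants=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=10
ExecStartPre=-/usr/bin/docker rm -f blackshield-vms-scanner
ExecStart=/usr/local/bin/blackshield-vms-scanner-run
ExecStop=/usr/bin/docker stop blackshield-vms-scanner

[Install]
WantedBy=multi-user.target
EOF
}

#######################################
# Write the env template and, when missing, the live env file.
# The template is the single source of truth; the live file is a copy created
# owner-only (0600) so the API key the operator pastes in is not world-readable.
# Globals:   BLACKSHIELD_VMS_IMAGE, BLACKSHIELD_API_URL (read)
# Arguments: $1 - bundle directory
# Outputs:   one "Wrote"/"Preserved" line for the live env file on stdout
#######################################
write_env_files() {
  local bundle_dir="$1"
  local example="$bundle_dir/.env.vm-scanner.example"
  local env_file="$bundle_dir/.env.vm-scanner"

  # Unquoted delimiter: only the two ${...} references expand; the rest is literal.
  cat > "$example" <<EOF
BLACKSHIELD_VMS_IMAGE=${BLACKSHIELD_VMS_IMAGE}
BLACKSHIELD_API_URL=${BLACKSHIELD_API_URL}
BLACKSHIELD_API_KEY=sp_xxxx
VMS_COLLECTOR_MODE=file
OSSEC_ALERTS_FILE=/var/ossec/logs/alerts/alerts.json
OSSEC_STATE_FILE=/tmp/vms-state/ossec-state.json
VM_ALERTS_DIR=/var/ossec/logs/alerts
VM_STATE_DIR=/var/lib/blackshield/vm-scanner
SCAN_INTERVAL_SECONDS=60
SCAN_ON_STARTUP=true
MIN_SEVERITY=high
LOG_LEVEL=INFO
HEALTH_PORT=8080
EOF

  if [[ -f "$env_file" ]]; then
    # Never clobber an operator-edited file (it may already hold a real key).
    printf 'Preserved existing deploy/vm-scanner/systemd/.env.vm-scanner\n'
  else
    # Subshell umask so the new file is 0600 from creation (no chmod race) and
    # the caller's umask is untouched.
    ( umask 077 && cat -- "$example" > "$env_file" )
    printf 'Wrote deploy/vm-scanner/systemd/.env.vm-scanner\n'
  fi
}

#######################################
# Write the host-side runner that validates the env file and execs docker run.
# Arguments: $1 - bundle directory
#######################################
write_runner() {
  local bundle_dir="$1"
  local runner="$bundle_dir/blackshield-vms-scanner-run"
  cat > "$runner" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail

ENV_FILE="/etc/blackshield/vm-scanner.env"
CONTAINER_NAME="blackshield-vms-scanner"

fail() {
  printf '%s\n' "blackshield-vms-scanner: $*" >&2
  exit 2
}

require_env() {
  local name="$1"
  if [ -z "${!name:-}" ]; then
    fail "missing required ${name} in ${ENV_FILE}"
  fi
}

if [ ! -r "$ENV_FILE" ]; then
  fail "missing readable env file at ${ENV_FILE}; run install-systemd.sh after editing .env.vm-scanner"
fi

# The env file is sourced here for the checks below AND handed to docker via
# --env-file, which does not strip quotes or expand variables. Keep every
# entry a plain, unquoted KEY=value line so both readers see the same value.
set -a
. "$ENV_FILE"
set +a

require_env BLACKSHIELD_API_KEY
require_env BLACKSHIELD_VMS_IMAGE
require_env VM_ALERTS_DIR

if [ "$BLACKSHIELD_API_KEY" = "sp_xxxx" ]; then
  fail "replace the BLACKSHIELD_API_KEY placeholder before starting the service"
fi

if [ ! -d "$VM_ALERTS_DIR" ]; then
  fail "VM_ALERTS_DIR does not exist: ${VM_ALERTS_DIR}"
fi

if [ ! -r "${VM_ALERTS_DIR}/alerts.json" ]; then
  fail "alerts.json is not readable at ${VM_ALERTS_DIR}/alerts.json"
fi

VM_STATE_DIR="${VM_STATE_DIR:-/var/lib/blackshield/vm-scanner}"
HEALTH_PORT="${HEALTH_PORT:-8080}"
mkdir -p "$VM_STATE_DIR"

# The health port is published on every host interface. If only local probes
# need it, prefix the -p value with an address, e.g. "127.0.0.1:${HEALTH_PORT}:8080".
exec /usr/bin/docker run --rm \
  --name "$CONTAINER_NAME" \
  --env-file "$ENV_FILE" \
  -e OSSEC_STATE_FILE=/tmp/vms-state/ossec-state.json \
  -v "${VM_ALERTS_DIR}:/var/ossec/logs/alerts:ro" \
  -v "${VM_STATE_DIR}:/tmp/vms-state" \
  -p "${HEALTH_PORT}:8080" \
  "$BLACKSHIELD_VMS_IMAGE"
EOF
  chmod +x "$runner"
}

#######################################
# Write the installer that copies the bundle into /etc, /usr/local/bin and
# systemd, then enables the unit. It must run as root.
# Arguments: $1 - bundle directory
#######################################
write_installer() {
  local bundle_dir="$1"
  local installer="$bundle_dir/install-systemd.sh"
  cat > "$installer" <<'EOF'
#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "$0")" && pwd)"
ENV_TARGET="/etc/blackshield/vm-scanner.env"
RUNNER_TARGET="/usr/local/bin/blackshield-vms-scanner-run"
UNIT_TARGET="/etc/systemd/system/blackshield-vms-scanner.service"

# Fail early with a clear message instead of a permission error from install(1).
if [ "$(id -u)" -ne 0 ]; then
  printf 'install-systemd.sh must run as root (sudo ./install-systemd.sh)\n' >&2
  exit 2
fi

# The env file carries the API key: owner-only file inside a root-only directory.
install -d -m 750 /etc/blackshield
install -d -m 750 /var/lib/blackshield/vm-scanner
install -d -m 755 "$(dirname "$RUNNER_TARGET")"
install -m 600 "$SCRIPT_DIR/.env.vm-scanner" "$ENV_TARGET"
install -m 755 "$SCRIPT_DIR/blackshield-vms-scanner-run" "$RUNNER_TARGET"
install -m 644 "$SCRIPT_DIR/blackshield-vms-scanner.service" "$UNIT_TARGET"

systemctl daemon-reload
systemctl enable --now blackshield-vms-scanner
systemctl status blackshield-vms-scanner --no-pager
EOF
  chmod +x "$installer"
}

#######################################
# Write the operator README for the bundle.
# Arguments: $1 - bundle directory
#######################################
write_readme() {
  local bundle_dir="$1"
  cat > "$bundle_dir/README.md" <<'EOF'
# VM Scanner systemd Bundle

## Prepare OSSEC or Wazuh

1. Existing Wazuh manager, OSSEC server, or OSSEC local install: confirm JSON alerts are present and readable:

```bash
sudo test -r /var/ossec/logs/alerts/alerts.json
sudo tail -n 3 /var/ossec/logs/alerts/alerts.json
```

2. Fresh single VM: install and configure Wazuh or OSSEC first, enable JSON alert output, then repeat the `alerts.json` check above.
3. Wazuh agent-only endpoints usually do not own the manager-side `alerts.json`; run this bundle on the Wazuh manager / OSSEC server or local install, or use the S3/GCS collector bundle.

## Install BlackShield

1. Open `.env.vm-scanner` and replace `BLACKSHIELD_API_KEY`. If that key was pasted into a terminal transcript, ticket, or chat, revoke it and create a new ingestion key before retesting.
2. Confirm `VM_ALERTS_DIR` points at the host directory that contains `alerts.json`.
3. Install the unit on the host:

```bash
sudo ./install-systemd.sh
```

4. Verify the service:

```bash
sudo systemctl status blackshield-vms-scanner --no-pager
curl http://localhost:8080/health
```

Troubleshoot startup failures:

```bash
sudo journalctl -u blackshield-vms-scanner -n 100 --no-pager
sudo docker logs blackshield-vms-scanner
sudo test -r /var/ossec/logs/alerts/alerts.json
curl http://localhost:8080/health
```

The unit runs the public `vms-scanner` image with `VMS_COLLECTOR_MODE=file`
and restarts automatically after host reboots or Docker restarts. Scanner state
is persisted under `VM_STATE_DIR` so restarts do not reread old alerts.

`.env.vm-scanner` holds the ingestion key. It is generated with mode 0600 and
installed to `/etc/blackshield/vm-scanner.env` with the same mode; keep it out
of version control and do not loosen those permissions.
EOF
}

#######################################
# Entry point: create the bundle directory, write every file, print a summary.
# Arguments: $1 - target root (default ".")
# Outputs:   one line per generated file on stdout
#######################################
main() {
  local target_root="${1:-.}"
  local bundle_dir="$target_root/deploy/vm-scanner/systemd"

  mkdir -p -- "$bundle_dir"
  write_unit_file "$bundle_dir"
  write_env_files "$bundle_dir"
  write_runner "$bundle_dir"
  write_installer "$bundle_dir"
  write_readme "$bundle_dir"

  printf 'Wrote deploy/vm-scanner/systemd/blackshield-vms-scanner.service\n'
  printf 'Wrote deploy/vm-scanner/systemd/.env.vm-scanner.example\n'
  printf 'Wrote deploy/vm-scanner/systemd/blackshield-vms-scanner-run\n'
  printf 'Wrote deploy/vm-scanner/systemd/install-systemd.sh\n'
  printf 'Wrote deploy/vm-scanner/systemd/README.md\n'
}

main "$@"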
