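def install_mail_server(args):
    '''
    Install and configure sendmail as the site mail relay.

    Steps, in order: install sendmail, drop the marker file and open the
    mail-relay iptables chain, apply the network hardening, let clients in
    10.100.x.x relay through this host, stop sendmail from binding to
    loopback only, rebuild sendmail.cf and send a test mail. The
    "Install-mail-relay-server" version record guards against re-runs.

    Security notes:
    - sendmail matches access-map IP keys by prefix, so "Connect:10.100"
      admits every client in 10.100.x.x as a relay source. Once the loopback
      binding is removed this entry plus the iptables chain are the only
      controls keeping the host from being an open relay; do not widen it.
    - After this runs sendmail listens on every interface, not just
      127.0.0.1.
    '''
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Tell iptables that this server is configured as a mail-relay server.
    general.shell_exec("touch /etc/mail/syco_mail_relay_server")
    iptables.add_mail_relay_chain()
    iptables.save()

    hardening.network.configure_resolv_conf()
    hardening.network.configure_localhost()
    hardening.network.restart_network()

    app.print_verbose("Configure /etc/mail/*")

    # Allow all servers on 10.100.x.x (the local network) to relay through
    # this server.
    access_file = "/etc/mail/access"
    set_config_property2(access_file,
                         "Connect:10.100                          RELAY")
    # Rebuild access.db using absolute paths. The original ran
    # "makemap hash access < access" relative to the cwd, and nothing in this
    # function chdir()s to /etc/mail, so it depended on the caller's working
    # directory (failing there, or building the map from a stray ./access).
    x("/usr/sbin/makemap hash %s < %s" % (access_file, access_file))

    # Comment out the loopback-only DAEMON_OPTIONS line so sendmail accepts
    # mail from the intranet/internet instead of only from 127.0.0.1.
    set_config_property(
        "/etc/mail/sendmail.mc",
        r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
        r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

    _rebuild_sendmail_config()

    _test_mail()
    version_obj.mark_executed()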
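def install_mail_server(args):
  '''
  Install sendmail and turn this host into the site mail relay.

  Installs the package, marks the host for the iptables module and opens the
  relay chain, applies network hardening, permits relaying from 10.100.x.x,
  removes sendmail's loopback-only binding, rebuilds sendmail.cf and sends a
  test mail. Guarded by the "Install-mail-relay-server" version record.

  Security notes:
  - The access-map entry "Connect:10.100" is a prefix match: every client in
    10.100.x.x may relay. With the loopback restriction gone, this entry and
    the iptables chain are what keep the host from being an open relay.
  - sendmail listens on all interfaces once this has run.
  '''
  app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
  version_obj.check_executed()

  general.shell_exec("yum -y install sendmail")

  # Marker file for the iptables module, then open the mail-relay chain.
  general.shell_exec("touch /etc/mail/syco_mail_relay_server")
  iptables.add_mail_relay_chain()
  iptables.save()

  hardening.network.configure_resolv_conf()
  hardening.network.configure_localhost()
  hardening.network.restart_network()

  app.print_verbose("Configure /etc/mail/*")

  # Relaying is allowed for the 10.100.x.x network only.
  mail_dir = "/etc/mail"
  set_config_property2(mail_dir + "/access", "Connect:10.100                          RELAY")
  # Absolute paths: nothing in this function chdir()s to /etc/mail, so the
  # previous "makemap hash access < access" silently depended on the
  # caller's cwd.
  x("/usr/sbin/makemap hash %s/access < %s/access" % (mail_dir, mail_dir))

  # Disable the loopback-only DAEMON_OPTIONS so mail is accepted from the
  # intranet/internet and not just from 127.0.0.1.
  set_config_property(
    mail_dir + "/sendmail.mc",
    r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
    r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

  _rebuild_sendmail_config()

  _test_mail()
  version_obj.mark_executed()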
def build_client_certs(args):
    '''
    Build an OpenVPN client bundle for every account under /home that does
    not have one yet.

    For each user: set KEY_CN/KEY_NAME in the easy-rsa vars file, run
    build-key-pkcs12 in batch mode, point client.conf at the user's cert and
    key, and zip ca.crt, <user>.crt, <user>.key, <user>.p12, client.conf,
    install.txt and /etc/openvpn/ta.key into
    /home/<user>/openvpn_client_keys.zip. The function also (re)registers
    itself as an hourly cron job.

    Security notes (review):
    - The zip contains the user's private key and the shared TLS-auth key
      (ta.key) but is chmod'ed S_IRUSR|S_IRGRP and chown'ed <user>:users, so
      every member of group "users" can read every other user's VPN
      credentials. Drop S_IRGRP (mode 0400) unless group access is intended.
    - "zip" creates the archive before the chmod runs, so it briefly exists
      with the creator's umask permissions in the user's home directory.
    - Names from /home are interpolated unquoted into shell commands. /home
      is root-controlled, but a directory name containing spaces or shell
      metacharacters would break or redirect these commands.
    - The export-password values in the `events` dict are redacted in this
      listing ("******"); the line as shown is not valid Python.
    '''
    install.package("zip")
    os.chdir("/etc/openvpn/easy-rsa/keys")
    # Re-run hourly via cron so newly created accounts get a bundle.
    # NOTE(review): "/etc/cronjob" is an unusual location for a crontab
    # entry - confirm this is the file the host's cron actually reads.
    general.set_config_property(
        "/etc/cronjob", "01 * * * * root run-parts syco build_client_certs",
        "01 * * * * root run-parts syco build_client_certs")

    # Create client.conf from the syco template with the VPN hostname filled in.
    clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
    scOpen(clientConf).replace('${OPENVPN.HOSTNAME}',
                               config.general.get_openvpn_hostname())

    x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

    # Only lost+found is skipped: every other directory under /home
    # (service accounts, leftovers) gets a VPN certificate too.
    for user in os.listdir("/home"):
        cert_already_installed = os.access(
            "/home/" + user + "/openvpn_client_keys.zip", os.F_OK)
        valid_file = "lost+found" not in user
        if valid_file and not cert_already_installed:
            os.chdir("/etc/openvpn/easy-rsa/")
            # The certificate CN and name are the account name.
            general.set_config_property("/etc/openvpn/easy-rsa/vars",
                                        '[\s]*export KEY_CN.*',
                                        'export KEY_CN="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/vars",
                                        '[\s]*export KEY_NAME.*',
                                        'export KEY_NAME="' + user + '"')

            # Make build-key-pkcs12 source ./vars itself so KEY_CN/KEY_NAME
            # above are picked up in batch mode.
            general.set_config_property(
                "/etc/openvpn/easy-rsa/build-key-pkcs12",
                '.*export EASY_RSA.*',
                'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')

            # Answers the PKCS#12 export-password prompts non-interactively.
            # NOTE: the password values were redacted in this listing.
            out = general.shell_exec(
                "./build-key-pkcs12 --batch " + user,
                cwd="/etc/openvpn/easy-rsa/",
                events={
                    '(?i)Enter Export Password:'******'\n',
                    '(?i)Verifying - Enter Export Password:'******'\n'
                })
            app.print_verbose(out)

            # Config client.crt: point the shared client.conf at this user's
            # cert and key before it is zipped.
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt",
                "cert " + user + ".crt")
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key",
                "key " + user + ".key")

            os.chdir("/etc/openvpn/easy-rsa/keys")
            # Bundle includes the user's private key and the shared ta.key.
            x("zip /home/" + user + "/openvpn_client_keys.zip ca.crt " + user +
              ".crt " + user + ".key " + user +
              ".p12 client.conf install.txt /etc/openvpn/ta.key")
            # Set permission for the user who now owns the file.
            # NOTE(review): S_IRGRP + group "users" makes the private key
            # readable by every member of that group - consider S_IRUSR only.
            os.chmod("/home/" + user + "/openvpn_client_keys.zip",
                     stat.S_IRUSR | stat.S_IRGRP)
            general.shell_exec("chown " + user + ":users /home/" + user +
                               "/openvpn_client_keys.zip ")
def uninstall_ca(args):
    '''
    Remove the CA and every certificate it issued.

    NOTE(review): the bare `return` below disables this command - everything
    after it is dead code and never runs. The disabled path is also far
    broader than the CA it checks for: it tests /etc/ssl/ca/private/ca.key
    but removes all of /etc/ssl/, not just the /etc/ssl/ca subtree. If this
    is ever re-enabled, scope the removal to the CA directory. The dead code
    references `script_version` (lower case) where the rest of this file
    uses SCRIPT_VERSION - confirm that name exists before re-enabling.
    '''
    return
    app.print_verbose("Uninstall CA")

    # Dead code (see docstring): only runs if the guard above is removed.
    if (os.path.exists('/etc/ssl/ca/private/ca.key')):
        general.shell_exec("rm -rf /etc/ssl/")

    version_obj = version.Version("InstallCa", script_version)
    version_obj.mark_uninstalled()
def uninstall_ca(args):
  '''
  Remove the CA and all certificates issued by it.

  NOTE(review): disabled - the bare `return` makes everything below
  unreachable. The disabled removal is wider than the CA it checks for
  (it tests /etc/ssl/ca/private/ca.key but deletes all of /etc/ssl/); if
  re-enabled, restrict it to the CA directory. It also uses
  `script_version` while sibling functions use SCRIPT_VERSION - verify the
  name exists before re-enabling.
  '''
  return
  app.print_verbose("Uninstall CA")

  # Unreachable until the guard above is removed.
  if (os.path.exists('/etc/ssl/ca/private/ca.key')):
    general.shell_exec("rm -rf /etc/ssl/")

  version_obj = version.Version("InstallCa", script_version)
  version_obj.mark_uninstalled()
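def uninstall_mail(args):
    '''
    Uninstall the mail relay: wipe /etc/mail and put stock sendmail back.

    Removing /etc/mail also deletes the syco_mail_relay_server marker and
    the relay access map written by install_mail_server; "yum reinstall"
    then puts the packaged default sendmail files back.

    Caveats:
    - The mail-relay iptables chain opened by install_mail_server is NOT
      closed here (the del/save calls are disabled below), so the SMTP
      firewall rules stay in place until removed by hand.
    - sendmail is neither stopped nor restarted here, so a running daemon
      is not affected by the configuration removal.
    '''
    #iptables.del_mail_chain()
    #iptables.save()

    general.shell_exec("rm -rf /etc/mail")
    general.shell_exec("yum -y reinstall sendmail")

    # Must use the same key as install_mail_server
    # ("Install-mail-relay-server"). The original wrote "Install-mail-relay",
    # which is a different record, so the install marker was presumably
    # never cleared and check_executed() would still see it on re-install.
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.mark_uninstalled()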
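def uninstall_mail(args):
  '''
  Uninstall the mail relay.

  Deletes /etc/mail (including the syco_mail_relay_server marker and the
  relay access map from install_mail_server) and reinstalls sendmail so the
  packaged default configuration comes back.

  Caveats:
  - The iptables mail-relay chain added by install_mail_server is not
    removed (the calls are disabled below); close it manually.
  - The sendmail daemon is not stopped or restarted by this function.
  '''
  #iptables.del_mail_chain()
  #iptables.save()

  general.shell_exec("rm -rf /etc/mail")
  general.shell_exec("yum -y reinstall sendmail")

  # Same record key as install_mail_server ("Install-mail-relay-server").
  # The original used "Install-mail-relay", so the install record was
  # presumably never cleared and a re-install would be blocked by
  # check_executed().
  version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
  version_obj.mark_uninstalled()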
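def _node_version_or_raise(args):
	"""
	Return the node.js version string from argv, or raise with usage.

	Only dotted groups of decimal digits are accepted (e.g. "0.12.2"). The
	value is interpolated into a download URL and into shell commands that
	run as root, so anything else (shell metacharacters, path components,
	empty groups, a leading "v") is rejected before it reaches the shell.
	"""
	if len(args) != 2:
		raise Exception("syco install-nodejs 0.12.2 (or other version)")
	version = args[1]
	groups = version.split(".")
	if not all(group.isdigit() for group in groups):
		raise Exception("Invalid node.js version %r, expected e.g. 0.12.2" % (version,))
	return version


def install_nodejs(args):
	"""
	Download, build and install node.js <version> from source into /usr/node.

	args[1] is the version, e.g. "0.12.2". /usr/node is wiped first.

	Supply-chain notes:
	- The tarball is fetched over https (the original used plain http, so a
	  network attacker could substitute the source that is then built and
	  installed as root). It is still not integrity-checked; compare it
	  against the release's published checksums before trusting the build.
	- The source directory is addressed by its exact name instead of the
	  "node-v*" glob, which matched both the tarball and the directory.
	"""
	version = _node_version_or_raise(args)
	src_dir = 'node-v' + version
	x('rm -rf /usr/node')
	x('mkdir /usr/node')
	os.chdir('/usr/node')
	# Use general.shell_exec since x(wget) gives an error for each progress output.
	general.shell_exec('wget https://nodejs.org/dist/v{0}/{1}.tar.gz'.format(version, src_dir))
	x('tar xzvf {0}.tar.gz'.format(src_dir))
	x('yum install gcc gcc-c++ -y')
	x('cd {0} && ./configure'.format(src_dir))
	x('cd {0} && make'.format(src_dir))
	x('cd {0} && make install'.format(src_dir))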
def uninstall_ntp(args):
  '''
  Uninstall NTP.

  Stops ntpd if a configuration file exists, removes the ntp package,
  closes the NTP iptables chain and clears the "InstallNTP" version record.
  '''
  ntp_configured = os.access("/etc/ntp.conf", os.F_OK)
  if ntp_configured:
    general.shell_exec("service ntpd stop")
  general.shell_exec("yum -y remove ntp ")

  # Close the ports opened by install_ntp.
  iptables.del_ntp_chain()
  iptables.save()

  version.Version("InstallNTP", SCRIPT_VERSION).mark_uninstalled()
def uninstall_ntp(args):
    '''
    Uninstall NTP.

    Stops the daemon when /etc/ntp.conf exists, removes the package, closes
    the NTP firewall chain and marks "InstallNTP" as uninstalled.
    '''
    commands = []
    if os.access("/etc/ntp.conf", os.F_OK):
        commands.append("service ntpd stop")
    commands.append("yum -y remove ntp ")
    for command in commands:
        general.shell_exec(command)

    # Undo the firewall rules added by install_ntp.
    iptables.del_ntp_chain()
    iptables.save()

    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
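def _vir_server_name(args):
  '''
  Return the virtual server name from the command line, validated.

  The name is spliced unquoted into root shell commands (virsh destroy,
  virsh undefine, lvremove -f /dev/VolGroup00/<name>) and into a log file
  path, so it is restricted to letters, digits, '-', '_' and '.'. It must
  not start with '-' (would be parsed as an option by virsh/lvremove) or
  '.' (no hidden or relative components such as '..'). Raises Exception
  when no name is given or the name is rejected.
  '''
  if len(args) < 2 or not args[1]:
    raise Exception("Missing virtual server name argument.")
  name = args[1]
  if (name[0] in "-." or
      not all(ch.isalnum() or ch in "-_." for ch in name)):
    raise Exception("Invalid virtual server name: %r" % (name,))
  return name


def vir_rm(args):
  '''
  Remove the virtual server named in args[1] from this KVM host.

  Destroys and undefines the libvirt domain, deletes its qemu log, force
  removes the logical volume /dev/VolGroup00/<name> (the disk data is gone
  for good), restarts libvirtd and refreshes the locate database.
  '''
  # TODO: Check if this is a KVM host
  server_name = _vir_server_name(args)
  app.print_verbose("Remove virtual server %s." % server_name)

  app.print_verbose("Destory the kvm instance")
  general.shell_exec("virsh destroy " + server_name)
  general.shell_exec("virsh undefine " + server_name)

  general.remove_file("/var/log/libvirt/qemu/" + server_name + ".log")

  # Forced removal, no confirmation: the guest's disk is irrecoverable.
  general.shell_exec("lvremove -f /dev/VolGroup00/" + server_name)

  app.print_verbose("Restart libvirtd")
  general.shell_exec("/etc/init.d/libvirtd restart")
  general.shell_exec("updatedb")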
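def _vir_server_name(args):
  '''
  Validate and return the virtual server name given in args[1].

  Because the name ends up unquoted in root shell commands (virsh,
  lvremove -f under /dev/VolGroup00/) and in a log path, only letters,
  digits, '-', '_' and '.' are allowed, and the name may not begin with
  '-' (looks like an option) or '.' (hidden/relative components like '..').
  Raises Exception for a missing or rejected name.
  '''
  if len(args) < 2 or not args[1]:
    raise Exception("Missing virtual server name argument.")
  name = args[1]
  allowed = all(ch.isalnum() or ch in "-_." for ch in name)
  if not allowed or name[0] in "-.":
    raise Exception("Invalid virtual server name: %r" % (name,))
  return name


def vir_rm(args):
  '''
  Remove the KVM guest named in args[1] from this host.

  Destroys and undefines the domain, removes its qemu log file and its
  logical volume /dev/VolGroup00/<name> (forced; data cannot be recovered),
  then restarts libvirtd and runs updatedb.
  '''
  # TODO: Check if this is a KVM host
  server_name = _vir_server_name(args)
  app.print_verbose("Remove virtual server %s." % server_name)

  app.print_verbose("Destory the kvm instance")
  general.shell_exec("virsh destroy " + server_name)
  general.shell_exec("virsh undefine " + server_name)

  general.remove_file("/var/log/libvirt/qemu/" + server_name + ".log")

  # -f skips confirmation; the volume and its contents are gone for good.
  general.shell_exec("lvremove -f /dev/VolGroup00/" + server_name)

  app.print_verbose("Restart libvirtd")
  general.shell_exec("/etc/init.d/libvirtd restart")
  general.shell_exec("updatedb")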
def uninstall_dhcp(args):
    '''
    Uninstall the DHCP server.

    Stops dhcpd, disables it at boot, deletes dhcpd.conf, clears DHCPDARGS
    in /etc/sysconfig/dhcpd, erases the package and clears the
    "InstallDHCPServer" version record.
    '''
    for command in ("service dhcpd stop",
                    "/sbin/chkconfig dhcpd off",
                    "rm /etc/dhcp/dhcpd.conf"):
        general.shell_exec(command)
    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*", "DHCPDARGS=")
    general.shell_exec("yum -y erase dhcp")

    version.Version("InstallDHCPServer", SCRIPT_VERSION).mark_uninstalled()
def uninstall_dhcp(args):
    '''
    Remove the DHCP server installed by install_dhcp.

    Service stop, chkconfig off, config file removal, DHCPDARGS reset,
    package erase, then the version record is marked uninstalled.
    '''
    sysconfig = "/etc/sysconfig/dhcpd"
    general.shell_exec("service dhcpd stop")
    general.shell_exec("/sbin/chkconfig dhcpd off")
    general.shell_exec("rm /etc/dhcp/dhcpd.conf")
    # Blank the interface argument set by install_dhcp.
    general.set_config_property(sysconfig, ".*DHCPDARGS.*", "DHCPDARGS=")
    general.shell_exec("yum -y erase dhcp")

    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
    def rsync(self, from_path, to_path, extra=""):
        '''
        Rsync copy data from localhost to remote server.

        rsync("/tmp/foobar", "/tmp/bar")

        Runs "rsync --delete -az" over ssh using this object's options, port
        and private key; `extra` is appended verbatim to the rsync command
        line. Note --delete: files under to_path on the remote that are not
        in from_path are removed. Paths and `extra` are spliced into the
        shell command unquoted, so paths with spaces or shell metacharacters
        are not safe here.
        '''
        self.install_ssh_key()

        # Make sure rsync exists on the remote side. `rpm -q` prints
        # "package rsync is not installed" when missing, which is what the
        # "*installed" glob matches; an installed package prints its NEVRA
        # and the yum call is skipped.
        self.ssh_exec('[[ "$(rpm -q rsync)" == *installed ]] && ( yum -y install rsync; exit 0)')

        ssh_command = ("ssh " + self.ssh_options + " -p" + self.port +
                       " -i " + self.ssh_private_key_file)
        destination = self.user + "@" + self.server + ":" + to_path
        general.shell_exec(
            'rsync --delete -az -e "' + ssh_command + '" ' +
            extra + " " + from_path + " " + destination
        )
    def rsync(self, from_path, to_path, extra=""):
        '''
        Rsync copy data from localhost to remote server.

        rsync("/tmp/foobar", "/tmp/bar")

        Installs the ssh key, makes sure rsync is present remotely, then runs
        "rsync --delete -az" through ssh with this object's options, port and
        private key. `extra` is inserted verbatim before the paths. Because
        --delete is used, remote files missing from from_path are removed.
        Arguments are not shell-quoted.
        '''
        self.install_ssh_key()

        # Remote install rsync. The "*installed" glob matches the
        # "package rsync is not installed" message, i.e. the yum call runs
        # only when rsync is absent.
        self.ssh_exec(
            '[[ "$(rpm -q rsync)" == *installed ]] && ( yum -y install rsync; exit 0)'
        )

        transport = 'ssh ' + self.ssh_options + " -p" + self.port + " -i " + self.ssh_private_key_file
        target = self.user + "@" + self.server + ":" + to_path
        command = 'rsync --delete -az -e "' + transport + '" ' + extra + " " + from_path + " " + target
        general.shell_exec(command)
def atomic_repo():
    """
    Set up the ATOMIC yum repository (used for openvas, ossec etc.).

    Raises Exception when /etc/yum.repos.d/atomic.repo does not exist after
    the installer has run.

    SECURITY NOTE: this fetches a script over plain http and pipes it
    straight into a root shell. There is no TLS and no signature or checksum
    verification, so anyone on the network path can run arbitrary commands
    on this host. Pin and verify the installer (or ship the .repo file and
    GPG key yourself) before relying on this in production.
    """
    # Imported here so install.py can be imported before app and general exist.
    import app
    import general

    installer_url = "http://www.atomicorp.com/installers/atomic"
    app.print_verbose("Adding atomic repo for yum.")
    # The installer prompts "[Default: yes]"; answer with a bare newline.
    general.shell_exec("wget -q -O - " + installer_url + " | sh",
                       events={r'(?i)\[Default: yes\]': '\n'})

    repo_file = "/etc/yum.repos.d/atomic.repo"
    if not os.access(repo_file, os.F_OK):
        raise Exception("You need to install the atomic repo first.")
def atomic_repo():
    """
    Setup ATOMIC repository.

    Used for openvas, ossec etc. Raises Exception if the repo file is not
    present afterwards.

    SECURITY NOTE: "wget ... | sh" over plain http executes an unverified
    remote script as root - no TLS, no signature, no checksum. A network
    attacker can replace it with anything. Verify the installer out of band
    (or install the .repo file and GPG key directly) before using this.
    """
    # Must be imported in the function, because install.py should be possible
    # to import before app and general.
    import app
    import general

    app.print_verbose("Adding atomic repo for yum.")
    prompt_answers = {"(?i)\[Default: yes\]": "\n"}
    general.shell_exec(
        "wget -q -O - http://www.atomicorp.com/installers/atomic | sh",
        events=prompt_answers,
    )

    repo_present = os.access("/etc/yum.repos.d/atomic.repo", os.F_OK)
    if not repo_present:
        raise Exception("You need to install the atomic repo first.")
def build_client_certs(args):
  '''
  Build an OpenVPN client bundle for every account under /home that has
  none yet.

  Per user: set KEY_CN/KEY_NAME in the easy-rsa vars, run build-key-pkcs12
  in batch mode, point client.conf at the user's cert/key and zip ca.crt,
  <user>.crt, <user>.key, <user>.p12, client.conf and install.txt into
  /home/<user>/openvpn_client_keys.zip. client.conf gets "auth-user-pass"
  appended, so clients also need a username/password. The function
  re-registers itself as an hourly cron job.

  Security notes (review):
  - The zip holds the user's private key but is chmod'ed S_IRUSR|S_IRGRP
    and chown'ed <user>:users, so every member of group "users" can read
    every other user's VPN key. Drop S_IRGRP (mode 0400) unless that is
    intended.
  - "zip" creates the file before the chmod, so it briefly exists with the
    creator's umask permissions.
  - Names from /home go unquoted into shell commands; /home is
    root-controlled, but odd directory names would still break them.
  - The export-password values in `events` are redacted in this listing
    ("******"); the line as shown is not valid Python.
  '''
  install.package("zip")
  os.chdir("/etc/openvpn/easy-rsa/keys")
  # Hourly cron entry so new accounts get a bundle.
  # NOTE(review): "/etc/cronjob" is an unusual crontab location - confirm
  # cron actually reads it.
  general.set_config_property("/etc/cronjob", "01 * * * * root run-parts syco build_client_certs", "01 * * * * root run-parts syco build_client_certs")

  # Create client.conf from the template, require user/password auth and
  # fill in the VPN hostname.
  clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
  x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
  x("echo auth-user-pass >> %s" % clientConf)
  scOpen(clientConf).replace('${OPENVPN.HOSTNAME}',  config.general.get_openvpn_hostname())

  x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

  # Only lost+found is skipped; every other directory in /home gets a cert.
  for user in os.listdir("/home"):
    cert_already_installed=os.access("/home/" + user +"/openvpn_client_keys.zip", os.F_OK)
    valid_file="lost+found" not in user
    if valid_file and not cert_already_installed:
      os.chdir("/etc/openvpn/easy-rsa/")
      # Certificate CN and name are the account name.
      general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_CN.*',    'export KEY_CN="' + user + '"')
      general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_NAME.*',  'export KEY_NAME="' + user + '"')

      # Make build-key-pkcs12 source ./vars so the values above apply in batch mode.
      general.set_config_property("/etc/openvpn/easy-rsa/build-key-pkcs12", '.*export EASY_RSA.*', 'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')

      # Answers the PKCS#12 export-password prompts; the password values
      # were redacted in this listing.
      out = general.shell_exec("./build-key-pkcs12 --batch " + user,
        cwd="/etc/openvpn/easy-rsa/",
        events={'(?i)Enter Export Password:'******'\n', '(?i)Verifying - Enter Export Password:'******'\n'}
      )
      app.print_verbose(out)

      # Config client.crt: point the shared client.conf at this user's files.
      general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt", "cert " + user + ".crt")
      general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key", "key " + user + ".key")
      # NOTE(review): the hostname was already substituted by scOpen above;
      # if set_config_property treats its second argument as a regex (as the
      # other calls here suggest), "${OPENVPN.HOSTNAME}" can never match
      # because "$" is an end anchor, so this call is presumably a no-op.
      general.set_config_property(
        "/etc/openvpn/easy-rsa/keys/client.conf", "${OPENVPN.HOSTNAME}",
        config.general.get_openvpn_hostname()
      )
      
      os.chdir("/etc/openvpn/easy-rsa/keys")
      # Bundle contains the user's private key.
      x("zip /home/" + user +"/openvpn_client_keys.zip ca.crt " + user + ".crt " + user + ".key " + user + ".p12 client.conf install.txt")
      # Set permission for the user who now owns the file.
      # NOTE(review): S_IRGRP with group "users" exposes the key to every
      # member of that group - consider S_IRUSR only.
      os.chmod("/home/" + user +"/openvpn_client_keys.zip", stat.S_IRUSR | stat.S_IRGRP)
      general.shell_exec("chown " + user + ":users /home/" + user +"/openvpn_client_keys.zip ")
def uninstall_openvas(args):
  '''
  Uninstall OpenVAS (manager, scanner and the gsad web UI).

  Stops the three services when the manager init script exists, removes the
  openvas-* packages and /var/lib/openvas, closes the OpenVAS firewall chain
  and switches SELinux back to enforcing - immediately via /selinux/enforce
  and persistently in /etc/selinux/config (presumably the install relaxed
  it). The atomic yum repo file is left in place.
  '''
  if os.access("/etc/init.d/openvas-manager", os.F_OK):
    for service in ("openvas-manager", "openvas-scanner", "gsad"):
      general.shell_exec("/etc/init.d/%s stop" % service)

  x("yum -y remove openvas-*")
  x("rm -rf /var/lib/openvas")
  # Note: /etc/yum.repos.d/atomic.repo is not removed here.
  iptables.del_openvas_chain()
  iptables.save()

  app.print_verbose("Enabling SELINUX")
  x("echo 1 > /selinux/enforce")
  scOpen("/etc/selinux/config").replace("^SELINUX=.*","SELINUX=enforcing")

  version.Version("InstallOpenVAS", SCRIPT_VERSION).mark_uninstalled()
def install_ntp(ntp_server_ip = False):
  '''
  Install and configure the ntp-server on the local host.

  With ntp_server_ip given, the host becomes a client that syncs only from
  that internal server and ignores all other NTP traffic; without it the
  host is configured as the site NTP server syncing against external
  sources plus the configured slave. Guarded by the "InstallNTP" record.

  SECURITY NOTE: client mode sets "tinker panic 0", which disables ntpd's
  1024-second panic threshold so a clock step of any size from the internal
  server is accepted. Time underpins certificate validity, Kerberos and log
  correlation, so a compromised or misconfigured internal NTP server can
  move this host's clock arbitrarily. Keep the restrict lines and the NTP
  iptables chain tight.
  '''
  app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
  version_obj.check_executed()

  # Install the NTP packages (skipped when a config file already exists).
  if not os.access("/etc/ntp.conf", os.F_OK):
    general.shell_exec("yum -y install ntp")

  general.shell_exec("/sbin/chkconfig ntpd on")

  iptables.add_ntp_chain()
  iptables.save()

  # (pattern, replacement) pairs applied to /etc/ntp.conf in this order.
  # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
  if ntp_server_ip:
    app.print_verbose("Configure /etc/ntp.conf as a client")
    # Allow access to/from the ntp-server; restrict needs the IP address.
    restrict_server = "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery"
    edits = [
      # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
      ("restrict default.*", "restrict default ignore"),
      ("restrict -6 default.*", "restrict -6 default ignore"),
      # Use only the internal NTP server.
      ("server 0.*ntp.org", "server " + ntp_server_ip + " burst"),
      (".*server 1.*ntp.org", "#server 1.se.pool.ntp.org"),
      (".*server 2.*ntp.org", "#server 2.se.pool.ntp.org"),
      (".*server 3.*ntp.org", "#server 3.se.pool.ntp.org"),
      (restrict_server, restrict_server),
      # Don't use the local clock as a fudge server.
      (".*server.*127.127.1.0.*", "#server 127.127.1.0"),
      (".*fudge.*127.127.1.0.*", "#fudge  127.127.1.0 stratum 10"),
      # Disable the panic sanity check (see the security note above).
      (".*tinker panic.*", "tinker panic 0"),
    ]
  else:
    app.print_verbose("Configure /etc/ntp.conf as a server")
    edits = [
      ("server 0.*ntp.org", "server ntp3.sptime.se"),
      ("server 1.*ntp.org", "server ntp4.sptime.se"),
      ("server 2.*ntp.org", "server ntp1.sth.netnod.se"),
      ("server 3.*ntp.org", "server " + config.general.get_slave_ntp_server()),
    ]

  for pattern, replacement in edits:
    general.set_config_property("/etc/ntp.conf", pattern, replacement)

  general.shell_exec("service ntpd start")

  version_obj.mark_executed()
def install_local(args):
    '''
    Run all commands on the localhost.

    Executes, in order, every command install.cfg defines for the host
    named in args[1] (default: this machine's hostname). Prints an error
    when the host has no commands.

    Security note: each command string comes from install.cfg and is run
    through a shell by the current (root) user, so that file is effectively
    executable code and must be protected like one.
    '''
    # Collect every password up front so the rest of the run is headless.
    app.init_all_passwords()

    hostname = args[1] if len(args) > 1 else ""
    if hostname == "":
        hostname = socket.gethostname()
    app.print_verbose("Install all commands defined in install.cfg for host " + hostname + ".")

    commands = config.host(hostname).get_commands(app.options.verbose >= 2)
    if not commands:
        app.print_error("No commands for this host.")
        return
    for command in commands:
        general.shell_exec(command)
def install_local(args):
  '''
  Run all commands on the localhost.

  Takes the host name from args[1], falling back to socket.gethostname(),
  and runs the commands install.cfg lists for that host one after another.
  Reports an error if there are none.

  Security note: the command strings are read from install.cfg and executed
  through a shell as the invoking (root) user - treat that file as code.
  '''
  # Ask the user for all passwords that might be used in the remote install
  # so the installation can go on headless.
  app.init_all_passwords()

  hostname = ""
  if len(args) > 1:
    hostname = args[1]
  if hostname == "":
    hostname = socket.gethostname()
  app.print_verbose("Install all commands defined in install.cfg for host " + hostname + ".")

  host_config = config.host(hostname)
  commands = host_config.get_commands(app.options.verbose >= 2)
  if len(commands) == 0:
    app.print_error("No commands for this host.")
  else:
    for command in commands:
      general.shell_exec(command)
def install_dhcp(args):
    """
    Install and start a DHCP server on the current host.

    The template var/dhcp/dhcp3.conf is copied over /etc/dhcp/dhcpd.conf
    (overwriting whatever is there) with ${IP} replaced by the class-C
    prefix of this host's LAN address; DHCPDARGS in /etc/sysconfig/dhcpd is
    set to the back interface name. Guarded by the "InstallDHCPServer"
    version record.
    """
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install dhcp")
    general.shell_exec("/sbin/chkconfig dhcpd on")

    dhcpd_conf = "/etc/dhcp/dhcpd.conf"
    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp3.conf", dhcpd_conf)
    lan_prefix = net.get_ip_class_c(net.get_lan_ip())
    general.set_config_property(dhcpd_conf, r"\$\{IP\}", lan_prefix)
    # Pass the back-end interface to dhcpd.
    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*",
                                "DHCPDARGS=%s" % get_back_interface())
    general.shell_exec("service dhcpd restart")

    version_obj.mark_executed()
def install_dhcp(args):
    '''
    Install a dhcp server on the current server.

    Installs and enables dhcpd, writes /etc/dhcp/dhcpd.conf from the syco
    template (replacing the whole file) with ${IP} set to the LAN class-C
    prefix, points DHCPDARGS at the back interface and restarts the service.
    Re-runs are blocked by the "InstallDHCPServer" version record.
    '''
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.check_executed()

    for command in ("yum -y install dhcp", "/sbin/chkconfig dhcpd on"):
        general.shell_exec(command)

    template = app.SYCO_PATH + "/var/dhcp/dhcp3.conf"
    shutil.copyfile(template, "/etc/dhcp/dhcpd.conf")
    general.set_config_property("/etc/dhcp/dhcpd.conf", r"\$\{IP\}",
                                net.get_ip_class_c(net.get_lan_ip()))
    interface_args = "DHCPDARGS=%s" % get_back_interface()
    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*", interface_args)
    general.shell_exec("service dhcpd restart")

    version_obj.mark_executed()
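def _munin_allow_line(monitor_ip):
    '''
    Build the munin-node.conf "allow" line for one IPv4 monitor address.

    The allow directive is a regular expression, so the dots are escaped
    (an unescaped "." would match any character). Raises Exception unless
    monitor_ip is four dotted decimal groups - the original indexed the
    octets blindly and died with an IndexError on anything else.

    NOTE(review): the resulting pattern is unanchored, exactly as before;
    munin's own examples use "^...$". Consider anchoring it.
    '''
    octets = monitor_ip.split(".")
    if len(octets) != 4 or not all(octet.isdigit() for octet in octets):
        raise Exception("Monitor server must be an IPv4 address, got %r" % (monitor_ip,))
    return "allow " + r"\.".join(octets)


def install_monitor(args):
    '''
    Monitor installation.

    Installs nagios-plugins-all, nrpe and munin-node, configures both agents
    to accept connections only from the monitor server named in the syco
    config, installs the fareoffice NRPE command file, opens the monitor
    firewall chain (4949 munin, 5666 nrpe) and restarts the agents.

    Security notes:
    - dont_blame_nrpe=1 lets the monitor server pass arguments to NRPE
      commands. If the monitor host is compromised this is a remote
      command-argument injection path, so allowed_hosts and the iptables
      chain are the controls that matter; keep both limited to the monitor.
    - The stock "command" definitions in nrpe.cfg are commented out so only
      the commands in nrpe_fareoffice.cfg are exposed.
    '''
    # Installing nagios plugins, nrpe server and munin-node.
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    monitor_server = config.general.get_monitor_server()

    # nrpe.cfg: only the monitor server may connect, stock command lines
    # are disabled (the fareoffice file below provides the checks) and
    # argument passing is enabled.
    general.set_config_property(
        "/etc/nagios/nrpe.cfg", "^allowed_hosts=.*",
        "allowed_hosts=" + monitor_server)
    general.set_config_property("/etc/nagios/nrpe.cfg", r"^[\#]?command.*",
                                "#command")
    general.set_config_property("/etc/nagios/nrpe.cfg", "^dont_blame_nrpe=.*",
                                "dont_blame_nrpe=1")

    # munin-node.conf: restrict to the monitor server's address.
    general.set_config_property("/etc/munin/munin-node.conf", "^allow.*",
                                _munin_allow_line(monitor_server))

    # NOTE(review): hard-coded /opt/syco while other commands use
    # app.SYCO_PATH - the two may diverge.
    x("rm /etc/nrpe.d/nrpe_fareoffice.cfg")
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg /etc/nrpe.d/nrpe_fareoffice.cfg")

    # Open ports 4949 (munin) and 5666 (nrpe) for the monitor server, and
    # persist the rules like the other install_* commands do (the original
    # never called iptables.save() here).
    iptables.add_monitor_chain()
    iptables.save()

    # Restart the agents so the new configuration is picked up.
    general.shell_exec('/etc/init.d/nrpe restart')
    general.shell_exec('/etc/init.d/munin-node restart')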
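def _munin_allow_line(monitor_ip):
    """
    Return the munin-node.conf "allow" line for an IPv4 monitor address.

    munin's allow value is a regex, so each dot is escaped. Anything other
    than four dotted decimal groups raises Exception instead of the
    IndexError the original produced when indexing the octets.

    NOTE(review): the pattern stays unanchored as in the original; munin's
    documented form is "^...$", which would be stricter.
    """
    octets = monitor_ip.split(".")
    if len(octets) != 4 or not all(octet.isdigit() for octet in octets):
        raise Exception("Monitor server must be an IPv4 address, got %r" % (monitor_ip,))
    return "allow " + r"\.".join(octets)


def install_monitor(args):
    """
    Monitor installation.

    Installs nagios-plugins-all, nrpe and munin-node, restricts both agents
    to the monitor server from the syco config, installs the fareoffice
    NRPE command file, opens the monitor iptables chain (4949 munin,
    5666 nrpe) and restarts the agents.

    Security notes:
    - dont_blame_nrpe=1 enables argument passing from the monitor server to
      NRPE commands - a remote argument-injection vector if that host is
      ever compromised. allowed_hosts and the firewall chain are the real
      controls; keep them limited to the monitor server.
    - The stock nrpe.cfg "command" lines are commented out so only the
      fareoffice definitions are reachable.
    """
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    monitor_server = config.general.get_monitor_server()

    # nrpe.cfg: accept the monitor server only, drop the default commands,
    # allow arguments.
    nrpe_cfg = "/etc/nagios/nrpe.cfg"
    general.set_config_property(nrpe_cfg, "^allowed_hosts=.*", "allowed_hosts=" + monitor_server)
    general.set_config_property(nrpe_cfg, r"^[\#]?command.*", "#command")
    general.set_config_property(nrpe_cfg, "^dont_blame_nrpe=.*", "dont_blame_nrpe=1")

    # munin-node.conf: allow only the monitor server's address.
    general.set_config_property(
        "/etc/munin/munin-node.conf",
        "^allow.*",
        _munin_allow_line(monitor_server),
    )

    # NOTE(review): /opt/syco is hard-coded here whereas other commands use
    # app.SYCO_PATH.
    x("rm /etc/nrpe.d/nrpe_fareoffice.cfg")
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg /etc/nrpe.d/nrpe_fareoffice.cfg")

    # Open 4949 (munin) and 5666 (nrpe) for the monitor server and persist
    # the rules, as the other install_* commands do; the original added the
    # chain without iptables.save().
    iptables.add_monitor_chain()
    iptables.save()

    # Restart the agents to load the new configuration.
    general.shell_exec("/etc/init.d/nrpe restart")
    general.shell_exec("/etc/init.d/munin-node restart")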
def uninstall_openvas(args):
    '''
    Uninstall OpenVAS (manager, scanner and the gsad web UI).

    If the manager init script exists the three services are stopped; then
    the openvas-* packages and /var/lib/openvas are removed, the OpenVAS
    iptables chain is closed and SELinux is put back into enforcing mode,
    both for the running kernel and in /etc/selinux/config (presumably the
    install relaxed it). The atomic yum repo file is left alone.
    '''
    services = ("openvas-manager", "openvas-scanner", "gsad")
    if os.access("/etc/init.d/openvas-manager", os.F_OK):
        for service in services:
            general.shell_exec("/etc/init.d/" + service + " stop")

    x("yum -y remove openvas-*")
    x("rm -rf /var/lib/openvas")
    # /etc/yum.repos.d/atomic.repo is intentionally not touched here.
    iptables.del_openvas_chain()
    iptables.save()

    app.print_verbose("Enabling SELINUX")
    x("echo 1 > /selinux/enforce")
    selinux_config = scOpen("/etc/selinux/config")
    selinux_config.replace("^SELINUX=.*", "SELINUX=enforcing")

    version.Version("InstallOpenVAS", SCRIPT_VERSION).mark_uninstalled()
def _rebuild_sendmail_config():
    '''
    Regenerate /etc/mail/sendmail.cf from sendmail.mc and start sendmail.

    sendmail-cf (the m4 macro set "make" needs) is installed only for the
    build and removed right afterwards so it does not stay on the relay.
    Note this runs "service sendmail start", not restart: an already
    running daemon is not reloaded by this function.
    '''
    mail_dir = "/etc/mail"
    general.shell_exec("yum -y install sendmail-cf")
    os.chdir(mail_dir)
    for command in ('make', 'service sendmail start'):
        general.shell_exec(command)
    general.shell_exec("yum -y remove sendmail-cf")
def install_dns(args):
    '''
  DNS Bind 9 Chrooted installation
  This will install the dns server on the host chrooted.
  This command is used only for Centos servers.

  '''

    if os.path.exists('/opt/syco/lock/dns'):
        '''
    If dns server is locked from this script
    '''
        app.print_verbose(
            "This server has an lock stopping you from installing the DNS server "
        )

    else:
        '''
    Installinb server package needed for dns
    '''
        general.shell_exec(
            "yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y"
        )
        os.chdir("/tmp/")
    '''
  Getting argument from command line
  master = setting upp master server
  slave = setting upp slave server
  '''

    if len(args) == 2:
        role = args[1]
        if (role != "master" and role != "slave"):
            sys.exit(
                "use choose master ore slave server 'syco install-dns master'")
            #raise Exception("You can only enter master or slave, you entered " + args[1])
    else:
        sys.exit(
            "use choose master ore slave server 'syco install-dns master'")

    role = str(args[1])
    '''
  Reading zone.cfg file conting
  In zone.cfg is all config options neede for setting upp DNS Server
  This file is readed and the the options are saved and used when generating new config files
  '''
    config_f = ConfigParser.SafeConfigParser()
    config_zone = ConfigParser.SafeConfigParser()

    config_f.read(app.SYCO_PATH + 'var/dns/zone.cfg')
    dnsrange = config_f.get('config', 'range')
    forward1 = config_f.get('config', 'forward1')
    forward2 = config_f.get('config', 'forward2')
    ipmaster = config_f.get('config', 'ipmaster')
    ipslave = config_f.get('config', 'ipslave')
    localnet = config_f.get('config', 'localnet')
    data_center = config_f.get('config', 'data_center')

    #Creating data dir
    x("mkdir  /var/named/chroot/var/named/data")
    '''
  Depending if the server is an master then new rndc keys are genertaed if now old are done.
  If the server is slave the keys have to bee fetch from the master server.
  '''
    if os.path.exists('/var/named/chroot/etc/rndc_new.key'):
        _copy_rndc()
    else:
        if role == "master":
            os.chdir("/tmp")
            os.system(
                "/usr/sbin/rndc-confgen > /var/named/chroot/etc/rndc_new.key")
            general.shell_exec("chown root:named rndc.key")
            _copy_rndc()
        else:
            os.chdir("/var/named/chroot/etc")
            scp_from(ipmaster, "/var/named/chroot/etc/rndc_new.key",
                     "/var/named/chroot/etc/")

    def _generate_zone(location):

        p = re.compile('[\s]*([\d]*)[\s]*[;][\s]*Serial')
        if location == "internal":
            o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
            o.write("view 'internt' {\n")
            o.write("match-clients { " + localnet + "; };\n")
            o.close()
        else:
            o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
            o.write("view 'external' {\n")
            o.write("match-clients { any; };\n")
            o.close()
        '''
     Getting records from zone files
     and creating zone file for records
     '''

        for zone in config_f.options('zone'):
            rzone = config_f.get('zone', zone)
            config_zone.read(app.SYCO_PATH + 'var/dns/' + zone)
            print zone
            '''
                Crating zone file and setting right settings form zone.cfg file

                '''
            o = open("/var/named/chroot/var/named/data/" + location + "." +
                     zone + ".zone", "w")  #open for write
            for line in open(app.SYCO_PATH + "var/dns/template.zone"):
                line = line.replace("$IPMASTER$", ipmaster)
                line = line.replace("$IPSLAVE$", ipslave)
                line = line.replace("$NAMEZONE$", zone)
                serial = p.findall(line)
                print line
                if len(serial) > 0:
                    line = str(int(serial[0]) + 1) + "   ;   Serial\n"
                o.write(line + "\n")

            #Wrinting out arecord to zone file
            if location == "internal":
                '''
                    Getting internal network address if thy are any else go back to use external address
                    Generating A record from domain file and adding them to zone file.
                    '''
                try:
                    config_zone.options("internal_" + zone + "_arecords")
                except ConfigParser.NoSectionError:
                    for option in config_zone.options(zone + "_arecords"):
                        o.write(option + "." + zone + "." +
                                "     IN     A    " +
                                config_zone.get(zone + "_arecords", option) +
                                " \n")
                        print option + "." + zone + "." + "A" + config_zone.get(
                            zone + "_arecords", option) + "."

                    if zone == config.general.get_resolv_domain():
                        servers = config.get_servers()
                        for hostname in servers:
                            o.write(hostname + "." + zone + "." +
                                    "     IN     A    " +
                                    config.host(hostname).get_back_ip() +
                                    " \n")
                            print "INTERNAL" + hostname + config.host(
                                hostname).get_back_ip()

                else:
                    for option in config_zone.options("internal_" + zone +
                                                      "_arecords"):
                        o.write(option + "." + zone + "." +
                                "     IN     A    " + config_zone.get(
                                    "internal_" + zone + "_arecords", option) +
                                " \n")
                        print option + "." + zone + "." + "A" + config_zone.get(
                            "internal_" + zone + "_arecords", option) + "."
                        '''
                            If domain is the same as local domain
                            Gett all ip from local servers and add them to records.
                            '''

                    if zone == config.general.get_resolv_domain():
                        servers = config.get_servers()
                        for hostname in servers:
                            o.write(hostname + "." + zone + "." +
                                    "     IN     A    " +
                                    config.host(hostname).get_back_ip() +
                                    " \n")
                            print hostname + config.host(
                                hostname).get_back_ip()
                '''
                    Getting all Cnames from domain file
                    If there exist any names for internal network then they are used for inernal viem
                    Else external names are used.
                    Cnames are the added to file
                    '''
                try:
                    config_zone.options("internal_" + zone + "_cname")
                except ConfigParser.NoSectionError:
                    for option in config_zone.options(zone + "_cname"):
                        out = str(
                            option) + "     IN    CNAME   " + config_zone.get(
                                zone + "_cname", option) + "\n"
                        out2 = out.replace('$DATA_CENTER$', data_center)
                        o.write(out2)
                        print out2
                else:
                    for option in config_zone.options("internal_" + zone +
                                                      "_cname"):
                        out = str(option) + "     IN    CNAME   " + str(
                            config_zone.get("internal_" + zone + "_cname",
                                            option)) + "\n"
                        out2 = out.replace('$DATA_CENTER$', data_center)
                        o.write(out2)
                        print out2

            else:
                for option in config_zone.options(zone + "_arecords"):
                    o.write(option + "." + zone + "." + "     IN     A    " +
                            config_zone.get(zone + "_arecords", option) +
                            " \n")
                    print option + "." + zone + "." + "A" + config_zone.get(
                        zone + "_arecords", option) + "."

                for option in config_zone.options(zone + "_cname"):
                    out = str(option) + "     IN    CNAME   " + str(
                        config_zone.get(zone + "_cname", option)) + "\n"
                    out2 = out.replace('$DATA_CENTER$', data_center)
                    o.write(out2)
                    print out2
                o.close()
            '''
                Creating zone revers file for recursive getting if domain names.
                '''
            o = open("/var/named/chroot/var/named/data/" + location + "." +
                     rzone + ".zone", "w")  #open for append
            for line in open(app.SYCO_PATH + "var/dns/recursiv-template.zone"):
                line = line.replace("$IPMASTER$", ipmaster[::-1])
                line = line.replace("$IPSLAVE$", ipslave[::-1])
                line = line.replace("$NAMEZONE$", zone)
                line = line.replace("$RZONE$", rzone)
                serial = p.findall(line)
                if len(serial) > 0:
                    line = str(int(serial[0]) + 1) + "   ;   Serial\n"
                o.write(line + "\n")
            o.close()
            '''
                Adding the new zreated zone files to named.com to be used
                '''

            o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
            for line in open(app.SYCO_PATH + "var/dns/" + role + "-zone.conf"):
                line = line.replace("$IPMASTER$", ipmaster)
                line = line.replace("$IPSLAVE$", ipslave)
                line = line.replace("$NAMEZONE$", zone)
                line = line.replace("$RZONE$", rzone)
                line = line.replace("$LOCATION$", location)
                o.write(line + "\n")
            o.close()
        '''
     Adding differin view to the config file
     '''
        if location == "internal":
            o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
            o.write("}; \n")
            o.close()
        else:
            o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
            o.write("};\n")
            o.close()
            '''
          Getting namd.conf tamplate and generting new file with right config.
          '''

    '''
  Setting upp named.conf with right settings
  '''

    o = open("/var/named/chroot/etc/named.conf", "a")  #open for append
    for line in open(app.SYCO_PATH + "var/dns/" + role + "-named.conf"):
        line = line.replace("$IPSLAVE$", ipslave)
        line = line.replace("$IPMASTER$", ipmaster)
        line = line.replace("$RANGE$", dnsrange)
        line = line.replace("$FORWARD1$", forward1)
        line = line.replace("$FORWARD2$", forward2)
        line = line.replace("$LOCALNET$", localnet)
        line = line.replace("$DOMAIN$", config.general.get_resolv_domain())
        o.write(line)
    o.close()
    '''
  Chnagin order if ip to match recusrsive lookup
  '''
    '''
  Generating the zone files
  IMPORTAND that  internal is first
  '''
    _generate_zone("internal")
    _generate_zone("external")
    '''
  Adding serial number to template
  '''

    _add_serial("recursiv-template")
    _add_serial("template")
    '''
  Restaring DNS server for action to be loaded
  '''
    general.shell_exec("/etc/init.d/named restart")
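def install_mail_client(args):
  '''
  Configure sendmail on this host as a client of the syco mail-relay server.

  Every outgoing message is handed to the relay named by
  config.general.get_mail_relay_domain_name() (SMART_HOST), and both the
  header and the envelope sender are rewritten to that domain
  (MASQUERADE_AS / masquerade_envelope / masquerade_entire_domain), root
  included because EXPOSED_USER(root) is commented out.  Nothing here sets
  up authentication or TLS towards the relay, so the relay itself must
  restrict which source networks are allowed to relay.

  The regexes handed to set_config_property() are raw strings.  In the
  original non-raw form ``\'`` collapsed to ``'`` while ``\(``, ``\`` and
  ``\,`` survived as written -- the result matched the same lines but is a
  SyntaxWarning on newer Pythons.  The patterns match exactly what they
  matched before.

  Args:
    args: command-line arguments (unused).
  '''
  app.print_verbose("Install mail-relay-client version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
  # Presumably short-circuits a rerun of the same version; see version.Version.
  version_obj.check_executed()

  general.shell_exec("yum -y install sendmail")

  sendmail_mc = "/etc/mail/sendmail.mc"
  domain = config.general.get_mail_relay_domain_name()

  app.print_verbose("Configure /etc/mail/*")

  # Hand all non-local mail to the relay.
  set_config_property(
    sendmail_mc,
    r".*define\(\`SMART_HOST\'\, \`.*\'\)dnl",
    "define(`SMART_HOST', `" + domain + "')dnl"
  )

  # FEATURE always_add_domain always masquerades email addresses, even if the
  # mail is sent from a user on the mail server to another user on the same
  # mail server.
  set_config_property2(sendmail_mc, "FEATURE(always_add_domain)dnl")

  # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
  # *my-site.com, and *another-site.com as my-site.com. In other words, mail
  # from sales.my-site.com would be masqueraded as my-site.com. If this wasn't
  # selected, then only servers named my-site.com and my-othersite.com would be
  # masqueraded. Use this with caution when you are sure you have the necessary
  # authority to do this.
  set_config_property2(sendmail_mc, "FEATURE(masquerade_entire_domain)dnl")

  # FEATURE masquerade_envelope rewrites the email envelope just as
  # MASQUERADE_AS rewrote the header (bounces therefore go to the relay
  # domain, not to this host).
  set_config_property2(sendmail_mc, "FEATURE(masquerade_envelope)dnl")

  # FEATURE allmasquerade makes sendmail rewrite both recipient addresses and
  # sender addresses relative to the local machine. If you cc: yourself on an
  # outgoing mail, the other recipient sees a cc: to an address he knows instead
  # of one on localhost.localdomain.
  # TODO: need to be before MAILER
  #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

  # The MASQUERADE_AS directive makes all mail originating on
  # client appear to come from a server within the domain
  # DOMAIN by rewriting the email header.
  set_config_property(
    sendmail_mc,
    r".*MASQUERADE_AS\(\`.*\'\)dnl.*",
    "MASQUERADE_AS(`" + domain + "')dnl"
  )

  # The MASQUERADE_DOMAIN directive makes mail relayed via mail-relay server
  # from all machines in the localdomain domains appear to come from the
  # MASQUERADE_AS domain. Using DNS, sendmail checks the domain name associated
  # with the IP address of the mail relay client sending the mail to help it
  # determine whether it should do masquerading or not.
  set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost)dnl")
  set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost.localdomain)dnl")

  # By default, user "root" will not be masqueraded. Removing the EXPOSED_USER
  # will also masqueraded root (so cron/system mail is rewritten too).
  set_config_property(
    sendmail_mc,
    r".*EXPOSED_USER\(\`root\'\)dnl.*",
    "dnl EXPOSED_USER(`root')dnl"
  )

  _rebuild_sendmail_config()

  _test_mail()
  version_obj.mark_executed()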
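def install_ca(args):
  '''
  Create a local CA under /etc/ssl/ca and one server certificate issued by it.

  DISABLED: the bare ``return`` below short-circuits the whole command, exactly
  as before, so callers still see a no-op.  The body after it has been fixed
  so that it is safe to re-enable:

    * the server certificate is signed with ``-CA/-CAkey``.  The original
      ``openssl x509 -req -signkey ca.key`` produces a *self-signed*
      certificate whose public key is the CA's, so it neither matched the
      server key nor chained to ca.crt;
    * the CA certificate is produced with ``req -x509`` so it gets the
      basicConstraints CA:TRUE extension from the default openssl.cnf;
    * keys are generated under umask 077 and the private directory is 0700,
      so the private keys are never world-readable, not even briefly;
    * the server CSR gets ``-subj`` so ``openssl req`` cannot block on an
      interactive prompt inside a provisioning run;
    * absolute paths replace ``os.chdir("/etc/ssl")``, which changed the
      caller's working directory as a side effect.

  ``ca/ca.csr`` is no longer written; nothing visible in this file reads it.

  Args:
    args: command-line arguments (unused).
  '''
  # Disabled on purpose; drop this line to enable the command.
  return

  # NOTE(review): the other commands in this file use SCRIPT_VERSION; make
  # sure script_version is actually defined before re-enabling.
  app.print_verbose("Install CA version: %d" % script_version)
  version_obj = version.Version("InstallCa", script_version)
  version_obj.check_executed()

  ca_dir = "/etc/ssl/ca"
  ca_key = ca_dir + "/private/ca.key"
  ca_crt = ca_dir + "/ca.crt"
  # Placeholder host name; the issued certificate is only useful for a host
  # that is really reached under this name.
  server = "www.webbserver.com"
  server_key = "/etc/ssl/certs/" + server + ".key"
  server_csr = "/etc/ssl/certs/" + server + ".csr"
  server_crt = "/etc/ssl/certs/" + server + ".crt"

  if os.path.exists(ca_key):
    app.print_verbose("CA is already installed")
  else:
    general.shell_exec("mkdir -p " + ca_dir + "/private")
    general.shell_exec("mkdir -p /etc/ssl/certs")
    # Only root may enter the directory holding the CA key.
    os.chmod(ca_dir + "/private", 0o700)

    # Child processes inherit the umask, so every file openssl writes below
    # is created 0600; the public certificates are opened up afterwards.
    old_umask = os.umask(0o077)
    try:
      # CA key and self-signed CA certificate.
      general.shell_exec("openssl genrsa -out " + ca_key + " 4096")
      general.shell_exec(
        "openssl req -x509 -new -days 365 -key " + ca_key + " -out " + ca_crt +
        " -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'"
      )

      # Server key, CSR and certificate issued (not self-signed) by the CA.
      general.shell_exec("openssl genrsa -out " + server_key + " 2048")
      general.shell_exec(
        "openssl req -new -key " + server_key + " -out " + server_csr +
        " -subj '/O=syco/CN=" + server + "'"
      )
      general.shell_exec(
        "openssl x509 -req -days 365 -in " + server_csr +
        " -CA " + ca_crt + " -CAkey " + ca_key + " -CAcreateserial" +
        " -out " + server_crt
      )
    finally:
      os.umask(old_umask)

    # Certificates are public; clients need to read them.
    os.chmod(ca_crt, 0o644)
    os.chmod(server_crt, 0o644)

  version_obj.mark_executed()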
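def _rebuild_sendmail_config():
  '''
  Regenerate /etc/mail/sendmail.cf from sendmail.mc and (re)start sendmail.

  sendmail-cf (the m4 macro set the Makefile needs) is installed only for the
  duration of the build and removed again, so the host carries no extra
  package afterwards.

  Changes versus the original:
    * ``make -C /etc/mail`` instead of os.chdir(): the previous version left
      the caller's working directory pointing at /etc/mail;
    * ``service sendmail restart`` instead of ``start``: on a host where
      sendmail is already running, ``start`` is a no-op and the freshly
      built sendmail.cf would never be loaded.  On a fresh install restart
      still starts the daemon.
  '''
  general.shell_exec("yum -y install sendmail-cf")
  # Builds sendmail.cf (and the hash maps the Makefile knows about) in place.
  general.shell_exec("make -C /etc/mail")
  general.shell_exec("service sendmail restart")
  general.shell_exec("yum -y remove sendmail-cf")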
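def install_ca(args):
    '''
    Create a local CA under /etc/ssl/ca and one server certificate issued by it.

    DISABLED: the bare ``return`` below short-circuits the whole command,
    exactly as before, so callers still see a no-op.  The body after it has
    been fixed so that it is safe to re-enable:

      * the server certificate is signed with ``-CA/-CAkey``.  The original
        ``openssl x509 -req -signkey ca.key`` produces a *self-signed*
        certificate whose public key is the CA's, so it neither matched the
        server key nor chained to ca.crt;
      * the CA certificate is produced with ``req -x509`` so it gets the
        basicConstraints CA:TRUE extension from the default openssl.cnf;
      * keys are generated under umask 077 and the private directory is 0700,
        so the private keys are never world-readable, not even briefly;
      * the server CSR gets ``-subj`` so ``openssl req`` cannot block on an
        interactive prompt inside a provisioning run;
      * absolute paths replace ``os.chdir("/etc/ssl")``, which changed the
        caller's working directory as a side effect.

    ``ca/ca.csr`` is no longer written; nothing visible in this file reads it.

    Args:
        args: command-line arguments (unused).
    '''
    # Disabled on purpose; drop this line to enable the command.
    return

    # NOTE(review): the other commands in this file use SCRIPT_VERSION; make
    # sure script_version is actually defined before re-enabling.
    app.print_verbose("Install CA version: %d" % script_version)
    version_obj = version.Version("InstallCa", script_version)
    version_obj.check_executed()

    ca_dir = "/etc/ssl/ca"
    ca_key = ca_dir + "/private/ca.key"
    ca_crt = ca_dir + "/ca.crt"
    # Placeholder host name; the issued certificate is only useful for a host
    # that is really reached under this name.
    server = "www.webbserver.com"
    server_key = "/etc/ssl/certs/" + server + ".key"
    server_csr = "/etc/ssl/certs/" + server + ".csr"
    server_crt = "/etc/ssl/certs/" + server + ".crt"

    if os.path.exists(ca_key):
        app.print_verbose("CA is already installed")
    else:
        general.shell_exec("mkdir -p " + ca_dir + "/private")
        general.shell_exec("mkdir -p /etc/ssl/certs")
        # Only root may enter the directory holding the CA key.
        os.chmod(ca_dir + "/private", 0o700)

        # Child processes inherit the umask, so every file openssl writes
        # below is created 0600; the public certificates are opened up after.
        old_umask = os.umask(0o077)
        try:
            # CA key and self-signed CA certificate.
            general.shell_exec("openssl genrsa -out " + ca_key + " 4096")
            general.shell_exec(
                "openssl req -x509 -new -days 365 -key " + ca_key +
                " -out " + ca_crt +
                " -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'"
            )

            # Server key, CSR and certificate issued (not self-signed) by the CA.
            general.shell_exec("openssl genrsa -out " + server_key + " 2048")
            general.shell_exec(
                "openssl req -new -key " + server_key + " -out " + server_csr +
                " -subj '/O=syco/CN=" + server + "'"
            )
            general.shell_exec(
                "openssl x509 -req -days 365 -in " + server_csr +
                " -CA " + ca_crt + " -CAkey " + ca_key + " -CAcreateserial" +
                " -out " + server_crt
            )
        finally:
            os.umask(old_umask)

        # Certificates are public; clients need to read them.
        os.chmod(ca_crt, 0o644)
        os.chmod(server_crt, 0o644)

    version_obj.mark_executed()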
def install_dns(args):
  '''
  Install and configure a chrooted BIND 9 master or slave on this CentOS host.

  Usage: ``syco install-dns master`` or ``syco install-dns slave``.

  What happens, in order:
    1. the bind packages are installed -- unless /opt/syco/lock/dns exists,
       in which case *only* this step is skipped and everything below still
       runs;
    2. ``var/dns/zone.cfg`` is read (``[config]`` for addresses/forwarders,
       ``[zone]`` for zone -> reverse-zone pairs);
    3. the rndc key is generated (master) or fetched from the master (slave);
    4. the ``<role>-named.conf`` template is appended to
       /var/named/chroot/etc/named.conf;
    5. an "internal" and then an "external" view, each with its zone files,
       are appended (internal must come first);
    6. the template serials are bumped and named is restarted.

  Security notes for reviewers are marked NOTE(review) inline: the rndc
  secret's file permissions, the open external view, and the character-wise
  reversal of the master/slave addresses in the reverse zone.

  Args:
    args: command-line arguments; args[1] must be "master" or "slave",
          anything else calls sys.exit().
  '''

  if os.path.exists('/opt/syco/lock/dns'):
    '''
    If dns server is locked from this script
    '''
    # NOTE(review): the lock only skips the package install; the config
    # generation and the named restart at the end still run.  The message
    # reads as if the command should abort -- confirm which is intended.
    app.print_verbose("This server has an lock stopping you from installing the DNS server ")

  else:

    '''
    Installinb server package needed for dns
    '''
    general.shell_exec("yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y")
    # Changes the process working directory for the rest of the run.
    os.chdir("/tmp/")



  '''
  Getting argument from command line
  master = setting upp master server
  slave = setting upp slave server
  '''

  if len(args) == 2:
    role = args[1]
    if (role != "master" and role !="slave"):
      sys.exit("use choose master ore slave server 'syco install-dns master'")
      #raise Exception("You can only enter master or slave, you entered " + args[1])
  else:
    sys.exit("use choose master ore slave server 'syco install-dns master'")


  role  =str(args[1])  

  
  '''
  Reading zone.cfg file conting
  In zone.cfg is all config options neede for setting upp DNS Server
  This file is readed and the the options are saved and used when generating new config files
  '''
  config_f = ConfigParser.SafeConfigParser()
  config_zone = ConfigParser.SafeConfigParser()


  config_f.read(app.SYCO_PATH + 'var/dns/zone.cfg')
  dnsrange = config_f.get('config', 'range')
  forward1 = config_f.get('config', 'forward1')
  forward2 = config_f.get('config', 'forward2')
  ipmaster = config_f.get('config', 'ipmaster')
  ipslave = config_f.get('config', 'ipslave')
  localnet = config_f.get('config', 'localnet')
  data_center = config_f.get('config', 'data_center')
    


  #Creating data dir
  # No -p: on a rerun the directory already exists and this command fails
  # (how loudly depends on x(), which is not visible here).
  x("mkdir  /var/named/chroot/var/named/data")


  '''
  Depending if the server is an master then new rndc keys are genertaed if now old are done.
  If the server is slave the keys have to bee fetch from the master server.
  '''
  if os.path.exists('/var/named/chroot/etc/rndc_new.key'):
    _copy_rndc()
  else:
      if role =="master":
	os.chdir("/tmp")
        # NOTE(review): rndc_new.key holds the rndc HMAC secret, but it is
        # created through a shell redirect with the process umask and nothing
        # below tightens it -- the chown targets "rndc.key" in /tmp (the cwd
        # set on the previous line), not the file just written.  Presumably
        # /var/named/chroot/etc/rndc_new.key was meant; it should also be
        # made unreadable to anyone but root/named (e.g. 0640 root:named).
        os.system("/usr/sbin/rndc-confgen > /var/named/chroot/etc/rndc_new.key")
        general.shell_exec("chown root:named rndc.key")
        _copy_rndc()
      else:
          # Slave: fetch the master's secret over SSH.  The same permission
          # caveat applies to the copy that lands here.
          os.chdir("/var/named/chroot/etc")
          scp_from(ipmaster,"/var/named/chroot/etc/rndc_new.key","/var/named/chroot/etc/")



  def _generate_zone(location):
     '''
     Append one BIND view (``internal`` or ``external``) to named.conf and
     write the forward and reverse zone files it references.

     For every zone listed in zone.cfg's ``[zone]`` section this
       * writes /var/named/chroot/var/named/data/<location>.<zone>.zone from
         var/dns/template.zone plus the A and CNAME records found in
         var/dns/<zone> (for the internal view the ``internal_*`` sections
         are used when present, otherwise the plain ones); when the zone is
         the resolv domain, one A record per config.get_servers() entry is
         added using whatever config.host(...).get_back_ip() returns;
       * writes <location>.<rzone>.zone from var/dns/recursiv-template.zone;
       * appends var/dns/<role>-zone.conf for the zone to named.conf.

     Reads role, ipmaster, ipslave, localnet, data_center, config_f and
     config_zone from the enclosing scope.  Must be called for "internal"
     before "external".
     '''

     # Matches a zone-file serial line such as "2012 ; Serial".  Note that
     # [\d]* also matches the empty string, so a "; Serial" line without a
     # number makes the int() below raise ValueError.
     p = re.compile('[\s]*([\d]*)[\s]*[;][\s]*Serial')
     if location == "internal":
          # NOTE(review): named.conf strings are normally double-quoted;
          # confirm this BIND version accepts the single-quoted view name
          # (and that "internt" rather than "internal" is intended).
          o = open("/var/named/chroot/etc/named.conf","a") #open for append
          o.write("view 'internt' {\n")
          o.write("match-clients { " + localnet + "; };\n")
          o.close()
     else:
          # The external view answers every client.  Whether recursion is
          # disabled for it depends on the <role>-named.conf template, which
          # is not visible here -- verify, otherwise this host is an open
          # resolver.
          o = open("/var/named/chroot/etc/named.conf","a") #open for append
          o.write("view 'external' {\n")
          o.write("match-clients { any; };\n")
          o.close()

     '''
     Getting records from zone files
     and creating zone file for records
     '''


     for zone in config_f.options('zone'):
                rzone = config_f.get('zone',zone)
                config_zone.read(app.SYCO_PATH + 'var/dns/'+zone)
                print zone

                '''
                Crating zone file and setting right settings form zone.cfg file

                '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + zone + ".zone","w") #open for write
                for line in open(app.SYCO_PATH + "var/dns/template.zone"):
                    line = line.replace("$IPMASTER$",ipmaster)
                    line = line.replace("$IPSLAVE$",ipslave)
                    line = line.replace("$NAMEZONE$",zone)
                    serial = p.findall (line)
                    print line
                    # Bump the template's serial by one (the template itself
                    # is updated later by _add_serial()).
                    if len(serial) > 0:
                        line = str(int(serial[0]) + 1) + "   ;   Serial\n"
                    o.write(line + "\n")


                 #Wrinting out arecord to zone file
                if location == "internal":

                    '''
                    Getting internal network address if thy are any else go back to use external address
                    Generating A record from domain file and adding them to zone file.
                    '''
                    # options() is only called to probe for the section; the
                    # NoSectionError branch falls back to the external records.
                    try:
                        config_zone.options("internal_" + zone + "_arecords")
                    except ConfigParser.NoSectionError:
                        for option in config_zone.options(zone + "_arecords"):
                            o.write (option + "." + zone + "."+ "     IN     A    " + config_zone.get(zone + "_arecords",option) + " \n")
                            print option + "." + zone+"." + "A" + config_zone.get(zone + "_arecords",option)+"."

                        if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write (hostname + "." + zone + "." + "     IN     A    " + config.host(hostname).get_back_ip() + " \n")
                                print "INTERNAL"+hostname + config.host(hostname).get_back_ip()

                    else:
                         for option in config_zone.options("internal_" + zone + "_arecords"):
                            o.write (option + "." + zone + "."+ "     IN     A    " + config_zone.get("internal_" + zone + "_arecords",option) + " \n")
                            print option + "." + zone + "." + "A" + config_zone.get("internal_" + zone+"_arecords",option) + "."
                            '''
                            If domain is the same as local domain
                            Gett all ip from local servers and add them to records.
                            '''

                         if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write (hostname + "." + zone + "."+ "     IN     A    " + config.host(hostname).get_back_ip() + " \n")
                                print hostname + config.host(hostname).get_back_ip()

                    '''
                    Getting all Cnames from domain file
                    If there exist any names for internal network then they are used for inernal viem
                    Else external names are used.
                    Cnames are the added to file
                    '''
                    try:
                        config_zone.options("internal_" + zone + "_cname")
                    except ConfigParser.NoSectionError:
                         for option in config_zone.options(zone + "_cname"):
                                out = str(option) +  "     IN    CNAME   " + config_zone.get(zone + "_cname",option) + "\n"
                                out2 =out.replace('$DATA_CENTER$',data_center)
                                o.write(out2)
                                print out2
                    else:
                          for option in config_zone.options("internal_" + zone + "_cname"):
                            out= str(option) + "     IN    CNAME   "+ str(config_zone.get("internal_" + zone + "_cname",option)) + "\n"
                            out2 = out.replace('$DATA_CENTER$',data_center)
                            o.write(out2)
                            print out2
                    # Note: the internal branch never closes o explicitly; the
                    # forward zone file is only flushed when o is rebound to
                    # the reverse zone file below (CPython refcounting).


                else:
                 for option in config_zone.options(zone + "_arecords"):
                       o.write (option + "." + zone + "." + "     IN     A    " + config_zone.get(zone + "_arecords",option) + " \n")
                       print option+"." + zone + "." + "A" + config_zone.get(zone + "_arecords",option) + "."

                 for option in config_zone.options(zone+"_cname"):
                        out= str(option) + "     IN    CNAME   " + str(config_zone.get(zone + "_cname",option)) + "\n"
                        out2 = out.replace('$DATA_CENTER$',data_center)
                        o.write(out2)
                        print out2
                 # Tab-indented to column 17: this close belongs to the
                 # external branch only.
		 o.close()
                '''
                Creating zone revers file for recursive getting if domain names.
                '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + rzone + ".zone","w") #open for append
                for line in open(app.SYCO_PATH + "var/dns/recursiv-template.zone"):
                        # NOTE(review): [::-1] reverses the *characters* of the
                        # address ("10.100.0.1" -> "1.0.001.01"), not its octets
                        # as in-addr.arpa needs ("1.0.100.10").  Unless the
                        # template expects exactly this, the PTR owner names
                        # will not match real reverse queries -- verify against
                        # recursiv-template.zone.
                        line = line.replace("$IPMASTER$",ipmaster[::-1])
                        line = line.replace("$IPSLAVE$",ipslave[::-1])
                        line = line.replace("$NAMEZONE$", zone)
                        line = line.replace("$RZONE$" ,rzone)
                        serial = p.findall (line)
                        if len(serial) > 0:
                            line = str(int(serial[0]) + 1) + "   ;   Serial\n"
                        o.write(line + "\n")
                o.close()

                '''
                Adding the new zreated zone files to named.com to be used
                '''

                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                for line in open(app.SYCO_PATH + "var/dns/" + role + "-zone.conf"):
                    line = line.replace("$IPMASTER$",ipmaster)
                    line = line.replace("$IPSLAVE$",ipslave)
                    line = line.replace("$NAMEZONE$",zone)
                    line = line.replace("$RZONE$" ,rzone)
                    line = line.replace("$LOCATION$" ,location)
                    o.write(line + "\n")
                o.close()
     '''
     Adding differin view to the config file
     '''
     # Close the view block opened at the top of this function.
     if location == "internal":
          o = open("/var/named/chroot/etc/named.conf","a") #open for append
          o.write("}; \n")
          o.close()
     else:
          o = open("/var/named/chroot/etc/named.conf","a") #open for append
          o.write("};\n")
          o.close()
          '''
          Getting namd.conf tamplate and generting new file with right config.
          '''

  '''
  Setting upp named.conf with right settings
  '''

  # Appended, never truncated: rerunning this command keeps adding to
  # named.conf.
  o = open("/var/named/chroot/etc/named.conf","a") #open for append
  for line in open(app.SYCO_PATH + "var/dns/" + role + "-named.conf"):
     line = line.replace("$IPSLAVE$",ipslave)
     line = line.replace("$IPMASTER$",ipmaster)
     line = line.replace("$RANGE$",dnsrange)
     line = line.replace("$FORWARD1$",forward1)
     line = line.replace("$FORWARD2$",forward2)
     line = line.replace("$LOCALNET$",localnet)
     line = line.replace("$DOMAIN$",config.general.get_resolv_domain())
     o.write(line)
  o.close()
  '''
  Chnagin order if ip to match recusrsive lookup
  '''


  '''
  Generating the zone files
  IMPORTAND that  internal is first
  '''
  _generate_zone("internal")
  _generate_zone("external")
  '''
  Adding serial number to template
  '''

  _add_serial("recursiv-template")
  _add_serial("template")



  '''
  Restaring DNS server for action to be loaded
  '''
  general.shell_exec("/etc/init.d/named restart")
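def install_mail_client(args):
    '''
    Configure sendmail on this host as a client of the syco mail-relay server.

    Every outgoing message is handed to the relay named by
    config.general.get_mail_relay_domain_name() (SMART_HOST), and both the
    header and the envelope sender are rewritten to that domain
    (MASQUERADE_AS / masquerade_envelope / masquerade_entire_domain), root
    included because EXPOSED_USER(root) is commented out.  Nothing here sets
    up authentication or TLS towards the relay, so the relay itself must
    restrict which source networks are allowed to relay.

    The regexes handed to set_config_property() are raw strings.  In the
    original non-raw form ``\'`` collapsed to ``'`` while ``\(``, ``\`` and
    ``\,`` survived as written -- the result matched the same lines but is a
    SyntaxWarning on newer Pythons.  The patterns match exactly what they
    matched before.

    Args:
        args: command-line arguments (unused).
    '''
    app.print_verbose("Install mail-relay-client version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
    # Presumably short-circuits a rerun of the same version; see version.Version.
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    sendmail_mc = "/etc/mail/sendmail.mc"
    domain = config.general.get_mail_relay_domain_name()

    app.print_verbose("Configure /etc/mail/*")

    # Hand all non-local mail to the relay.
    set_config_property(sendmail_mc,
                        r".*define\(\`SMART_HOST\'\, \`.*\'\)dnl",
                        "define(`SMART_HOST', `" + domain + "')dnl")

    # FEATURE always_add_domain always masquerades email addresses, even if the
    # mail is sent from a user on the mail server to another user on the same
    # mail server.
    set_config_property2(sendmail_mc, "FEATURE(always_add_domain)dnl")

    # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
    # *my-site.com, and *another-site.com as my-site.com. In other words, mail
    # from sales.my-site.com would be masqueraded as my-site.com. If this wasn't
    # selected, then only servers named my-site.com and my-othersite.com would be
    # masqueraded. Use this with caution when you are sure you have the necessary
    # authority to do this.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_entire_domain)dnl")

    # FEATURE masquerade_envelope rewrites the email envelope just as
    # MASQUERADE_AS rewrote the header (bounces therefore go to the relay
    # domain, not to this host).
    set_config_property2(sendmail_mc, "FEATURE(masquerade_envelope)dnl")

    # FEATURE allmasquerade makes sendmail rewrite both recipient addresses and
    # sender addresses relative to the local machine. If you cc: yourself on an
    # outgoing mail, the other recipient sees a cc: to an address he knows instead
    # of one on localhost.localdomain.
    # TODO: need to be before MAILER
    #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

    # The MASQUERADE_AS directive makes all mail originating on
    # client appear to come from a server within the domain
    # DOMAIN by rewriting the email header.
    set_config_property(sendmail_mc,
                        r".*MASQUERADE_AS\(\`.*\'\)dnl.*",
                        "MASQUERADE_AS(`" + domain + "')dnl")

    # The MASQUERADE_DOMAIN directive makes mail relayed via mail-relay server
    # from all machines in the localdomain domains appear to come from the
    # MASQUERADE_AS domain. Using DNS, sendmail checks the domain name associated
    # with the IP address of the mail relay client sending the mail to help it
    # determine whether it should do masquerading or not.
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost)dnl")
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost.localdomain)dnl")

    # By default, user "root" will not be masqueraded. Removing the EXPOSED_USER
    # will also masqueraded root (so cron/system mail is rewritten too).
    set_config_property(sendmail_mc,
                        r".*EXPOSED_USER\(\`root\'\)dnl.*",
                        "dnl EXPOSED_USER(`root')dnl")

    _rebuild_sendmail_config()

    _test_mail()
    version_obj.mark_executed()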