def install_rkhunter(email=None):
"""
Install and configure RootKit Hunter
Default section: admin
:param email: Email to send reports
:type email: str
"""
opts = dict(
email=email
or get_envvar('email',section='admin')
or err('Email must be set'),
)
# install RKHunter
apt_get('rkhunter')
# send emails on warnings
uncomment('/etc/rkhunter.conf', '#MAIL-ON-WARNING=me@mydomain root@mydomain', use_sudo=True)
sed('/etc/rkhunter.conf', 'me@mydomain root@mydomain', opts['email'], use_sudo=True)
# ignore some Ubuntu specific files
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.udev', use_sudo=True)
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.static', use_sudo=True)
uncomment('/etc/rkhunter.conf', '#ALLOWHIDDENDIR=\/dev\/.initramfs', use_sudo=True)
def install_php():
"""Install FastCGI interface for running PHP scripts via Nginx."""
# install php-fpm, php process manager
apt_get(['php5-fpm', 'php5-curl', 'php5-mysql', 'php5-gd'])
# the command above also pulls in apache, which we cannot remove -> make id not start at bootup
sudo('update-rc.d -f apache2 remove')
# security harden PHP5
sed('/etc/php5/cgi/php.ini', ';cgi\.fix_pathinfo=1', 'cgi\.fix_pathinfo=0', use_sudo=True)
sed('/etc/php5/cgi/php.ini', '; allow_call_time_pass_reference', 'allow_call_time_pass_reference = Off', use_sudo=True)
sed('/etc/php5/cgi/php.ini', '; display_errors', 'display_errors = Off', use_sudo=True)
sed('/etc/php5/cgi/php.ini', '; html_errors', 'html_errors = Off', use_sudo=True)
sed('/etc/php5/cgi/php.ini', '; magic_quotes_gpc', 'magic_quotes_gpc = Off', use_sudo=True)
sed('/etc/php5/cgi/php.ini', '; log_errors', 'log_errors = On', use_sudo=True)
# restart for changes to apply
sudo('/etc/init.d/php5-fpm restart')
def install_sendmail(email=None):
"""
Prepare a localhost SMTP server for sending out system notifications
to admins
Default section: admin
:param email: Email to send reports
:type email: str
"""
opts = dict(
email=email
or get_envvar('email',section='admin')
or err('Email must be set'),
)
# install sendmail
apt_get('sendmail')
# all email should be sent to maintenance email
append('/etc/aliases', 'root: %(email)s' % opts, use_sudo=True)
def install_munin_node(add_to_master=True):
"""Install and configure Munin node, which gathers system information
and sends it to Munin master."""
# install munin-node
apt_get('munin-node')
# add allow IP to munin-node.conf -> allow IP must be escaped REGEX-style
ip = '%(hq)s' % env
ip.replace('.', '\\\.')
sed('/etc/munin/munin-node.conf', '127\\\.0\\\.0\\\.1', '%s' % ip, use_sudo=True)
sudo('service munin-node restart')
# add node to munin-master on Headquarters server so
# system information is actually collected
if add_to_master:
with settings(host_string='%(hq)s:22' % env):
path = '/etc/munin/munin.conf'
append(path, '[%(hostname)s]' % env, use_sudo=True)
append(path, ' address %(server_ip)s' % env, use_sudo=True)
append(path, ' ', use_sudo=True)
def raid_monitoring(email=None):
"""
Configure monitoring of our RAID-1 field. If anything goes wrong,
send an email!
Default section: admin
:param email: Email to send reports
:type email: str
"""
opts = dict(
email=email
or get_envvar('email',section='admin')
or err('Email must be set'),
)
# enable email notifications from mdadm raid monitor
append('/etc/mdadm/mdadm.conf', 'MAILADDR %(email)s' % opts, use_sudo=True)
# enable email notification for SMART disk monitoring
apt_get('smartmontools')
uncomment('/etc/default/smartmontools', '#start_smartd=yes', use_sudo=True)
def install_mysql(password=None):
"""
Install MySQL database server
Default section: mysql
:param password: Root mysql password ( ``envdefault="default_password"`` )
:type password: str
"""
opts = dict(
password=password
or get_envvar('password',section='mysql',envdefault='default_password')
or err("No password for mysql set")
)
# first set root password in advance so we don't get the package
# configuration dialog
sudo('echo "mysql-server-5.0 mysql-server/root_password password %(password)s" | debconf-set-selections' % opts)
sudo('echo "mysql-server-5.0 mysql-server/root_password_again password %(password)s" | debconf-set-selections' % opts)
# install MySQL along with php drivers for it
apt_get('mysql-server mysql-client')
def install_dnsmasq():
"""Installs local dns server"""
apt_get("dnsmasq")
add_startup("dnsmasq")
def install_aiccu():
"Installs aiccu. Hartbeat monitor for sixxs ipv6 tunnel"
apt_get("aiccu")
def install_avahi():
"""Installs avahi for mdns support"""
apt_get("avahi-daemon")
add_startup("avahi-daemon")
def install_nginx(nginx_conf=None):
"""Installs nginx webserver."""
apt_get("ngingx", "ppa:nginx/stable")
add_startup("nginx")
def install_finch():
"""Installs finch, console client port of pidgin"""
apt_get("finch")
