Example #1
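def _setup_keys():
    '''
    Download this host's client keys from the ossec server.

    Needed for client to be allowed to communicate with server. The remote
    file is named after this host's fqdn (hostname + resolv domain); the
    copy is retried every 40 seconds until /var/ossec/etc/client.keys exists
    locally. The file is then set to root:ossec, mode 640.

    '''
    ossecserver = config.general.get_ossec_server_ip()
    hostname = socket.gethostname()
    fqdn = '{0}.{1}'.format(hostname, config.general.get_resolv_domain())
    local_keys = '/var/ossec/etc/client.keys'

    # Wait until ssh is responsive on server. However this doesn't mean that
    # the server is fully installed.
    general.wait_for_server_to_start(ossecserver, 22)

    # client.keys is the agent's authentication secret. Tighten the umask for
    # the duration of the download so the file is not created group/world
    # readable in the window before the chown/chmod below. This assumes
    # scp_from writes the file from this process or a child of it.
    previous_umask = os.umask(0o077)
    try:
        # Loop until ossec server has created client keys and made it
        # possible to copy them.
        while True:
            scp_from(
                ossecserver,
                "/var/ossec/etc/{0}_client.keys".format(fqdn),
                local_keys
            )

            # NOTE(review): a client.keys left over from an earlier run also
            # satisfies this check, even if the copy above failed.
            if os.path.exists(local_keys):
                break

            # Wait awhile and then try to download the files again.
            time.sleep(40)
    finally:
        os.umask(previous_umask)

    x('chown root:ossec ' + local_keys)
    x('chmod 640 ' + local_keys)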
Example #2
def install_bind_client(args):
    '''
    Point this host at the syco dns server as its recursive name server.

    Rewrites the nameserver entry in /etc/resolv.conf and the dns settings
    of the ifcfg files in /etc/sysconfig/network-scripts. ``args`` is not
    used by this function.

    '''
    app.print_verbose("Install bind client.")
    version_obj = version.Version("InstallBindClient", SCRIPT_VERSION)
    version_obj.check_executed()

    # No firewall work here: iptables is already configured with
    # iptables._setup_dns_resolver_rules

    nameserver_ip = config.general.get_resolv_nameserver_server_ip()
    general.wait_for_server_to_start(nameserver_ip, "53")

    # Drop every existing nameserver line and add the syco resolver.
    # networkmanager rewrites this file at reboot, which is why the ifcfg
    # files are changed as well further down.
    resolv = scOpen("/etc/resolv.conf")
    resolv.remove("nameserver.*")
    resolv.add("nameserver {0} ".format(nameserver_ip))

    # Set every dns entry in the ifcfg files that mention dns to the
    # resolver address. The address is formatted straight into a shell
    # command line, so it has to come from trusted configuration.
    sed_command = """
        grep -irl dns ifcfg*|xargs \
        sed -i 's/.*\(dns.*\)[=].*/\\1={0}/ig'""".format(nameserver_ip)
    x(sed_command, cwd="/etc/sysconfig/network-scripts")

    version_obj.mark_executed()
Example #3
def install_bind_client(args):
    """
    Make the syco dns server(s) the recursive name server for this host.

    /etc/resolv.conf receives one nameserver line per configured address;
    the ifcfg files in /etc/sysconfig/network-scripts receive only the
    single address returned by get_nameserver_server_ip(). ``args`` is not
    used by this function.

    """
    app.print_verbose("Install bind client.")
    version_obj = version.Version("InstallBindClient", SCRIPT_VERSION)
    version_obj.check_executed()

    # Iptables is already configured with iptables._setup_dns_resolver_rules

    primary_dns_ip = config.general.get_nameserver_server_ip()
    general.wait_for_server_to_start(primary_dns_ip, "53")

    # Replace the resolver list (networkmanager rewrites this file at
    # reboot, so the ifcfg files are updated below as well).
    resolv = scOpen("/etc/resolv.conf")
    resolv.remove("nameserver.*")
    nameserver_lines = [
        "nameserver {0} ".format(ip)
        for ip in config.general.get_nameserver_server_ips()
    ]
    for line in nameserver_lines:
        resolv.add(line)

    # Change config files for networkmanager. The address becomes part of a
    # shell command line, so it has to come from trusted configuration.
    ifcfg_command = """
        grep -irl dns ifcfg*|xargs \
        sed -i 's/.*\(dns.*\)[=].*/\\1={0}/ig'""".format(primary_dns_ip)
    x(ifcfg_command, cwd="/etc/sysconfig/network-scripts")

    version_obj.mark_executed()
Example #4
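def install_mysql_replication(args):
  '''
  Setup and start the database replication in master-master mode.

  This function should be executed on the secondary master, after the
  primary master has been configured.

  On each master the 'repl' account is removed and granted again with a
  freshly generated 20 character password, allowed from both master
  addresses, and the master is then pointed at its peer. ``args`` is not
  used by this function.

  '''
  app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
  version_obj.check_executed()

  primary_ip = config.general.get_mysql_primary_master_ip()
  secondary_ip = config.general.get_mysql_secondary_master_ip()

  general.wait_for_server_to_start(primary_ip, "3306")

  # NOTE(review): the addresses and the password are concatenated into SQL
  # text below. This assumes neither can contain a quote character; confirm
  # what general.generate_password can emit, and that mysql_exec does not
  # log statements or expose them on a command line.
  repl_password = general.generate_password(20)

  for ip in [primary_ip, secondary_ip]:
    # Each master replicates from the other one.
    peer_ip = secondary_ip if ip == primary_ip else primary_ip

    mysql_exec("stop slave;", True, ip)

    # NOTE(review): the account name and the CHANGE MASTER credentials were
    # the literal '******' in the source, which matches neither the 'repl'
    # account granted below nor the generated password, so the slave could
    # not authenticate. They are aligned with the GRANT statements here;
    # confirm against the upstream file.
    mysql_exec("delete from mysql.user where User = 'repl';", True, ip)
    mysql_exec("flush privileges;", True, ip)

    for allowed_host in (primary_ip, secondary_ip):
      mysql_exec(
        "GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + allowed_host +
        "' IDENTIFIED BY '" + repl_password + "';", True, ip)

    mysql_exec(
      "CHANGE MASTER TO MASTER_HOST='" + peer_ip +
      "', MASTER_USER='repl', MASTER_PASSWORD='" + repl_password + "'",
      True, ip)
    mysql_exec("start slave;", True, ip)

  version_obj.mark_executed()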
Example #5
def install_sssd(args):
    '''
    Install the ldap client (sssd) on this host and connect it to the
    network's ldap server.

    ``args`` is not used by this function.

    '''
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Ask the installation user for the password up front, before any of
    # the longer running steps.
    app.get_ldap_sssd_password()

    install_packages()

    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    # The ldap server is waited for on port 636 before install_certs() runs.
    general.wait_for_server_to_start(
        config.general.get_ldap_server_ip(), "636"
    )

    install_certs()

    # Deliberately run twice: a single authconfig pass was found not to be
    # enough (the reason is not known).
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    configured_sssd()
    configured_sudo()

    version_obj.mark_executed()
Example #6
def install_sssd(args):
    """
    Set up sssd as ldap client on this host, connected to the network's
    ldap server.

    ``args`` is not used by this function.

    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Collect the passwords from the installation user before anything else.
    app.get_ldap_sssd_password()

    install_packages()

    # Host entries and firewall chain for ldap.
    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    ldap_server_ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ldap_server_ip, "636")

    install_certs()

    # A single authconfig run is not enough for some reason, so it is
    # executed twice on purpose.
    for _attempt in (1, 2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()

    # One Augeas wrapper around x is shared by the sssd and sudo steps.
    augeas = Augeas(x)
    create_sss_folders()
    configure_sssd(augeas)
    configure_sudo(augeas)

    version_obj.mark_executed()
Example #7
def wait_for_installation_server_to_start():
  '''
  Wait for the installation server, using port 22 as the readiness signal.

  Todo: Check on the cobbler web repo folder instead of port 22.
        Install something with refresh_repo

  '''
  installation_server_ip = config.general.get_installation_server_ip()
  general.wait_for_server_to_start(installation_server_ip, 22)
Example #8
def install_rsyslogd_client(args):
    '''
    Install and configure the rsyslog client on this host.

    Opens the client firewall chain, waits for the log server on port 514,
    installs rsyslog with its gnutls module, writes the configuration,
    generates and copies the certificate, restarts the service and sets up
    logrotate. ``args`` is handed on to _gen_and_copy_cert and
    installLogrotate.install_logrotate.

    '''
    app.print_verbose("Install rsyslog client.")

    # Guard against a host where the rsyslogd server script has been
    # executed: check_executed() is expected to raise in that case.
    server_version = version.Version(
        "InstallRsyslogd", installRsyslogd.SCRIPT_VERSION
    )
    server_version.check_executed()

    # The same guard for this client script; this is the version object
    # that is marked as executed at the end.
    client_version = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    client_version.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # The firewall is opened before the log server is known to be up.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Wait for the rsyslog server to start.
    log_server = config.general.get_log_server_hostname1()
    general.wait_for_server_to_start(log_server, "514")

    app.print_verbose("CIS 5.2 Configure rsyslog")

    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    legacy_syslog_present = os.path.exists('/etc/xinetd.d/syslog')
    if legacy_syslog_present:
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restart rsyslog so the new configuration and certificate are used.
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    client_version.mark_executed()
Example #9
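def install_mysql_replication(args):
    '''
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    Both masters get the 'repl' account recreated with one freshly
    generated 20 character password, granted REPLICATION SLAVE from both
    master addresses, and are then pointed at each other. ``args`` is not
    used by this function.

    '''
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    primary_ip = config.general.get_mysql_primary_master_ip()
    secondary_ip = config.general.get_mysql_secondary_master_ip()

    general.wait_for_server_to_start(primary_ip, "3306")

    # NOTE(review): the statements below are built by string concatenation.
    # This assumes the configured addresses and the generated password never
    # contain a quote character; confirm general.generate_password's
    # alphabet, and that mysql_exec neither logs the statement nor passes it
    # on a command line where the password would be visible.
    repl_password = general.generate_password(20)

    # (server to configure, master it replicates from)
    replication_pairs = [
        (primary_ip, secondary_ip),
        (secondary_ip, primary_ip),
    ]

    for ip, master_host in replication_pairs:
        mysql_exec("stop slave;", True, ip)

        # NOTE(review): the source had the literal '******' as account name
        # here and as user/password in CHANGE MASTER. That matches neither
        # the 'repl' account granted below nor repl_password, so replication
        # could not log in. The values now follow the GRANT statements;
        # confirm against the upstream file.
        mysql_exec("delete from mysql.user where User = 'repl';", True, ip)
        mysql_exec("flush privileges;", True, ip)

        for allowed_host in (primary_ip, secondary_ip):
            mysql_exec(
                "GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" +
                allowed_host +
                "' IDENTIFIED BY '" + repl_password + "';", True, ip)

        mysql_exec(
            "CHANGE MASTER TO MASTER_HOST='" +
            master_host +
            "', MASTER_USER='repl', MASTER_PASSWORD='" +
            repl_password + "'", True, ip)
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()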
Example #10
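def install_mariadb_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    The local server (127.0.0.1) and the host named by this host's
    ``repl_peer`` option both get the 'repl' account recreated with one
    freshly generated 20 character password. The local server is pointed at
    the peer, and the peer at this host's front ip. ``args`` is not used by
    this function.

    """
    app.print_verbose(
        "Install MariaDB replication version: %d" % SCRIPT_VERSION
    )
    version_obj = version.Version("install-mariadb-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")
    general.wait_for_server_to_start(repl_peer, "3306")

    # NOTE(review): addresses and password are formatted into SQL text.
    # This assumes none of them contains a quote character; confirm what
    # general.generate_password can emit, and that mysql_exec does not log
    # the statement or expose it on a command line.
    repl_password = general.generate_password(20)
    front_ip = current_host_config.get_front_ip()

    for ip in ["127.0.0.1", repl_peer]:
        mysql_exec("stop slave;", True, ip)

        # NOTE(review): the source had '******' as the account name here,
        # and '******' literals in CHANGE MASTER with "% repl_password"
        # applied to a string without any placeholder, which raises
        # TypeError before the statement is ever sent. The values now
        # follow the GRANT statement below; confirm against the upstream
        # file.
        mysql_exec("delete from mysql.user where User = 'repl'", True, ip)
        mysql_exec("flush privileges;", True, ip)
        mysql_exec(
            "GRANT REPLICATION SLAVE ON *.* TO " +
            "'repl'@'%s' IDENTIFIED BY '%s'," % (repl_peer, repl_password) +
            "'repl'@'%s' IDENTIFIED BY '%s'" % (front_ip, repl_password),
            True, ip)

        # The local server replicates from the peer; the peer replicates
        # from this host's front ip.
        master_host = repl_peer if ip == "127.0.0.1" else front_ip
        mysql_exec(
            "CHANGE MASTER TO MASTER_HOST='%s', " % master_host +
            "MASTER_USER='repl', MASTER_PASSWORD='%s'" % repl_password,
            True, ip
        )

        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()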
Example #11
def install_rsyslogd_client(args):
    '''
    Set up this host as an rsyslog client of the log server.

    Steps, in order: version guards, password initialisation, client
    firewall chain, wait for the log server on port 514, package install
    (rsyslog and rsyslog-gnutls), service activation, configuration and
    certificate, service restart, logrotate. ``args`` is passed on to
    _gen_and_copy_cert and installLogrotate.install_logrotate.

    '''
    app.print_verbose("Install rsyslog client.")

    # If the rsyslogd server script has been executed on this host,
    # check_executed() is expected to raise and stop the client install.
    rsyslogd_server_version = version.Version(
        "InstallRsyslogd", installRsyslogd.SCRIPT_VERSION
    )
    rsyslogd_server_version.check_executed()

    # Version guard for the client script itself; marked executed last.
    version_obj = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Enable the iptables chain before the server has started.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Waiting for the rsyslog server to start.
    general.wait_for_server_to_start(
        config.general.get_log_server_hostname1(), "514"
    )

    app.print_verbose("CIS 5.2 Configure rsyslog")

    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    # The old syslog service is only switched off when its xinetd entry
    # exists.
    if os.path.exists('/etc/xinetd.d/syslog'):
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restarting rsyslog to pick up the configuration and certificate.
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    version_obj.mark_executed()