def setup_clam_and_freshclam():
#
# Setup clamav and freshclam
#
app.print_verbose("Setup clamav and freshclam")
app.print_verbose(" Setup config files.")
clamd = scOpen("/usr/local/etc/clamd.conf")
clamd.replace("^[#]\?Example.*", "#Example")
clamd.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
clamd.replace("^[#]\?LogFile.*", "LogFile /var/log/clamav/clamd.log")
clamd.replace("^[#]\?LogTime.*", "LogTime yes")
clamd.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
clamd.replace("^[#]\?TCPSocket.*", "TCPSocket 3310")
clamd.replace("^[#]\?TCPAddr.*", "TCPAddr 127.0.0.1")
clamd.replace("^[#]\?ExcludePath.*/proc.*", "ExcludePath ^/proc")
clamd.replace("^[#]\?ExcludePath.*/sys.*", "ExcludePath ^/sys")
clamd.replace("^[#]\?User.*", "User clamav")
clamd.replace("^[#]\?LocalSocket.*",
"LocalSocket /var/run/clamav/clamd.socket")
clamd.replace("^[#]\?PidFile.*", "PidFile /var/run/clamav/clamd.pid")
freshclam = scOpen("/usr/local/etc/freshclam.conf")
freshclam.replace("^[#]\?Example.*", "#Example")
freshclam.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
freshclam.replace("^[#]\?LogTime.*", "LogTime yes")
freshclam.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
freshclam.replace("^[#]\?DatabaseOwner.*", "DatabaseOwner clamav")
freshclam.replace("^[#]\?PidFile.*",
"PidFile /var/run/clamav/freshclam.pid")
freshclam.replace("^[#]\?DatabaseMirror.*",
"DatabaseMirror database.clamav.net")
freshclam.replace("^[#]\?UpdateLogFile.*",
"UpdateLogFile /var/log/clamav/freshclam.log")
def install_packages():
'''
Install packages and start service.
'''
setup_hosts()
# Install all required packages.
x("yum -y install openldap-servers openldap-clients mlocate")
# Create backend database.
scOpen("/var/lib/ldap/DB_CONFIG").add(
"set_cachesize 0 268435456 1\n" +
"set_lg_regionmax 262144\n" +
"set_lg_bsize 2097152"
)
x("chown -R ldap:ldap /var/lib/ldap")
# Set password for cn=config (it's secret)
scOpen('/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif').add(
'olcRootPW: %(ldap_password)s' %
{'ldap_password': get_hashed_password(app.get_ldap_admin_password())}
)
# Autostart slapd after reboot.
x("chkconfig slapd on")
# Start ldap server
x("service slapd start")
def disable_usb():
# TODO Currently need usb dvd reader for installation.
return
app.print_verbose("Disable usb")
scOpen("/etc/modprobe.d/syco.conf").replace_add(
"^blacklist usb-storage$", "blacklist usb-storage"
)
def customize_shell():
app.print_verbose("Customize shell")
app.print_verbose(" Add Date And Time To History Output")
scOpen("/etc/bashrc").replace_add(
"^export HISTTIMEFORMAT=.*$",
"export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \""
)
app.print_verbose(" Add Color To Grep")
root = scOpen("/root/.bash_profile")
root.replace_add("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'")
root.replace_add("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto")
skel = scOpen("/etc/skel/.bash_profile")
skel.replace_add("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'")
skel.replace_add("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto")
app.print_verbose(" Enable SSH key forwarding to work with sudo su")
tmp_sudo_file = get_install_dir() + "sudoers"
x("cp /etc/sudoers " + tmp_sudo_file)
sudoers = scOpen(tmp_sudo_file)
sudoers.remove("Defaults env_keep += \"SSH_AUTH_SOCK\"")
sudoers.add("Defaults env_keep += \"SSH_AUTH_SOCK\"")
xRes = x("visudo -c -f " + tmp_sudo_file)
if tmp_sudo_file + ": parsed OK" in xRes:
x("mv " + tmp_sudo_file + " /etc/sudoers")
else:
app.print_error("Temporary sudoers file corrupt, not updating")
def add_kvm_chain():
del_kvm_chain()
if (not os.path.exists('/etc/init.d/libvirtd')):
return
app.print_verbose("Add iptables chain for kvm")
iptables("-N kvm")
iptables("-A syco_forward -p ALL -j kvm")
iptables("-A kvm -m physdev --physdev-is-bridged -j ACCEPT")
# DHCP / TODO: Needed??
# iptables("-A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp")
# iptables("-A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp")
# Controls IP packet forwarding
scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$",
"net.ipv4.ip_forward = 1")
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
# Reload all settings.
x("service libvirtd reload")
def install_auditd():
app.print_verbose("Install auditd.")
#
# Setup auditd rules
#
app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")
app.print_verbose("CIS 5.3.1 Enable auditd Service")
x("chkconfig auditd on")
app.print_verbose("Added our own audit.rules")
x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
x("chmod 700 /var/log/audit/")
x("chmod 700 /etc/audit/audit.rules")
#
# Harding audit.conf file
#
auditd = scOpen("/etc/audit/auditd.conf")
app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
auditd.replace_add("^max_log_file[\s]*\=.*", "max_log_file = 50")
app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
auditd.replace_add("^space_left_action[\s]*\=.*", "space_left_action = email")
auditd.replace_add("^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
auditd.replace_add("^admin_space_left_action[\s]*\=.*", "admin_space_left_action = halt")
app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
auditd.replace_add("^max_log_file_action[\s]*\=.*", "max_log_file_action = keep_logs")
app.print_verbose("Extra auditd configs")
auditd.replace_add("^num_logs[\s]*\=.*", "num_logs = 99")
auditd.replace_add("^space_left[\s]*\=.*", "space_left = 125")
auditd.replace_add("^admin_space_left[\s]*\=.*", "admin_space_left = 75")
x("chmod 700 /etc/audit/auditd.conf")
#
app.print_verbose("CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
auditd = scOpen("/etc/grub.conf")
auditd.add_to_end_of_line("^[^#]*kernel", "audit=1")
# Addin audit to pam
app.print_verbose("Logging all admin Actions")
pam = scOpen("/etc/pam.d/systemauth")
pam.replace_add("^session[\s]required[\s]pam_tty_audit.so[\s]enable=","session\trequired\tpam_tty_audit.so enable=*")
# Making audit to log to syslog
app.print_verbose("Sending all admin actions to Syslog")
syslog = scOpen("/etc/audisp/plugins.d/syslog.conf")
syslog.replace_add("^active[\s]=.*","active = yes")
#
# Restarting service
#
x("service auditd restart")
def install_auditd():
app.print_verbose("Install auditd.")
#
# Setup auditd rules
#
app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")
app.print_verbose("CIS 5.3.1 Enable auditd Service")
x("chkconfig auditd on")
app.print_verbose("Added our own audit.rules")
x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
x("cp %shardening/syslog.conf /etc/audisp/plugins.d/syslog.conf" %
app.SYCO_VAR_PATH)
x("chmod 700 /var/log/audit/")
x("chmod 700 /etc/audit/audit.rules")
#
# Harding audit.conf file
#
auditd = scOpen("/etc/audit/auditd.conf")
app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
auditd.replace_add("^max_log_file[\s]*\=.*", "max_log_file = 50")
app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
auditd.replace_add("^space_left_action[\s]*\=.*",
"space_left_action = email")
auditd.replace_add("^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
auditd.replace_add("^admin_space_left_action[\s]*\=.*",
"admin_space_left_action = halt")
app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
auditd.replace_add("^max_log_file_action[\s]*\=.*",
"max_log_file_action = rotate")
app.print_verbose("Extra auditd configs")
auditd.replace_add("^num_logs[\s]*\=.*", "num_logs = 10")
auditd.replace_add("^space_left[\s]*\=.*", "space_left = 125")
auditd.replace_add("^admin_space_left[\s]*\=.*", "admin_space_left = 75")
x("chmod 700 /etc/audit/auditd.conf")
#
app.print_verbose(
"CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
auditd = scOpen("/etc/grub.conf")
auditd.add_to_end_of_line("^[^#]*kernel", "audit=1")
# Addin audit to pam
app.print_verbose("Logging all admin Actions")
pam = scOpen("/etc/pam.d/systemauth")
pam.replace_add("^session[\s]required[\s]pam_tty_audit.so[\s]enable=",
"session\trequired\tpam_tty_audit.so enable=*")
# Making audit to log to syslog
app.print_verbose("Sending all admin actions to Syslog")
syslog = scOpen("/etc/audisp/plugins.d/syslog.conf")
syslog.replace_add("^active[\s]=.*", "active = yes")
def setup_ssh():
app.print_verbose("Harden ssh and sshd.")
x("cp /etc/ssh/ssh_config /etc/ssh/ssh_config.sycobak")
x("cp /etc/ssh/sshd_config /etc/ssh/sshd_config.sycobak")
config = ConfigParser.SafeConfigParser()
config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)
#
# Hardening ssh config
#
ssh = scOpen("/etc/ssh/ssh_config")
for setting in config.options('ssh'):
ssh.replace_add("^(?#)(?i)" + setting + ".*",
config.get('ssh', setting))
#
# Hardening sshd config
#
ssh = scOpen("/etc/ssh/sshd_config")
for setting in config.options('sshd'):
ssh.replace_add(".*(?#)(?i)" + setting + ".*",
config.get('sshd', setting))
#
# Set login banner.
#
x('cp %s/hardening/issue.net /etc/issue.net' % app.SYCO_VAR_PATH)
def _install_nrpe_plugins():
'''
Install NRPE-plugins (to be executed remoteley) and SELinux-rules.
'''
# Install packages and their dependencies.
_install_nrpe_plugins_dependencies()
x("cp -p {0}lib/nagios/plugins_nrpe/* /usr/lib64/nagios/plugins/".format(constant.SYCO_PATH))
# Set the sssd password
nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
nrpe_config.replace("($LDAPURL)", config.general.get_ldap_hostname())
# Change ownership of plugins to nrpe (from icinga/nagios)
x("chmod -R 750 /usr/lib64/nagios/plugins/")
x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")
# Set SELinux roles to allow NRPE execution of binaries such as python/perl/iptables
# Corresponding .te-files summarize rule content
x("mkdir -p /var/lib/syco_selinux_modules")
rule_path_list = list_plugin_files("/var/nagios/selinux_rules")
for path in rule_path_list:
x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
x("semodule -i /var/lib/syco_selinux_modules/*.pp")
# Set MySQL password, if running MySQL.
nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
nrpe_config.replace("$(SQLPASS)", app.get_mysql_monitor_password().replace("&","\&").replace("/","\/"))
def configure_ldap_client():
scOpen("/etc/openldap/ldap.conf").add(
"uri ldaps://" + config.general.get_ldap_hostname() + "\n" + "base " +
config.general.get_ldap_dn() + "\n" +
"tls_cacertdir /etc/openldap/cacerts\n" +
"tls_cert /etc/openldap/cacerts/client.pem\n" +
"tls_key /etc/openldap/cacerts/client.pem\n")
def disable_usb():
# TODO Currently need usb dvd reader for installation.
return
app.print_verbose("Disable usb")
scOpen("/etc/modprobe.d/syco.conf").replace_add(
"^blacklist usb-storage$", "blacklist usb-storage"
)
def customize_shell():
app.print_verbose("Customize shell")
app.print_verbose(" Add Date And Time To History Output")
scOpen("/etc/bashrc").replace_add(
"^export HISTTIMEFORMAT=.*$",
"export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"")
app.print_verbose(" Add Color To Grep")
root = scOpen("/root/.bash_profile")
root.replace_add("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'")
root.replace_add("^export GREP_OPTIONS=.*$",
"export GREP_OPTIONS=--color=auto")
skel = scOpen("/etc/skel/.bash_profile")
skel.replace_add("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'")
skel.replace_add("^export GREP_OPTIONS=.*$",
"export GREP_OPTIONS=--color=auto")
app.print_verbose(" Enable SSH key forwarding to work with sudo su")
tmp_sudo_file = get_install_dir() + "sudoers"
x("cp /etc/sudoers " + tmp_sudo_file)
sudoers = scOpen(tmp_sudo_file)
sudoers.remove("Defaults env_keep += \"SSH_AUTH_SOCK\"")
sudoers.add("Defaults env_keep += \"SSH_AUTH_SOCK\"")
xRes = x("visudo -c -f " + tmp_sudo_file)
if tmp_sudo_file + ": parsed OK" in xRes:
x("mv " + tmp_sudo_file + " /etc/sudoers")
else:
app.print_error("Temporary sudoers file corrupt, not updating")
def setup_ssh():
app.print_verbose("Harden ssh and sshd.")
x("cp /etc/ssh/ssh_config /etc/ssh/ssh_config.sycobak")
x("cp /etc/ssh/sshd_config /etc/ssh/sshd_config.sycobak")
config = ConfigParser.SafeConfigParser()
config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)
#
# Hardening ssh config
#
ssh = scOpen("/etc/ssh/ssh_config")
for setting in config.options('ssh'):
ssh.replace_add("^(?#)(?i)" + setting + ".*", config.get('ssh',setting))
#
# Hardening sshd config
#
ssh = scOpen("/etc/ssh/sshd_config")
for setting in config.options('sshd'):
ssh.replace_add(".*(?#)(?i)" + setting + ".*", config.get('sshd',setting))
#
# Set login banner.
#
x('cp %s/hardening/issue.net /etc/issue.net' % app.SYCO_VAR_PATH)
def setup_clam_and_freshclam():
#
# Setup clamav and freshclam
#
app.print_verbose("Setup clamav and freshclam")
app.print_verbose(" Setup config files.")
clamd = scOpen("/usr/local/etc/clamd.conf")
clamd.replace("^[#]\?Example.*", "#Example")
clamd.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
clamd.replace("^[#]\?LogFile.*", "LogFile /var/log/clamav/clamd.log")
clamd.replace("^[#]\?LogTime.*", "LogTime yes")
clamd.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
clamd.replace("^[#]\?TCPSocket.*", "TCPSocket 3310")
clamd.replace("^[#]\?TCPAddr.*", "TCPAddr 127.0.0.1")
clamd.replace("^[#]\?ExcludePath.*/proc.*", "ExcludePath ^/proc")
clamd.replace("^[#]\?ExcludePath.*/sys.*", "ExcludePath ^/sys")
clamd.replace("^[#]\?User.*", "User clamav")
clamd.replace("^[#]\?LocalSocket.*", "LocalSocket /var/run/clamav/clamd.socket")
clamd.replace("^[#]\?PidFile.*", "PidFile /var/run/clamav/clamd.pid")
freshclam = scOpen("/usr/local/etc/freshclam.conf")
freshclam.replace("^[#]\?Example.*", "#Example")
freshclam.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
freshclam.replace("^[#]\?LogTime.*", "LogTime yes")
freshclam.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
freshclam.replace("^[#]\?DatabaseOwner.*", "DatabaseOwner clamav")
freshclam.replace("^[#]\?PidFile.*", "PidFile /var/run/clamav/freshclam.pid")
freshclam.replace("^[#]\?DatabaseMirror.*", "DatabaseMirror database.clamav.net")
freshclam.replace("^[#]\?UpdateLogFile.*", "UpdateLogFile /var/log/clamav/freshclam.log")
def install_packages():
'''
Install packages and start service.
'''
setup_hosts()
# Install all required packages.
x("yum -y install openldap-servers openldap-clients mlocate")
# Create backend database.
scOpen("/var/lib/ldap/DB_CONFIG").add("set_cachesize 0 268435456 1\n" +
"set_lg_regionmax 262144\n" +
"set_lg_bsize 2097152")
x("chown -R ldap:ldap /var/lib/ldap")
# Set password for cn=config (it's secret)
scOpen(
'/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif'
).add(
'olcRootPW: %(ldap_password)s' %
{'ldap_password': get_hashed_password(app.get_ldap_admin_password())})
# Autostart slapd after reboot.
x("chkconfig slapd on")
# Start ldap server
x("service slapd start")
def enable_ssl():
'''
Configure slapd to only be accessible over ssl,
with client certificate.
Learn more:
http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
http://www.openldap.org/faq/data/cache/185.html
'''
ldapadd("admin", """
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: allow""")
# Enable LDAPS and dispable LDAP
scOpen('/etc/sysconfig/ldap').replace('[#]*SLAPD_LDAPS=.*', 'SLAPD_LDAPS=yes')
scOpen('/etc/sysconfig/ldap').replace('[#]*SLAPD_LDAP=.*', 'SLAPD_LDAP=no')
x("service slapd restart")
configure_client_cert_for_ldaptools()
def add_kvm_chain():
del_kvm_chain()
if (not os.path.exists('/etc/init.d/libvirtd')):
return
app.print_verbose("Add iptables chain for kvm")
iptables("-N kvm")
iptables("-A syco_forward -p ALL -j kvm")
iptables("-A kvm -m physdev --physdev-is-bridged -j ACCEPT")
# DHCP / TODO: Needed??
# iptables("-A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp")
# iptables("-A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp")
# Controls IP packet forwarding
scOpen("/etc/sysctl.conf").replace_add(
"^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = 1"
)
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
# Reload all settings.
x("service libvirtd reload")
def build_client_certs(args):
install.package("zip")
os.chdir("/etc/openvpn/easy-rsa/keys")
general.set_config_property(
"/etc/cronjob", "01 * * * * root run-parts syco build_client_certs",
"01 * * * * root run-parts syco build_client_certs")
# Create client.conf
clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
scOpen(clientConf).replace('${OPENVPN.HOSTNAME}',
config.general.get_openvpn_hostname())
x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")
for user in os.listdir("/home"):
cert_already_installed = os.access(
"/home/" + user + "/openvpn_client_keys.zip", os.F_OK)
valid_file = "lost+found" not in user
if valid_file and not cert_already_installed:
os.chdir("/etc/openvpn/easy-rsa/")
general.set_config_property("/etc/openvpn/easy-rsa/vars",
'[\s]*export KEY_CN.*',
'export KEY_CN="' + user + '"')
general.set_config_property("/etc/openvpn/easy-rsa/vars",
'[\s]*export KEY_NAME.*',
'export KEY_NAME="' + user + '"')
general.set_config_property(
"/etc/openvpn/easy-rsa/build-key-pkcs12",
'.*export EASY_RSA.*',
'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')
out = general.shell_exec(
"./build-key-pkcs12 --batch " + user,
cwd="/etc/openvpn/easy-rsa/",
events={
'(?i)Enter Export Password:'******'\n',
'(?i)Verifying - Enter Export Password:'******'\n'
})
app.print_verbose(out)
# Config client.crt
general.set_config_property(
"/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt",
"cert " + user + ".crt")
general.set_config_property(
"/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key",
"key " + user + ".key")
os.chdir("/etc/openvpn/easy-rsa/keys")
x("zip /home/" + user + "/openvpn_client_keys.zip ca.crt " + user +
".crt " + user + ".key " + user +
".p12 client.conf install.txt /etc/openvpn/ta.key")
# Set permission for the user who now owns the file.
os.chmod("/home/" + user + "/openvpn_client_keys.zip",
stat.S_IRUSR | stat.S_IRGRP)
general.shell_exec("chown " + user + ":users /home/" + user +
"/openvpn_client_keys.zip ")
def syslog():
app.print_verbose("CIS 5.2 Configure rsyslog")
#
app.print_verbose("CIS 5.2.1 Install the rsyslog package")
x("yum install rsyslog")
#
app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
if os.path.exists('/etc/xinetd.d/syslog'):
x("chkconfig syslog off")
x("chkconfig rsyslog on")
#
app.print_verbose("CIS 5.2.3 Configure /etc/rsyslog.conf")
# >> etc/rsyslog.conf
# auth,user.* /var/log/messages
# kern.* /var/log/kern.log
# daemon.* /var/log/daemon.log
# syslog.* /var/log/syslog
# lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
# x("pkill -HUP rsyslogd")
#
app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
# for logfile in all_files_in_rsyslog.conf
# touch logfile
# chown root:root logfile
# chmod og-rwx logfile
#
# Enable autpriv in rsyslog.conf
#
rsyslog = scOpen('/etc/rsyslog.conf')
rsyslog.remove("^authpriv\\.\\*")
rsyslog.add("authpriv.*\t\t\t\t/var/log/secure\n")
#
# Enable auth in rsyslog.conf
#
rsyslog.remove("^auth\\.\\*")
rsyslog.add("auth.*\t\t\t\t/var/log/messages\n")
#
# Secure VSFTP if installed.
#
if os.path.isfile("/etc/vsftpd.conf"):
app.print_verbose("Enable user logining for vsftpd.")
ftp = scOpen("/etc/vsftpd.conf")
ftp.replace("^([\#]?)xferlog_std_format=NO.*", "xferlog_std_format=NO")
ftp.replace("^([\#]?)log_ftp_protocol=YES.*", "log_ftp_protocol=YES")
if os.path.isfile("/etc/vsftpd/vsftpd.conf"):
app.print_verbose("Enable user logining for vsftpd.")
ftp = scOpen("/etc/vsftpd.conf")
ftp.replace("^([\#]?)xferlog_std_format=NO", "xferlog_std_format=NO")
ftp.replace("^([\#]?)log_ftp_protocol=YES", "log_ftp_protocol=YES")
def syslog():
app.print_verbose("CIS 5.2 Configure rsyslog")
#
app.print_verbose("CIS 5.2.1 Install the rsyslog package")
x("yum install rsyslog")
#
app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
if os.path.exists('/etc/xinetd.d/syslog'):
x("chkconfig syslog off")
x("chkconfig rsyslog on")
#
app.print_verbose("CIS 5.2.3 Configure /etc/rsyslog.conf")
# >> etc/rsyslog.conf
# auth,user.* /var/log/messages
# kern.* /var/log/kern.log
# daemon.* /var/log/daemon.log
# syslog.* /var/log/syslog
# lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log
# x("pkill -HUP rsyslogd")
#
app.print_verbose(
"CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
# for logfile in all_files_in_rsyslog.conf
# touch logfile
# chown root:root logfile
# chmod og-rwx logfile
#
# Enable autpriv in rsyslog.conf
#
rsyslog = scOpen('/etc/rsyslog.conf')
rsyslog.remove("^authpriv\\.\\*")
rsyslog.add("authpriv.*\t\t\t\t/var/log/secure\n")
#
# Enable auth in rsyslog.conf
#
rsyslog.remove("^auth\\.\\*")
rsyslog.add("auth.*\t\t\t\t/var/log/messages\n")
#
# Secure VSFTP if installed.
#
if os.path.isfile("/etc/vsftpd.conf"):
app.print_verbose("Enable user logining for vsftpd.")
ftp = scOpen("/etc/vsftpd.conf")
ftp.replace("^([\#]?)xferlog_std_format=NO.*", "xferlog_std_format=NO")
ftp.replace("^([\#]?)log_ftp_protocol=YES.*", "log_ftp_protocol=YES")
if os.path.isfile("/etc/vsftpd/vsftpd.conf"):
app.print_verbose("Enable user logining for vsftpd.")
ftp = scOpen("/etc/vsftpd.conf")
ftp.replace("^([\#]?)xferlog_std_format=NO", "xferlog_std_format=NO")
ftp.replace("^([\#]?)log_ftp_protocol=YES", "log_ftp_protocol=YES")
def configure_ldap_client():
scOpen("/etc/openldap/ldap.conf").add(
"uri ldaps://" + config.general.get_ldap_hostname() + "\n" +
"base " + config.general.get_ldap_dn() + "\n" +
"tls_cacertdir /etc/openldap/cacerts\n" +
"tls_cert /etc/openldap/cacerts/client.pem\n" +
"tls_key /etc/openldap/cacerts/client.pem\n"
)
def disable_ip6_support():
app.print_verbose("Disable IP6 support")
modprobe = scOpen("/etc/modprobe.d/syco.conf")
modprobe.replace_add("^options ipv6.*", "options ipv6 disable=1")
modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")
network = scOpen("/etc/sysconfig/network")
network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")
def setup_crontab():
#
# Setup crontab
#
app.print_verbose("Setup crontab")
x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
scOpen("/etc/cron.daily/viruscan.sh").replace(
"${ADMIN_EMAIL}", config.general.get_admin_email())
def install_gitweb():
'''
Install the git web interface gitweb.
'''
x("yum -y install gitweb")
scOpen("/var/www/git/gitweb.cgi").replace(
"^our.*projectroot.*", 'our $projectroot = "/var/lib/git";')
def configure_localhost():
app.print_verbose("Configure /etc/hosts")
localhost = (
"127.0.0.1" +
" %s.%s" % (gethostname(), general.get_resolv_domain()) +
" localhost.localdomain localhost %s" % gethostname()
)
scOpen("/etc/hosts").replace_add("127.0.0.1.*", localhost)
def disable_ip6_support():
app.print_verbose("Disable IP6 support")
modprobe = scOpen("/etc/modprobe.d/syco.conf")
modprobe.replace_add("^options ipv6.*", "options ipv6 disable=1")
modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")
network = scOpen("/etc/sysconfig/network")
network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")
def install_logmgmt(args):
'''
Install and configure log management tools on the local host.
'''
app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallLogMgmt", SCRIPT_VERSION)
version_obj.check_executed()
x("mkdir -p /var/lib/logmgmt")
shutil.copy(app.SYCO_PATH + "var/logmgmt/compress_logs.sh", "/var/lib/logmgmt/")
x("chmod +x /var/lib/logmgmt/compress_logs.sh")
shutil.copy(app.SYCO_PATH + "var/logmgmt/logmgmt_cron", "/etc/cron.daily/")
x("chmod +x /etc/cron.daily/logmgmt_cron")
logMgmtCron = scOpen("/etc/cron.daily/logmgmt_cron")
logMgmtCron.replace("${alert_email}",config.general.get_admin_email())
x("yum -y install php")
x("yum -y install php-mysql")
x("yum -y install php-gd")
x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz")
x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
x("chown -R apache /var/www/html/loganalyzer")
shutil.copy(app.SYCO_PATH + "var/logmgmt/config.php", "/var/www/html/loganalyzer/")
logConfig = scOpen("/var/www/html/loganalyzer/config.php")
logConfig.replace("${mysql_user}","root")
logConfig.replace("${mysql_password}",app.get_mysql_root_password())
x("chown -R apache /var/www/html/loganalyzer")
x("rm -rf /tmp/loganalyzer*")
shutil.copy(app.SYCO_PATH + "var/logmgmt/remove_sql.sh", "/var/lib/logmgmt/")
x("chmod +x /var/lib/logmgmt/remove_sql.sh")
logSql = scOpen("/var/lib/logmgmt/remove_sql.sh")
logSql.replace("${mysql_user}","root")
logSql.replace("${mysql_password}",app.get_mysql_root_password())
shutil.copy(app.SYCO_PATH + "var/logmgmt/loganalyzer.conf", "/etc/httpd/conf.d/")
htconf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
htconf.replace("${bind_dn}","cn=sssd,%s" % config.general.get_ldap_dn() )
htconf.replace("${bind_password}","%s" % app.get_ldap_sssd_password() )
htconf.replace("${ldap_url}","ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),config.general.get_ldap_dn()) )
x("service httpd restart")
version_obj.mark_executed()
def _configure_haproxy():
x("mv {0}haproxy.cfg {0}org.haproxy.cfg".format(HAPROXY_CONF_DIR))
x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(SYCO_PLUGIN_PATH, HAPROXY_ENV, HAPROXY_CONF_DIR))
x("cp {0}/error.html {1}error.html".format(SYCO_PLUGIN_PATH, HAPROXY_CONF_DIR))
scopen.scOpen(HAPROXY_CONF_DIR + "haproxy.cfg").replace("${ENV_IP}", get_ip_address('eth1'))
_chkconfig("haproxy","on")
_service("haproxy","restart")
def install_logmgmt(args):
'''
Install and configure log management tools on the local host.
'''
app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallLogMgmt", SCRIPT_VERSION)
version_obj.check_executed()
x("mkdir -p /var/lib/logmgmt")
shutil.copy(app.SYCO_PATH + "var/logmgmt/compress_logs.sh",
"/var/lib/logmgmt/")
x("chmod +x /var/lib/logmgmt/compress_logs.sh")
shutil.copy(app.SYCO_PATH + "var/logmgmt/logmgmt_cron", "/etc/cron.daily/")
x("chmod +x /etc/cron.daily/logmgmt_cron")
logMgmtCron = scOpen("/etc/cron.daily/logmgmt_cron")
logMgmtCron.replace("${alert_email}", config.general.get_admin_email())
x("yum -y install php")
x("yum -y install php-mysql")
x("yum -y install php-gd")
x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz"
)
x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
x("chown -R apache /var/www/html/loganalyzer")
shutil.copy(app.SYCO_PATH + "var/logmgmt/config.php",
"/var/www/html/loganalyzer/")
logConfig = scOpen("/var/www/html/loganalyzer/config.php")
logConfig.replace("${mysql_user}", "root")
logConfig.replace("${mysql_password}", app.get_mysql_root_password())
x("chown -R apache /var/www/html/loganalyzer")
x("rm -rf /tmp/loganalyzer*")
shutil.copy(app.SYCO_PATH + "var/logmgmt/remove_sql.sh",
"/var/lib/logmgmt/")
x("chmod +x /var/lib/logmgmt/remove_sql.sh")
logSql = scOpen("/var/lib/logmgmt/remove_sql.sh")
logSql.replace("${mysql_user}", "root")
logSql.replace("${mysql_password}", app.get_mysql_root_password())
shutil.copy(app.SYCO_PATH + "var/logmgmt/loganalyzer.conf",
"/etc/httpd/conf.d/")
htconf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
htconf.replace("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn())
htconf.replace("${bind_password}", "%s" % app.get_ldap_sssd_password())
htconf.replace(
"${ldap_url}", "ldaps://%s:636/%s?uid" %
(config.general.get_ldap_hostname(), config.general.get_ldap_dn()))
x("service httpd restart")
version_obj.mark_executed()
def install_gitweb():
'''
Install the git web interface gitweb.
'''
x("yum -y install gitweb")
scOpen("/var/www/git/gitweb.cgi").replace(
"^our.*projectroot.*", 'our $projectroot = "/var/lib/git";'
)
def setup_crontab():
#
# Setup crontab
#
app.print_verbose("Setup crontab")
x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
scOpen("/etc/cron.daily/viruscan.sh").replace(
"${ADMIN_EMAIL}", config.general.get_admin_email()
)
def install_cgit():
'''
Install the git web interface cgit.
'''
x("yum -y install cgit")
x("setsebool -P httpd_enable_cgi 1")
scOpen("/etc/cgitrc").remove("^include=.*")
scOpen("/etc/cgitrc").add("include=/etc/cgitrepos")
configure_repos_for_cgit()
def install_cgit():
'''
Install the git web interface cgit.
'''
x("yum -y install cgit")
x("setsebool -P httpd_enable_cgi 1")
scOpen("/etc/cgitrc").remove("^include=.*")
scOpen("/etc/cgitrc").add("include=/etc/cgitrepos")
configure_repos_for_cgit()
def enable_ip_forward(enable=1):
"""
Controls IP packet forwarding
"""
scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = {0}".format(enable))
x("/sbin/sysctl -w net.ipv4.ip_forward={0}".format(enable))
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
def setup_crontab():
#
# Setup crontab
#
app.print_verbose("Setup crontab")
x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
scOpen("/etc/cron.daily/viruscan.sh").replace(
"${ADMIN_EMAIL}", config.general.get_admin_email())
# https://redmine.fareoffice.com/issues/61041
x("/bin/chmod 0755 /etc/cron.daily/viruscan.sh")
def _install_glassfish():
'''
Installation of the glassfish application server.
'''
if (not os.access(GLASSFISH_INSTALL_PATH + "/glassfish", os.F_OK)):
os.chdir(app.INSTALL_DIR)
if (not os.access(GLASSFISH_INSTALL_FILE, os.F_OK)):
general.download_file(GLASSFISH_REPO_URL, user="******")
# Create installation dir
if (not os.access(GLASSFISH_INSTALL_PATH, os.F_OK)):
x("mkdir -p " + GLASSFISH_INSTALL_PATH)
x("chmod 770 " + GLASSFISH_INSTALL_PATH)
x("chown 200:200 " + GLASSFISH_INSTALL_PATH)
# Set executeion permissions and run the installation.
if ".zip" in GLASSFISH_INSTALL_FILE:
install.package("unzip")
x("unzip " + GLASSFISH_INSTALL_FILE + " -d " +
GLASSFISH_INSTALL_PATH,
user="******")
x("mv " + GLASSFISH_INSTALL_PATH + "glassfish3/* " +
GLASSFISH_INSTALL_PATH,
user="******")
x("rm -rf " + GLASSFISH_INSTALL_PATH + "glassfish3",
user="******")
else:
raise Exception("Only installing zip version of glassfish")
# Install the start script
# It's possible to do this from glassfish with "asadmin create-service",
# but our own script is a little bit better. It creates startup log files
# and has a better "start user" functionality.
if (not os.access("/etc/init.d/" + GLASSFISH_VERSION, os.F_OK)):
x("cp " + app.SYCO_PATH + "var/glassfish/" + GLASSFISH_VERSION +
" /etc/init.d/" + GLASSFISH_VERSION)
x("chmod 0755 " + "/etc/init.d/" + GLASSFISH_VERSION)
x("/sbin/chkconfig --add " + GLASSFISH_VERSION)
x("/sbin/chkconfig --level 3 " + GLASSFISH_VERSION + " on")
scOpen("/etc/init.d/" + GLASSFISH_VERSION).replace(
"${MYSQL_PRIMARY}",
config.general.get_mysql_primary_master_ip())
scOpen("/etc/init.d/" + GLASSFISH_VERSION).replace(
"${MYSQL_SECONDARY}",
config.general.get_mysql_secondary_master_ip())
if (not os.access(GLASSFISH_DOMAINS_PATH + "domain1/config/domain.xml",
os.F_OK)):
raise Exception("Failed to install " + GLASSFISH_INSTALL_PATH)
if (not os.access("/etc/init.d/" + GLASSFISH_VERSION, os.F_OK)):
raise Exception("Failed to install /etc/init.d/" + GLASSFISH_VERSION)
def setup_crontab():
#
# Setup crontab
#
app.print_verbose("Setup crontab")
x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
scOpen("/etc/cron.daily/viruscan.sh").replace(
"${ADMIN_EMAIL}", config.general.get_admin_email()
)
# https://redmine.fareoffice.com/issues/61041
x("/bin/chmod 0755 /etc/cron.daily/viruscan.sh")
def enable_ip_forward(enable=1):
'''
Controls IP packet forwarding
'''
scOpen("/etc/sysctl.conf").replace_add(
"^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = {0}".format(enable)
)
x("/sbin/sysctl -w net.ipv4.ip_forward={0}".format(enable))
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
def install_auditd():
app.print_verbose("Install auditd.")
#
# Setup auditd rules
#
app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")
app.print_verbose("CIS 5.3.1 Enable auditd Service")
x("chkconfig auditd on")
app.print_verbose("Added our own audit.rules")
x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
x("chmod 700 /var/log/audit/")
x("chmod 700 /etc/audit/audit.rules")
#
# Harding audit.conf file
#
auditd = scOpen("/etc/audit/auditd.conf")
app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
auditd.replace_add("^max_log_file[\s]*\=.*", "max_log_file = 50")
app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
auditd.replace_add("^space_left_action[\s]*\=.*",
"space_left_action = email")
auditd.replace_add("^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
auditd.replace_add("^admin_space_left_action[\s]*\=.*",
"admin_space_left_action = halt")
app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
auditd.replace_add("^max_log_file_action[\s]*\=.*",
"max_log_file_action = keep_logs")
app.print_verbose("Extra auditd configs")
auditd.replace_add("^num_logs[\s]*\=.*", "num_logs = 99")
auditd.replace_add("^space_left[\s]*\=.*", "space_left = 125")
auditd.replace_add("^admin_space_left[\s]*\=.*", "admin_space_left = 75")
x("chmod 700 /etc/audit/auditd.conf")
#
app.print_verbose(
"CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
auditd = scOpen("/etc/grub.conf")
auditd.add_to_end_of_line("^[^#]*kernel", "audit=1")
#
# Restarting service
#
x("service auditd restart")
def setup_clam_and_freshclam():
#
# Setup clamav and freshclam
#
app.print_verbose("Setup clamav and freshclam")
app.print_verbose(" Setup config files.")
x("cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf")
clamd = scOpen("/usr/local/etc/clamd.conf")
clamd.replace("^[#]\?Example.*", "#Example")
clamd.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
clamd.replace("^[#]\?LogFile.*", "LogFile /var/log/clamav/clamd.log")
clamd.replace("^[#]\?LogTime.*", "LogTime yes")
clamd.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
clamd.replace("^[#]\?TCPSocket.*", "TCPSocket 3310")
clamd.replace("^[#]\?TCPAddr.*", "TCPAddr 127.0.0.1")
clamd.replace("^[#]\?ExcludePath.*/proc.*", "ExcludePath ^/proc")
clamd.replace("^[#]\?ExcludePath.*/sys.*", "ExcludePath ^/sys")
clamd.replace("^[#]\?User.*", "User clamav")
clamd.replace("^[#]\?LocalSocket.*", "LocalSocket /var/run/clamav/clamd.socket")
clamd.replace("^[#]\?PidFile.*", "PidFile /var/run/clamav/clamd.pid")
clamd.replace("^[#]\?DatabaseDirectory.*", "DatabaseDirectory /var/lib/clamav")
x("cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf")
freshclam = scOpen("/usr/local/etc/freshclam.conf")
freshclam.replace("^[#]\?Example.*", "#Example")
freshclam.replace("^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M")
freshclam.replace("^[#]\?LogTime.*", "LogTime yes")
freshclam.replace("^[#]\?LogSyslog.*", "LogSyslog yes")
freshclam.replace("^[#]\?DatabaseOwner.*", "DatabaseOwner clamav")
freshclam.replace("^[#]\?PidFile.*", "PidFile /var/run/clamav/freshclam.pid")
freshclam.replace("^[#]\?DatabaseMirror.*", "DatabaseMirror db.northeu.clamav.net")
freshclam.replace("^[#]\?UpdateLogFile.*", "UpdateLogFile /var/log/clamav/freshclam.log")
freshclam.replace("^[#]\?DatabaseDirectory.*", "DatabaseDirectory /var/lib/clamav")
#TODO: Change replace statements above to augeas since that tends to be more stable.
app.print_verbose(" Install augeas and add clam lens that is not available on CentOS 6")
x("yum install -y augeas")
x("cp %s/augeas/lenses/clamav.aug /usr/share/augeas/lenses/dist/" % app.SYCO_VAR_PATH)
#Help augeas find freshclam.conf
if x("readlink /etc/freshclam.conf").find("/usr/local/etc/freshclam.conf") == -1:
x("rm -f /etc/freshclam.conf")
x("ln -s /usr/local/etc/freshclam.conf /etc/")
#Initialize augeas
augeas = Augeas(x)
if config.general.get_proxy_host() and config.general.get_proxy_port():
app.print_verbose(" Configure proxy for freshclam")
augeas.set_enhanced("/files/etc/freshclam.conf/HTTPProxyPort", "%s" % config.general.get_proxy_port())
augeas.set_enhanced("/files/etc/freshclam.conf/HTTPProxyServer", "%s" % config.general.get_proxy_host())
def setup_hosts():
'''
Communication with the LDAP-server needs to be done with domain name, and not
the ip. This ensures the dns-name is configured.
'''
scOpen('/etc/hosts').remove('^' + config.general.get_ldap_server_ip() +
'.*')
scOpen('/etc/hosts').add(
'%(ldap_ip)s %(domain_name)s' % {
'ldap_ip': config.general.get_ldap_server_ip(),
'domain_name': config.general.get_ldap_hostname()
})
def configure_client_cert_for_ldaptools():
'''
Configure the client cert to be used by ldaptools (ldapsearch etc.).
This is done by setting environment variables for all users in /etc/profile
'''
scOpen("/etc/profile").remove(
"^LDAPTLS_CERT.*\|^LDAPTLS_KEY.*\|export LDAPTLS_CERT LDAPTLS_KEY.*")
scOpen(
"/etc/profile").add("LDAPTLS_CERT=/etc/openldap/cacerts/client.pem\n" +
"LDAPTLS_KEY=/etc/openldap/cacerts/client.pem\n" +
"export LDAPTLS_CERT LDAPTLS_KEY")
def setup_hosts():
'''
Communication with the LDAP-server needs to be done with domain name, and not
the ip. This ensures the dns-name is configured.
'''
scOpen('/etc/hosts').remove('^' + config.general.get_ldap_server_ip() + '.*')
scOpen('/etc/hosts').add(
'%(ldap_ip)s %(domain_name)s' % {
'ldap_ip' : config.general.get_ldap_server_ip(),
'domain_name' : config.general.get_ldap_hostname()
}
)
def del_kvm_chain():
app.print_verbose("Delete iptables chain for kvm")
iptables("-D syco_forward -p ALL -j kvm", general.X_OUTPUT_CMD)
iptables("-F kvm", general.X_OUTPUT_CMD)
iptables("-X kvm", general.X_OUTPUT_CMD)
# Controls IP packet forwarding
scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$",
"net.ipv4.ip_forward = 0")
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
def setup_kernel():
app.print_verbose("Help kernel to prevent certain kinds of attacks")
config = ConfigParser.SafeConfigParser()
config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)
# Harden network config
for setting in config.options('network'):
scOpen("/etc/sysctl.conf").replace_add("^" + setting + ".*$",
config.get('network', setting))
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
def setup_crontab():
#
# Setup crontab
#
app.print_verbose("Setup crontab")
x("mkdir /opt/scripts")
x("cp %s/clam/viruscan.sh /opt/scripts/" % app.SYCO_VAR_PATH)
scOpen("/opt/scripts/viruscan.sh").replace(
"${ADMIN_EMAIL}", config.general.get_admin_email())
x("echo '0 3 * * * root /opt/scripts/viruscan.sh' > /etc/cron.d/viruscan")
x("/bin/chmod 0755 /opt/scripts/viruscan.sh")
def _configure_keepalived():
"""
* Keepalived needs the possibility to bind on non local adresses.
* It will replace the variables in the config file with the hostname.
* It is not enviromental dependent and can be installed on any server.
"""
x("echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf")
x("mv {0}keepalived.conf {1}org.keepalived.conf".format(KEEPALIVED_CONF_DIR, KEEPALIVED_CONF_DIR))
x("cp {0}var/redis/keepalived.conf {1}keepalived.conf".format(SYCO_FO_PATH, KEEPALIVED_CONF_DIR))
scopen.scOpen(KEEPALIVED_CONF_DIR + "keepalived.conf").replace("${REDIS_SERVER_NAME_UP}", socket.gethostname().upper())
_chkconfig("keepalived"," on")
_service("keepalived", "restart")
def _configure_keepalived():
'''
* Keepalived needs the possibility to bind on non local adresses.
* It will replace the variables in the config file with the hostname.
* It is not environmental dependent and can be installed on any server.
'''
x("echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf")
x("sysctl -p")
x("mv {0}keepalived.conf {0}org.keepalived.conf".format(KA_CONF_DIR))
x("cp {0}/{1}.keepalived.conf {2}keepalived.conf".format(SYCO_PLUGIN_PATH, HAPROXY_ENV, KA_CONF_DIR))
scopen.scOpen(KA_CONF_DIR + "keepalived.conf").replace("${KA_SERVER_NAME_UP}", socket.gethostname().upper())
scopen.scOpen(KA_CONF_DIR + "keepalived.conf").replace("${KA_SERVER_NAME_DN}", socket.gethostname().lower())
_chkconfig("keepalived","on")
_service("keepalived","restart")
def disable_singel_user_mode():
'''
Disable singel user mode.
Which let a user start the server in "recoverymode" and change password.
'''
app.print_verbose("Enable Authentication for Single-User Mode")
inittab = scOpen("/etc/inittab")
inittab.replace_add("^([\#]?)id:3:initdefault:", "#id:3:initdefault:")
inittab.replace_add("^~~:S:wait:/sbin/sulogin.*", "~~:S:wait:/sbin/sulogin")
app.print_verbose("Disable Interactive Hotkey Startup at Boot")
scOpen("/etc/sysconfig/init").replace_add("^PROMPT.*", "PROMPT=no")
def _configure_keepalived():
"""
* Keepalived needs the possibility to bind on non local adresses.
* It will replace the variables in the config file with the hostname.
* It is not environmental dependent and can be installed on any server.
"""
x("echo 'net.ipv4.ip_nonlocal_bind = 1' >> /etc/sysctl.conf")
x("sysctl -p")
x("mv {0}keepalived.conf {0}org.keepalived.conf".format(KA_CONF_DIR))
x("cp {0}/{1}.keepalived.conf {2}keepalived.conf".format(SYCO_PLUGIN_PATH, ka_env, KA_CONF_DIR))
scopen.scOpen(KA_CONF_DIR + "keepalived.conf").replace("${KA_SERVER_NAME_UP}", socket.gethostname().upper())
scopen.scOpen(KA_CONF_DIR + "keepalived.conf").replace("${KA_SERVER_NAME_DN}", socket.gethostname().lower())
_chkconfig("keepalived","on")
_service("keepalived","restart")
def setup_kernel():
app.print_verbose("Help kernel to prevent certain kinds of attacks")
config = ConfigParser.SafeConfigParser()
config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)
# Harden network config
for setting in config.options('network'):
scOpen("/etc/sysctl.conf").replace_add(
"^" + setting + ".*$", config.get('network', setting)
)
# Flush settings.
x("/sbin/sysctl -w net.ipv4.route.flush=1")
x("/sbin/sysctl -w net.ipv6.route.flush=1")
def disable_ip6_support():
app.print_verbose("Disable IP6 support")
modprobe = scOpen("/etc/modprobe.d/syco.conf")
modprobe.replace_add("^options ipv6.*", "options ipv6 disable=1")
modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")
network = scOpen("/etc/sysconfig/network")
network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")
#Disable ipv6 if module is already loaded
ipv6module = x('lsmod | grep ipv6 |cut -f21 -d" "')
if int(ipv6module) == 1:
x("/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1")
x("/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1")
def configured_sudo():
scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")
x("touch /etc/ldap.conf")
x("chown root:root /etc/ldap.conf")
x("chmod 644 /etc/ldap.conf")
scOpen("/etc/ldap.conf").remove(
"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|" +
"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
scOpen("/etc/ldap.conf").add(
"uri ldaps://" + config.general.get_ldap_hostname() + "\n" + "base " +
config.general.get_ldap_dn() + "\n" + "ssl on\n" +
"tls_cacertdir /etc/openldap/cacerts\n" +
"tls_cert /etc/openldap/cacerts/client.pem\n" +
"tls_key /etc/openldap/cacerts/client.pem\n" +
"sudoers_base ou=SUDOers," + config.general.get_ldap_dn() + "\n" +
"binddn cn=sssd," + config.general.get_ldap_dn() + "\n" + "bindpw " +
app.get_ldap_sssd_password())
# SUDO now uses it's own ldap config file.
x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
x("chmod 440 /etc/sudo-ldap.conf")
x("chown root:root /etc/sudo-ldap.conf")
x("restorecon /etc/sudo-ldap.conf")
def _configure_haproxy_state(state):
if state == 'active':
scopen.scOpen(HAPROXY_CONF).replace("${TCSTATE}", '')
scopen.scOpen(HAPROXY_CONF).replace("${AVSTATE}", 'backup')
else:
scopen.scOpen(HAPROXY_CONF).replace("${TCSTATE}", 'backup')
scopen.scOpen(HAPROXY_CONF).replace("${AVSTATE}", '')
def disable_ip6_support():
app.print_verbose("Disable IP6 support")
modprobe = scOpen("/etc/modprobe.d/syco.conf")
modprobe.replace_add("^options ipv6.*", "options ipv6 disable=1")
modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")
network = scOpen("/etc/sysconfig/network")
network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")
#Disable ipv6 if module is already loaded
ipv6module = x('lsmod | grep ipv6 |cut -f21 -d" "')
if int(ipv6module) == 1:
x("/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1")
x("/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1")
def configured_sudo():
scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")
x("touch /etc/ldap.conf")
x("chown root:root /etc/ldap.conf")
x("chmod 644 /etc/ldap.conf")
scOpen("/etc/ldap.conf").remove(
"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|" +
"^tls_cert.*\|^tls_key.*\|sudoers_debug.*"
)
scOpen("/etc/ldap.conf").add(
"uri ldaps://" + config.general.get_ldap_hostname() + "\n" +
"base " + config.general.get_ldap_dn() + "\n" +
"ssl on\n" +
"tls_cacertdir /etc/openldap/cacerts\n" +
"tls_cert /etc/openldap/cacerts/client.pem\n" +
"tls_key /etc/openldap/cacerts/client.pem\n" +
"sudoers_base ou=SUDOers," + config.general.get_ldap_dn() + "\n" +
"binddn cn=sssd," + config.general.get_ldap_dn() + "\n" +
"bindpw " + app.get_ldap_sssd_password()
)
# Needed to fix a but in Centos 6.2, will be fixed in 6.3.
# https://bugzilla.redhat.com/show_bug.cgi?id=760843
x("cp /etc/ldap.conf /etc/nslcd.conf")
def _configure_haproxy_state():
if haproxy_state() == 'active':
scopen.scOpen(HAPROXY_CONF).replace("${TCSTATE}", '')
scopen.scOpen(HAPROXY_CONF).replace("${AVSTATE}", 'backup')
else:
scopen.scOpen(HAPROXY_CONF).replace("${TCSTATE}", 'backup')
scopen.scOpen(HAPROXY_CONF).replace("${AVSTATE}", '')
