Exemple #1
def main():
    """Offer daily Snort rule updates through Pulled Pork, then run one now.

    Asks a yes/no question in a first-boot dialog.  On "yes" it dumps the
    invoking user's crontab to /root/crontmp, appends a 02:00 entry for
    pulledpork.pl, reinstalls the crontab from that file and finally runs
    pulledpork.pl once.  Output of both runs is appended to
    /var/log/pulledpork.

    The cron entry is appended unconditionally, so answering "yes" on a
    second run adds a second identical entry.
    """
    # Single definition of the updater command; used for the cron entry and
    # for the immediate run.
    pulledpork = ("/root/pulledpork-0.6.1/pulledpork.pl"
                  " -c /root/pulledpork-0.6.1/etc/pulledpork.conf"
                  " -H -v >> /var/log/pulledpork 2>&1")

    response = ""
    if response:
        # Never taken while the initial value above is empty.
        return

    d = Dialog('Insta-Snorby - First boot configuration')
    response = d.yesno(
        "Automatically Update Rules Everyday?",
        "Snorby can update the configured ruleset on a daily basis. "
        "Snorby supports this through intergration with Pulled Pork, "
        "a simple popular Snort rule update script\n\nEnable Pulled Pork?")
    if not response:
        return

    d.infobox('Configuring Pulled Pork to run everyday at 2:00AM local time')
    system("crontab -l > /root/crontmp")
    system("echo '0 2 * * * " + pulledpork
           + " #Update Snort Rules' >> /root/crontmp")
    system("crontab /root/crontmp")

    d.infobox('Running Pulled Pork now! Logs are stored at /var/log/pulledpork')
    system(pulledpork)
Exemple #2
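def main():
    """Offer to install OpenFPC on first boot and point Snorby at it.

    Prompts for an OpenFPC username and password, runs the bundled OpenFPC
    installer, rewrites the OpenFPC and Apache configuration with sed, starts
    OpenFPC and stores the packet-capture settings in Snorby through
    ``rails runner``.  Nothing is installed unless both a username and a
    password were entered.

    Security notes:
      * The dialog answers are untrusted text.  Each one is escaped for the
        context it lands in (shell word, sed replacement, Ruby string
        literal) rather than pasted into the command line.
      * The password is still passed as a command-line argument to htpasswd,
        sed and rails, so it is visible in the process list while those
        commands run, and it is stored in clear text in
        /etc/openfpc/openfpc-default.conf and in the Snorby settings.
    """
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote

    def sed_literal(text):
        """Escape text for the replacement half of a '/'-delimited sed s command."""
        # Backslash must be handled first so later escapes are not doubled.
        for special in ('\\', '/', '&', '\n'):
            text = text.replace(special, '\\' + special)
        return text

    def ruby_literal(text):
        """Render text as a single-quoted Ruby string literal."""
        return "'%s'" % text.replace('\\', '\\\\').replace("'", "\\'")

    def snorby_set(ruby_code):
        """Run one Ruby statement inside the Snorby Rails application."""
        system("cd /var/www/snorby && /usr/local/bin/rails runner %s > /dev/null 2>&1"
               % quote(ruby_code))

    fpcuser = ""
    fpcpassword = ""
    d = Dialog('Insta-Snorby - First boot configuration')
    response = d.yesno("Enable OpenFPC?","Snorby supports intergration with OpenFPC, a lightweight full-packet network traffic recorder & buffering system.\nInsta-Snorby can install and configure OpenFPC so that full pcaps of alerts will be made available inside the Snorby application.\n\n Would you like to enable OpenFPC?")

    if response:
        # Element [1] of the inputbox() result is the entered text.  Taking it
        # here means an empty username is treated as "not configured" below,
        # instead of a non-empty result object always passing the check.
        fpcuser = d.inputbox("Create OpenFPC Username","Please enter your desired OpenFPC username.")[1]
        fpcpassword = d.get_password("Create OpenFPC password", "Please enter your desired OpenFPC password.")

    if not (fpcuser and fpcpassword):
        return

    ipaddress = get_ip_address('eth0')
    d.infobox('Installing OpenFPC 0.6-314')
    system('htpasswd -b -c /etc/openfpc/apache2.passwd %s %s > /dev/null'
           % (quote(fpcuser), quote(fpcpassword)))
    system('cd /root/openfpc-0.6-314/ &&  /root/openfpc-0.6-314/openfpc-install.sh install > /dev/null')

    # Comment out the default GUI credentials.  The second command used to
    # rewrite the GUIPASS line as "#GUIUSER=openfpc"; it now keeps the key.
    system("sed -i 's/GUIUSER=openfpc/#GUIUSER=openfpc/g' /etc/openfpc/openfpc-default.conf")
    system("sed -i 's/GUIPASS=openfpc/#GUIPASS=openfpc/g' /etc/openfpc/openfpc-default.conf")

    # Replace the default USER=openfpc=openfpc entry with the chosen account.
    credentials = 's/USER=openfpc=openfpc/USER=%s=%s/g' % (
        sed_literal(fpcuser), sed_literal(fpcpassword))
    system("sed -i %s /etc/openfpc/openfpc-default.conf" % quote(credentials))

    # NOTE(review): the four edits below comment out the Basic-auth
    # directives of the OpenFPC Apache site, so the htpasswd file written
    # above is no longer enforced by that site.  Confirm that OpenFPC's own
    # USER= credentials are the intended access control for extract.cgi.
    system("sed -i 's/AuthType Basic/#AuthType Basic/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/AuthName/#AuthName/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/AuthUserFile/#AuthUserFile/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/Require valid-user/#Require valid-user/g' /etc/apache2/sites-enabled/openfpc.apache2.site")

    d.infobox('Starting OpenFPC 0.6-314')
    system("openfpc -action start > /dev/null")

    d.infobox('Configuring Snorby...')
    capture_url = 'https://%s/openfpc/cgi-bin/extract.cgi' % ipaddress
    snorby_set("Setting.set(:packet_capture, 1)")
    snorby_set("Setting.set(:packet_capture_url, %s)" % ruby_literal(capture_url))
    snorby_set("Setting.set(:packet_capture_type, 'openfpc')")
    snorby_set("Setting.set(:packet_capture_auto_auth, 1)")
    snorby_set("Setting.set(:packet_capture_user, %s)" % ruby_literal(fpcuser))
    snorby_set("Setting.set(:packet_capture_password, %s)" % ruby_literal(fpcpassword))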
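def main():
    """Offer to install OpenFPC on first boot and point Snorby at it.

    Prompts for an OpenFPC username and password, runs the bundled OpenFPC
    installer, rewrites the OpenFPC and Apache configuration with sed, starts
    OpenFPC and stores the packet-capture URL and type in Snorby through
    ``rails runner``.  Nothing is installed unless both a username and a
    password were entered.

    Security notes:
      * The dialog answers are untrusted text, so they are shell-quoted and
        sed-escaped before being placed in a command line.
      * The password is still passed as a command-line argument to htpasswd
        and sed (visible in the process list while they run) and is stored
        in clear text in /etc/openfpc/openfpc-default.conf.
    """
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote

    def sed_literal(text):
        """Escape text for the replacement half of a '/'-delimited sed s command."""
        # Backslash must be handled first so later escapes are not doubled.
        for special in ('\\', '/', '&', '\n'):
            text = text.replace(special, '\\' + special)
        return text

    def snorby_set(ruby_code):
        """Run one Ruby statement inside the Snorby Rails application."""
        system("cd /var/www/snorby && /usr/local/bin/rails runner %s > /dev/null 2>&1"
               % quote(ruby_code))

    fpcuser = ""
    fpcpassword = ""
    d = Dialog('Insta-Snorby - First boot configuration')
    response = d.yesno("Enable OpenFPC?","Snorby supports intergration with OpenFPC, a lightweight full-packet network traffic recorder & buffering system.\nInsta-Snorby can install and configure OpenFPC so that full pcaps of alerts will be made available inside the Snorby application.\n\n Would you like to enable OpenFPC?")

    if response:
        # Element [1] of the inputbox() result is the entered text; an empty
        # username now counts as "not configured" in the check below.
        fpcuser = d.inputbox("Create OpenFPC Username","Please enter your desired OpenFPC username.")[1]
        fpcpassword = d.get_password("Create OpenFPC password", "Please enter your desired OpenFPC password.")

    if not (fpcuser and fpcpassword):
        return

    ipaddress = get_ip_address('eth0')
    d.infobox('Installing OpenFPC 0.6-314')
    system('htpasswd -b -c /etc/openfpc/apache2.passwd %s %s > /dev/null'
           % (quote(fpcuser), quote(fpcpassword)))
    system('cd /root/openfpc-0.6-314/ &&  /root/openfpc-0.6-314/openfpc-install.sh install > /dev/null')

    # Comment out the default GUI credentials.  The second command used to
    # rewrite the GUIPASS line as "#GUIUSER=openfpc"; it now keeps the key.
    system("sed -i 's/GUIUSER=openfpc/#GUIUSER=openfpc/g' /etc/openfpc/openfpc-default.conf")
    system("sed -i 's/GUIPASS=openfpc/#GUIPASS=openfpc/g' /etc/openfpc/openfpc-default.conf")

    # Replace the default USER=openfpc=openfpc entry with the chosen account.
    credentials = 's/USER=openfpc=openfpc/USER=%s=%s/g' % (
        sed_literal(fpcuser), sed_literal(fpcpassword))
    system("sed -i %s /etc/openfpc/openfpc-default.conf" % quote(credentials))

    # NOTE(review): these edits comment out the Basic-auth directives of the
    # OpenFPC Apache site, so the htpasswd file written above is no longer
    # enforced by that site.  Confirm this is the intended access control.
    system("sed -i 's/AuthType Basic/#AuthType Basic/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/AuthName/#AuthName/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/AuthUserFile/#AuthUserFile/g' /etc/apache2/sites-enabled/openfpc.apache2.site")
    system("sed -i 's/Require valid-user/#Require valid-user/g' /etc/apache2/sites-enabled/openfpc.apache2.site")

    d.infobox('Starting OpenFPC 0.6-314')
    system("openfpc -action start > /dev/null")

    d.infobox('Configuring Snorby...')
    capture_url = 'https://%s/openfpc/cgi-bin/extract.cgi' % ipaddress
    snorby_set("Setting.set(:packet_capture, 1)")
    snorby_set("Setting.set(:packet_capture_url, '%s')" % capture_url.replace('\\', '\\\\').replace("'", "\\'"))
    snorby_set("Setting.set(:packet_capture_type, 'openfpc')")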
Exemple #4
def main():
    """Offer daily Snort rule updates through Pulled Pork, then run one now.

    On "yes" the invoking user's crontab is dumped to /root/crontmp, a 02:00
    entry for pulledpork.pl is appended, the crontab is reinstalled from that
    file and pulledpork.pl is run once.  Output is appended to
    /var/log/pulledpork.  The entry is appended unconditionally, so a second
    "yes" adds a duplicate.
    """
    response = ""
    if not response:
        # One definition of the updater command for both the cron entry and
        # the immediate run.
        pulledpork = ("/root/pulledpork-0.6.1/pulledpork.pl"
                      " -c /root/pulledpork-0.6.1/etc/pulledpork.conf"
                      " -H -v >> /var/log/pulledpork 2>&1")
        install_cron_entry = (
            "crontab -l > /root/crontmp",
            "echo '0 2 * * * " + pulledpork
            + " #Update Snort Rules' >> /root/crontmp",
            "crontab /root/crontmp",
        )

        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Automatically Update Rules Everyday?",
            "Snorby can update the configured ruleset on a daily basis. "
            "Snorby supports this through intergration with Pulled Pork, "
            "a simple popular Snort rule update script\n\n"
            "Enable Pulled Pork?")

        if response:
            d.infobox('Configuring Pulled Pork to run everyday at 2:00AM local time')
            for shell_command in install_cron_entry:
                system(shell_command)

            d.infobox('Running Pulled Pork now! Logs are stored at /var/log/pulledpork')
            system(pulledpork)
        if fqdn:
            system('hubdns-init', apikey, fqdn)
            system('hubdns-update')

        return

    # Interactive path: keep asking for a Hub API key until TKLBAM is linked,
    # the user skips, or the Hub cannot be reached.
    initialized_tklbam = False
    d = Dialog('TurnKey Linux - First boot configuration')
    while 1:
        # The previous answer is passed back in as the field's initial value.
        retcode, apikey = d.inputbox("Initialize Hub services", TEXT_SERVICES,
                                     apikey, "Apply", "Skip")

        # Empty input or retcode 1 ends the prompt without linking.
        if not apikey or retcode == 1:
            break

        d.infobox("Linking TKLBAM to the TurnKey Hub...")

        # Connectivity probe: a failing lookup of the Hub host aborts the loop.
        try:
            getoutput("host -W 2 hub.turnkeylinux.org")
        except ExecError, e:
            d.error(CONNECTIVITY_ERROR)
            break

        try:
            # The key is passed as a separate argument, not formatted into
            # the command string.
            getoutput('tklbam-init', apikey)
            d.msgbox('Success! Linked TKLBAM to Hub', SUCCESS_TKLBAM)
            initialized_tklbam = True
            break

        except ExecError, e:
            # Show the command's output and fall through to prompt again.
            d.msgbox('Failure', e.output)
Exemple #6
    # Prompt only for the values that were not supplied earlier.
    if not email:
        email = d.get_email(
            "Email of the gmail account",
            "Emails from the server are sent through the SMTP of a GMAIL account.\n" +
            "Please enter the full email of the gmail account:",
            "*****@*****.**")
    if not passw:
        passw = d.get_password(
            "Password of the gmail account",
            "Emails from the server are sent through the SMTP of a GMAIL account.\n" +
            "Please enter the password of the gmail account:")

    # Everything after the first '@'.  Raises IndexError when the address has
    # no '@'; presumably d.get_email() validates that - TODO confirm, and
    # check any value that arrives without going through the dialog.
    domain = email.split('@')[1]

    try:
        d.infobox("Modifying ssmtp configuration files...")

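        # The e-mail address and password are untrusted text.  They used to
        # be formatted into a double-quoted sed script, where the shell still
        # expands $, backticks and double quotes.  The whole sed script is now
        # passed as one shell-quoted word, and backslashes/newlines are
        # escaped for sed's one-line "c" (change) command.
        try:
            from shlex import quote
        except ImportError:  # Python 2
            from pipes import quote

        def change_line(path, prefix, line):
            """Replace each line of path that starts with prefix by line."""
            text = line.replace('\\', '\\\\').replace('\n', '\\\n')
            script = '/^%s/ c %s' % (prefix, text)
            getoutput('sed -e %s -i %s' % (quote(script), quote(path)))

        # modify conf file /etc/ssmtp/ssmtp.conf
        # NOTE(review): AuthPass is stored in clear text in this file and is
        # visible in sed's argument list while the command runs; keep the
        # file readable only by the accounts that need to send mail.
        config_file = '/etc/ssmtp/ssmtp.conf'
        change_line(config_file, 'root=', 'root=%s' % email)
        change_line(config_file, 'AuthUser=', 'AuthUser=%s' % email)
        change_line(config_file, 'AuthPass=', 'AuthPass=%s' % passw)
        change_line(config_file, 'rewriteDomain=', 'rewriteDomain=%s' % domain)
        # NOTE(review): hostname= receives the full e-mail address, as in the
        # original code - confirm that this is intended rather than the domain.
        change_line(config_file, 'hostname=', 'hostname=%s' % email)

        # modify conf file /etc/ssmtp/revaliases
        config_file = '/etc/ssmtp/revaliases'
        change_line(config_file, 'root:', 'root:%s:smtp.gmail.com:587' % email)
        change_line(config_file, 'admin:', 'admin:%s:smtp.gmail.com:587' % email)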

        d.infobox("Modifying smtp drupal variables...")
Exemple #7
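def main():
    """Provision a new Samba AD domain, or join an existing one (inithook).

    Settings come from --pass/--realm/--domain/--join_ns/--hostname.  When a
    required value is missing or invalid, or TURNKEY_INIT is set, the hook
    switches to interactive dialogs.  Existing Samba/Kerberos configuration
    and *.tdb/*.ldb databases are removed, then the samba-tool/kinit commands
    run in order.  If a command fails in interactive mode the answers are
    cleared and the whole loop restarts; in non-interactive mode fatal() is
    called.

    Security notes:
      * The long-option list passed to getopt was garbled by a credential
        scrubber ('pass='******'domain='); it is restored to
        'pass=', 'domain='.
      * The administrator password is part of the provision command line
        (--adminpass=...).  It is masked before the command is printed or
        written to COMMAND_LOG; previously both showed it in clear text.
        It remains visible in the process list while samba-tool runs.
    """

    def printable(argv):
        """Join argv for display or logging with the --adminpass value masked."""
        return ' '.join(
            '--adminpass=********' if arg.startswith('--adminpass=') else arg
            for arg in argv)

    HOSTNAME = subprocess.run(['hostname', '-s'],
                              encoding='utf-8',
                              stdout=PIPE).stdout.strip()
    # NOTE(review): `hostname -I` prints every configured address separated
    # by spaces; NET_IP is used below both in the interfaces option and as a
    # hosts-file IP - confirm behaviour on multi-homed systems.
    NET_IP = subprocess.run(['hostname', '-I'], encoding='utf-8',
                            stdout=PIPE).stdout.strip()

    # disabled for now, will reimplement at some point...
    # NET_IP321 = NET_IP.split('.')[:-1]
    # NET_IP321.reverse()
    # NET_IP321 = '.'.join(NET_IP321)
    # NET_IP4 = NET_IP.split('.')[-1]

    DEFAULT_HOSTNAME = "dc1"
    DEFAULT_REALM = "DOMAIN.LAN"
    DEFAULT_DOMAIN = "DOMAIN"
    DEFAULT_NS = ""
    DEFAULT_NEW_HOSTNAME = "dc2"

    try:
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], "h",
            ['help', 'pass=', 'domain=', 'realm=', 'join_ns=', 'hostname='])
    except getopt.GetoptError as e:
        usage(e)

    interactive = False
    domain = ""
    realm = ""
    admin_password = ""
    join_nameserver = ""
    hostname = ""

    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt == '--pass':
            admin_password = val
        elif opt == '--realm':
            realm = val
        elif opt == '--domain':
            domain = val
        elif opt == '--join_ns':
            join_nameserver = val
            DEFAULT_NS = join_nameserver
        elif opt == '--hostname':
            hostname = val

    # Decide between interactive and preseeded operation, and between
    # creating a domain and joining one.
    if ((not (realm and domain and admin_password))
            or (join_nameserver and not valid_ip(join_nameserver) or
                (join_nameserver and not hostname)) or TURNKEY_INIT):
        interactive = True
        if join_nameserver:
            create = True
    elif realm and domain and admin_password and join_nameserver and hostname:
        join_nameserver = valid_ip(join_nameserver)
        update_resolvconf(realm.lower(), join_nameserver, interactive)
        hostname = validate_hostname(hostname, realm, interactive,
                                     DEFAULT_HOSTNAME)
        if join_nameserver and hostname[0]:  # both valid
            create = False
        elif join_nameserver:  # invalid hostname
            restore_resolvconf()
            interactive = True
            hostname = ""
        elif hostname[0]:  # invalid nameserver IPv4
            interactive = True
        else:  # both invalid
            restore_resolvconf()
            interactive = True
            hostname = ""
            join_nameserver = ""
    elif realm and domain and admin_password and not join_nameserver:
        create = True

    while True:
        if TURNKEY_INIT:
            d = Dialog('Turnkey Linux - First boot configuration')
            do_it = d.yesno(
                "Reconfigure Samba?",
                "Existing Samba config will be removed.\n\n"
                "Cancelling will leave existing config in place.\n"
                "\nContinue?", "Reconfigure", "Cancel")
            if not do_it:
                sys.exit(0)

        if interactive and not join_nameserver:
            d = Dialog('Turnkey Linux - First boot configuration')
            create = d.yesno(
                "Create new AD or join existing?",
                "You can create new Active Directory or join existing one."
                "\n\nNote that joining a non-TurnKey existing AD domain not is"
                " experimental and may fail. If so, please manually configure"
                " using the 'samba-tool' commandline tool.", "Create", "Join")
            # Normalise the dialog result to a real bool.
            create = bool(create)

        if not realm:
            while True:
                d = Dialog('Turnkey Linux - First boot configuration')
                realm = d.get_input(
                    "Samba Kerberos Realm / AD DNS zone",
                    "Kerberos Realm should be 2 or more groups of 63 or less"
                    " ASCII characters, separated by dot(s). Kerberos realm"
                    " will be stored as uppercase; DNS zone as"
                    " lowercase\n\n"
                    "Enter the Realm / DNS zone you would like to use.",
                    DEFAULT_REALM)
                realm = validate_realm(realm, interactive)
                if realm[0]:
                    break
                else:
                    d.error(realm[1])
                    continue
        else:
            realm = validate_realm(realm, interactive)

        if not domain:
            while True:
                d = Dialog('TurnKey Linux - First boot configuration')
                domain = d.get_input(
                    "Samba NetBIOS Domain (aka workgroup)",
                    "The NetBIOS domain (aka workgroup) should be 15 or less"
                    " ASCII characters.\n\n"
                    "Enter NetBIOS domain (aka 'WORKGROUP') to use.",
                    DEFAULT_DOMAIN)
                domain = validate_netbios(domain, interactive)
                if domain[0]:
                    break
                else:
                    d.error(domain[1])
                    continue
        else:
            domain = validate_netbios(domain, interactive)

        if not admin_password:
            d = Dialog('TurnKey Linux - First boot configuration')
            server_status = 'new' if create else 'existing'
            admin_password = d.get_password(
                "Samba Password",
                "Enter password for the {} samba Domain 'Administrator'"
                " account.".format(server_status),
                pass_req=8,
                min_complexity=3,
                blacklist=['(', ')'])
        if interactive and not create:
            d = Dialog('Turnkey Linux - First boot configuration')
            if not join_nameserver:
                while True:
                    join_nameserver = d.get_input(
                        "Add nameserver",
                        "Set DNS server IPv4 for existing AD domain DNS"
                        " server", DEFAULT_NS)
                    if not valid_ip(join_nameserver):
                        d.error("IP: '{}' not valid.".format(join_nameserver))
                        join_nameserver = ""
                        continue
                    else:
                        break
            update_resolvconf(realm.lower(), join_nameserver, interactive)
            if not hostname:
                while True:
                    hostname = d.get_input(
                        "Set new hostname",
                        "Set new unique hostname for this domain-controller.",
                        DEFAULT_NEW_HOSTNAME)
                    hostname = validate_hostname(hostname, realm.lower(),
                                                 interactive, DEFAULT_HOSTNAME)
                    if not hostname[0]:
                        d.error(hostname[1])
                        continue
                    else:
                        set_hostname(hostname)
                        break

        # Stop any Samba services
        services = ['samba', 'samba-ad-dc', 'smbd', 'nmbd']
        for service in services:
            subprocess.run(['systemctl', 'stop', service], stderr=PIPE)
        # Remove Samba & Kerberos conf
        rm_f('/etc/samba/smb.conf')
        rm_f('/etc/krb5.conf')
        # Remove Samba DBs
        dirs = [
            '/var/run/samba', '/var/lib/samba', '/var/cache/samba',
            '/var/lib/samba/private'
        ]
        for _dir in dirs:
            for _db_file in ['*.tdb', '*.ldb']:
                rm_glob('/'.join([_dir, _db_file]))

        set_expiry = [
            'samba-tool', 'user', 'setexpiry', ADMIN_USER, '--noexpiry'
        ]
        export_krb = [
            'samba-tool', 'domain', 'exportkeytab', '/etc/krb5.keytab'
        ]

        krb_pass = None
        if create:
            ip = NET_IP  # will add to hosts file
            # The password travels in argv here; see the docstring.
            samba_domain = [
                'samba-tool', 'domain', 'provision', '--server-role=dc',
                '--use-rfc2307', '--dns-backend=SAMBA_INTERNAL',
                '--realm={}'.format(realm), '--domain={}'.format(domain),
                '--adminpass={}'.format(admin_password),
                '--option=dns forwarder=8.8.8.8',
                '--option=interfaces=127.0.0.1 {}'.format(NET_IP)
            ]
            commands = [samba_domain, set_expiry, export_krb]
            nameserver = '127.0.0.1'
            hostname = HOSTNAME
        else:  # join
            with open('/etc/krb5.conf', 'w') as fob:
                fob.write('[libdefaults]\n')
                fob.write('    dns_lookup_realm = false\n')
                fob.write('    dns_lookup_kdc = true\n')
                fob.write('    default_realm = {}'.format(realm))
            ip = None  # will update 127.0.1.1 hosts entry only
            config_krb = ['kinit', 'administrator']
            # For the join, the password is handed to kinit on stdin.
            krb_pass = admin_password
            # NOTE(review): if run_command executes this list without a
            # shell, the single quotes in the last element reach samba-tool
            # literally - confirm.
            samba_domain = [
                'samba-tool', 'domain', 'join',
                realm.lower(), 'DC', "--option='idmap_ldb:use rfc2307 = yes'"
            ]
            commands = [config_krb, samba_domain, export_krb]
            nameserver = join_nameserver

        finalize = False

        update_resolvconf(realm.lower(), nameserver, interactive)
        print('hostname', hostname, 'realm', realm)
        update_hosts('127.0.1.1', hostname, realm)
        if ip:
            update_hosts(ip, hostname, realm)

        for samba_command in commands:
            # Never print or log the raw argv: it may carry --adminpass.
            shown_command = printable(samba_command)
            print('Running command: {}'.format(shown_command))
            if krb_pass:
                samba_run_code, samba_run_out = run_command(samba_command,
                                                            stdin=krb_pass)
                krb_pass = None
            else:
                samba_run_code, samba_run_out = run_command(samba_command)
            if samba_run_code != 0:
                os.makedirs(os.path.dirname(COMMAND_LOG), exist_ok=True)
                with open(COMMAND_LOG, 'a') as fob:
                    fob.write("Command: {}\n\n".format(shown_command))
                    fob.write("\n")
                    fob.write("{}\n".format(samba_run_out))

                if interactive:
                    d = Dialog('Turnkey Linux - First boot configuration')
                    # handle incorrect details
                    lines_to_print = []
                    end = False
                    for line in samba_run_out.split('\n'):
                        if line.startswith('Failed to bind'):
                            lines_to_print.append("-".join(
                                line.split("-", 2)[:2]))
                        elif line.startswith('Failed to connect'):
                            lines_to_print.append(line.split("-", 1)[:1][0])

                        elif line.startswith('ERROR'):
                            lines_to_print.append("-".join(
                                line.split("-", 2)[:2]))
                            end = True
                        else:
                            if not end:
                                lines_to_print.append(line)
                            continue
                    lines_to_print.append('')
                    lines_to_print.append(
                        "See {} for full output".format(COMMAND_LOG))
                    retry = d.error("{}\n\n".format('\n'.join(lines_to_print)))
                    # Keep the rejected answers as defaults for the next
                    # round and clear the live values so they are re-asked.
                    finalize = False
                    DEFAULT_REALM = realm
                    realm = ""
                    DEFAULT_DOMAIN = domain
                    domain = ""
                    admin_password = ""
                    DEFAULT_NS = join_nameserver
                    join_nameserver = ""
                    break
                else:
                    fatal("Errors in processing domain-controller inithook"
                          " data:\n{}".format(samba_run_out))
            else:
                finalize = True

        if finalize:
            # The exported keytab holds Kerberos keys: root-owned, mode 0600.
            os.chown('/etc/krb5.keytab', 0, 0)
            os.chmod('/etc/krb5.keytab', 0o600)
            shutil.copy2('/var/lib/samba/private/krb5.conf', '/etc/krb5.conf')
            subprocess.run(['systemctl', 'start', 'samba-ad-dc'])
            # Poll once a second until the service reports active.
            while subprocess.run([
                    'systemctl', 'is-active', '--quiet', 'samba-ad-dc'
            ]).returncode != 0:
                time.sleep(1)
            subprocess.check_output(['kinit', ADMIN_USER],
                                    encoding='utf-8',
                                    input=admin_password)
            msg = "\nPlease ensure that you have set a static IP. If you" \
                  " haven't already, please ensure that you do that ASAP," \
                  " and update IP addresses in DNS and hosts file (please" \
                  " see docs for more info).\n"

            if create:
                msg = msg + \
                      "\nWhen adding clients, you'll need this info:\n" \
                      "    nameserver: {}\n" \
                      "    * - set client to use this nameserver first!\n" \
                      "    AD DNS domain: {}\n" \
                      "    AD admin account name: {}\n" \
                      "    AD admin user password: (what you set)\n" \
                      "".format(nameserver, realm.lower(), ADMIN_USER)

            if interactive:
                d = Dialog('Turnkey Linux - First boot configuration')
                d.infobox(msg)
            else:
                print(msg)
            cleanup()
            break
        else:
            restore_resolvconf()
            restore_hosts()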
Exemple #8
            usage()
        elif opt in ('-o', '--oink'):
            oinkcode = val

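    # The Oinkcode is untrusted text that ends up in shell commands and in a
    # sed script, so it is shell-quoted / sed-escaped at every use.
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote

    # Created up front: the steps below use the dialog even when the code
    # was supplied with -o/--oink and no question was asked.
    d = Dialog('Insta-Snorby - First boot configuration')
    if not oinkcode:
        response = d.yesno("Enter Oinkcode?","Snorby can automatically download and install Sourcefire's VRT rules. In order to do this, you need obtain and enter your Oinkcode from snort.org. \n\nWould you like to enter your oink code?")

        if response:
            # Element [1] of the inputbox() result is the entered text.
            # Taking it here keeps oinkcode a plain string on both paths;
            # indexing a command-line value with [1] would have yielded only
            # its second character (presumably val is a str - confirm).
            oinkcode = d.inputbox("Enter Oinkcode","Please enter your 40 character Oinkcode")[1]

    if oinkcode:
        system('echo %s > /root/oinkcode' % quote(oinkcode))
        d.infobox('VRT rules are downloading...')
        # NOTE(review): the snapshot is fetched over plain HTTP with the
        # Oinkcode in the URL, and the archive is unpacked as-is with no
        # integrity check - prefer an HTTPS endpoint and a verified download
        # if the rule feed offers them.
        rules_url = 'http://www.snort.org/reg-rules/snortrules-snapshot-edge.tar.gz/' + oinkcode
        try:
            system('wget %s -o /dev/null -O /root/snortrules.tar.gz' % quote(rules_url))
        except Exception:
            # Only reached if system() raises on failure - TODO confirm.
            d.error("Could not download VRT rules.")
        else:
            # Install the rules only after a download that did not raise.
            d.infobox('Download complete! VRT rules are extracting...')
            system('tar zxf /root/snortrules.tar.gz -C /root/')
            system('cp /root/rules/* /etc/snort/rules/')
            system('cp -f /root/snortvrt.conf /etc/snort/snort.conf')
            system('cat /root/etc/sid-msg.map >> /etc/snort/sid-msg.map')
            # Escape sed's replacement metacharacters, backslash first.
            sed_value = oinkcode
            for special in ('\\', '/', '&', '\n'):
                sed_value = sed_value.replace(special, '\\' + special)
            system("sed -i %s /root/vrtpulledpork.conf" % quote('s/<oinkcode>/%s/g' % sed_value))
            system("cp /root/vrtpulledpork.conf /root/pulledpork-0.5.0/etc/pulledpork.conf")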

# Run the hook only when this file is executed as a script, not on import.
if __name__ == "__main__":
    main()
Exemple #9
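        if fqdn:
            # apikey and fqdn come from the command line; quote them so the
            # shell sees each as exactly one word.
            try:
                from shlex import quote
            except ImportError:  # Python 2
                from pipes import quote
            system('hubdns-init %s %s' % (quote(apikey), quote(fqdn)))
            system('hubdns-update')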

        return

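    # Interactive path: keep asking for a Hub API key until TKLBAM is linked,
    # the user skips, or the Hub cannot be reached.
    try:
        from shlex import quote
    except ImportError:  # Python 2
        from pipes import quote

    initialized_tklbam = False
    d = Dialog('TurnKey GNU/Linux - First boot configuration')
    while 1:
        # The previous answer is passed back in as the field's initial value.
        retcode, apikey = d.inputbox("Initialize Hub services", TEXT_SERVICES,
                                     apikey, "Apply", "Skip")

        # Empty input or retcode 1 ends the prompt without linking.
        if not apikey or retcode == 1:
            break

        d.infobox("Linking TKLBAM to the TurnKey Hub...")

        # Connectivity probe: a failing lookup of the Hub host aborts the loop.
        try:
            getoutput("host -W 2 hub.turnkeylinux.org")
        except ExecError:
            d.error(CONNECTIVITY_ERROR)
            break

        try:
            # The key is typed by the user; quote it so that it reaches
            # tklbam-init as one argument and is never parsed by the shell.
            getoutput('tklbam-init %s' % quote(apikey))
            d.msgbox('Success! Linked TKLBAM to Hub', SUCCESS_TKLBAM)
            initialized_tklbam = True
            break

        except ExecError as e:
            # Show the command's output and fall through to prompt again.
            d.msgbox('Failure', e.output)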
Exemple #10
def main():
    """Link this appliance to the TurnKey Hub: TKLBAM first, then HubDNS.

    With --apikey the hook runs without dialogs: it initialises TKLBAM and,
    if --fqdn is also given, HubDNS.  Otherwise it asks for the API key in a
    dialog and, once TKLBAM is linked, for a hostname.  Each prompt repeats
    after a failed command until it succeeds or the user skips it.

    External commands are run from argument lists, so the API key and the
    hostname are never interpreted by a shell.
    """
    # Ctrl-C is ignored for the duration of the hook.
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    try:
        opts, args = getopt.gnu_getopt(sys.argv[1:], "h",
                                       ['help', 'apikey=', 'fqdn='])
    except getopt.GetoptError as e:
        usage(e)

    apikey = ""
    fqdn = ""
    for opt, val in opts:
        if opt == '--apikey':
            apikey = val
        elif opt == '--fqdn':
            fqdn = val
        elif opt in ('-h', '--help'):
            usage()

    # Preseeded run: no dialogs at all.
    if apikey:
        system('tklbam-init', apikey)
        if fqdn:
            system('hubdns-init', apikey, fqdn)
            system('hubdns-update')
        return

    linked = False
    d = Dialog('TurnKey GNU/Linux - First boot configuration')
    while True:
        retcode, apikey = d.inputbox("Initialize Hub services", TEXT_SERVICES,
                                     apikey, "Apply", "Skip")
        skipped = not apikey or retcode == 1
        if skipped:
            break

        d.infobox("Linking TKLBAM to the TurnKey Hub...")

        # Connectivity probe: give up when the Hub host cannot be resolved.
        try:
            check_output(["host", "-W", "2", "hub.turnkeylinux.org"])
        except CalledProcessError:
            d.error(CONNECTIVITY_ERROR)
            break

        try:
            check_output(['tklbam-init', apikey])
        except CalledProcessError as e:
            # Show the captured output, then ask for the key again.
            d.msgbox('Failure', e.output)
        else:
            d.msgbox('Success! Linked TKLBAM to Hub', SUCCESS_TKLBAM)
            linked = True
            break

    # HubDNS is only offered once TKLBAM has been linked.
    if not linked:
        return

    while True:
        retcode, fqdn = d.inputbox("Assign TurnKey DNS hostname", TEXT_HUBDNS,
                                   fqdn, "Apply", "Skip")
        skipped = not fqdn or retcode == 1
        if skipped:
            break

        d.infobox("Linking HubDNS to the TurnKey Hub...")

        try:
            check_output(['hubdns-init', apikey, fqdn])
            check_output(['hubdns-update'])
        except CalledProcessError as e:
            # Show the captured output, then ask for the hostname again.
            d.msgbox('Failure', e.output)
        else:
            d.msgbox('Success! Assigned %s' % fqdn, SUCCESS_HUBDNS)
            break
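def main():
    """Provision a new Samba AD domain, or join an existing one.

    Settings come from the command line (``--pass``, ``--realm``,
    ``--domain``, ``--join_ns``). The function switches to interactive
    dialogs when a required value is missing, when ``--join_ns`` is not a
    valid IP, or when ``TURNKEY_INIT`` is set. In interactive mode a failed
    samba-tool step clears the collected values and the whole sequence is
    offered again; in non-interactive mode it ends in ``fatal()``.

    Security notes for operators:

    * ``--pass`` puts the administrator password on this script's command
      line, and the samba-tool commands built below receive it as an
      argument as well. Command lines are typically readable by other
      local users through the process list while the process runs.
    * Existing Samba/Kerberos configuration and the Samba ``*.tdb`` /
      ``*.ldb`` databases are deleted before provisioning or joining.
    """

    DEFAULT_REALM = "DOMAIN.LAN"
    DEFAULT_DOMAIN = "DOMAIN"
    DEFAULT_NS = ""

    try:
        # The long-option list was garbled on the page (masked text between
        # 'pass=' and 'domain='); restored to match the options handled
        # in the loop below.
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], "h",
            ['help', 'pass=', 'domain=', 'realm=', 'join_ns='])
    except getopt.GetoptError as e:
        # Presumably usage() exits; otherwise `opts` is unbound below.
        usage(e)

    interactive = False
    domain = ""
    realm = ""
    admin_password = ""
    join_nameserver = ""

    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt == '--pass':
            admin_password = val
        elif opt == '--realm':
            realm = val
        elif opt == '--domain':
            domain = val
        elif opt == '--join_ns':
            join_nameserver = val
            # Pre-fill the nameserver prompt with what the caller supplied.
            DEFAULT_NS = join_nameserver

    if ((not (realm and domain and admin_password))
            or (join_nameserver and not valid_ip(join_nameserver))
            or TURNKEY_INIT):
        interactive = True
        if join_nameserver:
            # NOTE(review): a supplied --join_ns selects "create" here, which
            # skips both the create/join question and the nameserver prompt
            # on the first pass. Confirm this is intended and not an
            # inverted flag.
            create = True
    elif realm and domain and admin_password and join_nameserver:
        join_nameserver = valid_ip(join_nameserver)
        create = False
    elif realm and domain and admin_password and not join_nameserver:
        create = True

    while True:
        if TURNKEY_INIT:
            d = Dialog('Turnkey Linux - First boot configuration')
            do_it = d.yesno(
                "Reconfigure Samba?",
                "Existing Samba config will be removed.\n\n"
                "Cancelling will leave existing config in place.\n"
                "\nContinue?", "Reconfigure", "Cancel")
            if not do_it:
                sys.exit(0)

        if interactive and not join_nameserver:
            d = Dialog('Turnkey Linux - First boot configuration')
            # Only the truthiness of the answer is used further down.
            create = bool(d.yesno(
                "Create new AD or join existing?",
                "You can create new Active Directory or join existing one.",
                "Create", "Join"))

        if not realm:
            while True:
                d = Dialog('Turnkey Linux - First boot configuration')
                realm = d.get_input(
                    "Samba Kerberos Realm / AD DNS zone",
                    "Kerberos Realm should be 2 or more groups of 63 or less"
                    " ASCII characters, separated by dot(s). Kerberos realm"
                    " will be stored as uppercase; DNS zone as"
                    " lowercase\n\n"
                    "Enter the Realm / DNS zone you would like to use.",
                    DEFAULT_REALM)
                # validate_realm() is defined elsewhere. Here a rejected
                # value is expected to have a falsy first item and the
                # message at index 1; an accepted value is used as a string
                # further down (realm.lower()).
                realm = validate_realm(realm, interactive)
                if realm[0]:
                    break
                else:
                    d.error(realm[1])
                    continue
        else:
            realm = validate_realm(realm, interactive)

        if not domain:
            while True:
                d = Dialog('TurnKey Linux - First boot configuration')
                domain = d.get_input(
                    "Samba NetBIOS Domain (aka workgroup)",
                    "The NetBIOS domain (aka workgroup) should be 15 or less"
                    " ASCII characters.\n\n"
                    "Enter NetBIOS domain (aka 'WORKGROUP') to use.",
                    DEFAULT_DOMAIN)
                # Same result convention as validate_realm() above.
                domain = validate_netbios(domain, interactive)
                if domain[0]:
                    break
                else:
                    d.error(domain[1])
                    continue
        else:
            domain = validate_netbios(domain, interactive)

        if not admin_password:
            d = Dialog('TurnKey Linux - First boot configuration')
            # The length/complexity policy applies to this prompt only; a
            # password given with --pass is not checked anywhere in this
            # function.
            admin_password = d.get_password(
                "Samba Password",
                "Enter password for the samba 'Administrator' account.",
                pass_req=8,
                min_complexity=3,
                blacklist=['(', ')'])

        if interactive and not create:
            d = Dialog('Turnkey Linux - First boot configuration')
            while True:
                join_nameserver = d.get_input(
                    "Add nameserver",
                    "Set DNS server IPv4 for existing AD domain DNS server",
                    DEFAULT_NS)
                if not valid_ip(join_nameserver):
                    d.error("IP: '{}' is not valid.".format(join_nameserver))
                    join_nameserver = ""
                    continue
                else:
                    break

        # Stop any Samba services. Return codes are ignored on purpose: not
        # every unit in the list has to exist or be running.
        services = ['samba', 'samba-ad-dc', 'smbd', 'nmbd']
        for service in services:
            subprocess.run(['systemctl', 'stop', service], stderr=PIPE)
        # Remove Samba & Kerberos conf
        rm_f('/etc/samba/smb.conf')
        rm_f('/etc/krb5.conf')
        # Remove Samba DBs
        dirs = [
            '/var/run/samba', '/var/lib/samba', '/var/cache/samba',
            '/var/lib/samba/private'
        ]
        for _dir in dirs:
            for _db_file in ['*.tdb', '*.ldb']:
                rm_glob('/'.join([_dir, _db_file]))

        # NOTE(security): both command lists below carry the administrator
        # password as an argument, so it can be read from the process list
        # while samba-tool runs. How run_command() executes and reports the
        # command is not visible here; confirm that it neither logs argv
        # nor includes it in the output shown in the error dialog.
        if create:
            samba_domain = [
                'samba-tool', 'domain', 'provision', '--server-role=dc',
                '--use-rfc2307', '--dns-backend=SAMBA_INTERNAL',
                '--realm={}'.format(realm), '--domain={}'.format(domain),
                '--adminpass={}'.format(admin_password),
                # Hard-coded forwarder: names outside the AD zone are sent
                # to a public resolver. Sites with their own resolvers will
                # want to change this after provisioning.
                '--option=dns forwarder=8.8.8.8',
                '--option=interfaces=127.0.0.1 {}'.format(NET_IP)
            ]
        else:  # join
            samba_domain = [
                'samba-tool', 'domain', 'join', realm, 'DC',
                # The double quotes are part of the argument text. Whether
                # they are wanted depends on whether run_command() goes
                # through a shell. TODO confirm.
                '-U"{}\\Administrator"'.format(domain),
                '--password={}'.format(admin_password),
                '--option=idmap_ldb:use rfc2307 = yes'
            ]

        set_expiry = [
            'samba-tool', 'user', 'setexpiry', ADMIN_USER, '--noexpiry'
        ]
        export_krb = [
            'samba-tool', 'domain', 'exportkeytab', '/etc/krb5.keytab'
        ]

        finalize = False
        for samba_command in [samba_domain, set_expiry, export_krb]:
            samba_run_code, samba_run_out = run_command(samba_command)
            if samba_run_code != 0:
                if interactive:
                    d = Dialog('Turnkey Linux - First boot configuration')
                    d.error("{}\n\n".format(samba_run_out))
                    finalize = False
                    # Keep the entered values as defaults for the next pass
                    # and clear the working copies so every prompt is shown
                    # again. The password is never kept as a default.
                    DEFAULT_REALM = realm
                    realm = ""
                    DEFAULT_DOMAIN = domain
                    domain = ""
                    admin_password = ""
                    DEFAULT_NS = join_nameserver
                    join_nameserver = ""
                    break
                else:
                    fatal("Errors in processing domain-controller inithook"
                          " data.")
            else:
                finalize = True

        if finalize:
            # The keytab holds Kerberos keys, so restrict it to root. This
            # happens after samba-tool has written the file; the mode it is
            # created with is not visible here.
            os.chown('/etc/krb5.keytab', 0, 0)
            os.chmod('/etc/krb5.keytab', 0o600)
            shutil.copy2('/var/lib/samba/private/krb5.conf', '/etc/krb5.conf')
            update_resolvconf(realm.lower())
            subprocess.run(['systemctl', 'restart', 'resolvconf.service'])
            update_hosts(NET_IP, HOSTNAME.lower(), realm.lower())
            subprocess.run(['systemctl', 'start', 'samba-ad-dc'])
            # NOTE(review): this wait has no upper bound. If samba-ad-dc
            # never becomes active, the script polls forever.
            while subprocess.run([
                    'systemctl', 'is-active', '--quiet', 'samba-ad-dc'
            ]).returncode != 0:
                time.sleep(1)
            # The password goes to kinit on stdin, not on its command line.
            # A non-zero exit raises CalledProcessError, which is not
            # caught here.
            subprocess.check_output(['kinit', ADMIN_USER],
                                    encoding='utf-8',
                                    input=admin_password)
            msg = "\nPlease ensure that you have set a static IP. If you" \
                  " haven't already, please ensure that you do that ASAP," \
                  " and update IP addresses in DNS and hosts file (please" \
                  " see docs for more info)."
            if interactive:
                d = Dialog('Turnkey Linux - First boot configuration')
                d.infobox(msg)
            else:
                print(msg)
            break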
Exemple #12
    if not oinkcode:
        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Enter Oinkcode?",
            "Snorby can automatically download and install Sourcefire's VRT rules. In order to do this, you need obtain and enter your Oinkcode from snort.org. \n\nWould you like to enter your oink code?"
        )

        if response:
            oinkcode = d.inputbox("Enter Oinkcode",
                                  "Please enter your 40 character Oinkcode")

    if oinkcode:

        system('echo %s > /root/oinkcode' % oinkcode[1])
        d.infobox('VRT rules are downloading...')
        try:
            system(
                'wget http://www.snort.org/reg-rules/snortrules-snapshot-edge.tar.gz/%s -o /dev/null -O /root/snortrules.tar.gz'
                % oinkcode[1])
        except:
            d.error("Could not download VRT rules.")

        d.infobox('Download complete! VRT rules are extracting...')
        system('tar zxf /root/snortrules.tar.gz -C /root/')
        system('cp /root/rules/* /etc/snort/rules/')
        system('cp -f /root/snortvrt.conf /etc/snort/snort.conf')
        system('cat /root/etc/sid-msg.map >> /etc/snort/sid-msg.map')
        system("sed -i 's/<oinkcode>/%s/g' /root/vrtpulledpork.conf" %
               oinkcode[1])
        system(