def main():
    """First-boot hook: ask whether to mirror the ELDIS and R4D datasets.

    Both questions are asked up front; each confirmed answer then dispatches
    to the matching setup routine (eldis_setup / r4d_setup, defined elsewhere
    in this file).
    """
    # ensure virtuoso is using new ini file
    # os.system('service virtuoso-opensource-6.1 restart')
    dialog = Dialog("TurnKey Linux - First boot configuration")
    # Dict literal values are evaluated in order, so the ELDIS prompt is shown
    # before the R4D prompt, as in the original.
    wanted = {
        "eldis": dialog.yesno(
            "ELDIS data",
            "Mirror ELDIS data on this server, this will take some time."),
        "r4d": dialog.yesno(
            "R4D data",
            "Mirror R4D data on this server, this will take some time."),
    }
    if wanted["eldis"]:
        eldis_setup()
    if wanted["r4d"]:
        r4d_setup()
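def main():
    """First-boot hook: optionally install OpenFPC and wire it into Snorby.

    Asks whether OpenFPC should be enabled; if so, prompts for a username and
    password, installs OpenFPC 0.6-314, registers the credentials with Apache
    and OpenFPC, starts the service and stores the packet-capture settings in
    Snorby via `rails runner`. Runs as root and edits
    /etc/openfpc/openfpc-default.conf and the OpenFPC Apache site file in place.

    Changes from the original: commands are invoked as argument lists rather
    than shell strings, so the operator-supplied username and password are
    never parsed by a shell; the config edits are done in Python so '/', '&'
    or '\\' in a password cannot corrupt a sed substitution; the GUIPASS line
    is commented out under its own name (the original wrote '#GUIUSER=openfpc'
    for it); and an empty username or password now skips the install instead
    of being written out. Remaining exposure: `htpasswd -b` places the
    password in the process list for the duration of the call.
    """
    import os
    import subprocess

    def run_quiet(argv, cwd=None, hide_stderr=False):
        # Run argv with stdout (and optionally stderr) discarded, matching the
        # `> /dev/null` / `2>&1` redirections of the original shell strings.
        with open(os.devnull, 'w') as devnull:
            subprocess.call(argv, cwd=cwd, stdout=devnull,
                            stderr=devnull if hide_stderr else None)

    def edit_file(path, replacements):
        # Apply literal (old, new) pairs in order to the whole file; the same
        # effect as chained `sed -i 's/old/new/g'` for fixed strings, but
        # immune to sed metacharacters in the replacement text.
        with open(path) as fob:
            text = fob.read()
        for old, new in replacements:
            text = text.replace(old, new)
        with open(path, 'w') as fob:
            fob.write(text)

    def ruby_str(value):
        # Ruby single-quoted literal: only backslash and quote are special.
        return "'%s'" % value.replace('\\', '\\\\').replace("'", "\\'")

    def snorby_set(key, ruby_value):
        # Store one Snorby setting; all output is discarded as in the original.
        run_quiet(['/usr/local/bin/rails', 'runner',
                   'Setting.set(:%s, %s)' % (key, ruby_value)],
                  cwd='/var/www/snorby', hide_stderr=True)

    fpcuser = ""
    fpcpassword = ""
    if not fpcpassword and not fpcuser:
        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Enable OpenFPC?",
            "Snorby supports intergration with OpenFPC, a lightweight full-packet network traffic recorder & buffering system.\nInsta-Snorby can install and configure OpenFPC so that full pcaps of alerts will be made available inside the Snorby application.\n\n Would you like to enable OpenFPC?")
        if response:
            # inputbox() returns (retcode, text); only the text is kept, as
            # the original's later fpcuser[1] indexing did.
            fpcuser = d.inputbox(
                "Create OpenFPC Username",
                "Please enter your desired OpenFPC username.")[1]
            fpcpassword = d.get_password(
                "Create OpenFPC password",
                "Please enter your desired OpenFPC password.")
    if not (fpcuser and fpcpassword):
        # Declined, or an empty username/password: nothing to configure.
        return

    ipaddress = get_ip_address('eth0')
    d.infobox('Installing OpenFPC 0.6-314')
    run_quiet(['htpasswd', '-b', '-c', '/etc/openfpc/apache2.passwd',
               fpcuser, fpcpassword])
    run_quiet(['/root/openfpc-0.6-314/openfpc-install.sh', 'install'],
              cwd='/root/openfpc-0.6-314/')
    # Disable the stock GUI account and register the chosen one.
    edit_file('/etc/openfpc/openfpc-default.conf', [
        ('GUIUSER=openfpc', '#GUIUSER=openfpc'),
        ('GUIPASS=openfpc', '#GUIPASS=openfpc'),
        ('USER=openfpc=openfpc', 'USER=%s=%s' % (fpcuser, fpcpassword)),
    ])
    # Comment out Apache's basic-auth directives on the OpenFPC vhost. This
    # leaves the extract CGI without Apache-level authentication (as the
    # original did). Like the sed originals these are plain prefix
    # substitutions and are not idempotent ('##' on a second run).
    edit_file('/etc/apache2/sites-enabled/openfpc.apache2.site', [
        ('AuthType Basic', '#AuthType Basic'),
        ('AuthName', '#AuthName'),
        ('AuthUserFile', '#AuthUserFile'),
        ('Require valid-user', '#Require valid-user'),
    ])
    d.infobox('Starting OpenFPC 0.6-314')
    run_quiet(['openfpc', '-action', 'start'])
    d.infobox('Configuring Snorby...')
    snorby_set('packet_capture', '1')
    snorby_set('packet_capture_url',
               ruby_str('https://%s/openfpc/cgi-bin/extract.cgi' % ipaddress))
    snorby_set('packet_capture_type', ruby_str('openfpc'))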
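def main():
    """First-boot hook: optionally install OpenFPC and wire it into Snorby.

    Asks whether OpenFPC should be enabled; if so, prompts for a username and
    password, installs OpenFPC 0.6-314, registers the credentials with Apache
    and OpenFPC, starts the service and stores the packet-capture settings
    (URL, type, auto-auth, user and password) in Snorby via `rails runner`.
    Runs as root and edits /etc/openfpc/openfpc-default.conf and the OpenFPC
    Apache site file in place.

    Changes from the original: commands are invoked as argument lists rather
    than shell strings, so the operator-supplied username and password are
    never parsed by a shell (nor re-parsed by Ruby: they are emitted as
    escaped single-quoted literals); the config edits are done in Python so
    '/', '&' or '\\' in a password cannot corrupt a sed substitution; the
    GUIPASS line is commented out under its own name (the original wrote
    '#GUIUSER=openfpc' for it); and an empty username or password now skips
    the install instead of being written out. Remaining exposure:
    `htpasswd -b` places the password in the process list for the duration
    of the call, and the password is stored in Snorby's settings as before.
    """
    import os
    import subprocess

    def run_quiet(argv, cwd=None, hide_stderr=False):
        # Run argv with stdout (and optionally stderr) discarded, matching the
        # `> /dev/null` / `2>&1` redirections of the original shell strings.
        with open(os.devnull, 'w') as devnull:
            subprocess.call(argv, cwd=cwd, stdout=devnull,
                            stderr=devnull if hide_stderr else None)

    def edit_file(path, replacements):
        # Apply literal (old, new) pairs in order to the whole file; the same
        # effect as chained `sed -i 's/old/new/g'` for fixed strings, but
        # immune to sed metacharacters in the replacement text.
        with open(path) as fob:
            text = fob.read()
        for old, new in replacements:
            text = text.replace(old, new)
        with open(path, 'w') as fob:
            fob.write(text)

    def ruby_str(value):
        # Ruby single-quoted literal: only backslash and quote are special.
        return "'%s'" % value.replace('\\', '\\\\').replace("'", "\\'")

    def snorby_set(key, ruby_value):
        # Store one Snorby setting; all output is discarded as in the original.
        run_quiet(['/usr/local/bin/rails', 'runner',
                   'Setting.set(:%s, %s)' % (key, ruby_value)],
                  cwd='/var/www/snorby', hide_stderr=True)

    fpcuser = ""
    fpcpassword = ""
    if not fpcpassword and not fpcuser:
        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Enable OpenFPC?",
            "Snorby supports intergration with OpenFPC, a lightweight full-packet network traffic recorder & buffering system.\nInsta-Snorby can install and configure OpenFPC so that full pcaps of alerts will be made available inside the Snorby application.\n\n Would you like to enable OpenFPC?")
        if response:
            # inputbox() returns (retcode, text); only the text is kept, as
            # the original's later fpcuser[1] indexing did.
            fpcuser = d.inputbox(
                "Create OpenFPC Username",
                "Please enter your desired OpenFPC username.")[1]
            fpcpassword = d.get_password(
                "Create OpenFPC password",
                "Please enter your desired OpenFPC password.")
    if not (fpcuser and fpcpassword):
        # Declined, or an empty username/password: nothing to configure.
        return

    ipaddress = get_ip_address('eth0')
    d.infobox('Installing OpenFPC 0.6-314')
    run_quiet(['htpasswd', '-b', '-c', '/etc/openfpc/apache2.passwd',
               fpcuser, fpcpassword])
    run_quiet(['/root/openfpc-0.6-314/openfpc-install.sh', 'install'],
              cwd='/root/openfpc-0.6-314/')
    # Disable the stock GUI account and register the chosen one.
    edit_file('/etc/openfpc/openfpc-default.conf', [
        ('GUIUSER=openfpc', '#GUIUSER=openfpc'),
        ('GUIPASS=openfpc', '#GUIPASS=openfpc'),
        ('USER=openfpc=openfpc', 'USER=%s=%s' % (fpcuser, fpcpassword)),
    ])
    # Comment out Apache's basic-auth directives on the OpenFPC vhost: the
    # extract CGI is then no longer protected by Apache; the credentials are
    # instead handed to Snorby through the packet_capture_user/password
    # settings below. Like the sed originals these are plain prefix
    # substitutions and are not idempotent ('##' on a second run).
    edit_file('/etc/apache2/sites-enabled/openfpc.apache2.site', [
        ('AuthType Basic', '#AuthType Basic'),
        ('AuthName', '#AuthName'),
        ('AuthUserFile', '#AuthUserFile'),
        ('Require valid-user', '#Require valid-user'),
    ])
    d.infobox('Starting OpenFPC 0.6-314')
    run_quiet(['openfpc', '-action', 'start'])
    d.infobox('Configuring Snorby...')
    snorby_set('packet_capture', '1')
    snorby_set('packet_capture_url',
               ruby_str('https://%s/openfpc/cgi-bin/extract.cgi' % ipaddress))
    snorby_set('packet_capture_type', ruby_str('openfpc'))
    snorby_set('packet_capture_auto_auth', '1')
    snorby_set('packet_capture_user', ruby_str(fpcuser))
    snorby_set('packet_capture_password', ruby_str(fpcpassword))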
def main():
    """First-boot hook: offer to mirror the ELDIS and R4D datasets.

    Each dataset has its own yes/no prompt; both prompts are shown before
    any setup routine runs, then the confirmed ones are executed in order.
    """
    #ensure virtuoso is using new ini file
    #os.system('service virtuoso-opensource-6.1 restart')
    d = Dialog('TurnKey Linux - First boot configuration')
    prompts = (
        ("ELDIS data",
         "Mirror ELDIS data on this server, this will take some time.",
         eldis_setup),
        ("R4D data",
         "Mirror R4D data on this server, this will take some time.",
         r4d_setup),
    )
    # Ask everything first (list comprehension evaluates in order), run later.
    answers = [(d.yesno(title, text), setup) for title, text, setup in prompts]
    for confirmed, setup in answers:
        if confirmed:
            setup()
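def main():
    """First-boot hook: optionally schedule daily Snort rule updates via Pulled Pork.

    Asks whether to enable Pulled Pork. If confirmed, installs a 02:00 crontab
    entry for pulledpork.pl and then runs the update once immediately,
    appending its output to /var/log/pulledpork.

    Changes from the original: the crontab is read and written through
    `crontab -l` / `crontab -` pipes instead of the /root/crontmp scratch file
    that was left behind, and the entry is only added when an identical line
    is not already present, so re-running the hook no longer stacks
    duplicate cron jobs.
    """
    import subprocess

    cron_entry = ("0 2 * * * /root/pulledpork-0.6.1/pulledpork.pl"
                  " -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v"
                  " >> /var/log/pulledpork 2>&1 #Update Snort Rules")
    pulledpork_cmd = ['/root/pulledpork-0.6.1/pulledpork.pl',
                      '-c', '/root/pulledpork-0.6.1/etc/pulledpork.conf',
                      '-H', '-v']

    response = ""
    if not response:
        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Automatically Update Rules Everyday?",
            "Snorby can update the configured ruleset on a daily basis. Snorby supports this through intergration with Pulled Pork, a simple popular Snort rule update script\n\nEnable Pulled Pork?")
    if not response:
        return
    d.infobox('Configuring Pulled Pork to run everyday at 2:00AM local time')
    # `crontab -l` exits non-zero with no output when there is no crontab yet;
    # that simply means starting from an empty table, as the original did.
    listing = subprocess.Popen(['crontab', '-l'], stdout=subprocess.PIPE,
                               universal_newlines=True)
    current = listing.communicate()[0]
    if cron_entry not in current.splitlines():
        if current and not current.endswith('\n'):
            current += '\n'
        installer = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE,
                                     universal_newlines=True)
        installer.communicate(current + cron_entry + '\n')
    d.infobox('Running Pulled Pork now! Logs are stored at /var/log/pulledpork')
    # Same redirection as the cron line: stdout and stderr appended to the log.
    with open('/var/log/pulledpork', 'a') as log:
        subprocess.call(pulledpork_cmd, stdout=log, stderr=subprocess.STDOUT)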
def main():
    """Entry point: offer a reboot after a kernel update.

    SIGINT is ignored so the prompt cannot be interrupted; -h/--help prints
    usage. Choosing "Skip" exits with status 1, choosing "Reboot" returns
    normally.
    """
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    try:
        opts, _args = getopt.gnu_getopt(sys.argv[1:], "h", ['help'])
    except getopt.GetoptError as err:
        usage(err)
    if any(opt in ('-h', '--help') for opt, _ in opts):
        usage()
    prompt = Dialog("TurnKey GNU/Linux - Reboot after kernel update")
    if not prompt.yesno("Reboot now?", TEXT, "Reboot", "Skip"):
        sys.exit(1)
def main():
    """Entry point for the security-alerts first-boot hook.

    Reads --email / --email-placeholder. A command-line email that does not
    match email_re is fatal; when no email is given, one is requested in a
    dialog loop (the placeholder is the initial value). If an address
    results, secalerts.sh next to this script is run with it as the only
    argument (non-zero exit raises CalledProcessError via check=True).
    """
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    long_opts = ["help", "email=", "email-placeholder="]
    try:
        opts, _args = getopt.gnu_getopt(sys.argv[1:], "h", long_opts)
    except getopt.GetoptError as err:
        usage(err)

    email = ""
    email_placeholder = ""
    for opt, val in opts:
        if opt in ("-h", "--help"):
            usage()
        elif opt == "--email":
            email = val
        elif opt == "--email-placeholder":
            email_placeholder = val

    if email and not email_re.match(email):
        fatal("email is not valid")

    def ask_for_email(initial):
        # Dialog loop: "Skip" yields an empty address; an entry that fails
        # email_re re-prompts; a confirmed valid entry is returned.
        dlg = Dialog("TurnKey Linux - First boot configuration")
        candidate = initial
        while True:
            retcode, candidate = dlg.inputbox(TITLE, TEXT, candidate, "Enable", "Skip")
            dia_log(("secalerts.main():\n\tretcode:`{}'\n\temail:`{}'").format(
                retcode, candidate))
            if retcode == 'cancel':
                return ""
            if not email_re.match(candidate):
                dlg.error('Email is not valid')
                continue
            if dlg.yesno("Is your email correct?", candidate):
                return candidate

    if not email:
        email = ask_for_email(email_placeholder)
    if email:
        cmd = os.path.join(os.path.dirname(__file__), 'secalerts.sh')
        dia_log("\tcmd:`{}'".format(cmd))
        subprocess.run([cmd, email], check=True)
def main():
    """Entry point for the security-updates first-boot hook.

    Handles -h/--help, asks whether to install security updates (exit status
    1 on "Skip"), then probes connectivity by resolving
    archive.turnkeylinux.org with `host`; a non-zero exit from `host` shows
    CONNECTIVITY_ERROR and exits with status 1.
    """
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    try:
        opts, _args = getopt.gnu_getopt(sys.argv[1:], "h", ['help'])
    except getopt.GetoptError as err:
        usage(err)
    if any(opt in ('-h', '--help') for opt, _ in opts):
        usage()
    dialog = Dialog("TurnKey GNU/Linux - First boot configuration")
    if not dialog.yesno("Security updates", TEXT, "Install", "Skip"):
        sys.exit(1)
    try:
        check_output(["host", "-W", "2", "archive.turnkeylinux.org"])
    except CalledProcessError:
        dialog.error(CONNECTIVITY_ERROR)
        sys.exit(1)
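def main():
    """First-boot hook: optionally schedule daily Snort rule updates via Pulled Pork.

    Asks whether to enable Pulled Pork. If confirmed, installs a 02:00 crontab
    entry for pulledpork.pl and then runs the update once immediately,
    appending its output to /var/log/pulledpork.

    Changes from the original: the crontab is read and written through
    `crontab -l` / `crontab -` pipes instead of the /root/crontmp scratch file
    that was left behind, and the entry is only added when an identical line
    is not already present, so re-running the hook no longer stacks
    duplicate cron jobs.
    """
    import subprocess

    cron_entry = ("0 2 * * * /root/pulledpork-0.6.1/pulledpork.pl"
                  " -c /root/pulledpork-0.6.1/etc/pulledpork.conf -H -v"
                  " >> /var/log/pulledpork 2>&1 #Update Snort Rules")
    pulledpork_cmd = ['/root/pulledpork-0.6.1/pulledpork.pl',
                      '-c', '/root/pulledpork-0.6.1/etc/pulledpork.conf',
                      '-H', '-v']

    response = ""
    if not response:
        d = Dialog('Insta-Snorby - First boot configuration')
        response = d.yesno(
            "Automatically Update Rules Everyday?",
            "Snorby can update the configured ruleset on a daily basis. Snorby supports this through intergration with Pulled Pork, a simple popular Snort rule update script\n\nEnable Pulled Pork?"
        )
    if not response:
        return
    d.infobox(
        'Configuring Pulled Pork to run everyday at 2:00AM local time')
    # `crontab -l` exits non-zero with no output when there is no crontab yet;
    # that simply means starting from an empty table, as the original did.
    listing = subprocess.Popen(['crontab', '-l'], stdout=subprocess.PIPE,
                               universal_newlines=True)
    current = listing.communicate()[0]
    if cron_entry not in current.splitlines():
        if current and not current.endswith('\n'):
            current += '\n'
        installer = subprocess.Popen(['crontab', '-'], stdin=subprocess.PIPE,
                                     universal_newlines=True)
        installer.communicate(current + cron_entry + '\n')
    d.infobox(
        'Running Pulled Pork now! Logs are stored at /var/log/pulledpork'
    )
    # Same redirection as the cron line: stdout and stderr appended to the log.
    with open('/var/log/pulledpork', 'a') as log:
        subprocess.call(pulledpork_cmd, stdout=log, stderr=subprocess.STDOUT)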
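def main():
    """First-boot hook: optionally point /root/gameservers at a custom git repo/branch.

    Options: --gameserver-repo=URL and --gameserver-branch=NAME. Whatever is
    not given is asked for interactively; when the operator declines a
    custom repo, both values are reset to the defaults (this also discards a
    value passed on the command line, as in the original). If either value
    differs from its default, the origin URL and/or tracked branch of the
    checkout is updated and `git pull` runs.

    Changes from the original: git is run with an explicit cwd instead of
    chdir()ing the whole process, so the working directory is never left
    changed when a command raises (the original only restored it on the
    success path). The operator-supplied URL and branch are passed as argv
    elements, never through a shell; git exit codes are not checked, as
    before.
    """
    try:
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], 'h',
            ['help', 'gameserver-repo=', 'gameserver-branch='])
    except getopt.GetoptError as e:
        usage(e)
    default_gameserver_repo = 'https://github.com/jesinmat/linux-gameservers.git'
    default_gameserver_branch = 'master'
    gameserver_repo = ""
    gameserver_branch = ""
    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt == '--gameserver-repo':
            gameserver_repo = val
        elif opt == '--gameserver-branch':
            gameserver_branch = val
    dialog = Dialog('TurnKey Linux - First boot configuration')
    if not gameserver_repo or not gameserver_branch:
        choose_gameserver_upstream = dialog.yesno(
            'TKL Gameserver', 'Do you want to choose a custom repo?')
        if choose_gameserver_upstream:
            if not gameserver_repo:
                ok, gameserver_repo = dialog.inputbox(
                    'TKL Gameserver', 'Choose gameserver repo url',
                    default_gameserver_repo)
                if not ok:
                    gameserver_repo = default_gameserver_repo
            if not gameserver_branch:
                ok, gameserver_branch = dialog.inputbox(
                    'TKL Gameserver', 'Choose gameserver branch',
                    default_gameserver_branch)
                if not ok:
                    gameserver_branch = default_gameserver_branch
        else:
            gameserver_repo = default_gameserver_repo
            gameserver_branch = default_gameserver_branch

    repo_dir = '/root/gameservers'

    def git(*argv):
        # Run one git command inside the checkout; the result is not checked.
        return subprocess.run(['git', *argv], cwd=repo_dir)

    needs_pull = False
    if gameserver_repo != default_gameserver_repo:
        git('remote', 'set-url', 'origin', gameserver_repo)
        needs_pull = True
    if gameserver_branch != default_gameserver_branch:
        git('fetch')
        # The 'origin/' prefix means the branch name can never be parsed as
        # a git option, whatever the operator typed.
        git('checkout', '--track', f'origin/{gameserver_branch}')
        needs_pull = True
    if needs_pull:
        git('pull')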
if not email: d = Dialog("TurnKey Linux - First boot configuration") email = email_placeholder while 1: retcode, email = d.inputbox( TITLE, TEXT, email, "Enable", "Skip") if retcode == 1: email = "" break if not email_re.match(email): d.error('Email is not valid') continue if d.yesno("Is your email correct?", email): break if email: cmd = os.path.join(os.path.dirname(__file__), 'secalerts.sh') system(cmd, email) if __name__ == "__main__": main()
if not password: d = Dialog('TurnKey Linux - First boot configuration') password = d.get_password( "Redis-commander password", "Enter password to access redis-commander UI") if not range: d = Dialog('TurnKey Linux - First boot configuration') range = d.get_input("IP Range to access Redis", ("Enter IP range that would be allowed" "to access the Redis instance."), DEFAULT_RANGE) if not protected_mode: d = Dialog('TurnKey Linux - First boot configuration') protected_mode = d.yesno('Keep protected-mode enabled?', ( "In this mode Redis only replies to queries from the loopback interfaces, and reply to other clients connecting from other" "addresses with an error, explaining what is" "happening and how to configure Redis properly. (disabled by-default)" ), 'Yes', 'No') protected_mode_string = {True: "yes", False: "no"} conf = "/etc/redis/redis.conf" redis_commander_conf = "/etc/init.d/redis-commander" system("sed -i \"s|^bind .*|bind %s|\" %s" % (range, conf)) system(""" sed -i \"s|^protected-mode .*|protected-mode %s|\" %s""" % (protected_mode_string[protected_mode], conf)) system(""" sed -i \"s|--http-auth-password=.*|--http-auth-password=%s|\" %s""" % (password, redis_commander_conf)) # restart redis and redis commander if running so change takes effect
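def main():
    """First-boot hook: provision a new Samba AD domain or join an existing one.

    Options: --pass, --domain, --realm, --join_ns. A missing value, a set
    TURNKEY_INIT, or an invalid --join_ns switches the hook to interactive
    mode, where the values are asked for in dialogs and checked with
    validate_realm / validate_netbios / valid_ip. The main loop then stops
    the Samba services, wipes the existing Samba/Kerberos config and
    databases, runs `samba-tool domain provision` or `samba-tool domain join`
    followed by setexpiry and exportkeytab, and on success installs the
    keytab and krb5.conf, updates resolv.conf and /etc/hosts, starts
    samba-ad-dc and obtains a ticket with kinit. A failed samba-tool command
    in interactive mode shows the output, resets the entered values (keeping
    them as the new dialog defaults) and restarts the loop; non-interactive
    failures are fatal.

    Changes from the original: the long-option list is restored (the
    listing had the 'pass='/'domain=' separator garbled); the join command's
    -U value no longer carries literal double quotes (argument lists are not
    re-parsed by a shell, so the quotes would have become part of the user
    name); and the unused `retry` binding is dropped.
    """
    DEFAULT_REALM = "DOMAIN.LAN"
    DEFAULT_DOMAIN = "DOMAIN"
    DEFAULT_NS = ""
    try:
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], "h",
            ['help', 'pass=', 'domain=', 'realm=', 'join_ns='])
    except getopt.GetoptError as e:
        usage(e)
    interactive = False
    domain = ""
    realm = ""
    admin_password = ""
    join_nameserver = ""
    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt == '--pass':
            admin_password = val
        elif opt == '--realm':
            realm = val
        elif opt == '--domain':
            domain = val
        elif opt == '--join_ns':
            join_nameserver = val
            DEFAULT_NS = join_nameserver
    if ((not (realm and domain and admin_password))
            or (join_nameserver and not valid_ip(join_nameserver))
            or TURNKEY_INIT):
        interactive = True
        if join_nameserver:
            # NOTE(review): a nameserver was given, yet this selects
            # 'create' (provision) and the "Create or join?" prompt below is
            # skipped because join_nameserver is set; a join may have been
            # intended — confirm before changing.
            create = True
    elif realm and domain and admin_password and join_nameserver:
        join_nameserver = valid_ip(join_nameserver)
        create = False
    elif realm and domain and admin_password and not join_nameserver:
        create = True

    while True:
        if TURNKEY_INIT:
            d = Dialog('Turnkey Linux - First boot configuration')
            do_it = d.yesno(
                "Reconfigure Samba?",
                "Existing Samba config will be removed.\n\n"
                "Cancelling will leave existing config in place.\n"
                "\nContinue?",
                "Reconfigure", "Cancel")
            if not do_it:
                sys.exit(0)

        if interactive and not join_nameserver:
            d = Dialog('Turnkey Linux - First boot configuration')
            create = d.yesno(
                "Create new AD or join existing?",
                "You can create new Active Directory or join existing one.",
                "Create", "Join")
            if create:
                create = True

        # validate_realm / validate_netbios: on success the value is used as
        # the realm/domain itself; on failure [0] is falsy and [1] carries the
        # message shown to the operator (inferred from the uses below).
        if not realm:
            while True:
                d = Dialog('Turnkey Linux - First boot configuration')
                realm = d.get_input(
                    "Samba Kerberos Realm / AD DNS zone",
                    "Kerberos Realm should be 2 or more groups of 63 or less"
                    " ASCII characters, separated by dot(s). Kerberos realm"
                    " will be stored as uppercase; DNS zone as"
                    " lowercase\n\n"
                    "Enter the Realm / DNS zone you would like to use.",
                    DEFAULT_REALM)
                realm = validate_realm(realm, interactive)
                if realm[0]:
                    break
                else:
                    d.error(realm[1])
                    continue
        else:
            realm = validate_realm(realm, interactive)

        if not domain:
            while True:
                d = Dialog('TurnKey Linux - First boot configuration')
                domain = d.get_input(
                    "Samba NetBIOS Domain (aka workgroup)",
                    "The NetBIOS domain (aka workgroup) should be 15 or less"
                    " ASCII characters.\n\n"
                    "Enter NetBIOS domain (aka 'WORKGROUP') to use.",
                    DEFAULT_DOMAIN)
                domain = validate_netbios(domain, interactive)
                if domain[0]:
                    break
                else:
                    d.error(domain[1])
                    continue
        else:
            domain = validate_netbios(domain, interactive)

        if not admin_password:
            d = Dialog('TurnKey Linux - First boot configuration')
            admin_password = d.get_password(
                "Samba Password",
                "Enter password for the samba 'Administrator' account.",
                pass_req=8, min_complexity=3, blacklist=['(', ')'])

        if interactive and not create:
            d = Dialog('Turnkey Linux - First boot configuration')
            while True:
                join_nameserver = d.get_input(
                    "Add nameserver",
                    "Set DNS server IPv4 for existing AD domain DNS server",
                    DEFAULT_NS)
                if not valid_ip(join_nameserver):
                    d.error("IP: '{}' is not valid.".format(join_nameserver))
                    join_nameserver = ""
                    continue
                else:
                    break

        # Stop any Samba services
        services = ['samba', 'samba-ad-dc', 'smbd', 'nmbd']
        for service in services:
            subprocess.run(['systemctl', 'stop', service], stderr=PIPE)

        # Remove Samba & Kerberos conf
        rm_f('/etc/samba/smb.conf')
        rm_f('/etc/krb5.conf')

        # Remove Samba DBs
        dirs = [
            '/var/run/samba', '/var/lib/samba',
            '/var/cache/samba', '/var/lib/samba/private'
        ]
        for _dir in dirs:
            for _db_file in ['*.tdb', '*.ldb']:
                rm_glob('/'.join([_dir, _db_file]))

        # NOTE: samba-tool only takes the Administrator password as a
        # command-line argument (--adminpass / --password), so it is visible
        # in the process list while the command runs. The DNS forwarder is
        # hard-coded to 8.8.8.8.
        if create:
            samba_domain = [
                'samba-tool', 'domain', 'provision',
                '--server-role=dc',
                '--use-rfc2307',
                '--dns-backend=SAMBA_INTERNAL',
                '--realm={}'.format(realm),
                '--domain={}'.format(domain),
                '--adminpass={}'.format(admin_password),
                '--option=dns forwarder=8.8.8.8',
                '--option=interfaces=127.0.0.1 {}'.format(NET_IP)
            ]
        else:  # join
            samba_domain = [
                'samba-tool', 'domain', 'join',
                realm, 'DC',
                # argv element: no shell quoting wanted around DOMAIN\user
                '-U{}\\Administrator'.format(domain),
                '--password={}'.format(admin_password),
                '--option=idmap_ldb:use rfc2307 = yes'
            ]
        set_expiry = [
            'samba-tool', 'user', 'setexpiry',
            ADMIN_USER,
            '--noexpiry'
        ]
        export_krb = [
            'samba-tool', 'domain', 'exportkeytab',
            '/etc/krb5.keytab'
        ]

        finalize = False
        for samba_command in [samba_domain, set_expiry, export_krb]:
            samba_run_code, samba_run_out = run_command(samba_command)
            if samba_run_code != 0:
                if interactive:
                    d = Dialog('Turnkey Linux - First boot configuration')
                    d.error("{}\n\n".format(samba_run_out))
                    # Re-prompt with the rejected values as the new defaults;
                    # the password is never carried over.
                    finalize = False
                    DEFAULT_REALM = realm
                    realm = ""
                    DEFAULT_DOMAIN = domain
                    domain = ""
                    admin_password = ""
                    DEFAULT_NS = join_nameserver
                    join_nameserver = ""
                    break
                else:
                    fatal("Errors in processing domain-controller inithook"
                          " data.")
            else:
                finalize = True

        if finalize:
            # The keytab holds the machine's Kerberos keys: root-only.
            os.chown('/etc/krb5.keytab', 0, 0)
            os.chmod('/etc/krb5.keytab', 0o600)
            shutil.copy2('/var/lib/samba/private/krb5.conf', '/etc/krb5.conf')
            update_resolvconf(realm.lower())
            subprocess.run(['systemctl', 'restart', 'resolvconf.service'])
            update_hosts(NET_IP, HOSTNAME.lower(), realm.lower())
            subprocess.run(['systemctl', 'start', 'samba-ad-dc'])
            while subprocess.run([
                    'systemctl', 'is-active', '--quiet', 'samba-ad-dc'
                    ]).returncode != 0:
                time.sleep(1)
            # Password goes to kinit on stdin, not on its command line.
            subprocess.check_output(['kinit', ADMIN_USER],
                                    encoding='utf-8', input=admin_password)
            msg = "\nPlease ensure that you have set a static IP. If you" \
                  " haven't already, please ensure that you do that ASAP," \
                  " and update IP addresses in DNS and hosts file (please" \
                  " see docs for more info)."
            if interactive:
                d = Dialog('Turnkey Linux - First boot configuration')
                d.infobox(msg)
            else:
                print(msg)
            break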
d = Dialog('TurnKey Linux - First boot configuration') while True: ip_bind = d.get_input("IPv4 Address to access Redis", ("Enter IPv4 Address that will be allowed " "to access the Redis instance."), DEFAULT_BIND) if validate_ip(ip_bind): break d.msgbox("Invalid IPv4 Address", "\"{}\" is not a valid IPv4 address!".format(ip_bind)) if not protected_mode: d = Dialog('TurnKey Linux - First boot configuration') protected_mode = d.yesno('Keep protected-mode enabled?', ( "In this mode Redis only replies to queries from the loopback " "interfaces. Reply to other clients connecting from other addresses " "will receive an error, noting why & how to configure Redis. " "(disabled by-default)"), 'Yes', 'No') protected_mode_string = {True: "yes", False: "no"} conf = "/etc/redis/redis.conf" redis_commander_conf = "/etc/init.d/redis-commander" system("sed -i \"s|^bind .*|bind %s|\" %s" % (ip_bind, conf)) system(""" sed -i \"s|^protected-mode .*|protected-mode %s|\" %s""" % (protected_mode_string[protected_mode], conf)) system(""" sed -i \"s|--http-auth-password=.*|--http-auth-password=%s|\" %s""" % (password, redis_commander_conf)) # restart redis and redis commander if running so change takes effect
For maximum protection, we recommend rebooting now. """


def usage(s=None):
    # Print an optional error, then the syntax line and the module docstring,
    # all to stderr (Python 2 print-chevron form), and exit with status 1.
    if s:
        print >> sys.stderr, "Error:", s
    print >> sys.stderr, "Syntax: %s [options]" % sys.argv[0]
    print >> sys.stderr, __doc__
    sys.exit(1)


def main():
    # Ignore Ctrl-C so the reboot prompt cannot be interrupted.
    signal.signal(signal.SIGINT, signal.SIG_IGN)
    try:
        opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ['help'])
    except getopt.GetoptError, e:  # Python 2 except syntax
        usage(e)
    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
    d = Dialog("TurnKey GNU/Linux - Reboot after kernel update")
    # "Reboot" returns normally; "Skip" exits with status 1.
    reboot = d.yesno("Reboot now?", TEXT, "Reboot", "Skip")
    if not reboot:
        sys.exit(1)


if __name__ == "__main__":
    main()
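def main():
    """First-boot hook: provision a new Samba AD domain controller or join one.

    Options: --pass, --domain, --realm, --join_ns, --hostname. A missing
    value, a set TURNKEY_INIT, an invalid --join_ns, or --join_ns without
    --hostname switches the hook to interactive mode, where values are asked
    for in dialogs and checked with validate_realm / validate_netbios /
    valid_ip / validate_hostname. The main loop stops the Samba services,
    wipes the existing Samba/Kerberos config and databases, updates
    resolv.conf and /etc/hosts, runs either `samba-tool domain provision` or
    (`kinit` + `samba-tool domain join`) followed by exportkeytab, and on
    success installs the keytab and krb5.conf, starts samba-ad-dc, obtains a
    ticket with kinit and prints the client-setup summary. A failed command
    in interactive mode is logged to COMMAND_LOG, summarised in a dialog,
    the entered values are reset (kept as new dialog defaults), resolv.conf
    and hosts are restored and the loop restarts; non-interactive failures
    are fatal.

    Changes from the original: the long-option list is restored (the
    listing had the 'pass='/'domain=' separator garbled); the provisioning
    password is masked when the command line is echoed to stdout and when it
    is written to COMMAND_LOG (both previously printed `--adminpass=<pw>` in
    clear); the join command's idmap option no longer carries literal single
    quotes (argv elements are not re-parsed by a shell, so they became part
    of the parameter name); and the unused `retry` binding is dropped.
    """

    def redacted(argv):
        # Command line for display/logging with the provisioning password
        # masked; everything else is shown as-is.
        return ' '.join(
            '--adminpass=<redacted>' if arg.startswith('--adminpass=') else arg
            for arg in argv)

    HOSTNAME = subprocess.run(['hostname', '-s'],
                              encoding='utf-8', stdout=PIPE).stdout.strip()
    # NOTE(review): `hostname -I` lists every configured address, space
    # separated; a multi-homed host yields several here — confirm that is
    # intended for the interfaces= option and the hosts entry below.
    NET_IP = subprocess.run(['hostname', '-I'],
                            encoding='utf-8', stdout=PIPE).stdout.strip()
    # disabled for now, will reimplment at some point...
    # NET_IP321 = NET_IP.split('.')[:-1]
    # NET_IP321.reverse()
    # NET_IP321 = '.'.join(NET_IP321)
    # NET_IP4 = NET_IP.split('.')[-1]
    DEFAULT_HOSTNAME = "dc1"
    DEFAULT_REALM = "DOMAIN.LAN"
    DEFAULT_DOMAIN = "DOMAIN"
    DEFAULT_NS = ""
    DEFAULT_NEW_HOSTNAME = "dc2"
    try:
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], "h",
            ['help', 'pass=', 'domain=', 'realm=', 'join_ns=', 'hostname='])
    except getopt.GetoptError as e:
        usage(e)
    interactive = False
    domain = ""
    realm = ""
    admin_password = ""
    join_nameserver = ""
    hostname = ""
    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt == '--pass':
            admin_password = val
        elif opt == '--realm':
            realm = val
        elif opt == '--domain':
            domain = val
        elif opt == '--join_ns':
            join_nameserver = val
            DEFAULT_NS = join_nameserver
        elif opt == '--hostname':
            hostname = val
    if ((not (realm and domain and admin_password))
            or (join_nameserver and not valid_ip(join_nameserver)
                or (join_nameserver and not hostname))
            or TURNKEY_INIT):
        interactive = True
        if join_nameserver:
            # NOTE(review): a nameserver was given, yet this selects
            # 'create' and the "Create or join?" prompt below is skipped
            # because join_nameserver is set; a join may have been intended —
            # confirm before changing.
            create = True
    elif realm and domain and admin_password and join_nameserver and hostname:
        join_nameserver = valid_ip(join_nameserver)
        update_resolvconf(realm.lower(), join_nameserver, interactive)
        hostname = validate_hostname(hostname, realm, interactive,
                                     DEFAULT_HOSTNAME)
        if join_nameserver and hostname[0]:
            # both valid
            create = False
        elif join_nameserver:
            # invalid hostname
            restore_resolvconf()
            interactive = True
            hostname = ""
        elif hostname[0]:
            # invalid nameserver IPv4
            interactive = True
        else:
            # both invalid
            restore_resolvconf()
            interactive = True
            hostname = ""
            join_nameserver = ""
    elif realm and domain and admin_password and not join_nameserver:
        create = True

    while True:
        if TURNKEY_INIT:
            d = Dialog('Turnkey Linux - First boot configuration')
            do_it = d.yesno(
                "Reconfigure Samba?",
                "Existing Samba config will be removed.\n\n"
                "Cancelling will leave existing config in place.\n"
                "\nContinue?",
                "Reconfigure", "Cancel")
            if not do_it:
                sys.exit(0)

        if interactive and not join_nameserver:
            d = Dialog('Turnkey Linux - First boot configuration')
            create = d.yesno(
                "Create new AD or join existing?",
                "You can create new Active Directory or join existing one."
                "\n\nNote that joining a non-TurnKey existing AD domain not is"
                " experimental and may fail. If so, please manually configure"
                " using the 'samba-tool' commandline tool.",
                "Create", "Join")
            if create:
                create = True
            else:
                create = False

        # validate_*: on success the value is used as the realm/domain/
        # hostname itself; on failure [0] is falsy and [1] carries the
        # message shown to the operator (inferred from the uses below).
        if not realm:
            while True:
                d = Dialog('Turnkey Linux - First boot configuration')
                realm = d.get_input(
                    "Samba Kerberos Realm / AD DNS zone",
                    "Kerberos Realm should be 2 or more groups of 63 or less"
                    " ASCII characters, separated by dot(s). Kerberos realm"
                    " will be stored as uppercase; DNS zone as"
                    " lowercase\n\n"
                    "Enter the Realm / DNS zone you would like to use.",
                    DEFAULT_REALM)
                realm = validate_realm(realm, interactive)
                if realm[0]:
                    break
                else:
                    d.error(realm[1])
                    continue
        else:
            realm = validate_realm(realm, interactive)

        if not domain:
            while True:
                d = Dialog('TurnKey Linux - First boot configuration')
                domain = d.get_input(
                    "Samba NetBIOS Domain (aka workgroup)",
                    "The NetBIOS domain (aka workgroup) should be 15 or less"
                    " ASCII characters.\n\n"
                    "Enter NetBIOS domain (aka 'WORKGROUP') to use.",
                    DEFAULT_DOMAIN)
                domain = validate_netbios(domain, interactive)
                if domain[0]:
                    break
                else:
                    d.error(domain[1])
                    continue
        else:
            domain = validate_netbios(domain, interactive)

        if not admin_password:
            d = Dialog('TurnKey Linux - First boot configuration')
            server_status = 'new' if create else 'existing'
            admin_password = d.get_password(
                "Samba Password",
                "Enter password for the {} samba Domain 'Administrator'"
                " account.".format(server_status),
                pass_req=8, min_complexity=3, blacklist=['(', ')'])

        if interactive and not create:
            d = Dialog('Turnkey Linux - First boot configuration')
            if not join_nameserver:
                while True:
                    join_nameserver = d.get_input(
                        "Add nameserver",
                        "Set DNS server IPv4 for existing AD domain DNS"
                        " server",
                        DEFAULT_NS)
                    if not valid_ip(join_nameserver):
                        d.error("IP: '{}' not valid.".format(join_nameserver))
                        join_nameserver = ""
                        continue
                    else:
                        break
            update_resolvconf(realm.lower(), join_nameserver, interactive)
            if not hostname:
                while True:
                    hostname = d.get_input(
                        "Set new hostname",
                        "Set new unique hostname for this domain-controller.",
                        DEFAULT_NEW_HOSTNAME)
                    hostname = validate_hostname(hostname, realm.lower(),
                                                 interactive, DEFAULT_HOSTNAME)
                    if not hostname[0]:
                        d.error(hostname[1])
                        continue
                    else:
                        set_hostname(hostname)
                        break

        # Stop any Samba services
        services = ['samba', 'samba-ad-dc', 'smbd', 'nmbd']
        for service in services:
            subprocess.run(['systemctl', 'stop', service], stderr=PIPE)

        # Remove Samba & Kerberos conf
        rm_f('/etc/samba/smb.conf')
        rm_f('/etc/krb5.conf')

        # Remove Samba DBs
        dirs = [
            '/var/run/samba', '/var/lib/samba',
            '/var/cache/samba', '/var/lib/samba/private'
        ]
        for _dir in dirs:
            for _db_file in ['*.tdb', '*.ldb']:
                rm_glob('/'.join([_dir, _db_file]))

        set_expiry = [
            'samba-tool', 'user', 'setexpiry',
            ADMIN_USER,
            '--noexpiry'
        ]
        export_krb = [
            'samba-tool', 'domain', 'exportkeytab',
            '/etc/krb5.keytab'
        ]
        krb_pass = None
        if create:
            ip = NET_IP  # will add to hosts file
            # NOTE: provision only accepts the password as --adminpass on the
            # command line, so it is visible in the process list while the
            # command runs. The DNS forwarder is hard-coded to 8.8.8.8.
            samba_domain = [
                'samba-tool', 'domain', 'provision',
                '--server-role=dc',
                '--use-rfc2307',
                '--dns-backend=SAMBA_INTERNAL',
                '--realm={}'.format(realm),
                '--domain={}'.format(domain),
                '--adminpass={}'.format(admin_password),
                '--option=dns forwarder=8.8.8.8',
                '--option=interfaces=127.0.0.1 {}'.format(NET_IP)
            ]
            commands = [samba_domain, set_expiry, export_krb]
            nameserver = '127.0.0.1'
            hostname = HOSTNAME
        else:  # join
            # Minimal krb5.conf so kinit can find the existing domain's KDC
            # through DNS.
            with open('/etc/krb5.conf', 'w') as fob:
                fob.write('[libdefaults]\n')
                fob.write(' dns_lookup_realm = false\n')
                fob.write(' dns_lookup_kdc = true\n')
                fob.write(' default_realm = {}'.format(realm))
            ip = None  # will update 127.0.1.1 hosts entry only
            # The join authenticates with a ticket: the password is fed to
            # kinit on stdin (run_command stdin=), never on a command line.
            config_krb = ['kinit', 'administrator']
            krb_pass = admin_password
            samba_domain = [
                'samba-tool', 'domain', 'join',
                realm.lower(), 'DC',
                # argv element: no shell quoting wanted around the option
                '--option=idmap_ldb:use rfc2307 = yes'
            ]
            commands = [config_krb, samba_domain, export_krb]
            nameserver = join_nameserver

        finalize = False
        update_resolvconf(realm.lower(), nameserver, interactive)
        print('hostname', hostname, 'realm', realm)
        update_hosts('127.0.1.1', hostname, realm)
        if ip:
            update_hosts(ip, hostname, realm)
        for samba_command in commands:
            print('Running command: {}'.format(redacted(samba_command)))
            if krb_pass:
                samba_run_code, samba_run_out = run_command(samba_command,
                                                            stdin=krb_pass)
                krb_pass = None
            else:
                samba_run_code, samba_run_out = run_command(samba_command)
            if samba_run_code != 0:
                os.makedirs(os.path.dirname(COMMAND_LOG), exist_ok=True)
                with open(COMMAND_LOG, 'a') as fob:
                    fob.write("Command: {}\n\n".format(redacted(samba_command)))
                    fob.write("\n")
                    fob.write("{}\n".format(samba_run_out))
                if interactive:
                    d = Dialog('Turnkey Linux - First boot configuration')
                    # handle incorrect details: keep the leading part of the
                    # samba-tool error lines, drop everything after the first
                    # 'ERROR' line.
                    lines_to_print = []
                    end = False
                    for line in samba_run_out.split('\n'):
                        if line.startswith('Failed to bind'):
                            lines_to_print.append("-".join(
                                line.split("-", 2)[:2]))
                        elif line.startswith('Failed to connect'):
                            lines_to_print.append(line.split("-", 1)[:1][0])
                        elif line.startswith('ERROR'):
                            lines_to_print.append("-".join(
                                line.split("-", 2)[:2]))
                            end = True
                        else:
                            if not end:
                                lines_to_print.append(line)
                            continue
                    lines_to_print.append('')
                    lines_to_print.append(
                        "See {} for full output".format(COMMAND_LOG))
                    d.error("{}\n\n".format('\n'.join(lines_to_print)))
                    # Re-prompt with the rejected values as the new defaults;
                    # the password is never carried over.
                    finalize = False
                    DEFAULT_REALM = realm
                    realm = ""
                    DEFAULT_DOMAIN = domain
                    domain = ""
                    admin_password = ""
                    DEFAULT_NS = join_nameserver
                    join_nameserver = ""
                    break
                else:
                    fatal("Errors in processing domain-controller inithook"
                          " data:\n{}".format(samba_run_out))
            else:
                finalize = True

        if finalize:
            # The keytab holds the machine's Kerberos keys: root-only.
            os.chown('/etc/krb5.keytab', 0, 0)
            os.chmod('/etc/krb5.keytab', 0o600)
            shutil.copy2('/var/lib/samba/private/krb5.conf', '/etc/krb5.conf')
            subprocess.run(['systemctl', 'start', 'samba-ad-dc'])
            while subprocess.run([
                    'systemctl', 'is-active', '--quiet', 'samba-ad-dc'
                    ]).returncode != 0:
                time.sleep(1)
            # Password goes to kinit on stdin, not on its command line.
            subprocess.check_output(['kinit', ADMIN_USER],
                                    encoding='utf-8', input=admin_password)
            msg = "\nPlease ensure that you have set a static IP. If you" \
                  " haven't already, please ensure that you do that ASAP," \
                  " and update IP addresses in DNS and hosts file (please" \
                  " see docs for more info).\n"
            if create:
                msg = msg + \
                    "\nWhen adding clients, you'll need this info:\n" \
                    " nameserver: {}\n" \
                    " * - set client to use this nameserver first!\n" \
                    " AD DNS domain: {}\n" \
                    " AD admin account name: {}\n" \
                    " AD admin user password: (what you set)\n" \
                    "".format(nameserver, realm.lower(), ADMIN_USER)
            if interactive:
                d = Dialog('Turnkey Linux - First boot configuration')
                d.infobox(msg)
            else:
                print(msg)
            cleanup()
            break
        else:
            restore_resolvconf()
            restore_hosts()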
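def main():
    """First-boot hook: set the redis-commander password and Redis bind/protected-mode.

    Options: --pass, --ip_bind (also accepted as --bind), --protected_mode.
    Missing values are asked for in dialogs. The bind choice maps "all" to
    0.0.0.0 and anything else to 127.0.0.1; protected-mode is written as
    "yes"/"no". The values go into /etc/redis/redis.conf and the
    redis-commander init script; the services are then restarted if active.

    Changes from the original: the option handler compared against '--bind'
    although the declared long option is 'ip_bind=', so a command-line bind
    value was never picked up; a --protected_mode string raised KeyError in
    a True/False lookup; the config edits went through sed with the
    password in the replacement text, where '&', '|' or '\\' alter the
    result; and the restart step wrapped subprocess.run in a try/except for
    ExecError, which subprocess never raises, so `systemctl is-active` ran
    but its answer was ignored. The password still ends up as a command-line
    argument inside the init script, as before.
    """
    import re

    def edit_line(path, pattern, replacement):
        # Replace every per-line match of `pattern` with the literal
        # `replacement`; the callable form keeps re.sub from interpreting
        # backslashes or group references in the new text.
        with open(path) as fob:
            text = fob.read()
        text = re.sub(pattern, lambda _m: replacement, text, flags=re.MULTILINE)
        with open(path, 'w') as fob:
            fob.write(text)

    def is_active(unit):
        return subprocess.run(
            ["systemctl", "is-active", "--quiet", unit]).returncode == 0

    try:
        opts, args = getopt.gnu_getopt(
            sys.argv[1:], "h",
            ['help', 'pass=', 'ip_bind=', 'protected_mode='])
    except getopt.GetoptError as e:
        usage(e)
    password = ""
    bind = ""
    protected_mode = ""
    for opt, val in opts:
        if opt in ('-h', '--help'):
            usage()
        elif opt in ('--ip_bind', '--bind'):
            bind = val
        elif opt == '--pass':
            password = val
        elif opt == '--protected_mode':
            protected_mode = val

    if not password:
        d = Dialog('TurnKey Linux - First boot configuration')
        password = d.get_password(
            "Redis-commander 'admin' password",
            "Enter password for 'addmin' access to redis-commander UI")

    if not bind:
        d = Dialog('TurnKey Linux - First boot configuration')
        bind = d.menu(
            "Interface(s) for Redis to bind to",
            ("Inteface for Redis to bind to?\n\nIf you wish to securely"
             " allow remote connections using 'all', ensure the system"
             " firewall is enabled & block all traffic on port 6379,"
             " except for the desired remote IP(s).\n\nManually edit the"
             " config file to set a custom interface."),
            choices=(("localhost", "Redis will not respond to remote computer"),
                     ("all", "Redis will allow all connections")))
    bind_ip = "0.0.0.0" if bind == "all" else "127.0.0.1"

    if not protected_mode:
        d = Dialog('TurnKey Linux - First boot configuration')
        protected_mode = d.yesno(
            'Keep protected-mode enabled?',
            "In protected mode Redis only replies to queries from"
            " localhost. Clients connecting from other addresses will"
            " receive an error, noting why & how to configure Redis.\n"
            "\nUnless you set really good password, this is recommended",
            'Yes', 'No')
    # yesno() yields a bool, --protected_mode a string; normalise both.
    protected = str(protected_mode).strip().lower() in ('yes', 'true', '1', 'on')
    protected_mode_string = "yes" if protected else "no"

    conf = "/etc/redis/redis.conf"
    redis_commander_conf = "/etc/init.d/redis-commander"
    edit_line(conf, r'^bind .*$', 'bind %s' % bind_ip)
    edit_line(conf, r'^protected-mode .*$',
              'protected-mode %s' % protected_mode_string)
    # Everything after the option on that line is replaced, as the original
    # sed expression did. NOTE(review): the init script's shell will parse
    # this argument, so whitespace or shell metacharacters in the password
    # need quoting there — confirm how the script quotes it.
    edit_line(redis_commander_conf, r'--http-auth-password=.*$',
              '--http-auth-password=%s' % password)

    # restart redis and redis commander if running so change takes effect
    if is_active("redis-server.service"):
        subprocess.run(["service", "redis-server", "restart"])
    subprocess.run(["systemctl", "daemon-reload"])
    if is_active("redis-commander.service"):
        subprocess.run(["service", "redis-commander", "restart"])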
elif opt == '--join': if(val): join = (val in ['true', 'True']) elif opt == '--join_ns': join_nameserver = val elif opt == '--join_check': if(val): join_check = (val in ['true', 'True']) while 1: if join == "ask interactively": d = Dialog('Turnkey Linux - First boot configuration') join = d.yesno( "Join existing AD?", "You can create the Active Directory or join existing.", "Join", "Create") if not realm: d = Dialog('Turnkey Linux - First boot configuration') realm = d.get_input( "Samba/Kerberos Realm", "Enter realm you would like to use.", DEFAULT_REALM) DEFAULT_DOMAIN = realm.split('.')[0].upper() if not domain: d = Dialog('TurnKey Linux - First boot configuration') domain = d.get_input( "Samba Domain",
"FOG Password", "Enter new password for the default FOG Admin account ('fog').") #Network setup inc IP address # set FOG server static IP address, netmask, router/gateway, nameserver # leverages a slightly modified version of TKL confconsole configure = tklconf.networking() configure = tklconf._ifconf_staticip() ipaddr, netmask, router, nameserver = configure #Use FOG DHCP? # If yes configure DHCP, if no disable DHCP d = Dialog('TurnKey Linux - First boot configuration') dhcpused = d.yesno( "FOG server integrated DHCP", "Use the FOG server for your network DHCP? \n \nIf 'Yes' then disable all other network DHCP servers. \nIf 'No' then configure your current DHCP server to use the FOG PXE boot image. See \nhttp://www.fogproject.org/wiki/index.php?title=Modifying_existing_DHCP_server_to_work_with_FOG \nfor more info.") #set some variables CONF_DIR = "/etc/dhcp3/" CONF_FILE = CONF_DIR+"dhcpd.conf" if dhcpused == True: # if DHCP used then... otherwise skip this bit networkbase = ipaddr.split(".") networkbase = networkbase[0]+"."+networkbase[1]+"."+networkbase[2]+"." ipexample = networkbase+"x" d = Dialog('TurnKey Linux - First boot configuration') startrange = d.get_input( "Set FOG DHCP IP range",
def main(): try: opts, args = getopt.gnu_getopt(sys.argv[1:], "hp:", ['help', 'oink=']) except getopt.GetoptError, e: usage(e) oinkcode = "" for opt, val in opts: if opt in ('-h', '--help'): usage() elif opt in ('-o', '--oink'): oinkcode = val if not oinkcode: d = Dialog('Insta-Snorby - First boot configuration') response = d.yesno("Enter Oinkcode?","Snorby can automatically download and install Sourcefire's VRT rules. In order to do this, you need obtain and enter your Oinkcode from snort.org. \n\nWould you like to enter your oink code?") if response: oinkcode = d.inputbox("Enter Oinkcode","Please enter your 40 character Oinkcode") if oinkcode: system('echo %s > /root/oinkcode' % oinkcode[1]) d.infobox('VRT rules are downloading...') try: system('wget http://www.snort.org/reg-rules/snortrules-snapshot-edge.tar.gz/%s -o /dev/null -O /root/snortrules.tar.gz' % oinkcode[1]) except: d.error("Could not download VRT rules.") d.infobox('Download complete! VRT rules are extracting...')
print >> sys.stderr, "Error:", s print >> sys.stderr, "Syntax: %s [options]" % sys.argv[0] print >> sys.stderr, __doc__ sys.exit(1) def main(): try: opts, args = getopt.gnu_getopt(sys.argv[1:], "h", ['help']) except getopt.GetoptError, e: usage(e) for opt, val in opts: if opt in ('-h', '--help'): usage() d = Dialog("Insta-Snorby - First boot configuration") install = d.yesno("Security updates", TEXT, "Install", "Skip") if not install: sys.exit(1) try: getoutput("host -W 2 archive.turnkeylinux.org") except ExecError, e: d.error(CONNECTIVITY_ERROR) sys.exit(1) if __name__ == "__main__": main()
elif opt == '--realm': realm = val DEFAULT_DOMAIN = realm.split('.')[0].upper() elif opt == '--domain': domain = val elif opt == '--join': join = val elif opt == '--join_ns': join_nameserver = val while 1: if not join: d = Dialog('Turnkey Linux - First boot configuration') join = d.yesno( "Join existing AD?", "You can create the Active Directory or join existing.", "Join", "Create") if not realm: d = Dialog('Turnkey Linux - First boot configuration') realm = d.get_input("Samba/Kerberos Realm", "Enter realm you would like to use.", DEFAULT_REALM) DEFAULT_DOMAIN = realm.split('.')[0].upper() if not domain: d = Dialog('TurnKey Linux - First boot configuration') domain = d.get_input("Samba Domain", "Enter domain you would like to use.", DEFAULT_DOMAIN)
try: opts, args = getopt.gnu_getopt(sys.argv[1:], "hp:", ['help', 'oink=']) except getopt.GetoptError, e: usage(e) oinkcode = "" for opt, val in opts: if opt in ('-h', '--help'): usage() elif opt in ('-o', '--oink'): oinkcode = val if not oinkcode: d = Dialog('Insta-Snorby - First boot configuration') response = d.yesno( "Enter Oinkcode?", "Snorby can automatically download and install Sourcefire's VRT rules. In order to do this, you need obtain and enter your Oinkcode from snort.org. \n\nWould you like to enter your oink code?" ) if response: oinkcode = d.inputbox("Enter Oinkcode", "Please enter your 40 character Oinkcode") if oinkcode: system('echo %s > /root/oinkcode' % oinkcode[1]) d.infobox('VRT rules are downloading...') try: system( 'wget http://www.snort.org/reg-rules/snortrules-snapshot-edge.tar.gz/%s -o /dev/null -O /root/snortrules.tar.gz' % oinkcode[1]) except: