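def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server.

    Creates a self-signed CA under /etc/pki/rsyslog, then installs the
    server certificate template and the client key generator script next
    to it.

    NOTE: This needs to be executed once a year.

    args: not used by this function.
    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy the CA template into the install dir and fill in the host tags.
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))
    hostname = "{0}.{1}".format(
        net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA.
    # NOTE(review): ca.key is written with certtool's default mode and the
    # current umask; nothing here tightens it — confirm on the target host.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      + "--outfile /etc/pki/rsyslog/ca.crt "
      + "--template {0}".format(template_ca))

    # Copy server template and cert/key generator script.
    # Fix: the original passed the undefined name ``fqdn`` to _replace_tags,
    # which raised NameError; the template gets the same hostname as the CA.
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(target_template))
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly; executable by root only.
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(generator_script))
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))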
def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server and every client listed
    in install.cfg.

    Builds a self-signed CA under /etc/pki/rsyslog and then issues one
    certificate per host returned by get_servers() through _create_cert().

    NOTE: This needs to be executed once a year.

    args: not used by this function.
    """
    pki_dir = "/etc/pki/rsyslog"
    x("mkdir -p " + pki_dir)

    # Stage the CA template in the install dir and fill in the host tags.
    template_ca = "%stemplate.ca" % get_install_dir()
    x("cp -f /opt/syco/var/rsyslog/template.ca " + template_ca)
    local_fqdn = "%s.%s" % (net.get_hostname(),
                            config.general.get_resolv_domain())
    _replace_tags(template_ca, local_fqdn)

    # Making the CA key and the self-signed CA certificate.
    # NOTE(review): ca.key keeps certtool's default file mode — confirm it is
    # not group/world readable on the target system.
    ca_key = pki_dir + "/ca.key"
    ca_crt = pki_dir + "/ca.crt"
    x("certtool --generate-privkey --outfile " + ca_key)
    x(" ".join(["certtool --generate-self-signed",
                "--load-privkey " + ca_key,
                "--outfile " + ca_crt,
                "--template " + template_ca]))

    # Create the rsyslog SERVER cert for each configured host.
    for server in get_servers():
        _create_cert(server)
def customize_shell():
    """
    Apply the syco shell customizations on this host.

    - timestamps in bash history (/etc/bashrc)
    - coloured grep output for root and for new users (/etc/skel)
    - keep SSH_AUTH_SOCK through sudo so agent forwarding survives
      ``sudo su``; /etc/sudoers is only replaced after ``visudo -c``
      accepts the edited copy.
    """
    app.print_verbose("Customize shell")

    app.print_verbose(" Add Date And Time To History Output")
    bashrc = scOpen("/etc/bashrc")
    bashrc.replace_add(
        "^export HISTTIMEFORMAT=.*$",
        "export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"")

    app.print_verbose(" Add Color To Grep")
    grep_settings = (
        ("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'"),
        ("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto"),
    )
    for profile_path in ("/root/.bash_profile", "/etc/skel/.bash_profile"):
        profile = scOpen(profile_path)
        for pattern, line in grep_settings:
            profile.replace_add(pattern, line)

    app.print_verbose(" Enable SSH key forwarding to work with sudo su")
    keep_sock = "Defaults env_keep += \"SSH_AUTH_SOCK\""
    tmp_sudo_file = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + tmp_sudo_file)
    sudoers = scOpen(tmp_sudo_file)
    sudoers.remove(keep_sock)  # drop any stale copy before re-adding it
    sudoers.add(keep_sock)

    # Never install an unparsable sudoers: validate the copy first.
    check_output = x("visudo -c -f " + tmp_sudo_file)
    if tmp_sudo_file + ": parsed OK" not in check_output:
        app.print_error("Temporary sudoers file corrupt, not updating")
        return
    x("mv " + tmp_sudo_file + " /etc/sudoers")
def customize_shell():
    """
    Set up syco's interactive-shell defaults.

    Adds timestamps to bash history, colours grep output for root and for
    future users created from /etc/skel, and lets SSH agent forwarding
    survive ``sudo su`` by keeping SSH_AUTH_SOCK in sudo's environment.
    The sudoers change is made on a copy and only moved into place once
    ``visudo -c`` reports that it parsed OK.
    """
    def _grep_colors(profile_path):
        # The same two exports go into every profile we touch.
        profile = scOpen(profile_path)
        profile.replace_add("^export GREP_COLOR=.*$",
                            "export GREP_COLOR='1;32'")
        profile.replace_add("^export GREP_OPTIONS=.*$",
                            "export GREP_OPTIONS=--color=auto")

    app.print_verbose("Customize shell")

    app.print_verbose(" Add Date And Time To History Output")
    scOpen("/etc/bashrc").replace_add(
        "^export HISTTIMEFORMAT=.*$",
        "export HISTTIMEFORMAT=\"%h/%d - %H:%M:%S \"")

    app.print_verbose(" Add Color To Grep")
    _grep_colors("/root/.bash_profile")
    _grep_colors("/etc/skel/.bash_profile")

    app.print_verbose(" Enable SSH key forwarding to work with sudo su")
    tmp_sudo_file = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + tmp_sudo_file)
    sudoers = scOpen(tmp_sudo_file)
    env_keep_line = "Defaults env_keep += \"SSH_AUTH_SOCK\""
    sudoers.remove(env_keep_line)
    sudoers.add(env_keep_line)

    # Validate before replacing the real file; a broken sudoers locks sudo out.
    visudo_output = x("visudo -c -f " + tmp_sudo_file)
    parsed_ok = (tmp_sudo_file + ": parsed OK") in visudo_output
    if parsed_ok:
        x("mv " + tmp_sudo_file + " /etc/sudoers")
    else:
        app.print_error("Temporary sudoers file corrupt, not updating")
def _create_cert(hostname):
    """
    Create a key, CSR and CA-signed certificate for one rsyslog host.

    hostname: short host name. The certificate is issued for
    ``<hostname>.<resolv domain>`` and the files land in
    /etc/pki/rsyslog/<fqdn>.{key,csr,crt}, signed with the ca.key/ca.crt
    pair in the same directory.
    """
    fqdn = "%s.%s" % (hostname, config.general.get_resolv_domain())
    app.print_verbose("Create cert for host: %s" % fqdn)

    base = "/etc/pki/rsyslog/" + fqdn
    key_file = base + ".key"
    csr_file = base + ".csr"
    crt_file = base + ".crt"

    # Host-specific copy of the server template with the tags filled in.
    template_server = "%stemplate.%s" % (get_install_dir(), fqdn)
    x("cp -f /opt/syco/var/rsyslog/template.server " + template_server)
    _replace_tags(template_server, fqdn)

    # Create key
    # NOTE(review): the key file keeps certtool's default mode — confirm.
    x("certtool --generate-privkey --outfile " + key_file)

    # Create cert request
    x(" ".join(["certtool --generate-request",
                "--load-privkey " + key_file,
                "--outfile " + csr_file,
                "--template " + template_server]))

    # Sign cert with the local CA
    x(" ".join(["certtool --generate-certificate",
                "--load-request " + csr_file,
                "--outfile " + crt_file,
                "--load-ca-certificate /etc/pki/rsyslog/ca.crt",
                "--load-ca-privkey /etc/pki/rsyslog/ca.key",
                "--template " + template_server]))
def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server and all clients defined
    in install.cfg.

    A self-signed CA is created in /etc/pki/rsyslog; each host from
    get_servers() then gets its own certificate via _create_cert().

    NOTE: This needs to be executed once a year.

    args: not used by this function.
    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template and fill in this host's tags.
    install_dir = get_install_dir()
    template_ca = "%stemplate.ca" % install_dir
    x("cp -f /opt/syco/var/rsyslog/template.ca %s" % template_ca)
    hostname = "%s.%s" % (net.get_hostname(),
                          config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA (key first, then the self-signed certificate).
    # NOTE(review): file modes are left to certtool/umask — confirm ca.key
    # is not readable by other users.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      "--outfile /etc/pki/rsyslog/ca.crt "
      "--template %s" % template_ca)

    #
    # Create rsyslog SERVER cert
    #
    servers = get_servers()
    for server in servers:
        _create_cert(server)
def _create_cert(hostname):
    """
    Create certificate for one rsyslog host.

    hostname: short host name; the resolv domain from the config is
    appended to form the FQDN the certificate is issued for. Produces
    <fqdn>.key, <fqdn>.csr and <fqdn>.crt in /etc/pki/rsyslog, the last
    one signed with the CA key/cert already present in that directory.
    """
    fqdn = "{0}.{1}".format(hostname, config.general.get_resolv_domain())
    app.print_verbose("Create cert for host: {0}".format(fqdn))

    template_server = "{0}template.{1}".format(get_install_dir(), fqdn)
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(
        template_server))
    _replace_tags(template_server, fqdn)

    # All certtool invocations share the same path pieces.
    parts = {"dir": "/etc/pki/rsyslog", "fqdn": fqdn, "tpl": template_server}

    # Create key
    x("certtool --generate-privkey "
      "--outfile {dir}/{fqdn}.key".format(**parts))

    # Create cert request
    x("certtool --generate-request "
      "--load-privkey {dir}/{fqdn}.key "
      "--outfile {dir}/{fqdn}.csr "
      "--template {tpl}".format(**parts))

    # Sign cert
    x("certtool --generate-certificate "
      "--load-request {dir}/{fqdn}.csr "
      "--outfile {dir}/{fqdn}.crt "
      "--load-ca-certificate {dir}/ca.crt "
      "--load-ca-privkey {dir}/ca.key "
      "--template {tpl}".format(**parts))
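def rsyslog_newcerts(args):
    """
    Generate new TLS certs for the rsyslog server.

    Creates a self-signed CA in /etc/pki/rsyslog and installs the server
    template plus the client key generator script alongside it.

    NOTE: This needs to be executed once a year.

    args: not used by this function.
    """
    pki_dir = "/etc/pki/rsyslog"
    x("mkdir -p " + pki_dir)

    # Copy certs template into the install dir and fill in the host tags.
    template_ca = "%stemplate.ca" % get_install_dir()
    x("cp -f /opt/syco/var/rsyslog/template.ca " + template_ca)
    hostname = "%s.%s" % (net.get_hostname(),
                          config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA.
    # NOTE(review): ca.key keeps certtool's default mode — confirm it is
    # restricted to root on the target host.
    x("certtool --generate-privkey --outfile %s/ca.key" % pki_dir)
    x("certtool --generate-self-signed --load-privkey %s/ca.key "
      "--outfile %s/ca.crt "
      "--template %s" % (pki_dir, pki_dir, template_ca))

    # Copy server template and cert/key generator script.
    # Fix: the original referenced an undefined ``fqdn`` here (NameError);
    # the server template is tagged with the same hostname as the CA.
    target_template = pki_dir + "/template.server"
    x("cp -f /opt/syco/var/rsyslog/template.server " + target_template)
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly; root-only executable.
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/%s %s/" % (generator_script, pki_dir))
    x("chmod 700 %s/%s" % (pki_dir, generator_script))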
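def _setup_default_database():
    """
    Create the SQLite default database for OpenVAS.

    The SQL file is a dump of the database after a regular OpenVAS
    installation, with two placeholders filled from the syco config before
    it is loaded into /var/lib/openvas/mgr/tasks.db: ${SYCO_HOSTS} (the
    subnet) and ${SYCO_ALERT_EMAIL} (the admin e-mail).

    NOTE: the config values are spliced into the SQL text verbatim, so they
    must come from the trusted install config only.
    """
    app.print_verbose('Setup default database')
    sql_file = "{0}sql_init.sql".format(get_install_dir())
    x("cp -f {0}var/openvas/sql_init.sql {1}".format(app.SYCO_PATH, sql_file))

    sql = scOpen(sql_file)
    sql.replace("${SYCO_HOSTS}", config.general.get_subnet())
    sql.replace("${SYCO_ALERT_EMAIL}", config.general.get_admin_email())

    # Feed the file to sqlite3 on stdin; no need to pipe it through cat.
    x("sqlite3 /var/lib/openvas/mgr/tasks.db < {0}".format(sql_file))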
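def _setup_default_database():
    """
    Create the SQLite default database for OpenVAS.

    Copies var/openvas/sql_init.sql (a dump of the database after a regular
    OpenVAS installation) into the install dir, substitutes ${SYCO_HOSTS}
    and ${SYCO_ALERT_EMAIL} from the config, and loads the result into
    /var/lib/openvas/mgr/tasks.db.

    NOTE: the substituted values end up inside SQL statements unescaped;
    they are taken from the install config and must not be user-supplied.
    """
    app.print_verbose('Setup default database')
    sql_path = "%ssql_init.sql" % get_install_dir()
    x("cp -f %svar/openvas/sql_init.sql %s" % (app.SYCO_PATH, sql_path))

    sql = scOpen(sql_path)
    sql.replace("${SYCO_HOSTS}", config.general.get_subnet())
    sql.replace("${SYCO_ALERT_EMAIL}", config.general.get_admin_email())

    # Redirect the file into sqlite3 instead of the useless `cat | sqlite3`.
    x("sqlite3 /var/lib/openvas/mgr/tasks.db < " + sql_path)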
def copy_easy_rsa():
    """
    Fetch easy-rsa 2.2.0 and install its 2.0 scripts into
    /etc/openvpn/easy-rsa.

    The zip is fetched with download_file() and checked against
    EASY_RSA_MD5; unzip is installed only for the extraction and removed
    again afterwards.
    NOTE(review): MD5 is no longer collision-resistant; prefer a SHA-2
    digest if download_file supports one — confirm.
    """
    archive = "v2.2.0.zip"

    # Downloading and md5 checking
    download_file(EASY_RSA_DOWNLOAD, archive, md5=EASY_RSA_MD5)

    # Unzipping and moving easy-rsa files
    install_dir = get_install_dir()
    x("yum -y install unzip")
    x("unzip %s%s -d %s" % (install_dir, archive, install_dir))
    x("mv %seasy-rsa-2.2.0/easy-rsa/2.0 /etc/openvpn/easy-rsa" % install_dir)
    x("yum -y remove unzip")
def copy_easy_rsa():
    """
    Download easy-rsa 2.2.0, verify its MD5 and move the 2.0 scripts to
    /etc/openvpn/easy-rsa.

    unzip is only needed for the extraction, so it is installed right
    before and removed right after.
    NOTE(review): an MD5 pin detects corruption but MD5 is not
    collision-resistant; a SHA-2 digest would be preferable if
    download_file supports it — confirm.
    """
    # Downloading and md5 checking
    download_file(EASY_RSA_DOWNLOAD, "v2.2.0.zip", md5=EASY_RSA_MD5)

    # Unzipping and moving easy-rsa files, in order.
    install_dir = get_install_dir()
    commands = [
        "yum -y install unzip",
        "unzip {dir}v2.2.0.zip -d {dir}".format(dir=install_dir),
        "mv {dir}easy-rsa-2.2.0/easy-rsa/2.0 /etc/openvpn/easy-rsa".format(
            dir=install_dir),
        "yum -y remove unzip",
    ]
    for command in commands:
        x(command)
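def _install_nrpe_plugins_dependencies():
    """
    Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the named
    plugins (and, on HP host/firewall machines, hpasmcli) without a
    password. Every sudo entry names one absolute command, and the drop-in
    is set to mode 0440 at the end.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    # Fix: the original line had "sudo yum install" pasted into the package
    # list, so yum tried to install packages named sudo/yum/install.
    x("yum install -y nagios-plugins-perl "
      "perl-Net-DNS-Resolver-Programmable perl-suidperl")

    nrpe_sudoers_file = scopen.scOpen("/etc/sudoers.d/nrpe")
    nrpe_sudoers_file.add("Defaults:nrpe !requiretty")
    for plugin in ("check_clamav",
                   "check_clamscan",
                   "check_disk",
                   "get_services",
                   "mysql/pmp-check-mysql-deleted-files",
                   "mysql/pmp-check-mysql-file-privs"):
        nrpe_sudoers_file.add(
            "nrpe ALL=NOPASSWD:{0}{1}".format(PLG_PATH, plugin))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        # Download and install HP health monitoring package.
        # NOTE(review): download_file() presumably saves under
        # get_install_dir(); if so, yum needs that path prefixed here — confirm.
        general.download_file(
            HP_HEALTH_URL, HP_HEALTH_FILENAME, md5=HP_HEALTH_MD5)
        x("yum install {0} -y".format(HP_HEALTH_FILENAME))

        # Remove their evil crontab
        x("rm -f /etc/cron.d/hp-health")

        # Let nrpe run hpasmcli
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:/sbin/hpasmcli")
        nrpe_sudoers_file.add(
            "nrpe ALL=NOPASSWD:{0}check_hpasm".format(PLG_PATH))

        x("service hp-health start")

    # sudo skips a sudoers.d drop-in whose mode is not 0440, so fix it up.
    x("chmod 0440 /etc/sudoers.d/nrpe")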
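def build_ossec(preloaded_conf):
    """
    Download, verify and build OSSEC HIDS from source, then enable it.

    preloaded_conf: file name under /opt/syco/var/ossec/osseconf/ that is
    copied in as etc/preloaded-vars.conf to answer install.sh's prompts.
    It is interpolated into a shell command, so callers pass fixed names
    from this package only.

    The build toolchain (gcc, make, perl-Time-HiRes) is installed here and
    left for the caller to remove after the build.
    """
    x('yum install gcc make perl-Time-HiRes -y')

    # Downloading and md5 checking
    download_file(OSSEC_DOWNLOAD, "ossec-hids.tar.gz", md5=OSSEC_MD5)

    # Preparing OSSEC for building
    install_dir = get_install_dir()
    x("tar -C {0} -zxf {0}ossec-hids.tar.gz".format(install_dir))
    x("mv {0}ossec-hids-* {0}ossecbuild".format(install_dir))

    # Copying in ossec settings before build. Raw string: the leading
    # backslash makes the shell skip any cp alias and must reach it as-is;
    # a plain '\c' is an invalid escape and warns on newer Pythons.
    x(r'\cp -f /opt/syco/var/ossec/osseconf/{0} '
      r'{1}ossecbuild/etc/preloaded-vars.conf'.format(preloaded_conf,
                                                      install_dir))

    # Building OSSEC
    x('{0}ossecbuild/install.sh'.format(install_dir))

    # Autostart ossec.
    x("chkconfig ossec on")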
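def build_ossec(preloaded_conf):
    """
    Build OSSEC HIDS from the verified source tarball and enable the service.

    preloaded_conf: name of a preloaded-vars file in
    /opt/syco/var/ossec/osseconf/; it is copied into the build tree as
    etc/preloaded-vars.conf so install.sh runs unattended. The name goes
    straight into a shell command — pass only fixed names from this package.

    gcc, make and perl-Time-HiRes are installed for the build; the caller
    is responsible for removing them afterwards.
    """
    x('yum install gcc make perl-Time-HiRes -y')

    # Downloading and md5 checking
    download_file(OSSEC_DOWNLOAD, "ossec-hids.tar.gz", md5=OSSEC_MD5)

    # Preparing OSSEC for building
    install_dir = get_install_dir()
    x("tar -C {0} -zxf {0}ossec-hids.tar.gz".format(install_dir))
    x("mv {0}ossec-hids-* {0}ossecbuild".format(install_dir))

    # Copying in ossec settings before build. The command is a raw string so
    # the leading backslash (bypass any cp alias) survives; '\c' is not a
    # valid Python escape sequence.
    x(r'\cp -f /opt/syco/var/ossec/osseconf/{0} {1}ossecbuild/etc/preloaded-vars.conf'
      .format(preloaded_conf, install_dir))

    # Building OSSEC
    x('{0}ossecbuild/install.sh'.format(install_dir))

    # Autostart ossec.
    x("chkconfig ossec on")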
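def _generate_client_keys():
    """
    Register every server from install.cfg as an OSSEC agent and write one
    downloadable key file per client.

    ossec-batch-manager.pl adds the agent to /var/ossec/etc/client.keys;
    that line is then copied into /var/ossec/etc/<fqdn>_client.keys, which
    is what the client fetches. The key files end up ossec:ossec 0640.

    Fix: the line is selected with ``grep -Fw`` so a name only matches
    itself as a whole word. The original substring grep on e.g. ``web1``
    would also copy the ``web10`` entry — another client's key — into the
    file handed to web1.
    """
    install_dir = get_install_dir()
    domain = config.general.get_resolv_domain()
    for server in get_servers():
        name = '{0}'.format(server)
        fqdn = '{0}.{1}'.format(server, domain)
        x("{0}ossecbuild/contrib/ossec-batch-manager.pl -a --name {1} --ip {2}"
          .format(install_dir, name, config.host(server).get_front_ip()))

        # Prepare separate key files that can be downloaded by each client.
        x("grep -Fw {0} /var/ossec/etc/client.keys > ".format(name)
          + "/var/ossec/etc/{0}_client.keys".format(fqdn))

    x('chmod 640 /var/ossec/etc/*.keys')
    x('chown ossec:ossec /var/ossec/etc/*.keys')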
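def _generate_client_keys():
    """
    Generate keys for all OSSEC clients and prepare one separate key file
    per client that it can download.

    Each server from install.cfg is added to /var/ossec/etc/client.keys
    with ossec-batch-manager.pl; its line is then extracted into
    /var/ossec/etc/<fqdn>_client.keys. All key files are left ossec:ossec
    0640.

    Fix: extraction uses ``grep -Fw`` (fixed string, whole word). The
    original pattern was an unanchored regex, so a host name that is a
    prefix of another (``web1`` vs ``web10``) pulled the other host's key
    into this client's file, and the dots in the FQDN matched any character.
    """
    install_dir = get_install_dir()
    batch_manager = "{0}ossecbuild/contrib/ossec-batch-manager.pl".format(
        install_dir)
    for server in get_servers():
        fqdn = '{0}.{1}'.format(server, config.general.get_resolv_domain())
        front_ip = config.host(server).get_front_ip()
        x("{0} -a -n {1} -p {2}".format(batch_manager, fqdn, front_ip))

        # Prepare separate key files that can be downloaded by each client;
        # exact whole-word match so only this client's line is copied.
        x("grep -Fw {0} /var/ossec/etc/client.keys > "
          "/var/ossec/etc/{0}_client.keys".format(fqdn))

    x('chmod 640 /var/ossec/etc/*.keys')
    x('chown ossec:ossec /var/ossec/etc/*.keys')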
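def install_ossec_server(args):
    """
    Install the OSSEC server on this host.

    Builds OSSEC with the server preloaded-vars, registers all clients,
    installs syco's ossec_server.conf and local_rules.xml (root:ossec,
    0640), enables syslog output, adds the iptables chain and restarts
    the service.

    args: not used by this function.
    """
    app.print_verbose("Install ossecd.")
    # check_executed()/mark_executed() presumably make this a run-once step
    # per SCRIPT_VERSION — confirm in the version module.
    version_obj = version.Version("InstallOssecd", SCRIPT_VERSION)
    version_obj.check_executed()

    build_ossec("preloaded-vars-server.conf")
    _generate_client_keys()

    # Setup server config and local rules from syco. Raw string keeps the
    # leading backslash (skip any cp alias) intact; '\c' is not a valid
    # Python escape.
    x(r'\cp -f ' + SYCO_FO_PATH + 'var/ossec/ossec_server.conf /var/ossec/etc/ossec.conf')
    x('chown root:ossec /var/ossec/etc/ossec.conf')
    x('chmod 640 /var/ossec/etc/ossec.conf')

    # Configure rules
    x('cp -f ' + SYCO_FO_PATH + 'var/ossec/local_rules.xml /var/ossec/rules/local_rules.xml')
    x('chown root:ossec /var/ossec/rules/local_rules.xml')
    x('chmod 640 /var/ossec/rules/local_rules.xml')

    # Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    x("service ossec restart")

    # Clean up install. NOTE: make, installed by build_ossec(), is left in
    # place here.
    x('yum remove gcc perl-Time-HiRes -y')

    version_obj.mark_executed()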
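def install_ossec_server(args):
    """
    Install OSSEC server on the server.

    Builds OSSEC from source with the server preloaded-vars, registers the
    clients, installs /opt/syco's ossec_server.conf and local_rules.xml as
    root:ossec 0640, enables client-syslog output, opens the iptables chain,
    restarts the service and finally removes the build toolchain again.

    args: not used by this function.
    """
    app.print_verbose("Install ossecd.")
    # check_executed()/mark_executed() presumably make this a run-once step
    # per SCRIPT_VERSION — confirm in the version module.
    version_obj = version.Version("InstallOssecd", SCRIPT_VERSION)
    version_obj.check_executed()

    build_ossec("preloaded-vars-server.conf")
    _generate_client_keys()

    # Setup server config and local rules from syco. Raw string so the
    # leading backslash (bypass any cp alias) reaches the shell; '\c' is not
    # a valid Python escape.
    x(r'\cp -f /opt/syco/var/ossec/ossec_server.conf /var/ossec/etc/ossec.conf')
    x('chown root:ossec /var/ossec/etc/ossec.conf')
    x('chmod 640 /var/ossec/etc/ossec.conf')

    # Configure rules
    x('cp -f /opt/syco/var/ossec/local_rules.xml /var/ossec/rules/local_rules.xml')
    x('chown root:ossec /var/ossec/rules/local_rules.xml')
    x('chmod 640 /var/ossec/rules/local_rules.xml')

    # Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    x("service ossec restart")

    # Clean up install: drop the toolchain build_ossec() installed.
    x('yum remove gcc make perl-Time-HiRes -y')

    version_obj.mark_executed()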