def install_keepalived(args):
global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env
SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
ACCEPTED_KA_ENV = get_environments()
if len(args) != 2:
print_killmessage()
else:
ka_env = args[1]
if ka_env.lower() not in ACCEPTED_KA_ENV:
print_killmessage()
app.print_verbose("Install Keepalived version: %d" % script_version)
version_obj = version.Version("InstallKeepalived", script_version)
version_obj.check_executed()
os.chdir("/")
install_packages("keepalived")
_configure_keepalived()
# Adding iptables rules
iptables_setup()
save()
version_obj.mark_executed()
def install_rsyslogd(args):
"""
Install rsyslogd on the server.
"""
app.print_verbose("Install rsyslogd.")
version_obj = version.Version("InstallRsyslogd", SCRIPT_VERSION)
version_obj.check_executed()
# Installing packages
install_packages("rsyslog rsyslog-gnutls gnutls-utils")
# Autostart rsyslog at boot
x("chkconfig rsyslog on")
# Generation new certs if no certs exsists
if not os.path.exists('/etc/pki/rsyslog/ca.crt'):
rsyslog_newcerts(args)
_setup_rsyslogd()
# Add iptables chains
iptables.add_rsyslog_chain("server")
iptables.save()
# Restarting service
x("service rsyslog restart")
install_compress_logs()
# Configure logrotate
installLogrotate.install_logrotate(args)
version_obj.mark_executed()
def install_docker(args):
"""Install and configure docker on the local host."""
app.print_verbose("Install docker version: %d" % SCRIPT_VERSION)
version_obj = version.Version("Installdocker", SCRIPT_VERSION)
version_obj.check_executed()
proxy_host = config.general.get_proxy_host()
proxy_port = config.general.get_proxy_port()
x("cp %s/docker/docker.repo /etc/yum.repos.d/docker.repo" % app.SYCO_VAR_PATH)
general.install_packages("docker-engine")
x("cp %s/docker/docker /etc/sysconfig/docker" % app.SYCO_VAR_PATH)
# http://stackoverflow.com/questions/23111631/cannot-download-docker-images-behind-a-proxy
docker_conf = scOpen(filename="/etc/sysconfig/docker")
if proxy_host and proxy_port:
docker_conf.replace("%HTTP_PROXY%", 'export HTTP_PROXY="http://%s:%s"' % (proxy_host, proxy_port))
docker_conf.replace("%HTTPS_PROXY%", 'export HTTPS_PROXY="https://%s:%s"' % (proxy_host, proxy_port))
else:
docker_conf.replace("%HTTP_PROXY%", "")
docker_conf.replace("%HTTPS_PROXY%", "")
x("chkconfig docker on")
x("service docker start")
version_obj.mark_executed()
# FW rule needed to access container through ports
# Sleep for docker to start completely before setting rule
x("sleep 10 && iptables -A syco_output -j DOCKER")
x("service iptables save")
version_obj.mark_executed()
def install_keepalived(args):
global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env
SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
ACCEPTED_KA_ENV = get_environments()
if len(args) != 2:
print_killmessage()
else:
ka_env = args[1]
if ka_env.lower() not in ACCEPTED_KA_ENV:
print_killmessage()
app.print_verbose("Install Keepalived version: %d" % script_version)
version_obj = version.Version("InstallKeepalived", script_version)
version_obj.check_executed()
os.chdir("/")
install_packages("keepalived")
_configure_keepalived()
# Adding iptables rules
iptables_setup()
save()
version_obj.mark_executed()
def install_docker(args):
"""Install and configure docker on the local host."""
app.print_verbose("Install docker version: %d" % SCRIPT_VERSION)
version_obj = version.Version("Installdocker", SCRIPT_VERSION)
version_obj.check_executed()
proxy_host = config.general.get_proxy_host()
proxy_port = config.general.get_proxy_port()
x('cp %s/docker/docker.repo /etc/yum.repos.d/docker.repo' % app.SYCO_VAR_PATH)
general.install_packages("docker-engine")
x('cp %s/docker/docker /etc/sysconfig/docker' % app.SYCO_VAR_PATH)
# http://stackoverflow.com/questions/23111631/cannot-download-docker-images-behind-a-proxy
docker_conf = scOpen(filename='/etc/sysconfig/docker')
if proxy_host and proxy_port:
docker_conf.replace('%HTTP_PROXY%', 'export HTTP_PROXY="http://%s:%s"' % (proxy_host, proxy_port))
docker_conf.replace('%HTTPS_PROXY%', 'export HTTPS_PROXY="https://%s:%s"' % (proxy_host, proxy_port))
else:
docker_conf.replace('%HTTP_PROXY%', '')
docker_conf.replace('%HTTPS_PROXY%', '')
x('chkconfig docker on')
x('service docker start')
version_obj.mark_executed()
#FW rule needed to access container through ports
#Sleep for docker to start completely before setting rule
x('sleep 10 && iptables -A syco_output -j DOCKER')
x('service iptables save')
version_obj.mark_executed()
def install_rsyslogd(args):
"""
Install rsyslogd on the server.
"""
app.print_verbose("Install rsyslogd.")
version_obj = version.Version("InstallRsyslogd", SCRIPT_VERSION)
version_obj.check_executed()
# Installing packages
install_packages("rsyslog rsyslog-gnutls gnutls-utils")
# Autostart rsyslog at boot
x("chkconfig rsyslog on")
# Generation new certs if no certs exsists
if not os.path.exists('/etc/pki/rsyslog/ca.crt'):
rsyslog_newcerts(args)
_setup_rsyslogd()
# Add iptables chains
iptables.add_rsyslog_chain("server")
iptables.save()
# Restarting service
x("service rsyslog restart")
install_compress_logs()
# Configure logrotate
installLogrotate.install_logrotate(args)
version_obj.mark_executed()
def _install_nrpe(args):
"""
The nrpe installation is quite standard . Except that the stock NRPE.conf
is replaced with a prepped one. Server only listens to this IP. Not super
safe but better than nothing. Also, argument parsing is _disabled_.
"""
# Initialize all used passwords at the beginning of the script.
app.get_ldap_sssd_password()
app.get_mysql_monitor_password()
install.epel_repo()
# Confusing that nagios-plugins-all does not really include all plugins
# WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
# the moment EPEL has the latest version but RPMForge obsolete the EPEL
# package. Because of that, exclude nagios-nrpe from RPMForge.
app.print_verbose("Install required packages for NRPE")
install_packages(
"nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
"perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")
# Move object structure and prepare conf-file
x("rm -rf /etc/nagios/nrpe.d")
x("rm -rf /etc/nagios/nrpe.cfg")
x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(
constant.SYCO_USR_PATH))
x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(
constant.SYCO_USR_PATH))
# Extra plugins installed
_install_nrpe_plugins()
# Allow only monitor to query NRPE
monitor_server_front_ip = config.general.get_monitor_server_ip()
app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)
# Set permissions for read/execute under nagios-user
x("chown -R root:nrpe /etc/nagios/")
# Allow nrpe to listen on UDP port 5666
iptables.add_nrpe_chain()
iptables.save()
# Make nrpe-server startup stateful and restart
x("/sbin/chkconfig --level 3 nrpe on")
x("service nrpe restart")
def install_rsyslogd_client(args):
'''
Install rsyslog client the server
'''
app.print_verbose("Install rsyslog client.")
# If rsyslogd is installed, raise exception.
version_obj = version.Version("InstallRsyslogd",
installRsyslogd.SCRIPT_VERSION)
version_obj.check_executed()
#
version_obj = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
version_obj.check_executed()
# Initialize all passwords used by the script
app.init_mysql_passwords()
#Enabling iptables before server has start
iptables.add_rsyslog_chain("client")
iptables.save()
# Wating for rsyslog Server to start
general.wait_for_server_to_start(config.general.get_log_server_hostname1(),
"514")
app.print_verbose("CIS 5.2 Configure rsyslog")
app.print_verbose("CIS 5.2.1 Install the rsyslog package")
general.install_packages("rsyslog rsyslog-gnutls")
app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
if os.path.exists('/etc/xinetd.d/syslog'):
x("chkconfig syslog off")
x("chkconfig rsyslog on")
_configure_rsyslog_conf()
_gen_and_copy_cert(args)
# Restaring rsyslog
x("/etc/init.d/rsyslog restart")
# Configure logrotate
installLogrotate.install_logrotate(args)
version_obj.mark_executed()
def _install_nrpe(args):
"""
The nrpe installation is quite standard . Except that the stock NRPE.conf
is replaced with a prepped one. Server only listens to this IP. Not super
safe but better than nothing. Also, argument parsing is _disabled_.
"""
# Initialize all used passwords at the beginning of the script.
app.get_ldap_sssd_password()
app.get_mysql_monitor_password()
install.epel_repo()
# Confusing that nagios-plugins-all does not really include all plugins
# WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
# the moment EPEL has the latest version but RPMForge obsolete the EPEL
# package. Because of that, exclude nagios-nrpe from RPMForge.
app.print_verbose("Install required packages for NRPE")
install_packages("nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
"perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")
# Move object structure and prepare conf-file
x("rm -rf /etc/nagios/nrpe.d")
x("rm -rf /etc/nagios/nrpe.cfg")
x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))
# Extra plugins installed
_install_nrpe_plugins()
# Allow only monitor to query NRPE
monitor_server_front_ip = config.general.get_monitor_server_ip()
app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)
# Set permissions for read/execute under nagios-user
x("chown -R root:nrpe /etc/nagios/")
# Allow nrpe to listen on UDP port 5666
iptables.add_nrpe_chain()
iptables.save()
# Make nrpe-server startup stateful and restart
x("/sbin/chkconfig --level 3 nrpe on")
x("service nrpe restart")
def install_rsyslogd_client(args):
'''
Install rsyslog client the server
'''
app.print_verbose("Install rsyslog client.")
# If rsyslogd is installed, raise exception.
version_obj = version.Version("InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
version_obj.check_executed()
#
version_obj = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
version_obj.check_executed()
# Initialize all passwords used by the script
app.init_mysql_passwords()
#Enabling iptables before server has start
iptables.add_rsyslog_chain("client")
iptables.save()
# Wating for rsyslog Server to start
general.wait_for_server_to_start(config.general.get_log_server_hostname1(), "514")
app.print_verbose("CIS 5.2 Configure rsyslog")
app.print_verbose("CIS 5.2.1 Install the rsyslog package")
general.install_packages("rsyslog rsyslog-gnutls")
app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
if os.path.exists('/etc/xinetd.d/syslog'):
x("chkconfig syslog off")
x("chkconfig rsyslog on")
_configure_rsyslog_conf()
_gen_and_copy_cert(args)
# Restaring rsyslog
x("/etc/init.d/rsyslog restart")
# Configure logrotate
installLogrotate.install_logrotate(args)
version_obj.mark_executed()
def install_syco(args):
"""
Install/configure this script on the current computer.
"""
app.print_verbose("Install syco version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallSYCO", SCRIPT_VERSION)
version_obj.check_executed()
# Override base repo to one that works
x("cat %syum/CentOS-Base.repo > /etc/yum.repos.d/CentOS-Base.repo" %
app.SYCO_VAR_PATH)
# Run all yum updates through proxy if available
proxy_host = config.general.get_proxy_host()
proxy_port = config.general.get_proxy_port()
if proxy_host and proxy_port:
x('echo proxy=%s >> /etc/yum.conf' % "http://%s:%s" %
(proxy_host, proxy_port))
app.print_verbose("Install required packages for syco")
install_packages("augeas")
app.print_verbose("Create symlink /sbin/syco")
set_syco_permissions()
if not os.path.exists('/sbin/syco'):
os.symlink('%sbin/syco.py' % SYCO_PATH, '/sbin/syco')
# Use augeas to set max kernels to 2 since more won't fit on /boot
from augeas import Augeas
augeas = Augeas(x)
augeas.set_enhanced("/files/etc/yum.conf/main/installonly_limit", "2")
# Set Swappiness to 0 on all hosts to avoid excessive swapping
augeas.set_enhanced("/files/etc/sysctl.conf/vm.swappiness", "0")
if proxy_host and proxy_port:
# Set proxy again with augeas to ensure there are no duplicates/inconsistencies
augeas.set_enhanced("/files/etc/yum.conf/main/proxy",
"http://%s:%s" % (proxy_host, proxy_port))
version_obj.mark_executed()
def install_syco(args):
"""
Install/configure this script on the current computer.
"""
app.print_verbose("Install syco version: %d" % SCRIPT_VERSION)
version_obj = version.Version("InstallSYCO", SCRIPT_VERSION)
version_obj.check_executed()
# Override base repo to one that works
x("cat %syum/CentOS-Base.repo > /etc/yum.repos.d/CentOS-Base.repo" % app.SYCO_VAR_PATH)
# Run all yum updates through proxy if available
proxy_host = config.general.get_proxy_host()
proxy_port = config.general.get_proxy_port()
if proxy_host and proxy_port:
x('echo proxy=%s >> /etc/yum.conf' % "http://%s:%s" % (proxy_host,proxy_port))
app.print_verbose("Install required packages for syco")
install_packages("augeas")
app.print_verbose("Create symlink /sbin/syco")
set_syco_permissions()
if not os.path.exists('/sbin/syco'):
os.symlink('%sbin/syco.py' % SYCO_PATH, '/sbin/syco')
# Use augeas to set max kernels to 2 since more won't fit on /boot
from augeas import Augeas
augeas = Augeas(x)
augeas.set_enhanced("/files/etc/yum.conf/main/installonly_limit", "2")
# Set Swappiness to 0 on all hosts to avoid excessive swapping
augeas.set_enhanced("/files/etc/sysctl.conf/vm.swappiness", "0")
if proxy_host and proxy_port:
# Set proxy again with augeas to ensure there are no duplicates/inconsistencies
augeas.set_enhanced("/files/etc/yum.conf/main/proxy", "http://%s:%s" % (proxy_host,proxy_port))
version_obj.mark_executed()
def download_and_install(clam_version):
#
# Download and extract clamav
#
app.print_verbose("Download and extract clamav")
dst_path = urlretrive(
CLAM_AV_URL.format(clam_version),
"clamav_latest.tar.gz")
x("tar -C %s -zxf %s" % (app.INSTALL_DIR, dst_path))
compile_dir = "%scompile-clamav" % app.INSTALL_DIR
x("mkdir -p %s" % compile_dir)
x("mv %s/clamav-*/* %s" % (app.INSTALL_DIR, compile_dir))
#
# Install packages required for compiling and coreutils to get nice and ionice
#
general.install_packages("gcc gcc-c++ zlib-devel bzip2-devel ncurses-devel file openssl-devel coreutils")
#
# Build and install clamav and freshclam
#
app.print_verbose("Build and install clamav and freshclam")
x("chown -R root:root %s" % compile_dir)
x("./configure", cwd=compile_dir)
x("make", cwd=compile_dir)
x("make install", cwd=compile_dir)
x("ldconfig")
#
# Remove packages needed for compilation.
#
x(
"yum remove -y zlib-devel bzip2-devel ncurses-devel " +
"gcc cloog-ppl cpp glibc-devel glibc-headers kernel-headers " +
"mpfr ppl gcc-c++ libstdc++-devel"
)
def install_haproxy(args):
app.print_verbose("Install HA Proxy version: %d" % script_version)
version_obj = version.Version("InstallHaproxy", script_version)
version_obj.check_executed()
# Prompt for syco pw early, certificate copy requires root pw
app.get_root_password()
setup_global_vars()
# Validate all command line parameters.
if len(args) != 3:
print_killmessage()
env = haproxy_env(args)
state = haproxy_state(args)
install_packages("tcl haproxy")
iptables.add_haproxy_chain()
iptables.save()
_copy_certificate_files(env)
_configure_haproxy(env, state)
version_obj.mark_executed()
def install_haproxy(args):
app.print_verbose("Install HA Proxy version: %d" % script_version)
version_obj = version.Version("InstallHaproxy", script_version)
version_obj.check_executed()
# Prompt for syco pw early, certificate copy requires root pw
app.get_root_password()
setup_global_vars()
# Validate all command line parameters.
if len(args) != 3:
print_killmessage()
env = haproxy_env(args)
state = haproxy_state(args)
install_packages("tcl haproxy")
iptables.add_haproxy_chain()
iptables.save()
_copy_certificate_files(env)
_configure_haproxy(env, state)
version_obj.mark_executed()
def _install_nrpe_plugins_dependencies():
"""Install libraries/binaries that the NRPE-plugins depend on."""
# Dependency for check_rsyslog
app.print_verbose("Install required dependency for check_rsyslog")
install_packages("MySQL-python")
# Dependency for check_clamav
app.print_verbose("Install required dependencies for check_clamav")
install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")
x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))
# Dependency for check_ldap
app.print_verbose("Install required dependencies for check_ldap")
install_packages("php-ldap php-cli")
# Dependency for check_iostat
app.print_verbose("Install required dependency for check_iostat")
install_packages("sysstat")
# Dependency for hosts/firewall hardware checks
host_config_object = config.host(net.get_hostname())
if host_config_object.is_host() or host_config_object.is_firewall():
install.hp_repo()
app.print_verbose("Install required dependencies for Hardware checks")
install_packages("hp-health hpssacli")
# Let nrpe run hpasmcli and hpssacli
x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))
# Dependency for check_ulimit
app.print_verbose("Install required dependency for check_ulimit")
install_packages("lsof")
# Set ulimit values to take affect after reboot
x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")
# Kernel wont parse anything but read-only in sudoers. So chmod it.
x("chmod 0440 /etc/sudoers.d/nrpe")
def _install_nrpe_plugins_dependencies():
"""Install libraries/binaries that the NRPE-plugins depend on."""
# Dependency for check_rsyslog
app.print_verbose("Install required dependency for check_rsyslog")
install_packages("MySQL-python")
# Dependency for check_clamav
app.print_verbose("Install required dependencies for check_clamav")
install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")
x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))
# Dependency for check_ldap
app.print_verbose("Install required dependencies for check_ldap")
install_packages("php-ldap php-cli")
# Dependency for check_iostat
app.print_verbose("Install required dependency for check_iostat")
install_packages("sysstat")
# Dependency for hosts/firewall hardware checks
host_config_object = config.host(net.get_hostname())
if host_config_object.is_host() or host_config_object.is_firewall():
install.hp_repo()
app.print_verbose("Install required dependencies for Hardware checks")
install_packages("hp-health hpssacli")
# Let nrpe run hpasmcli and hpssacli
x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))
# Dependency for check_ulimit
app.print_verbose("Install required dependency for check_ulimit")
install_packages("lsof")
# Set ulimit values to take affect after reboot
x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf"
)
# Kernel wont parse anything but read-only in sudoers. So chmod it.
x("chmod 0440 /etc/sudoers.d/nrpe")
