def install_ossec_client(args):
    '''
    Install the OSSEC client on this host.

    Only prints an error and returns when /var/ossec/bin/manage_agents
    exists, which the script treats as a sign that the OSSEC server is
    installed here. The args parameter is not read.

    '''
    server_tool = "/var/ossec/bin/manage_agents"
    if os.path.exists(server_tool):
        app.print_error("Not insalling OSSEC client since OSSEC server detected")
        return

    app.print_verbose("Install ossec client.")
    run_marker = version.Version("InstallOssec", SCRIPT_VERSION)
    run_marker.check_executed()

    # Load every password the script uses before any work starts.
    app.init_mysql_passwords()

    # Build with the client answer file, then write config and agent keys.
    build_ossec("preloaded-vars-client.conf")
    _setup_conf()
    _setup_keys()

    # Turn on syslog logging for the client.
    x("/var/ossec/bin/ossec-control enable client-syslog")

    # Add the OSSEC iptables chain and save the rule set.
    iptables.add_ossec_chain()
    iptables.save()

    # Restart so the new configuration is used.
    x("service ossec restart")

    # NOTE(review): gcc and perl-Time-HiRes are presumably only needed by
    # build_ossec; removing the compiler afterwards keeps it off the host.
    # Confirm nothing else installed here depends on them.
    x("yum remove gcc perl-Time-HiRes -y")

    run_marker.mark_executed()
def _install_icinga(args):
    '''
    Install the complete icinga stack on this host.

    The installation is divided into three parts: icinga core, icinga web
    and PNP4Nagios. Icinga core installs the icinga poller (basically a fork
    of the Nagios poller with SQL integration) and a very simple GUI that is
    kept as a backup in case the fancier GUI goes down. Icinga web is the
    heavier "bells and whistles" GUI with more functionality.

    '''
    # Load every password used by the sub-installers.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    # Poller first: it returns the database password that icinga-web is
    # then given. Graphing (PNP4Nagios) comes last.
    db_password = _install_icinga_core(args)
    _install_icinga_web(db_password)
    _install_pnp4nagios()

    # Install a http index
    _install_http_index()

    # Enable SELinux
    _install_SELinux()

    # Restart all services, in the same order as before.
    for service in ("ido2db", "nrpe", "icinga", "httpd"):
        x("service %s restart" % service)
def install_ossec_client(args):
    '''
    Install the OSSEC client on this host.

    If /var/ossec/bin/manage_agents is present the host is treated as an
    OSSEC server: an error is printed and nothing is installed. The args
    parameter is not read.

    '''
    if os.path.exists("/var/ossec/bin/manage_agents"):
        app.print_error(
            "Not insalling OSSEC client since OSSEC server detected")
        return

    app.print_verbose("Install ossec client.")
    executed = version.Version("InstallOssec", SCRIPT_VERSION)
    executed.check_executed()

    # All passwords used by the script are initialised first.
    app.init_mysql_passwords()

    # Build from the client answer file, then install config and keys.
    build_ossec("preloaded-vars-client.conf")
    _setup_conf()
    _setup_keys()

    # Enable syslog logging.
    x("/var/ossec/bin/ossec-control enable client-syslog")

    # Add the OSSEC iptables chain and persist it.
    iptables.add_ossec_chain()
    iptables.save()

    # Restart OSSEC.
    x("service ossec restart")

    # NOTE(review): presumably build-only packages; removing gcc after the
    # build leaves no compiler on the host. Confirm no other component
    # needs perl-Time-HiRes.
    x("yum remove gcc perl-Time-HiRes -y")

    executed.mark_executed()
def _reload_icinga(args, reload=True):
    '''
    Re-probe the network for running services and rebuild the icinga
    object structure.

    reload -- when true (the default) icinga is reloaded after the new
              configuration and the server plugins are in place.

    '''
    # Load the passwords used by the helpers below.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    hosts = _get_host_list()
    _append_services_to_hostlist(hosts)
    _build_icinga_config(hosts)
    _install_server_plugins()

    if not reload:
        return
    x("service icinga reload")
def install_rsyslogd_client(args):
    '''
    Install and configure the rsyslog client on this host.

    '''
    app.print_verbose("Install rsyslog client.")

    # Checked against the rsyslogd *server* marker first: per the original
    # comment, the client install must stop on a host that runs rsyslogd.
    server_marker = version.Version(
        "InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
    server_marker.check_executed()

    client_marker = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    client_marker.check_executed()

    # Load every password the script uses.
    app.init_mysql_passwords()

    # The firewall chain is added before the log server is contacted.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Wait for the rsyslog server on port 514.
    log_server = config.general.get_log_server_hostname1()
    general.wait_for_server_to_start(log_server, "514")

    for message in ("CIS 5.2 Configure rsyslog",
                    "CIS 5.2.1 Install the rsyslog package"):
        app.print_verbose(message)
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    legacy_syslog_present = os.path.exists("/etc/xinetd.d/syslog")
    if legacy_syslog_present:
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    # Write rsyslog.conf, then generate and copy the certificate.
    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restart rsyslog with the new configuration.
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    client_marker.mark_executed()
def install_rsyslogd(args):
    '''
    Install and configure rsyslogd (the log server) on this host.

    '''
    app.print_verbose("Install rsyslogd.")
    run_marker = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    run_marker.check_executed()

    # Load every password the script uses.
    app.init_mysql_passwords()

    # Syco dependency: install a local mysqld when none is present.
    mysql_missing = not os.path.exists("/etc/init.d/mysqld")
    if mysql_missing:
        install_mysql(["", "1", "1G"])

    # Packages, then start rsyslog at boot.
    x("yum install rsyslog rsyslog-gnutls rsyslog-mysql gnutls-utils -y")
    x("chkconfig rsyslog on")

    # New certificates are generated only when no CA certificate exists,
    # so an existing CA is never replaced by a re-run.
    if not os.path.exists("/etc/pki/rsyslog/ca.crt"):
        rsyslog_newcerts(args)

    # 20 characters of letters and digits, so the value needs no quoting.
    # NOTE(review): generate_password is defined elsewhere; confirm it uses
    # a cryptographically secure random source.
    alphabet = string.letters + string.digits
    sql_password = generate_password(20, alphabet)
    _setup_database(sql_password)
    _setup_rsyslogd(sql_password)

    # Add the server iptables chain and save it.
    iptables.add_rsyslog_chain("server")
    iptables.save()

    # Restart with the new configuration.
    x("/etc/init.d/rsyslog restart")

    install_purge_db()
    install_compress_logs()

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    run_marker.mark_executed()
def install_rsyslogd(args):
    '''
    Install and configure rsyslogd (the log server) on this host.

    '''
    app.print_verbose("Install rsyslogd.")
    executed = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    executed.check_executed()

    # All passwords used by the script are initialised first.
    app.init_mysql_passwords()

    # Syco dependency: a local mysqld is installed if its init script is
    # missing.
    if not os.path.exists("/etc/init.d/mysqld"):
        mysql_args = ["", "1", "1G"]
        install_mysql(mysql_args)

    # Install the packages and enable rsyslog at boot.
    x("yum install rsyslog rsyslog-gnutls rsyslog-mysql gnutls-utils -y")
    x("chkconfig rsyslog on")

    # Certificates are only generated when no CA certificate exists yet.
    ca_present = os.path.exists("/etc/pki/rsyslog/ca.crt")
    if not ca_present:
        rsyslog_newcerts(args)

    # NOTE(review): confirm generate_password (defined elsewhere) draws from
    # a cryptographically secure random source; the result is the database
    # password handed to both setup helpers.
    sql_password = generate_password(20, string.letters + string.digits)
    _setup_database(sql_password)
    _setup_rsyslogd(sql_password)

    # Server iptables chain, saved immediately.
    iptables.add_rsyslog_chain("server")
    iptables.save()

    # Restart the service.
    x("/etc/init.d/rsyslog restart")

    install_purge_db()
    install_compress_logs()

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    executed.mark_executed()
def install_loganalyzer(args):
    '''
    Install and configure adiscon.com loganalyzer.

    '''
    app.print_verbose("Install loganalyzer version: %d" % SCRIPT_VERSION)
    run_marker = version.Version("InstallLoganalyzer", SCRIPT_VERSION)
    run_marker.check_executed()

    # Load every password the script uses.
    app.init_mysql_passwords()

    _install_packages(args)
    _download_loganalyzer()

    # One freshly generated password is used both for the database user and
    # for the loganalyzer configuration.
    # NOTE(review): confirm general.generate_password uses a
    # cryptographically secure random source.
    alphabet = string.letters + string.digits
    sql_password = general.generate_password(20, alphabet)
    _create_db_user(sql_password)
    _configure_loganalyzer(sql_password)

    _configure_apache()
    _set_permissions()

    run_marker.mark_executed()
def install_mysql(args):
    '''
    Install and configure the mysql-server on the local host.

    args -- [command, server-id, innodb-buffer-pool-size]; any other length
            raises an Exception carrying the usage text.

    '''
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    run_marker = version.Version("InstallMysql", SCRIPT_VERSION)
    run_marker.check_executed()

    if len(args) != 3:
        raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")
    server_id, innodb_buffer_pool_size = args[1], args[2]

    # Load every password the script uses.
    app.init_mysql_passwords()

    # Install the server packages unless mysqld_safe is already usable.
    mysqld_safe = "/usr/bin/mysqld_safe"
    if not os.access(mysqld_safe, os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access(mysqld_safe, os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: root's history file becomes a link to
    # /dev/null.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow query log (my.cnf: log-slow-queries=), owned by mysql, mode 0640
    # and labelled for SELinux.
    slow_log = "/var/log/mysqld-slow.log"
    for command in ("touch",
                    "chown mysql:mysql",
                    "chmod 0640",
                    "chcon system_u:object_r:mysqld_log_t:s0"):
        x(command + " " + slow_log)

    # Not used at the moment: a root-owned mode-0 plugin directory just
    # prevents mysql from loading any modules.
    plugin_dir = "/usr/share/mysql/plugins"
    if not os.access(plugin_dir, os.W_OK | os.X_OK):
        os.mkdir(plugin_dir)
        os.chmod(plugin_dir, 0)
        os.chown(plugin_dir, 0, 0)

    # Under Linux it is advisable to disable the write-back cache, otherwise
    # data can be lost on power failure. Some drives or disk controllers may
    # be unable to disable it.
    #
    # TODO: Might need to be done from bios?
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # Copy the template and fill in the two placeholders in place.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    for row in fileinput.FileInput("/etc/my.cnf", inplace=1):
        row = row.replace("${server-id}", server_id)
        print row.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size),

    # Large innodb files take a while to generate, so the init script gets a
    # longer start timeout.
    app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for row in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        print row.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120"),

    x("service mysqld start")

    # Secure the mysql installation: drop every existing account and grant.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # NOTE(review): the root password is concatenated into the SQL text
    # unescaped, so a quote character in it would break the statement;
    # confirm the password source cannot produce one. Both master IPs
    # receive full root WITH GRANT OPTION; confirm that is intended.
    root_grant = (
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'localhost' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'"
        + config.general.get_mysql_primary_master_ip()
        + "' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'"
        + config.general.get_mysql_secondary_master_ip()
        + "' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "' WITH GRANT OPTION "
    )
    mysql_exec(root_grant)

    for statement in ("DROP DATABASE test;",
                      "SELECT host,user FROM mysql.db;",
                      "SELECT host,user FROM mysql.user;",
                      "RESET MASTER;",
                      "FLUSH PRIVILEGES;"):
        mysql_exec(statement)

    run_marker.mark_executed()
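def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    args -- [command, server-id, innodb-buffer-pool-size]; any other length
            raises an Exception carrying the usage text.

    Besides installing the packages this writes /etc/my.cnf, empties the
    mysql.db and mysql.user tables and recreates the monitor, backup and
    root accounts.

    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Install the mysql-server packages unless mysqld_safe is already usable.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: root's history file becomes a link to
    # /dev/null.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment: a root-owned mode-0 plugin directory just
    # prevents mysql from loading any modules.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise
    # data can get lost when the computer gets a power failure. Beware that
    # some drives or disk controllers may be unable to disable the
    # write-back cache.
    #
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # Copy the template, restrict it to the mysql account, then fill in the
    # two placeholders in place.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}",
                            innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation: drop every existing account and grant.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec("GRANT REPLICATION CLIENT ON *.* " +
               "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" %
               (app.get_mysql_monitor_password()))

    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec("GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
               "TO 'backup'@'localhost' IDENTIFIED BY '%s'" %
               (app.get_mysql_backup_password()))

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # NOTE(review): passwords are formatted into the SQL text unescaped, so
    # a quote character in one would break the statement; confirm the
    # password source cannot produce one.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" %
        (app.get_mysql_root_password(),
         app.get_mysql_root_password(),
         current_host_config.get_front_ip(),
         app.get_mysql_root_password()))
    mysql_exec("flush privileges;", )

    # The option defaults to the string 'None' when no peer is configured.
    # lower() must be called: comparing the bound method itself with a
    # string is always unequal, which issued a root grant for the literal
    # host 'None' on every host without a replication peer.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        # NOTE(review): the peer receives full root WITH GRANT OPTION;
        # confirm a narrower replication account is not sufficient.
        mysql_exec("GRANT ALL PRIVILEGES ON *.* TO "
                   "'root'@'%s' IDENTIFIED BY '%s'"
                   " WITH GRANT OPTION" %
                   (repl_peer, app.get_mysql_root_password()),
                   with_user=True)

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()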
def install_mysql(args):
    '''
    Install and configure the mysql-server on the local host.

    args -- [command, server-id, innodb-buffer-pool-size]; any other length
            raises an Exception carrying the usage text.

    '''
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    executed = version.Version("InstallMysql", SCRIPT_VERSION)
    executed.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # All passwords used by the script are initialised first.
    app.init_mysql_passwords()

    # Install the server packages unless mysqld_safe is already usable.
    server_binary = "/usr/bin/mysqld_safe"
    if not os.access(server_binary, os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access(server_binary, os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging by linking root's history file to
    # /dev/null.
    history_exists = os.access("/root/.mysql_history", os.F_OK)
    if history_exists:
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow query log (my.cnf: log-slow-queries=): owned by mysql, mode 0640,
    # with an SELinux label.
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment: the root-owned mode-0 directory just prevents
    # mysql from loading any modules.
    plugins = "/usr/share/mysql/plugins"
    if not os.access(plugins, os.W_OK | os.X_OK):
        os.mkdir(plugins)
        os.chmod(plugins, 0)
        os.chown(plugins, 0, 0)

    # Disabling the write-back cache is advisable under Linux, otherwise
    # data can be lost on power failure. Some drives or disk controllers may
    # be unable to disable it.
    #
    # TODO: Might need to be done from bios?
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # Copy the template and substitute its two placeholders in place.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    substitutions = (
        ("${server-id}", server_id),
        ("${innodb_buffer_pool_size}", innodb_buffer_pool_size),
    )
    for text in fileinput.FileInput("/etc/my.cnf", inplace=1):
        for placeholder, value in substitutions:
            text = text.replace(placeholder, value)
        print text,

    # Large innodb files take time to generate, so the init script gets a
    # longer start timeout.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for text in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        print text.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120"),

    x("service mysqld start")

    # Secure the mysql installation: drop every existing account and grant.
    for table in ("mysql.db", "mysql.user"):
        mysql_exec("truncate " + table)

    # NOTE(review): the root password is concatenated into the SQL text
    # unescaped, so a quote character in it would break the statement;
    # confirm the password source cannot produce one. Both master IPs
    # receive full root WITH GRANT OPTION; confirm that is intended.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'127.0.0.1' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'localhost' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'"
        + config.general.get_mysql_primary_master_ip()
        + "' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "', 'root'@'"
        + config.general.get_mysql_secondary_master_ip()
        + "' IDENTIFIED BY '"
        + app.get_mysql_root_password()
        + "' WITH GRANT OPTION ")

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")
    mysql_exec("RESET MASTER;")
    mysql_exec("FLUSH PRIVILEGES;")

    executed.mark_executed()
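def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    args -- [command, server-id, innodb-buffer-pool-size]; any other length
            raises an Exception carrying the usage text.

    The function installs the packages, writes /etc/my.cnf, empties the
    mysql.db and mysql.user tables and then recreates the monitor, backup
    and root accounts.

    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Install the mysql-server packages unless mysqld_safe is already usable.
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")
        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: root's history file becomes a link to
    # /dev/null.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Used to log slow queries, configured in my.cnf with log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Not used at the moment: a root-owned mode-0 plugin directory just
    # prevents mysql from loading any modules.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise
    # data can get lost when the computer gets a power failure. Beware that
    # some drives or disk controllers may be unable to disable the
    # write-back cache.
    #
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # Copy the template, restrict it to the mysql account, then fill in the
    # two placeholders in place.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation: drop every existing account and grant.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* " +
        "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % (
            app.get_mysql_monitor_password()
        )
    )

    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* " +
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % (
            app.get_mysql_backup_password()
        )
    )

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # NOTE(review): passwords are formatted into the SQL text unescaped, so
    # a quote character in one would break the statement; confirm the
    # password source cannot produce one.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" % (
            app.get_mysql_root_password(),
            app.get_mysql_root_password(),
            current_host_config.get_front_ip(),
            app.get_mysql_root_password()
        )
    )
    mysql_exec("flush privileges;", )

    # The option defaults to the string 'None' when no peer is configured.
    # lower() must be called: comparing the bound method itself with a
    # string is always unequal, which issued a root grant for the literal
    # host 'None' on every host without a replication peer.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        # NOTE(review): the peer receives full root WITH GRANT OPTION;
        # confirm a narrower replication account is not sufficient.
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (
                repl_peer,
                app.get_mysql_root_password()
            ),
            with_user=True
        )

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()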