def configure_db_server():
    '''
    Bootstrapping Postgresql and needed packages on a remote host.
    Supports only Debian/Ubuntu
    If the Dev server is self opened for ssh it can be configured as well.

    Installs the server through fabtools, creates the configured role and
    database, then opens the server to the network by appending a pg_hba.conf
    rule for ``0.0.0.0/0`` (md5 auth) and setting ``listen_addresses = '*'``
    before restarting the service.
    '''
    hba_glob = '/etc/postgresql/9*/main/pg_hba.conf'
    main_glob = '/etc/postgresql/9*/main/postgresql.conf'
    with settings(warn_only=True):
        fabtools.deb.update_index()
        fabtools.require.postgres.server()
        fabtools.require.postgres.user(dbusername, password=dbpassword)
        fabtools.require.postgres.database(dbname, owner=dbusername)
        hba_conf = files.first(hba_glob)
        main_conf = files.first(main_glob)
        if not (hba_conf and main_conf):
            abort('Could not find Postgresql configuration file')
        # NOTE(review): this rule accepts password logins from any IPv4 source
        # and the listen change binds every interface -- the docstring scopes
        # this to a dev box; a narrower CIDR is the usual production setting.
        files.append(hba_conf, 'host all all 0.0.0.0/0 md5', use_sudo=True)
        files.append(main_conf, "listen_addresses = '*'", use_sudo=True)
        sudo("service postgresql restart")
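def fix_ssh_access():
    '''
    set PasswordAuthentification and PermitRootLogin to 'no'

    The effective configuration is read with ``sshd -T`` so a directive that
    is only a compiled-in default is detected too; the first sshd_config found
    among the known locations is edited in place with ``sed`` and sshd is
    restarted only when something changed and the edited file passes
    ``sshd -t``.
    '''
    needrestart = False
    cfg = first('/usr/local/openssh/etc/sshd_config', '/etc/ssh/sshd_config')
    # Fabric's first() returns None (the object) when no path exists; the
    # original compared against the string "None", so this branch never fired
    # and the concatenation below raised TypeError instead.
    if cfg is None:
        print "\033[91mNo SSHD configuration file found\033[0m"
        return
    if sudo("sshd -T | grep -e '^passwordauthentication yes'", quiet=True):
        # NOTE(review): the sed only rewrites an existing (possibly commented)
        # "PasswordAuthentication yes" line; if the value comes from a built-in
        # default there is nothing to rewrite and the directive would need to
        # be appended instead -- confirm on the target hosts.
        sudo('''sed -ri 's/#?PasswordAuthentication.*yes/PasswordAuthentication no/g' ''' + cfg, quiet=True)
        needrestart = True
        print "\033[92mPasswordAuthentification has been set to 'no'\033[0m"
    if sudo("sshd -T | grep -e '^permitrootlogin yes'", quiet=True):
        sudo('''sed -ri 's/#?PermitRootLogin.*yes/PermitRootLogin no/g' ''' + cfg, quiet=True)
        needrestart = True
        print "\033[92mPermitRootLogin has been set to 'no'\033[0m"
    if not needrestart:
        print "\033[96mSSHD is correctly set\033[0m"
        return
    # Validate the edited file before restarting: a syntax error here would
    # leave the host without a reachable sshd.
    if sudo("sshd -t", warn_only=True, quiet=True).failed:
        print "\033[91msshd_config failed validation (sshd -t); not restarting\033[0m"
        return
    result = sudo("service sshd restart", warn_only=True, quiet=True)
    if result.succeeded:
        print "\033[92mSSHD service restarted\033[0m"
    else:
        print "\033[91mFailed to restart SSHD\033[0m"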
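def sync(source, target, output):
    """Append mk-table-sync statements that bring ``target`` in line with ``source``.

    For every table of the ``source`` database (as listed by ``get_tables``)
    that is not named in a ``.dbignore`` file, run ``mk-table-sync --print``
    between the two databases on ``env.dbhost`` and append the generated SQL,
    stripped of the backquoted ``target.`` prefix, to ``output``.

    Args:
        source: name of the reference database.
        target: name of the database to be synchronised.
        output: path the generated SQL is appended to; a ``.dbignore`` file in
            this directory (one table name per line) takes precedence over
            ``~/.dbignore``.
    """
    # NOTE(review): env.dbpass ends up on the remote command line (visible in
    # the process list and shell history) and is interpolated unquoted;
    # mk-table-sync can read credentials from a MySQL option file instead.
    cmd_template = string.Template(
        "mk-table-sync --print --replace --algorithm=GroupBy "
        "h=$sh,u=$su,p=$sp,D=$sd,t=$table "
        "h=$th,u=$tu,p=$tp,D=$td,t=$table | sed s/'`$td`.'/''/g "
        ">> $output"
    )
    params = {
        "sh": env.dbhost, "th": env.dbhost,
        "su": env.dbuser, "tu": env.dbuser,
        "sp": env.dbpass, "tp": env.dbpass,
        "sd": source, "td": target,
        "output": output,  # loop-invariant, set once
    }
    ignored = set()
    # NOTE(review): first() decides which candidate exists while open() reads
    # locally -- confirm this first() is the local-path helper.
    ignore_file = first(join(output, ".dbignore"),
                        join(os.environ["HOME"], ".dbignore"))
    if ignore_file is not None:
        with open(ignore_file, "r") as itf:
            # One table name per line, blank lines skipped.  The original kept
            # only the blank lines (and never stripped the newline), so nothing
            # was ever ignored; it also left the name unbound when no file
            # existed, which raised NameError in the loop below.
            ignored = set(line.strip() for line in itf if line.strip())
    for table in get_tables(source):
        if table in ignored:
            continue
        # One mk-table-sync run per table.  The original assigned ``target``
        # here, so every iteration synced a table named after the database.
        params["table"] = table
        with settings(warn_only=True):
            run(cmd_template.substitute(params))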
def vwrap():
    """Activates virtualenvwrapper commands.

    Sources the virtualenvwrapper shell file (the first of the two known
    install locations that exists) as a Fabric ``prefix`` around the wrapped
    block, so ``workon`` and friends are available to later ``run`` calls.
    """
    candidates = (
        # Location when installed via: apt-get install virtualenvwrapper
        '/etc/bash_completion.d/virtualenvwrapper',
        '/usr/local/bin/virtualenvwrapper.sh',
    )
    source_cmd = 'source %s' % first(*candidates)
    with prefix(once(source_cmd)):
        yield
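def check_logmon_size():
    '''check the size of logmon.cfg

    Prints the host name and the ``wc -l`` output for the first logmon.cfg
    found among the known watchdog locations (tab separated), or a red error
    when neither exists.
    '''
    cfg = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object), not the string "None" the
    # original compared against -- that branch never fired and the
    # concatenation below raised TypeError instead.
    if cfg is None:
        print '\033[91mNo watchdog config file found !\033[0m'
        return
    lines = sudo('''wc -l ''' + cfg, quiet=True)
    print env.host + '\t' + lines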
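def wat_remote():
    """launch wat -remote

    Runs the watchdog binary with ``-remote`` (output forced on so the remote
    transcript is visible) and reports failure in red.
    """
    watcmd = first('/usr/bin/wat', '/usr/local/bin/wat')
    if watcmd is None:
        # first() returns None when neither path exists; the original would
        # have raised TypeError on the concatenation below.
        print red('wat binary not found')
        return
    # NOTE(review): this flips Fabric's global output state for the rest of
    # the session; wrapping the call in settings(show(...)) would scope it.
    state.output.everything = True
    # warn_only makes a non-zero exit reach the .failed check instead of
    # aborting the task before the red message is printed.
    if sudo(watcmd + ' -remote', quiet=False, warn_only=True).failed:
        print red('wat -remote is not working')
    else:
        print('ok')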
def vwrap():
    """Activates virtualenvwrapper commands.

    Wraps the block in a Fabric ``prefix`` that sources the virtualenvwrapper
    shell aliases file, whichever of the two known install locations exists
    (``apt-get install virtualenvwrapper`` or ``pip install virtualenvwrapper``).
    """
    apt_location = '/etc/bash_completion.d/virtualenvwrapper'
    pip_location = '/usr/local/bin/virtualenvwrapper.sh'
    aliases = first(apt_location, pip_location)
    with prefix(once('source %s' % aliases)):
        yield
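def update_watchdot():
    '''
    update watchdot to latest version, set @muteLoginuid in /etc/watchdot/watchdog.config, chkconfig and (re)start if needed

    Steps: refresh the trusted package sources, update the ``watchdot`` rpm,
    register the service with chkconfig when missing, make sure the
    ``@muteLoginuid`` directive is present in watchdog.config, then stop and
    start the watchdog binary and list who is connected.
    '''
    set_available_trusted_sources()
    update_rpm(rpm='watchdot', confirm='n')
    if sudo('/sbin/chkconfig --list watchdot', warn_only=True).failed:
        sudo('/sbin/chkconfig --add watchdot')
    wconfig = first('/etc/watchdot/watchdog.config', '/usr/local/watch/watchdog.config')
    if wconfig is None:
        # first() returns None when neither path exists; the concatenation
        # below would otherwise raise TypeError.
        print '\033[91mNo watchdog config file found !\033[0m'
        return
    if sudo('''grep -qE '^@muteLoginuid' ''' + wconfig, warn_only=True).failed:
        # Keeps auditd from tracing the watchdog process (per the author's
        # original comment); append() skips lines that are already present.
        append(wconfig, [
            '#@muteLoginuid to prevent auditd tracing watchdog',
            '@muteLoginuid',
        ], use_sudo=True)
    watcmd = first('/usr/bin/wat', '/usr/local/bin/wat')
    if watcmd is None:
        print '\033[91mwat binary not found\033[0m'
        return
    sudo(watcmd + ' -stop', warn_only=True)
    time.sleep(1)
    with settings(show('running', 'debug', 'status', 'stdout', 'stderr', 'warnings', 'aborts')):
        sudo(watcmd + ' -start', warn_only=True)
        sudo(watcmd + ' -who')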
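def apt_source():
    '''
    auto setup apt source

    Lists the mirrors in ``apt_src``, asks for a comma-separated choice of
    their 1-based numbers, writes a ``deb <mirror> <debian_release> main
    contrib non-free`` line for each chosen mirror to the sources file and
    refreshes the package index.
    '''
    # Fall back to the canonical path when neither candidate exists yet, so
    # the upload below does not land in the login user's home directory.
    target = files.first('/etc/apt/sources.list',
                         '/etc/apt/sources.list.d/debian.list') or '/etc/apt/sources.list'
    for i, mirror in enumerate(apt_src):
        print i + 1, mirror
    # validate= makes prompt() re-ask until the answer is a comma-separated
    # list of integers instead of raising ValueError on a typo.
    answer = operations.prompt('choose> ', validate=r'^\s*\d+(?:\s*,\s*\d+)*\s*$')
    chooses = set(int(n) for n in answer.split(','))
    lines = ['deb %s %s main contrib non-free' % (mirror.strip(), debian_release)
             for i, mirror in enumerate(apt_src) if i + 1 in chooses]
    if not lines:
        # An out-of-range selection would otherwise replace the sources file
        # with nothing but the header comment.
        print 'no matching mirror selected, sources file left untouched'
        return
    operations.put(StringIO('# from fab init.py\n' + '\n'.join(lines)), target, use_sudo=True)
    api.sudo('aptitude update')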
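def check_watchdog_logmon_apply_syst_patches():
    '''display where is located apply_system_patche lines in logmon.conf

    Greps logmon.cfg (byte offsets, 5 lines of context) for the
    WARNING_APPLY_PATCHES_SYSTEM rule, drops ERROR lines, and prints the
    context in red when no ``/var/log/messages`` line appears in it.
    '''
    cfg = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object) when neither path exists;
    # comparing against the string "None" never reached the error branch.
    if cfg is None:
        print '\033[91mNo watchdog config file found !\033[0m'
        return
    lines = sudo('''grep -b5 'WARNING_APPLY_PATCHES_SYSTEM' ''' + cfg + ''' | grep -v 'ERROR' ''',
                 warn_only=True, quiet=True)
    if "/var/log/messages" not in lines:
        print '\033[91mProblem with line /var/log/messages\n\n' + lines + '\033[0m'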
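def check_watchdog_logmon_var_log_messages():
    '''check how many times File /var/log/messages is defined in logmon.conf

    Prints the host name and the number of ``File /var/log/messages`` lines
    that contain no ``#`` anywhere, tab separated.
    '''
    cfg = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object) when neither path exists;
    # comparing against the string "None" never reached the error branch.
    if cfg is None:
        print '\033[91mNo watchdog config file found !\033[0m'
        return
    count = sudo('''grep 'File /var/log/messages' ''' + cfg + ''' | grep -v '#' | wc -l ''',
                 warn_only=True, quiet=True)
    print env.host + '\t' + count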
def configure_db_server():
    '''
    Bootstrapping Postgresql and needed packages on a remote host.
    Supports only Debian/Ubuntu
    If the Dev server is self opened for ssh it can be configured as well.

    Provisions the server, role and database through fabtools, then appends a
    pg_hba.conf rule admitting md5 logins from ``0.0.0.0/0`` and binds the
    server to every interface before restarting it.
    '''
    with settings(warn_only=True):
        fabtools.deb.update_index()
        fabtools.require.postgres.server()
        fabtools.require.postgres.user(dbusername, password=dbpassword)
        fabtools.require.postgres.database(dbname, owner=dbusername)
        conf_dir = '/etc/postgresql/9*/main/'
        hba_path = files.first(conf_dir + 'pg_hba.conf')
        server_path = files.first(conf_dir + 'postgresql.conf')
        missing = not hba_path or not server_path
        if missing:
            abort('Could not find Postgresql configuration file')
        # NOTE(review): any IPv4 client may attempt a password login once
        # these two lines are in place; acceptable for the dev box described
        # in the docstring, too wide for anything else.
        files.append(hba_path, 'host all all 0.0.0.0/0 md5', use_sudo=True)
        files.append(server_path, "listen_addresses = '*'", use_sudo=True)
        sudo("service postgresql restart")
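def apt_source():
    '''
    auto setup apt source

    Shows the numbered mirrors from ``apt_src``, reads a comma-separated list
    of numbers, writes one ``deb`` line per chosen mirror (suite
    ``debian_release``, components main contrib non-free) to the sources file
    and runs ``aptitude update``.
    '''
    sources_file = files.first('/etc/apt/sources.list',
                               '/etc/apt/sources.list.d/debian.list')
    if sources_file is None:
        # Create the canonical file rather than letting put() default to the
        # login user's home directory.
        sources_file = '/etc/apt/sources.list'
    for i, l in enumerate(apt_src):
        print i + 1, l
    # The regex keeps prompt() asking until the input is digits separated by
    # commas, so int() below cannot raise on a typo.
    raw = operations.prompt('choose> ', validate=r'^\s*\d+(?:\s*,\s*\d+)*\s*$')
    chooses = [int(i.strip()) for i in raw.split(',')]
    s = [
        'deb %s %s main contrib non-free' % (l.strip(), debian_release)
        for i, l in enumerate(apt_src) if i + 1 in chooses
    ]
    if not s:
        # Without this guard an unmatched selection overwrites the file with
        # only the header comment.
        print 'no matching mirror selected, sources file left untouched'
        return
    operations.put(StringIO('# from fab init.py\n' + '\n'.join(s)),
                   sources_file, use_sudo=True)
    api.sudo('aptitude update')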
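def config_rsyslog():
    ''' configure rsyslog (if needed) and restart his service

    Looks for the PCI syslog relay (``syslog-pci-mutv`` or
    ``new-syslog-pci-mutv``) in the active rsyslog configuration.  When no
    active file exists but the ``_NONPCI`` copy carries the relay, that copy
    is moved into place and rsyslog is restarted.
    '''
    relay_grep = "grep -P 'syslog-pci-mutv|new-syslog-pci-mutv' "
    cfg = first('/etc/rsyslog.d/50_remote.conf', '/etc/rsyslog.conf')
    # Fabric's first() returns None (the object); the original compared
    # against the string "None", which made the elif/else branches
    # unreachable and raised TypeError on the concatenation instead.
    if cfg is not None:
        if sudo(relay_grep + cfg, quiet=True):
            print "\033[96mRsyslog is configured properly\033[0m"
        else:
            print "\033[91mRsyslog is not configured properly\033[0m"
    elif exists('/etc/rsyslog.d/50_remote.conf_NONPCI', use_sudo=True):
        if sudo(relay_grep + '/etc/rsyslog.d/50_remote.conf_NONPCI', quiet=True):
            # quiet=True implies warn_only: a failed mv or restart is not
            # reported here, only the success message below is printed.
            sudo("mv /etc/rsyslog.d/50_remote.conf_NONPCI /etc/rsyslog.d/50_remote.conf", quiet=True)
            sudo("service rsyslog restart", quiet=True)
            print "\033[92mRsyslog has been configured and restarted\033[0m"
        else:
            print "\033[91mRsyslog is not configured properly...\033[0m"
    else:
        print "\033[91m No Rsyslog configuration file found\033[0m"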
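def check_clamav_tripwire_logmon():
    '''Check duplicates CLAMAV and tripwire lines in logmon.cfg

    Reports in red when the clamscan log is referenced zero or several times,
    when an uncommented tripwire_check rule is present, and when no
    ``watchdot ... start`` process is running.
    '''
    cfg = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object) when neither path exists;
    # comparing against the string "None" never reached the error branch.
    if cfg is None:
        print '\033[91mNo watchdog config file found !\033[0m'
        return
    # strip() guards against wc padding the count with spaces.
    clamav_hits = sudo('grep /var/log/clamav/clamscan.log ' + cfg + ' | wc -l',
                       warn_only=True, quiet=True).strip()
    if clamav_hits == '0':
        print "\033[91mClamAV conf not found !\033[0m"
    elif clamav_hits != '1':
        print "\033[91mClamAV conf found " + clamav_hits + " times !\033[0m"
    if sudo('''grep -E '^[^\#].+/usr/local/tripwire/tfs/report/tripwire_check' ''' + cfg,
            warn_only=True, quiet=True).succeeded:
        print "\033[91mTripwire conf found !\033[0m"
    if sudo('''ps -ef | grep -iE 'watchdot.*start' | grep -v grep''',
            warn_only=True, quiet=True).failed:
        print "\033[91mWatchdog is not started !\033[0m"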
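def conf_logmon():
    """add apply_patches_system surveillance in logmon.cfg

    If logmon.cfg does not yet carry an ``_APPLY_PATCHES_SYSTEM`` rule, append
    the production or non-production rule set (chosen from the second
    character of ``env.host``), squeeze consecutive blank lines, then restart
    the watchdog (``systemctl`` on RHEL 7, ``wat -stop``/``-start`` elsewhere).

    Returns 1 when no logmon.cfg or no ``wat`` binary is found.
    """
    prod_rules = [
        '\n## apply_patches_system',
        'File /var/log/messages',
        'WARNING_APPLY_PATCHES_SYSTEM.*Dependence [ident=SYS-PAT-0002] [criticity=MAJ] MSG=error dependence during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Manual blocking [ident=SYS-PAT-0002] [criticity=MAJ] MSG=error manual blocking during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_pre_control [ident=SYS-PAT-0001] [criticity=CRI] MSG=error pre_control during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_apply_patches [ident=SYS-PAT-0001] [criticity=CRI] MSG=error apply_patches during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_post_control [ident=SYS-PAT-0001] [criticity=CRI] MSG=error post_control during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_monitoring [ident=SYS-PAT-0001] [criticity=CRI] MSG=error monitoring during system patch management',
    ]
    other_rules = [
        '\n## apply_patches_system',
        'File /var/log/messages',
        'WARNING_APPLY_PATCHES_SYSTEM.*Dependence [ident=SYS-PAT-0000] [criticity=WAR] MSG=error during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_pre_control [ident=SYS-PAT-0000] [criticity=WAR] MSG=error during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_apply_patches [ident=SYS-PAT-0000] [criticity=WAR] MSG=error during system patch management',
        'ERROR_APPLY_PATCHES_SYSTEM.*Error func_post_control [ident=SYS-PAT-0000] [criticity=WAR] MSG=error during system patch management',
    ]
    logmon = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object); the original compared
    # against the string "None", so the error branch below was unreachable.
    if logmon is None:
        print red('No watchdog config file found !')
        return 1
    if sudo('grep -sqi _APPLY_PATCHES_SYSTEM ' + logmon, quiet=True).succeeded:
        print cyan('logmon.cfg is already configured properly')
    elif env.host[1] == 'p':
        # NOTE(review): the second character of the host name appears to
        # encode the environment ('p' == production) -- confirm the naming
        # convention.  append() with a list skips lines already present.
        append(logmon, prod_rules, use_sudo=True)
        print green('logmon.cfg has been configured properly (Production)')
    else:
        append(logmon, other_rules, use_sudo=True)
        print green('logmon.cfg has been configured properly')
    # Squeeze runs of blank lines left behind by the appends.
    sudo('''sed -i 'N;/^\\n$/D;P;D;' ''' + logmon, quiet=True)
    watcmd = first('/usr/bin/wat', '/usr/local/bin/wat')
    if watcmd is None:
        print red('wat binary not found')
        return 1
    if sudo(watcmd + ' -v | grep "fhs 2"', quiet=True).succeeded:
        # The author disabled an early return here; 2.x hosts fall through to
        # the restart below.
        print red('Watchdog 2.x')
    if sudo(watcmd + ' -local 20', quiet=True).failed:
        print red('wat local is not working')
    if run('''cat /etc/redhat-release | grep 'release 7' ''', quiet=True):
        if sudo('systemctl restart watchdot.service', quiet=True).succeeded:
            print green('Watchdog service has been restarted (7)')
        else:
            print red('Problem when restarting Watchdog service (7)')
    else:
        sudo(watcmd + ' -stop', quiet=True)
        sudo('sleep 10', quiet=True)
        if sudo(watcmd + ' -start', quiet=True).succeeded:
            sudo('sleep 3', quiet=True)
            if sudo('''ps -ef | grep -iE 'watchdot.*start' | grep -v grep''',
                    warn_only=True, quiet=True).failed:
                print "\033[91mWatchdog is not started !\033[0m"
            else:
                print green('Watchdog service has been restarted (6)')
                sudo(watcmd + ' -remote', quiet=True)
        else:
            print red('Problem when restarting Watchdog service (6)')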
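def config_clamav():
    '''Push the good configuration for CLAMAV with new PCI CLAMAV mirror

    Uploads freshclam.conf, the daily freshclam cron job, its logrotate
    stanza, a randomised weekly clamscan cron entry and the clamscan script,
    fixes ownership of the ClamAV state and log directories, registers the
    clamscan log in logmon.cfg when missing and finally runs freshclam once.

    Returns 1 when freshclam fails.
    '''
    # The ClamAV service account differs between RHEL 7 and older releases;
    # both values are redacted ('******') in this listing.
    if run('''cat /etc/redhat-release | grep 'release 7' ''', quiet=True):
        user = '******'
    else:
        user = '******'
    #Push configuration files with good rights and specific user depending os version
    lscan = os.path.join(source, freshclam)
    put(local_path=lscan, remote_path='/etc/freshclam.conf', use_sudo=True, mode=0700)
    sudo('''sed -i 's/DatabaseOwner/DatabaseOwner ''' + user + '''/g' /etc/freshclam.conf''')
    sudo('chown root: /etc/freshclam.conf')
    lscan = os.path.join(source, freshdaily)
    put(local_path=lscan, remote_path='/etc/cron.daily/freshclam', use_sudo=True, mode=0700)
    sudo('''sed -i 's/clam.clam/''' + user + ''':''' + user + '''/g' /etc/cron.daily/freshclam''')
    sudo('chown root: /etc/cron.daily/freshclam')
    lscan = os.path.join(source, freshrotate)
    put(local_path=lscan, remote_path='/etc/logrotate.d/freshclam', use_sudo=True, mode=0644)
    sudo('''sed -i 's/clam clam/''' + user + ''' ''' + user + '''/g' /etc/logrotate.d/freshclam''')
    sudo('chown root: /etc/logrotate.d/freshclam')
    # Spread the weekly scan over Sunday 06:00-12:59 so hosts do not all run
    # at the same minute (nothing security-sensitive, so random is fine).
    clamcron = StringIO.StringIO(
        ('%02d %02d * * sun root /usr/local/etc/clamscan &> /dev/null\n')
        % (random.randint(0, 59), random.randint(6, 12)))
    put(clamcron, '/etc/cron.d/clamscan', use_sudo=True, mode=0600)
    sudo('chown root: /etc/cron.d/clamscan')
    if run("hostname | grep sips", quiet=True):
        lscan = os.path.join(source, clamscansips)
    else:
        lscan = os.path.join(source, clamscan)
    put(local_path=lscan, remote_path='/usr/local/etc/clamscan', use_sudo=True, mode=0700)
    sudo('chown root: /usr/local/etc/clamscan')
    # Ownership is enforced on every run, not only when the directory is
    # created, so a service-account change is picked up too.
    if not exists('/var/lib/clamav', use_sudo=True):
        sudo('mkdir -p /var/lib/clamav')
    sudo('chown -R ' + user + ':' + user + ' /var/lib/clamav')
    if exists('/var/log/freshclam.log', use_sudo=True):
        sudo('chown ' + user + ':' + user + ' /var/log/freshclam.log')
    if not exists('/var/log/clamav', use_sudo=True):
        sudo('mkdir -p /var/log/clamav')
    sudo('chown -R ' + user + ':' + user + ' /var/log/clamav')
    if exists('/var/lib/clamav/mirrors.dat', use_sudo=True):
        sudo('rm /var/lib/clamav/mirrors.dat')
    if exists('/usr/share/doc/clamav-0.*/signatures.pdf', use_sudo=True):
        sudo('rm /usr/share/doc/clamav-0.*/signatures.pdf')
    logmon = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object) when no path exists; the
    # original compared against the string "None" and would have raised
    # TypeError on the concatenation below.
    if logmon is None:
        print env.host, 'no watchdog config file found'
    elif not sudo("grep -P '/var/log/clamav/clamscan.log' " + logmon, quiet=True):
        # NOTE(review): put() drops clamwat in the login user's home and the
        # cat below assumes that home is /home/$SUDO_USER and that clamwat is
        # a bare file name -- confirm on the target hosts.
        lwat = os.path.join(source, clamwat)
        put(local_path=lwat, remote_path=clamwat)
        sudo('cat /home/$SUDO_USER/clamwat >> ' + logmon)
    #Run freshclam
    result = sudo('/etc/cron.daily/freshclam', warn_only=True)
    if result.return_code != 0:
        print "\033[91mFreshclam failed...\033[0m"
        return 1
    print "\033[92mFreshclam succeeded\033[0m"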
def _venv_root():
    """Return the first existing path among ``env.venv_roots``.

    Thin wrapper over ``first`` so callers do not repeat the unpacking; the
    result is whatever ``first`` yields when none of the roots exist.
    """
    candidates = list(env.venv_roots)
    return first(*candidates)
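def install_clamav():
    '''Install CLAMAV with new PCI CLAMAV mirror

    On RHEL 7 the package is installed through a bundled puppet module (epel
    enabled only for the duration of the run); on older releases through the
    pvm yum repositories.  The configuration push that follows is the same as
    in ``config_clamav``: freshclam.conf, cron jobs, logrotate stanza,
    clamscan script, directory ownership, logmon.cfg entry, then a first
    freshclam run.

    Returns 1 when the puppet run or freshclam fails.
    '''
    # The service account is redacted ('******') for both branches in this
    # listing.
    if run('''cat /etc/redhat-release | grep 'release 7' ''', quiet=True):
        lscan = os.path.join(source, clamavpuppet)
        put(local_path=lscan, remote_path='/etc/puppet/modules/clamav-puppet.tar', use_sudo=True, mode=0755)
        sudo('tar -xf /etc/puppet/modules/clamav-puppet.tar --directory=/etc/puppet/modules')
        # NOTE(review): the shell strips the single quotes, so test.pp receives
        # `class { clamav: }` -- confirm puppet accepts the bare title.
        sudo('''echo class { 'clamav': } > /etc/puppet/modules/test.pp''')
        sudo('yum-config-manager --enable epel > /dev/null')
        # --test implies detailed exit codes: 2 means resources changed,
        # anything above signals failures.
        x = sudo('puppet apply --test /etc/puppet/modules/test.pp', warn_only=True)
        if x.return_code > 2:
            print '\033[91mInstallation de CLAMAV KO\033[0m'
            sudo('yum-config-manager --disable epel > /dev/null')
            return 1
        sudo('yum-config-manager --disable epel > /dev/null')
        sudo('rm -f /etc/puppet/modules/clamav-puppet.tar')
        user = '******'
    else:
        if not exists('/etc/yum.repos.d/pvm.repo', use_sudo=True):
            sudo('yum install -y repositories-pvm --enablerepo=awl-main')
            sudo('yum-config-manager --disable pvm-main --disable pvm-external > /dev/null')
        x = sudo('rpm -q clamav', warn_only=True, quiet=True)
        if x.succeeded:
            sudo('yum update -y clamav --enablerepo=pvm-main --enablerepo=pvm-external')
        else:
            sudo('yum install -y clamav --enablerepo=pvm-main --enablerepo=pvm-external')
        user = '******'
    #Push configuration files with good rights and specific user depending os version
    lscan = os.path.join(source, freshclam)
    put(local_path=lscan, remote_path='/etc/freshclam.conf', use_sudo=True, mode=0700)
    sudo('''sed -i 's/DatabaseOwner/DatabaseOwner ''' + user + '''/g' /etc/freshclam.conf''')
    sudo('chown root: /etc/freshclam.conf')
    lscan = os.path.join(source, freshdaily)
    put(local_path=lscan, remote_path='/etc/cron.daily/freshclam', use_sudo=True, mode=0700)
    sudo('''sed -i 's/clam.clam/''' + user + ''':''' + user + '''/g' /etc/cron.daily/freshclam''')
    sudo('chown root: /etc/cron.daily/freshclam')
    lscan = os.path.join(source, freshrotate)
    put(local_path=lscan, remote_path='/etc/logrotate.d/freshclam', use_sudo=True, mode=0644)
    sudo('''sed -i 's/clam clam/''' + user + ''' ''' + user + '''/g' /etc/logrotate.d/freshclam''')
    sudo('chown root: /etc/logrotate.d/freshclam')
    # Weekly scan at a random minute between Sunday 06:00 and 12:59.
    clamcron = StringIO.StringIO(
        ('%02d %02d * * sun root /usr/local/etc/clamscan &> /dev/null\n')
        % (random.randint(0, 59), random.randint(6, 12)))
    put(clamcron, '/etc/cron.d/clamscan', use_sudo=True, mode=0600)
    sudo('chown root: /etc/cron.d/clamscan')
    if run("hostname | grep sips", quiet=True):
        lscan = os.path.join(source, clamscansips)
    else:
        lscan = os.path.join(source, clamscan)
    put(local_path=lscan, remote_path='/usr/local/etc/clamscan', use_sudo=True, mode=0700)
    sudo('chown root: /usr/local/etc/clamscan')
    # Ownership is enforced on every run, not only when the directory is
    # created.
    if not exists('/var/lib/clamav', use_sudo=True):
        sudo('mkdir -p /var/lib/clamav')
    sudo('chown -R ' + user + ':' + user + ' /var/lib/clamav')
    if exists('/var/log/freshclam.log', use_sudo=True):
        sudo('chown ' + user + ':' + user + ' /var/log/freshclam.log')
    if not exists('/var/log/clamav', use_sudo=True):
        sudo('mkdir -p /var/log/clamav')
    sudo('chown -R ' + user + ':' + user + ' /var/log/clamav')
    if exists('/var/lib/clamav/mirrors.dat', use_sudo=True):
        sudo('rm /var/lib/clamav/mirrors.dat')
    if exists('/usr/share/doc/clamav-0.*/signatures.pdf', use_sudo=True):
        sudo('rm /usr/share/doc/clamav-0.*/signatures.pdf')
    logmon = first('/etc/watchdot/logmon.cfg', '/usr/local/watch/logmon.cfg')
    # Fabric's first() returns None (the object) when no path exists; the
    # original compared against the string "None" and would have raised
    # TypeError on the concatenation below.
    if logmon is None:
        print env.host, 'no watchdog config file found'
    else:
        print "logmon.cfg present"
        if sudo("grep -P '/var/log/clamav/clamscan.log' " + logmon, quiet=True):
            print "entree clamav trouvee dans logmon.cfg"
        else:
            print "entree clamav non trouvee dans logmon.cfg"
            # NOTE(review): put() drops clamwat in the login user's home and
            # the cat below assumes /home/$SUDO_USER and a bare file name.
            lwat = os.path.join(source, clamwat)
            put(local_path=lwat, remote_path=clamwat)
            sudo('cat /home/$SUDO_USER/clamwat >> ' + logmon)
    #Run freshclam
    result = sudo('/etc/cron.daily/freshclam', warn_only=True)
    if result.return_code != 0:
        print "\033[91mFreshclam failed...\033[0m"
        return 1
    print "\033[92mFreshclam succeeded\033[0m"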