def _setup_keys():
    """Download this host's OSSEC client keys from the OSSEC server.

    The agent cannot talk to the server until the server has generated a
    per-host ``<fqdn>_client.keys`` file and it has been copied to
    ``/var/ossec/etc/client.keys`` locally. The copy is retried every 40
    seconds until the local file exists, so this blocks for as long as the
    server has not produced the keys.
    """
    server_ip = config.general.get_ossec_server_ip()
    fqdn = '{0}.{1}'.format(socket.gethostname(),
                            config.general.get_resolv_domain())
    remote_keys = "/var/ossec/etc/{0}_client.keys".format(fqdn)
    local_keys = "/var/ossec/etc/client.keys"

    # A reachable sshd only proves the host is up, not that the OSSEC
    # install on it has finished; the retry loop below covers the rest.
    general.wait_for_server_to_start(server_ip, 22)

    # Retry until the server has produced the keys and the copy succeeded.
    # scp_from is presumably non-fatal while the remote file is still
    # missing -- TODO confirm.
    scp_from(server_ip, remote_keys, local_keys)
    while not os.path.exists(local_keys):
        time.sleep(40)
        scp_from(server_ip, remote_keys, local_keys)

    # The keys file is a shared secret between agent and server: owned by
    # root, readable only by the ossec group, no world access.
    x('chown root:ossec {0}'.format(local_keys))
    x('chmod 640 {0}'.format(local_keys))
def install_bind_client(args):
    """Point this host's resolver at the syco DNS server.

    Writes the nameserver into ``/etc/resolv.conf`` and into the
    NetworkManager ifcfg files so the setting survives a reboot. A repeat
    run is presumably aborted by ``check_executed()`` on the version record.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install bind client.")
    version_obj = version.Version("InstallBindClient", SCRIPT_VERSION)
    version_obj.check_executed()

    nameserver_ip = config.general.get_resolv_nameserver_server_ip()

    # Outbound DNS firewall rules are handled elsewhere
    # (iptables._setup_dns_resolver_rules); only wait for the server here.
    general.wait_for_server_to_start(nameserver_ip, "53")

    # resolv.conf is rewritten by NetworkManager at reboot, which is why the
    # ifcfg files are patched as well further down.
    resolv = scOpen("/etc/resolv.conf")
    resolv.remove("nameserver.*")
    resolv.add("nameserver {0} ".format(nameserver_ip))

    # Rewrite every DNS*= entry in the ifcfg files. The address is spliced
    # unescaped into a shell/sed expression; it comes from the syco config,
    # which is assumed to be trusted and to hold a plain IP -- TODO confirm.
    x("grep -irl dns ifcfg*|xargs sed -i 's/.*\\(dns.*\\)[=].*/\\1={0}/ig'"
      .format(nameserver_ip),
      cwd="/etc/sysconfig/network-scripts")

    version_obj.mark_executed()
def install_bind_client(args):
    """Point this host's resolver at the syco DNS servers.

    All configured nameservers go into ``/etc/resolv.conf``; the first one
    is also written into the NetworkManager ifcfg files so the setting
    survives a reboot. A repeat run is presumably aborted by
    ``check_executed()`` on the version record.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install bind client.")
    version_obj = version.Version("InstallBindClient", SCRIPT_VERSION)
    version_obj.check_executed()

    primary_nameserver = config.general.get_nameserver_server_ip()

    # Outbound DNS firewall rules are handled elsewhere
    # (iptables._setup_dns_resolver_rules); only wait for the server here.
    general.wait_for_server_to_start(primary_nameserver, "53")

    # resolv.conf is rewritten by NetworkManager at reboot, which is why the
    # ifcfg files are patched as well further down.
    resolv = scOpen("/etc/resolv.conf")
    resolv.remove("nameserver.*")
    for nameserver in config.general.get_nameserver_server_ips():
        resolv.add("nameserver {0} ".format(nameserver))

    # Rewrite every DNS*= entry in the ifcfg files. The address is spliced
    # unescaped into a shell/sed expression; it comes from the syco config,
    # which is assumed to be trusted and to hold a plain IP -- TODO confirm.
    x("grep -irl dns ifcfg*|xargs sed -i 's/.*\\(dns.*\\)[=].*/\\1={0}/ig'"
      .format(primary_nameserver),
      cwd="/etc/sysconfig/network-scripts")

    version_obj.mark_executed()
def install_mysql_replication(args):
    """Set up and start MySQL master-master replication.

    Run on the secondary master once the primary master is configured. On
    each of the two masters the replication account is recreated with a
    freshly generated password, allowed from both master addresses, and the
    host is pointed at the other master as its replication source.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    primary_ip = config.general.get_mysql_primary_master_ip()
    secondary_ip = config.general.get_mysql_secondary_master_ip()
    general.wait_for_server_to_start(primary_ip, "3306")

    # One shared replication password for both directions. It is spliced
    # straight into SQL text, so generate_password() must not emit quote
    # characters -- TODO confirm its alphabet.
    repl_password = general.generate_password(20)

    grant_sql = ("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'{0}' "
                 "IDENTIFIED BY '{1}';")
    # NOTE(review): the '******' literals here and in the DELETE below look
    # like redacted values in this copy of the source; the master user and
    # password are expected to be the repl account and repl_password --
    # verify against the original.
    change_master_sql = ("CHANGE MASTER TO MASTER_HOST='{0}', "
                         "MASTER_USER='******', MASTER_PASSWORD='******'")

    for ip in (primary_ip, secondary_ip):
        # Each master replicates from the other one.
        peer_ip = secondary_ip if ip == primary_ip else primary_ip

        mysql_exec("stop slave;", True, ip)
        # Drop any previous replication account before recreating it.
        mysql_exec("delete from mysql.user where User = '******';", True, ip)
        mysql_exec("flush privileges;", True, ip)
        for source_ip in (primary_ip, secondary_ip):
            mysql_exec(grant_sql.format(source_ip, repl_password), True, ip)
        mysql_exec(change_master_sql.format(peer_ip), True, ip)
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
def install_sssd(args):
    """Install sssd and connect this host to the network's LDAP server.

    Collects the sssd LDAP password up front, opens the firewall for LDAP,
    waits for the LDAPS port, installs certificates, runs authconfig and
    then writes the sssd and sudo configuration. A repeat run is presumably
    aborted by ``check_executed()`` on the version record.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Prompt for every password now so the rest of the run is unattended.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    # Allow LDAP traffic through the host firewall before waiting on the
    # server's LDAPS port.
    iptables.add_ldap_chain()
    iptables.save()
    general.wait_for_server_to_start(config.general.get_ldap_server_ip(), "636")

    install_certs()

    # Deliberately run twice: the original author found a single run
    # insufficient, reason unknown.
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    configured_sssd()
    configured_sudo()

    version_obj.mark_executed()
def install_sssd(args):
    """Install sssd and connect this host to the network's LDAP server.

    Collects the sssd LDAP password up front, opens the firewall for LDAP,
    waits for the LDAPS port, installs certificates, runs authconfig and
    then writes the sssd and sudo configuration through Augeas. A repeat
    run is presumably aborted by ``check_executed()`` on the version record.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Prompt for every password now so the rest of the run is unattended.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    # Allow LDAP traffic through the host firewall before waiting on the
    # server's LDAPS port.
    iptables.add_ldap_chain()
    iptables.save()
    general.wait_for_server_to_start(config.general.get_ldap_server_ip(), "636")

    install_certs()

    # Deliberately run twice: the original author found a single run
    # insufficient, reason unknown.
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()

    # Config edits go through Augeas, driven by the same x() shell runner.
    augeas = Augeas(x)
    create_sss_folders()
    configure_sssd(augeas)
    configure_sudo(augeas)

    version_obj.mark_executed()
def wait_for_installation_server_to_start():
    """Block until the installation server accepts connections on port 22.

    TODO: checking the cobbler web repo folder (for example by installing
    something through refresh_repo) would be a better readiness signal than
    sshd being up.
    """
    install_server_ip = config.general.get_installation_server_ip()
    general.wait_for_server_to_start(install_server_ip, 22)
def install_rsyslogd_client(args):
    """Install and configure rsyslog as a client of the central log server.

    Refuses to run on a host that already has the rsyslog *server* installed,
    opens the firewall, waits for log server 1, installs rsyslog with the
    gnutls module, writes the client config and certificate, restarts the
    service and installs logrotate.

    Args:
        args: command-line arguments, passed on to _gen_and_copy_cert() and
            installLogrotate.install_logrotate().
    """
    app.print_verbose("Install rsyslog client.")

    # A host is either rsyslog server or client, never both: check_executed()
    # on the server's version record presumably raises when the server is
    # installed here.
    server_version = version.Version("InstallRsyslogd",
                                     installRsyslogd.SCRIPT_VERSION)
    server_version.check_executed()

    client_version = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    client_version.check_executed()

    # Collect every password up front so the run does not stall on a prompt.
    app.init_mysql_passwords()

    # Open the firewall for the client before the log server is reachable.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    log_server = config.general.get_log_server_hostname1()
    general.wait_for_server_to_start(log_server, "514")

    app.print_verbose("CIS 5.2 Configure rsyslog")
    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    # The legacy xinetd syslog must not compete with rsyslog for the socket.
    # NOTE(review): the original indentation was lost; "chkconfig rsyslog on"
    # is taken to be unconditional -- confirm against the original source.
    if os.path.exists('/etc/xinetd.d/syslog'):
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Pick up the new config and certificate.
    x("/etc/init.d/rsyslog restart")

    installLogrotate.install_logrotate(args)

    client_version.mark_executed()
def install_mysql_replication(args):
    """Set up and start MySQL master-master replication.

    Run on the secondary master once the primary master is configured. On
    each of the two masters the replication account is recreated with a
    freshly generated password, allowed from both master addresses, and the
    host is pointed at the other master as its replication source.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    primary_ip = config.general.get_mysql_primary_master_ip()
    secondary_ip = config.general.get_mysql_secondary_master_ip()
    general.wait_for_server_to_start(primary_ip, "3306")

    # One shared replication password for both directions. It is spliced
    # straight into SQL text, so generate_password() must not emit quote
    # characters -- TODO confirm its alphabet.
    repl_password = general.generate_password(20)

    # Each master replicates from the other one.
    peer_of = {primary_ip: secondary_ip, secondary_ip: primary_ip}

    def grant_statement(source_ip):
        return ("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + source_ip +
                "' IDENTIFIED BY '" + repl_password + "';")

    def change_master_statement(master_ip):
        # NOTE(review): the '******' literals here and in the DELETE below
        # look like redacted values in this copy of the source; the master
        # user and password are expected to be the repl account and
        # repl_password -- verify against the original.
        return ("CHANGE MASTER TO MASTER_HOST='" + master_ip +
                "', MASTER_USER='******', MASTER_PASSWORD='******'")

    for ip in [primary_ip, secondary_ip]:
        mysql_exec("stop slave;", True, ip)
        # Drop any previous replication account before recreating it.
        mysql_exec("delete from mysql.user where User = '******';", True, ip)
        mysql_exec("flush privileges;", True, ip)
        mysql_exec(grant_statement(primary_ip), True, ip)
        mysql_exec(grant_statement(secondary_ip), True, ip)
        mysql_exec(change_master_statement(peer_of[ip]), True, ip)
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
def install_mariadb_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured. The peer is taken from the
    ``repl_peer`` option of this host's config; the local server is reached
    over 127.0.0.1 and the peer over its address. On both servers the
    replication account is recreated with a freshly generated password and
    each server is pointed at the other as its replication source.

    Args:
        args: command-line arguments; unused here.
    """
    app.print_verbose(
        "Install MariaDB replication version: %d" % SCRIPT_VERSION
    )
    version_obj = version.Version("install-mariadb-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")

    general.wait_for_server_to_start(repl_peer, "3306")

    # One shared replication password for both directions. It is spliced
    # straight into SQL text, so generate_password() must not emit quote
    # characters -- TODO confirm its alphabet.
    repl_password = general.generate_password(20)

    # This host's own address as seen by the peer.
    front_ip = current_host_config.get_front_ip()
    for ip in ["127.0.0.1", repl_peer]:
        mysql_exec("stop slave;", True, ip)
        # Drop any previous replication account before recreating it.
        # NOTE(review): the '******' literal looks like a redacted value in
        # this copy of the source -- verify against the original.
        mysql_exec("delete from mysql.user where User = '******'", True, ip)
        mysql_exec("flush privileges;", True, ip)
        # Grant replication from both addresses in a single statement.
        mysql_exec(
            "GRANT REPLICATION SLAVE ON *.* TO " +
            "'repl'@'%s' IDENTIFIED BY '%s'," % (repl_peer, repl_password) +
            "'repl'@'%s' IDENTIFIED BY '%s'" % (front_ip, repl_password),
            True, ip)

        # NOTE(review): the MASTER_USER/MASTER_PASSWORD string below has no
        # %s, so "... % repl_password" raises TypeError at runtime; the
        # '******' literals look redacted in this copy of the source --
        # confirm against the original before relying on this code.
        if ip == "127.0.0.1":
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % repl_peer +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )
        else:
            mysql_exec(
                "CHANGE MASTER TO MASTER_HOST='%s', " % front_ip +
                "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
                True, ip
            )
        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()