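def install_mail_server(args):
    '''
    Install and configure sendmail as the syco mail-relay server on this host.

    Steps: install sendmail, mark the host as a relay for the iptables
    rules, reconfigure the network (resolv.conf, localhost, restart), let
    every client whose address starts with 10.100 relay through this
    server, drop the loopback-only DAEMON_OPTIONS line so sendmail accepts
    connections from other hosts, rebuild the sendmail config and send a
    test mail.  The "Install-mail-relay-server" version marker is checked
    first and set at the end.

    args is unused; it only matches the syco command signature.
    '''
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Tell iptables that this server is configured as a mail-relay server.
    general.shell_exec("touch /etc/mail/syco_mail_relay_server")
    iptables.add_mail_relay_chain()
    iptables.save()

    hardening.network.configure_resolv_conf()
    hardening.network.configure_localhost()
    hardening.network.restart_network()

    app.print_verbose("Configure /etc/mail/*")

    # Allow all servers on localdomain to relay through this server.
    # "Connect:10.100" matches every source address beginning with 10.100,
    # so the mail-relay iptables chain is what keeps outsiders off port 25.
    set_config_property2("/etc/mail/access", "Connect:10.100 RELAY")
    # Absolute paths: the previous "makemap hash access < access" only
    # worked when the current working directory happened to be /etc/mail.
    x("/usr/sbin/makemap hash /etc/mail/access < /etc/mail/access")

    # Remove the loopback address restriction to accept email from the
    # internet or intranet.
    set_config_property(
        "/etc/mail/sendmail.mc",
        r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
        r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()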
def build_client_certs(args):
    '''
    Build an OpenVPN client key bundle for every user directory in /home.

    For each entry of /home that is not lost+found and does not yet contain
    openvpn_client_keys.zip, an easy-rsa PKCS#12 key pair named after the
    user is generated, client.conf is pointed at that user's cert/key, and
    ca.crt, the user's crt/key/p12, client.conf, install.txt and
    /etc/openvpn/ta.key are zipped into the user's home directory, readable
    by the owner and the "users" group only.  A cron line re-runs this
    command hourly.  args is unused.

    NOTE(review): the indentation of this listing was flattened; the
    statement nesting below (everything from os.chdir() to the chown inside
    the `if`) was reconstructed -- verify against the original source.
    '''
    install.package("zip")
    os.chdir("/etc/openvpn/easy-rsa/keys")

    # Re-run hourly so users created later get a bundle as well.
    general.set_config_property(
        "/etc/cronjob",
        "01 * * * * root run-parts syco build_client_certs",
        "01 * * * * root run-parts syco build_client_certs")

    # Create client.conf
    clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
    # "%" binds tighter than "+": only the last literal is formatted.
    x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
    scOpen(clientConf).replace('${OPENVPN.HOSTNAME}', config.general.get_openvpn_hostname())
    x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

    for user in os.listdir("/home"):
        cert_already_installed = os.access(
            "/home/" + user + "/openvpn_client_keys.zip", os.F_OK)
        # Only lost+found is filtered out; every other directory name is
        # treated as a user name and spliced into the shell commands below.
        valid_file = "lost+found" not in user

        if valid_file and not cert_already_installed:
            os.chdir("/etc/openvpn/easy-rsa/")
            # Point easy-rsa's vars at this user before building the key.
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_CN.*', 'export KEY_CN="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_NAME.*', 'export KEY_NAME="' + user + '"')
            general.set_config_property(
                "/etc/openvpn/easy-rsa/build-key-pkcs12",
                '.*export EASY_RSA.*',
                'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')
            # NOTE(review): the values of the events dict (the PKCS#12 export
            # password answers) were redacted to '******' in this listing and
            # are not valid Python as shown; restore them from the project.
            out = general.shell_exec(
                "./build-key-pkcs12 --batch " + user,
                cwd="/etc/openvpn/easy-rsa/",
                events={
                    '(?i)Enter Export Password:'******'\n',
                    '(?i)Verifying - Enter Export Password:'******'\n'
                })
            app.print_verbose(out)

            # Config client.crt
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf",
                "^cert.*crt",
                "cert " + user + ".crt")
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf",
                "^key.*key",
                "key " + user + ".key")

            os.chdir("/etc/openvpn/easy-rsa/keys")
            # The bundle also carries the shared TLS-auth key ta.key.
            x("zip /home/" + user + "/openvpn_client_keys.zip ca.crt " + user + ".crt " + user + ".key " + user + ".p12 client.conf install.txt /etc/openvpn/ta.key")

            # Set permission for the user who now owns the file.
            os.chmod("/home/" + user + "/openvpn_client_keys.zip", stat.S_IRUSR | stat.S_IRGRP)
            general.shell_exec("chown " + user + ":users /home/" + user + "/openvpn_client_keys.zip ")
def uninstall_ca(args):
    '''
    Remove ca and all certs in the ca

    NOTE(review): the unconditional `return` below disables this command;
    nothing after it runs.  It was presumably left in on purpose because
    the body deletes the whole /etc/ssl tree -- confirm before re-enabling.
    (If the original source has `return app.print_verbose(...)` on one
    line, the message is printed first; the rest is still unreachable.)
    '''
    return
    app.print_verbose("Uninstall CA")
    if (os.path.exists('/etc/ssl/ca/private/ca.key')):
        # Removes all of /etc/ssl/, not only the CA material.
        general.shell_exec("rm -rf /etc/ssl/")
    # script_version (lower case) is not the SCRIPT_VERSION used by the other
    # commands in this file; it has to be defined by the CA module.
    version_obj = version.Version("InstallCa", script_version)
    version_obj.mark_uninstalled()
def uninstall_mail(args):
    '''
    Remove the sendmail configuration and reinstall the stock package.

    /etc/mail is deleted and sendmail is reinstalled through yum so the
    package defaults come back; the "Install-mail-relay" marker is then
    cleared.  The mail-relay iptables chain is left in place.  args is
    unused.

    NOTE(review): the marker name "Install-mail-relay" matches neither
    "Install-mail-relay-server" nor "Install-mail-relay-client" used by the
    install commands in this file -- verify which marker should be cleared.
    '''
    #iptables.del_mail_chain()
    #iptables.save()
    cleanup_steps = (
        "rm -rf /etc/mail",
        "yum -y reinstall sendmail",
    )
    for step in cleanup_steps:
        general.shell_exec(step)

    version.Version("Install-mail-relay", SCRIPT_VERSION).mark_uninstalled()
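def install_nodejs(args):
    '''
    Download, build and install Node.js from source under /usr/node.

    args[1] is the version to install, e.g. "0.12.2".  Raises Exception
    with a usage message when the version argument is missing or extra
    arguments are given.  Any previous /usr/node tree is removed first.
    '''
    if len(args) != 2:
        raise Exception("syco install-nodejs 0.12.2 (or other version)")
    node_version = args[1]

    x('rm -rf /usr/node')
    x('mkdir /usr/node')
    os.chdir('/usr/node')

    # Use general.shell_exec since x(wget) gives an error for each progress
    # output.  The tarball is fetched over TLS so it cannot be swapped in
    # transit; the build below runs as root.
    # TODO(review): verify the tarball against the SHASUMS256.txt published
    # alongside it before building.
    tarball = 'node-v{0}.tar.gz'.format(node_version)
    general.shell_exec('wget https://nodejs.org/dist/v{0}/{1}'.format(node_version, tarball))

    # Use the explicit directory name rather than a "node-v*" glob, which
    # also matches the tarball once it has been extracted.
    src_dir = 'node-v{0}'.format(node_version)
    x('tar xzvf ' + tarball)
    x('yum install gcc gcc-c++ -y')
    x('cd ' + src_dir + ' && ./configure')
    x('cd ' + src_dir + ' && make')
    x('cd ' + src_dir + ' && make install')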
def uninstall_ntp(args):
    '''
    Uninstall NTP

    Stops ntpd and removes the package when /etc/ntp.conf exists, then
    removes the NTP iptables chain and clears the "InstallNTP" marker.
    args is unused.

    NOTE(review): this listing was flattened; the nesting below (only the
    stop/remove commands inside the os.access() guard) was reconstructed --
    verify against the original source.
    '''
    if (os.access("/etc/ntp.conf", os.F_OK)):
        general.shell_exec("service ntpd stop")
        general.shell_exec("yum -y remove ntp ")

    iptables.del_ntp_chain()
    iptables.save()

    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
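def vir_rm(args):
    '''
    Destroy and remove a KVM guest together with its storage on this host.

    args[1] is the libvirt domain name.  The guest is destroyed and
    undefined, its qemu log is removed, its logical volume under
    /dev/VolGroup00 is deleted, libvirtd is restarted and the locate
    database is refreshed.  Raises Exception when the name is missing.
    '''
    # TODO: Check if this is a KVM host
    if len(args) < 2:
        raise Exception("vir_rm: missing the name of the virtual server to remove")
    server_name = args[1]
    app.print_verbose("Remove virtual server %s." % server_name)

    app.print_verbose("Destory the kvm instance")
    general.shell_exec("virsh destroy " + server_name)
    general.shell_exec("virsh undefine " + server_name)
    general.remove_file("/var/log/libvirt/qemu/" + server_name + ".log")
    # Irreversible: this drops the guest's disk.  The name is spliced into
    # the command line, so it must be a plain volume name.
    general.shell_exec("lvremove -f /dev/VolGroup00/" + server_name)

    app.print_verbose("Restart libvirtd")
    general.shell_exec("/etc/init.d/libvirtd restart")
    general.shell_exec("updatedb")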
def uninstall_dhcp(args):
    '''
    Stop, disable and erase the DHCP server and its configuration.

    dhcpd is stopped and disabled, dhcpd.conf removed, DHCPDARGS in
    /etc/sysconfig/dhcpd emptied, the dhcp package erased and the
    "InstallDHCPServer" marker cleared.  args is unused.
    '''
    shutdown_steps = (
        "service dhcpd stop",
        "/sbin/chkconfig dhcpd off",
        "rm /etc/dhcp/dhcpd.conf",
    )
    for step in shutdown_steps:
        general.shell_exec(step)

    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*", "DHCPDARGS=")
    general.shell_exec("yum -y erase dhcp")

    version.Version("InstallDHCPServer", SCRIPT_VERSION).mark_uninstalled()
def rsync(self, from_path, to_path, extra=""):
    '''
    Rsync copy data from localhost to remote server.

    rsync("/tmp/foobar", "/tmp/bar")

    The local ssh key is installed on the remote host first and rsync is
    installed there when missing.  `extra` is appended verbatim to the
    rsync command line.  Note that --delete removes files on the remote
    side that are absent locally, and that every argument is concatenated
    into one shell string (callers must pre-quote paths containing shell
    metacharacters).
    '''
    self.install_ssh_key()

    # Remote install rsync
    self.ssh_exec('[[ "$(rpm -q rsync)" == *installed ]] && ( yum -y install rsync; exit 0)')

    ssh_transport = 'ssh ' + self.ssh_options + " -p" + self.port + " -i " + self.ssh_private_key_file
    remote_target = self.user + "@" + self.server + ":" + to_path
    general.shell_exec(
        'rsync --delete -az -e "' + ssh_transport + '" ' + extra + " " + from_path + " " + remote_target
    )
def rsync(self, from_path, to_path, extra=""):
    '''
    Rsync copy data from localhost to remote server.

    rsync("/tmp/foobar", "/tmp/bar")

    Installs the local ssh key on the remote host, makes sure rsync is
    present there, then runs rsync over ssh using this object's
    ssh_options, port, private key, user and server.  `extra` is inserted
    verbatim before the source path; --delete prunes remote files that no
    longer exist locally.
    '''
    self.install_ssh_key()

    # Remote install rsync
    ensure_rsync = '[[ "$(rpm -q rsync)" == *installed ]] && ( yum -y install rsync; exit 0)'
    self.ssh_exec(ensure_rsync)

    # Assembled piece by piece; join() fails the same way "+" does if one
    # of the attributes is not a string.
    pieces = [
        'rsync --delete -az -e "ssh ',
        self.ssh_options,
        " -p",
        self.port,
        " -i ",
        self.ssh_private_key_file,
        '" ',
        extra,
        " ",
        from_path,
        " ",
        self.user,
        "@",
        self.server,
        ":",
        to_path,
    ]
    general.shell_exec("".join(pieces))
def atomic_repo():
    """
    Setup ATOMIC repository. Used for openvas, ossec etc.

    Downloads the Atomicorp installer script and pipes it into sh,
    answering its "[Default: yes]" prompt with a newline, then checks that
    /etc/yum.repos.d/atomic.repo exists.  Raises Exception if it does not.

    NOTE(review): this executes a remote script as root, fetched over plain
    http with no integrity check.  Prefer a TLS download plus a checksum or
    signature check if the vendor publishes one -- confirm before changing.
    """
    # Must be imported in the function, because install.py should be possible
    # to import before app and general.
    import app
    import general

    installer_cmd = "wget -q -O - http://www.atomicorp.com/installers/atomic | sh"
    prompt_answers = {r'(?i)\[Default: yes\]': '\n'}

    app.print_verbose("Adding atomic repo for yum.")
    general.shell_exec(installer_cmd, events=prompt_answers)

    repo_present = os.access("/etc/yum.repos.d/atomic.repo", os.F_OK)
    if not repo_present:
        raise Exception("You need to install the atomic repo first.")
def atomic_repo():
    """
    Setup ATOMIC repository. Used for openvas, ossec etc.

    Runs the Atomicorp installer (downloaded with wget and piped to sh,
    auto-answering the "[Default: yes]" prompt) and then requires
    /etc/yum.repos.d/atomic.repo to exist; otherwise Exception is raised.

    NOTE(review): piping an http download straight into sh as root means
    the repo setup trusts the network path completely; a verified
    download would be safer -- check what the vendor offers.
    """
    # Must be imported in the function, because install.py should be possible
    # to import before app and general.
    import app
    import general

    app.print_verbose("Adding atomic repo for yum.")
    general.shell_exec(
        "wget -q -O - http://www.atomicorp.com/installers/atomic | sh",
        events={r"(?i)\[Default: yes\]": "\n"},
    )

    if os.access("/etc/yum.repos.d/atomic.repo", os.F_OK):
        return
    raise Exception("You need to install the atomic repo first.")
def build_client_certs(args):
    '''
    Build an OpenVPN client key bundle for every user directory in /home.

    Like the other variant of this command, but client.conf additionally
    gets "auth-user-pass" appended and the zip does not include
    /etc/openvpn/ta.key.  For each entry of /home that is not lost+found
    and has no openvpn_client_keys.zip yet, an easy-rsa PKCS#12 key pair
    named after the user is built and zipped into the home directory with
    owner/group read permission.  args is unused.

    NOTE(review): the listing was flattened; the nesting inside the `if`
    (down to the final chown) was reconstructed -- verify against source.
    '''
    install.package("zip")
    os.chdir("/etc/openvpn/easy-rsa/keys")

    # Re-run hourly so users created later get a bundle as well.
    general.set_config_property("/etc/cronjob",
                                "01 * * * * root run-parts syco build_client_certs",
                                "01 * * * * root run-parts syco build_client_certs")

    # Create client.conf
    clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
    # "%" binds tighter than "+": only the last literal is formatted.
    x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
    # Clients of this build must also present a username/password.
    x("echo auth-user-pass >> %s" % clientConf)
    scOpen(clientConf).replace('${OPENVPN.HOSTNAME}', config.general.get_openvpn_hostname())
    x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

    for user in os.listdir("/home"):
        cert_already_installed = os.access("/home/" + user + "/openvpn_client_keys.zip", os.F_OK)
        # Only lost+found is filtered out; any other directory name is used
        # as a user name in the shell commands below.
        valid_file = "lost+found" not in user

        if valid_file and not cert_already_installed:
            os.chdir("/etc/openvpn/easy-rsa/")
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_CN.*', 'export KEY_CN="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/vars", '[\s]*export KEY_NAME.*', 'export KEY_NAME="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/build-key-pkcs12", '.*export EASY_RSA.*', 'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')
            # NOTE(review): the events values (export password answers) were
            # redacted to '******' in this listing and are not valid Python
            # as shown; restore them from the project source.
            out = general.shell_exec("./build-key-pkcs12 --batch " + user,
                                     cwd="/etc/openvpn/easy-rsa/",
                                     events={'(?i)Enter Export Password:'******'\n',
                                             '(?i)Verifying - Enter Export Password:'******'\n'}
                                     )
            app.print_verbose(out)

            # Config client.crt
            general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt", "cert " + user + ".crt")
            general.set_config_property("/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key", "key " + user + ".key")
            # NOTE(review): the placeholder was already replaced by scOpen()
            # above, and "${OPENVPN.HOSTNAME}" read as a regex is unlikely to
            # match anything -- presumably a leftover; confirm.
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf",
                "${OPENVPN.HOSTNAME}",
                config.general.get_openvpn_hostname()
            )

            os.chdir("/etc/openvpn/easy-rsa/keys")
            x("zip /home/" + user + "/openvpn_client_keys.zip ca.crt " + user + ".crt " + user + ".key " + user + ".p12 client.conf install.txt")

            # Set permission for the user who now owns the file.
            os.chmod("/home/" + user + "/openvpn_client_keys.zip", stat.S_IRUSR | stat.S_IRGRP)
            general.shell_exec("chown " + user + ":users /home/" + user + "/openvpn_client_keys.zip ")
def uninstall_openvas(args):
    '''
    Uninstall OpenVAS (the original docstring said "nmap").

    When the openvas-manager init script exists, the manager, scanner and
    gsad services are stopped, the openvas packages and /var/lib/openvas
    removed.  The OpenVAS iptables chain is then dropped, SELinux is set
    back to enforcing (runtime and /etc/selinux/config) and the
    "InstallOpenVAS" marker cleared.  args is unused.

    NOTE(review): the listing was flattened; only the stop/remove commands
    are assumed to sit inside the os.access() guard -- verify.
    '''
    if (os.access("/etc/init.d/openvas-manager", os.F_OK)):
        general.shell_exec("/etc/init.d/openvas-manager stop")
        general.shell_exec("/etc/init.d/openvas-scanner stop")
        general.shell_exec("/etc/init.d/gsad stop")
        x("yum -y remove openvas-*")
        x("rm -rf /var/lib/openvas")
        #x("rm /etc/yum.repos.d/atomic.repo")

    iptables.del_openvas_chain()
    iptables.save()

    # The install presumably switched SELinux to permissive; restore enforcing.
    app.print_verbose("Enabling SELINUX")
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*","SELINUX=enforcing")

    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
def install_ntp(ntp_server_ip=False):
    '''
    Install and configure the ntp-server on the local host.

    With ntp_server_ip set, /etc/ntp.conf is written as a client that
    accepts only that internal server; without it the host becomes a server
    using the public upstreams listed below plus the slave NTP server from
    the syco config.  The "InstallNTP" marker is checked first and set at
    the end.

    NOTE(review): the listing was flattened; the nesting of the package
    install / iptables statements and of the trailing start/mark lines was
    reconstructed -- verify against the original source.
    '''
    app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install the NTP packages.
    if (not os.access("/etc/ntp.conf", os.F_OK)):
        general.shell_exec("yum -y install ntp")
        general.shell_exec("/sbin/chkconfig ntpd on")

    iptables.add_ntp_chain()
    iptables.save()

    # Set ntp-server configs
    #
    # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
    #
    if (ntp_server_ip):
        app.print_verbose("Configure /etc/ntp.conf as a client")

        # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
        general.set_config_property("/etc/ntp.conf", "restrict default.*", "restrict default ignore")
        general.set_config_property("/etc/ntp.conf", "restrict -6 default.*", "restrict -6 default ignore")

        # Using only internal NTP-server.
        general.set_config_property("/etc/ntp.conf", "server 0.*ntp.org", "server " + ntp_server_ip + " burst")
        general.set_config_property("/etc/ntp.conf", ".*server 1.*ntp.org", "#server 1.se.pool.ntp.org")
        general.set_config_property("/etc/ntp.conf", ".*server 2.*ntp.org", "#server 2.se.pool.ntp.org")
        general.set_config_property("/etc/ntp.conf", ".*server 3.*ntp.org", "#server 3.se.pool.ntp.org")

        # Allow access to/from the ntp-server. You may use either a hostname or IP address
        # on the server line. You must use an IP address on the restrict line. Or do I??
        # (The address is used unescaped as the search regex; dots match any char.)
        general.set_config_property("/etc/ntp.conf", "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery", "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery")

        # Don't use fudge server
        general.set_config_property("/etc/ntp.conf", ".*server.*127.127.1.0.*", "#server 127.127.1.0")
        general.set_config_property("/etc/ntp.conf", ".*fudge.*127.127.1.0.*", "#fudge 127.127.1.0 stratum 10")

        # This command modifies the ntpd panic threshold (which is normally 1024
        # seconds). Setting this to 0 disables the panic sanity check and a clock
        # offset of any value will be accepted.
        # NOTE(review): with the sanity check off, a wrong or spoofed answer from
        # the configured server can step the clock by any amount; the "restrict"
        # lines above are what limits which peers are trusted.
        general.set_config_property("/etc/ntp.conf", ".*tinker panic.*", "tinker panic 0")
    else:
        app.print_verbose("Configure /etc/ntp.conf as a server")
        general.set_config_property("/etc/ntp.conf", "server 0.*ntp.org", "server ntp3.sptime.se")
        general.set_config_property("/etc/ntp.conf", "server 1.*ntp.org", "server ntp4.sptime.se")
        general.set_config_property("/etc/ntp.conf", "server 2.*ntp.org", "server ntp1.sth.netnod.se")
        general.set_config_property("/etc/ntp.conf", "server 3.*ntp.org", "server " + config.general.get_slave_ntp_server())

    general.shell_exec("service ntpd start")
    version_obj.mark_executed()
def install_local(args): ''' Run all commands on the localhost. ''' # Ask the user for all passwords that might be used in the remote install # so the installation can go on headless. app.init_all_passwords() hostname = "" if len(args) > 1: hostname = args[1] if hostname == "": hostname = socket.gethostname() app.print_verbose("Install all commands defined in install.cfg for host " + hostname + ".") commands = config.host(hostname).get_commands(app.options.verbose >= 2) if len(commands) > 0: for command in commands: general.shell_exec(command) else: app.print_error("No commands for this host.")
def install_dhcp(args):
    """
    Install a dhcp server on the current server.

    Installs and enables dhcpd, copies the syco dhcp3.conf template to
    /etc/dhcp/dhcpd.conf with ${IP} replaced by what net.get_ip_class_c()
    returns for the LAN address, points DHCPDARGS at the back-end
    interface and restarts dhcpd.  The "InstallDHCPServer" marker is
    checked first and set at the end.  args is unused.
    """
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    version_obj.check_executed()

    for step in ("yum -y install dhcp", "/sbin/chkconfig dhcpd on"):
        general.shell_exec(step)

    template_path = app.SYCO_PATH + "/var/dhcp/dhcp3.conf"
    dhcpd_conf = "/etc/dhcp/dhcpd.conf"
    shutil.copyfile(template_path, dhcpd_conf)

    lan_prefix = net.get_ip_class_c(net.get_lan_ip())
    general.set_config_property(dhcpd_conf, r"\$\{IP\}", lan_prefix)

    daemon_args = "DHCPDARGS=%s" % get_back_interface()
    general.set_config_property("/etc/sysconfig/dhcpd", ".*DHCPDARGS.*", daemon_args)

    general.shell_exec("service dhcpd restart")
    version_obj.mark_executed()
def install_dhcp(args):
    '''
    Install a dhcp server on the current server.

    Package install and chkconfig, then the syco dhcp3.conf template is
    copied into place, its ${IP} placeholder filled from the LAN address
    and DHCPDARGS bound to the back interface before dhcpd is restarted.
    Guarded by the "InstallDHCPServer" version marker.  args is unused.
    '''
    app.print_verbose("Install DHCP-Server version: %d" % SCRIPT_VERSION)
    marker = version.Version("InstallDHCPServer", SCRIPT_VERSION)
    marker.check_executed()

    general.shell_exec("yum -y install dhcp")
    general.shell_exec("/sbin/chkconfig dhcpd on")

    # Start from the syco template, then fill in the network prefix.
    shutil.copyfile(app.SYCO_PATH + "/var/dhcp/dhcp3.conf", "/etc/dhcp/dhcpd.conf")
    general.set_config_property(
        "/etc/dhcp/dhcpd.conf",
        r"\$\{IP\}",
        net.get_ip_class_c(net.get_lan_ip()),
    )
    general.set_config_property(
        "/etc/sysconfig/dhcpd",
        ".*DHCPDARGS.*",
        "DHCPDARGS=%s" % get_back_interface(),
    )

    general.shell_exec("service dhcpd restart")
    marker.mark_executed()
def install_monitor(args):
    '''
    Install the monitoring agents (nagios-plugins, NRPE and munin-node).

    nrpe.cfg is rewritten so only the monitor server from the syco config
    may connect, every stock command line is commented out and the syco
    nrpe_fareoffice.cfg command set is installed in /etc/nrpe.d instead.
    munin-node is restricted to the same address, the monitor iptables
    chain is added and both agents are restarted.  args is unused.
    '''
    # Installting nagios plugins and nrpe server
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    nrpe_cfg = "/etc/nagios/nrpe.cfg"

    # Accept connections from the monitor server only, drop the stock
    # command definitions and use the syco ones from /etc/nrpe.d instead.
    general.set_config_property(nrpe_cfg, "^allowed_hosts=.*", "allowed_hosts=" + config.general.get_monitor_server())
    general.set_config_property(nrpe_cfg, r"^[\#]?command.*", "#command")
    # NOTE(review): dont_blame_nrpe=1 lets the monitor server pass arguments
    # to check commands; allowed_hosts and the iptables chain are what keep
    # that surface limited to the monitor host.
    general.set_config_property(nrpe_cfg, "^dont_blame_nrpe=.*", "dont_blame_nrpe=1")

    # munin-node's "allow" takes a regex, so the dots are escaped.  A
    # hostname instead of a dotted-quad address raises IndexError here.
    octets = config.general.get_monitor_server().split(".")
    allow_pattern = "allow " + r"\.".join((octets[0], octets[1], octets[2], octets[3]))
    general.set_config_property("/etc/munin/munin-node.conf", "^allow.*", allow_pattern)

    x("rm /etc/nrpe.d/nrpe_fareoffice.cfg")
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg /etc/nrpe.d/nrpe_fareoffice.cfg")

    # Openning ports in iptabled for accepting connections from
    # monitor server.
    # Opening port 4949 munin and 5666 nrpe
    iptables.add_monitor_chain()

    # Restaring services
    for service in ('/etc/init.d/nrpe restart', '/etc/init.d/munin-node restart'):
        general.shell_exec(service)
def install_monitor(args):
    """
    Install nagios-plugins-all, NRPE and munin-node on this host.

    The host is configured to accept NRPE and munin connections only from
    the monitor server named in the syco config: allowed_hosts and the
    munin "allow" regex are set to its address, stock NRPE commands are
    commented out in favour of the syco nrpe_fareoffice.cfg, the monitor
    iptables chain (4949 munin, 5666 nrpe) is opened and both services are
    restarted.  args is unused.
    """
    general.shell_exec("yum install nagios-plugins-all nrpe munin-node -y")

    monitor_server = config.general.get_monitor_server()

    # Only the monitor server may talk to NRPE; drop the packaged commands.
    general.set_config_property(
        "/etc/nagios/nrpe.cfg",
        "^allowed_hosts=.*",
        "allowed_hosts=" + monitor_server,
    )
    general.set_config_property("/etc/nagios/nrpe.cfg", r"^[\#]?command.*", "#command")
    # NOTE(review): dont_blame_nrpe=1 enables command arguments from the
    # monitor server; keep allowed_hosts and the firewall chain strict.
    general.set_config_property("/etc/nagios/nrpe.cfg", "^dont_blame_nrpe=.*", "dont_blame_nrpe=1")

    # munin-node "allow" is a regex; escape the dots of the IPv4 address.
    # Exactly four octets are expected (IndexError otherwise).
    a, b, c, d = (lambda parts: (parts[0], parts[1], parts[2], parts[3]))(
        config.general.get_monitor_server().split(".")
    )
    general.set_config_property(
        "/etc/munin/munin-node.conf",
        "^allow.*",
        "allow " + a + r"\." + b + r"\." + c + r"\." + d,
    )

    x("rm /etc/nrpe.d/nrpe_fareoffice.cfg")
    x("cp /opt/syco/var/monitor/nrpe_fareoffice.cfg /etc/nrpe.d/nrpe_fareoffice.cfg")

    # Open 4949 (munin) and 5666 (nrpe) for the monitor server.
    iptables.add_monitor_chain()

    general.shell_exec("/etc/init.d/nrpe restart")
    general.shell_exec("/etc/init.d/munin-node restart")
def uninstall_openvas(args):
    '''
    Uninstall OpenVAS (docstring originally read "Uninstall nmap").

    If /etc/init.d/openvas-manager exists: stop openvas-manager,
    openvas-scanner and gsad, remove the openvas-* packages and
    /var/lib/openvas.  Then drop the OpenVAS iptables chain, put SELinux
    back to enforcing (live and in /etc/selinux/config) and clear the
    "InstallOpenVAS" marker.  args is unused.

    NOTE(review): flattened listing; the guard is assumed to cover only the
    stop/remove commands -- verify against the original source.
    '''
    if (os.access("/etc/init.d/openvas-manager", os.F_OK)):
        general.shell_exec("/etc/init.d/openvas-manager stop")
        general.shell_exec("/etc/init.d/openvas-scanner stop")
        general.shell_exec("/etc/init.d/gsad stop")
        x("yum -y remove openvas-*")
        x("rm -rf /var/lib/openvas")
        #x("rm /etc/yum.repos.d/atomic.repo")

    iptables.del_openvas_chain()
    iptables.save()

    # Restore SELinux enforcing mode (the install is assumed to relax it).
    app.print_verbose("Enabling SELINUX")
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*", "SELINUX=enforcing")

    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
def _rebuild_sendmail_config():
    '''
    Regenerate sendmail's config from sendmail.mc and start the service.

    sendmail-cf (the m4 macro set) is only needed while `make` runs in
    /etc/mail, so it is installed before and removed again afterwards.
    The process working directory is left at /etc/mail.
    '''
    general.shell_exec("yum -y install sendmail-cf")
    os.chdir("/etc/mail")
    for step in ('make', 'service sendmail start'):
        general.shell_exec(step)
    general.shell_exec("yum -y remove sendmail-cf")
def install_dns(args):
    '''
    DNS Bind 9 Chrooted installation

    This will install the dns server on the host chrooted.
    This command is used only for Centos servers.

    args[1] must be "master" or "slave"; anything else exits the process
    via sys.exit().  Settings come from var/dns/zone.cfg under
    app.SYCO_PATH, zone data from var/dns/<zone>, and named.conf plus the
    per-view zone files are generated under /var/named/chroot.  Nothing is
    done when /opt/syco/lock/dns exists.

    NOTE(review): this listing was flattened; all block nesting below
    (including the placement of the "local servers" loops after the
    A-record loops) was reconstructed -- verify against the original
    source.  Python 2 print statements are kept as-is.
    '''
    if os.path.exists('/opt/syco/lock/dns'):
        ''' If dns server is locked from this script '''
        app.print_verbose(
            "This server has an lock stopping you from installing the DNS server "
        )
    else:
        ''' Installinb server package needed for dns '''
        general.shell_exec(
            "yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y"
        )
        os.chdir("/tmp/")

        '''
        Getting argument from command line
        master = setting upp master server
        slave = setting upp slave server
        '''
        if len(args) == 2:
            role = args[1]
            if (role != "master" and role != "slave"):
                sys.exit(
                    "use choose master ore slave server 'syco install-dns master'")
                #raise Exception("You can only enter master or slave, you entered " + args[1])
        else:
            sys.exit(
                "use choose master ore slave server 'syco install-dns master'")
        role = str(args[1])

        '''
        Reading zone.cfg file conting
        In zone.cfg is all config options neede for setting upp DNS Server
        This file is readed and the the options are saved and used when generating
        new config files
        '''
        config_f = ConfigParser.SafeConfigParser()
        config_zone = ConfigParser.SafeConfigParser()
        # Note: no slash between SYCO_PATH and 'var/...' here (other commands
        # in this file add one); SYCO_PATH is assumed to end with "/".
        config_f.read(app.SYCO_PATH + 'var/dns/zone.cfg')
        dnsrange = config_f.get('config', 'range')
        forward1 = config_f.get('config', 'forward1')
        forward2 = config_f.get('config', 'forward2')
        ipmaster = config_f.get('config', 'ipmaster')
        ipslave = config_f.get('config', 'ipslave')
        localnet = config_f.get('config', 'localnet')
        data_center = config_f.get('config', 'data_center')

        #Creating data dir
        x("mkdir /var/named/chroot/var/named/data")

        '''
        Depending if the server is an master then new rndc keys are genertaed
        if now old are done. If the server is slave the keys have to bee fetch from
        the master server.
        '''
        if os.path.exists('/var/named/chroot/etc/rndc_new.key'):
            _copy_rndc()
        else:
            if role == "master":
                os.chdir("/tmp")
                os.system(
                    "/usr/sbin/rndc-confgen > /var/named/chroot/etc/rndc_new.key")
                # NOTE(review): this chowns "rndc.key" relative to /tmp, not the
                # rndc_new.key just written under the chroot -- looks wrong;
                # confirm which file should be owned by root:named.
                general.shell_exec("chown root:named rndc.key")
                _copy_rndc()
            else:
                # Slave: fetch the key material generated on the master.
                os.chdir("/var/named/chroot/etc")
                scp_from(ipmaster, "/var/named/chroot/etc/rndc_new.key", "/var/named/chroot/etc/")

        def _generate_zone(location):
            '''
            Append one view ("internal" or "external") to named.conf and
            write the forward and reverse zone files for every zone in
            zone.cfg.  Uses config_f, config_zone, role and the zone.cfg
            values from the enclosing scope.
            '''
            # Captures the serial number of a "<digits> ; Serial" line.
            p = re.compile('[\s]*([\d]*)[\s]*[;][\s]*Serial')
            if location == "internal":
                o = open("/var/named/chroot/etc/named.conf", "a") #open for append
                o.write("view 'internt' {\n")
                o.write("match-clients { " + localnet + "; };\n")
                o.close()
            else:
                o = open("/var/named/chroot/etc/named.conf", "a") #open for append
                o.write("view 'external' {\n")
                o.write("match-clients { any; };\n")
                o.close()

            ''' Getting records from zone files and creating zone file for records '''
            for zone in config_f.options('zone'):
                rzone = config_f.get('zone', zone)
                # config_zone accumulates sections across iterations (read()
                # merges); sections are keyed by zone name so this works.
                config_zone.read(app.SYCO_PATH + 'var/dns/' + zone)
                print zone

                ''' Crating zone file and setting right settings form zone.cfg file '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + zone + ".zone", "w") #open for write
                for line in open(app.SYCO_PATH + "var/dns/template.zone"):
                    line = line.replace("$IPMASTER$", ipmaster)
                    line = line.replace("$IPSLAVE$", ipslave)
                    line = line.replace("$NAMEZONE$", zone)
                    serial = p.findall(line)
                    print line
                    # Bump the serial found in the template by one.
                    if len(serial) > 0:
                        line = str(int(serial[0]) + 1) + " ; Serial\n"
                    o.write(line + "\n")

                #Wrinting out arecord to zone file
                if location == "internal":
                    '''
                    Getting internal network address if thy are any else go back to use external address
                    Generating A record from domain file and adding them to zone file.
                    '''
                    # The options() call only probes for the section; its result is unused.
                    try:
                        config_zone.options("internal_" + zone + "_arecords")
                    except ConfigParser.NoSectionError:
                        for option in config_zone.options(zone + "_arecords"):
                            o.write(option + "." + zone + "." + " IN A " + config_zone.get(zone + "_arecords", option) + " \n")
                            print option + "." + zone + "." + "A" + config_zone.get(zone + "_arecords", option) + "."
                        if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write(hostname + "." + zone + "." + " IN A " + config.host(hostname).get_back_ip() + " \n")
                                print "INTERNAL" + hostname + config.host(hostname).get_back_ip()
                    else:
                        for option in config_zone.options("internal_" + zone + "_arecords"):
                            o.write(option + "." + zone + "." + " IN A " + config_zone.get("internal_" + zone + "_arecords", option) + " \n")
                            print option + "." + zone + "." + "A" + config_zone.get("internal_" + zone + "_arecords", option) + "."
                        '''
                        If domain is the same as local domain
                        Gett all ip from local servers and add them to records.
                        '''
                        if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write(hostname + "." + zone + "." + " IN A " + config.host(hostname).get_back_ip() + " \n")
                                print hostname + config.host(hostname).get_back_ip()

                    '''
                    Getting all Cnames from domain file
                    If there exist any names for internal network then they are used for inernal viem
                    Else external names are used.
                    Cnames are the added to file
                    '''
                    try:
                        config_zone.options("internal_" + zone + "_cname")
                    except ConfigParser.NoSectionError:
                        for option in config_zone.options(zone + "_cname"):
                            out = str(option) + " IN CNAME " + config_zone.get(zone + "_cname", option) + "\n"
                            out2 = out.replace('$DATA_CENTER$', data_center)
                            o.write(out2)
                            print out2
                    else:
                        for option in config_zone.options("internal_" + zone + "_cname"):
                            out = str(option) + " IN CNAME " + str(config_zone.get("internal_" + zone + "_cname", option)) + "\n"
                            out2 = out.replace('$DATA_CENTER$', data_center)
                            o.write(out2)
                            print out2
                else:
                    # External view: only the public A and CNAME sections.
                    for option in config_zone.options(zone + "_arecords"):
                        o.write(option + "." + zone + "." + " IN A " + config_zone.get(zone + "_arecords", option) + " \n")
                        print option + "." + zone + "." + "A" + config_zone.get(zone + "_arecords", option) + "."
                    for option in config_zone.options(zone + "_cname"):
                        out = str(option) + " IN CNAME " + str(config_zone.get(zone + "_cname", option)) + "\n"
                        out2 = out.replace('$DATA_CENTER$', data_center)
                        o.write(out2)
                        print out2
                o.close()

                '''
                Creating zone revers file for recursive getting if domain names.
                '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + rzone + ".zone", "w") #open for append
                for line in open(app.SYCO_PATH + "var/dns/recursiv-template.zone"):
                    # NOTE(review): [::-1] reverses the characters of the address,
                    # not its octets ("10.100.0.1" -> "1.0.001.01"); the reverse
                    # template presumably wants octet order -- confirm.
                    line = line.replace("$IPMASTER$", ipmaster[::-1])
                    line = line.replace("$IPSLAVE$", ipslave[::-1])
                    line = line.replace("$NAMEZONE$", zone)
                    line = line.replace("$RZONE$", rzone)
                    serial = p.findall(line)
                    if len(serial) > 0:
                        line = str(int(serial[0]) + 1) + " ; Serial\n"
                    o.write(line + "\n")
                o.close()

                '''
                Adding the new zreated zone files to named.com to be used
                '''
                o = open("/var/named/chroot/etc/named.conf", "a") #open for append
                for line in open(app.SYCO_PATH + "var/dns/" + role + "-zone.conf"):
                    line = line.replace("$IPMASTER$", ipmaster)
                    line = line.replace("$IPSLAVE$", ipslave)
                    line = line.replace("$NAMEZONE$", zone)
                    line = line.replace("$RZONE$", rzone)
                    line = line.replace("$LOCATION$", location)
                    o.write(line + "\n")
                o.close()

            '''
            Adding differin view to the config file
            '''
            # Close the view block opened at the top of this function.
            if location == "internal":
                o = open("/var/named/chroot/etc/named.conf", "a") #open for append
                o.write("}; \n")
                o.close()
            else:
                o = open("/var/named/chroot/etc/named.conf", "a") #open for append
                o.write("};\n")
                o.close()

        '''
        Getting namd.conf tamplate and generting new file with right config.
        '''
        ''' Setting upp named.conf with right settings '''
        # The role template is appended BEFORE the views are generated below.
        o = open("/var/named/chroot/etc/named.conf", "a") #open for append
        for line in open(app.SYCO_PATH + "var/dns/" + role + "-named.conf"):
            line = line.replace("$IPSLAVE$", ipslave)
            line = line.replace("$IPMASTER$", ipmaster)
            line = line.replace("$RANGE$", dnsrange)
            line = line.replace("$FORWARD1$", forward1)
            line = line.replace("$FORWARD2$", forward2)
            line = line.replace("$LOCALNET$", localnet)
            line = line.replace("$DOMAIN$", config.general.get_resolv_domain())
            o.write(line)
        o.close()

        ''' Chnagin order if ip to match recusrsive lookup '''
        '''
        Generating the zone files
        IMPORTAND that internal is first
        '''
        _generate_zone("internal")
        _generate_zone("external")

        ''' Adding serial number to template '''
        _add_serial("recursiv-template")
        _add_serial("template")

        ''' Restaring DNS server for action to be loaded '''
        general.shell_exec("/etc/init.d/named restart")
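def install_mail_client(args):
    '''
    Configure sendmail on this host to relay all mail through the syco
    mail-relay server.

    sendmail is installed and /etc/mail/sendmail.mc is rewritten so that
    SMART_HOST is the relay domain from the syco config and all outgoing
    addresses (including root's) are masqueraded as that domain; the config
    is then rebuilt and a test mail sent.  Guarded by the
    "Install-mail-relay-client" version marker.  args is unused.
    '''
    # The message used to say "mail-relay-server"; this is the client.
    app.print_verbose("Install mail-relay-client version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Local name renamed from "file", which shadowed the builtin.
    sendmail_mc = "/etc/mail/sendmail.mc"
    domain = config.general.get_mail_relay_domain_name()

    app.print_verbose("Configure /etc/mail/*")

    # Set the mail-relay server.
    set_config_property(sendmail_mc, ".*define\(\`SMART_HOST\'\, \`.*\'\)dnl", "define(`SMART_HOST', `" + domain + "')dnl")

    # FEATURE always_add_domain always masquerades email addresses, even if the
    # mail is sent from a user on the mail server to another user on the same
    # mail server.
    set_config_property2(sendmail_mc, "FEATURE(always_add_domain)dnl")

    # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
    # *my-site.com, and *another-site.com as my-site.com. In other words, mail
    # from sales.my-site.com would be masqueraded as my-site.com. If this wasn't
    # selected, then only servers named my-site.com and my-othersite.com would be
    # masqueraded. Use this with caution when you are sure you have the necessary
    # authority to do this.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_entire_domain)dnl")

    # FEATURE masquerade_envelope rewrites the email envelope just as
    # MASQUERADE_AS rewrote the header.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_envelope)dnl")

    # FEATURE allmasquerade makes sendmail rewrite both recipient addresses and
    # sender addresses relative to the local machine. If you cc: yourself on an
    # outgoing mail, the other recipient sees a cc: to an address he knows instead
    # of one on localhost.localdomain.
    # TODO: need to be before MAILER
    #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

    # The MASQUERADE_AS directive makes all mail originating on
    # client appear to come from a server within the domain
    # DOMAIN by rewriting the email header.
    set_config_property(sendmail_mc, ".*MASQUERADE_AS\(\`.*\'\)dnl.*", "MASQUERADE_AS(`" + domain + "')dnl")

    # The MASQUERADE_DOMAIN directive makes mail relayed via mail-relay server
    # from all machines in the localdomain domains appear to come from the
    # MASQUERADE_AS domain. Using DNS, sendmail checks the domain name associated
    # with the IP address of the mail relay client sending the mail to help it
    # determine whether it should do masquerading or not.
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost)dnl")
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost.localdomain)dnl")

    # By default, user "root" will not be masqueraded. Removing the EXPOSED_USER
    # will also masqueraded root.
    set_config_property(sendmail_mc, ".*EXPOSED_USER\(\`root\'\)dnl.*", "dnl EXPOSED_USER(`root')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()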
def install_ca(args):
    '''
    Apache installation

    Intended to create a local CA under /etc/ssl/ca and a server key/cert
    for www.webbserver.com under /etc/ssl/certs.

    NOTE(review): the unconditional `return` below disables this command;
    everything after it is unreachable (if the original source has
    `return app.print_verbose(...)` on one line, only that message is
    printed).  The dead body is documented as-is below.
    '''
    return
    app.print_verbose("Install CA version: %d" % script_version)
    # script_version (lower case) differs from SCRIPT_VERSION used elsewhere
    # in this file; it must be defined by the CA module.
    version_obj = version.Version("InstallCa", script_version)
    version_obj.check_executed()

    if os.path.exists('/etc/ssl/ca/private/ca.key'):
        app.print_verbose("CA is already installed")
    else:
        #making folders
        general.shell_exec("mkdir -p /etc/ssl/ca/private")
        general.shell_exec("mkdir -p /etc/ssl/certs")

        #creating certs
        os.chdir("/etc/ssl")
        # The CA key is written without a passphrase and with whatever mode
        # openssl defaults to; file permissions are not tightened here.
        general.shell_exec("openssl genrsa -out ca/private/ca.key 4096")
        general.shell_exec("openssl req -new -key ca/private/ca.key -out ca/ca.csr -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'")
        general.shell_exec("openssl x509 -req -days 365 -in ca/ca.csr -signkey ca/private/ca.key -out ca/ca.crt ")

        #creating server certs
        general.shell_exec("openssl genrsa -out certs/www.webbserver.com.key 2048")
        # No -subj here, so openssl req prompts interactively.
        general.shell_exec("openssl req -new -key certs/www.webbserver.com.key -out certs/www.webbserver.com.csr")
        # NOTE(review): "-signkey" produces a self-signed certificate (issuer =
        # subject), so this does not chain to ca.crt; issuing from the CA would
        # use "-CA ca/ca.crt -CAkey ca/private/ca.key -CAcreateserial" -- confirm.
        general.shell_exec("openssl x509 -req -days 365 -in certs/www.webbserver.com.csr -signkey ca/private/ca.key -out certs/www.webbserver.com.crt ")

    version_obj.mark_executed()
def install_ca(args):
    '''
    Apache installation

    Would set up a local CA (/etc/ssl/ca) and a www.webbserver.com server
    key and certificate (/etc/ssl/certs).

    NOTE(review): the `return` right after this docstring disables the
    command -- the rest of the body never runs (with
    `return app.print_verbose(...)` on one line in the original, the
    message is printed first).  Kept and documented as-is.
    '''
    return
    app.print_verbose("Install CA version: %d" % script_version)
    # Uses the lower-case script_version, not SCRIPT_VERSION as the other
    # commands in this file do; it has to be provided by the CA module.
    version_obj = version.Version("InstallCa", script_version)
    version_obj.check_executed()

    if os.path.exists('/etc/ssl/ca/private/ca.key'):
        app.print_verbose("CA is already installed")
    else:
        #making folders
        general.shell_exec("mkdir -p /etc/ssl/ca/private")
        general.shell_exec("mkdir -p /etc/ssl/certs")

        #creating certs
        os.chdir("/etc/ssl")
        # Unencrypted CA key; permissions are left at openssl's default.
        general.shell_exec("openssl genrsa -out ca/private/ca.key 4096")
        general.shell_exec(
            "openssl req -new -key ca/private/ca.key -out ca/ca.csr -subj '/O=syco/OU=System Console Project/CN=systemconsole.github.com'"
        )
        general.shell_exec(
            "openssl x509 -req -days 365 -in ca/ca.csr -signkey ca/private/ca.key -out ca/ca.crt "
        )

        #creating server certs
        general.shell_exec(
            "openssl genrsa -out certs/www.webbserver.com.key 2048")
        # Without -subj this openssl req prompts on the terminal.
        general.shell_exec(
            "openssl req -new -key certs/www.webbserver.com.key -out certs/www.webbserver.com.csr"
        )
        # NOTE(review): "-signkey" yields a self-signed cert, not one issued by
        # ca.crt; CA issuance would need "-CA ca/ca.crt -CAkey ca/private/ca.key
        # -CAcreateserial" -- confirm the intent.
        general.shell_exec(
            "openssl x509 -req -days 365 -in certs/www.webbserver.com.csr -signkey ca/private/ca.key -out certs/www.webbserver.com.crt "
        )

    version_obj.mark_executed()
def install_dns(args):
    '''
    Install and configure a chrooted BIND 9 server (CentOS only).

    Usage: ``syco install-dns master|slave``. The role comes from ``args[1]``
    and is validated against exactly those two values before it is used to
    choose template files, so the argument cannot be turned into an
    arbitrary path.

    Settings come from SYCO_PATH/var/dns/zone.cfg plus one record file per
    zone. Two views are appended to named.conf: an "internt" view limited to
    ``localnet`` that may carry back-net addresses of syco hosts, and an
    "external" view (``match-clients { any; }``) that only gets the plain
    ``<zone>_arecords`` / ``<zone>_cname`` sections.

    NOTE(review): named.conf is only ever opened for append here; running
    the command twice duplicates the views and zone stanzas instead of
    regenerating the file. _copy_rndc, _add_serial, scp_from and x are
    helpers defined elsewhere in the module (not shown here).
    '''
    if os.path.exists('/opt/syco/lock/dns'):
        ''' If dns server is locked from this script '''
        app.print_verbose("This server has an lock stopping you from installing the DNS server ")
    else:
        ''' Installinb server package needed for dns '''
        general.shell_exec("yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y")
        os.chdir("/tmp/")
        '''
        Getting argument from command line
        master = setting upp master server
        slave = setting upp slave server
        '''
        # Only "master" or "slave" is accepted; anything else exits. This
        # check is what keeps the role + "-zone.conf" / "-named.conf"
        # template lookups further down safe.
        if len(args) == 2:
            role = args[1]
            if (role != "master" and role !="slave"):
                sys.exit("use choose master ore slave server 'syco install-dns master'")
                #raise Exception("You can only enter master or slave, you entered " + args[1])
        else:
            sys.exit("use choose master ore slave server 'syco install-dns master'")
        role =str(args[1])
        '''
        Reading zone.cfg file conting
        In zone.cfg is all config options neede for setting upp DNS Server
        This file is readed and the the options are saved and used when generating new config files
        '''
        config_f = ConfigParser.SafeConfigParser()
        # One parser is reused for every zone's record file below; read()
        # accumulates sections, so earlier zones' sections stay loaded
        # (lookups are keyed by zone name, so this is mostly harmless).
        config_zone = ConfigParser.SafeConfigParser()
        config_f.read(app.SYCO_PATH + 'var/dns/zone.cfg')
        dnsrange = config_f.get('config', 'range')
        forward1 = config_f.get('config', 'forward1')
        forward2 = config_f.get('config', 'forward2')
        ipmaster = config_f.get('config', 'ipmaster')
        ipslave = config_f.get('config', 'ipslave')
        localnet = config_f.get('config', 'localnet')
        data_center = config_f.get('config', 'data_center')
        #Creating data dir
        x("mkdir /var/named/chroot/var/named/data")
        '''
        Depending if the server is an master then new rndc keys are genertaed if now old are done.
        If the server is slave the keys have to bee fetch from the master server.
        '''
        # rndc key: the shared secret that controls named. The master
        # generates it once; a slave fetches the master's copy over scp.
        if os.path.exists('/var/named/chroot/etc/rndc_new.key'):
            _copy_rndc()
        else:
            if role =="master":
                os.chdir("/tmp")
                # Written through a shell redirect, i.e. with the process
                # umask; nothing here restricts the key file's mode.
                os.system("/usr/sbin/rndc-confgen > /var/named/chroot/etc/rndc_new.key")
                # NOTE(review): cwd is /tmp and the file just written is
                # rndc_new.key, so this chown appears to target the wrong
                # path -- confirm what it is meant to adjust.
                general.shell_exec("chown root:named rndc.key")
                _copy_rndc()
            else:
                os.chdir("/var/named/chroot/etc")
                scp_from(ipmaster,"/var/named/chroot/etc/rndc_new.key","/var/named/chroot/etc/")

        def _generate_zone(location):
            '''
            Append one view ("internal" or "external") to named.conf and
            write the forward and reverse zone files for every zone in it.

            Closes over role, config_f, config_zone, ipmaster, ipslave,
            localnet and data_center from install_dns.
            '''
            # Matches the "<number> ; Serial" line of a zone template.
            p = re.compile('[\s]*([\d]*)[\s]*[;][\s]*Serial')
            if location == "internal":
                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                o.write("view 'internt' {\n")
                o.write("match-clients { " + localnet + "; };\n")
                o.close()
            else:
                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                o.write("view 'external' {\n")
                o.write("match-clients { any; };\n")
                o.close()
            '''
            Getting records from zone files and creating zone file for records
            '''
            for zone in config_f.options('zone'):
                rzone = config_f.get('zone',zone)
                config_zone.read(app.SYCO_PATH + 'var/dns/'+zone)
                print zone
                '''
                Crating zone file and setting right settings form zone.cfg file
                '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + zone + ".zone","w") #open for write
                # Zone header from the template; the serial found in the
                # template is written incremented by one. (The template file
                # handle is never closed explicitly.)
                for line in open(app.SYCO_PATH + "var/dns/template.zone"):
                    line = line.replace("$IPMASTER$",ipmaster)
                    line = line.replace("$IPSLAVE$",ipslave)
                    line = line.replace("$NAMEZONE$",zone)
                    serial = p.findall (line)
                    print line
                    if len(serial) > 0:
                        line = str(int(serial[0]) + 1) + " ; Serial\n"
                    o.write(line + "\n")
                #Wrinting out arecord to zone file
                if location == "internal":
                    '''
                    Getting internal network address if thy are any else go back to use external address
                    Generating A record from domain file and adding them to zone file.
                    '''
                    # Prefer the internal_<zone>_arecords section; fall back
                    # to the external records when that section is missing.
                    try:
                        config_zone.options("internal_" + zone + "_arecords")
                    except ConfigParser.NoSectionError:
                        for option in config_zone.options(zone + "_arecords"):
                            o.write (option + "." + zone + "."+ " IN A " + config_zone.get(zone + "_arecords",option) + " \n")
                            print option + "." + zone+"." + "A" + config_zone.get(zone + "_arecords",option)+"."
                        # Internal view only: every syco host gets an A record
                        # for its back-net IP when the zone is the resolv domain.
                        if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write (hostname + "." + zone + "." + " IN A " + config.host(hostname).get_back_ip() + " \n")
                                print "INTERNAL"+hostname + config.host(hostname).get_back_ip()
                    else:
                        for option in config_zone.options("internal_" + zone + "_arecords"):
                            o.write (option + "." + zone + "."+ " IN A " + config_zone.get("internal_" + zone + "_arecords",option) + " \n")
                            print option + "." + zone + "." + "A" + config_zone.get("internal_" + zone+"_arecords",option) + "."
                        '''
                        If domain is the same as local domain
                        Gett all ip from local servers and add them to records.
                        '''
                        if zone == config.general.get_resolv_domain():
                            servers = config.get_servers()
                            for hostname in servers:
                                o.write (hostname + "." + zone + "."+ " IN A " + config.host(hostname).get_back_ip() + " \n")
                                print hostname + config.host(hostname).get_back_ip()
                    '''
                    Getting all Cnames from domain file
                    If there exist any names for internal network then they are used for inernal viem
                    Else external names are used.
                    Cnames are the added to file
                    '''
                    try:
                        config_zone.options("internal_" + zone + "_cname")
                    except ConfigParser.NoSectionError:
                        for option in config_zone.options(zone + "_cname"):
                            out = str(option) + " IN CNAME " + config_zone.get(zone + "_cname",option) + "\n"
                            out2 =out.replace('$DATA_CENTER$',data_center)
                            o.write(out2)
                            print out2
                    else:
                        for option in config_zone.options("internal_" + zone + "_cname"):
                            out= str(option) + " IN CNAME "+ str(config_zone.get("internal_" + zone + "_cname",option)) + "\n"
                            out2 = out.replace('$DATA_CENTER$',data_center)
                            o.write(out2)
                            print out2
                else:
                    # External view: only the plain <zone>_arecords and
                    # <zone>_cname sections; no back-net addresses are emitted
                    # here. Keep it that way -- this view answers any client.
                    for option in config_zone.options(zone + "_arecords"):
                        o.write (option + "." + zone + "." + " IN A " + config_zone.get(zone + "_arecords",option) + " \n")
                        print option+"." + zone + "." + "A" + config_zone.get(zone + "_arecords",option) + "."
                    for option in config_zone.options(zone+"_cname"):
                        out= str(option) + " IN CNAME " + str(config_zone.get(zone + "_cname",option)) + "\n"
                        out2 = out.replace('$DATA_CENTER$',data_center)
                        o.write(out2)
                        print out2
                o.close()
                '''
                Creating zone revers file for recursive getting if domain names.
                '''
                o = open("/var/named/chroot/var/named/data/" + location + "." + rzone + ".zone","w") #open for append
                for line in open(app.SYCO_PATH + "var/dns/recursiv-template.zone"):
                    # NOTE(review): [::-1] reverses the address character by
                    # character ("10.0.0.12" -> "21.0.0.01"), not octet by
                    # octet -- confirm the reverse template really expects
                    # this form.
                    line = line.replace("$IPMASTER$",ipmaster[::-1])
                    line = line.replace("$IPSLAVE$",ipslave[::-1])
                    line = line.replace("$NAMEZONE$", zone)
                    line = line.replace("$RZONE$" ,rzone)
                    serial = p.findall (line)
                    if len(serial) > 0:
                        line = str(int(serial[0]) + 1) + " ; Serial\n"
                    o.write(line + "\n")
                o.close()
                '''
                Adding the new zreated zone files to named.com to be used
                '''
                # role is "master" or "slave" (validated above), so this only
                # ever resolves to master-zone.conf or slave-zone.conf.
                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                for line in open(app.SYCO_PATH + "var/dns/" + role + "-zone.conf"):
                    line = line.replace("$IPMASTER$",ipmaster)
                    line = line.replace("$IPSLAVE$",ipslave)
                    line = line.replace("$NAMEZONE$",zone)
                    line = line.replace("$RZONE$" ,rzone)
                    line = line.replace("$LOCATION$" ,location)
                    o.write(line + "\n")
                o.close()
            '''
            Adding differin view to the config file
            '''
            # Close the view block opened at the top of this function.
            if location == "internal":
                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                o.write("}; \n")
                o.close()
            else:
                o = open("/var/named/chroot/etc/named.conf","a") #open for append
                o.write("};\n")
                o.close()
        '''
        Getting namd.conf tamplate and generting new file with right config.
        '''
        '''
        Setting upp named.conf with right settings
        '''
        # Global named.conf body from the role-specific template (appended,
        # never truncated -- see the function docstring).
        o = open("/var/named/chroot/etc/named.conf","a") #open for append
        for line in open(app.SYCO_PATH + "var/dns/" + role + "-named.conf"):
            line = line.replace("$IPSLAVE$",ipslave)
            line = line.replace("$IPMASTER$",ipmaster)
            line = line.replace("$RANGE$",dnsrange)
            line = line.replace("$FORWARD1$",forward1)
            line = line.replace("$FORWARD2$",forward2)
            line = line.replace("$LOCALNET$",localnet)
            line = line.replace("$DOMAIN$",config.general.get_resolv_domain())
            o.write(line)
        o.close()
        '''
        Chnagin order if ip to match recusrsive lookup
        '''
        '''
        Generating the zone files
        IMPORTAND that internal is first
        '''
        _generate_zone("internal")
        _generate_zone("external")
        '''
        Adding serial number to template
        '''
        # Bump the serial stored in the templates so the next run generates
        # zones with a higher serial than this one.
        _add_serial("recursiv-template")
        _add_serial("template")
        '''
        Restaring DNS server for action to be loaded
        '''
        general.shell_exec("/etc/init.d/named restart")
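def install_mail_client(args):
    '''
    Configure sendmail on this host as a client of the syco mail relay.

    Outbound mail is handed to the relay named by
    config.general.get_mail_relay_domain_name() (SMART_HOST), and sender
    addresses -- root included, since EXPOSED_USER(root) is disabled -- are
    masqueraded as that domain. The run is recorded through version.Version
    so it executes once per SCRIPT_VERSION.

    NOTE(review): because every local sender is rewritten to @<domain>,
    this host can originate mail as any address in that domain; the relay
    it points at should only accept submissions from known client hosts.

    ``args`` is accepted for the syco command interface and not used.
    '''
    # Log message fixed: this is the client, not the server, installer.
    app.print_verbose("Install mail-relay-client version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-client", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Renamed from 'file' to stop shadowing the builtin.
    sendmail_mc = "/etc/mail/sendmail.mc"
    # Spliced into the m4 source unquoted: a value containing "'" or ")"
    # would break the define() and alter the generated sendmail.cf. It comes
    # from syco's own configuration, which is treated as trusted here.
    domain = config.general.get_mail_relay_domain_name()

    app.print_verbose("Configure /etc/mail/*")

    # Set the mail-relay server. The second argument is a regex (raw string
    # so the m4 quote/paren escapes reach the regex engine unchanged); it
    # matches the stock "dnl define(`SMART_HOST', `smtp.your.provider')dnl".
    set_config_property(
        sendmail_mc,
        r".*define\(\`SMART_HOST\'\, \`.*\'\)dnl",
        "define(`SMART_HOST', `" + domain + "')dnl")

    # FEATURE always_add_domain always masquerades email addresses, even if
    # the mail is sent from a user on the mail server to another user on the
    # same mail server.
    set_config_property2(sendmail_mc, "FEATURE(always_add_domain)dnl")

    # FEATURE masquerade_entire_domain makes sendmail masquerade servers named
    # *my-site.com, and *another-site.com as my-site.com. In other words, mail
    # from sales.my-site.com would be masqueraded as my-site.com. If this
    # wasn't selected, then only servers named my-site.com and
    # my-othersite.com would be masqueraded. Use this with caution when you
    # are sure you have the necessary authority to do this.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_entire_domain)dnl")

    # FEATURE masquerade_envelope rewrites the email envelope just as
    # MASQUERADE_AS rewrote the header.
    set_config_property2(sendmail_mc, "FEATURE(masquerade_envelope)dnl")

    # FEATURE allmasquerade makes sendmail rewrite both recipient addresses
    # and sender addresses relative to the local machine. If you cc: yourself
    # on an outgoing mail, the other recipient sees a cc: to an address he
    # knows instead of one on localhost.localdomain.
    # TODO: need to be before MAILER
    #set_config_property2(sendmail_mc, "FEATURE(allmasquerade)dnl")

    # The MASQUERADE_AS directive makes all mail originating on the client
    # appear to come from a server within the domain DOMAIN by rewriting the
    # email header.
    set_config_property(
        sendmail_mc,
        r".*MASQUERADE_AS\(\`.*\'\)dnl.*",
        "MASQUERADE_AS(`" + domain + "')dnl")

    # The MASQUERADE_DOMAIN directive makes mail relayed via the mail-relay
    # server from all machines in the localdomain domains appear to come from
    # the MASQUERADE_AS domain. Using DNS, sendmail checks the domain name
    # associated with the IP address of the mail relay client sending the
    # mail to help it determine whether it should do masquerading or not.
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost)dnl")
    set_config_property2(sendmail_mc, "MASQUERADE_DOMAIN(localhost.localdomain)dnl")

    # By default, user "root" will not be masqueraded. Commenting out the
    # EXPOSED_USER line masquerades root as well.
    set_config_property(
        sendmail_mc,
        r".*EXPOSED_USER\(\`root\'\)dnl.*",
        "dnl EXPOSED_USER(`root')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()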