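def _gen_and_copy_cert(args):
    """
    Generate rsyslog client certs if they don't exist or if cert regen was
    requested with "force-new-certs".

    The key pair is generated on the primary log server (so the CA key never
    has to leave it) and then pulled down into /etc/pki/rsyslog/ on this host.

    Args:
        args: syco command arguments; the literal "force-new-certs" forces
            regeneration even when all three cert files already exist.

    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # Files that must exist locally for this client to count as provisioned.
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn),
        "{0}{1}.key".format(crt_dir, fqdn),
        "{0}ca.crt".format(crt_dir),  # crt_dir already ends with "/"
    ]

    # Determine whether to generate and copy rsyslog certificates
    if 'force-new-certs' in args or not _all_files_exist(cert_files):
        # Generate the certs on the remote machine
        general.wait_for_server_root_login(srv)
        general.run_remote_command(srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(fqdn))

        # Retrieve the certs. The remote glob is anchored on the full FQDN plus
        # a dot, not the bare hostname: a prefix glob such as "web*" also
        # matches "web2.<domain>.key" belonging to another client, and with
        # remove_remote_files=True that host's key material would be deleted
        # from the server.
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/{0}.*".format(fqdn), crt_dir,
                                     verify_local=cert_files, remove_remote_files=True)

        # Restore SELinux labels on the new files, then make the private key
        # (and everything else in the directory) readable by root only.
        x("restorecon -r /etc/pki/rsyslog")
        x("chmod 600 /etc/pki/rsyslog/*")
        x("chown root:root /etc/pki/rsyslog/*")
    else:
        app.print_verbose("Found all certs and force-new-certs was not specified so not updating certificates")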
    def __init__(self):
        # Front/back IPs of this host as declared in the syco host config.
        server_front_ip = config.host(net.get_hostname()).get_front_ip()
        server_back_ip = config.host(net.get_hostname()).get_back_ip()

        # CIDR of the network each IP lives on, derived from the configured netmask.
        server_network_front = net.get_network_cidr(server_front_ip, config.general.get_front_netmask())

        # NOTE(review): none of these locals are stored on self or used further
        # in this excerpt -- either the listing is truncated here or the values
        # are dead; verify against the full class before relying on them.
        server_network_back = net.get_network_cidr(server_back_ip, config.general.get_back_netmask())
def install_mail_client(args):
    """
    Install a local postfix MTA that listens on localhost only and relays
    everything that is not for this machine to the configured mail relay.
    Also installs mailx and sends a test mail to the syco admin.

    Skipped entirely on hosts that will later run install-postfix-server.
    See line comments in install_mail_server.

    Args:
        args: syco command arguments (unused here).

    """
    this_host = config.host(net.get_hostname())
    if this_host.has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    # NOTE(review): check_executed() is called but no matching mark_executed()
    # follows (compare install_mysql_replication), so the version guard may
    # never trip on re-runs -- confirm whether that is intended.
    version.Version("Install-postfix-client", SCRIPT_VERSION).check_executed()

    install.package("postfix")

    domain = config.general.get_resolv_domain()
    my_fqdn = "{0}.{1}".format(get_hostname(), domain)
    relay = config.general.get_mail_relay_domain_name()

    # (old, new) pairs applied in this order to a pristine main.cf.
    main_cf_edits = [
        # Identity, e.g. monitor.syco.com / syco.com
        ("#myhostname = host.domain.tld", "myhostname = {0}".format(my_fqdn)),
        ("#mydomain = domain.tld", "mydomain = {0}".format(domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen only on localhost and trust only loopback as a submitter.
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost"),
        # Everything not for the local machine goes to the relay host; the []
        # around relayhost make postfix skip the MX lookup.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(domain)),
        ("#relayhost = $mydomain", "relayhost = [{0}]".format(relay)),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old, new in main_cf_edits:
        postfix_main_cf.replace(old, new)

    # Simple mail CLI-tool
    install_mailx()

    # Firewall/NRPE bookkeeping: this host now talks to the mail relay.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
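def send_test_mail(args):
  '''
  Sends a test-email either to admin email or argv email if present using mailx.

  The recipient comes straight from the command line, so it is shell-quoted
  before being spliced into the mail(1) pipeline that x() hands to a shell;
  shell metacharacters in the address then reach mail as a (bad) address
  instead of running extra commands.

  Args:
    args: syco command arguments; args[1], if present, is the recipient
      address, otherwise the configured admin email is used.

  '''
  try:
    from shlex import quote  # Python 3
  except ImportError:
    from pipes import quote  # Python 2

  app.print_verbose("Send testmail for " + get_hostname())

  try:
    email = args[1]
  except IndexError:
    email = config.general.get_admin_email()

  x('echo "" | mail -s "Test email from {0}" {1}'.format(get_hostname(), quote(email)))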
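def send_test_mail(args):
    '''
    Sends a test-email either to admin email or argv email if present using mailx.

    The recipient comes straight from the command line, so it is shell-quoted
    before being spliced into the mail(1) pipeline that x() hands to a shell;
    shell metacharacters in the address then reach mail as a (bad) address
    instead of running extra commands.

    Args:
        args: syco command arguments; args[1], if present, is the recipient
            address, otherwise the configured admin email is used.

    '''
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2

    app.print_verbose("Send testmail for " + get_hostname())

    try:
        email = args[1]
    except IndexError:
        email = config.general.get_admin_email()

    x('echo "" | mail -s "Test email from {0}" {1}'.format(
        get_hostname(), quote(email)))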
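def rsyslog_newcerts(args):
    """
    Generate a new self-signed CA for rsyslog TLS and install the server
    template and the generator script that clients use to obtain key pairs.

    NOTE: This needs to be executed once a year.

    Args:
        args: syco command arguments (unused here).

    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    fqdn = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, fqdn)

    # Making CA. The CA key is the root of trust for the whole rsyslog TLS
    # setup, so restrict it to root right after creation instead of relying
    # on certtool's umask.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("chmod 600 /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "+
      "--outfile /etc/pki/rsyslog/ca.crt " +
      "--template {0}".format(template_ca)
    )

    # Copy server template and cert/key generator script. The same FQDN is
    # substituted into both templates.
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(target_template))
    _replace_tags(target_template, fqdn)

    # New generator script used by clients directly
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(generator_script))
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))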
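def rsyslog_newcerts(args):
    """
    Generate new tls certs for rsyslog server and all clients defined in install.cfg.

    NOTE: This needs to be executed once a year.

    Args:
        args: syco command arguments (unused here).

    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    hostname = "{0}.{1}".format(net.get_hostname(),
                                config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA. The CA key is the root of trust for the whole rsyslog TLS
    # setup, so restrict it to root right after creation instead of relying
    # on certtool's umask.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("chmod 600 /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      + "--outfile /etc/pki/rsyslog/ca.crt " +
      "--template {0}".format(template_ca))

    #
    # Create rsyslog SERVER cert (one per server listed in install.cfg)
    #
    for server in get_servers():
        _create_cert(server)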
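def rsyslog_newcerts(args):
    """
    Generate a new self-signed CA for rsyslog TLS and install the server
    template and the generator script that clients use to obtain key pairs.

    NOTE: This needs to be executed once a year.

    Args:
        args: syco command arguments (unused here).

    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    fqdn = "{0}.{1}".format(net.get_hostname(),
                            config.general.get_resolv_domain())
    _replace_tags(template_ca, fqdn)

    # Making CA. The CA key is the root of trust for the whole rsyslog TLS
    # setup, so restrict it to root right after creation instead of relying
    # on certtool's umask.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("chmod 600 /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "
      + "--outfile /etc/pki/rsyslog/ca.crt " +
      "--template {0}".format(template_ca))

    # Copy server template and cert/key generator script. The same FQDN is
    # substituted into both templates.
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(
        target_template))
    _replace_tags(target_template, fqdn)

    # New generator script used by clients directly
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(
        generator_script))
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))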
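def rsyslog_newcerts(args):
    '''
    Generate new tls certs for rsyslog server and all clients defined in install.cfg.

    NOTE: This needs to be executed once a year.

    Args:
        args: syco command arguments (unused here).

    '''
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    hostname = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA. The CA key is the root of trust for the whole rsyslog TLS
    # setup, so restrict it to root right after creation instead of relying
    # on certtool's umask.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("chmod 600 /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "+
      "--outfile /etc/pki/rsyslog/ca.crt " +
      "--template {0}".format(template_ca)
    )

    #
    # Create rsyslog SERVER cert (one per server listed in install.cfg)
    #
    for server in get_servers():
        _create_cert(server)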
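def add_haproxy_chain():
    """
    (Re)create the iptables chain that admits haproxy's listening ports.

    Ports 80-84 and 443 are always opened; extra ports come from the host
    option ``haproxy.target-ports`` as a comma-separated list of ports or
    ``low:high`` ranges. Each entry is validated before being spliced into
    the iptables command line so a malformed option cannot smuggle extra
    rule arguments in. Does nothing when /etc/haproxy/haproxy.cfg is absent.

    Raises:
        ValueError: if a ``haproxy.target-ports`` entry is not a port or range.

    """
    import re

    del_haproxy_chain()

    if not os.path.exists('/etc/haproxy/haproxy.cfg'):
        return

    app.print_verbose("Add iptables chain for haproxy")

    # Create chains.
    iptables("-N haproxy_inout")
    iptables("-A syco_input -p tcp -j haproxy_inout")
    iptables("-A syco_output -p tcp -j haproxy_inout")

    iptables(
        "-A haproxy_inout -p tcp -m multiport --dports 80:84 -j allowed_tcp"
    )
    iptables(
        "-A haproxy_inout -p tcp -m multiport --dports 443 -j allowed_tcp"
    )

    # Only "NNN" or "NNN:MMM" -- the forms multiport --dports understands.
    port_spec = re.compile(r"^\d{1,5}(:\d{1,5})?$")
    custom_target_ports = config.host(net.get_hostname()).get_option("haproxy.target-ports", default_value="").\
        split(",")
    for port in custom_target_ports:
        port = port.strip()
        if not port:
            continue
        if not port_spec.match(port):
            raise ValueError("Invalid haproxy.target-ports entry: %r" % port)
        iptables("-A haproxy_inout -p tcp -m multiport --dports %s -j allowed_tcp" % port)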
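def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the listed
    plugins (and, on HP hosts/firewalls, hpasmcli/hpacucli) as root without
    a password, and raises the open-file limits in limits.conf.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable")
    x("yum install -y perl-suidperl")

    # Passwordless sudo is limited to these exact paths, so PLG_PATH must
    # point at a root-owned, non-writable plugin directory.
    x(
        """cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(
            PLG_PATH
        )
    )

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for check_iostat
    x("yum install -y sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        x("yum -y install hp-health hpacucli")

        # Let nrpe run hpasmcli and hpacucli. This append belongs inside the
        # HP branch; previously it was dedented and every host got sudo rules
        # for binaries it does not have.
        x(
            """cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/sbin/hpacucli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(
                PLG_PATH
            )
        )

    # Dependency for check_ulimit
    x("yum install -y lsof")

    # Set ulimit values to take affect after reboot. Guarded so re-running the
    # installer does not append another copy of the two lines each time.
    x("grep -qE '^\\*[[:space:]]+hard[[:space:]]+nofile' /etc/security/limits.conf || "
      "printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo only reads mode 0440 files from sudoers.d; then syntax-check the
    # file so a typo here cannot break sudo for every user on the box.
    x("chmod 0440 /etc/sudoers.d/nrpe")
    x("visudo -c -f /etc/sudoers.d/nrpe")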
def install_mysql_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    Runs the same statement sequence against both this host's front IP and
    the configured ``repl_peer``: stop the slave thread, delete the
    (redacted) user row, grant REPLICATION SLAVE to 'repl' from both peers
    with a freshly generated 20-character password, point each side at the
    other as master and start the slave thread.

    Args:
        args: syco command arguments (unused here).

    """
    app.print_verbose("Install mysql replication version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("install-mysql-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")

    # The peer must already accept connections on 3306 before we touch it.
    general.wait_for_server_to_start(repl_peer, "3306")

    repl_password=general.generate_password(20)

    # Both peers get identical grants and a mirrored CHANGE MASTER.
    # NOTE(review): the SQL is built by string concatenation. repl_peer and
    # the front IP come from the syco config and repl_password from
    # generate_password, so nothing here is user-controlled, but a quote in
    # any of those values would still break (or alter) the statement.
    for ip in [current_host_config.get_front_ip(), repl_peer]:
        mysql_exec("stop slave;", True, ip)
        # NOTE(review): the '******' literals below look like values redacted
        # from the published listing (user name / password), not real code --
        # confirm against the repository before trusting this excerpt.
        mysql_exec("delete from mysql.user where User = '******';", True, ip)
        mysql_exec("flush privileges;", True, ip)
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + repl_peer + "' IDENTIFIED BY '" + repl_password + "';", True, ip)
        mysql_exec("GRANT REPLICATION SLAVE ON *.* TO 'repl'@'" + current_host_config.get_front_ip() + "' IDENTIFIED BY '" + repl_password + "';", True, ip)

        # Each side replicates from the other.
        if ip==current_host_config.get_front_ip():
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + repl_peer + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        else:
            mysql_exec("CHANGE MASTER TO MASTER_HOST='" + current_host_config.get_front_ip() + "', MASTER_USER='******', MASTER_PASSWORD='******'", True, ip)
        mysql_exec("start slave;", True, ip)

    # Record this script version as done (presumably so check_executed()
    # short-circuits on a re-run).
    version_obj.mark_executed()
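def add_haproxy_chain():
    """
    (Re)create the iptables chain that admits haproxy's listening ports.

    Ports 80-84 and 443 are always opened; extra ports come from the host
    option ``haproxy.target-ports`` as a comma-separated list of ports or
    ``low:high`` ranges. Each entry is validated before being spliced into
    the iptables command line so a malformed option cannot smuggle extra
    rule arguments in. Does nothing when /etc/haproxy/haproxy.cfg is absent.

    Raises:
        ValueError: if a ``haproxy.target-ports`` entry is not a port or range.

    """
    import re

    del_haproxy_chain()

    if not os.path.exists('/etc/haproxy/haproxy.cfg'):
        return

    app.print_verbose("Add iptables chain for haproxy")

    # Create chains.
    iptables("-N haproxy_inout")
    iptables("-A syco_input -p tcp -j haproxy_inout")
    iptables("-A syco_output -p tcp -j haproxy_inout")

    iptables(
        "-A haproxy_inout -p tcp -m multiport --dports 80:84 -j allowed_tcp"
    )
    iptables(
        "-A haproxy_inout -p tcp -m multiport --dports 443 -j allowed_tcp"
    )

    # Only "NNN" or "NNN:MMM" -- the forms multiport --dports understands.
    port_spec = re.compile(r"^\d{1,5}(:\d{1,5})?$")
    custom_target_ports = config.host(net.get_hostname()).get_option("haproxy.target-ports", default_value="").\
        split(",")
    for port in custom_target_ports:
        port = port.strip()
        if not port:
            continue
        if not port_spec.match(port):
            raise ValueError("Invalid haproxy.target-ports entry: %r" % port)
        iptables("-A haproxy_inout -p tcp -m multiport --dports %s -j allowed_tcp" % port)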
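def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the listed
    plugins (and, on HP hosts/firewalls, hpasmcli/hpssacli) as root without
    a password, and raises the open-file limits in limits.conf.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Passwordless sudo is limited to these exact paths, so PLG_PATH must
    # point at a root-owned, non-writable plugin directory.
    # NOTE(review): the rabbitmqctl entry is unrestricted -- nrpe may run any
    # subcommand (add_user, change_password, ...) as root, not only the one
    # the check needs. Consider pinning the allowed arguments in that rule.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli (HP hosts only).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take affect after reboot. Guarded so re-running the
    # installer does not append another copy of the two lines each time.
    x("grep -qE '^\\*[[:space:]]+hard[[:space:]]+nofile' /etc/security/limits.conf || "
      "printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo only reads mode 0440 files from sudoers.d; then syntax-check the
    # file so a typo here cannot break sudo for every user on the box.
    x("chmod 0440 /etc/sudoers.d/nrpe")
    x("visudo -c -f /etc/sudoers.d/nrpe")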
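def send_test_mail(args, additional_emails_to_test=None):
    """
    Sends a test-email either to admin email or argv email if present using mailx.

    Every recipient is shell-quoted before being spliced into the mail(1)
    pipeline that x() hands to a shell, so shell metacharacters in an address
    reach mail as a (bad) address instead of running extra commands.

    Args:
        args: syco command arguments; args[1], if present, is the recipient
            address, otherwise the configured admin email is used.
        additional_emails_to_test: optional iterable of extra addresses that
            each get their own test mail (default: none).

    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2

    app.print_verbose("Send testmail for " + get_hostname())

    try:
        email = args[1]
    except IndexError:
        email = config.general.get_admin_email()

    x('echo "" | mail -s "Test email from {0}. Installation complete!" {1}'.format(get_hostname(), quote(email)))

    # The recipient used to carry a stray trailing "." ("{0}." in the old
    # format string), which produced an invalid address.
    for extra in (additional_emails_to_test or ()):
        app.print_verbose("Send additional test mail to: %s" % extra)
        x('echo "" | mail -s "Test email to {0}" {1}'.format(extra, quote(extra)))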
 def test_general(self):
     """Smoke-test the net helpers against the fixed values of the test host.

     The expected interface map, addresses and hostname are those of the
     machine these tests were written on ("fo-tp-dalitst"), so this test is
     environment-specific by construction.
     """
     lan_ip = "10.100.100.231"
     expected_interfaces = {'sit0': None, 'lo': '127.0.0.1', 'eth0': lan_ip}

     self.assertEqual(net.get_all_interfaces(), expected_interfaces)
     self.assertEqual(net.get_interface_ip("eth0"), lan_ip)
     self.assertEqual(net.get_lan_ip(), lan_ip)

     # Pure string helpers -- no environment dependency.
     self.assertEqual(net.reverse_ip("1.2.3.4"), "4.3.2.1")
     self.assertEqual(net.get_ip_class_c("1.2.3.4"), "1.2.3")

     self.assertEqual(net.num_of_eth_interfaces(), 1)
     self.assertEqual(net.get_hostname(), "fo-tp-dalitst")
def install_ntp_client(args):
    """
    Point this host at the configured NTP server.

    Skipped when the host is itself scheduled to run install-ntp-server.

    Args:
        args: syco command arguments (unused here).

    """
    host_cfg = config.host(net.get_hostname())
    will_be_ntp_server = host_cfg.has_command_re("install-ntp-server")
    if will_be_ntp_server:
        app.print_verbose(
            "This server will later install the ntp server, abort client installation."
        )
        return

    install_ntp(config.general.get_ntp_server_ip())
def install_ntp_client(args):
  """
  Point this host at the configured NTP server.

  Skipped when the host is itself scheduled to run install-ntp-server.

  Args:
    args: syco command arguments (unused here).

  """
  host_cfg = config.host(net.get_hostname())
  will_be_ntp_server = host_cfg.has_command_re("install-ntp-server")
  if will_be_ntp_server:
    app.print_verbose(
      "This server will later install the ntp server, abort client installation."
    )
    return

  install_ntp(config.general.get_ntp_server_ip())
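def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the listed
    plugins (and, on HP hosts/firewalls, hpasmcli/hpssacli) as root without
    a password, and raises the open-file limits in limits.conf.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Passwordless sudo is limited to these exact paths, so PLG_PATH must
    # point at a root-owned, non-writable plugin directory.
    # NOTE(review): the rabbitmqctl entry is unrestricted -- nrpe may run any
    # subcommand (add_user, change_password, ...) as root, not only the one
    # the check needs. Consider pinning the allowed arguments in that rule.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli (HP hosts only).
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values to take affect after reboot. Guarded so re-running the
    # installer does not append another copy of the two lines each time.
    x("grep -qE '^\\*[[:space:]]+hard[[:space:]]+nofile' /etc/security/limits.conf || "
      "printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo only reads mode 0440 files from sudoers.d; then syntax-check the
    # file so a typo here cannot break sudo for every user on the box.
    x("chmod 0440 /etc/sudoers.d/nrpe")
    x("visudo -c -f /etc/sudoers.d/nrpe")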
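def send_test_mail(args, additional_emails_to_test=None):
    """
    Sends a test-email either to admin email or argv email if present using mailx.

    Every recipient is shell-quoted before being spliced into the mail(1)
    pipeline that x() hands to a shell, so shell metacharacters in an address
    reach mail as a (bad) address instead of running extra commands.

    Args:
        args: syco command arguments; args[1], if present, is the recipient
            address, otherwise the configured admin email is used.
        additional_emails_to_test: optional iterable of extra addresses that
            each get their own test mail (default: none).

    """
    try:
        from shlex import quote  # Python 3
    except ImportError:
        from pipes import quote  # Python 2

    app.print_verbose("Send testmail for " + get_hostname())

    try:
        email = args[1]
    except IndexError:
        email = config.general.get_admin_email()

    x('echo "" | mail -s "Test email from {0}. Installation complete!" {1}'.format(get_hostname(), quote(email)))

    for extra in (additional_emails_to_test or ()):
        app.print_verbose("Send additional test mail to: %s" % extra)
        x('echo "" | mail -s "Test email from {0} to {1}" {2}'.format(get_hostname(),
                                                                   extra, quote(extra)))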
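def add_rsyslog_chain(context=None):
    """
    Rsyslog IPtables rules

    Rsyslog Server
    Servers in network -> IN -> tcp/udp -> 514 -> Rsyslog Server

    Rsyslog Client
    Rsyslog Server <- OUT <- tcp <- 514 <- Rsyslog Client

    Args:
        context: "server" or "client" to force a role; when None the role is
            taken from which install-rsyslogd* command this host runs.

    """
    del_rsyslog_chain()

    app.print_verbose("Add iptables chain for rsyslog")
    iptables("-N rsyslog_in")
    iptables("-N rsyslog_out")
    iptables("-A syco_input  -p all -j rsyslog_in")
    iptables("-A syco_output -p all -j rsyslog_out")

    syco_command_names = config.host(net.get_hostname()).get_syco_command_names()

    # On rsyslog server. (Compare with ==, not `is`: identity on string
    # literals only works by accident of interning and is a SyntaxWarning
    # on Python 3.8+.)
    if "install-rsyslogd" in syco_command_names or context == "server":
        back_subnet = config.general.get_back_subnet()
        front_subnet = config.general.get_front_subnet()
        for subnet in (back_subnet, front_subnet):
            iptables(
                " -A rsyslog_in -m state --state NEW -p tcp -s %s --dport 514 -j allowed_tcp" %
                subnet
            )
        # NOTE(review): UDP 514 is plain, unauthenticated syslog -- any host on
        # these subnets can inject or spoof log lines, unlike the TCP path
        # (which the rsyslog cert setup elsewhere is presumably for). Keep it
        # only if legacy UDP senders really exist.
        for subnet in (back_subnet, front_subnet):
            iptables(
                " -A rsyslog_in -m state --state NEW -p udp -s %s --dport 514 -j allowed_udp" %
                subnet
            )

    # On rsyslog client
    elif "install-rsyslogd-client" in syco_command_names or context == "client":
        for log_server in (config.general.get_log_server_hostname1(),
                           config.general.get_log_server_hostname2()):
            iptables(
                "-A rsyslog_out -m state --state NEW -p tcp -d %s --dport 514 -j allowed_tcp" %
                log_server
            )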
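def add_rsyslog_chain(context=None):
    """
    Rsyslog IPtables rules

    Rsyslog Server
    Servers in network -> IN -> tcp/udp -> 514 -> Rsyslog Server

    Rsyslog Client
    Rsyslog Server <- OUT <- tcp <- 514 <- Rsyslog Client

    Args:
        context: "server" or "client" to force a role; when None the role is
            taken from which install-rsyslogd* command this host runs.

    """
    del_rsyslog_chain()

    app.print_verbose("Add iptables chain for rsyslog")
    iptables("-N rsyslog_in")
    iptables("-N rsyslog_out")
    iptables("-A syco_input  -p all -j rsyslog_in")
    iptables("-A syco_output -p all -j rsyslog_out")

    syco_command_names = config.host(net.get_hostname()).get_syco_command_names()

    # On rsyslog server. (Compare with ==, not `is`: identity on string
    # literals only works by accident of interning and is a SyntaxWarning
    # on Python 3.8+.)
    if "install-rsyslogd" in syco_command_names or context == "server":
        back_subnet = config.general.get_back_subnet()
        front_subnet = config.general.get_front_subnet()
        for subnet in (back_subnet, front_subnet):
            iptables(
                " -A rsyslog_in -m state --state NEW -p tcp -s %s --dport 514 -j allowed_tcp" %
                subnet
            )
        # NOTE(review): UDP 514 is plain, unauthenticated syslog -- any host on
        # these subnets can inject or spoof log lines, unlike the TCP path
        # (which the rsyslog cert setup elsewhere is presumably for). Keep it
        # only if legacy UDP senders really exist.
        for subnet in (back_subnet, front_subnet):
            iptables(
                " -A rsyslog_in -m state --state NEW -p udp -s %s --dport 514 -j allowed_udp" %
                subnet
            )

    # On rsyslog client
    elif "install-rsyslogd-client" in syco_command_names or context == "client":
        for log_server in (config.general.get_log_server_hostname1(),
                           config.general.get_log_server_hostname2()):
            iptables(
                "-A rsyslog_out -m state --state NEW -p tcp -d %s --dport 514 -j allowed_tcp" %
                log_server
            )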
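    def __init__(self):
        """
        Collect this host's IPs/networks and the mailrelay alias config.

        Populates self.server_ips, self.server_networks (one CIDR per IP),
        self.virtual_alias_domains and self.virtual_aliases (a dict of
        "from" -> "to" parsed from mailrelay.virtual_aliases; entries are
        separated by ";" and each entry is two space-separated words).

        Exits the process (print_error + sys.exit(1)) when no front/back IP
        is configured or an alias entry is malformed.
        """
        netmasks = {}

        #Add localhost IP/netmask
        local_ip = "127.0.0.1"
        self.server_ips.append(local_ip)
        netmasks[local_ip] = "255.0.0.0"

        #Add IPs for front/back net if they exist.
        host_cfg = config.host(net.get_hostname())
        front_ip = host_cfg.get_front_ip()
        if front_ip:
            self.server_ips.append(front_ip)
            netmasks[front_ip] = config.general.get_front_netmask()
        back_ip = host_cfg.get_back_ip()
        if config.general.is_back_enabled() and back_ip:
            self.server_ips.append(back_ip)
            netmasks[back_ip] = config.general.get_back_netmask()

        # localhost alone is not enough -- at least one real interface is required.
        if len(self.server_ips) < 2:
            app.print_error(
                "Didn't find any valid IP addresses from front or back net. Exiting"
            )
            sys.exit(1)

        for ip in self.server_ips:
            self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

        self.virtual_alias_domains = config.general.get_option(
            "mailrelay.virtual_alias_domains", "")

        for alias_row in config.general.get_option("mailrelay.virtual_aliases",
                                                   "").split(";"):
            # Strip first: "a b; c d" otherwise splits " c d" into ("", "c d").
            alias_row = alias_row.strip()
            if len(alias_row) == 0:
                # Skip empty rows (e.g. a trailing ";") but keep parsing the
                # rest; a `break` here silently dropped every alias after the
                # first empty entry.
                continue
            split_row = alias_row.split(" ", 1)
            if len(split_row) != 2:
                app.print_error(
                    "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                    "separated by semicolon. Found \"%s\"" % alias_row)
                sys.exit(1)
            self.virtual_aliases[split_row[0]] = split_row[1]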
def _configure_squid():
    """
    Install the syco squid configuration from scratch and (re)start squid.

    Wipes /etc/squid, copies the *.conf files plus the acl/ and services/
    directories from SYCO_PLUGIN_PATH, then fills in ${ENV_IP} (back IP when
    the back net is enabled, otherwise front IP) and ${FRONT_IP} in squid.conf.

    NOTE(review): SYCO_PLUGIN_PATH is joined with an explicit "/" ("%s/acl")
    while SQUID_CONF_DIR is concatenated directly ("%sacl/",
    SQUID_CONF_DIR + "squid.conf"), so SQUID_CONF_DIR must end with "/".
    """
    x("rm -rf /etc/squid/*")

    # Plain config files first, then the two subdirectories.
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    for subdir in ("acl", "services"):
        x("mkdir -p %s/%s" % (SQUID_CONF_DIR, subdir))
    for subdir in ("acl", "services"):
        x("cp %s/%s/* %s%s/" % (SYCO_PLUGIN_PATH, subdir, SQUID_CONF_DIR, subdir))

    host_cfg = config.host(net.get_hostname())
    front_ip = host_cfg.get_front_ip()
    # Prefer the back net when it is enabled.
    env_ip = host_cfg.get_back_ip() if config.general.is_back_enabled() else front_ip

    squid_conf = SQUID_CONF_DIR + "squid.conf"
    scopen.scOpen(squid_conf).replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    scopen.scOpen(squid_conf).replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")
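def _gen_and_copy_cert(args):
    """
    Generate rsyslog client certs if they don't exist or if cert regen was
    requested with "force-new-certs".

    The key pair is generated on the primary log server (so the CA key never
    has to leave it) and then pulled down into /etc/pki/rsyslog/ on this host.

    Args:
        args: syco command arguments; the literal "force-new-certs" forces
            regeneration even when all three cert files already exist.

    """
    crt_dir = "/etc/pki/rsyslog/"
    x("mkdir -p {0}".format(crt_dir))

    fqdn = "{0}.{1}".format(net.get_hostname(),
                            config.general.get_resolv_domain())
    srv = config.general.get_log_server_hostname1()

    # Files that must exist locally for this client to count as provisioned.
    cert_files = [
        "{0}{1}.crt".format(crt_dir, fqdn), "{0}{1}.key".format(crt_dir, fqdn),
        "{0}ca.crt".format(crt_dir)  # crt_dir already ends with "/"
    ]

    # Determine whether to generate and copy rsyslog certificates
    if 'force-new-certs' in args or not _all_files_exist(cert_files):
        # Generate the certs on the remote machine
        general.wait_for_server_root_login(srv)
        general.run_remote_command(
            srv, "/etc/pki/rsyslog/syco-gen-rsyslog-client-keys.sh {0}".format(
                fqdn))

        # Retrieve the certs. The remote glob is anchored on the full FQDN plus
        # a dot, not the bare hostname: a prefix glob such as "web*" also
        # matches "web2.<domain>.key" belonging to another client, and with
        # remove_remote_files=True that host's key material would be deleted
        # from the server.
        general.retrieve_from_server(srv, "/etc/pki/rsyslog/ca.crt", crt_dir)
        general.retrieve_from_server(srv,
                                     "/etc/pki/rsyslog/{0}.*".format(fqdn),
                                     crt_dir,
                                     verify_local=cert_files,
                                     remove_remote_files=True)

        # Restore SELinux labels on the new files, then make the private key
        # (and everything else in the directory) readable by root only.
        x("restorecon -r /etc/pki/rsyslog")
        x("chmod 600 /etc/pki/rsyslog/*")
        x("chown root:root /etc/pki/rsyslog/*")
    else:
        app.print_verbose(
            "Found all certs and force-new-certs was not specified so not updating certificates"
        )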
def _configure_squid():
    """
    Install the syco squid configuration from scratch and (re)start squid.

    Wipes /etc/squid, copies the *.conf files plus the acl/ and services/
    directories from SYCO_PLUGIN_PATH, then fills in ${ENV_IP} (back IP when
    the back net is enabled, otherwise front IP) and ${FRONT_IP} in squid.conf.

    NOTE(review): SYCO_PLUGIN_PATH is joined with an explicit "/" ("%s/acl")
    while SQUID_CONF_DIR is concatenated directly ("%sacl/",
    SQUID_CONF_DIR + "squid.conf"), so SQUID_CONF_DIR must end with "/".
    """
    x("rm -rf /etc/squid/*")

    # Plain config files first, then the two subdirectories.
    x("cp %s/*.conf %s" % (SYCO_PLUGIN_PATH, SQUID_CONF_DIR))
    for subdir in ("acl", "services"):
        x("mkdir -p %s/%s" % (SQUID_CONF_DIR, subdir))
    for subdir in ("acl", "services"):
        x("cp %s/%s/* %s%s/" % (SYCO_PLUGIN_PATH, subdir, SQUID_CONF_DIR, subdir))

    host_cfg = config.host(net.get_hostname())
    front_ip = host_cfg.get_front_ip()
    # Prefer the back net when it is enabled.
    env_ip = host_cfg.get_back_ip() if config.general.is_back_enabled() else front_ip

    squid_conf = SQUID_CONF_DIR + "squid.conf"
    scopen.scOpen(squid_conf).replace("${ENV_IP}", env_ip)
    # Some setups require the front IP as well
    scopen.scOpen(squid_conf).replace("${FRONT_IP}", front_ip)

    _chkconfig("squid", "on")
    _service("squid", "restart")
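def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe so the nrpe user can run the listed
    plugins (and, on HP hosts/firewalls, hpasmcli/hpacucli) as root without
    a password, and raises the open-file limits in limits.conf.
    """
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable")
    x("yum install -y perl-suidperl")

    # Passwordless sudo is limited to these exact paths, so PLG_PATH must
    # point at a root-owned, non-writable plugin directory.
    x("""cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for check_iostat
    x("yum install -y sysstat")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        install.hp_repo()
        x("yum -y install hp-health hpacucli")

        # Let nrpe run hpasmcli and hpacucli. This append belongs inside the
        # HP branch; previously it was dedented and every host got sudo rules
        # for binaries it does not have.
        x("""cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/sbin/hpacucli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH))

    # Dependency for check_ulimit
    x("yum install -y lsof")

    # Set ulimit values to take affect after reboot. Guarded so re-running the
    # installer does not append another copy of the two lines each time.
    x("grep -qE '^\\*[[:space:]]+hard[[:space:]]+nofile' /etc/security/limits.conf || "
      "printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo only reads mode 0440 files from sudoers.d; then syntax-check the
    # file so a typo here cannot break sudo for every user on the box.
    x("chmod 0440 /etc/sudoers.d/nrpe")
    x("visudo -c -f /etc/sudoers.d/nrpe")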
def _replace_tags():
    '''
    Fill in the placeholder tags in /etc/rsyslog.conf.

    ${MASTER}, ${SLAVE} and ${DOMAIN} come from the general config;
    ${SERVERNAME} is this host's FQDN (hostname + resolv domain).
    Relies on module-level ``scOpen``, ``config`` and ``net``.
    '''
    domain = config.general.get_resolv_domain()
    replacements = [
        ('${MASTER}', config.general.get_log_server_hostname1()),
        ('${SLAVE}', config.general.get_log_server_hostname2()),
        ('${DOMAIN}', domain),
        ('${SERVERNAME}', "{0}.{1}".format(net.get_hostname(), domain)),
    ]

    conf = scOpen("/etc/rsyslog.conf")
    for tag, value in replacements:
        conf.replace(tag, value)
 def test_general(self):
     """Check the ``net`` helpers against the values of the fixture host."""
     expected_interfaces = {
         'sit0': None,
         'lo': '127.0.0.1',
         'eth0': '10.100.100.231',
     }
     self.assertEqual(net.get_all_interfaces(), expected_interfaces)

     lan_ip = "10.100.100.231"
     self.assertEqual(net.get_interface_ip("eth0"), lan_ip)
     self.assertEqual(net.get_lan_ip(), lan_ip)

     # Pure string helpers: no network access involved.
     self.assertEqual(net.reverse_ip("1.2.3.4"), "4.3.2.1")
     self.assertEqual(net.get_ip_class_c("1.2.3.4"), "1.2.3")

     self.assertEqual(net.num_of_eth_interfaces(), 1)
     self.assertEqual(net.get_hostname(), "fo-tp-dalitst")
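def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Steps: install dependencies, copy the syco plugin tree into ``PLG_PATH``,
    fill the LDAP/MySQL monitor credentials into
    ``/etc/nagios/nrpe.d/common.cfg``, set ${MAINDISK} by host type, hand
    ``/usr/lib64/nagios/plugins/`` to the ``nrpe`` user (mode 550), load the
    bundled SELinux policy modules and relabel individual plugins.

    Relies on module-level ``x``, ``scopen``, ``app``, ``config``, ``net``,
    ``constant``, ``PLG_PATH``, ``list_plugin_files`` and ``_fix_selinux``.
    """
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH,
                                                      PLG_PATH))

    # Set the sssd password
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # Raw strings: "\&" and "\/" are not Python escapes, so the old literals
    # produced the same bytes but raise invalid-escape warnings. The escaping
    # suggests replace() is sed-backed (TODO confirm); other sed-special
    # characters in the password are not escaped here.
    sql_password = app.get_mysql_monitor_password()
    nrpe_config.replace(
        "$(SQLPASS)",
        sql_password.replace("&", r"\&").replace("/", r"\/"))

    # Set name of main disk
    host_config = config.host(net.get_hostname())
    if host_config.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif host_config.is_firewall() or host_config.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Change ownership of plugins to nrpe (from icinga/nagios)
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl.
    # Corresponding .te-files summarize rule content
    x("mkdir -p /var/lib/syco_selinux_modules")
    for path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fix some SELinux rules on custom plugins: (context type, plugin glob),
    # applied in this order.
    selinux_fixes = [
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        # TODO?? Not applied yet (kept from the original as a reminder):
        #   pmp-check-mysql*, farpayment_stats.py, rentalfront_stats.py,
        #   checkMySQLProcesslist.sh
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    ]
    for context_type, plugin_glob in selinux_fixes:
        _fix_selinux(context_type, plugin_glob)

    # New in centos 6.7
    x("setsebool -P nagios_run_sudo 1")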
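    def __init__(self):
        """Collect this host's IPs/networks and the mail-relay alias config.

        Appends to ``self.server_ips`` and ``self.server_networks`` and fills
        ``self.virtual_aliases``; none of these are created here, so they must
        already exist on the instance or the class (NOTE(review): if they are
        class-level lists/dicts, every instance shares and mutates them --
        confirm against the class body).

        Exits the process with status 1 when no front/back IP was found or a
        ``mailrelay.virtual_aliases`` entry is not "<alias> <target>".
        """
        netmasks = {}

        # Add localhost IP/netmask
        local_ip = "127.0.0.1"
        self.server_ips.append(local_ip)
        netmasks[local_ip] = "255.0.0.0"

        # Add IPs for front/back net if they exist.
        host_config = config.host(net.get_hostname())
        front_ip = host_config.get_front_ip()
        if front_ip:
            self.server_ips.append(front_ip)
            netmasks[front_ip] = config.general.get_front_netmask()
        back_ip = host_config.get_back_ip()
        if config.general.is_back_enabled() and back_ip:
            self.server_ips.append(back_ip)
            netmasks[back_ip] = config.general.get_back_netmask()

        # localhost is always present, so fewer than two entries means no
        # real interface IP was found.
        if len(self.server_ips) < 2:
            app.print_error("Didn't find any valid IP addresses from front or back net. Exiting")
            sys.exit(1)

        for ip in self.server_ips:
            self.server_networks.append(net.get_network_cidr(ip, netmasks[ip]))

        self.virtual_alias_domains = config.general.get_option("mailrelay.virtual_alias_domains", "")

        for alias_row in config.general.get_option("mailrelay.virtual_aliases", "").split(";"):
            alias_row = alias_row.strip()
            if not alias_row:
                # Skip empty rows (e.g. a trailing ";"). This used to be a
                # ``break``, which silently dropped every entry after the
                # first empty one.
                continue
            split_row = alias_row.split(" ", 1)
            if len(split_row) != 2:
                app.print_error(
                    "Expected mailrelay.virtual_alias to be two words separated by space, several entries "
                    'separated by semicolon. Found "%s"' % alias_row
                )
                sys.exit(1)
            self.virtual_aliases[split_row[0]] = split_row[1]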
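def _install_nrpe_plugins():
    """Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Steps: install dependencies, copy the syco plugin tree and every
    ``/var/icinga/plugins/`` plugin path into ``PLG_PATH``, fill the
    LDAP/MySQL monitor credentials into ``/etc/nagios/nrpe.d/common.cfg``,
    set ${MAINDISK} by host type, hand ``/usr/lib64/nagios/plugins/`` to the
    ``nrpe`` user (mode 550), load the bundled SELinux policy modules and
    relabel individual plugins.

    Relies on module-level ``x``, ``scopen``, ``app``, ``config``, ``net``,
    ``constant``, ``PLG_PATH``, ``list_plugin_files`` and ``_fix_selinux``.
    """
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    for plugin_path in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(plugin_path, PLG_PATH))

    # Set the sssd password
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    # Raw strings: "\&" and "\/" are not Python escapes, so the old literals
    # produced the same bytes but raise invalid-escape warnings. The escaping
    # suggests replace() is sed-backed (TODO confirm); other sed-special
    # characters in the password are not escaped here.
    sql_password = app.get_mysql_monitor_password()
    nrpe_config.replace(
        "$(SQLPASS)",
        sql_password.replace("&", r"\&").replace("/", r"\/"))

    # Set name of main disk
    host_config = config.host(net.get_hostname())
    if host_config.is_guest():
        nrpe_config.replace("${MAINDISK}", "vda")
    elif host_config.is_firewall() or host_config.is_host():
        nrpe_config.replace("${MAINDISK}", "sda")

    # Change ownership of plugins to nrpe (from icinga/nagios)
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl.
    # Corresponding .te-files summarize rule content
    x("mkdir -p /var/lib/syco_selinux_modules")
    for path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Fix some SELinux rules on custom plugins: (context type, plugin glob),
    # applied in this order.
    selinux_fixes = [
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        # TODO?? Not applied yet (kept from the original as a reminder):
        #   pmp-check-mysql*, farpayment_stats.py, rentalfront_stats.py,
        #   checkMySQLProcesslist.sh
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    ]
    for context_type, plugin_glob in selinux_fixes:
        _fix_selinux(context_type, plugin_glob)

    # New in centos 6.7
    x("setsebool -P nagios_run_sudo 1")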
def _copy_cert():
    '''
    Fetch this host's TLS certs and the CA cert from the rsyslog server.

    Pulls ``/etc/pki/rsyslog/<hostname>*`` and ``ca.crt`` from log server 1
    via ``scp_from`` into the local ``/etc/pki/rsyslog``, restores the
    SELinux context and restricts every file there to root, mode 600.
    '''
    crt_dir = "/etc/pki/rsyslog"
    x("mkdir -p {0}".format(crt_dir))

    srv = config.general.get_log_server_hostname1()
    remote_paths = (
        "/etc/pki/rsyslog/{0}*".format(net.get_hostname()),
        "/etc/pki/rsyslog/ca.crt",
    )
    for remote_path in remote_paths:
        scp_from(srv, remote_path, crt_dir)

    # The glob covers the whole directory, not only the files fetched above.
    for cmd in ("restorecon -r /etc/pki/rsyslog",
                "chmod 600 /etc/pki/rsyslog/*",
                "chown root:root /etc/pki/rsyslog/*"):
        x(cmd)
def _copy_cert():
    '''
    Copy the TLS certs for this host from the rsyslog server.

    Two scp pulls from log server 1 (the host's own cert files and the CA
    cert) into ``/etc/pki/rsyslog``, followed by an SELinux relabel and a
    root-only (600) permission reset of the directory contents.
    '''
    crt_dir = "/etc/pki/rsyslog"
    x("mkdir -p {0}".format(crt_dir))

    log_server = config.general.get_log_server_hostname1()
    own_certs = "/etc/pki/rsyslog/{0}*".format(net.get_hostname())
    scp_from(log_server, own_certs, crt_dir)
    scp_from(log_server, "/etc/pki/rsyslog/ca.crt", crt_dir)

    x("restorecon -r /etc/pki/rsyslog")
    x("chmod 600 /etc/pki/rsyslog/*")
    x("chown root:root /etc/pki/rsyslog/*")
def _replace_tags():
    '''
    Replace all tags in /etc/rsyslog.conf with the configured values.

    ${MASTER}/${SLAVE} are the two log server hostnames, ${DOMAIN} the
    resolv domain and ${SERVERNAME} this host's FQDN.
    '''
    general_cfg = config.general
    domain = general_cfg.get_resolv_domain()
    fqdn = "{0}.{1}".format(net.get_hostname(), domain)

    rsyslog_conf = scOpen("/etc/rsyslog.conf")
    rsyslog_conf.replace('${MASTER}', general_cfg.get_log_server_hostname1())
    rsyslog_conf.replace('${SLAVE}', general_cfg.get_log_server_hostname2())
    rsyslog_conf.replace('${DOMAIN}', domain)
    rsyslog_conf.replace('${SERVERNAME}', fqdn)
def install_mail_client(args):
    """
    Installs a local postfix MTA which accepts email on localhost forwards
    relays everything to mailrelay-server. Also installs mailx.
    See line comments in install_mail_server

    Skipped (with a verbose message) on hosts that will run
    install-postfix-server themselves; otherwise guarded by
    version.Version("Install-postfix-client", SCRIPT_VERSION) so it runs
    once per version. ``args`` is unused.
    """
    host_config = config.host(net.get_hostname())
    if host_config.has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    domain = config.general.get_resolv_domain()
    # (old line, new line) pairs for main.cf, applied in this order. The old
    # lines are the stock commented-out defaults; NOTE(review):
    # general.use_original_file presumably restores a pristine main.cf so
    # they match -- confirm.
    main_cf_edits = [
        # e.g. monitor.syco.com / syco.com. get_hostname() is used unqualified
        # here (elsewhere net.get_hostname()); kept as in the original.
        ("#myhostname = host.domain.tld",
         "myhostname = {0}.{1}".format(get_hostname(), domain)),
        ("#mydomain = domain.tld", "mydomain = {0}".format(domain)),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen only on localhost (the first pair is a no-op kept from the original)
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Relay everything not for local machine to mailrelay.
        ("#relay_domains = $mydestination", "relay_domains = {0}".format(domain)),
        ("#relayhost = $mydomain",
         "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]

    # Set config file parameters
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old_line, new_line in main_cf_edits:
        postfix_main_cf.replace(old_line, new_line)

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
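def _install_nrpe_plugins_dependencies():
    '''
    Install libraries/binaries that the NRPE-plugins depend on.

    Also adds the sudo rules the plugins need to ``/etc/sudoers.d/nrpe``
    (via ``scopen.scOpen(...).add``), installs the HP health package on
    hosts/firewalls, and makes the sudoers file read-only (0440).

    Relies on module-level ``x``, ``scopen``, ``config``, ``net``,
    ``general``, ``PLG_PATH`` and the ``HP_HEALTH_*`` constants.
    '''
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav. The previous command had a stray
    # "sudo yum install" pasted into the package list, which made yum look
    # for packages named "sudo", "yum" and "install".
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable perl-suidperl")

    nrpe_sudoers_file = scopen.scOpen("/etc/sudoers.d/nrpe")
    nrpe_sudoers_file.add("Defaults:nrpe !requiretty")
    # One NOPASSWD rule per plugin, each an absolute path under PLG_PATH
    # (NOTE(review): assumes PLG_PATH ends with "/" -- confirm).
    for plugin in (
        "check_clamav",
        "check_clamscan",
        "check_disk",
        "get_services",
        "mysql/pmp-check-mysql-deleted-files",
        "mysql/pmp-check-mysql-file-privs",
    ):
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}{1}".format(PLG_PATH, plugin))

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():
        # The result was never used; the call is kept in case
        # get_install_dir() prepares the directory -- TODO confirm and drop.
        general.get_install_dir()

        # Download and install HP health monitoring package. The md5 check
        # catches a corrupt download; it only counters tampering to the extent
        # HP_HEALTH_URL is fetched over a trusted channel (NOTE(review):
        # confirm how download_file fetches).
        general.download_file(
            HP_HEALTH_URL, HP_HEALTH_FILENAME, md5=HP_HEALTH_MD5
        )
        x("yum install {0} -y".format(HP_HEALTH_FILENAME))

        # Remove their evil crontab
        x("rm -f /etc/cron.d/hp-health")

        # Let nrpe run hpasmcli
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:/sbin/hpasmcli")
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_hpasm".format(PLG_PATH))

        x("service hp-health start")

    # sudo refuses to read a sudoers file that is writable by anyone, so
    # make it read-only as the last step.
    x("chmod 0440 /etc/sudoers.d/nrpe")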
def add_mail_relay_chain():
    """Create the iptables chains for mail relaying (TCP 25).

    Recreates ``incoming_mail``/``outgoing_mail`` after removing any previous
    version, hooks them into ``syco_input``/``syco_output``, allows outbound
    SMTP from every host and inbound SMTP only when this host is the
    configured mail relay server.
    """
    del_mail_relay_chain()
    app.print_verbose("Add iptables chain for mail relay")

    for rule in (
        "-N incoming_mail",
        "-N outgoing_mail",
        "-A syco_input -p tcp -j incoming_mail",
        "-A syco_output -p tcp -j outgoing_mail",
    ):
        iptables(rule)

    # Allow mailrelay to receive email
    is_relay_server = config.general.get_mail_relay_server() == get_hostname()
    if is_relay_server:
        iptables("-A incoming_mail -m state --state NEW -p tcp --dport 25 -j allowed_tcp")

    # Allow all hosts to send mail on DMZ
    iptables("-A outgoing_mail -m state --state NEW -p tcp --dport 25 -j allowed_tcp")
def add_mail_relay_chain():
    """Set up the ``incoming_mail``/``outgoing_mail`` iptables chains.

    Both chains are (re)created and attached to ``syco_input`` /
    ``syco_output`` for TCP. Outbound port 25 is opened on every host;
    inbound port 25 only on the host named by
    ``config.general.get_mail_relay_server()``.
    """
    del_mail_relay_chain()

    app.print_verbose("Add iptables chain for mail relay")

    iptables("-N incoming_mail")
    iptables("-A syco_input -p tcp -j incoming_mail")
    iptables("-N outgoing_mail")
    iptables("-A syco_output -p tcp -j outgoing_mail")

    smtp_rule = "-m state --state NEW -p tcp --dport 25 -j allowed_tcp"

    # Allow mailrelay to receive email
    this_host_is_relay = get_hostname() == config.general.get_mail_relay_server()
    if this_host_is_relay:
        iptables("-A incoming_mail " + smtp_rule)

    # Allow all hosts to send mail on DMZ
    iptables("-A outgoing_mail " + smtp_rule)
def install_mariadb_replication(args):
    """
    Setup and start the database replication in master-master mode.

    This function should be executed on the secondary master, after the
    primary master has been configured.

    For both the local server (127.0.0.1) and the ``repl_peer`` host option:
    stop the slave, recreate the replication user with a freshly generated
    password, point CHANGE MASTER at the other side (the peer from here, our
    front IP from the peer) and start the slave. Guarded by
    version.Version("install-mariadb-replication", SCRIPT_VERSION).
    ``args`` is unused.

    NOTE(review): the '******' literals below look like values redacted by
    the source aggregator rather than real code -- confirm against the
    repository before relying on these statements.
    """
    app.print_verbose(
        "Install MariaDB replication version: %d" % SCRIPT_VERSION
    )
    version_obj = version.Version("install-mariadb-replication", SCRIPT_VERSION)
    version_obj.check_executed()

    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")
    general.wait_for_server_to_start(repl_peer, "3306")

    # The password is interpolated into SQL unquoted; this relies on
    # generate_password() never emitting quote/backslash characters
    # (NOTE(review): confirm its alphabet).
    repl_password = general.generate_password(20)
    front_ip = current_host_config.get_front_ip()
    for ip in ["127.0.0.1", repl_peer]:
        # Each side replicates from the other one.
        master_host = repl_peer if ip == "127.0.0.1" else front_ip

        mysql_exec("stop slave;", True, ip)
        mysql_exec("delete from mysql.user where User = '******'", True, ip)
        mysql_exec("flush privileges;", True, ip)

        grant_stmt = (
            "GRANT REPLICATION SLAVE ON *.* TO " +
            "'repl'@'%s' IDENTIFIED BY '%s'," % (repl_peer, repl_password) +
            "'repl'@'%s' IDENTIFIED BY '%s'" % (front_ip, repl_password)
        )
        mysql_exec(grant_stmt, True, ip)

        mysql_exec(
            "CHANGE MASTER TO MASTER_HOST='%s', " % master_host +
            "MASTER_USER='******', MASTER_PASSWORD='******'" % repl_password,
            True, ip
        )

        mysql_exec("start slave;", True, ip)

    version_obj.mark_executed()
def _setup_rsyslogd():
    """
    Setup rsyslogd config files.

    Copies the syco rsyslogd.conf template to /etc/rsyslog.conf (mode 640),
    fills in ${SERVERNAME} (this host's FQDN) and ${DOMAIN}, and creates the
    root-only (700) /var/log/rsyslog/ directory that receives client logs.
    """
    template = "/opt/syco/var/rsyslog/rsyslogd.conf"
    conf_path = "/etc/rsyslog.conf"
    x("cp -f {0} {1}".format(template, conf_path))
    x("chmod 640 {0}".format(conf_path))

    domain = config.general.get_resolv_domain()
    fqdn = "{0}.{1}".format(net.get_hostname(), domain)
    conf = scOpen(conf_path)
    conf.replace("${SERVERNAME}", fqdn)
    conf.replace("${DOMAIN}", domain)

    # Setup folder to store logs from clients.
    app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    app.print_verbose("  Will not create individual files.")
    log_dir = "/var/log/rsyslog/"
    for cmd in ("mkdir -p", "chown root:root", "chmod 700", "restorecon"):
        x("{0} {1}".format(cmd, log_dir))
def generate_report(app, fullpacket=False, pcapfile=''):
    '''
    Print report based on collected data

    Prints the contacted hosts (with the protocols seen, via get_protos_full
    when fullpacket is set, else get_protos) and the DNS queries recorded in
    net.targets / net.dnsreqs, then dumps the same data as JSON.

    app: application name, or a path ending in ".pcap" when a capture was
        analysed directly; the JSON then goes to "<app>.<json_output>",
        otherwise to net.json next to pcapfile.
    pcapfile: capture file whose mtime is reported as "testtime"; the ''
        default is not usable on its own (os.path.getmtime would fail).
    '''
    report = {
        'app': app,
        'testtime': os.path.getmtime(pcapfile),
        # This is an un-failable test
        'failedtest': False,
        'targets': net.targets,
        'dnsreqs': net.dnsreqs,
    }

    is_pcap = app.endswith('.pcap')
    app_or_pcap = 'pcap' if is_pcap else 'application'
    if is_pcap:
        jsonfile = '%s.%s' % (app, json_output)
    else:
        jsonfile = os.path.join(os.path.dirname(pcapfile), 'net.json')

    proto_lookup = get_protos_full if fullpacket else get_protos

    print('')
    print('Summary for %s: %s' % (app_or_pcap, color.bright(color.cyan(app))))
    print('')
    print(color.bright('Hosts contacted:'))
    # For each target (unsorted)
    for target in net.targets:
        protolist = ', '.join(proto_lookup(net.targets[target]))
        host = net.get_hostname(target)
        print('%s : %s : %s' % (color.bright('CONNECT'), host, protolist))
    print('')
    print(color.bright('DNS queries made:'))
    for dnsreq in net.dnsreqs:
        print('%s : %s' % (color.bright('LOOKUP'), dnsreq))

    with open(jsonfile, 'w') as fp:
        json.dump(report, fp)
def add_httpd_chain():
    """Create the iptables chains for httpd (80/443 in, 3306 out).

    No-op unless /etc/init.d/httpd exists. Outbound 3306 is opened to each
    non-empty entry of the comma-separated ``mysql_servers`` host option.
    """
    del_httpd_chain()

    if not os.path.exists('/etc/init.d/httpd'):
        return

    app.print_verbose("Add iptables chain for httpd")
    for rule in (
        "-N httpd_input",
        "-N httpd_output",
        "-A syco_input  -p ALL -j httpd_input",
        "-A syco_output  -p ALL -j httpd_output",
    ):
        iptables(rule)

    app.print_verbose("Setup httpd input rule.")
    iptables("-A httpd_input -p TCP -m multiport --dports 80,443 -j allowed_tcp")

    # We assume this is an application server that requires connection to the
    # syco mysql server. The values are spliced into the iptables command line
    # as-is, so they are trusted operator config, not user input.
    raw_servers = config.host(net.get_hostname()).get_option("mysql_servers", "")
    for mysql_server in filter(None, raw_servers.split(",")):
        iptables("-A httpd_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % mysql_server)
def _setup_rsyslogd():
    """
    Setup rsyslogd config files.

    Installs the syco rsyslogd.conf template as /etc/rsyslog.conf (mode 640),
    substitutes ${SERVERNAME} with this host's FQDN and ${DOMAIN} with the
    resolv domain, and prepares /var/log/rsyslog/ (root:root, 700, relabeled)
    for logs received from clients.
    """
    x("cp -f /opt/syco/var/rsyslog/rsyslogd.conf /etc/rsyslog.conf")
    x("chmod 640 /etc/rsyslog.conf")

    domain = config.general.get_resolv_domain()
    tag_values = {
        '${SERVERNAME}': '{0}.{1}'.format(net.get_hostname(), domain),
        '${DOMAIN}': domain,
    }
    rsyslog_conf = scOpen("/etc/rsyslog.conf")
    rsyslog_conf.replace('${SERVERNAME}', tag_values['${SERVERNAME}'])
    rsyslog_conf.replace('${DOMAIN}', tag_values['${DOMAIN}'])

    # Setup folder to store logs from clients.
    app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    app.print_verbose("  Will not create individual files.")
    x("mkdir -p /var/log/rsyslog/")
    x("chown root:root /var/log/rsyslog/")
    x("chmod 700 /var/log/rsyslog/")
    x("restorecon /var/log/rsyslog/")
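def add_httpd_chain():
    """Create the iptables chains for httpd (80/443 in, 3306 out).

    No-op unless /etc/init.d/httpd exists. Outbound 3306 is opened to each
    entry of the comma-separated ``mysql_servers`` host option.
    """
    del_httpd_chain()

    if not os.path.exists('/etc/init.d/httpd'):
        return

    app.print_verbose("Add iptables chain for httpd")
    iptables("-N httpd_input")
    iptables("-N httpd_output")
    iptables("-A syco_input  -p ALL -j httpd_input")
    iptables("-A syco_output  -p ALL -j httpd_output")

    app.print_verbose("Setup httpd input rule.")
    iptables("-A httpd_input -p TCP -m multiport --dports 80,443 -j allowed_tcp")

    # We assume this is an application server that requires connection to the
    # syco mysql server.
    mysql_servers = config.host(net.get_hostname()).get_option("mysql_servers", "").split(",")

    for mysql_server in mysql_servers:
        # "".split(",") yields [""], which previously produced a rule with an
        # empty "-d" and an iptables error; skip blank entries.
        if not mysql_server:
            continue
        iptables("-A httpd_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % mysql_server)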
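def add_mysql_chain():
    """Create the iptables chains for MySQL (TCP 3306).

    No-op unless /etc/init.d/mysqld exists. Allows inbound 3306, and
    outbound 3306 to this host's own front IP and to the replication peer
    (``repl_peer`` host option) when they are set.
    """
    del_mysql_chain()

    if not os.path.exists('/etc/init.d/mysqld'):
        return

    app.print_verbose("Add iptables chain for mysql")
    iptables("-N mysql_input")
    iptables("-N mysql_output")
    iptables("-A syco_input  -p ALL -j mysql_input")
    iptables("-A syco_output -p ALL -j mysql_output")

    iptables("-A mysql_input -p TCP -m multiport --dports 3306 -j allowed_tcp")

    # Required for replication.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")

    # Guard both destinations: if get_front_ip() returns None the old string
    # concatenation raised TypeError, and an empty value would have produced
    # a rule with a blank "-d".
    front_ip = current_host_config.get_front_ip()
    if front_ip:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % front_ip)
    if repl_peer:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % repl_peer)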
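def add_mysql_chain():
    """Create the iptables chains for MySQL/MariaDB (TCP 3306).

    No-op unless /etc/init.d/mysqld or /etc/init.d/mysql exists. Allows
    inbound 3306, and outbound 3306 to this host's own front IP and to the
    replication peer (``repl_peer`` host option, default 'None' meaning
    not configured).
    """
    del_mysql_chain()

    if not (exists('/etc/init.d/mysqld') or exists('/etc/init.d/mysql')):
        return

    app.print_verbose("Add iptables chain for mysql")
    iptables("-N mysql_input")
    iptables("-N mysql_output")
    iptables("-A syco_input  -p ALL -j mysql_input")
    iptables("-A syco_output -p ALL -j mysql_output")

    iptables("-A mysql_input -p TCP -m multiport --dports 3306 -j allowed_tcp")

    # Required for replication.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')

    ip = current_host_config.get_front_ip()
    if ip:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % ip)
    # Compare the lower-cased value against a lower-case literal: the old
    # check compared against 'None' (capital N), which .lower() can never
    # equal, so the peer rule was added even for the 'None' default.
    if repl_peer and repl_peer.lower() != 'none':
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % repl_peer)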
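def add_mysql_chain():
    """Create the iptables chains for MySQL (TCP 3306).

    No-op unless /etc/init.d/mysqld exists. Allows inbound 3306, and
    outbound 3306 to this host's own front IP and to the replication peer
    (``repl_peer`` host option) when they are set.
    """
    del_mysql_chain()

    if not os.path.exists('/etc/init.d/mysqld'):
        return

    app.print_verbose("Add iptables chain for mysql")
    iptables("-N mysql_input")
    iptables("-N mysql_output")
    iptables("-A syco_input  -p ALL -j mysql_input")
    iptables("-A syco_output -p ALL -j mysql_output")

    iptables("-A mysql_input -p TCP -m multiport --dports 3306 -j allowed_tcp")

    # Required for replication.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer")

    # Guard both destinations: if get_front_ip() returns None the old string
    # concatenation raised TypeError, and an empty value would have produced
    # a rule with a blank "-d".
    front_ip = current_host_config.get_front_ip()
    if front_ip:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % front_ip)
    if repl_peer:
        iptables("-A mysql_output -p TCP -m multiport -d %s --dports 3306 -j allowed_tcp" % repl_peer)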
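def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    With 4 or more eth interfaces, eth0/eth1 are bonded as bond0 behind
    bridge br0 on the back net and eth2/eth3 as bond1 behind br1 on the
    front net; with exactly 2, each bond gets a single interface. Any other
    count prints an error and raises ``Exception``. Guarded by
    version.Version("NetSetupBondBr", SCRIPT_VERSION) so it runs once per
    version; ``args`` is unused.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html

    """
    app.print_verbose("Install bonded bridges host version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # Every other message here goes through app.print_verbose; the original
    # used a bare print_verbose() for this one.
    app.print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to "
        "do that. Maybe because the ifcfg files referars to bond0 instead of "
        "bonding, or because it loads the module bonding at the same time as "
        "the alias is created."
    )
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    num_of_if = net.num_of_eth_interfaces()
    host_config = config.host(net.get_hostname())

    front_ip = host_config.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()

    back_ip = host_config.get_back_ip()
    back_netmask = config.general.get_back_netmask()
    back_gw = config.general.get_back_gateway_ip()
    back_resolver = config.general.get_back_resolver_ip()

    if num_of_if >= 4:
        # .format() was missing here, so the literal "{0}" was printed.
        app.print_verbose(
            "{0} network interfaces was found, and 2 eth interfaces per bond "
            "will be configured.".format(num_of_if)
        )
        # Setup back-net
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        setup_eth("eth0", "bond0")
        setup_eth("eth1", "bond0")

        # _setup front-net
        setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
        setup_bond("bond1", "br1")
        setup_eth("eth2", "bond1")
        setup_eth("eth3", "bond1")
    elif num_of_if == 2:
        app.print_verbose(
            "2 network interfaces was found, and 1 eth interfaces per bond "
            "will be configured. There is no point in bonding in this case, "
            "except that we have the same kind of configuration on all hosts. "
        )

        # Setup back-net
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        setup_eth("eth0", "bond0")

        # _setup front-net
        setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
        setup_bond("bond1", "br1")
        setup_eth("eth1", "bond1")
    else:
        # 3 interfaces (or fewer than 2) are not supported.
        app.print_error("To few network interfaces: " + str(num_of_if))
        raise Exception("To few network interfaces: " + str(num_of_if))

    app.print_verbose(
        "Restart the network service so all changes will be applied."
    )
    x("service network restart")

    version_obj.mark_executed()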
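def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    Interfaces come from the host options (``get_front_interfaces`` /
    ``get_back_interfaces``); when the front list is empty the available
    eth interfaces (autodetected if neither list is set) are split evenly,
    back net first, then front net. The front net always becomes bond1/br1;
    the back net becomes bond0/br0 only when ``is_back_enabled()``.
    Guarded by version.Version("NetSetupBondBr", SCRIPT_VERSION) so it runs
    once per version; ``args`` is unused.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html

    """
    app.print_verbose("Install bonded bridges host version: %d" %
                      SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # Every other message here goes through app.print_verbose; the original
    # used a bare print_verbose() for this one.
    app.print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to "
        "do that. Maybe because the ifcfg files referars to bond0 instead of "
        "bonding, or because it loads the module bonding at the same time as "
        "the alias is created.")
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    # Check if interfaces are defined, otherwise fall back to autodetecting
    host_config = config.host(net.get_hostname())
    front_interfaces = host_config.get_front_interfaces()
    back_interfaces = host_config.get_back_interfaces()

    num_of_if = len(front_interfaces) + len(back_interfaces)
    if num_of_if == 0:
        # Autodetect
        num_of_if = net.num_of_eth_interfaces()

    front_ip = host_config.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()
    net_count = 1

    if config.general.is_back_enabled():
        back_ip = host_config.get_back_ip()
        back_netmask = config.general.get_back_netmask()
        back_gw = config.general.get_back_gateway_ip()
        back_resolver = config.general.get_back_resolver_ip()
        net_count += 1

    eth_count = 0
    if len(front_interfaces) < 1:
        # Use default eth interfaces
        # Also, if you don't specify front net interfaces, you may not specify back net interfaces.
        # Integer division replaces int(math.floor(a / b)); identical for
        # these non-negative counts.
        if_per_net_count = num_of_if // net_count

        if net_count > 1:
            back_interfaces = []
            for i in range(if_per_net_count):
                back_interfaces.append("eth" + str(eth_count))
                eth_count += 1

        front_interfaces = []
        for i in range(if_per_net_count):
            front_interfaces.append("eth" + str(eth_count))
            eth_count += 1

    app.print_verbose(
        "Configuring front net bond bond1 with interfaces: {0}".format(
            front_interfaces))
    setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
    setup_bond("bond1", "br1")
    for front_interface in front_interfaces:
        setup_eth(front_interface, "bond1")

    if net_count == 2:
        app.print_verbose(
            "Found back-net configuration, configuring second bond bond0 with interfaces: {0}"
            .format(back_interfaces))
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        for back_interface in back_interfaces:
            setup_eth(back_interface, "bond0")

    app.print_verbose(
        "Restart the network service so all changes will be applied.")
    x("service network restart")
    # NOTE(review): this unconditionally replaces the resolver configuration
    # with a public DNS server, overriding the front_resolver handed to
    # setup_bridge above -- confirm that is intended.
    x("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf")

    version_obj.mark_executed()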
def _setup_network_interfaces():
    """
    Wire the KVM host's NICs into two bonds, each hanging off a bridge.

    Layout, chosen by the number of detected eth interfaces:
      * 4 or more: eth0+eth1 -> bond0 -> br0 (back-net),
                   eth2+eth3 -> bond1 -> br1 (front-net); further NICs are
                   left untouched.
      * exactly 2: eth0 -> bond0 -> br0 (back-net),
                   eth1 -> bond1 -> br1 (front-net).
      * anything else (1, 3, ...): print an error and call
        _abort_kvm_host_installation().

    Addresses, netmasks, gateways and resolvers are taken from the syco
    config. libvirt's default NAT network (virbr0) is removed first so
    guests use the bridges instead.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html

    """
    # Remove the virbr0 "NAT-interface" shipped with libvirt.
    # http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/chap-Virtualization-Network_Configuration.html
    for command in ("virsh net-destroy default",
                    "virsh net-undefine default",
                    "service libvirtd restart"):
        x(command)

    # brctl & co. are needed to build the bridges.
    install.package("bridge-utils")

    # Let modprobe load the bonding driver when bond0 is referenced.
    general.set_config_property2("/etc/modprobe.d/syco.conf",
                                 "alias bond0 bonding")

    nic_count = net.num_of_eth_interfaces()
    host_cfg = config.host(net.get_hostname())

    # Front-net (public side) addressing.
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()
    front_netmask = config.general.get_front_netmask()
    front_ip = host_cfg.get_front_ip()

    # Back-net (private side) addressing.
    back_gw = config.general.get_back_gateway_ip()
    back_resolver = config.general.get_back_resolver_ip()
    back_netmask = config.general.get_back_netmask()
    back_ip = host_cfg.get_back_ip()

    def wire(bridge, bond, ip, netmask, gw, resolver, eths):
        # Bridge first, then the bond enslaved to it, then every eth
        # enslaved to the bond -- same order the ifcfg files expect.
        _setup_bridge(bridge, ip, netmask, gw, resolver)
        _setup_bond(bond, bridge)
        for eth in eths:
            _setup_eth(eth, bond)

    if nic_count >= 4:
        back_eths, front_eths = ["eth0", "eth1"], ["eth2", "eth3"]
    elif nic_count == 2:
        back_eths, front_eths = ["eth0"], ["eth1"]
    else:
        # Note: a 3-NIC host is rejected rather than reduced to the 2-NIC layout.
        app.print_error("To few network interfaces: " + str(nic_count))
        _abort_kvm_host_installation()
        return

    wire("br0", "bond0", back_ip, back_netmask, back_gw, back_resolver, back_eths)
    wire("br1", "bond1", front_ip, front_netmask, front_gw, front_resolver, front_eths)
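def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    Usage: syco install-mysql [server-id] [innodb-buffer-pool-size]

    args: argv-style list; args[1] is the replication server-id and args[2]
          the innodb_buffer_pool_size. Both are substituted verbatim into
          /etc/my.cnf.

    Raises Exception on a wrong argument count, or when /usr/bin/mysqld_safe
    is still missing after the yum install.

    Side effects: installs packages, rewrites /etc/my.cnf and
    /etc/init.d/mysqld, opens the mysql iptables chain, starts mysqld and
    replaces every account in mysql.user with the monitor, backup and root
    accounts created below.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception("syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    def sql_str(value):
        # Escape a value for use inside a single-quoted SQL string literal by
        # doubling embedded quotes (standard SQL, no backslashes involved).
        # A generated password containing "'" would otherwise end the literal
        # early and break -- or silently alter -- the GRANT statement.
        return str(value).replace("'", "''")

    # Initialize all passwords used by the script
    app.init_mysql_passwords()
    root_pw = sql_str(app.get_mysql_root_password())
    monitor_pw = sql_str(app.get_mysql_monitor_password())
    backup_pw = sql_str(app.get_mysql_backup_password())

    # Install the mysql-server packages (skipped when mysqld_safe exists).
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")

        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: the client would otherwise record every
    # statement below, including the GRANT ... IDENTIFIED BY '<password>'.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow-query log, referenced from my.cnf via log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Plugins are not used; an empty, root-owned, mode-0 directory keeps
    # mysqld from loading any.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise data
    # can get lost when computer get power-failures. Beware that some drives or
    # disk controllers may be unable to disable the write-back cache.
    #
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # my.cnf is a template; fill in the two command-line parameters.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}", innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose("Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation: drop every default account and rebuild
    # only the ones syco needs.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())
    front_ip = sql_str(current_host_config.get_front_ip())

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* "
        "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % monitor_pw
    )

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* "
        "TO 'backup'@'127.0.0.1' IDENTIFIED BY '%s'" % backup_pw
    )

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # NOTE(review): besides the loopback accounts, root is granted from the
    # host's own front IP, i.e. a network-reachable root login; the mysql
    # iptables chain added above is what limits who can reach it -- confirm
    # that chain is restrictive enough for this host.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" % (root_pw, root_pw, front_ip, root_pw)
    )

    # The replication peer (if configured) gets a remote root account too.
    # The original statement lacked the space before WITH GRANT OPTION.
    repl_peer = current_host_config.get_option("repl_peer")
    if repl_peer:
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (sql_str(repl_peer), root_pw),
            with_user=True
        )

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()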
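def net_setup_bond_br(args):
    """
    Setup bonded network interfaces and bridges.

    This must work together with a virtual host using KVM.

    Front-net: br1 <- bond1 <- front interfaces. Back-net, only when
    config.general.is_back_enabled(): br0 <- bond0 <- back interfaces.
    Interfaces come from the host's syco config (get_front_interfaces /
    get_back_interfaces). When no front interfaces are listed, the detected
    ethN devices are split evenly between the networks, back-net taking the
    lowest-numbered ones, and any configured back interfaces are ignored.

    args: unused; present for the syco command-line dispatcher.

    Raises Exception when autodetection cannot give every network at least
    one interface: the bonds would otherwise be created without slaves and
    the network restart at the end would cut the host off.

    Read more.
    http://serverfault.com/questions/316623/what-is-the-correct-way-to-setup-a-bonded-bridge-on-centos-6-for-kvm-guests
    http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge
    http://www.cyberciti.biz/faq/rhel-linux-kvm-virtualization-bridged-networking-with-libvirt/
    http://www.linux-kvm.org/page/HOWTO_BONDING
    https://fedorahosted.org/cobbler/wiki/VirtNetworkingSetupForUseWithKoan
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Virtualization/sect-Virtualization-Network_Configuration-Bridged_networking_with_libvirt.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/s1-networkscripts-interfaces.html
    http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Using_Channel_Bonding.html

    """
    app.print_verbose("Install bonded bridges host version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("NetSetupBondBr", SCRIPT_VERSION)
    version_obj.check_executed()

    #
    app.print_verbose(
        "Install yum package with all tools that is required to setup bridges."
    )
    install.package("bridge-utils")

    # This was a bare print_verbose() call; nothing in this module defines
    # that name, every other call goes through app.
    app.print_verbose(
        "Setup modprobe alias for bonding, don't know exactly why we need to " +
        "do that. Maybe because the ifcfg files referars to bond0 instead of " +
        "bonding, or because it loads the module bonding at the same time as " +
        "the alias is created."
    )
    sycoConf = scOpen("/etc/modprobe.d/syco.conf")
    sycoConf.remove("alias bond.*")
    sycoConf.add("alias bond0 bonding")

    # Get all parameters from syco config.
    # Check if interfaces are defined, otherwise fall back to autodetecting
    host_cfg = config.host(net.get_hostname())
    front_interfaces = host_cfg.get_front_interfaces()
    back_interfaces = host_cfg.get_back_interfaces()

    num_of_if = len(front_interfaces) + len(back_interfaces)
    if num_of_if == 0:
        # Autodetect
        num_of_if = net.num_of_eth_interfaces()

    front_ip = host_cfg.get_front_ip()
    front_netmask = config.general.get_front_netmask()
    front_gw = config.general.get_front_gateway_ip()
    front_resolver = config.general.get_front_resolver_ip()
    net_count = 1

    if config.general.is_back_enabled():
        back_ip = host_cfg.get_back_ip()
        back_netmask = config.general.get_back_netmask()
        back_gw = config.general.get_back_gateway_ip()
        back_resolver = config.general.get_back_resolver_ip()
        net_count += 1

    if len(front_interfaces) < 1:
        # Use default eth interfaces, split evenly between the networks.
        # Also, if you don't specify front net interfaces, you may not specify back net interfaces.
        if_per_net_count = num_of_if // net_count
        if if_per_net_count < 1:
            # Without this guard the bonds below would get no slave at all.
            raise Exception(
                "Too few network interfaces (%d) for %d network(s)" %
                (num_of_if, net_count)
            )
        eth_names = ["eth" + str(i) for i in range(if_per_net_count * net_count)]
        if net_count > 1:
            back_interfaces = eth_names[:if_per_net_count]
            front_interfaces = eth_names[if_per_net_count:]
        else:
            front_interfaces = eth_names

    app.print_verbose("Configuring front net bond bond1 with interfaces: {0}".format(front_interfaces))
    setup_bridge("br1", front_ip, front_netmask, front_gw, front_resolver)
    setup_bond("bond1", "br1")
    for front_interface in front_interfaces:
        setup_eth(front_interface, "bond1")

    if net_count == 2:
        app.print_verbose("Found back-net configuration, configuring second bond bond0 with interfaces: {0}".format(back_interfaces))
        setup_bridge("br0", back_ip, back_netmask, back_gw, back_resolver)
        setup_bond("bond0", "br0")
        for back_interface in back_interfaces:
            setup_eth(back_interface, "bond0")

    #
    app.print_verbose(
        "Restart the network service so all changes will be applied."
    )
    x("service network restart")
    # NOTE(review): this clobbers /etc/resolv.conf right after the restart,
    # discarding the resolver taken from config (front_resolver/back_resolver
    # passed to setup_bridge above) and sending all DNS lookups from this host
    # to a third-party public resolver. Kept as-is to preserve behaviour;
    # TODO confirm this is intended rather than a leftover workaround.
    x("echo \"nameserver 8.8.8.8\" > /etc/resolv.conf")

    #
    version_obj.mark_executed()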
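def install_mariadb(args):
    """
    Install and configure the MariaDB-server on the local host.

    Usage: syco install-mariadb [server-id] [innodb-buffer-pool-size]

    args: argv-style list; args[1] is the replication server-id and args[2]
          the innodb_buffer_pool_size. Both are substituted verbatim into
          /etc/my.cnf.d/my.cnf.

    Raises Exception on a wrong argument count, or when /usr/bin/mysqld_safe
    is missing after the yum install.

    Side effects: adds the MariaDB yum repository, installs the server,
    rewrites /etc/my.cnf.d/my.cnf, opens the mysql iptables chain, starts
    the service and replaces every account in mysql.user with the monitor,
    backup and root accounts created below.
    """
    app.print_verbose("Install MariaDB version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMariaDB", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mariadb [server-id] [innodb-buffer-pool-size]"
        )

    # Collect command line parameters
    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    def sql_str(value):
        # Escape a value for use inside a single-quoted SQL string literal by
        # doubling embedded quotes (standard SQL, no backslashes involved).
        # A generated password containing "'" would otherwise end the literal
        # early and break -- or silently alter -- the GRANT statement.
        return str(value).replace("'", "''")

    # Initialize all passwords used by the script
    root_pw = sql_str(app.get_mysql_root_password())
    monitor_pw = sql_str(app.get_mysql_monitor_password())
    backup_pw = sql_str(app.get_mysql_backup_password())

    # Install yum packages.
    # NOTE(review): this pipes a script fetched over the network (through the
    # hard-coded proxy 10.101.10.17:3128) straight into a root shell with no
    # integrity check; whoever controls the proxy or the download controls
    # this host. TODO: fetch to a file, verify a pinned checksum or
    # signature, then execute it -- and move the proxy address into config.
    x(
        "curl -x 10.101.10.17:3128 -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | "
        "bash"
    )
    x("yum -y install MariaDB-server")
    x("/sbin/chkconfig mysql on")
    if not os.access("/usr/bin/mysqld_safe", os.F_OK):
        raise Exception("Couldn't install mariadb-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mariadb history logging: the client would otherwise record every
    # statement below, including the GRANT ... IDENTIFIED BY '<password>'.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow-query log, referenced from my.cnf via log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # my.cnf is a template; fill in the two command-line parameters.
    # It is root-owned and world-readable (the mysql user must be able to
    # read it), so it must not carry credentials.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mariadb/my.cnf", "/etc/my.cnf.d/")
    x("chown root:root /etc/my.cnf.d/my.cnf")
    x("chmod 644 /etc/my.cnf.d/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf.d/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}",
                            innodb_buffer_pool_size)
        print line,

    x("service mysql start")

    # Secure the mysql installation: drop every default account and rebuild
    # only the ones syco needs.
    # NOTE(review): on newer MariaDB releases mysql.user is a view over
    # mysql.global_priv and cannot be truncated -- confirm against the
    # version the repo script above installs.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec(
        "GRANT REPLICATION CLIENT ON *.* "
        "TO 'monitor'@'localhost' IDENTIFIED BY '%s'" % monitor_pw
    )
    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'localhost' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    mysql_exec(
        "GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* "
        "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % backup_pw
    )

    mysql_exec("DROP DATABASE test;")
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'localhost' IDENTIFIED BY '%s' "
        " WITH GRANT OPTION" % root_pw
    )

    # Setup Replication user: the peer (if any) gets a remote root account.
    current_host_config = config.host(net.get_hostname())
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    # Was `repl_peer.lower != 'none'`: comparing the bound method (not its
    # result) to a string is always true, so the 'None' default used to
    # create a spurious 'root'@'None' account.
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec(
            "GRANT ALL PRIVILEGES ON *.* TO "
            "'root'@'%s' IDENTIFIED BY '%s'"
            " WITH GRANT OPTION" % (sql_str(repl_peer), root_pw)
        )

    # Flush all data
    mysql_exec("RESET MASTER")
    mysql_exec("flush privileges")

    # Display current user setttings
    app.print_verbose("Display mysql.db")
    mysql_exec("SELECT host, user FROM mysql.db", with_user=True)
    app.print_verbose("Display mysql.user")
    mysql_exec("SELECT host, user FROM mysql.user", with_user=True)

    version_obj.mark_executed()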
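def install_mysql(args):
    """
    Install and configure the mysql-server on the local host.

    Usage: syco install-mysql [server-id] [innodb-buffer-pool-size]

    args: argv-style list; args[1] is the replication server-id and args[2]
          the innodb_buffer_pool_size. Both are substituted verbatim into
          /etc/my.cnf.

    Raises Exception on a wrong argument count, or when /usr/bin/mysqld_safe
    is still missing after the yum install.

    Side effects: installs packages, rewrites /etc/my.cnf and
    /etc/init.d/mysqld, opens the mysql iptables chain, starts mysqld and
    replaces every account in mysql.user with the monitor, backup and root
    accounts created below.
    """
    app.print_verbose("Install mysql version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallMysql", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 3:
        raise Exception(
            "syco install-mysql [server-id] [innodb-buffer-pool-size]")

    server_id = args[1]
    innodb_buffer_pool_size = args[2]

    def sql_str(value):
        # Escape a value for use inside a single-quoted SQL string literal by
        # doubling embedded quotes (standard SQL, no backslashes involved).
        # A generated password containing "'" would otherwise end the literal
        # early and break -- or silently alter -- the GRANT statement.
        return str(value).replace("'", "''")

    # Initialize all passwords used by the script
    app.init_mysql_passwords()
    root_pw = sql_str(app.get_mysql_root_password())
    monitor_pw = sql_str(app.get_mysql_monitor_password())
    backup_pw = sql_str(app.get_mysql_backup_password())

    # Install the mysql-server packages (skipped when mysqld_safe exists).
    if not os.access("/usr/bin/mysqld_safe", os.W_OK | os.X_OK):
        x("yum -y install mysql-server hdparm")

        x("/sbin/chkconfig mysqld on ")
        if not os.access("/usr/bin/mysqld_safe", os.F_OK):
            raise Exception("Couldn't install mysql-server")

    # Configure iptables
    iptables.add_mysql_chain()
    iptables.save()

    # Disable mysql history logging: the client would otherwise record every
    # statement below, including the GRANT ... IDENTIFIED BY '<password>'.
    if os.access("/root/.mysql_history", os.F_OK):
        x("rm /root/.mysql_history")
    x("ln -s /dev/null /root/.mysql_history")

    # Slow-query log, referenced from my.cnf via log-slow-queries=
    x("touch /var/log/mysqld-slow.log")
    x("chown mysql:mysql /var/log/mysqld-slow.log")
    x("chmod 0640 /var/log/mysqld-slow.log")
    x("chcon system_u:object_r:mysqld_log_t:s0 /var/log/mysqld-slow.log")

    # Plugins are not used; an empty, root-owned, mode-0 directory keeps
    # mysqld from loading any.
    if not os.access("/usr/share/mysql/plugins", os.W_OK | os.X_OK):
        os.mkdir("/usr/share/mysql/plugins")
        os.chmod("/usr/share/mysql/plugins", 0)
        os.chown("/usr/share/mysql/plugins", 0, 0)

    # Under Linux, it is advisable to disable the write-back cache. Otherwise data
    # can get lost when computer get power-failures. Beware that some drives or
    # disk controllers may be unable to disable the write-back cache.
    #
    app.print_verbose("TODO: Might need to be done from bios?")
    x("hdparm -W0 /dev/mapper/VolGroup00-var")

    # my.cnf is a template; fill in the two command-line parameters.
    app.print_verbose("Install /etc/my.cnf")
    shutil.copy(app.SYCO_PATH + "var/mysql/my.cnf", "/etc/my.cnf")
    x("chown mysql:mysql /etc/my.cnf")
    x("chmod 600 /etc/my.cnf")
    for line in fileinput.FileInput("/etc/my.cnf", inplace=1):
        line = line.replace("${server-id}", server_id)
        line = line.replace("${innodb_buffer_pool_size}",
                            innodb_buffer_pool_size)
        print line,

    # When the innodb files are configured to be large, it takes some time to
    # generate the files.
    app.print_verbose(
        "Increaste timeout for /etc/init.d/mysqld to 120 seconds.")
    for line in fileinput.FileInput("/etc/init.d/mysqld", inplace=1):
        line = line.replace("STARTTIMEOUT=30", "STARTTIMEOUT=120")
        print line,

    x("service mysqld start")

    # Secure the mysql installation: drop every default account and rebuild
    # only the ones syco needs.
    mysql_exec("truncate mysql.db")
    mysql_exec("truncate mysql.user")

    current_host_config = config.host(net.get_hostname())
    front_ip = sql_str(current_host_config.get_front_ip())

    # Used by monitor services (icingas nrpe plugin etc.)
    mysql_exec("GRANT REPLICATION CLIENT ON *.* "
               "TO 'monitor'@'127.0.0.1' IDENTIFIED BY '%s'" % monitor_pw)
    # Required by nrpe plugins
    mysql_exec("GRANT SHOW DATABASES ON *.* TO 'monitor'@'127.0.0.1' ")

    # Used by backup scripts to flush master and check slave status etc. when
    # doing an lvm backup.
    # NOTE(review): monitor is bound to 127.0.0.1 but backup to localhost;
    # in MySQL these are distinct hosts (TCP vs. socket) -- confirm the backup
    # scripts connect the way this account allows.
    mysql_exec("GRANT RELOAD,SUPER,REPLICATION CLIENT ON *.* "
               "TO 'backup'@'localhost' IDENTIFIED BY '%s'" % backup_pw)

    mysql_exec("DROP DATABASE test;")
    mysql_exec("SELECT host,user FROM mysql.db;")
    mysql_exec("SELECT host,user FROM mysql.user;")

    # NOTE(review): besides the loopback accounts, root is granted from the
    # host's own front IP, i.e. a network-reachable root login; the mysql
    # iptables chain added above is what limits who can reach it -- confirm
    # that chain is restrictive enough for this host.
    mysql_exec(
        "GRANT ALL PRIVILEGES ON *.* TO "
        "'root'@'127.0.0.1' IDENTIFIED BY '%s', "
        "'root'@'localhost' IDENTIFIED BY '%s', "
        "'root'@'%s' IDENTIFIED BY '%s'"
        " WITH GRANT OPTION" % (root_pw, root_pw, front_ip, root_pw))

    mysql_exec("flush privileges;")

    # The replication peer (if configured) gets a remote root account too.
    # Was `repl_peer.lower != 'None'`: comparing the bound method (not its
    # result) to a string is always true, so the 'None' default used to
    # create a spurious 'root'@'None' account.
    repl_peer = current_host_config.get_option("repl_peer", 'None')
    if repl_peer and repl_peer.lower() != 'none':
        mysql_exec("GRANT ALL PRIVILEGES ON *.* TO "
                   "'root'@'%s' IDENTIFIED BY '%s'"
                   " WITH GRANT OPTION" % (sql_str(repl_peer), root_pw),
                   with_user=True)

    mysql_exec("RESET MASTER;", with_user=True)
    mysql_exec("FLUSH PRIVILEGES;", with_user=True)

    version_obj.mark_executed()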