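def setup_clam_and_freshclam():
    """Write the syco clamd and freshclam settings into their config files.

    Each (pattern, line) pair is applied in order with ``scOpen.replace``
    against /usr/local/etc/clamd.conf and /usr/local/etc/freshclam.conf.

    Two things are deliberate here:

    * The patterns are raw strings. ``\?`` is not a Python escape sequence,
      so a plain ``"\?"`` literal yields the same bytes but triggers an
      invalid-escape warning (an error in future interpreters).
    * The ``LogFile`` pattern requires a space after the keyword. The old
      ``^[#]\?LogFile.*`` also matched ``LogFileMaxSize`` (and
      ``LogFileUnlock``), so the ``LogFileMaxSize 100M`` line written just
      before it was overwritten with the ``LogFile`` value.

    Returns:
        None. Side effects only: both config files are edited in place.
    """
    app.print_verbose("Setup clamav and freshclam")

    app.print_verbose("  Setup config files.")
    clamd_settings = (
        (r"^[#]\?Example.*", "#Example"),
        (r"^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M"),
        # Trailing space: do not match LogFileMaxSize / LogFileUnlock.
        (r"^[#]\?LogFile .*", "LogFile /var/log/clamav/clamd.log"),
        (r"^[#]\?LogTime.*", "LogTime yes"),
        (r"^[#]\?LogSyslog.*", "LogSyslog yes"),
        # Bind the TCP listener to loopback only; the scanner is meant for
        # local clients, not the network.
        (r"^[#]\?TCPSocket.*", "TCPSocket 3310"),
        (r"^[#]\?TCPAddr.*", "TCPAddr 127.0.0.1"),
        (r"^[#]\?ExcludePath.*/proc.*", "ExcludePath ^/proc"),
        (r"^[#]\?ExcludePath.*/sys.*", "ExcludePath ^/sys"),
        # Drop privileges to a dedicated account.
        (r"^[#]\?User.*", "User clamav"),
        (r"^[#]\?LocalSocket.*", "LocalSocket /var/run/clamav/clamd.socket"),
        (r"^[#]\?PidFile.*", "PidFile /var/run/clamav/clamd.pid"),
    )
    clamd = scOpen("/usr/local/etc/clamd.conf")
    for pattern, line in clamd_settings:
        clamd.replace(pattern, line)

    freshclam_settings = (
        (r"^[#]\?Example.*", "#Example"),
        (r"^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M"),
        (r"^[#]\?LogTime.*", "LogTime yes"),
        (r"^[#]\?LogSyslog.*", "LogSyslog yes"),
        (r"^[#]\?DatabaseOwner.*", "DatabaseOwner clamav"),
        (r"^[#]\?PidFile.*", "PidFile /var/run/clamav/freshclam.pid"),
        (r"^[#]\?DatabaseMirror.*", "DatabaseMirror database.clamav.net"),
        (r"^[#]\?UpdateLogFile.*", "UpdateLogFile /var/log/clamav/freshclam.log"),
    )
    freshclam = scOpen("/usr/local/etc/freshclam.conf")
    for pattern, line in freshclam_settings:
        freshclam.replace(pattern, line)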
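def install_packages():
    '''
    Install packages and start service.

    Installs the OpenLDAP server and client packages, seeds the backend
    tuning in /var/lib/ldap/DB_CONFIG, writes the cn=config root password
    (as a hash) and starts slapd, enabled at boot.

    Returns:
        None. Side effects only.
    '''
    setup_hosts()

    # Install all required packages.
    x("yum -y install openldap-servers openldap-clients mlocate")

    # Create backend database.
    scOpen("/var/lib/ldap/DB_CONFIG").add("\n".join([
        "set_cachesize 0 268435456 1",
        "set_lg_regionmax 262144",
        "set_lg_bsize 2097152",
    ]))
    x("chown -R ldap:ldap /var/lib/ldap")

    # Set password for cn=config (it's secret). Only the hash produced by
    # get_hashed_password() is written, never the clear-text value.
    # Raw string: "\=" and "\{" are not Python escape sequences; the raw
    # prefix keeps the same bytes without the invalid-escape warning.
    config_ldif = r'/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif'
    scOpen(config_ldif).add(
        'olcRootPW: %(ldap_password)s' %
        {'ldap_password': get_hashed_password(app.get_ldap_admin_password())}
    )

    # Autostart slapd after reboot.
    x("chkconfig slapd on")

    # Start ldap server
    x("service slapd start")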
def disable_usb():
    """Blacklist the usb-storage kernel module via /etc/modprobe.d/syco.conf.

    Currently a no-op: the guard below returns before anything is touched.
    TODO Currently need usb dvd reader for installation.
    """
    usb_blacklist_enabled = False
    if not usb_blacklist_enabled:
        return

    app.print_verbose("Disable usb")
    modprobe = scOpen("/etc/modprobe.d/syco.conf")
    modprobe.replace_add("^blacklist usb-storage$", "blacklist usb-storage")
def customize_shell():
    """Apply the syco shell defaults and let SSH agent forwarding survive sudo.

    Side effects: edits /etc/bashrc, /root/.bash_profile and
    /etc/skel/.bash_profile in place; replaces /etc/sudoers only after
    ``visudo -c`` has accepted the candidate file.
    """
    app.print_verbose("Customize shell")

    app.print_verbose("  Add Date And Time To History Output")
    scOpen("/etc/bashrc").replace_add(
        "^export HISTTIMEFORMAT=.*$",
        'export HISTTIMEFORMAT="%h/%d - %H:%M:%S "',
    )

    app.print_verbose("  Add Color To Grep")
    grep_settings = (
        ("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'"),
        ("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto"),
    )
    for profile_path in ("/root/.bash_profile", "/etc/skel/.bash_profile"):
        profile = scOpen(profile_path)
        for pattern, line in grep_settings:
            profile.replace_add(pattern, line)

    app.print_verbose("  Enable SSH key forwarding to work with sudo su")
    env_keep_line = 'Defaults    env_keep += "SSH_AUTH_SOCK"'
    candidate = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + candidate)
    sudoers = scOpen(candidate)
    # remove() then add() leaves exactly one copy of the directive.
    sudoers.remove(env_keep_line)
    sudoers.add(env_keep_line)
    # Never move an unvalidated file over /etc/sudoers: a syntax error there
    # locks every administrator out of sudo.
    check_output = x("visudo -c -f " + candidate)
    if candidate + ": parsed OK" in check_output:
        x("mv " + candidate + " /etc/sudoers")
    else:
        app.print_error("Temporary sudoers file corrupt, not updating")
def add_kvm_chain():
    """Create the iptables ``kvm`` chain and enable IPv4 forwarding for libvirt guests.

    The previous chain is always removed first; everything else is skipped
    when /etc/init.d/libvirtd does not exist (host is not a KVM node).
    """
    del_kvm_chain()

    if not os.path.exists('/etc/init.d/libvirtd'):
        return

    app.print_verbose("Add iptables chain for kvm")

    # Hook the chain into syco_forward, then accept every frame that is only
    # bridged through the host; such traffic is not inspected further here.
    for rule in (
        "-N kvm",
        "-A syco_forward  -p ALL -j kvm",
        "-A kvm -m physdev --physdev-is-bridged -j ACCEPT",
    ):
        iptables(rule)

    # DHCP / TODO: Needed??
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp")
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp")

    # Controls IP packet forwarding (persisted in sysctl.conf).
    scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$",
                                           "net.ipv4.ip_forward = 1")

    # Flush the route caches so the forwarding change is picked up.
    for sysctl_arg in ("net.ipv4.route.flush=1", "net.ipv6.route.flush=1"):
        x("/sbin/sysctl -w " + sysctl_arg)

    # Reload all settings.
    x("service libvirtd reload")
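def install_auditd():
    """Install and harden auditd following the CIS 5.3 items printed below.

    Side effects: enables the auditd service, replaces /etc/audit/audit.rules
    with the syco copy, rewrites /etc/audit/auditd.conf, appends ``audit=1``
    to the kernel line(s) in /etc/grub.conf, enables pam_tty_audit, turns on
    the audisp syslog plugin and restarts auditd.

    The auditd.conf patterns are raw strings: ``\s`` and ``\=`` are not Python
    escape sequences, so the plain literals produced the same bytes but
    raised invalid-escape warnings.
    """
    app.print_verbose("Install auditd.")
    #
    # Setup auditd rules
    #
    app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")

    app.print_verbose("CIS 5.3.1 Enable auditd Service")
    x("chkconfig auditd on")

    app.print_verbose("Added our own audit.rules")
    x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
    x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
    # Audit log directory and rule set readable by root only.
    x("chmod 700 /var/log/audit/")
    x("chmod 700 /etc/audit/audit.rules")

    #
    # Harden auditd.conf
    #
    auditd = scOpen("/etc/audit/auditd.conf")

    app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
    auditd.replace_add(r"^max_log_file[\s]*\=.*", "max_log_file = 50")

    app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
    # Halting when the admin reserve is exhausted favours an intact audit
    # trail over availability; that is the CIS 5.3.2.2 trade-off.
    auditd.replace_add(r"^space_left_action[\s]*\=.*", "space_left_action = email")
    auditd.replace_add(r"^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
    auditd.replace_add(r"^admin_space_left_action[\s]*\=.*", "admin_space_left_action = halt")

    app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
    auditd.replace_add(r"^max_log_file_action[\s]*\=.*", "max_log_file_action = keep_logs")

    app.print_verbose("Extra auditd configs")
    auditd.replace_add(r"^num_logs[\s]*\=.*", "num_logs = 99")
    auditd.replace_add(r"^space_left[\s]*\=.*", "space_left = 125")
    auditd.replace_add(r"^admin_space_left[\s]*\=.*", "admin_space_left = 75")

    x("chmod 700 /etc/audit/auditd.conf")

    app.print_verbose("CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
    grub = scOpen("/etc/grub.conf")
    grub.add_to_end_of_line("^[^#]*kernel", "audit=1")

    # Add tty auditing to pam.
    app.print_verbose("Logging all admin Actions")
    # NOTE(review): RHEL/CentOS ship this file as /etc/pam.d/system-auth
    # (hyphenated). Confirm "systemauth" is intended; otherwise this edit
    # lands in a file PAM never reads and tty auditing stays off.
    pam = scOpen("/etc/pam.d/systemauth")
    pam.replace_add(r"^session[\s]required[\s]pam_tty_audit.so[\s]enable=",
                    "session\trequired\tpam_tty_audit.so enable=*")

    # Forward audit events to syslog via the audisp plugin.
    app.print_verbose("Sending all admin actions to Syslog")
    syslog = scOpen("/etc/audisp/plugins.d/syslog.conf")
    syslog.replace_add(r"^active[\s]=.*", "active = yes")

    #
    # Restart service so the new rules and config are loaded.
    #
    x("service auditd restart")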
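def install_auditd():
    """Install and harden auditd following the CIS 5.3 items printed below.

    Side effects: enables the auditd service, installs the syco copies of
    /etc/audit/audit.rules and /etc/audisp/plugins.d/syslog.conf, rewrites
    /etc/audit/auditd.conf, appends ``audit=1`` to the kernel line(s) in
    /etc/grub.conf, enables pam_tty_audit and activates the audisp syslog
    plugin. auditd itself is not restarted in this function.

    The auditd.conf patterns are raw strings: ``\s`` and ``\=`` are not Python
    escape sequences, so the plain literals produced the same bytes but
    raised invalid-escape warnings.
    """
    app.print_verbose("Install auditd.")
    #
    # Setup auditd rules
    #
    app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")

    app.print_verbose("CIS 5.3.1 Enable auditd Service")
    x("chkconfig auditd on")

    app.print_verbose("Added our own audit.rules")
    x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
    x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
    x("cp %shardening/syslog.conf /etc/audisp/plugins.d/syslog.conf" %
      app.SYCO_VAR_PATH)
    # Audit log directory and rule set readable by root only.
    x("chmod 700 /var/log/audit/")
    x("chmod 700 /etc/audit/audit.rules")

    #
    # Harden auditd.conf
    #
    auditd = scOpen("/etc/audit/auditd.conf")

    app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
    auditd.replace_add(r"^max_log_file[\s]*\=.*", "max_log_file = 50")

    app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
    # Halting when the admin reserve is exhausted favours an intact audit
    # trail over availability; that is the CIS 5.3.2.2 trade-off.
    auditd.replace_add(r"^space_left_action[\s]*\=.*",
                       "space_left_action = email")
    auditd.replace_add(r"^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
    auditd.replace_add(r"^admin_space_left_action[\s]*\=.*",
                       "admin_space_left_action = halt")

    app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
    auditd.replace_add(r"^max_log_file_action[\s]*\=.*",
                       "max_log_file_action = rotate")

    app.print_verbose("Extra auditd configs")
    auditd.replace_add(r"^num_logs[\s]*\=.*", "num_logs = 10")
    auditd.replace_add(r"^space_left[\s]*\=.*", "space_left = 125")
    auditd.replace_add(r"^admin_space_left[\s]*\=.*", "admin_space_left = 75")

    x("chmod 700 /etc/audit/auditd.conf")

    app.print_verbose(
        "CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
    grub = scOpen("/etc/grub.conf")
    grub.add_to_end_of_line("^[^#]*kernel", "audit=1")

    # Add tty auditing to pam.
    app.print_verbose("Logging all admin Actions")
    # NOTE(review): RHEL/CentOS ship this file as /etc/pam.d/system-auth
    # (hyphenated). Confirm "systemauth" is intended; otherwise this edit
    # lands in a file PAM never reads and tty auditing stays off.
    pam = scOpen("/etc/pam.d/systemauth")
    pam.replace_add(r"^session[\s]required[\s]pam_tty_audit.so[\s]enable=",
                    "session\trequired\tpam_tty_audit.so enable=*")

    # Forward audit events to syslog via the audisp plugin.
    app.print_verbose("Sending all admin actions to Syslog")
    syslog = scOpen("/etc/audisp/plugins.d/syslog.conf")
    syslog.replace_add(r"^active[\s]=.*", "active = yes")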
def setup_ssh():
    """Apply the [ssh] and [sshd] sections of hardening/config.cfg to OpenSSH.

    The untouched originals are kept as *.sycobak. Option names come from
    config.cfg, which ConfigParser lower-cases, hence the case-insensitive
    patterns. The login banner from the hardening directory is installed last.
    """
    app.print_verbose("Harden ssh and sshd.")
    x("cp /etc/ssh/ssh_config  /etc/ssh/ssh_config.sycobak")
    x("cp /etc/ssh/sshd_config /etc/ssh/sshd_config.sycobak")

    config = ConfigParser.SafeConfigParser()
    config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)

    # (section, file, pattern prefix). The sshd prefix begins with ".*", so
    # the option name is matched anywhere in the line rather than only at
    # its start; if applied as a case-insensitive regex, a short name such
    # as "port" would also hit a line like "#GatewayPorts no". Kept as the
    # author wrote it; review config.cfg for such overlaps.
    targets = (
        ('ssh', "/etc/ssh/ssh_config", "^(?#)(?i)"),
        ('sshd', "/etc/ssh/sshd_config", ".*(?#)(?i)"),
    )
    for section, path, prefix in targets:
        handle = scOpen(path)
        for setting in config.options(section):
            handle.replace_add(prefix + setting + ".*",
                               config.get(section, setting))

    #
    # Set login banner.
    #
    x('cp %s/hardening/issue.net /etc/issue.net' % app.SYCO_VAR_PATH)
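def _install_nrpe_plugins():
    '''
    Install NRPE-plugins (to be executed remoteley) and SELinux-rules.

    Side effects: copies the syco NRPE plugins into /usr/lib64/nagios/plugins,
    fills the credential/host placeholders in /etc/nagios/nrpe.d/common.cfg,
    restricts the plugin tree to nrpe:nrpe and loads the plugins' SELinux
    modules.

    '''
    def _sed_escape(value):
        # Escape the characters that are special on the right-hand side of a
        # sed "s/.../.../" expression ("&" = whole match, "/" = delimiter).
        # The original escaped only the MySQL password this way; the LDAP
        # password is now treated identically so a value containing "&" or
        # "/" cannot corrupt the substitution or leak into the config.
        return value.replace("&", r"\&").replace("/", r"\/")

    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* /usr/lib64/nagios/plugins/".format(constant.SYCO_PATH))

    # Set the sssd password.
    # NOTE(review): the two placeholders are spelled differently
    # ("$(LDAPPASSWORD)" vs "($LDAPURL)"); confirm both match the template
    # shipped in common.cfg.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", _sed_escape(app.get_ldap_sssd_password()))
    nrpe_config.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Change ownership of plugins to nrpe (from icinga/nagios)
    x("chmod -R 750 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl/iptables
    # Corresponding .te-files summarize rule content
    x("mkdir -p /var/lib/syco_selinux_modules")
    for rule_path in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(rule_path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Set MySQL password, if running MySQL.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(SQLPASS)", _sed_escape(app.get_mysql_monitor_password()))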
def configure_ldap_client():
    """Append the syco LDAP client settings to /etc/openldap/ldap.conf.

    Points clients at the ldaps:// URI of the configured LDAP host and at
    the certificate material in /etc/openldap/cacerts (the same client.pem
    is named for both tls_cert and tls_key).
    """
    settings = [
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + config.general.get_ldap_dn(),
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
    ]
    block = "".join(line + "\n" for line in settings)
    scOpen("/etc/openldap/ldap.conf").add(block)
def disable_usb():
    """Blacklist the usb-storage kernel module in /etc/modprobe.d/syco.conf.

    Disabled for now; the function returns before touching anything.
    TODO Currently need usb dvd reader for installation.
    """
    blacklist_active = False
    if not blacklist_active:
        return

    app.print_verbose("Disable usb")
    syco_modprobe = scOpen("/etc/modprobe.d/syco.conf")
    syco_modprobe.replace_add("^blacklist usb-storage$", "blacklist usb-storage")
def customize_shell():
    """Set the syco interactive-shell defaults and keep SSH_AUTH_SOCK across sudo.

    Edits /etc/bashrc, /root/.bash_profile and /etc/skel/.bash_profile in
    place. /etc/sudoers is replaced only when ``visudo -c`` accepts the
    edited copy.
    """
    app.print_verbose("Customize shell")

    app.print_verbose("  Add Date And Time To History Output")
    scOpen("/etc/bashrc").replace_add(
        "^export HISTTIMEFORMAT=.*$",
        'export HISTTIMEFORMAT="%h/%d - %H:%M:%S "')

    app.print_verbose("  Add Color To Grep")
    grep_exports = (
        ("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'"),
        ("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto"),
    )
    for profile_path in ("/root/.bash_profile", "/etc/skel/.bash_profile"):
        profile = scOpen(profile_path)
        for pattern, export_line in grep_exports:
            profile.replace_add(pattern, export_line)

    app.print_verbose("  Enable SSH key forwarding to work with sudo su")
    env_keep = 'Defaults    env_keep += "SSH_AUTH_SOCK"'
    scratch = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + scratch)
    edited = scOpen(scratch)
    # Remove before add so the directive appears exactly once.
    edited.remove(env_keep)
    edited.add(env_keep)
    # Validate with visudo first: an unparsable /etc/sudoers disables sudo
    # for everyone.
    result = x("visudo -c -f " + scratch)
    if scratch + ": parsed OK" in result:
        x("mv " + scratch + " /etc/sudoers")
    else:
        app.print_error("Temporary sudoers file corrupt, not updating")
def setup_ssh():
    """Harden ssh_config and sshd_config from the [ssh]/[sshd] sections of config.cfg.

    Backups of both files are kept as *.sycobak. ConfigParser returns option
    names lower-cased, which is why the patterns carry a case-insensitive
    flag. Finally the syco login banner is copied to /etc/issue.net.
    """
    app.print_verbose("Harden ssh and sshd.")
    x("cp /etc/ssh/ssh_config  /etc/ssh/ssh_config.sycobak")
    x("cp /etc/ssh/sshd_config /etc/ssh/sshd_config.sycobak")

    config = ConfigParser.SafeConfigParser()
    config.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)

    def apply_section(section, path, prefix):
        # One replace_add per option in the section, in file order.
        target = scOpen(path)
        for setting in config.options(section):
            target.replace_add(prefix + setting + ".*",
                               config.get(section, setting))

    #
    # Hardening ssh config
    #
    apply_section('ssh', "/etc/ssh/ssh_config", "^(?#)(?i)")

    #
    # Hardening sshd config. The ".*" prefix matches the option name
    # anywhere in the line, not only at its start, so unrelated options
    # whose names contain a configured one may be rewritten too; review
    # config.cfg for such overlaps.
    #
    apply_section('sshd', "/etc/ssh/sshd_config", ".*(?#)(?i)")

    #
    # Set login banner.
    #
    x('cp %s/hardening/issue.net /etc/issue.net' % app.SYCO_VAR_PATH)
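def setup_clam_and_freshclam():
    """Configure clamd and freshclam under /usr/local/etc.

    Every (pattern, line) pair is passed, in order, to ``scOpen.replace``.
    The patterns are raw strings because ``\?`` is not a Python escape
    sequence: the plain literal gave the same bytes but an invalid-escape
    warning.

    Fix: the ``LogFile`` pattern now requires a space after the keyword.
    ``^[#]\?LogFile.*`` also matched ``LogFileMaxSize`` and ``LogFileUnlock``,
    so the ``LogFileMaxSize 100M`` line written one step earlier was
    clobbered with the ``LogFile`` value.

    Returns:
        None. Side effects only.
    """
    app.print_verbose("Setup clamav and freshclam")

    app.print_verbose("  Setup config files.")

    def apply(path, settings):
        # Apply the settings to one file in the given order.
        handle = scOpen(path)
        for pattern, line in settings:
            handle.replace(pattern, line)

    apply("/usr/local/etc/clamd.conf", (
        (r"^[#]\?Example.*", "#Example"),
        (r"^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M"),
        # Trailing space: must not match LogFileMaxSize / LogFileUnlock.
        (r"^[#]\?LogFile .*", "LogFile /var/log/clamav/clamd.log"),
        (r"^[#]\?LogTime.*", "LogTime yes"),
        (r"^[#]\?LogSyslog.*", "LogSyslog yes"),
        # Loopback-only TCP listener; remote hosts should not reach clamd.
        (r"^[#]\?TCPSocket.*", "TCPSocket 3310"),
        (r"^[#]\?TCPAddr.*", "TCPAddr 127.0.0.1"),
        (r"^[#]\?ExcludePath.*/proc.*", "ExcludePath ^/proc"),
        (r"^[#]\?ExcludePath.*/sys.*", "ExcludePath ^/sys"),
        # Run as the unprivileged clamav account.
        (r"^[#]\?User.*", "User clamav"),
        (r"^[#]\?LocalSocket.*", "LocalSocket /var/run/clamav/clamd.socket"),
        (r"^[#]\?PidFile.*", "PidFile /var/run/clamav/clamd.pid"),
    ))

    apply("/usr/local/etc/freshclam.conf", (
        (r"^[#]\?Example.*", "#Example"),
        (r"^[#]\?LogFileMaxSize.*", "LogFileMaxSize 100M"),
        (r"^[#]\?LogTime.*", "LogTime yes"),
        (r"^[#]\?LogSyslog.*", "LogSyslog yes"),
        (r"^[#]\?DatabaseOwner.*", "DatabaseOwner clamav"),
        (r"^[#]\?PidFile.*", "PidFile /var/run/clamav/freshclam.pid"),
        (r"^[#]\?DatabaseMirror.*", "DatabaseMirror database.clamav.net"),
        (r"^[#]\?UpdateLogFile.*", "UpdateLogFile /var/log/clamav/freshclam.log"),
    ))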
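def install_packages():
    '''
    Install packages and start service.

    Installs the OpenLDAP server and client packages, seeds the backend
    tuning in /var/lib/ldap/DB_CONFIG, stores the cn=config root password
    hash and starts slapd, enabled at boot.

    Returns:
        None. Side effects only.
    '''
    setup_hosts()

    # Install all required packages.
    x("yum -y install openldap-servers openldap-clients mlocate")

    # Create backend database.
    db_tuning = "\n".join([
        "set_cachesize 0 268435456 1",
        "set_lg_regionmax 262144",
        "set_lg_bsize 2097152",
    ])
    scOpen("/var/lib/ldap/DB_CONFIG").add(db_tuning)
    x("chown -R ldap:ldap /var/lib/ldap")

    # Set password for cn=config (it's secret): only the hash from
    # get_hashed_password() is written. Raw string because "\=" and "\{"
    # are not Python escape sequences; the bytes are unchanged but the
    # invalid-escape warning is gone.
    config_ldif = r'/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{0\}config.ldif'
    scOpen(config_ldif).add(
        'olcRootPW: %(ldap_password)s' %
        {'ldap_password': get_hashed_password(app.get_ldap_admin_password())})

    # Autostart slapd after reboot.
    x("chkconfig slapd on")

    # Start ldap server
    x("service slapd start")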
def enable_ssl():
    '''
    Configure slapd to only be accessible over ssl,
    with client certificate.

    Learn more:
        http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.0
        http://www.openldap.org/faq/data/cache/185.html

    Side effects: modifies cn=config via ldapadd, switches
    /etc/sysconfig/ldap to LDAPS only, restarts slapd and then sets up the
    client certificate for the local ldap tools.
    '''
    # NOTE(review): olcTLSVerifyClient "allow" asks for a client certificate
    # but does not reject sessions that present none; if the docstring's
    # "with client certificate" is meant to be mandatory, "demand" is the
    # value to use - confirm before changing. HIGH:MEDIUM:-SSLv2 still
    # admits medium-strength ciphers; review against current policy.
    tls_ldif = """
dn: cn=config
changetype:modify
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/cacerts/slapd.key
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/cacerts/slapd.crt
-
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/cacerts/ca.crt
-
replace: olcTLSCipherSuite
olcTLSCipherSuite: HIGH:MEDIUM:-SSLv2
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: allow"""
    ldapadd("admin", tls_ldif)

    # Enable LDAPS and disable plain LDAP.
    sysconfig_path = '/etc/sysconfig/ldap'
    for pattern, value in (('[#]*SLAPD_LDAPS=.*', 'SLAPD_LDAPS=yes'),
                           ('[#]*SLAPD_LDAP=.*', 'SLAPD_LDAP=no')):
        scOpen(sysconfig_path).replace(pattern, value)
    x("service slapd restart")

    configure_client_cert_for_ldaptools()
def add_kvm_chain():
    """Install the iptables ``kvm`` chain and turn on IPv4 forwarding for guests.

    Always removes the old chain first. Does nothing further unless
    /etc/init.d/libvirtd exists.
    """
    del_kvm_chain()

    libvirtd_present = os.path.exists('/etc/init.d/libvirtd')
    if not libvirtd_present:
        return

    app.print_verbose("Add iptables chain for kvm")

    iptables("-N kvm")
    iptables("-A syco_forward  -p ALL -j kvm")
    # Frames merely bridged through the host are accepted without further
    # inspection by this chain.
    iptables("-A kvm -m physdev --physdev-is-bridged -j ACCEPT")

    # DHCP / TODO: Needed??
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 67 -j allowed_udp")
    # iptables("-A kvm -m state --state NEW -m udp -p udp --dport 68 -j allowed_udp")

    # Controls IP packet forwarding; persisted so it survives reboot.
    sysctl_conf = scOpen("/etc/sysctl.conf")
    sysctl_conf.replace_add("^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = 1")

    # Flush the route caches.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")
    x("/sbin/sysctl -w net.ipv6.route.flush=1")

    # Reload all settings.
    x("service libvirtd reload")
def build_client_certs(args):
    """Build an OpenVPN client key bundle for every account directory under /home.

    For each entry in /home that has no openvpn_client_keys.zip yet (and
    whose name does not contain "lost+found"), an easy-rsa PKCS#12 key pair
    is generated and zipped together with ca.crt, client.conf, install.txt
    and the shared /etc/openvpn/ta.key into that user's home directory.
    The function also registers itself in /etc/cronjob.

    Args:
        args: not used inside this function.
    """
    install.package("zip")
    # Process-wide side effect: the working directory is changed here and
    # again inside the loop, and never restored.
    os.chdir("/etc/openvpn/easy-rsa/keys")
    general.set_config_property(
        "/etc/cronjob", "01 * * * * root run-parts syco build_client_certs",
        "01 * * * * root run-parts syco build_client_certs")

    # Create client.conf
    clientConf = "/etc/openvpn/easy-rsa/keys/client.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/client.conf %s" % clientConf)
    scOpen(clientConf).replace('${OPENVPN.HOSTNAME}',
                               config.general.get_openvpn_hostname())

    x("cp " + app.SYCO_PATH + "/doc/openvpn/install.txt .")

    for user in os.listdir("/home"):
        cert_already_installed = os.access(
            "/home/" + user + "/openvpn_client_keys.zip", os.F_OK)
        # Substring test, not an exact name match.
        valid_file = "lost+found" not in user
        if valid_file and not cert_already_installed:
            os.chdir("/etc/openvpn/easy-rsa/")
            # The directory name is used verbatim as the certificate CN/NAME
            # and, further down, spliced into shell command strings.
            general.set_config_property("/etc/openvpn/easy-rsa/vars",
                                        '[\s]*export KEY_CN.*',
                                        'export KEY_CN="' + user + '"')
            general.set_config_property("/etc/openvpn/easy-rsa/vars",
                                        '[\s]*export KEY_NAME.*',
                                        'export KEY_NAME="' + user + '"')

            general.set_config_property(
                "/etc/openvpn/easy-rsa/build-key-pkcs12",
                '.*export EASY_RSA.*',
                'source ./vars;export EASY_RSA="${EASY_RSA:-.}"')

            # NOTE(review): the events mapping below is not valid Python as
            # shown on this page; the export-password answers appear to have
            # been masked ("******") by the hosting site. Restore it from the
            # project source before use.
            out = general.shell_exec(
                "./build-key-pkcs12 --batch " + user,
                cwd="/etc/openvpn/easy-rsa/",
                events={
                    '(?i)Enter Export Password:'******'\n',
                    '(?i)Verifying - Enter Export Password:'******'\n'
                })
            app.print_verbose(out)

            # Config client.crt
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf", "^cert.*crt",
                "cert " + user + ".crt")
            general.set_config_property(
                "/etc/openvpn/easy-rsa/keys/client.conf", "^key.*key",
                "key " + user + ".key")

            os.chdir("/etc/openvpn/easy-rsa/keys")
            # The bundle contains the user's private key and .p12 plus the
            # shared ta.key, which is therefore handed to every user.
            x("zip /home/" + user + "/openvpn_client_keys.zip ca.crt " + user +
              ".crt " + user + ".key " + user +
              ".p12 client.conf install.txt /etc/openvpn/ta.key")
            # Set permission for the user who now owns the file.
            # Mode 0440 is applied before the chown; once the file belongs to
            # <user>:users, every member of group "users" can read this
            # private-key bundle. S_IRUSR alone would limit it to the owner.
            os.chmod("/home/" + user + "/openvpn_client_keys.zip",
                     stat.S_IRUSR | stat.S_IRGRP)
            general.shell_exec("chown " + user + ":users /home/" + user +
                               "/openvpn_client_keys.zip ")
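def syslog():
    """Configure rsyslog per CIS 5.2 and enable protocol logging for vsftpd when present.

    Side effects: installs and enables rsyslog (and turns off a legacy
    xinetd-managed syslog if /etc/xinetd.d/syslog exists), rewrites the
    authpriv/auth rules in /etc/rsyslog.conf, and edits whichever vsftpd
    config file exists.

    Fixes: the second vsftpd branch tested /etc/vsftpd/vsftpd.conf but then
    edited /etc/vsftpd.conf, so hosts using the /etc/vsftpd/ layout were
    never changed; ``yum install`` now passes ``-y`` so an unattended run
    cannot stall on the confirmation prompt; the ``[\#]`` patterns are raw
    strings (``\#`` is not a Python escape sequence; same bytes, no warning).
    """
    app.print_verbose("CIS 5.2 Configure rsyslog")

    #
    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    x("yum -y install rsyslog")

    #
    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    if os.path.exists('/etc/xinetd.d/syslog'):
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    #
    app.print_verbose("CIS 5.2.3 Configure /etc/rsyslog.conf")
    # >> etc/rsyslog.conf
    # auth,user.* 	/var/log/messages
    # kern.*			/var/log/kern.log
    # daemon.*		/var/log/daemon.log
    # syslog.* 		/var/log/syslog
    # lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log

    # x("pkill -HUP rsyslogd")

    #
    app.print_verbose("CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    # for logfile in all_files_in_rsyslog.conf
    # touch logfile
    # chown root:root logfile
    # chmod og-rwx logfile

    #
    # Route authpriv and auth to dedicated files. Remove any existing rule
    # first so add() cannot produce duplicates.
    #
    rsyslog = scOpen('/etc/rsyslog.conf')
    rsyslog.remove("^authpriv\\.\\*")
    rsyslog.add("authpriv.*\t\t\t\t/var/log/secure\n")

    rsyslog.remove("^auth\\.\\*")
    rsyslog.add("auth.*\t\t\t\t/var/log/messages\n")

    #
    # Secure VSFTP if installed. Two layouts exist (/etc/vsftpd.conf and
    # /etc/vsftpd/vsftpd.conf); each branch edits the file it tested for.
    #
    if os.path.isfile("/etc/vsftpd.conf"):
        app.print_verbose("Enable user logining for vsftpd.")
        ftp = scOpen("/etc/vsftpd.conf")
        ftp.replace(r"^([\#]?)xferlog_std_format=NO.*", "xferlog_std_format=NO")
        ftp.replace(r"^([\#]?)log_ftp_protocol=YES.*", "log_ftp_protocol=YES")

    if os.path.isfile("/etc/vsftpd/vsftpd.conf"):
        app.print_verbose("Enable user logining for vsftpd.")
        ftp = scOpen("/etc/vsftpd/vsftpd.conf")
        ftp.replace(r"^([\#]?)xferlog_std_format=NO", "xferlog_std_format=NO")
        ftp.replace(r"^([\#]?)log_ftp_protocol=YES", "log_ftp_protocol=YES")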
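def syslog():
    """Configure rsyslog per CIS 5.2 and enable protocol logging for vsftpd when present.

    Side effects: installs and enables rsyslog (disabling a legacy
    xinetd-managed syslog if /etc/xinetd.d/syslog exists), rewrites the
    authpriv/auth rules in /etc/rsyslog.conf, and edits whichever vsftpd
    config file exists.

    Fixes: the second vsftpd branch tested /etc/vsftpd/vsftpd.conf but then
    edited /etc/vsftpd.conf, leaving hosts with the /etc/vsftpd/ layout
    untouched; ``yum install`` now passes ``-y`` so an unattended run does
    not block on the confirmation prompt; the ``[\#]`` patterns are raw
    strings (``\#`` is not a Python escape sequence; same bytes, no warning).
    """
    app.print_verbose("CIS 5.2 Configure rsyslog")

    #
    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    x("yum -y install rsyslog")

    #
    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    if os.path.exists('/etc/xinetd.d/syslog'):
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    #
    app.print_verbose("CIS 5.2.3 Configure /etc/rsyslog.conf")
    # >> etc/rsyslog.conf
    # auth,user.* 	/var/log/messages
    # kern.*			/var/log/kern.log
    # daemon.*		/var/log/daemon.log
    # syslog.* 		/var/log/syslog
    # lpr,news,uucp,local0,local1,local2,local3,local4,local5,local6.* /var/log/unused.log

    # x("pkill -HUP rsyslogd")

    #
    app.print_verbose(
        "CIS 5.2.4 Create and Set Permissions on rsyslog Log Files")
    # for logfile in all_files_in_rsyslog.conf
    # touch logfile
    # chown root:root logfile
    # chmod og-rwx logfile

    #
    # Route authpriv and auth to dedicated files; remove any existing rule
    # first so add() cannot leave duplicates.
    #
    rsyslog = scOpen('/etc/rsyslog.conf')
    rsyslog.remove("^authpriv\\.\\*")
    rsyslog.add("authpriv.*\t\t\t\t/var/log/secure\n")

    rsyslog.remove("^auth\\.\\*")
    rsyslog.add("auth.*\t\t\t\t/var/log/messages\n")

    #
    # Secure VSFTP if installed. Each branch edits the file it tested for.
    #
    if os.path.isfile("/etc/vsftpd.conf"):
        app.print_verbose("Enable user logining for vsftpd.")
        ftp = scOpen("/etc/vsftpd.conf")
        ftp.replace(r"^([\#]?)xferlog_std_format=NO.*", "xferlog_std_format=NO")
        ftp.replace(r"^([\#]?)log_ftp_protocol=YES.*", "log_ftp_protocol=YES")

    if os.path.isfile("/etc/vsftpd/vsftpd.conf"):
        app.print_verbose("Enable user logining for vsftpd.")
        ftp = scOpen("/etc/vsftpd/vsftpd.conf")
        ftp.replace(r"^([\#]?)xferlog_std_format=NO", "xferlog_std_format=NO")
        ftp.replace(r"^([\#]?)log_ftp_protocol=YES", "log_ftp_protocol=YES")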
def configure_ldap_client():
    """Add the syco LDAP client settings to /etc/openldap/ldap.conf.

    Uses the ldaps:// URI of the configured host and the certificate files
    under /etc/openldap/cacerts; client.pem is given for both tls_cert and
    tls_key.
    """
    hostname = config.general.get_ldap_hostname()
    base_dn = config.general.get_ldap_dn()
    entries = (
        "uri ldaps://%s" % hostname,
        "base %s" % base_dn,
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
    )
    scOpen("/etc/openldap/ldap.conf").add("\n".join(entries) + "\n")
def disable_ip6_support():
    """Switch IPv6 off: disable the ipv6 module via modprobe and set NETWORKING_IPV6=no."""
    app.print_verbose("Disable IP6 support")
    edits = (
        ("/etc/modprobe.d/syco.conf", (
            ("^options ipv6.*", "options ipv6 disable=1"),
            ("^alias net-pf-10 off$", "alias net-pf-10 off"),
        )),
        ("/etc/sysconfig/network", (
            ("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no"),
        )),
    )
    for path, settings in edits:
        handle = scOpen(path)
        for pattern, line in settings:
            handle.replace_add(pattern, line)
def setup_crontab():
    """Install the daily ClamAV scan job from SYCO_VAR_PATH/clam into /etc/cron.daily."""
    app.print_verbose("Setup crontab")
    x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
    # Fill in the report recipient.
    scan_job = scOpen("/etc/cron.daily/viruscan.sh")
    scan_job.replace("${ADMIN_EMAIL}", config.general.get_admin_email())
def install_gitweb():
    '''
    Install the git web interface gitweb.

    Points gitweb's $projectroot at /var/lib/git by rewriting the
    assignment inside the installed CGI script.
    '''
    x("yum -y install gitweb")
    cgi_script = scOpen("/var/www/git/gitweb.cgi")
    cgi_script.replace("^our.*projectroot.*", 'our $projectroot = "/var/lib/git";')
def configure_localhost():
    """Map 127.0.0.1 in /etc/hosts to the FQDN, the localhost names and the short hostname."""
    app.print_verbose("Configure /etc/hosts")
    host = gethostname()
    domain = general.get_resolv_domain()
    entry = "127.0.0.1 %s.%s localhost.localdomain localhost %s" % (host, domain, host)
    scOpen("/etc/hosts").replace_add("127.0.0.1.*", entry)
def disable_ip6_support():
    """Disable IPv6: ipv6 module off via modprobe options, NETWORKING_IPV6=no in sysconfig."""
    app.print_verbose("Disable IP6 support")

    syco_modprobe = scOpen("/etc/modprobe.d/syco.conf")
    for pattern, line in (("^options ipv6.*", "options ipv6 disable=1"),
                          ("^alias net-pf-10 off$", "alias net-pf-10 off")):
        syco_modprobe.replace_add(pattern, line)

    sysconfig_network = scOpen("/etc/sysconfig/network")
    sysconfig_network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")
def install_logmgmt(args):
    '''
    Install and configure log management tools on the local host.

    Installs the syco compress/cleanup scripts under /var/lib/logmgmt, the
    LogAnalyzer web UI under /var/www/html/loganalyzer and an httpd config
    that authenticates against LDAP. Guarded by version.Version so the
    steps run once per SCRIPT_VERSION.

    Args:
        args: not used inside this function.
    '''
    app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)

    version_obj = version.Version("InstallLogMgmt", SCRIPT_VERSION)
    version_obj.check_executed()

    logmgmt_src = app.SYCO_PATH + "var/logmgmt/"

    x("mkdir -p /var/lib/logmgmt")

    shutil.copy(logmgmt_src + "compress_logs.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/compress_logs.sh")

    shutil.copy(logmgmt_src + "logmgmt_cron", "/etc/cron.daily/")
    x("chmod +x /etc/cron.daily/logmgmt_cron")
    cron_job = scOpen("/etc/cron.daily/logmgmt_cron")
    cron_job.replace("${alert_email}", config.general.get_admin_email())

    # LogAnalyzer web front end.
    for package in ("php", "php-mysql", "php-gd"):
        x("yum -y install " + package)
    # NOTE(review): the tarball is fetched over plain http and extracted
    # without any checksum or signature check, so the installed web app is
    # whatever the mirror or the network path delivers. Pin a hash or use a
    # verified source.
    x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz")
    x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
    x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
    x("chown -R apache /var/www/html/loganalyzer")
    shutil.copy(logmgmt_src + "config.php", "/var/www/html/loganalyzer/")

    # NOTE(review): the MySQL *root* credentials are written into a file
    # served by httpd; a dedicated least-privilege database account would
    # limit what a compromised web app can reach.
    web_config = scOpen("/var/www/html/loganalyzer/config.php")
    web_config.replace("${mysql_user}", "root")
    web_config.replace("${mysql_password}", app.get_mysql_root_password())

    x("chown -R apache /var/www/html/loganalyzer")
    x("rm -rf /tmp/loganalyzer*")

    shutil.copy(logmgmt_src + "remove_sql.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/remove_sql.sh")
    cleanup_script = scOpen("/var/lib/logmgmt/remove_sql.sh")
    cleanup_script.replace("${mysql_user}", "root")
    cleanup_script.replace("${mysql_password}", app.get_mysql_root_password())

    # httpd config with LDAP bind credentials.
    shutil.copy(logmgmt_src + "loganalyzer.conf", "/etc/httpd/conf.d/")
    httpd_conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    httpd_conf.replace("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn())
    httpd_conf.replace("${bind_password}", "%s" % app.get_ldap_sssd_password())
    ldap_url = "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                          config.general.get_ldap_dn())
    httpd_conf.replace("${ldap_url}", ldap_url)

    x("service httpd restart")
    version_obj.mark_executed()
def _configure_haproxy():
    """Install the environment-specific haproxy.cfg and error page, then (re)start haproxy.

    The shipped haproxy.cfg is preserved as org.haproxy.cfg. ${ENV_IP} in
    the new config is replaced with the address of eth1.
    """
    conf_dir = HAPROXY_CONF_DIR
    x("mv {0}haproxy.cfg {0}org.haproxy.cfg".format(conf_dir))
    x("cp {0}/{1}.haproxy.cfg {2}haproxy.cfg".format(SYCO_PLUGIN_PATH, HAPROXY_ENV, conf_dir))
    x("cp {0}/error.html {1}error.html".format(SYCO_PLUGIN_PATH, conf_dir))

    active_cfg = scopen.scOpen(conf_dir + "haproxy.cfg")
    active_cfg.replace("${ENV_IP}", get_ip_address('eth1'))

    _chkconfig("haproxy", "on")
    _service("haproxy", "restart")
def install_logmgmt(args):
    '''
    Install and configure log management tools on the local host.

    Installs the syco log compression/cleanup scripts, the LogAnalyzer web
    UI and an httpd config that binds to LDAP. version.Version ensures the
    steps run once per SCRIPT_VERSION.

    Args:
        args: not used inside this function.
    '''
    app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)

    version_obj = version.Version("InstallLogMgmt", SCRIPT_VERSION)
    version_obj.check_executed()

    def install_script(name, destination):
        # Copy a helper script from the syco tree and make it executable.
        shutil.copy(app.SYCO_PATH + "var/logmgmt/" + name, destination)
        x("chmod +x " + destination + name)

    x("mkdir -p /var/lib/logmgmt")
    install_script("compress_logs.sh", "/var/lib/logmgmt/")

    install_script("logmgmt_cron", "/etc/cron.daily/")
    scOpen("/etc/cron.daily/logmgmt_cron").replace(
        "${alert_email}", config.general.get_admin_email())

    # LogAnalyzer web front end.
    x("yum -y install php")
    x("yum -y install php-mysql")
    x("yum -y install php-gd")
    # NOTE(review): plain-http download with no checksum/signature check;
    # whatever the mirror or the path serves ends up under /var/www/html.
    x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz"
      )
    x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
    x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
    x("chown -R apache /var/www/html/loganalyzer")
    shutil.copy(app.SYCO_PATH + "var/logmgmt/config.php",
                "/var/www/html/loganalyzer/")

    # NOTE(review): MySQL root credentials are placed in a web-served
    # config.php and in remove_sql.sh; a least-privilege database account
    # would bound the impact of a web-app compromise.
    web_config = scOpen("/var/www/html/loganalyzer/config.php")
    web_config.replace("${mysql_user}", "root")
    web_config.replace("${mysql_password}", app.get_mysql_root_password())

    x("chown -R apache /var/www/html/loganalyzer")
    x("rm -rf /tmp/loganalyzer*")

    install_script("remove_sql.sh", "/var/lib/logmgmt/")
    cleanup = scOpen("/var/lib/logmgmt/remove_sql.sh")
    cleanup.replace("${mysql_user}", "root")
    cleanup.replace("${mysql_password}", app.get_mysql_root_password())

    shutil.copy(app.SYCO_PATH + "var/logmgmt/loganalyzer.conf",
                "/etc/httpd/conf.d/")
    httpd_conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    httpd_conf.replace("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn())
    httpd_conf.replace("${bind_password}", "%s" % app.get_ldap_sssd_password())
    httpd_conf.replace(
        "${ldap_url}",
        "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                   config.general.get_ldap_dn()))

    x("service httpd restart")
    version_obj.mark_executed()
def install_gitweb():
  '''
  Install the git web interface gitweb.

  Pulls in the gitweb package with yum and repoints the CGI script's
  $projectroot at /var/lib/git, the directory the served repositories
  are expected to live in.

  '''
  cgi_script = "/var/www/git/gitweb.cgi"
  projectroot_line = 'our $projectroot = "/var/lib/git";'

  x("yum -y install gitweb")
  gitweb_cgi = scOpen(cgi_script)
  gitweb_cgi.replace("^our.*projectroot.*", projectroot_line)
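def setup_crontab():
  '''
  Install the daily ClamAV scan job in /etc/cron.daily.

  Copies viruscan.sh from the syco var directory, fills in the
  ${ADMIN_EMAIL} placeholder with the configured admin address and
  makes the script executable. The execute bit matters: run-parts only
  runs executable files, so without it the scan would never happen.
  The chmod mirrors what the later revisions of this function do.

  '''
  app.print_verbose("Setup crontab")
  cron_script = "/etc/cron.daily/viruscan.sh"
  x("cp %s/clam/viruscan.sh /etc/cron.daily/" % app.SYCO_VAR_PATH)
  scOpen(cron_script).replace(
    "${ADMIN_EMAIL}", config.general.get_admin_email()
  )
  # Make sure run-parts will pick the script up regardless of the mode
  # the copy inherited from the source file and the umask.
  x("/bin/chmod 0755 " + cron_script)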
def install_cgit():
  '''
  Install the git web interface cgit.

  Installs the package, allows httpd to execute CGI under SELinux, and
  replaces any existing include= line in /etc/cgitrc with one pointing
  at /etc/cgitrepos before the repositories themselves are configured.

  '''
  x("yum -y install cgit")
  # cgit is a CGI binary; httpd needs this SELinux boolean to exec it.
  x("setsebool -P httpd_enable_cgi 1")

  cgitrc = scOpen("/etc/cgitrc")
  cgitrc.remove("^include=.*")
  cgitrc.add("include=/etc/cgitrepos")

  configure_repos_for_cgit()
def install_cgit():
    '''
    Install the git web interface cgit.

    Steps: install the cgit package, persistently enable the
    httpd_enable_cgi SELinux boolean so httpd may run the CGI, point
    /etc/cgitrc's include= at /etc/cgitrepos (dropping any previous
    include= line), then hand over to configure_repos_for_cgit().

    '''
    cgitrc_path = "/etc/cgitrc"
    repos_include = "include=/etc/cgitrepos"

    x("yum -y install cgit")
    x("setsebool -P httpd_enable_cgi 1")

    scOpen(cgitrc_path).remove("^include=.*")
    scOpen(cgitrc_path).add(repos_include)

    configure_repos_for_cgit()
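def enable_ip_forward(enable=1):
    """
    Control IP packet forwarding, both persistently and in the running kernel.

    Args:
        enable: 1 (default) to turn forwarding on, 0 to turn it off. The
            value is normalised with int(); anything that does not become
            0 or 1 is rejected, because it is written into /etc/sysctl.conf
            and interpolated into a shell command line as-is.

    Raises:
        ValueError: if ``enable`` cannot be interpreted as 0 or 1.
    """
    try:
        flag = int(enable)
    except (TypeError, ValueError):
        raise ValueError("enable must be 0 or 1, got %r" % (enable,))
    if flag not in (0, 1):
        raise ValueError("enable must be 0 or 1, got %r" % (enable,))

    scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = {0}".format(flag))
    x("/sbin/sysctl -w net.ipv4.ip_forward={0}".format(flag))

    # Flush settings.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")
    x("/sbin/sysctl -w net.ipv6.route.flush=1")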
def setup_crontab():
    '''
    Install the daily ClamAV scan script into /etc/cron.daily.

    The template lives under the syco var directory; its ${ADMIN_EMAIL}
    placeholder is replaced with the configured admin address and the
    file is made executable so run-parts will run it.

    '''
    app.print_verbose("Setup crontab")
    source_script = "%s/clam/viruscan.sh" % app.SYCO_VAR_PATH
    target_script = "/etc/cron.daily/viruscan.sh"

    x("cp " + source_script + " /etc/cron.daily/")
    cron_job = scOpen(target_script)
    cron_job.replace("${ADMIN_EMAIL}", config.general.get_admin_email())

    # https://redmine.fareoffice.com/issues/61041
    x("/bin/chmod 0755 " + target_script)
def _install_glassfish():
    '''
    Installation of the glassfish application server.

    Downloads the GLASSFISH_INSTALL_FILE archive into app.INSTALL_DIR (unless
    already present), unpacks it into GLASSFISH_INSTALL_PATH, installs the
    syco-supplied init script as /etc/init.d/<GLASSFISH_VERSION> and fills in
    the MySQL master IPs in it. Each step is skipped when its result already
    exists, so the function can be re-run.

    NOTE(review): nothing here integrity-checks the downloaded archive (no
    checksum or signature comparison before unzip); whatever GLASSFISH_REPO_URL
    serves is unpacked and installed. A pinned digest check after the
    download is the obvious hardening. The ``user`` argument of the download
    and unzip calls is masked in this listing.

    The path concatenations below (``GLASSFISH_INSTALL_PATH + "glassfish3/*"``,
    ``GLASSFISH_DOMAINS_PATH + "domain1/..."``) assume both constants end
    with "/".

    Raises:
        Exception: if GLASSFISH_INSTALL_FILE is not a zip archive, or if
            domain1/config/domain.xml or the init script is missing afterwards.

    '''
    if (not os.access(GLASSFISH_INSTALL_PATH + "/glassfish", os.F_OK)):
        os.chdir(app.INSTALL_DIR)
        if (not os.access(GLASSFISH_INSTALL_FILE, os.F_OK)):
            general.download_file(GLASSFISH_REPO_URL, user="******")

        # Create installation dir
        # 200:200 is a hard-coded uid/gid -- presumably the glassfish service
        # account; confirm it matches the account the init script starts as.
        if (not os.access(GLASSFISH_INSTALL_PATH, os.F_OK)):
            x("mkdir -p " + GLASSFISH_INSTALL_PATH)
            x("chmod 770 " + GLASSFISH_INSTALL_PATH)
            x("chown 200:200 " + GLASSFISH_INSTALL_PATH)

        # Set executeion permissions and run the installation.
        # The zip unpacks into a glassfish3/ subdirectory; its contents are
        # hoisted one level up so GLASSFISH_INSTALL_PATH/glassfish exists.
        if ".zip" in GLASSFISH_INSTALL_FILE:
            install.package("unzip")
            x("unzip " + GLASSFISH_INSTALL_FILE + " -d " +
              GLASSFISH_INSTALL_PATH,
              user="******")
            x("mv " + GLASSFISH_INSTALL_PATH + "glassfish3/* " +
              GLASSFISH_INSTALL_PATH,
              user="******")
            x("rm -rf " + GLASSFISH_INSTALL_PATH + "glassfish3",
              user="******")
        else:
            raise Exception("Only installing zip version of glassfish")

        # Install the start script
        # It's possible to do this from glassfish with "asadmin create-service",
        # but our own script is a little bit better. It creates startup log files
        # and has a better "start user" functionality.
        if (not os.access("/etc/init.d/" + GLASSFISH_VERSION, os.F_OK)):
            x("cp " + app.SYCO_PATH + "var/glassfish/" + GLASSFISH_VERSION +
              " /etc/init.d/" + GLASSFISH_VERSION)
            x("chmod 0755 " + "/etc/init.d/" + GLASSFISH_VERSION)
            x("/sbin/chkconfig --add " + GLASSFISH_VERSION)
            x("/sbin/chkconfig --level 3 " + GLASSFISH_VERSION + " on")

            # The init script template carries ${MYSQL_PRIMARY}/${MYSQL_SECONDARY}
            # placeholders for the database master IPs.
            scOpen("/etc/init.d/" + GLASSFISH_VERSION).replace(
                "${MYSQL_PRIMARY}",
                config.general.get_mysql_primary_master_ip())
            scOpen("/etc/init.d/" + GLASSFISH_VERSION).replace(
                "${MYSQL_SECONDARY}",
                config.general.get_mysql_secondary_master_ip())

    # Post-conditions: the default domain and the init script must exist.
    if (not os.access(GLASSFISH_DOMAINS_PATH + "domain1/config/domain.xml",
                      os.F_OK)):
        raise Exception("Failed to install " + GLASSFISH_INSTALL_PATH)

    if (not os.access("/etc/init.d/" + GLASSFISH_VERSION, os.F_OK)):
        raise Exception("Failed to install /etc/init.d/" + GLASSFISH_VERSION)
def setup_crontab():
    '''
    Drop the ClamAV scan script into /etc/cron.daily and make it runnable.

    ${ADMIN_EMAIL} inside the copied viruscan.sh is replaced with the
    admin address from the general config.

    '''
    app.print_verbose("Setup crontab")
    admin_email = config.general.get_admin_email()
    cron_dir = "/etc/cron.daily/"
    script = cron_dir + "viruscan.sh"

    x("cp %s/clam/viruscan.sh %s" % (app.SYCO_VAR_PATH, cron_dir))
    scOpen(script).replace("${ADMIN_EMAIL}", admin_email)

    # https://redmine.fareoffice.com/issues/61041
    x("/bin/chmod 0755 " + script)
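def enable_ip_forward(enable=1):
    '''
    Control IP packet forwarding: persist the setting in /etc/sysctl.conf
    and apply it to the running kernel.

    Args:
        enable: 1 (default) to enable forwarding, 0 to disable it. The value
            is normalised with int() and must end up as 0 or 1 -- it is
            written to sysctl.conf and interpolated into a shell command, so
            anything else is refused rather than passed through.

    Raises:
        ValueError: if ``enable`` is not interpretable as 0 or 1.
    '''
    try:
        flag = int(enable)
    except (TypeError, ValueError):
        raise ValueError("enable must be 0 or 1, got %r" % (enable,))
    if flag not in (0, 1):
        raise ValueError("enable must be 0 or 1, got %r" % (enable,))

    scOpen("/etc/sysctl.conf").replace_add(
        "^net.ipv4.ip_forward.*$", "net.ipv4.ip_forward = {0}".format(flag)
    )
    x("/sbin/sysctl -w net.ipv4.ip_forward={0}".format(flag))

    # Flush settings.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")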
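def install_auditd():
    """
    Enable auditd and apply the CIS 5.3 auditing configuration.

    Installs the syco audit.rules, restricts the audit log directory and
    configuration files to root, sets the auditd.conf storage and disk-full
    policy, appends ``audit=1`` to every kernel line in /etc/grub.conf so
    processes started before auditd are audited, and restarts the service.

    The auditd.conf patterns are raw strings: they contain backslash
    sequences meant for the regex engine, which are not valid Python
    escapes and only worked in plain strings by accident.
    """
    app.print_verbose("Install auditd.")
    #
    # Setup auditd rules
    #
    app.print_verbose("CIS 5.3 Configure System Accounting (auditd)")

    app.print_verbose("CIS 5.3.1 Enable auditd Service")
    x("chkconfig auditd on")

    app.print_verbose("Added our own audit.rules")
    # NOTE(review): the test returns non-zero when the file is absent; if
    # x() treats that as an error this fails on a fresh host -- confirm.
    x("[ -f '/etc/audit/audit.rules' ] && rm /etc/audit/audit.rules")
    # No separator is added here, so app.SYCO_VAR_PATH must end with "/".
    x("cp %shardening/audit.rules /etc/audit/audit.rules" % app.SYCO_VAR_PATH)
    x("chmod 700 /var/log/audit/")
    x("chmod 700 /etc/audit/audit.rules")

    #
    # Harding audit.conf file
    #
    auditd = scOpen("/etc/audit/auditd.conf")

    app.print_verbose("CIS 5.3.2.1 Configure Audit Log Storage Size")
    auditd.replace_add(r"^max_log_file[\s]*\=.*", "max_log_file = 50")

    app.print_verbose("CIS 5.3.2.2 Disable System on Audit Log Full")
    auditd.replace_add(r"^space_left_action[\s]*\=.*",
                       "space_left_action = email")
    auditd.replace_add(r"^action_mail_acct[\s]*\=.*", "action_mail_acct = root")
    auditd.replace_add(r"^admin_space_left_action[\s]*\=.*",
                       "admin_space_left_action = halt")

    app.print_verbose("CIS 5.3.2.3 Keep All Auditing Information")
    auditd.replace_add(r"^max_log_file_action[\s]*\=.*",
                       "max_log_file_action = keep_logs")

    app.print_verbose("Extra auditd configs")
    auditd.replace_add(r"^num_logs[\s]*\=.*", "num_logs = 99")
    auditd.replace_add(r"^space_left[\s]*\=.*", "space_left = 125")
    auditd.replace_add(r"^admin_space_left[\s]*\=.*", "admin_space_left = 75")

    x("chmod 700 /etc/audit/auditd.conf")

    #
    app.print_verbose(
        "CIS 5.3.3 Enable Auditing for Processes That Start Prior to auditd")
    # Every non-comment line containing "kernel" gets audit=1 appended.
    grub = scOpen("/etc/grub.conf")
    grub.add_to_end_of_line("^[^#]*kernel", "audit=1")

    #
    # Restarting service
    #
    x("service auditd restart")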
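def setup_clam_and_freshclam():
    """
    Write the clamd and freshclam configuration and wire up proxy support.

    Both config files are regenerated from the shipped ``.sample`` files on
    every run (local edits to /usr/local/etc/clamd.conf and freshclam.conf
    do not survive) and then edited key by key. clamd listens on TCP 3310
    bound to 127.0.0.1 only plus a local socket, runs as ``clamav`` and logs
    to /var/log/clamav.

    Two fixes to the original patterns: they are raw strings, because the
    sed-style optional-comment escape they use is not a valid Python escape;
    and keys that take a value are anchored with a trailing space. The bare
    prefix match was wrong in this very block -- the ``LogFile`` pattern also
    matched the ``LogFileMaxSize`` line written just before it -- and for
    any other key that is a prefix of a longer option (``LocalSocket`` vs
    the LocalSocketGroup/LocalSocketMode options in newer samples, TODO
    confirm for the installed version).

    The augeas lens is installed and /etc/freshclam.conf symlinked to the
    real file so the HTTP proxy settings can be applied through augeas when
    a proxy host and port are configured.

    NOTE(review): the mirror is pinned to the regional name
    ``db.northeu.clamav.net``; the older revision of this function used
    ``database.clamav.net``. Confirm the regional name still serves updates
    before relying on it.
    """
    app.print_verbose("Setup clamav and freshclam")

    app.print_verbose("  Setup config files.")
    # Start from the pristine sample on every run; this clobbers local edits.
    x("cp /usr/local/etc/clamd.conf.sample /usr/local/etc/clamd.conf")
    clamd = scOpen("/usr/local/etc/clamd.conf")
    clamd_settings = [
        (r"^[#]\?Example.*",             "#Example"),
        (r"^[#]\?LogFileMaxSize .*",     "LogFileMaxSize 100M"),
        (r"^[#]\?LogFile .*",            "LogFile /var/log/clamav/clamd.log"),
        (r"^[#]\?LogTime .*",            "LogTime yes"),
        (r"^[#]\?LogSyslog .*",          "LogSyslog yes"),
        (r"^[#]\?TCPSocket .*",          "TCPSocket 3310"),
        (r"^[#]\?TCPAddr .*",            "TCPAddr 127.0.0.1"),
        (r"^[#]\?ExcludePath.*/proc.*",  "ExcludePath ^/proc"),
        (r"^[#]\?ExcludePath.*/sys.*",   "ExcludePath ^/sys"),
        (r"^[#]\?User .*",               "User clamav"),
        (r"^[#]\?LocalSocket .*",        "LocalSocket /var/run/clamav/clamd.socket"),
        (r"^[#]\?PidFile .*",            "PidFile /var/run/clamav/clamd.pid"),
        (r"^[#]\?DatabaseDirectory .*",  "DatabaseDirectory /var/lib/clamav"),
    ]
    # Order matters only in that it matches the original; each pattern now
    # matches exactly one option name.
    for pattern, line in clamd_settings:
        clamd.replace(pattern, line)

    x("cp /usr/local/etc/freshclam.conf.sample /usr/local/etc/freshclam.conf")
    freshclam = scOpen("/usr/local/etc/freshclam.conf")
    freshclam_settings = [
        (r"^[#]\?Example.*",             "#Example"),
        (r"^[#]\?LogFileMaxSize .*",     "LogFileMaxSize 100M"),
        (r"^[#]\?LogTime .*",            "LogTime yes"),
        (r"^[#]\?LogSyslog .*",          "LogSyslog yes"),
        (r"^[#]\?DatabaseOwner .*",      "DatabaseOwner clamav"),
        (r"^[#]\?PidFile .*",            "PidFile /var/run/clamav/freshclam.pid"),
        (r"^[#]\?DatabaseMirror .*",     "DatabaseMirror db.northeu.clamav.net"),
        (r"^[#]\?UpdateLogFile .*",      "UpdateLogFile /var/log/clamav/freshclam.log"),
        (r"^[#]\?DatabaseDirectory .*",  "DatabaseDirectory /var/lib/clamav"),
    ]
    for pattern, line in freshclam_settings:
        freshclam.replace(pattern, line)

    #TODO: Change replace statements above to augeas since that tends to be more stable.
    app.print_verbose("  Install augeas and add clam lens that is not available on CentOS 6")
    x("yum install -y augeas")
    x("cp %s/augeas/lenses/clamav.aug /usr/share/augeas/lenses/dist/" % app.SYCO_VAR_PATH)

    # Help augeas find freshclam.conf: it only looks at /etc/freshclam.conf,
    # so make that a symlink to the real file unless it already is one.
    if x("readlink /etc/freshclam.conf").find("/usr/local/etc/freshclam.conf") == -1:
        x("rm -f /etc/freshclam.conf")
        x("ln -s /usr/local/etc/freshclam.conf /etc/")

    # Initialize augeas
    augeas = Augeas(x)

    if config.general.get_proxy_host() and config.general.get_proxy_port():
        app.print_verbose("  Configure proxy for freshclam")
        augeas.set_enhanced("/files/etc/freshclam.conf/HTTPProxyPort", "%s" % config.general.get_proxy_port())
        augeas.set_enhanced("/files/etc/freshclam.conf/HTTPProxyServer", "%s" % config.general.get_proxy_host())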
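def setup_hosts():
    '''
    Communication with the LDAP-server needs to be done with domain name, and not
    the ip. This ensures the dns-name is configured.

    Removes any existing /etc/hosts entry for the LDAP server IP and adds
    "<ip> <ldap hostname>".

    The pattern for the old entry escapes the dots in the IP and requires a
    space or tab right after it. The original ``^<ip>.*`` was a prefix match
    with unescaped dots, so configuring 10.0.0.1 would also have removed the
    lines for 10.0.0.10 and 10.0.0.100.

    '''
    ldap_ip = config.general.get_ldap_server_ip()
    ldap_host = config.general.get_ldap_hostname()

    # A literal tab (not a backslash escape) keeps the character class
    # portable across regex dialects.
    entry_pattern = '^' + ldap_ip.replace('.', '\\.') + '[ \t].*'

    hosts = scOpen('/etc/hosts')
    hosts.remove(entry_pattern)
    hosts.add('%s %s' % (ldap_ip, ldap_host))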
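def configure_client_cert_for_ldaptools():
    '''
    Configure the client cert to be used by ldaptools (ldapsearch etc.).

    This is done by setting environment variables for all users in /etc/profile:
    LDAPTLS_CERT and LDAPTLS_KEY both point at /etc/openldap/cacerts/client.pem,
    i.e. certificate and private key are expected in one combined PEM file.

    NOTE(review): the variables are exported system-wide, so every login
    user's ldap tools will try to read that PEM file. Who can actually use
    the key is decided by the file's own permissions, which this function
    does not set -- confirm they are restricted.

    The remove() pattern is a raw string: it uses backslash alternation
    meant for the regex engine, which is not a valid Python escape.

    '''
    profile = scOpen("/etc/profile")
    profile.remove(
        r"^LDAPTLS_CERT.*\|^LDAPTLS_KEY.*\|export LDAPTLS_CERT LDAPTLS_KEY.*")
    profile.add("\n".join([
        "LDAPTLS_CERT=/etc/openldap/cacerts/client.pem",
        "LDAPTLS_KEY=/etc/openldap/cacerts/client.pem",
        "export LDAPTLS_CERT LDAPTLS_KEY",
    ]))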
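def setup_hosts():
    '''
    Communication with the LDAP-server needs to be done with domain name, and not
    the ip. This ensures the dns-name is configured.

    Any existing /etc/hosts line for the LDAP server IP is removed and
    "<ip> <ldap hostname>" is added.

    Bug fixed: the removal pattern used the raw IP followed by ".*", which is
    a prefix match with the dots acting as wildcards -- for 10.0.0.1 it also
    matched the 10.0.0.10 and 10.0.0.100 entries. The dots are now escaped
    and the IP must be followed by a space or tab.

    '''
    server_ip = config.general.get_ldap_server_ip()
    # Literal tab in the class so the pattern works in any regex dialect.
    stale_entry = '^' + server_ip.replace('.', '\\.') + '[ \t].*'
    scOpen('/etc/hosts').remove(stale_entry)
    scOpen('/etc/hosts').add(
        '%(ldap_ip)s %(domain_name)s' % {
            'ldap_ip' : server_ip,
            'domain_name' : config.general.get_ldap_hostname()
        }
    )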
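def del_kvm_chain():
    """
    Remove the iptables "kvm" chain and turn IP forwarding off.

    Detaches the kvm chain from syco_forward, flushes and deletes it, then
    disables net.ipv4.ip_forward persistently (sysctl.conf) and in the
    running kernel. The original only rewrote sysctl.conf and flushed the
    route caches, which leaves forwarding enabled until the next reboot or
    ``sysctl -p``; the explicit ``sysctl -w`` mirrors enable_ip_forward()
    and makes the change take effect immediately.
    """
    app.print_verbose("Delete iptables chain for kvm")
    iptables("-D syco_forward  -p ALL -j kvm", general.X_OUTPUT_CMD)
    iptables("-F kvm", general.X_OUTPUT_CMD)
    iptables("-X kvm", general.X_OUTPUT_CMD)

    # Controls IP packet forwarding -- persist it, then apply it now.
    scOpen("/etc/sysctl.conf").replace_add("^net.ipv4.ip_forward.*$",
                                           "net.ipv4.ip_forward = 0")
    x("/sbin/sysctl -w net.ipv4.ip_forward=0")

    # Flush settings.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")
    x("/sbin/sysctl -w net.ipv6.route.flush=1")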
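def setup_kernel():
    """
    Apply the kernel network hardening settings from hardening/config.cfg.

    Every option in the [network] section of
    <SYCO_VAR_PATH>/hardening/config.cfg is written into /etc/sysctl.conf
    with replace_add (replace the existing line for that key, else append).
    ConfigParser lower-cases option names, so keys in config.cfg must already
    be in sysctl's (lower-case) spelling.

    The match pattern escapes the dots in the key and requires a space, tab
    or "=" right after it. The original ``^<key>.*$`` was a prefix match with
    wildcard dots, so a key that is a prefix of another sysctl name would
    have overwritten the longer key's line.

    Only the route caches are flushed afterwards; the new values are not
    loaded into the running kernel (no ``sysctl -p``) and apply at next boot.
    """
    app.print_verbose("Help kernel to prevent certain kinds of attacks")
    # Named 'hardening' rather than 'config' so the module-level config used
    # elsewhere in this file is not shadowed.
    hardening = ConfigParser.SafeConfigParser()
    hardening.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)

    # Harden network config
    sysctl_conf = scOpen("/etc/sysctl.conf")
    for setting in hardening.options('network'):
        key_pattern = "^" + setting.replace(".", "\\.") + "[ \t=].*$"
        sysctl_conf.replace_add(key_pattern, hardening.get('network', setting))

    # Flush settings.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")
    x("/sbin/sysctl -w net.ipv6.route.flush=1")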
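def setup_crontab():
    '''
    Install the nightly ClamAV scan as a /etc/cron.d job.

    Copies viruscan.sh to /opt/scripts, fills in the admin e-mail the script
    reports to, writes a cron.d entry that runs it as root at 03:00 every
    day, and makes the script executable.

    ``mkdir -p`` replaces the bare ``mkdir`` of the original, which exits
    non-zero once /opt/scripts exists and so broke re-runs of this setup.
    '''
    app.print_verbose("Setup crontab")
    script_dir = "/opt/scripts"
    script_path = script_dir + "/viruscan.sh"

    x("mkdir -p " + script_dir)
    x("cp %s/clam/viruscan.sh %s/" % (app.SYCO_VAR_PATH, script_dir))
    scOpen(script_path).replace(
        "${ADMIN_EMAIL}", config.general.get_admin_email())

    # The separator before "root" is a literal tab, as in the original entry.
    x("echo '0 3 * * *\troot /opt/scripts/viruscan.sh' > /etc/cron.d/viruscan")

    x("/bin/chmod 0755 " + script_path)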
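def _configure_keepalived():
    """
    * Keepalived needs the possibility to bind on non local addresses.
    * It will replace the variables in the config file with the hostname.
    * It is not environment dependent and can be installed on any server.

    Fixes relative to the original: net.ipv4.ip_nonlocal_bind is persisted
    with replace_add instead of ``echo >>``, which appended a duplicate line
    on every run; the setting is loaded with ``sysctl -p`` before keepalived
    is restarted, since keepalived needs it right away (the other revisions
    of this function do the same); and chkconfig gets "on" without the
    stray leading space.
    """
    scopen.scOpen("/etc/sysctl.conf").replace_add(
        "^net.ipv4.ip_nonlocal_bind.*$", "net.ipv4.ip_nonlocal_bind = 1")
    x("sysctl -p")

    # NOTE(review): on a re-run this overwrites org.keepalived.conf with the
    # syco-generated file, so the distro original is preserved only once.
    x("mv {0}keepalived.conf {1}org.keepalived.conf".format(KEEPALIVED_CONF_DIR, KEEPALIVED_CONF_DIR))
    x("cp {0}var/redis/keepalived.conf {1}keepalived.conf".format(SYCO_FO_PATH, KEEPALIVED_CONF_DIR))
    scopen.scOpen(KEEPALIVED_CONF_DIR + "keepalived.conf").replace("${REDIS_SERVER_NAME_UP}", socket.gethostname().upper())
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")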
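def _configure_keepalived():
    '''
    * Keepalived needs the possibility to bind on non local addresses.
    * It will replace the variables in the config file with the hostname.
    * It is not environment dependent and can be installed on any server.

    net.ipv4.ip_nonlocal_bind is persisted with replace_add rather than
    ``echo >>``: the original appended a fresh copy of the line to
    /etc/sysctl.conf on every run.
    '''
    scopen.scOpen("/etc/sysctl.conf").replace_add(
        "^net.ipv4.ip_nonlocal_bind.*$", "net.ipv4.ip_nonlocal_bind = 1")
    x("sysctl -p")

    # NOTE(review): a re-run overwrites org.keepalived.conf with the previous
    # syco-generated file, so the distro original survives only the first run.
    x("mv {0}keepalived.conf {0}org.keepalived.conf".format(KA_CONF_DIR))
    x("cp {0}/{1}.keepalived.conf {2}keepalived.conf".format(SYCO_PLUGIN_PATH, HAPROXY_ENV, KA_CONF_DIR))

    # Fill in the host name placeholders (upper- and lower-case variants).
    ka_conf = scopen.scOpen(KA_CONF_DIR + "keepalived.conf")
    ka_conf.replace("${KA_SERVER_NAME_UP}", socket.gethostname().upper())
    ka_conf.replace("${KA_SERVER_NAME_DN}", socket.gethostname().lower())

    _chkconfig("keepalived","on")
    _service("keepalived","restart")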
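def disable_singel_user_mode():
	'''
	Require authentication for single user mode.

	Without this a user with console access can boot the server into
	"recovery mode" and change passwords. The function:

	* comments out the id:3:initdefault: line in /etc/inittab and adds
	  ~~:S:wait:/sbin/sulogin so runlevel S prompts for the root password;
	* sets PROMPT=no in /etc/sysconfig/init to disable the interactive
	  hotkey startup.

	NOTE(review): commenting out initdefault means the boot runlevel falls
	back to whatever the init system's built-in default is -- confirm that
	is intended rather than a side effect.

	The initdefault pattern is a raw string: it contains a backslash escape
	meant for the regex engine, which is not a valid Python escape.

	'''
	app.print_verbose("Enable Authentication for Single-User Mode")
	inittab = scOpen("/etc/inittab")
	inittab.replace_add(r"^([\#]?)id:3:initdefault:",  "#id:3:initdefault:")
	inittab.replace_add("^~~:S:wait:/sbin/sulogin.*", "~~:S:wait:/sbin/sulogin")

	app.print_verbose("Disable Interactive Hotkey Startup at Boot")
	scOpen("/etc/sysconfig/init").replace_add("^PROMPT.*", "PROMPT=no")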
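def _configure_keepalived():
    """
    * Keepalived needs the possibility to bind on non local addresses.
    * It will replace the variables in the config file with the hostname.
    * It is not environment dependent and can be installed on any server.

    The sysctl setting is written with replace_add instead of ``echo >>``;
    the original appended a duplicate net.ipv4.ip_nonlocal_bind line to
    /etc/sysctl.conf each time it ran.
    """
    scopen.scOpen("/etc/sysctl.conf").replace_add(
        "^net.ipv4.ip_nonlocal_bind.*$", "net.ipv4.ip_nonlocal_bind = 1")
    x("sysctl -p")

    # NOTE(review): re-running overwrites org.keepalived.conf with the last
    # generated config, so the distro original is only kept from the first run.
    x("mv {0}keepalived.conf {0}org.keepalived.conf".format(KA_CONF_DIR))
    x("cp {0}/{1}.keepalived.conf {2}keepalived.conf".format(SYCO_PLUGIN_PATH, ka_env, KA_CONF_DIR))

    hostname = socket.gethostname()
    keepalived_conf = scopen.scOpen(KA_CONF_DIR + "keepalived.conf")
    keepalived_conf.replace("${KA_SERVER_NAME_UP}", hostname.upper())
    keepalived_conf.replace("${KA_SERVER_NAME_DN}", hostname.lower())

    _chkconfig("keepalived","on")
    _service("keepalived","restart")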
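def setup_kernel():
    """
    Write the [network] hardening settings from hardening/config.cfg into
    /etc/sysctl.conf.

    Each option becomes a replace_add on sysctl.conf: an existing line for
    the key is replaced, otherwise the value is appended. ConfigParser
    lower-cases option names, so the keys in config.cfg must use sysctl's
    own (lower-case) spelling.

    The key pattern has its dots escaped and must be followed by a space,
    tab or "=". The original ``^<key>.*$`` matched any line starting with
    the key (dots as wildcards), so a key that is a prefix of a longer
    sysctl name clobbered the longer key's line.

    Only the route caches are flushed; values are not loaded into the
    running kernel (no ``sysctl -p``).
    """
    app.print_verbose("Help kernel to prevent certain kinds of attacks")
    # Not called 'config' to avoid shadowing the module-level config object.
    hardening_cfg = ConfigParser.SafeConfigParser()
    hardening_cfg.read('%s/hardening/config.cfg' % app.SYCO_VAR_PATH)

    # Harden network config
    for setting in hardening_cfg.options('network'):
        escaped_key = setting.replace(".", "\\.")
        scOpen("/etc/sysctl.conf").replace_add(
            "^" + escaped_key + "[ \t=].*$", hardening_cfg.get('network', setting)
        )

    # Flush settings.
    x("/sbin/sysctl -w net.ipv4.route.flush=1")
    x("/sbin/sysctl -w net.ipv6.route.flush=1")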
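def disable_ip6_support():
    """
    Disable IPv6 on the host.

    Persistently: blacklists the ipv6 module via /etc/modprobe.d/syco.conf
    and sets NETWORKING_IPV6=no. At runtime: if the lsmod probe reports the
    module as loaded, the disable_ipv6 sysctls are set so the change takes
    effect without a reboot.

    The lsmod probe yields an empty string when the module is not loaded;
    the original passed that straight to int() and raised ValueError on
    every host that already had IPv6 off, so the output is checked first.
    """
    app.print_verbose("Disable IP6 support")
    modprobe = scOpen("/etc/modprobe.d/syco.conf")
    modprobe.replace_add("^options ipv6.*", "options ipv6 disable=1")
    modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")

    network = scOpen("/etc/sysconfig/network")
    network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")

    # Disable ipv6 if module is already loaded.
    # NOTE(review): taking column 21 of the space-split lsmod line is a
    # fragile way to read the module's use count (presumably what "== 1"
    # tests); it depends on lsmod's exact column padding.
    module_probe = x('lsmod | grep ipv6 |cut -f21 -d" "').strip()
    if module_probe.isdigit() and int(module_probe) == 1:
        x("/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1")
        x("/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1")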
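def configured_sudo():
    """
    Point sudo at the LDAP sudoers tree.

    Makes nsswitch look up sudoers in LDAP first (falling back to files),
    rewrites /etc/ldap.conf with the LDAPS URI, base DN, client certificate
    and the cn=sssd bind DN/password, then copies it to /etc/sudo-ldap.conf
    (0440 root:root) because sudo reads its own LDAP config file.

    NOTE(review): /etc/ldap.conf is created 0644 and then filled with the
    sssd bind password (the ``bindpw`` line), so that password is readable
    by every local user; only the sudo-ldap.conf copy is locked down. Unless
    a non-root consumer of /etc/ldap.conf is known, it should be 0600 -- or
    the bindpw should only be written to the restricted copy. TODO confirm
    against the nss/pam setup on these hosts before tightening.

    The remove() pattern is a raw string: it uses backslash alternation
    meant for the regex engine, which is not a valid Python escape.
    """
    nsswitch = scOpen("/etc/nsswitch.conf")
    nsswitch.remove("^sudoers.*")
    nsswitch.add("sudoers: ldap files")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 644 /etc/ldap.conf")

    ldap_dn = config.general.get_ldap_dn()
    ldap_conf = scOpen("/etc/ldap.conf")
    # Drop any previous values for the keys we are about to write.
    ldap_conf.remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|"
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
    ldap_conf.add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # SUDO now uses its own ldap config file.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")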
def _configure_haproxy_state(state):
    """
    Fill in the ${TCSTATE} and ${AVSTATE} placeholders in HAPROXY_CONF.

    With ``state == 'active'`` the AV placeholder becomes 'backup' and TC
    stays primary (empty); for any other value the roles are swapped.
    """
    is_active = (state == 'active')
    tc_state = '' if is_active else 'backup'
    av_state = 'backup' if is_active else ''

    haproxy_conf = scopen.scOpen(HAPROXY_CONF)
    haproxy_conf.replace("${TCSTATE}", tc_state)
    haproxy_conf.replace("${AVSTATE}", av_state)
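def disable_ip6_support():
  """
  Disable IPv6 on the host.

  Persists the change (ipv6 module disabled in /etc/modprobe.d/syco.conf,
  NETWORKING_IPV6=no in /etc/sysconfig/network) and, when the lsmod probe
  says the module is currently loaded, sets the disable_ipv6 sysctls so the
  running kernel stops using IPv6 too.

  Bug fixed: when the module is not loaded the probe returns an empty
  string, which the original fed to int() -- a ValueError on any host that
  already had IPv6 off. The output is now validated before conversion.
  """
  app.print_verbose("Disable IP6 support")
  modprobe = scOpen("/etc/modprobe.d/syco.conf")
  modprobe.replace_add("^options ipv6.*",    "options ipv6 disable=1")
  modprobe.replace_add("^alias net-pf-10 off$", "alias net-pf-10 off")

  network = scOpen("/etc/sysconfig/network")
  network.replace_add("^NETWORKING_IPV6=.*$", "NETWORKING_IPV6=no")

  # Disable ipv6 if module is already loaded.
  # NOTE(review): column 21 of the space-split lsmod line is a fragile
  # probe; it relies on lsmod's exact padding. Presumably the use count.
  probe = x('lsmod | grep ipv6 |cut -f21 -d" "').strip()
  if probe.isdigit() and int(probe) == 1:
    x("/sbin/sysctl -w net.ipv6.conf.default.disable_ipv6=1")
    x("/sbin/sysctl -w net.ipv6.conf.all.disable_ipv6=1")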
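def configured_sudo():
    """
    Point sudo (and, via the CentOS 6.2 workaround, nslcd) at LDAP.

    Sets ``sudoers: ldap files`` in nsswitch and rewrites /etc/ldap.conf
    with the LDAPS URI, base DN, client certificate paths, sudoers base and
    the cn=sssd bind DN/password; the file is then copied to /etc/nslcd.conf.

    NOTE(review): /etc/ldap.conf is created 0644 and then gets the sssd bind
    password on its ``bindpw`` line, so the password is readable by every
    local user, and the plain ``cp`` to /etc/nslcd.conf produces a second
    world-readable copy. Unless a non-root consumer needs these files they
    should be 0600 root:root -- TODO confirm with the nss/pam setup on these
    hosts before tightening.

    The remove() pattern is a raw string: it uses backslash alternation
    meant for the regex engine, which is not a valid Python escape.
    """
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    x("chmod 644 /etc/ldap.conf")

    ldap_hostname = config.general.get_ldap_hostname()
    ldap_dn = config.general.get_ldap_dn()
    ldap_conf = scOpen("/etc/ldap.conf")
    # Clear any earlier values for the keys written below.
    ldap_conf.remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|"
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*"
    )
    ldap_conf.add(
        "uri ldaps://" + ldap_hostname + "\n" +
        "base " + ldap_dn + "\n" +
        "ssl on\n" +
        "tls_cacertdir /etc/openldap/cacerts\n" +
        "tls_cert /etc/openldap/cacerts/client.pem\n" +
        "tls_key /etc/openldap/cacerts/client.pem\n" +
        "sudoers_base ou=SUDOers," + ldap_dn + "\n" +
        "binddn cn=sssd," + ldap_dn + "\n" +
        "bindpw " + app.get_ldap_sssd_password()
    )

    # Needed to fix a bug in Centos 6.2, will be fixed in 6.3.
    # https://bugzilla.redhat.com/show_bug.cgi?id=760843
    x("cp /etc/ldap.conf /etc/nslcd.conf")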
def _configure_haproxy_state():
    """
    Resolve the ${TCSTATE}/${AVSTATE} placeholders in HAPROXY_CONF from
    haproxy_state().

    'active' marks the AV side as 'backup' and leaves TC primary; any other
    state marks TC as 'backup' and leaves AV primary.
    """
    if haproxy_state() == 'active':
        tc_value, av_value = '', 'backup'
    else:
        tc_value, av_value = 'backup', ''

    scopen.scOpen(HAPROXY_CONF).replace("${TCSTATE}", tc_value)
    scopen.scOpen(HAPROXY_CONF).replace("${AVSTATE}", av_value)