def install_sssd(args):
    """
    Install ldap client on current host and connect to networks ldap server.

    Guarded by version.Version so it runs once per SCRIPT_VERSION. Step order
    matters: the sssd bind password is collected first, the LDAP iptables
    chain is added and saved, the script waits until the LDAP server answers
    on port 636, certificates are installed, and only then is the sssd/sudo
    configuration written through Augeas.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Get all passwords from installation user at the start of the script.
    app.get_ldap_sssd_password()

    install_packages()

    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    # Block until the LDAP server accepts connections on the LDAPS port.
    ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ip, "636")

    install_certs()

    # For some reason it needs to be executed twice.
    authconfig()
    authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    # The Augeas wrapper is handed x() as its command runner (presumably it
    # shells out through it; verify in the Augeas helper).
    augeas = Augeas(x)
    create_sss_folders()
    configure_sssd(augeas)
    configure_sudo(augeas)

    version_obj.mark_executed()
def install_sssd(args):
    '''
    Install ldap client on current host and connect to networks ldap server.

    Guarded by version.Version so it runs once per SCRIPT_VERSION. Step order
    matters: the sssd bind password is collected first, the LDAP iptables
    chain is added and saved, the script waits until the LDAP server answers
    on port 636, certificates are installed, and only then are sssd.conf and
    the sudo LDAP client config rewritten (configured_sssd/configured_sudo).

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    '''
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Get all passwords from installation user at the start of the script.
    app.get_ldap_sssd_password()

    install_packages()

    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    # Block until the LDAP server accepts connections on the LDAPS port.
    ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ip, "636")

    install_certs()

    # For some reason it needs to be executed twice.
    authconfig()
    authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    configured_sssd()
    configured_sudo()

    version_obj.mark_executed()
def install_git_server(args):
  """
  Install a git server: git itself, the repository layout, gitweb/cgit and
  an Apache front end with LDAP authentication.

  Guarded by version.Version so it runs once per SCRIPT_VERSION.

  Args:
      args: command-line arguments handed over by the dispatcher; unused here.
  """
  app.print_verbose("Install Git-Server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallGit", SCRIPT_VERSION)
  version_obj.check_executed()

  # Get all passwords from installation user at the start of the script.
  app.get_ldap_sssd_password()
  
  x("yum -y install git")

  setup_git_user()

  setup_repo_folder()
  create_empty_test_repo()
  set_permission_on_repos()

  # Deny user git to login on SSH: git-shell only allows git commands,
  # not an interactive session.
  x("usermod --shell /usr/bin/git-shell git")

  install_gitweb()
  install_cgit()

  # Configure apache: vhost from the syco tree, then certificates and LDAP
  # auth (the helpers are defined elsewhere in this file).
  x("cp " + app.SYCO_PATH + "var/git/git.conf /etc/httpd/conf.d/git.conf")
  _install_httpd_certificates()
  _setup_ldap_auth()
  x("/etc/init.d/httpd restart")

  # Install startpage
  shutil.copy(app.SYCO_PATH + "var/git/index.html", "/var/www/html/index.html")

  version_obj.mark_executed()
def install_git_server(args):
    """
    Install a git server: git itself, the repository layout, gitweb/cgit and
    an Apache front end with LDAP authentication.

    Guarded by version.Version so it runs once per SCRIPT_VERSION.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    """
    app.print_verbose("Install Git-Server version: %d" % SCRIPT_VERSION)
    tracker = version.Version("InstallGit", SCRIPT_VERSION)
    tracker.check_executed()

    # Collect the sssd bind password from the installing user before any work.
    app.get_ldap_sssd_password()

    x("yum -y install git")
    setup_git_user()

    setup_repo_folder()
    create_empty_test_repo()
    set_permission_on_repos()

    # git-shell only accepts git commands, so the git account gets no
    # interactive SSH login.
    x("usermod --shell /usr/bin/git-shell git")

    install_gitweb()
    install_cgit()

    # Apache: vhost from the syco tree, certificates, LDAP auth, restart.
    git_var = app.SYCO_PATH + "var/git/"
    x("cp %sgit.conf /etc/httpd/conf.d/git.conf" % git_var)
    _install_httpd_certificates()
    _setup_ldap_auth()
    x("/etc/init.d/httpd restart")

    # Landing page served from the document root.
    shutil.copy(git_var + "index.html", "/var/www/html/index.html")

    tracker.mark_executed()
def _install_icinga(args):
    '''
    Install the three parts of icinga: icinga core, icinga web and PNP4Nagios.

    Icinga core installs the icinga poller (basically an exact fork of the
    Nagios poller, with SQL integration) plus a very simple GUI that is kept
    as a fallback in case the fancier GUI goes down. Icinga-web is the "bells
    and whistles" GUI: heavier, with "improved" looks and more functionality.

    Args:
        args: command-line arguments, forwarded to _install_icinga_core().
    '''
    # Initialize all used passwords before any installation step.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    # Core first: the web GUI needs the database password it hands back.
    db_password = _install_icinga_core(args)
    _install_icinga_web(db_password)
    _install_pnp4nagios()

    # Landing page.
    _install_http_index()

    # SELinux policy for the services installed above.
    _install_SELinux()

    # Bring every touched service up with its new configuration, in the
    # same order as before (ido2db before icinga).
    for service in ("ido2db", "nrpe", "icinga", "httpd"):
        x("service %s restart" % service)
def _install_icinga(args):
    '''
    The icinga-installation is divided into three parts - icinga core, icinga web and PNP4Nagios. Icinga core installs the icinga-poller (basically
    an exact fork of the Nagios poller except with SQL integration). Icinga-core also includes a very simple GUI that is kept as a backup
    in case the fancier GUI goes down for any reason. Icinga-web is the "bells and whistles" GUI which is heavier, with "improved" looks
    and more functionality.

    Args:
        args: command-line arguments, forwarded to _install_icinga_core().
    '''
    # Initialize all used passwords.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    # Install icinga poller, web-interface and graphing. The core install
    # returns the database password the web GUI needs.
    icinga_db_password = _install_icinga_core(args)
    _install_icinga_web(icinga_db_password)
    _install_pnp4nagios()

    # Install a http index
    _install_http_index()

    # Enable SELinux
    _install_SELinux()

    # Restart all services
    x("service ido2db restart")
    x("service nrpe restart")
    x("service icinga restart")
    x("service httpd restart")
def initialize_passwords():
    '''
    Get all passwords from installation user at the start of the script.

    Calls each getter exactly once, in order: CA password, LDAP admin
    password, then the sssd bind password.
    '''
    getters = (
        app.get_ca_password,
        app.get_ldap_admin_password,
        app.get_ldap_sssd_password,
    )
    for get_password in getters:
        get_password()
def initialize_passwords():
    '''
    Get all passwords from installation user at the start of the script.

    Calls each getter once, in order: CA password, LDAP admin password, then
    the sssd bind password.
    '''
    app.get_ca_password()
    app.get_ldap_admin_password()
    app.get_ldap_sssd_password()
def _install_nrpe(args):
    """
    The nrpe installation is quite standard . Except that the stock NRPE.conf
    is replaced with a prepped one. Server only listens to this IP. Not super
    safe but better than nothing. Also, argument parsing is _disabled_.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    # NOTE(review): no exclude is passed here; presumably install_packages()
    # handles it — confirm, the sibling variant passes --exclude=nagios-nrpe.
    app.print_verbose("Install required packages for NRPE")
    install_packages(
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")

    # Move object structure and prepare conf-file: the stock nrpe.d/nrpe.cfg
    # are dropped and replaced with the prepped copies from syco-private.
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(
        constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(
        constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE: the placeholder in nrpe.cfg becomes
    # the monitor server's address.
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall chain for NRPE on port 5666.
    # NOTE(review): NRPE talks TCP, so the original "UDP" wording looks wrong —
    # verify against iptables.add_nrpe_chain().
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
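def _install_nrpe(args):
    """
    The nrpe installation is quite standard . Except that the stock NRPE.conf
    is replaced with a prepped one. Server only listens to this IP. Not super
    safe but better than nothing. Also, argument parsing is _disabled_.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    # The package list is spread over adjacent string literals, so every
    # literal except the last must end with a space; the original dropped
    # the one after perl-Proc-ProcessTable and asked yum for a non-existent
    # "perl-Proc-ProcessTableperl-Date-Calc" package.
    x(
        "yum install -y nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable "
        "perl-Date-Calc policycoreutils-python --exclude=nagios-nrpe"
    )

    # Move object structure and prepare conf-file: the stock nrpe.d/nrpe.cfg
    # are dropped and replaced with the prepped copies from syco-private.
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE: the placeholder in nrpe.cfg becomes
    # the monitor server's address.
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall chain for NRPE on port 5666.
    # NOTE(review): NRPE talks TCP, so the original "UDP" wording looks wrong —
    # verify against iptables.add_nrpe_chain().
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")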
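def _install_nrpe_plugins():
    '''
    Install NRPE-plugins (to be executed remoteley) and SELinux-rules.

    Copies the syco plugin tree into the nagios plugin directory, fills the
    LDAP and MySQL credentials into nrpe.d/common.cfg, restricts the plugin
    directory to the nrpe user, and loads the bundled SELinux modules.
    '''
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* /usr/lib64/nagios/plugins/".format(constant.SYCO_PATH))

    # Set the sssd password
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    # NOTE(review): unlike $(SQLPASS) below, the LDAP password is not escaped
    # for the replacement; a password containing '&' or '/' would corrupt the
    # config — verify scOpen.replace's escaping rules.
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    # NOTE(review): this placeholder is spelled "($LDAPURL)" while the others
    # use "$(NAME)"; it only matches if common.cfg spells it the same way —
    # check the template before changing it.
    nrpe_config.replace("($LDAPURL)", config.general.get_ldap_hostname())

    # Plugins are readable/executable by the nrpe user only (750, nrpe:nrpe),
    # taking them away from icinga/nagios.
    x("chmod -R 750 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Set SELinux roles to allow NRPE execution of binaries such as python/perl/iptables
    # Corresponding .te-files summarize rule content
    x("mkdir -p /var/lib/syco_selinux_modules")
    rule_path_list = list_plugin_files("/var/nagios/selinux_rules")
    for path in rule_path_list:
        x("cp {0}/*.pp /var/lib/syco_selinux_modules/".format(path))
    x("semodule -i /var/lib/syco_selinux_modules/*.pp")

    # Set MySQL password, if running MySQL.
    # '&' and '/' are special on the replacement side of a sed-style
    # substitution, so they are backslash-escaped. Raw strings keep the
    # backslash literal instead of relying on the invalid-escape fallback
    # ("\&" is a SyntaxWarning on recent Pythons).
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace(
        "$(SQLPASS)",
        app.get_mysql_monitor_password().replace("&", r"\&").replace("/", r"\/"))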
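def configured_sudo():
    '''
    Point sudo at LDAP for its sudoers rules.

    Adds "sudoers: ldap files" to nsswitch.conf, rewrites the LDAP client
    settings in /etc/ldap.conf (server URI, base DN, TLS client certificate,
    sudoers base and the sssd bind credentials), then copies the result to
    /etc/sudo-ldap.conf, which sudo reads on its own.
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    # NOTE(review): /etc/ldap.conf stays world-readable (644) although the
    # sssd bind password is written into it below; only the sudo-ldap.conf
    # copy is locked down to 440. Check what else reads this file before
    # tightening the mode.
    x("chmod 644 /etc/ldap.conf")
    # Raw strings: the pattern is a sed alternation and the backslashes must
    # reach sed literally ("\|" is an invalid Python escape otherwise).
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|" +
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*"
    )
    ldap_dn = config.general.get_ldap_dn()
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # SUDO now uses its own ldap config file.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")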
def _reload_icinga(args, reload=True):
    '''
    Re-probes the network for running services and updates the icinga object
    structure.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
        reload: when true, tell the running icinga to re-read its config
            after the object structure has been rebuilt.
    '''
    # Initialize all used passwords.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    hosts = _get_host_list()
    _append_services_to_hostlist(hosts)
    _build_icinga_config(hosts)
    _install_server_plugins()

    if not reload:
        return
    x("service icinga reload")
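def configured_sssd():
    '''
    Rewrite /etc/sssd/sssd.conf for LDAPS with client-certificate auth and
    restart sssd.

    Every key is first removed (so re-runs do not duplicate it) and then
    inserted directly under the "[domain/default]" header; keys therefore end
    up in reverse insertion order, which sssd does not mind. The section
    headers are sed patterns, hence the raw strings: "\[" is an invalid
    Python escape and only worked through the fallback.
    '''
    conf = "/etc/sssd/sssd.conf"
    domain_header = r"\[domain/default\]"

    def insert_in_domain(lines):
        # Insert *lines* (newline-joined text) right after [domain/default].
        scOpen(conf).replace(domain_header, domain_header + "\n" + lines)

    # If the authentication provider is offline, specifies for how long to allow
    # cached log-ins (in days). This value is measured from the last successful
    # online log-in. If not specified, defaults to 0 (no limit).
    scOpen(conf).remove("^offline_credentials_expiration.*")
    x(r"sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf")

    # Enumeration means that the entire set of available users and groups on the
    # remote source is cached on the local machine. When enumeration is disabled,
    # users and groups are only cached as they are requested.
    scOpen(conf).remove("^enumerate=true")
    insert_in_domain("enumerate=true")

    # Configure client certificate auth; "demand" rejects the server if its
    # certificate cannot be verified.
    scOpen(conf).remove("^ldap_tls_cert.*")
    scOpen(conf).remove("^ldap_tls_key.*")
    scOpen(conf).remove("^ldap_tls_reqcert.*")
    insert_in_domain(
        "ldap_tls_cert = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_key = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_reqcert = demand")

    # Only users with this employeeType are allowed to login to this computer.
    scOpen(conf).remove("^access_provider.*")
    scOpen(conf).remove("^ldap_access_filter.*")
    insert_in_domain(
        "access_provider = ldap\n"
        "ldap_access_filter = (employeeType=Sysop)")

    # Login to ldap with a specified user. The bind password lands in
    # sssd.conf in clear text; this function does not set the file's mode.
    scOpen(conf).remove("^ldap_default_bind_dn.*")
    scOpen(conf).remove("^ldap_default_authtok_type.*")
    scOpen(conf).remove("^ldap_default_authtok.*")
    insert_in_domain("ldap_default_bind_dn = cn=sssd," + config.general.get_ldap_dn())
    insert_in_domain("ldap_default_authtok_type = password")
    insert_in_domain("ldap_default_authtok = " + app.get_ldap_sssd_password())

    # Need to change the modified date before restarting, to tell sssd to reload
    # the config file.
    x("touch /etc/sssd/sssd.conf")

    # Restart sssd and read in all new configs.
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")

    # Start sssd after reboot.
    x("chkconfig sssd on")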
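def configured_sudo():
    '''
    Point sudo at LDAP for its sudoers rules.

    Adds "sudoers: ldap files" to nsswitch.conf, rewrites the LDAP client
    settings in /etc/ldap.conf (server URI, base DN, TLS client certificate,
    sudoers base and the sssd bind credentials), then copies the result to
    /etc/nslcd.conf to work around a CentOS 6.2 bug.
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    # NOTE(review): /etc/ldap.conf stays world-readable (644) although the
    # sssd bind password is written into it below. Check what else reads
    # this file before tightening the mode.
    x("chmod 644 /etc/ldap.conf")
    # Raw strings: the pattern is a sed alternation and the backslashes must
    # reach sed literally ("\|" is an invalid Python escape otherwise).
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|" +
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*"
    )
    ldap_dn = config.general.get_ldap_dn()
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # Needed to fix a bug in Centos 6.2, will be fixed in 6.3.
    # https://bugzilla.redhat.com/show_bug.cgi?id=760843
    # NOTE(review): the copy carries the bind password and its mode is not
    # set here (cp creates it under the current umask) — verify.
    x("cp /etc/ldap.conf /etc/nslcd.conf")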
def _reload_icinga(args, reload=True):
    '''
    Re-probes the network for running services and updates the icinga object structure.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
        reload: when true, tell the running icinga to re-read its config
            after the object structure has been rebuilt.
    '''
    # Initialize all used passwords.
    app.init_mysql_passwords()
    app.get_ldap_sssd_password()

    # Discover hosts, attach their services, render the config, then install
    # the server-side plugins.
    hostList = _get_host_list()
    _append_services_to_hostlist(hostList)
    _build_icinga_config(hostList)
    _install_server_plugins()

    if reload:
        x("service icinga reload")
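def configure_sudo(augeas):
    """
    Point sudo at LDAP for its sudoers rules, via Augeas.

    Ensures nsswitch.conf has "sudoers: ldap files sss", writes the LDAP
    client settings (server URI, base DN, TLS client certificate, sudoers
    base and the sssd bind credentials) to /etc/ldap.conf, and copies that
    file to /etc/sudo-ldap.conf (mode 440), which sudo reads on its own.

    Args:
        augeas: Augeas wrapper exposing find_entry(path) and
            set_enhanced(path, value).
    """
    nsswitch_sudoers = "/files/etc/nsswitch.conf/database[. = 'sudoers']"
    # The database sudoers node doesn't appear to be insertable with a one
    # liner so we have to echo it in.
    if not augeas.find_entry(nsswitch_sudoers):
        x("echo \"sudoers: ldap files sss\" >> /etc/nsswitch.conf")
    else:
        augeas.set_enhanced(nsswitch_sudoers + "/service[1]", "ldap")
        augeas.set_enhanced(nsswitch_sudoers + "/service[2]", "files")
        augeas.set_enhanced(nsswitch_sudoers + "/service[3]", "sss")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    # NOTE(review): /etc/ldap.conf stays world-readable (644) although the
    # sssd bind password is written into it below; only the sudo-ldap.conf
    # copy is locked down to 440. Check what else reads this file before
    # tightening the mode.
    x("chmod 644 /etc/ldap.conf")

    ldap_conf = "/files/etc/ldap.conf/"
    augeas.set_enhanced(ldap_conf + "uri", "ldaps://%s" % config.general.get_ldap_hostname())
    ldap_dn = config.general.get_ldap_dn()
    augeas.set_enhanced(ldap_conf + "base", ldap_dn)
    augeas.set_enhanced(ldap_conf + "ssl", "on")
    augeas.set_enhanced(ldap_conf + "tls_cacertdir", "/etc/openldap/cacerts")
    augeas.set_enhanced(ldap_conf + "tls_cert", "/etc/openldap/cacerts/client.pem")
    augeas.set_enhanced(ldap_conf + "tls_key", "/etc/openldap/cacerts/client.pem")
    # Derive the sudoers container from the configured base DN instead of the
    # former hard-coded "dc=fareoffice,dc=com", which silently pointed every
    # other deployment at the wrong directory; the bind DN below already used
    # the configured value.
    augeas.set_enhanced(ldap_conf + "sudoers_base", "ou=SUDOers,%s" % ldap_dn)
    augeas.set_enhanced(ldap_conf + "binddn", "cn=sssd,%s" % ldap_dn)
    augeas.set_enhanced(ldap_conf + "bindpw", app.get_ldap_sssd_password())

    # SUDO now uses its own ldap config file.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")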
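def configured_sudo():
    '''
    Point sudo at LDAP for its sudoers rules.

    Adds "sudoers: ldap files" to nsswitch.conf, rewrites the LDAP client
    settings in /etc/ldap.conf (server URI, base DN, TLS client certificate,
    sudoers base and the sssd bind credentials), then copies the result to
    /etc/sudo-ldap.conf, which sudo reads on its own.
    '''
    scOpen("/etc/nsswitch.conf").remove("^sudoers.*")
    scOpen("/etc/nsswitch.conf").add("sudoers: ldap files")

    x("touch /etc/ldap.conf")
    x("chown root:root /etc/ldap.conf")
    # NOTE(review): /etc/ldap.conf stays world-readable (644) although the
    # sssd bind password is written into it below; only the sudo-ldap.conf
    # copy is locked down to 440. Check what else reads this file before
    # tightening the mode.
    x("chmod 644 /etc/ldap.conf")
    # Raw strings: the pattern is a sed alternation and the backslashes must
    # reach sed literally ("\|" is an invalid Python escape otherwise).
    scOpen("/etc/ldap.conf").remove(
        r"^sudoers_base.*\|^binddn.*\|^bindpw.*\|^ssl.*\|^tls_cacertdir.*\|" +
        r"^tls_cert.*\|^tls_key.*\|sudoers_debug.*")
    ldap_dn = config.general.get_ldap_dn()
    scOpen("/etc/ldap.conf").add("\n".join([
        "uri ldaps://" + config.general.get_ldap_hostname(),
        "base " + ldap_dn,
        "ssl on",
        "tls_cacertdir /etc/openldap/cacerts",
        "tls_cert /etc/openldap/cacerts/client.pem",
        "tls_key /etc/openldap/cacerts/client.pem",
        "sudoers_base ou=SUDOers," + ldap_dn,
        "binddn cn=sssd," + ldap_dn,
        "bindpw " + app.get_ldap_sssd_password(),
    ]))

    # SUDO now uses its own ldap config file.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")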
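def _setup_ldap():
    '''
    Configure openvpn to authenticate through LDAP.

    Fills in /etc/openvpn/auth/ldap.conf (server URI, sssd bind credentials,
    client certificate paths, base DN and a search filter that admits only
    employeeType=Sysop accounts) and registers the openvpn-auth-ldap plugin in
    server.conf. Patterns and replacements are raw strings because they go to
    a sed-style replace: "\t" must reach sed as backslash-t, not as a tab.
    '''
    ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")
    ldapconf.replace(
        r"^\s*URL\s*.*",
        r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
    # NOTE(review): the password is not escaped for the replacement side; a
    # value containing '&' or '/' would corrupt the file — verify scOpen.replace.
    ldapconf.replace(r"^\s*# Password\s*.*",
                     r"\tPassword\t%s" % app.get_ldap_sssd_password())
    ldapconf.replace(r"^\s*# BindDN\s*.*",
                     r"\tBindDN\tcn=sssd,%s" % config.general.get_ldap_dn())
    # StartTLS stays commented out; the URL above already uses ldaps://.
    ldapconf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

    # Deal with certs
    ldapconf.replace(r"^\s*TLSCACertFile\s*.*",
                     r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
    ldapconf.replace(r"^\s*TLSCACertDir\s*.*",
                     r"\tTLSCACertDir\t /etc/openldap/cacerts/")
    ldapconf.replace(r"^\s*TLSCertFile\s*.*",
                     r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
    ldapconf.replace(r"^\s*TLSKeyFile\s*.*",
                     r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

    # Auth
    # The BaseDN replacement used to read "\\BaseDN\\t" (the 't' after the
    # first backslash was missing), so it did not get the "\tBaseDN\t" prefix
    # every other directive gets.
    ldapconf.replace(r"^\s*BaseDN\s*.*",
                     r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
    ldapconf.replace(
        r"^\s*SearchFilter\s*.*",
        r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

    x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')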
def install_logmgmt(args):
  '''
  Install and configure log management tools on the local host.

  Sets up the compress/remove helpers under /var/lib/logmgmt and a daily
  cron job, installs LogAnalyzer under Apache with MySQL access, and points
  the Apache LDAP auth for it at the LDAP server. Guarded by version.Version
  so it runs once per SCRIPT_VERSION.

  Args:
      args: command-line arguments handed over by the dispatcher; unused here.
  '''
  app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)
  
  

  version_obj = version.Version("InstallLogMgmt", SCRIPT_VERSION)
  version_obj.check_executed()

 

  x("mkdir -p /var/lib/logmgmt")
  
  shutil.copy(app.SYCO_PATH + "var/logmgmt/compress_logs.sh",  "/var/lib/logmgmt/")
  x("chmod +x /var/lib/logmgmt/compress_logs.sh")
  
  # Daily cron job; the alert address placeholder is filled from config.
  shutil.copy(app.SYCO_PATH + "var/logmgmt/logmgmt_cron",  "/etc/cron.daily/")
  x("chmod +x /etc/cron.daily/logmgmt_cron")
  logMgmtCron = scOpen("/etc/cron.daily/logmgmt_cron")
  logMgmtCron.replace("${alert_email}",config.general.get_admin_email())
  
  

  x("yum -y install php")
  x("yum -y install php-mysql")
  x("yum -y install php-gd")
  # NOTE(review): the tarball is fetched over plain http into a fixed /tmp
  # path and unpacked without any checksum or signature check — verify.
  x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz")
  x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
  x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
  x("chown -R apache /var/www/html/loganalyzer")
  shutil.copy(app.SYCO_PATH + "var/logmgmt/config.php",  "/var/www/html/loganalyzer/")
  
  # The MySQL root password is written into config.php under the web root;
  # this function does not restrict the file's mode.
  logConfig = scOpen("/var/www/html/loganalyzer/config.php")
  logConfig.replace("${mysql_user}","root")
  logConfig.replace("${mysql_password}",app.get_mysql_root_password())
  
  x("chown -R apache /var/www/html/loganalyzer")
  x("rm -rf /tmp/loganalyzer*")
  
  
  shutil.copy(app.SYCO_PATH + "var/logmgmt/remove_sql.sh",  "/var/lib/logmgmt/")
  x("chmod +x /var/lib/logmgmt/remove_sql.sh")
  logSql = scOpen("/var/lib/logmgmt/remove_sql.sh")
  logSql.replace("${mysql_user}","root")
  logSql.replace("${mysql_password}",app.get_mysql_root_password())
  
  # Apache vhost with LDAP auth: bind as the sssd account, look users up by uid.
  shutil.copy(app.SYCO_PATH + "var/logmgmt/loganalyzer.conf",  "/etc/httpd/conf.d/")
  htconf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
  htconf.replace("${bind_dn}","cn=sssd,%s" % config.general.get_ldap_dn() )
  htconf.replace("${bind_password}","%s" % app.get_ldap_sssd_password() )
  htconf.replace("${ldap_url}","ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),config.general.get_ldap_dn()) )
  
  
  x("service httpd restart")
  version_obj.mark_executed()
def install_logmgmt(args):
    '''
    Install and configure log management tools on the local host.

    Sets up the compress/remove helpers under /var/lib/logmgmt and a daily
    cron job, installs LogAnalyzer under Apache with MySQL access, and points
    the Apache LDAP auth for it at the LDAP server. Guarded by version.Version
    so it runs once per SCRIPT_VERSION.

    Args:
        args: command-line arguments handed over by the dispatcher; unused here.
    '''
    app.print_verbose("Install LogManagement version: %d" % SCRIPT_VERSION)

    tracker = version.Version("InstallLogMgmt", SCRIPT_VERSION)
    tracker.check_executed()

    # Source directory for the shipped helper scripts and templates.
    logmgmt_src = app.SYCO_PATH + "var/logmgmt/"

    x("mkdir -p /var/lib/logmgmt")

    shutil.copy(logmgmt_src + "compress_logs.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/compress_logs.sh")

    # Daily cron job; the alert address placeholder is filled from config.
    shutil.copy(logmgmt_src + "logmgmt_cron", "/etc/cron.daily/")
    x("chmod +x /etc/cron.daily/logmgmt_cron")
    cron_job = scOpen("/etc/cron.daily/logmgmt_cron")
    cron_job.replace("${alert_email}", config.general.get_admin_email())

    for package in ("php", "php-mysql", "php-gd"):
        x("yum -y install " + package)
    # NOTE(review): the tarball is fetched over plain http into a fixed /tmp
    # path and unpacked without any checksum or signature check — verify.
    x("cd /tmp/; wget http://download.adiscon.com/loganalyzer/loganalyzer-3.5.6.tar.gz")
    x("cd /tmp; tar xzf loganalyzer-3.5.6.tar.gz")
    x("cp -rp /tmp/loganalyzer-3.5.6/src /var/www/html/loganalyzer")
    x("chown -R apache /var/www/html/loganalyzer")
    shutil.copy(logmgmt_src + "config.php", "/var/www/html/loganalyzer/")

    # The MySQL root password is written into config.php under the web root;
    # this function does not restrict the file's mode.
    web_config = scOpen("/var/www/html/loganalyzer/config.php")
    web_config.replace("${mysql_user}", "root")
    web_config.replace("${mysql_password}", app.get_mysql_root_password())

    x("chown -R apache /var/www/html/loganalyzer")
    x("rm -rf /tmp/loganalyzer*")

    shutil.copy(logmgmt_src + "remove_sql.sh", "/var/lib/logmgmt/")
    x("chmod +x /var/lib/logmgmt/remove_sql.sh")
    cleanup_script = scOpen("/var/lib/logmgmt/remove_sql.sh")
    cleanup_script.replace("${mysql_user}", "root")
    cleanup_script.replace("${mysql_password}", app.get_mysql_root_password())

    # Apache vhost with LDAP auth: bind as the sssd account, look users up by uid.
    shutil.copy(logmgmt_src + "loganalyzer.conf", "/etc/httpd/conf.d/")
    apache_conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    apache_conf.replace("${bind_dn}", "cn=sssd,%s" % config.general.get_ldap_dn())
    apache_conf.replace("${bind_password}", "%s" % app.get_ldap_sssd_password())
    ldap_url = "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(),
                                            config.general.get_ldap_dn())
    apache_conf.replace("${ldap_url}", ldap_url)

    x("service httpd restart")
    tracker.mark_executed()
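def configured_sssd():
    '''
    Rewrite /etc/sssd/sssd.conf for LDAPS with client-certificate auth and
    restart sssd.

    Every key is first removed (so re-runs do not duplicate it) and then
    inserted directly under the "[domain/default]" header; keys therefore end
    up in reverse insertion order, which sssd does not mind. The section
    headers are sed patterns, hence the raw strings: "\[" is an invalid
    Python escape and only worked through the fallback.
    '''
    conf = "/etc/sssd/sssd.conf"
    domain_header = r"\[domain/default\]"

    def insert_in_domain(lines):
        # Insert *lines* (newline-joined text) right after [domain/default].
        scOpen(conf).replace(domain_header, domain_header + "\n" + lines)

    # If the authentication provider is offline, specifies for how long to allow
    # cached log-ins (in days). This value is measured from the last successful
    # online log-in. If not specified, defaults to 0 (no limit).
    scOpen(conf).remove("^offline_credentials_expiration.*")
    x(r"sed -i '/\[pam\]/a offline_credentials_expiration=5' /etc/sssd/sssd.conf")

    # Enumeration means that the entire set of available users and groups on the
    # remote source is cached on the local machine. When enumeration is disabled,
    # users and groups are only cached as they are requested.
    scOpen(conf).remove("^enumerate=true")
    insert_in_domain("enumerate=true")

    # Configure client certificate auth; "demand" rejects the server if its
    # certificate cannot be verified.
    scOpen(conf).remove("^ldap_tls_cert.*")
    scOpen(conf).remove("^ldap_tls_key.*")
    scOpen(conf).remove("^ldap_tls_reqcert.*")
    insert_in_domain(
        "ldap_tls_cert = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_key = /etc/openldap/cacerts/client.pem\n"
        "ldap_tls_reqcert = demand")

    # Only users with this employeeType are allowed to login to this computer.
    scOpen(conf).remove("^access_provider.*")
    scOpen(conf).remove("^ldap_access_filter.*")
    insert_in_domain(
        "access_provider = ldap\n"
        "ldap_access_filter = (employeeType=Sysop)")

    # Login to ldap with a specified user. The bind password lands in
    # sssd.conf in clear text; this function does not set the file's mode.
    scOpen(conf).remove("^ldap_default_bind_dn.*")
    scOpen(conf).remove("^ldap_default_authtok_type.*")
    scOpen(conf).remove("^ldap_default_authtok.*")
    insert_in_domain("ldap_default_bind_dn = cn=sssd," + config.general.get_ldap_dn())
    insert_in_domain("ldap_default_authtok_type = password")
    insert_in_domain("ldap_default_authtok = " + app.get_ldap_sssd_password())

    # Need to change the modified date before restarting, to tell sssd to reload
    # the config file.
    x("touch /etc/sssd/sssd.conf")

    # Restart sssd and read in all new configs.
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")

    # Start sssd after reboot.
    x("chkconfig sssd on")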
def configure_sssd(augeas):
    """
    Write the sssd configuration through Augeas and restart sssd.

    Args:
        augeas: Augeas wrapper exposing set_enhanced(path, value); every path
            below points into /etc/sssd/sssd.conf.
    """
    sssd_conf = "/files/etc/sssd/sssd.conf/"
    domain = "domain/default"

    def set_in(section, key, value):
        # Augeas path of *key* inside the named [section] of sssd.conf.
        augeas.set_enhanced("%starget[. = '%s']/%s" % (sssd_conf, section, key), value)

    # If the authentication provider is offline, specifies for how long to allow
    # cached log-ins (in days). This value is measured from the last successful
    # online log-in. If not specified, defaults to 0 (no limit).
    # We want to cache credentials even though noone has logged in.
    set_in("pam", "offline_credentials_expiration", "0")

    # Enumeration means that the entire set of available users and groups on the
    # remote source is cached on the local machine. When enumeration is disabled,
    # users and groups are only cached as they are requested.
    set_in(domain, "enumerate", "true")

    # Client certificate auth; "demand" rejects a server whose certificate
    # cannot be verified.
    set_in(domain, "ldap_tls_cert", "/etc/openldap/cacerts/client.pem")
    set_in(domain, "ldap_tls_key", "/etc/openldap/cacerts/client.pem")
    set_in(domain, "ldap_tls_reqcert", "demand")

    # Only users with this employeeType are allowed to login to this computer.
    set_in(domain, "access_provider", "ldap")
    set_in(domain, "ldap_access_filter", "(employeeType=Sysop)")

    # Bind account for LDAP lookups; the password lands in sssd.conf in clear
    # text (this function does not set the file's mode).
    set_in(domain, "ldap_default_bind_dn", "cn=sssd," + config.general.get_ldap_dn())
    set_in(domain, "ldap_default_authtok_type", "password")
    set_in(domain, "ldap_default_authtok", app.get_ldap_sssd_password())

    # Cache sudo rules from LDAP; full refresh daily, smart refresh hourly.
    set_in(domain, "sudo_provider", "ldap")
    set_in(domain, "ldap_sudo_full_refresh_interval", "86400")
    set_in(domain, "ldap_sudo_smart_refresh_interval", "3600")

    # Low timeouts so the cache is used when ldap is slow or down.
    set_in(domain, "ldap_search_timeout", "5")
    set_in(domain, "ldap_enumeration_search_timeout", "5")
    set_in(domain, "ldap_network_timeout", "5")

    # Responders to start.
    set_in("sssd", "services", "nss,pam,sudo")

    # Need to change the modified date before restarting, to tell sssd to reload
    # the config file.
    x("touch /etc/sssd/sssd.conf")

    # Restart sssd and read in all new configs.
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")

    # Start sssd after reboot.
    x("chkconfig sssd on")
def _install_nrpe(args):
    """
    Install the NRPE agent and swap the stock nrpe.cfg for the prepped one.

    The prepped config binds the daemon to the monitor server's front IP
    only and keeps command argument parsing disabled; beyond that and the
    iptables chain there is no further access restriction.

    """
    # Collect every secret before any long-running step so the run does
    # not stall on a prompt half-way through.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # "nagios-plugins-all" does not actually pull in every plugin, hence
    # the explicit extras on the same yum line.
    packages = (
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable perl-Date-Calc"
    )
    x("yum install %s -y" % packages)

    # Replace the packaged config tree with the one kept in syco-private,
    # then make the whole tree readable by the nrpe group.
    private_nagios = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    for cmd in (
        "rm -rf /etc/nagios/nrpe.d",
        "rm -rf /etc/nagios/nrpe.cfg",
        "cp -r {0}nrpe.d /etc/nagios/".format(private_nagios),
        "cp {0}nrpe.cfg /etc/nagios/".format(private_nagios),
        "chown -R root:nrpe /etc/nagios/",
    ):
        x(cmd)

    _install_nrpe_plugins()

    # Only the monitor server may query this NRPE instance.
    monitor_ip = config.host(config.general.get_monitor_server()).get_front_ip()
    app.print_verbose("Setting monitor server:" + monitor_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_ip)

    # Open the NRPE port in the firewall.  NOTE(review): the original
    # comment said "UDP port 5666"; NRPE normally listens on TCP 5666 —
    # confirm against iptables.add_nrpe_chain().
    iptables.add_nrpe_chain()
    iptables.save()

    # Start on boot (runlevel 3) and pick up the new config now.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
def _install_nrpe_plugins():
    """Copy the syco NRPE plugins into place and load their SELinux policy."""
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # Fill the secrets and the LDAP host used by the checks in common.cfg.
    # The MySQL password gets "&" and "/" escaped the way a sed-style
    # replacement needs.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    for placeholder, value in (
        ("$(LDAPPASSWORD)", app.get_ldap_sssd_password()),
        ("$(LDAPURL)", config.general.get_ldap_hostname()),
        ("$(SQLPASS)", app.get_mysql_monitor_password().replace("&", "\&").replace("/", "\/")),
    ):
        common_cfg.replace(placeholder, value)

    # Pick the block device the disk check should watch, by host role.
    this_host = config.host(net.get_hostname())
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    else:
        main_disk = None
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Plugins end up owned by nrpe and only readable/executable, not writable.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Load the compiled SELinux modules (.pp) that let NRPE run interpreters
    # such as python/perl; the matching .te files describe each rule set.
    module_dir = "/var/lib/syco_selinux_modules"
    x("mkdir -p " + module_dir)
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rule_dir, module_dir))
    x("semodule -i {0}/*.pp".format(module_dir))

    # Relabel individual plugins so each runs in the intended nagios domain.
    # TODO?? pmp-check-mysql*, farpayment_stats.py, rentalfront_stats.py and
    # checkMySQLProcesslist.sh were left out of this list upstream.
    relabel = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for context, plugin in relabel:
        _fix_selinux(context, plugin)

    # Needed since CentOS 6.7.  This boolean lets the nagios domain run
    # sudo, so the sudoers rules granted to the nrpe user are what bound
    # what a plugin can do.
    x("setsebool -P nagios_run_sudo 1")
def _install_pnp4nagios():
    '''
    Install PNP4Nagios and adapt it to icinga.

    The EPEL package targets Nagios, so the httpd auth settings, the NPCD
    spool config and several directory owners are adjusted, and a log file
    the package leaves out is created.  Perfdata is handed over in bulk
    mode through the NPCD daemon (see http://docs.pnp4nagios.org/_detail/bulk.png).

    '''
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # The packaged httpd config points at the nagios htpasswd file, which
    # does not exist on an icinga host.
    pnp_httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    general.use_original_file(pnp_httpd_conf)
    for old, new in (
        ("AuthName \"Nagios Access\"", "AuthName \"Icinga Access\""),
        ("AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd"),
    ):
        general.set_config_property(pnp_httpd_conf, old, new, False)

    # NPCD config pre-adjusted for icinga.
    x("cp {0}syco-private/var/nagios/npcd.cfg /etc/pnp4nagios/npcd.cfg".format(
        constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/pnp4nagios/npcd.cfg")

    # process-perfdata expects this log to exist; the package does not
    # create it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Hand the PNP state directories to icinga.  Adding icinga to the nagios
    # group instead would tie us to the state of the PNP/Nagios packages.
    for state_dir in ("/var/log/pnp4nagios",
                      "/var/spool/pnp4nagios",
                      "/var/lib/pnp4nagios"):
        x("chown -R icinga:icinga " + state_dir)

    # Auto-start the bulk parser/spooler.
    x(" /sbin/chkconfig --level 3 npcd on")

    # Swap in the syco httpd config, which authenticates against LDAP with
    # the cn=sssd service account.  NOTE(review): "cp -p" keeps the mode of
    # the source file and the bind password is written into it — confirm the
    # result is not world-readable.
    general.use_original_file(pnp_httpd_conf)
    x("rm -f " + pnp_httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(pnp_httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}",
                   "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))

    # Restart everything that picked up new config.
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
文件: installNrpe.py 项目: Nemie/syco
def _install_nrpe_plugins():
    """Copy the syco NRPE plugins and plugin-pack extras into place and load their SELinux policy."""
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))
    # Extra checks shipped by syco plugin packages.
    for pack_dir in app.get_syco_plugin_paths("/var/icinga/plugins/"):
        x("cp -p {0}* {1}".format(pack_dir, PLG_PATH))

    # Fill the secrets and the LDAP host used by the checks in common.cfg.
    # The MySQL password gets "&" and "/" escaped the way a sed-style
    # replacement needs.
    common_cfg = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    for placeholder, value in (
        ("$(LDAPPASSWORD)", app.get_ldap_sssd_password()),
        ("$(LDAPURL)", config.general.get_ldap_hostname()),
        ("$(SQLPASS)", app.get_mysql_monitor_password().replace("&","\&").replace("/","\/")),
    ):
        common_cfg.replace(placeholder, value)

    # Pick the block device the disk check should watch, by host role.
    this_host = config.host(net.get_hostname())
    if this_host.is_guest():
        main_disk = "vda"
    elif this_host.is_firewall() or this_host.is_host():
        main_disk = "sda"
    else:
        main_disk = None
    if main_disk is not None:
        common_cfg.replace("${MAINDISK}", main_disk)

    # Plugins end up owned by nrpe and only readable/executable, not writable.
    x("chmod -R 550 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Load the compiled SELinux modules (.pp) that let NRPE run interpreters
    # such as python/perl; the matching .te files describe each rule set.
    module_dir = "/var/lib/syco_selinux_modules"
    x("mkdir -p " + module_dir)
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rule_dir, module_dir))
    x("semodule -i {0}/*.pp".format(module_dir))

    # Relabel individual plugins so each runs in the intended nagios domain.
    # TODO?? pmp-check-mysql*, farpayment_stats.py, rentalfront_stats.py and
    # checkMySQLProcesslist.sh were left out of this list upstream.
    relabel = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
        ("nagios_unconfined_plugin_exec_t", "check_hpasm"),
        ("nagios_unconfined_plugin_exec_t", "check_hparray"),
        ("nagios_unconfined_plugin_exec_t", "check_ifutil.pl"),
    )
    for context, plugin in relabel:
        _fix_selinux(context, plugin)

    # Needed since CentOS 6.7.  This boolean lets the nagios domain run
    # sudo, so the sudoers rules granted to the nrpe user are what bound
    # what a plugin can do.
    x("setsebool -P nagios_run_sudo 1")
def passwords(args):
  """
  Initialize every password syco manages and echo each one to stdout.

  The output contains the secrets in clear text, so it lands in terminal
  scrollback and in any captured session log.

  Args:
    args: command-line arguments; not used here.
  """
  app.print_verbose("Set all passwords used by syco")
  app.init_all_passwords()
  print "root: ", app.get_root_password()
  print "svn: ", app.get_svn_password()
  print "ldap_admin: ", app.get_ldap_admin_password()
  print "ldap_sssd: ", app.get_ldap_sssd_password()
  print "glassfish_master: ", app.get_glassfish_master_password()
  print "glassfish_admin: ", app.get_glassfish_admin_password()
  # NOTE(review): the next line was mangled by the hosting site's secret
  # masking ("******") and is not valid Python as shown; the upstream source
  # is needed to recover the glassfish user password lookup.
  print "glassfish_user: "******"glassfish")
  print "mysql_root: ", app.get_mysql_root_password()
  print "mysql_int: ", app.get_mysql_integration_password()
  print "mysql_stable: ", app.get_mysql_stable_password()
  print "mysql_uat: ", app.get_mysql_uat_password()
  print "mysql_prod: ", app.get_mysql_production_password()
def _setup_ldap_auth():
    '''
    Point the git httpd config at the syco LDAP server for authentication.

    Fills the ${AUTHLDAPBINDDN}, ${AUTHLDAPBINDPASSWORD} and ${AUTHLDAPURL}
    placeholders in /etc/httpd/conf.d/git.conf with the cn=sssd service
    account and an ldaps:// URL over the people OU.

    '''
    git_conf = "/etc/httpd/conf.d/git.conf"
    ldap_dn = config.general.get_ldap_dn()
    ldap_url = "ldaps://%s:636/ou=people,%s?uid" % (
        config.general.get_ldap_hostname(), ldap_dn)

    for placeholder, value in (
        ("${AUTHLDAPBINDDN}", "cn=sssd," + ldap_dn),
        ("${AUTHLDAPBINDPASSWORD}", app.get_ldap_sssd_password()),
        ("${AUTHLDAPURL}", ldap_url),
    ):
        scOpen(git_conf).replace(placeholder, value)

    # NOTE(review): this flags the InstallGit version record as uninstalled
    # from inside a setup routine — looks like a leftover; confirm it is
    # intended.
    version.Version("InstallGit", SCRIPT_VERSION).mark_uninstalled()
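def configure_sudo(augeas):
    """
    Configure the client to resolve sudo rules from LDAP through sssd.

    Adds "sudoers: files sss" to nsswitch.conf, writes /etc/ldap.conf with
    the cn=sssd bind account for the applications that still read that file,
    and copies it to /etc/sudo-ldap.conf for sudo itself.

    The sudoers_base is derived from the configured base DN; the original
    carried a hard-coded "ou=SUDOers,dc=fareoffice,dc=com" while every other
    DN in this function came from config.general.get_ldap_dn().

    Args:
        augeas: project Augeas wrapper exposing find_entry(), set_enhanced()
            and remove().
    """
    # The sudoers database node could not be inserted with a single augeas
    # call, so a missing entry is appended with echo instead.
    sudoers_node = "/files/etc/nsswitch.conf/database[. = 'sudoers']"
    if not augeas.find_entry(sudoers_node):
        x("echo \"sudoers: files sss\" >> /etc/nsswitch.conf")
    else:
        augeas.set_enhanced(sudoers_node + "/service[1]", "files")
        augeas.set_enhanced(sudoers_node + "/service[2]", "sss")
        augeas.remove(sudoers_node + "/service[3]")

    ldap_conf = "/etc/ldap.conf"
    x("touch " + ldap_conf)
    x("chown root:root " + ldap_conf)
    # NOTE(review): 0644 leaves the bindpw written below readable by every
    # local user.  The comment further down says applications other than
    # sudo read this file; if none of them run unprivileged, tighten this
    # to 0600.
    x("chmod 644 " + ldap_conf)

    ldap_dn = config.general.get_ldap_dn()
    settings = (
        ("uri", "ldaps://%s" % config.general.get_ldap_hostname()),
        ("base", ldap_dn),
        ("ssl", "on"),
        ("tls_cacertdir", "/etc/openldap/cacerts"),
        ("tls_cert", "/etc/openldap/cacerts/client.pem"),
        ("tls_key", "/etc/openldap/cacerts/client.pem"),
        ("sudoers_base", "ou=SUDOers,%s" % ldap_dn),
        ("binddn", "cn=sssd,%s" % ldap_dn),
        ("bindpw", app.get_ldap_sssd_password()),
    )
    for key, value in settings:
        augeas.set_enhanced("/files/etc/ldap.conf/" + key, value)

    # sudo reads its own copy of the ldap config, which can be root-only.
    # Some other applications still read /etc/ldap.conf.
    x("cp /etc/ldap.conf /etc/sudo-ldap.conf")
    x("chmod 440 /etc/sudo-ldap.conf")
    x("chown root:root /etc/sudo-ldap.conf")
    x("restorecon /etc/sudo-ldap.conf")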
def _configure_apache():
    '''
    Install the loganalyzer httpd config and wire it to the syco LDAP server.

    The conf.d file is copied from the syco tree, its ${BIND_DN},
    ${BIND_PASSWORD} and ${LDAP_URL} placeholders are filled with the
    cn=sssd service account and an ldaps:// URL, and httpd is restarted.

    '''
    conf_file = "/etc/httpd/conf.d/loganalyzer.conf"
    x("cp -f {0}var/loganalyzer/loganalyzer.conf /etc/httpd/conf.d/".format(
        app.SYCO_PATH))

    ldap_dn = config.general.get_ldap_dn()
    replacements = (
        ("${BIND_DN}", "cn=sssd,{0}".format(ldap_dn)),
        ("${BIND_PASSWORD}", app.get_ldap_sssd_password()),
        ("${LDAP_URL}", "ldaps://{0}:636/{1}?uid".format(
            config.general.get_ldap_hostname(), ldap_dn)),
    )
    htconf = scOpen(conf_file)
    for placeholder, value in replacements:
        htconf.replace(placeholder, value)

    # NOTE(review): nothing here sets the mode of the file that now holds
    # the bind password — confirm it is not world-readable.
    x("service httpd restart")
文件: installGit.py 项目: Nemie/syco
def _setup_ldap_auth():
  '''
  Point the git httpd config at the syco LDAP server for authentication.

  Fills the ${AUTHLDAPBINDDN}, ${AUTHLDAPBINDPASSWORD} and ${AUTHLDAPURL}
  placeholders in /etc/httpd/conf.d/git.conf with the cn=sssd service
  account and an ldaps:// URL over the people OU.

  '''
  git_conf = "/etc/httpd/conf.d/git.conf"
  ldap_dn = config.general.get_ldap_dn()
  ldap_url = "ldaps://%s:636/ou=people,%s?uid" % (
    config.general.get_ldap_hostname(), ldap_dn)

  for placeholder, value in (
    ("${AUTHLDAPBINDDN}", "cn=sssd," + ldap_dn),
    ("${AUTHLDAPBINDPASSWORD}", app.get_ldap_sssd_password()),
    ("${AUTHLDAPURL}", ldap_url),
  ):
    scOpen(git_conf).replace(placeholder, value)

  # NOTE(review): this flags the InstallGit version record as uninstalled
  # from inside a setup routine — looks like a leftover; confirm it is
  # intended.
  version.Version("InstallGit", SCRIPT_VERSION).mark_uninstalled()
def _install_pnp4nagios():
    '''
    Install PNP4Nagios and adapt it to icinga.

    The EPEL package targets Nagios, so the httpd auth settings, the NPCD
    spool config and several directory owners are adjusted, and a log file
    the package leaves out is created.  Perfdata is handed over in bulk
    mode through the NPCD daemon (see http://docs.pnp4nagios.org/_detail/bulk.png).

    '''
    install.epel_repo()
    x("yum install -y pnp4nagios icinga-web-module-pnp")

    # The packaged httpd config points at the nagios htpasswd file, which
    # does not exist on an icinga host.
    httpd_conf = "/etc/httpd/conf.d/pnp4nagios.conf"
    general.use_original_file(httpd_conf)
    auth_fixes = (
        ("AuthName \"Nagios Access\"", "AuthName \"Icinga Access\""),
        ("AuthUserFile /etc/nagios/passwd", "AuthUserFile /etc/icinga/passwd"),
    )
    for before, after in auth_fixes:
        general.set_config_property(httpd_conf, before, after, False)

    # NPCD config pre-adjusted for icinga.
    npcd_cfg = "/etc/pnp4nagios/npcd.cfg"
    x("cp {0}syco-private/var/nagios/npcd.cfg {1}".format(constant.SYCO_USR_PATH, npcd_cfg))
    x("chown icinga:icinga " + npcd_cfg)

    # process-perfdata expects this log to exist; the package does not
    # create it.
    x("touch /var/log/pnp4nagios/perfdata.log")

    # Hand the PNP state directories to icinga.  Adding icinga to the nagios
    # group instead would tie us to the state of the PNP/Nagios packages.
    for state_dir in ("log", "spool", "lib"):
        x("chown -R icinga:icinga /var/{0}/pnp4nagios".format(state_dir))

    # Auto-start the bulk parser/spooler.
    x(" /sbin/chkconfig --level 3 npcd on")

    # Swap in the syco httpd config, which authenticates against LDAP with
    # the cn=sssd service account.  NOTE(review): "cp -p" keeps the mode of
    # the source file and the bind password is written into it — confirm the
    # result is not world-readable.
    general.use_original_file(httpd_conf)
    x("rm -f " + httpd_conf)
    x("cp -p {0}icinga/pnp4nagios.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    base_dn = config.general.get_ldap_dn()
    ldap_host = config.general.get_ldap_hostname()
    htconf = scopen.scOpen(httpd_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % base_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}", "ldaps://%s:636/%s?uid" % (ldap_host, base_dn))

    # Restart everything that picked up new config.
    for service in ("icinga", "httpd", "npcd"):
        x("service %s restart" % service)
def passwords(args):
    """
    Initialize every password syco manages and echo each one to stdout.

    The output contains the secrets in clear text, so it lands in terminal
    scrollback and in any captured session log.

    Args:
        args: command-line arguments; not used here.
    """
    app.print_verbose("Set all passwords used by syco")
    app.init_all_passwords()
    print "root: ", app.get_root_password()
    print "svn: ", app.get_svn_password()
    print "ldap_admin: ", app.get_ldap_admin_password()
    print "ldap_sssd: ", app.get_ldap_sssd_password()
    print "glassfish_master: ", app.get_glassfish_master_password()
    print "glassfish_admin: ", app.get_glassfish_admin_password()
    # NOTE(review): the next line was mangled by the hosting site's secret
    # masking ("******") and is not valid Python as shown; the upstream
    # source is needed to recover the glassfish user password lookup.
    print "glassfish_user: "******"glassfish")
    print "mysql_root: ", app.get_mysql_root_password()
    print "mysql_int: ", app.get_mysql_integration_password()
    print "mysql_stable: ", app.get_mysql_stable_password()
    print "mysql_uat: ", app.get_mysql_uat_password()
    print "mysql_prod: ", app.get_mysql_production_password()
    print "mysql_backup: ", app.get_mysql_backup_password()
    print "mysql_monitor: ", app.get_mysql_monitor_password()
    print "switch_icmp: ", app.get_switch_icmp_password()
def _configure_apache():
    '''
    Install the loganalyzer httpd config and wire it to the syco LDAP server.

    The conf.d file is copied from the syco tree, its ${BIND_DN},
    ${BIND_PASSWORD} and ${LDAP_URL} placeholders are filled with the
    cn=sssd service account and an ldaps:// URL, and httpd is restarted.

    '''
    x("cp -f {0}var/loganalyzer/loganalyzer.conf /etc/httpd/conf.d/".format(app.SYCO_PATH))

    base_dn = config.general.get_ldap_dn()
    ldap_host = config.general.get_ldap_hostname()
    conf = scOpen("/etc/httpd/conf.d/loganalyzer.conf")
    conf.replace("${BIND_DN}", "cn=sssd,{0}".format(base_dn))
    conf.replace("${BIND_PASSWORD}", app.get_ldap_sssd_password())
    conf.replace("${LDAP_URL}", "ldaps://{0}:636/{1}?uid".format(ldap_host, base_dn))

    # NOTE(review): nothing here sets the mode of the file that now holds
    # the bind password — confirm it is not world-readable.
    x("service httpd restart")
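def _install_nrpe_plugins():
    '''
    Install NRPE-plugins (to be executed remotely) and SELinux-rules.

    Copies the syco plugins into PLG_PATH, fills the secrets and LDAP host
    into nrpe.d/common.cfg, loads the compiled SELinux modules and relabels
    the custom plugins.

    The LDAP URL placeholder was written as "($LDAPURL)" in the original,
    which never matched the "$(...)" form the other placeholders use, so the
    hostname was never substituted; it is "$(LDAPURL)" here.

    '''
    # Install packages and their dependencies.
    _install_nrpe_plugins_dependencies()
    x("cp -p {0}lib/nagios/plugins_nrpe/* {1}".format(constant.SYCO_PATH, PLG_PATH))

    # Fill the secrets and the LDAP host used by the checks in common.cfg.
    # The MySQL password gets "&" and "/" escaped the way a sed-style
    # replacement needs.  common.cfg is opened once for all three.
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.d/common.cfg")
    nrpe_config.replace("$(LDAPPASSWORD)", app.get_ldap_sssd_password())
    nrpe_config.replace("$(LDAPURL)", config.general.get_ldap_hostname())
    nrpe_config.replace(
        "$(SQLPASS)",
        app.get_mysql_monitor_password().replace("&", r"\&").replace("/", r"\/"))

    # Change ownership of plugins to nrpe (from icinga/nagios).
    x("chmod -R 750 /usr/lib64/nagios/plugins/")
    x("chown -R nrpe:nrpe /usr/lib64/nagios/plugins/")

    # Load the compiled SELinux modules (.pp) that let NRPE run interpreters
    # such as python/perl/iptables; the matching .te files describe each
    # rule set.
    module_dir = "/var/lib/syco_selinux_modules"
    x("mkdir -p " + module_dir)
    for rule_dir in list_plugin_files("/var/nagios/selinux_rules"):
        x("cp {0}/*.pp {1}/".format(rule_dir, module_dir))
    x("semodule -i {0}/*.pp".format(module_dir))

    # Relabel individual plugins so each runs in the intended nagios domain.
    relabel = (
        ("nagios_unconfined_plugin_exec_t", "check_disk"),
        ("nagios_services_plugin_exec_t", "check_ldap.php"),
        ("nagios_services_plugin_exec_t", "check_iptables.py"),
        ("nagios_unconfined_plugin_exec_t", "check_clam*"),
        ("nagios_unconfined_plugin_exec_t", "pmp-check-mysql*"),
        ("nagios_unconfined_plugin_exec_t", "farpayment_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "rentalfront_stats.py"),
        ("nagios_unconfined_plugin_exec_t", "checkMySQLProcesslist.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_connections.pl"),
        ("nagios_unconfined_plugin_exec_t", "check_procs.sh"),
        ("nagios_unconfined_plugin_exec_t", "check_ulimit.py"),
    )
    for context, plugin in relabel:
        _fix_selinux(context, plugin)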
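def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Set icinga-web's MySQL passwords, LDAP login and default timezone.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files, which are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags.  The
    icinga-web documentation assumes the standard configs, so debugging is
    easier when those includes are not loaded (by simply not setting apache
    permissions on them).

    The httpd config path is defined once and without the trailing space
    the original literals carried ("icinga-web.conf "), so every helper
    addresses the same file whether it shells out or opens the path
    directly.

    Args:
        icinga_db_pass: password for the "icinga" MySQL user.
        web_sqlpassword: password for the icinga-web MySQL user.

    '''
    # Database passwords.  NOTE(review): the first replacement also changes
    # the user name from icinga_web to icinga-web — confirm it matches the
    # account created on the MySQL side.  Neither password is escaped for
    # set_config_property(), so characters special to its replacement
    # mechanism (elsewhere in syco "&" and "/" are escaped for the same
    # kind of call) may break the substitution.
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword), False)
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga", "mysql://icinga:{0}".format(icinga_db_pass),
        False)

    # LDAP login through the cn=sssd service account.
    web_conf = "/etc/httpd/conf.d/icinga-web.conf"
    general.use_original_file(web_conf)
    x("rm -f " + web_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(
        constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(web_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace(
        "${LDAP_URL}", "ldaps://%s:636/%s?uid" %
        (config.general.get_ldap_hostname(), ldap_dn))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(
        translation_xml,
        "default_locale=\"en\"",
        "default_locale=\"en\" default_timezone=\"CET\"", False)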
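def _setup_ldap():
  '''
  Configure the openvpn-auth-ldap plugin to authenticate VPN users against LDAP.

  Rewrites /etc/openvpn/auth/ldap.conf in place: server URL, the cn=sssd
  bind account, the CA/client certificate paths, the base DN and a search
  filter that only admits accounts with employeeType=Sysop.  Finally the
  plugin line is appended to server.conf.

  The replacement strings carry sed-style backslash-t escapes, hence the raw
  string literals.  The original BaseDN replacement lacked the "t" after the
  backslash, so that line was never indented like the others; fixed here.

  '''
  ldapconf = scOpen("/etc/openvpn/auth/ldap.conf")
  ldapconf.replace(r"^\s*URL\s*.*", r"\tURL\tldaps://%s" % config.general.get_ldap_hostname())
  ldapconf.replace(r"^\s*# Password\s*.*", r"\tPassword\t%s" % app.get_ldap_sssd_password())
  ldapconf.replace(r"^\s*# BindDN\s*.*", r"\tBindDN\tcn=sssd,%s" % config.general.get_ldap_dn())
  # TLSEnable selects STARTTLS; the URL above already uses ldaps://, so the
  # directive stays commented out.
  ldapconf.replace(r"^\s*TLSEnable\s*.*", r"\t# TLSEnable\t YES")

  # Certificates for the TLS session to the LDAP server.
  ldapconf.replace(r"^\s*TLSCACertFile\s*.*", r"\tTLSCACertFile\t /etc/openldap/cacerts/ca.crt")
  ldapconf.replace(r"^\s*TLSCACertDir\s*.*", r"\tTLSCACertDir\t /etc/openldap/cacerts/")
  ldapconf.replace(r"^\s*TLSCertFile\s*.*", r"\tTLSCertFile\t /etc/openldap/cacerts/client.crt")
  ldapconf.replace(r"^\s*TLSKeyFile\s*.*", r"\tTLSKeyFile\t /etc/openldap/cacerts/client.key")

  # Auth: the search filter restricts VPN logins to Sysop accounts.
  ldapconf.replace(r"^\s*BaseDN\s*.*", r'\tBaseDN\t "%s"' % config.general.get_ldap_dn())
  ldapconf.replace(r"^\s*SearchFilter\s*.*", r'\tSearchFilter\t "(\&(uid=%u)(employeeType=Sysop))"')

  # NOTE(review): ">>" appends on every run, so re-running the installer
  # duplicates the plugin line in server.conf.
  x('echo "plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so /etc/openvpn/auth/ldap.conf" >> /etc/openvpn/server.conf ')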
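def _configure_icinga_web(icinga_db_pass, web_sqlpassword):
    '''
    Set icinga-web's MySQL passwords, LDAP login and default timezone.

    Watch out: the repoforge package creates an icinga-web folder in /etc/
    with a few XML files, which are linked into the
    /usr/share/icinga-web/app/config XMLs through overwrite-tags.  The
    icinga-web documentation assumes the standard configs, so debugging is
    easier when those includes are not loaded (by simply not setting apache
    permissions on them).

    The httpd config path is defined once and without the trailing space
    the original literals carried ("icinga-web.conf "), so every helper
    addresses the same file whether it shells out or opens the path
    directly.

    Args:
        icinga_db_pass: password for the "icinga" MySQL user.
        web_sqlpassword: password for the icinga-web MySQL user.

    '''
    # Database passwords.  NOTE(review): the first replacement also changes
    # the user name from icinga_web to icinga-web — confirm it matches the
    # account created on the MySQL side.  Neither password is escaped for
    # set_config_property(), so characters special to its replacement
    # mechanism (elsewhere in syco "&" and "/" are escaped for the same
    # kind of call) may break the substitution.
    databases_xml = "/usr/share/icinga-web/app/config/databases.xml"
    general.use_original_file(databases_xml)
    general.set_config_property(
        databases_xml,
        "mysql://icinga_web:icinga_web",
        "mysql://icinga-web:{0}".format(web_sqlpassword),
        False
    )
    general.set_config_property(
        databases_xml,
        "mysql://icinga:icinga",
        "mysql://icinga:{0}".format(icinga_db_pass),
        False
    )

    # LDAP login through the cn=sssd service account.
    web_conf = "/etc/httpd/conf.d/icinga-web.conf"
    general.use_original_file(web_conf)
    x("rm -f " + web_conf)
    x("cp -p {0}icinga/icinga-web.conf /etc/httpd/conf.d/".format(constant.SYCO_VAR_PATH))
    ldap_dn = config.general.get_ldap_dn()
    htconf = scopen.scOpen(web_conf)
    htconf.replace("${BIND_DN}", "cn=sssd,%s" % ldap_dn)
    htconf.replace("${BIND_PASSWORD}", "%s" % app.get_ldap_sssd_password())
    htconf.replace("${LDAP_URL}", "ldaps://%s:636/%s?uid" % (config.general.get_ldap_hostname(), ldap_dn))
    x("/usr/bin/icinga-web-clearcache")

    # Timezone and language.
    translation_xml = "/usr/share/icinga-web/app/config/translation.xml"
    general.use_original_file(translation_xml)
    general.set_config_property(translation_xml, "default_locale=\"en\"", "default_locale=\"en\" default_timezone=\"CET\"", False)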
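def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Calls build_openvpn, optionally installs the LDAP auth plugin, generates
    the server PKI with easy-rsa on the first run, enables IP forwarding and
    the firewall chain, (re)starts the service and finally builds the client
    certificates.

    The "openvpn.ldap.enable" and "openvpn.ccd.enable" options are compared
    against a set of true spellings.  The original tested the raw config
    string for truthiness, so the "false" default (a non-empty string)
    counted as enabled and both features were always switched on.

    Args:
        args: command-line arguments; exactly two are required.  The second
            is presumably the openvpn version passed on to build_openvpn
            and build_client_certs.

    Raises:
        Exception: when args does not hold exactly two elements; the
            message shows the expected invocation.

    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    if len(args) != 2:
        raise Exception("syco install-openvpn-server 2.3.7")

    # Accepted spellings for an enabled boolean option.
    truthy = ("true", "yes", "on", "1")

    # Initialize all passwords
    enable_ldap = config.general.get_option(
        "openvpn.ldap.enable", "false").strip().lower() in truthy
    build_openvpn(args)
    x('mkdir /etc/openvpn')

    if enable_ldap:
        # Prompt for the bind password up front.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    # Everything below the guard runs only once: easy-rsa's presence marks
    # an already generated PKI.
    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):

        copy_easy_rsa()

        # Install server.conf
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        scOpen(server_conf).replace('${EXTERN_IP}', net.get_public_ip())
        scOpen(server_conf).replace('${OPENVPN_NETWORK}',
                                    config.general.get_openvpn_network())
        scOpen(server_conf).replace('${PUSH_ROUTES}', _get_push_routes())

        # Per-client config dir and client-to-client traffic are optional.
        ccd_enabled = config.general.get_option(
            "openvpn.ccd.enable", "false").strip().lower() in truthy
        ccd_dir = ""
        client_routes = ""
        c2c = ""

        if ccd_enabled:
            ccd_dir = "client-config-dir ccd"
            client_routes = _get_client_routes()
            c2c = "client-to-client"
            x('mkdir /etc/openvpn/ccd')

        scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
        scOpen(server_conf).replace('${CLIENT_ROUTES}', str(client_routes))
        scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
        scOpen(server_conf).replace('${DHCP_DNS_SERVERS}',
                                    _get_dhcp_dns_servers())
        # 4096-bit DH parameters and TLS 1.2 as the floor for the control
        # channel.
        scOpen(server_conf).replace('^dh.*dh1024.pem', 'dh dh4096.pem')
        scOpen(server_conf).add('\n')
        scOpen(server_conf).add('tls-version-min 1.2')

        # Prepare the ca cert generation.
        fn = "/etc/openvpn/easy-rsa/vars"
        scOpen(fn).replace(
            '[\s]*export KEY_COUNTRY.*',
            'export KEY_COUNTRY="' + config.general.get_country_name() + '"')
        scOpen(fn).replace(
            '[\s]*export KEY_PROVINCE.*',
            'export KEY_PROVINCE="' + config.general.get_state() + '"')
        scOpen(fn).replace(
            '[\s]*export KEY_CITY.*',
            'export KEY_CITY="' + config.general.get_locality() + '"')
        scOpen(fn).replace(
            '[\s]*export KEY_ORG.*',
            'export KEY_ORG="' + config.general.get_organization_name() + '"')
        scOpen(fn).replace(
            '[\s]*export KEY_OU.*', 'export KEY_OU="' +
            config.general.get_organizational_unit_name() + '"')
        scOpen(fn).replace(
            '[\s]*export KEY_EMAIL.*',
            'export KEY_EMAIL="' + config.general.get_admin_email() + '"')
        # SHA-256 signatures and 4096-bit keys for the generated PKI.
        scOpen(fn).replace('[\s]*export HASH_ALGO.*',
                           'export HASH_ALGO=sha256')
        scOpen(fn).replace('[\s]*export KEY_SIZE.*', 'export KEY_SIZE=4096')

        # Can't find the current version of openssl.cnf.
        scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
            "\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Generate CA cert.  NOTE(review): os.chdir() changes the process
        # working directory and nothing restores it afterwards.
        os.chdir("/etc/openvpn/easy-rsa/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh"
          )
        x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh4096.pem} /etc/openvpn/"
          )

        # Generate the tls-auth key.
        os.chdir("/etc/openvpn/")
        x("/usr/local/sbin/openvpn --genkey --secret ta.key")

        # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
        scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
            "unique_subject.*", "unique_subject = no")

    # To be able to route traffic to the internal network.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()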
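def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Installs the openvpn package, optionally the LDAP auth plugin, generates
    the server PKI with easy-rsa on the first run, enables IP forwarding and
    the firewall chain, (re)starts the service and finally builds the client
    certificates.

    The "openvpn.ldap.enable" and "openvpn.ccd.enable" options are compared
    against a set of true spellings.  The original tested the raw config
    string for truthiness, so the "false" default (a non-empty string)
    counted as enabled and both features were always switched on.

    Args:
        args: command-line arguments, passed on to build_client_certs.

    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Accepted spellings for an enabled boolean option.
    truthy = ("true", "yes", "on", "1")

    # Initialize all passwords
    enable_ldap = config.general.get_option(
        "openvpn.ldap.enable", "false").strip().lower() in truthy
    x("yum -y install openvpn")

    if enable_ldap:
        # Prompt for the bind password up front.
        app.get_ldap_sssd_password()
        x("yum -y install openvpn-auth-ldap")

    # Everything below the guard runs only once: easy-rsa's presence marks
    # an already generated PKI.
    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):

        copy_easy_rsa()

        # Install server.conf
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        scOpen(server_conf).replace('${EXTERN_IP}',  net.get_public_ip())
        scOpen(server_conf).replace('${OPENVPN_NETWORK}',  config.general.get_openvpn_network())
        scOpen(server_conf).replace('${PUSH_ROUTES}',  _get_push_routes())

        # Per-client config dir and client-to-client traffic are optional.
        ccd_enabled = config.general.get_option(
            "openvpn.ccd.enable", "false").strip().lower() in truthy
        ccd_dir = ""
        client_routes = ""
        c2c = ""

        if ccd_enabled:
            ccd_dir = "client-config-dir ccd"
            client_routes = _get_client_routes()
            c2c = "client-to-client"

        scOpen(server_conf).replace('${CCD_DIR}', ccd_dir)
        scOpen(server_conf).replace('${CLIENT_ROUTES}', client_routes)
        scOpen(server_conf).replace('${CLIENT_TO_CLIENT}', c2c)
        scOpen(server_conf).replace('${DHCP_DNS_SERVERS}', _get_dhcp_dns_servers())

        # Prepare the ca cert generation.
        fn = "/etc/openvpn/easy-rsa/vars"
        scOpen(fn).replace('[\s]*export KEY_COUNTRY.*',  'export KEY_COUNTRY="' + config.general.get_country_name() + '"')
        scOpen(fn).replace('[\s]*export KEY_PROVINCE.*', 'export KEY_PROVINCE="' + config.general.get_state() + '"')
        scOpen(fn).replace('[\s]*export KEY_CITY.*',     'export KEY_CITY="' + config.general.get_locality() + '"')
        scOpen(fn).replace('[\s]*export KEY_ORG.*',      'export KEY_ORG="' + config.general.get_organization_name() + '"')
        scOpen(fn).replace('[\s]*export KEY_OU.*',       'export KEY_OU="' + config.general.get_organizational_unit_name() + '"')
        scOpen(fn).replace('[\s]*export KEY_EMAIL.*',    'export KEY_EMAIL="' + config.general.get_admin_email() + '"')

        # Can't find the current version of openssl.cnf.
        scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace("\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Generate CA cert.  NOTE(review): os.chdir() changes the process
        # working directory and nothing restores it afterwards.  The DH
        # parameters are 1024-bit here, below current recommendations
        # (2048-bit or more).
        os.chdir("/etc/openvpn/easy-rsa/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
        x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

        # Generate the tls-auth key.
        os.chdir("/etc/openvpn/")
        x("openvpn --genkey --secret ta.key")

        # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
        scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace("unique_subject.*", "unique_subject = no")

    # To be able to route traffic to the internal network.
    net.enable_ip_forward()

    if enable_ldap:
        _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()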
def install_openvpn_server(args):
    '''
    The actual installation of openvpn server.

    Guarded by version.Version so it runs once per SCRIPT_VERSION. On a host
    that has no /etc/openvpn/easy-rsa yet it also seeds server.conf and the
    easy-rsa ``vars`` file from the syco config, then generates the CA,
    server certificate, DH parameters and the TLS-auth key; that whole
    branch is skipped on later runs, so the CA is never regenerated (which
    would invalidate every issued client cert). Afterwards IP forwarding,
    LDAP auth and the openvpn iptables chain are enabled, the service is
    restarted and the client certificates are built.

    Args:
        args: handed through unchanged to build_client_certs().
    '''
    app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
    version_obj.check_executed()

    # Collect every password up front so no prompt interrupts the later steps.
    app.get_ldap_sssd_password()

    x("yum -y install openvpn openvpn-auth-ldap")

    # First run only: the easy-rsa tree is the marker that the key material
    # has already been generated.
    if not os.access("/etc/openvpn/easy-rsa", os.F_OK):

        copy_easy_rsa()

        # Install server.conf from the syco template and fill in the
        # placeholders. Each getter is called right before its own
        # substitution, in the same order as before.
        server_conf = "/etc/openvpn/server.conf"
        x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
        server_conf_values = (
            ('${EXTERN_IP}', net.get_public_ip),
            ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
            ('${FRONT.NETWORK}', config.general.get_front_network),
            ('${FRONT.NETMASK}', config.general.get_front_netmask),
            ('${BACK.NETWORK}', config.general.get_back_network),
            ('${BACK.NETMASK}', config.general.get_back_netmask),
        )
        for placeholder, getter in server_conf_values:
            scOpen(server_conf).replace(placeholder, getter())

        # Prepare the CA cert generation: rewrite the ``export KEY_*`` lines
        # of the easy-rsa vars file with the organisation data from config.
        # NOTE(review): the values land unescaped inside a shell file that is
        # sourced (". ./vars") below, and scOpen.replace looks regex-based
        # (see the [\s]* patterns) — a value containing quotes, "$" or a
        # backslash would alter the generated subject or break the sourcing.
        # Confirm scOpen escapes the replacement text.
        vars_file = "/etc/openvpn/easy-rsa/vars"
        subject_fields = (
            ('KEY_COUNTRY', config.general.get_country_name),
            ('KEY_PROVINCE', config.general.get_state),
            ('KEY_CITY', config.general.get_locality),
            ('KEY_ORG', config.general.get_organization_name),
            ('KEY_OU', config.general.get_organizational_unit_name),
            ('KEY_EMAIL', config.general.get_admin_email),
        )
        for key, getter in subject_fields:
            scOpen(vars_file).replace(
                r'[\s]*export ' + key + '.*',
                'export ' + key + '="' + getter() + '"')

        # whichopensslcnf cannot locate the installed openssl.cnf version;
        # widen its glob.
        scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(
            r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

        # Generate the CA, the server cert and the DH parameters.
        # The cwd is changed here and never restored, so everything after
        # this function runs with cwd = /etc/openvpn/ (see the second chdir
        # below) — TODO confirm build_client_certs() does not rely on the
        # previous cwd.
        os.chdir("/etc/openvpn/easy-rsa/")
        x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh"
          )
        # NOTE(review): this copies the CA private key (ca.key) next to the
        # server key, so the CA stays online on the VPN host and anyone who
        # can read /etc/openvpn/ can issue client certs — the file modes
        # there are what protect it; confirm they are root-only.
        x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/"
          )

        # Generate the TLS-auth shared secret.
        os.chdir("/etc/openvpn/")
        x("openvpn --genkey --secret ta.key")

        # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
        scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace(
            "unique_subject.*", "unique_subject = no")

    # Needed so VPN traffic can be routed on to the internal networks.
    net.enable_ip_forward()

    _setup_ldap()

    iptables.add_openvpn_chain()
    iptables.save()

    x("/etc/init.d/openvpn restart")
    x("/sbin/chkconfig openvpn on")

    build_client_certs(args)

    version_obj.mark_executed()
def install_openvpn_server(args):
  '''
  The actual installation of openvpn server.

  Guarded by version.Version so it runs once per SCRIPT_VERSION. On a host
  that has no /etc/openvpn/easy-rsa yet it copies the easy-rsa 2.0 tree,
  seeds server.conf and the easy-rsa ``vars`` file from the syco config and
  generates the CA, server certificate and DH parameters; that branch is
  skipped on later runs, so the CA is never regenerated. Afterwards IP
  forwarding, LDAP auth and the openvpn iptables chain are enabled, the
  service is restarted and the client certificates are built.

  Args:
      args: handed through unchanged to build_client_certs().
  '''
  app.print_verbose("Install openvpn server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallOpenvpnServer", SCRIPT_VERSION)
  version_obj.check_executed()

  # Collect every password up front so no prompt interrupts the later steps.
  app.get_ldap_sssd_password()

  x("yum -y install openvpn openvpn-auth-ldap")

  # First run only: the easy-rsa tree is the marker that the key material
  # has already been generated.
  if not os.access("/etc/openvpn/easy-rsa", os.F_OK):
    x("cp -R /usr/share/openvpn/easy-rsa/2.0 /etc/openvpn/easy-rsa")

    # Install server.conf from the syco template and fill in the
    # placeholders; each getter is called right before its own substitution.
    server_conf = "/etc/openvpn/server.conf"
    x("cp " + app.SYCO_PATH + "/var/openvpn/server.conf %s" % server_conf)
    server_conf_values = (
      ('${EXTERN_IP}', net.get_public_ip),
      ('${OPENVPN.NETWORK}', config.general.get_openvpn_network),
      ('${FRONT.NETWORK}', config.general.get_front_network),
      ('${FRONT.NETMASK}', config.general.get_front_netmask),
      ('${BACK.NETWORK}', config.general.get_back_network),
      ('${BACK.NETMASK}', config.general.get_back_netmask),
    )
    for placeholder, getter in server_conf_values:
      scOpen(server_conf).replace(placeholder, getter())

    # Prepare the CA cert generation: rewrite the ``export KEY_*`` lines of
    # the easy-rsa vars file with the organisation data from config.
    # NOTE(review): the values land unescaped inside a shell file that is
    # sourced (". ./vars") below, and scOpen.replace looks regex-based (see
    # the [\s]* patterns) — a value containing quotes, "$" or a backslash
    # would alter the generated subject or break the sourcing. Confirm
    # scOpen escapes the replacement text.
    vars_file = "/etc/openvpn/easy-rsa/vars"
    subject_fields = (
      ('KEY_COUNTRY', config.general.get_country_name),
      ('KEY_PROVINCE', config.general.get_state),
      ('KEY_CITY', config.general.get_locality),
      ('KEY_ORG', config.general.get_organization_name),
      ('KEY_OU', config.general.get_organizational_unit_name),
      ('KEY_EMAIL', config.general.get_admin_email),
    )
    for key, getter in subject_fields:
      scOpen(vars_file).replace(
        r'[\s]*export ' + key + '.*',
        'export ' + key + '="' + getter() + '"')

    # whichopensslcnf cannot locate the installed openssl.cnf version; widen
    # its glob.
    scOpen("/etc/openvpn/easy-rsa/whichopensslcnf").replace(r"\[\[\:alnum\:\]\]", "[[:alnum:]]*")

    # Generate the CA, the server cert and the DH parameters.
    # The cwd is changed here and never restored, so everything after this
    # function runs with cwd = /etc/openvpn/easy-rsa/ — TODO confirm
    # build_client_certs() does not rely on the previous cwd.
    os.chdir("/etc/openvpn/easy-rsa/")
    x(". ./vars;./clean-all;./build-ca --batch;./build-key-server --batch server;./build-dh")
    # NOTE(review): this copies the CA private key (ca.key) next to the
    # server key, so the CA stays online on the VPN host and anyone who can
    # read /etc/openvpn/ can issue client certs — the file modes there are
    # what protect it; confirm they are root-only.
    x("cp /etc/openvpn/easy-rsa/keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/")

    # To prevent error "TXT_DB error number 2" when running ./build-key-pkcs12 --batch xxx"
    scOpen("/etc/openvpn/easy-rsa/keys/index.txt.attr").replace("unique_subject.*", "unique_subject = no")

  # Needed so VPN traffic can be routed on to the internal networks.
  net.enable_ip_forward()

  _setup_ldap()

  iptables.add_openvpn_chain()
  iptables.save()

  x("/etc/init.d/openvpn restart")
  x("/sbin/chkconfig openvpn on")

  build_client_certs(args)

  version_obj.mark_executed()
def configure_sssd(augeas):
    """
    Write the syco settings into /etc/sssd/sssd.conf and restart sssd.

    Every key is written with ``augeas.set_enhanced``. Apart from one key in
    the ``pam`` section and one in the ``sssd`` section, all settings go
    into the ``domain/default`` section. Once the config is written the
    cached config database is removed, sssd is restarted and enabled at
    boot.

    Args:
        augeas: the project's Augeas wrapper; only ``set_enhanced(path,
            value)`` is called on it.
    """
    sssd_conf = "/files/etc/sssd/sssd.conf/"
    domain = sssd_conf + "target[. = 'domain/default']/"

    def set_domain(key, value):
        # All domain/default keys are addressed the same way.
        augeas.set_enhanced(domain + key, value)

    # If the authentication provider is offline, this sets for how long
    # cached log-ins are allowed (in days), measured from the last successful
    # online log-in. 0 means no limit; we want credentials cached even when
    # no one has logged in yet.
    augeas.set_enhanced(
        sssd_conf + "target[. = 'pam']/offline_credentials_expiration", "0")

    # Enumeration caches the whole remote user/group set locally instead of
    # fetching entries only as they are requested.
    set_domain("enumerate", "true")

    # Client certificate auth towards the LDAP server. Cert and key point at
    # the same file, so client.pem is presumably a combined cert+key bundle
    # (TODO confirm against install_certs()). reqcert=demand makes sssd
    # refuse a server whose certificate does not verify.
    set_domain("ldap_tls_cert", "/etc/openldap/cacerts/client.pem")
    set_domain("ldap_tls_key", "/etc/openldap/cacerts/client.pem")
    set_domain("ldap_tls_reqcert", "demand")

    # Only users with this employeeType are allowed to login to this computer.
    set_domain("access_provider", "ldap")
    set_domain("ldap_access_filter", "(employeeType=Sysop)")

    # Bind to ldap as the dedicated sssd service user. The bind password is
    # written in clear text into sssd.conf, so the file must stay root-only
    # (sssd requires a root-owned, non-world-readable sssd.conf) — TODO
    # confirm the augeas save preserves the file mode.
    set_domain("ldap_default_bind_dn", "cn=sssd," + config.general.get_ldap_dn())
    set_domain("ldap_default_authtok_type", "password")
    set_domain("ldap_default_authtok", app.get_ldap_sssd_password())

    # Enable caching of sudo rules (intervals in seconds).
    set_domain("sudo_provider", "ldap")
    set_domain("ldap_sudo_full_refresh_interval", "86400")
    set_domain("ldap_sudo_smart_refresh_interval", "3600")

    # Low timeouts so the cache is used when ldap is slow or down.
    for timeout_key in ("ldap_search_timeout",
                        "ldap_enumeration_search_timeout",
                        "ldap_network_timeout"):
        set_domain(timeout_key, "5")

    # sssd section settings
    augeas.set_enhanced(sssd_conf + "target[. = 'sssd']/services", "nss,pam,sudo")

    # Bump the modification time before restarting, otherwise sssd will not
    # reload the config file.
    x("touch /etc/sssd/sssd.conf")

    # Drop the cached config db and restart so every new setting is read.
    x("rm /var/lib/sss/db/config.ldb")
    x("service sssd restart")

    # Start sssd after reboot.
    x("chkconfig sssd on")