示例#1
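def rsyslog_newcerts(args):
    """
    Generate new tls certs for rsyslog server

    Creates /etc/pki/rsyslog, generates a fresh CA key and a self-signed CA
    certificate there, then installs the server certificate template and the
    client key generator script next to them. `args` is not read.

    Regenerating ca.key replaces the trust anchor: certificates signed with
    the previous CA key will not verify against the new ca.crt.

    NOTE: This needs to be executed once a year.

    """
    x("mkdir -p /etc/pki/rsyslog")

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    hostname = "{0}.{1}".format(net.get_hostname(), config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA
    # NOTE(review): ca.key is the signing key for every rsyslog cert; confirm
    # it ends up readable by its owner only.
    x("certtool --generate-privkey --outfile /etc/pki/rsyslog/ca.key")
    x("certtool --generate-self-signed --load-privkey /etc/pki/rsyslog/ca.key "+
      "--outfile /etc/pki/rsyslog/ca.crt " +
      "--template {0}".format(template_ca)
    )

    # Copy server template and cert/key generator script
    target_template = '/etc/pki/rsyslog/template.server'
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(target_template))
    # The original passed `fqdn` here, a name this function never binds; the
    # fully qualified name built above is used instead.
    # NOTE(review): confirm no module-level `fqdn` was intended.
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} /etc/pki/rsyslog/".format(generator_script))
    # 700: only the file owner may read or run the generator.
    x("chmod 700 /etc/pki/rsyslog/{0}".format(generator_script))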
示例#2
def rsyslog_newcerts(args):
    '''
    Recreate the rsyslog CA and issue a certificate for every host returned
    by get_servers().

    A new CA key and self-signed CA certificate are written under
    /etc/pki/rsyslog before any host certificate is created. `args` is not
    read.

    NOTE: This needs to be executed once a year.

    '''
    pki_dir = "/etc/pki/rsyslog"
    x("mkdir -p " + pki_dir)

    # Working copy of the CA template, filled in with this machine's FQDN.
    ca_template = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(ca_template))

    local_fqdn = "{0}.{1}".format(
        net.get_hostname(), config.general.get_resolv_domain()
    )
    _replace_tags(ca_template, local_fqdn)

    # CA key first, then the self-signed CA certificate built from it.
    ca_key = pki_dir + "/ca.key"
    ca_crt = pki_dir + "/ca.crt"
    x("certtool --generate-privkey --outfile {0}".format(ca_key))
    x(" ".join([
        "certtool --generate-self-signed",
        "--load-privkey " + ca_key,
        "--outfile " + ca_crt,
        "--template {0}".format(ca_template),
    ]))

    # One key/certificate pair per configured server, signed by the new CA.
    for server_name in get_servers():
        _create_cert(server_name)
示例#3
文件: common.py 项目: Nemie/syco
def customize_shell():
    """
    Apply shell defaults: history timestamps, coloured grep and keeping
    SSH_AUTH_SOCK across sudo.

    The sudoers change is made on a copy that must pass `visudo -c` before
    it replaces /etc/sudoers.
    """
    app.print_verbose("Customize shell")

    app.print_verbose("  Add Date And Time To History Output")
    bashrc = scOpen("/etc/bashrc")
    bashrc.replace_add(
        "^export HISTTIMEFORMAT=.*$",
        'export HISTTIMEFORMAT="%h/%d - %H:%M:%S "'
    )

    app.print_verbose("  Add Color To Grep")
    # Same two exports for root and for the skeleton copied to new users.
    for profile_path in ("/root/.bash_profile", "/etc/skel/.bash_profile"):
        profile = scOpen(profile_path)
        profile.replace_add("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'")
        profile.replace_add(
            "^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto"
        )

    app.print_verbose("  Enable SSH key forwarding to work with sudo su")
    # With SSH_AUTH_SOCK kept, a forwarded agent stays usable from the
    # elevated session.
    env_keep_line = 'Defaults    env_keep += "SSH_AUTH_SOCK"'
    tmp_sudo_file = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + tmp_sudo_file)
    sudoers = scOpen(tmp_sudo_file)
    # Remove-then-add keeps the line present exactly once on repeated runs.
    sudoers.remove(env_keep_line)
    sudoers.add(env_keep_line)

    check_output = x("visudo -c -f " + tmp_sudo_file)
    if tmp_sudo_file + ": parsed OK" not in check_output:
        app.print_error("Temporary sudoers file corrupt, not updating")
        return
    x("mv " + tmp_sudo_file + " /etc/sudoers")
示例#4
文件: common.py 项目: ysoldak/syco
def customize_shell():
    """
    Configure bash history timestamps, grep colouring and sudo's handling of
    SSH_AUTH_SOCK.

    /etc/sudoers is only replaced when the edited copy is reported as
    "parsed OK" by `visudo -c`.
    """
    app.print_verbose("Customize shell")

    app.print_verbose("  Add Date And Time To History Output")
    history_pattern = "^export HISTTIMEFORMAT=.*$"
    history_export = 'export HISTTIMEFORMAT="%h/%d - %H:%M:%S "'
    scOpen("/etc/bashrc").replace_add(history_pattern, history_export)

    app.print_verbose("  Add Color To Grep")
    grep_exports = (
        ("^export GREP_COLOR=.*$", "export GREP_COLOR='1;32'"),
        ("^export GREP_OPTIONS=.*$", "export GREP_OPTIONS=--color=auto"),
    )

    root = scOpen("/root/.bash_profile")
    for pattern, export_line in grep_exports:
        root.replace_add(pattern, export_line)

    skel = scOpen("/etc/skel/.bash_profile")
    for pattern, export_line in grep_exports:
        skel.replace_add(pattern, export_line)

    app.print_verbose("  Enable SSH key forwarding to work with sudo su")
    keep_agent_socket = 'Defaults    env_keep += "SSH_AUTH_SOCK"'
    tmp_sudo_file = get_install_dir() + "sudoers"
    x("cp /etc/sudoers " + tmp_sudo_file)

    # Edit the copy only; the live file is untouched until validation passes.
    sudoers = scOpen(tmp_sudo_file)
    sudoers.remove(keep_agent_socket)
    sudoers.add(keep_agent_socket)

    visudo_output = x("visudo -c -f " + tmp_sudo_file)
    parsed_ok = (tmp_sudo_file + ": parsed OK") in visudo_output
    if parsed_ok:
        x("mv " + tmp_sudo_file + " /etc/sudoers")
    else:
        app.print_error("Temporary sudoers file corrupt, not updating")
示例#5
def _create_cert(hostname):
    '''
    Create a private key, a signing request and a CA-signed certificate for
    one rsyslog host.

    hostname is the short host name; the resolv domain from the config is
    appended to form the FQDN used in file names and in the template.
    Output goes to /etc/pki/rsyslog/<fqdn>.key, .csr and .crt, signed with
    /etc/pki/rsyslog/ca.key.

    '''
    domain = config.general.get_resolv_domain()
    fqdn = "{0}.{1}".format(hostname, domain)
    app.print_verbose("Create cert for host: {0}".format(fqdn))

    # Per-host copy of the server template with its tags filled in.
    template_server = "{0}template.{1}".format(get_install_dir(), fqdn)
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(template_server))
    _replace_tags(template_server, fqdn)

    key_file = "/etc/pki/rsyslog/{0}.key".format(fqdn)
    csr_file = "/etc/pki/rsyslog/{0}.csr".format(fqdn)
    crt_file = "/etc/pki/rsyslog/{0}.crt".format(fqdn)

    # Create key
    x("certtool --generate-privkey --outfile {0}".format(key_file))

    # Create cert
    x("certtool --generate-request --load-privkey {0} --outfile {1} --template {2}"
      .format(key_file, csr_file, template_server))

    # Sign cert
    x(" ".join([
        "certtool --generate-certificate",
        "--load-request {0}".format(csr_file),
        "--outfile {0}".format(crt_file),
        "--load-ca-certificate /etc/pki/rsyslog/ca.crt",
        "--load-ca-privkey /etc/pki/rsyslog/ca.key",
        "--template {0}".format(template_server),
    ]))
示例#6
def rsyslog_newcerts(args):
    """
    Build a fresh rsyslog CA, then create a certificate for each host from
    get_servers().

    The CA key and certificate are written to /etc/pki/rsyslog/ca.key and
    /etc/pki/rsyslog/ca.crt. `args` is not read.

    NOTE: This needs to be executed once a year.

    """
    x("mkdir -p /etc/pki/rsyslog")

    ca_key = "/etc/pki/rsyslog/ca.key"
    ca_crt = "/etc/pki/rsyslog/ca.crt"

    # Copy the CA template into the install dir and fill in this host's FQDN.
    install_dir = get_install_dir()
    template_ca = "{0}template.ca".format(install_dir)
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    short_name = net.get_hostname()
    domain = config.general.get_resolv_domain()
    hostname = "{0}.{1}".format(short_name, domain)
    _replace_tags(template_ca, hostname)

    # Making CA
    x("certtool --generate-privkey --outfile " + ca_key)
    x(
        "certtool --generate-self-signed --load-privkey {0} "
        "--outfile {1} --template {2}".format(ca_key, ca_crt, template_ca)
    )

    # Issue the per-server certificates with the CA created above.
    for server in get_servers():
        _create_cert(server)
示例#7
def _create_cert(hostname):
    """
    Issue key, request and signed certificate for a single rsyslog host.

    The host's FQDN is hostname plus the configured resolv domain. All
    output files live in /etc/pki/rsyslog and are named after the FQDN; the
    certificate is signed with ca.crt/ca.key from the same directory.

    """
    fqdn = "{0}.{1}".format(hostname, config.general.get_resolv_domain())
    app.print_verbose("Create cert for host: {0}".format(fqdn))

    template_server = "{0}template.{1}".format(get_install_dir(), fqdn)
    copy_template = "cp -f /opt/syco/var/rsyslog/template.server {0}"
    x(copy_template.format(template_server))
    _replace_tags(template_server, fqdn)

    base = "/etc/pki/rsyslog/{0}".format(fqdn)
    template_arg = "--template {0}".format(template_server)

    # Create key
    x("certtool --generate-privkey --outfile " + base + ".key")

    # Create cert (signing request built from the new key)
    request_cmd = [
        "certtool --generate-request",
        "--load-privkey " + base + ".key",
        "--outfile " + base + ".csr",
        template_arg,
    ]
    x(" ".join(request_cmd))

    # Sign cert with the rsyslog CA
    sign_cmd = [
        "certtool --generate-certificate",
        "--load-request " + base + ".csr",
        "--outfile " + base + ".crt",
        "--load-ca-certificate /etc/pki/rsyslog/ca.crt",
        "--load-ca-privkey /etc/pki/rsyslog/ca.key",
        template_arg,
    ]
    x(" ".join(sign_cmd))
示例#8
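def rsyslog_newcerts(args):
    """
    Generate new tls certs for rsyslog server

    Writes a new CA key and self-signed CA certificate to /etc/pki/rsyslog,
    then places the server template and the client key generator script in
    the same directory. `args` is not read.

    Because ca.key is regenerated, certificates issued by the previous CA
    will not validate against the new ca.crt.

    NOTE: This needs to be executed once a year.

    """
    pki_dir = "/etc/pki/rsyslog"
    x("mkdir -p {0}".format(pki_dir))

    # Copy certs template
    template_ca = "{0}template.ca".format(get_install_dir())
    x("cp -f /opt/syco/var/rsyslog/template.ca {0}".format(template_ca))

    hostname = "{0}.{1}".format(net.get_hostname(),
                                config.general.get_resolv_domain())
    _replace_tags(template_ca, hostname)

    # Making CA
    # NOTE(review): verify ca.key is left owner-readable only; it signs every
    # rsyslog certificate.
    x("certtool --generate-privkey --outfile {0}/ca.key".format(pki_dir))
    x("certtool --generate-self-signed --load-privkey {0}/ca.key "
      "--outfile {0}/ca.crt --template {1}".format(pki_dir, template_ca))

    # Copy server template and cert/key generator script
    target_template = '{0}/template.server'.format(pki_dir)
    x("cp -f /opt/syco/var/rsyslog/template.server {0}".format(
        target_template))
    # `fqdn` was referenced here without being bound anywhere in this
    # function; the FQDN computed above is passed instead.
    # NOTE(review): confirm a module-level `fqdn` was not the intended value.
    _replace_tags(target_template, hostname)

    # New generator script used by clients directly
    generator_script = "syco-gen-rsyslog-client-keys.sh"
    x("cp -f /opt/syco/var/rsyslog/{0} {1}/".format(
        generator_script, pki_dir))
    # Owner-only read/execute on the generator.
    x("chmod 700 {0}/{1}".format(pki_dir, generator_script))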
示例#9
def _setup_default_database():
    '''
    Create the default sqlite database for openvas.

    The sql file is a dump of the database after a regular openvas
    installation. Its ${SYCO_HOSTS} and ${SYCO_ALERT_EMAIL} placeholders are
    replaced with config values before the file is fed to sqlite3.

    '''
    app.print_verbose('Setup default database')

    dump_source = "{0}var/openvas/sql_init.sql".format(app.SYCO_PATH)
    dump_copy = "{0}sql_init.sql".format(get_install_dir())
    x("cp -f {0} {1}".format(dump_source, dump_copy))

    # The config values are substituted into the SQL text as-is.
    # NOTE(review): presumably they are trusted; a quote in either value
    # would alter the statements that get executed.
    sql = scOpen("{0}sql_init.sql".format(get_install_dir()))
    subnet = config.general.get_subnet()
    sql.replace("${SYCO_HOSTS}", subnet)
    admin_email = config.general.get_admin_email()
    sql.replace("${SYCO_ALERT_EMAIL}", admin_email)

    load_cmd = "cat {0}sql_init.sql | sqlite3 /var/lib/openvas/mgr/tasks.db"
    x(load_cmd.format(get_install_dir()))
示例#10
def _setup_default_database():
    '''
    Load the default openvas task database into sqlite.

    sql_init.sql is a dump taken after a regular openvas installation. A
    copy is placed in the install dir, its placeholders are filled in from
    the config, and the result is piped into
    /var/lib/openvas/mgr/tasks.db.

    '''
    app.print_verbose('Setup default database')

    copy_cmd = "cp -f {0}var/openvas/sql_init.sql {1}sql_init.sql"
    x(copy_cmd.format(app.SYCO_PATH, get_install_dir()))

    sql_path = "{0}sql_init.sql".format(get_install_dir())
    sql = scOpen(sql_path)

    # Placeholder substitution is plain text replacement, no SQL escaping.
    sql.replace("${SYCO_HOSTS}", config.general.get_subnet())
    sql.replace("${SYCO_ALERT_EMAIL}", config.general.get_admin_email())

    import_cmd = "cat {0}sql_init.sql | sqlite3 /var/lib/openvas/mgr/tasks.db"
    x(import_cmd.format(get_install_dir()))
示例#11
def copy_easy_rsa():
    """
    Download the easy-rsa v2.2.0 archive and install its easy-rsa/2.0 tree
    as /etc/openvpn/easy-rsa.

    unzip is installed for the extraction and removed again afterwards.
    """
    archive = "v2.2.0.zip"

    # Download with md5 verification. MD5 is not collision resistant.
    # NOTE(review): prefer a SHA-256 pin if download_file supports one; only
    # the md5 keyword is visible here.
    download_file(EASY_RSA_DOWNLOAD, archive, md5=EASY_RSA_MD5)

    # Unpack inside the install dir, then move the 2.0 tree into place.
    workdir = get_install_dir()
    x("yum -y install unzip")
    x("unzip {0}{1} -d {0}".format(workdir, archive))
    extracted_tree = "{0}easy-rsa-2.2.0/easy-rsa/2.0".format(workdir)
    x("mv {0} /etc/openvpn/easy-rsa".format(extracted_tree))
    x("yum -y remove unzip")
示例#12
def copy_easy_rsa():
    """
    Fetch easy-rsa v2.2.0, verify the download against EASY_RSA_MD5 and
    move the extracted easy-rsa/2.0 directory to /etc/openvpn/easy-rsa.
    """
    zip_name = "v2.2.0.zip"

    # The md5 value is the only integrity check on the archive visible here.
    download_file(EASY_RSA_DOWNLOAD, zip_name, md5=EASY_RSA_MD5)

    install_dir = get_install_dir()
    commands = (
        # unzip is only needed for this one extraction.
        "yum -y install unzip",
        "unzip {0}{1} -d {0}".format(install_dir, zip_name),
        "mv {0}easy-rsa-2.2.0/easy-rsa/2.0 /etc/openvpn/easy-rsa".format(
            install_dir),
        "yum -y remove unzip",
    )
    for command in commands:
        x(command)
示例#13
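def _install_nrpe_plugins_dependencies():
    '''
    Install libraries/binaries that the NRPE-plugins depend on.

    Also writes /etc/sudoers.d/nrpe, which lets the nrpe user run the listed
    plugins (and, on hosts and firewalls, hpasmcli) through sudo without a
    password, and sets that file to mode 0440.

    '''
    # Dependency for check_rsyslog
    x("yum install -y MySQL-python")

    # Dependency for check_clamav
    # The original package list contained a pasted "sudo yum install" in the
    # middle, which made yum look for packages named "yum" and "install".
    x("yum install -y nagios-plugins-perl perl-Net-DNS-Resolver-Programmable "
      "sudo perl-suidperl")

    # Every command listed below runs as root for the nrpe user without a
    # password, so each target has to be root-owned and not writable by nrpe.
    # NOTE(review): ownership and mode of PLG_PATH are not set in this
    # function; confirm they are enforced elsewhere.
    nrpe_sudoers_file = scopen.scOpen("/etc/sudoers.d/nrpe")
    nrpe_sudoers_file.add("Defaults:nrpe !requiretty")
    sudo_plugins = (
        "check_clamav",
        "check_clamscan",
        "check_disk",
        "get_services",
        "mysql/pmp-check-mysql-deleted-files",
        "mysql/pmp-check-mysql-file-privs",
    )
    for plugin in sudo_plugins:
        nrpe_sudoers_file.add(
            "nrpe ALL=NOPASSWD:{0}{1}".format(PLG_PATH, plugin)
        )

    # Dependency for check_clamscan
    x("yum install -y perl-Proc-ProcessTable perl-Date-Calc")

    # Dependency for check_ldap
    x("yum install -y php-ldap php-cli")

    # Dependency for hosts/firewall hardware checks
    host_config_object = config.host(net.get_hostname())
    if host_config_object.is_host() or host_config_object.is_firewall():

        # Return value is not used. NOTE(review): the call is kept in case it
        # has side effects the bare file name in the yum install relies on.
        general.get_install_dir()

        # Download and install HP health monitoring package
        general.download_file(
            HP_HEALTH_URL, HP_HEALTH_FILENAME, md5=HP_HEALTH_MD5
        )
        x("yum install {0} -y".format(HP_HEALTH_FILENAME))

        # Remove the crontab shipped with the package
        x("rm -f /etc/cron.d/hp-health")

        # Let nrpe run hpasmcli
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:/sbin/hpasmcli")
        nrpe_sudoers_file.add("nrpe ALL=NOPASSWD:{0}check_hpasm".format(PLG_PATH))

        x("service hp-health start")

    # sudo (not the kernel) rejects sudoers files with loose permissions;
    # 0440 is the mode it expects.
    # NOTE(review): the file is not validated with `visudo -c -f` before it
    # goes live.
    x("chmod 0440 /etc/sudoers.d/nrpe")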
示例#14
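def build_ossec(preloaded_conf):
    """
    Download, unpack and build OSSEC with a preloaded answer file.

    preloaded_conf is the file name under /opt/syco/var/ossec/osseconf/ that
    is copied to etc/preloaded-vars.conf in the build tree before install.sh
    is run.
    """
    x('yum install gcc make perl-Time-HiRes -y')

    # Downloading and md5 checking
    # install.sh from this archive is executed below, so the checksum is the
    # only integrity gate visible here. MD5 is not collision resistant.
    # NOTE(review): prefer a SHA-256 pin if download_file supports one.
    download_file(OSSEC_DOWNLOAD, "ossec-hids.tar.gz", md5=OSSEC_MD5)

    # Preparing OSSEC for building
    install_dir = get_install_dir()
    x("tar -C {0} -zxf {0}ossec-hids.tar.gz".format(install_dir))
    x("mv {0}ossec-hids-* {0}ossecbuild".format(install_dir))

    # Copying in ossec settings before build.
    # '\\cp' is the same command text as before ('\c' is not a valid Python
    # escape); the leading backslash makes the shell skip any alias for cp.
    x('\\cp -f /opt/syco/var/ossec/osseconf/{0} {1}ossecbuild/etc/preloaded-vars.conf'.format(preloaded_conf, install_dir))

    # Building OSSEC
    x('{0}ossecbuild/install.sh'.format(install_dir))

    # Autostart ossec.
    x("chkconfig ossec on")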
示例#15
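def build_ossec(preloaded_conf):
    """
    Fetch the OSSEC source archive, verify it against OSSEC_MD5 and run its
    install.sh with the given preloaded-vars file.

    preloaded_conf names a file in /opt/syco/var/ossec/osseconf/ that becomes
    etc/preloaded-vars.conf inside the unpacked build directory.
    """
    # Build tool chain needed by install.sh
    x('yum install gcc make perl-Time-HiRes -y')

    # Downloading and md5 checking. The archive's install.sh is executed
    # further down, so this check is what the build trusts.
    # NOTE(review): MD5 is not collision resistant; use a SHA-256 pin if
    # download_file offers one.
    archive = "ossec-hids.tar.gz"
    download_file(OSSEC_DOWNLOAD, archive, md5=OSSEC_MD5)

    # Preparing OSSEC for building
    install_dir = get_install_dir()
    build_dir = "{0}ossecbuild".format(install_dir)
    x("tar -C {0} -zxf {0}{1}".format(install_dir, archive))
    x("mv {0}ossec-hids-* {1}".format(install_dir, build_dir))

    # Copying in ossec settings before build. The literal is written as
    # '\\cp' because '\c' is an invalid escape sequence in Python; the command
    # text is unchanged and still starts with a backslash so that the shell
    # ignores any cp alias.
    x('\\cp -f /opt/syco/var/ossec/osseconf/{0} {1}/etc/preloaded-vars.conf'
      .format(preloaded_conf, build_dir))

    # Building OSSEC
    x('{0}/install.sh'.format(build_dir))

    # Autostart ossec.
    x("chkconfig ossec on")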
示例#16
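def _generate_client_keys():
    '''
    Generating keys for all ossec clients.

    And prepare separate key files that can be downloaded by each client.
    Each agent is registered under its short host name; its key file is
    named after the fully qualified name.

    '''
    install_dir = get_install_dir()

    # Exact match on the agent-name column, assuming client.keys lines are
    # "ID NAME IP KEY". The previous `grep NAME` was a substring match, so
    # the file for "web1" also received the key line of "web10". The END
    # block keeps a non-zero exit status when nothing matched, as grep did.
    select_agent = "'$2 == name { print; found = 1 } END { exit !found }'"

    for server in get_servers():
        fqdn = '{0}'.format(server)
        fqdn2 = '{0}.{1}'.format(server, config.general.get_resolv_domain())
        x("{0}ossecbuild/contrib/ossec-batch-manager.pl -a --name {1} --ip {2}"
          .format(install_dir, fqdn,
                  config.host(server).get_front_ip()))

        # Prepare separate key files that can be downloaded by each client.
        x("awk -v name='{0}' ".format(fqdn) + select_agent +
          " /var/ossec/etc/client.keys > " +
          "/var/ossec/etc/{0}_client.keys".format(fqdn2))

    # Key files hold agent authentication secrets: no access for others.
    x('chmod 640 /var/ossec/etc/*.keys')
    x('chown ossec:ossec  /var/ossec/etc/*.keys')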
示例#17
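def _generate_client_keys():
    '''
    Generating keys for all ossec clients.

    And prepare separate key files that can be downloaded by each client.
    Agents are registered under their fully qualified name, which is also
    used for the per-client key file name.

    '''
    install_dir = get_install_dir()

    # Select the client.keys line whose agent-name column equals the FQDN,
    # assuming the "ID NAME IP KEY" layout. The previous `grep FQDN` treated
    # the name as an unanchored regex, so "db.example.com" also matched the
    # line of "mydb.example.com" and that key ended up in the wrong file.
    # The END block exits non-zero when no line matched, as grep did.
    select_agent = "'$2 == name { print; found = 1 } END { exit !found }'"

    for server in get_servers():
        fqdn = '{0}.{1}'.format(server, config.general.get_resolv_domain())
        x("{0}ossecbuild/contrib/ossec-batch-manager.pl -a -n {1} -p {2}".format(
            install_dir, fqdn, config.host(server).get_front_ip())
        )

        # Prepare separate key files that can be downloaded by each client.
        x(
            "awk -v name='{0}' ".format(fqdn) + select_agent +
            " /var/ossec/etc/client.keys > " +
            "/var/ossec/etc/{0}_client.keys".format(fqdn)
        )

    # Key files hold agent authentication secrets: no access for others.
    x('chmod 640 /var/ossec/etc/*.keys')
    x('chown ossec:ossec  /var/ossec/etc/*.keys')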
示例#18
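def install_ossec_server(args):
    '''
    Install OSSEC server on the server

    Builds OSSEC with the server preloaded-vars file, generates the client
    keys, installs the syco server config and local rules, enables
    client-syslog, adds the iptables chain and restarts ossec. `args` is not
    read. The version object brackets the run with check_executed() and
    mark_executed().

    '''
    app.print_verbose("Install ossecd.")
    version_obj = version.Version("InstallOssecd", SCRIPT_VERSION)
    version_obj.check_executed()
    # Return value is not used. NOTE(review): the call is kept in case it
    # has side effects.
    get_install_dir()
    build_ossec("preloaded-vars-server.conf")
    _generate_client_keys()

    # Setup server config and local rules from syco.
    # '\\cp' is the same command text as before ('\c' is not a valid Python
    # escape); the leading backslash makes the shell skip any alias for cp.
    x('\\cp -f ' + SYCO_FO_PATH +
      'var/ossec/ossec_server.conf /var/ossec/etc/ossec.conf')
    # root owns the config; the ossec group may read it, others get nothing.
    x('chown root:ossec /var/ossec/etc/ossec.conf')
    x('chmod 640 /var/ossec/etc/ossec.conf')

    # Configure rules
    x('cp -f ' + SYCO_FO_PATH +
      'var/ossec/local_rules.xml /var/ossec/rules/local_rules.xml')
    # Recursive tightening of /var/ossec/rules (dirs 750, files 640) is
    # disabled; only local_rules.xml is adjusted here.
    #x("find /var/ossec/rules -type d -print0 | xargs -0 chmod 750")
    #x("find /var/ossec/rules -type f -print0 | xargs -0 chmod 640")
    x('chown root:ossec /var/ossec/rules/local_rules.xml')
    x('chmod 640  /var/ossec/rules/local_rules.xml')

    # Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    x("service ossec restart")

    # Clean up install: remove the compiler installed for the build.
    x('yum remove gcc perl-Time-HiRes -y')

    version_obj.mark_executed()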
示例#19
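def install_ossec_server(args):
    '''
    Install OSSEC server on the server

    Steps: build OSSEC with preloaded-vars-server.conf, generate client keys,
    copy the server config and local rules from /opt/syco, enable
    client-syslog, add the iptables chain, restart ossec and remove the build
    tools. `args` is not read.

    '''
    app.print_verbose("Install ossecd.")
    version_obj = version.Version("InstallOssecd", SCRIPT_VERSION)
    version_obj.check_executed()
    # Return value is not used. NOTE(review): the call is kept in case it
    # has side effects.
    get_install_dir()
    build_ossec("preloaded-vars-server.conf")
    _generate_client_keys()

    # Setup server config and local rules from syco.
    # Written as '\\cp' because '\c' is an invalid escape sequence in Python;
    # the command text is unchanged, and the leading backslash makes the
    # shell ignore any cp alias.
    x('\\cp -f /opt/syco/var/ossec/ossec_server.conf /var/ossec/etc/ossec.conf')
    # Config readable by root and the ossec group only.
    x('chown root:ossec /var/ossec/etc/ossec.conf')
    x('chmod 640 /var/ossec/etc/ossec.conf')

    # Configure rules
    x('cp -f /opt/syco/var/ossec/local_rules.xml /var/ossec/rules/local_rules.xml')
    # Recursive tightening of /var/ossec/rules (dirs 750, files 640) is
    # disabled; only local_rules.xml is adjusted here.
    #x("find /var/ossec/rules -type d -print0 | xargs -0 chmod 750")
    #x("find /var/ossec/rules -type f -print0 | xargs -0 chmod 640")
    x('chown root:ossec /var/ossec/rules/local_rules.xml')
    x('chmod 640  /var/ossec/rules/local_rules.xml')

    # Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    x("service ossec restart")

    # Clean up install: the compiler and make are only needed for the build
    # and are removed from the finished server.
    x('yum remove gcc make perl-Time-HiRes -y')

    version_obj.mark_executed()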