def install_keepalived(args):
    """Install keepalived and configure it for one environment.

    Sets the module globals SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV and ka_env,
    installs the keepalived package, calls _configure_keepalived(), then
    applies and saves the iptables rules.

    Args:
        args: Command arguments; exactly two are expected and args[1] names
            the keepalived environment.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    # NOTE(review): presumably print_killmessage() terminates the run. If it
    # returns, ka_env below is whatever the module global held before this
    # call (or is undefined) -- confirm.
    if len(args) == 2:
        ka_env = args[1]
    else:
        print_killmessage()

    # The requested name is lower-cased before it is looked up in
    # ACCEPTED_KA_ENV; anything not listed there is rejected.
    requested_env = ka_env.lower()
    if requested_env not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    install_marker = version.Version("InstallKeepalived", script_version)
    install_marker.check_executed()
    os.chdir("/")

    install_packages("keepalived")
    _configure_keepalived()

    # Apply the firewall rules and persist them.
    iptables_setup()
    save()

    install_marker.mark_executed()
def install_rsyslogd(args):
    """Install and configure the rsyslog server on this host.

    Installs rsyslog together with its GnuTLS packages, enables it at boot,
    creates certificates when no CA certificate exists yet, adds the
    "server" rsyslog firewall chain, restarts the service and then calls
    install_compress_logs() and the logrotate installer.

    Args:
        args: Command arguments, passed on to rsyslog_newcerts() and
            installLogrotate.install_logrotate().
    """
    app.print_verbose("Install rsyslogd.")
    install_marker = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    install_marker.check_executed()

    # rsyslog plus the GnuTLS driver and tools.
    install_packages("rsyslog rsyslog-gnutls gnutls-utils")

    # Start rsyslog automatically at boot.
    x("chkconfig rsyslog on")

    # New certificates are generated only when no CA certificate is present,
    # so an existing CA is not replaced by this step.
    ca_cert_exists = os.path.exists('/etc/pki/rsyslog/ca.crt')
    if not ca_cert_exists:
        rsyslog_newcerts(args)

    _setup_rsyslogd()

    # Add the rsyslog server chain to the firewall and persist it.
    iptables.add_rsyslog_chain("server")
    iptables.save()

    # Restart so the new configuration is picked up.
    x("service rsyslog restart")

    install_compress_logs()

    # Configure logrotate.
    installLogrotate.install_logrotate(args)

    install_marker.mark_executed()
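def install_docker(args):
    """Install and configure docker on the local host.

    Copies the bundled yum repo file and sysconfig template into place,
    installs docker-engine, fills in the proxy placeholders, enables and
    starts the service, and appends a jump to the DOCKER chain to the
    syco_output chain.

    Args:
        args: Command arguments; not read by this function.
    """
    app.print_verbose("Install docker version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Installdocker", SCRIPT_VERSION)
    version_obj.check_executed()

    proxy_host = config.general.get_proxy_host()
    proxy_port = config.general.get_proxy_port()

    # NOTE(review): docker-engine is installed from whatever this repo file
    # points at; its gpgcheck/gpgkey settings are not visible here -- confirm
    # that package signatures are verified.
    x("cp %s/docker/docker.repo /etc/yum.repos.d/docker.repo" % app.SYCO_VAR_PATH)
    general.install_packages("docker-engine")

    x("cp %s/docker/docker /etc/sysconfig/docker" % app.SYCO_VAR_PATH)

    # http://stackoverflow.com/questions/23111631/cannot-download-docker-images-behind-a-proxy
    docker_conf = scOpen(filename="/etc/sysconfig/docker")
    if proxy_host and proxy_port:
        docker_conf.replace("%HTTP_PROXY%",
                            'export HTTP_PROXY="http://%s:%s"' % (proxy_host, proxy_port))
        # NOTE(review): an https:// proxy URL means the connection to the
        # proxy itself is TLS, yet the same host and port are used as for the
        # plain-HTTP entry above -- confirm the proxy accepts both.
        docker_conf.replace("%HTTPS_PROXY%",
                            'export HTTPS_PROXY="https://%s:%s"' % (proxy_host, proxy_port))
    else:
        # No proxy configured: blank out the placeholders.
        docker_conf.replace("%HTTP_PROXY%", "")
        docker_conf.replace("%HTTPS_PROXY%", "")

    x("chkconfig docker on")
    x("service docker start")

    # FW rule needed to access container through ports.
    # Sleep for docker to start completely before setting the rule.
    # NOTE(review): the delay is a fixed 10 seconds; whether x() reports a
    # failure when the DOCKER chain is not there yet is not visible here.
    x("sleep 10 && iptables -A syco_output -j DOCKER")
    x("service iptables save")

    # Record the install only once, after the firewall rule has been added
    # and saved. This used to be called a first time before the firewall
    # steps as well, which marked the install as done too early.
    version_obj.mark_executed()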
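def install_docker(args):
    """Install and configure docker on the local host.

    Copies the bundled yum repo file and sysconfig template into place,
    installs docker-engine, fills in the proxy placeholders, enables and
    starts the service, and appends a jump to the DOCKER chain to the
    syco_output chain.

    Args:
        args: Command arguments; not read by this function.
    """
    app.print_verbose("Install docker version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Installdocker", SCRIPT_VERSION)
    version_obj.check_executed()

    proxy_host = config.general.get_proxy_host()
    proxy_port = config.general.get_proxy_port()

    # NOTE(review): docker-engine is installed from whatever this repo file
    # points at; its gpgcheck/gpgkey settings are not visible here -- confirm
    # that package signatures are verified.
    x('cp %s/docker/docker.repo /etc/yum.repos.d/docker.repo' % app.SYCO_VAR_PATH)
    general.install_packages("docker-engine")

    x('cp %s/docker/docker /etc/sysconfig/docker' % app.SYCO_VAR_PATH)

    # http://stackoverflow.com/questions/23111631/cannot-download-docker-images-behind-a-proxy
    docker_conf = scOpen(filename='/etc/sysconfig/docker')
    if proxy_host and proxy_port:
        docker_conf.replace('%HTTP_PROXY%',
                            'export HTTP_PROXY="http://%s:%s"' % (proxy_host, proxy_port))
        # NOTE(review): an https:// proxy URL means the connection to the
        # proxy itself is TLS, yet the same host and port are used as for the
        # plain-HTTP entry above -- confirm the proxy accepts both.
        docker_conf.replace('%HTTPS_PROXY%',
                            'export HTTPS_PROXY="https://%s:%s"' % (proxy_host, proxy_port))
    else:
        # No proxy configured: blank out the placeholders.
        docker_conf.replace('%HTTP_PROXY%', '')
        docker_conf.replace('%HTTPS_PROXY%', '')

    x('chkconfig docker on')
    x('service docker start')

    # FW rule needed to access container through ports.
    # Sleep for docker to start completely before setting the rule.
    # NOTE(review): the delay is a fixed 10 seconds; whether x() reports a
    # failure when the DOCKER chain is not there yet is not visible here.
    x('sleep 10 && iptables -A syco_output -j DOCKER')
    x('service iptables save')

    # Record the install only once, after the firewall rule has been added
    # and saved. This used to be called a first time before the firewall
    # steps as well, which marked the install as done too early.
    version_obj.mark_executed()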
def _install_nrpe(args):
    """Install the NRPE server with a prepared configuration.

    The packaged nrpe.cfg and nrpe.d are removed and replaced with the copies
    kept under syco-private, and the $(MONITORIP) placeholder in nrpe.cfg is
    filled with the monitor server's address. Per the original author, that
    prepared configuration restricts the server by IP ("not super safe but
    better than nothing") and has argument parsing disabled; the file itself
    is not shown here.

    Args:
        args: Command arguments; not read by this function.
    """
    # Ask for every password up front so the run does not stop for input
    # half-way through.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusingly, nagios-plugins-all does not really include all plugins.
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package.
    # At the moment EPEL has the latest version but RPMForge obsoletes the
    # EPEL package. Because of that, exclude nagios-nrpe from RPMForge.
    app.print_verbose("Install required packages for NRPE")
    install_packages(
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")

    # Drop the stock configuration, then copy in the prepared one.
    usr_path = constant.SYCO_USR_PATH
    config_commands = (
        "rm -rf /etc/nagios/nrpe.d",
        "rm -rf /etc/nagios/nrpe.cfg",
        "cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(usr_path),
        "cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(usr_path),
    )
    for command in config_commands:
        x(command)

    # Extra plugins.
    _install_nrpe_plugins()

    # Only the monitor server should be able to query NRPE.
    monitor_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_ip)
    nrpe_cfg = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_cfg.replace("$(MONITORIP)", monitor_ip)

    # Hand /etc/nagios/ to root with group nrpe. Only ownership changes
    # here; file modes stay as they were copied.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE and persist the rules.
    # NOTE(review): the original comment said UDP port 5666, but NRPE
    # normally listens on TCP 5666 -- confirm what add_nrpe_chain() opens.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe in runlevel 3 and restart it.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
def install_rsyslogd_client(args):
    """Install and configure rsyslog as a client of the log server.

    Adds the "client" rsyslog firewall chain, waits for the log server to
    answer on port 514, installs rsyslog with its GnuTLS driver, enables the
    service, writes the configuration, sets up the certificate and restarts
    rsyslog before configuring logrotate.

    Args:
        args: Command arguments, passed on to _gen_and_copy_cert() and
            installLogrotate.install_logrotate().
    """
    app.print_verbose("Install rsyslog client.")

    # Per the original comment this raises when the rsyslog *server* has
    # already been installed on this host.
    server_marker = version.Version("InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
    server_marker.check_executed()

    # Same check for the client install itself.
    client_marker = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    client_marker.check_executed()

    # Initialize all passwords used by the script.
    app.init_mysql_passwords()

    # The firewall chain goes in before the log server is contacted.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Wait for the rsyslog server to come up.
    log_server = config.general.get_log_server_hostname1()
    general.wait_for_server_to_start(log_server, "514")

    app.print_verbose("CIS 5.2 Configure rsyslog")

    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    legacy_syslog_present = os.path.exists('/etc/xinetd.d/syslog')
    if legacy_syslog_present:
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restart so configuration and certificate take effect.
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate.
    installLogrotate.install_logrotate(args)

    client_marker.mark_executed()
def _install_nrpe(args):
    """Install the NRPE server with a prepared configuration.

    The packaged nrpe.cfg and nrpe.d are removed and replaced with the copies
    kept under syco-private, and the $(MONITORIP) placeholder in nrpe.cfg is
    filled with the monitor server's address. Per the original author, that
    prepared configuration restricts the server by IP ("not super safe but
    better than nothing") and has argument parsing disabled; the file itself
    is not shown here.

    Args:
        args: Command arguments; not read by this function.
    """
    # Ask for every password up front so the run does not stop for input
    # half-way through.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusingly, nagios-plugins-all does not really include all plugins.
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package.
    # At the moment EPEL has the latest version but RPMForge obsoletes the
    # EPEL package. Because of that, exclude nagios-nrpe from RPMForge.
    app.print_verbose("Install required packages for NRPE")
    required_packages = (
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")
    install_packages(required_packages)

    # Drop the stock configuration, then copy in the prepared one.
    usr_path = constant.SYCO_USR_PATH
    for command in (
        "rm -rf /etc/nagios/nrpe.d",
        "rm -rf /etc/nagios/nrpe.cfg",
        "cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(usr_path),
        "cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(usr_path),
    ):
        x(command)

    # Extra plugins.
    _install_nrpe_plugins()

    # Only the monitor server should be able to query NRPE.
    monitor_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_ip)
    nrpe_cfg = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_cfg.replace("$(MONITORIP)", monitor_ip)

    # Hand /etc/nagios/ to root with group nrpe. Only ownership changes
    # here; file modes stay as they were copied.
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE and persist the rules.
    # NOTE(review): the original comment said UDP port 5666, but NRPE
    # normally listens on TCP 5666 -- confirm what add_nrpe_chain() opens.
    iptables.add_nrpe_chain()
    iptables.save()

    # Enable nrpe in runlevel 3 and restart it.
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
def install_syco(args):
    """Install/configure syco itself on the current computer.

    Replaces the CentOS base repo file with the bundled one, points yum at
    the configured proxy when there is one, installs augeas, creates the
    /sbin/syco symlink and sets a few yum and sysctl values.

    Args:
        args: Command arguments; not read by this function.
    """
    app.print_verbose("Install syco version: %d" % SCRIPT_VERSION)
    install_marker = version.Version("InstallSYCO", SCRIPT_VERSION)
    install_marker.check_executed()

    # Override the base repo with one that works.
    # NOTE(review): all later yum installs trust this bundled repo file; its
    # gpgcheck settings are not visible here.
    x("cat %syum/CentOS-Base.repo > /etc/yum.repos.d/CentOS-Base.repo" % app.SYCO_VAR_PATH)

    # Run all yum updates through the proxy if one is configured.
    proxy_host = config.general.get_proxy_host()
    proxy_port = config.general.get_proxy_port()
    use_proxy = proxy_host and proxy_port
    if use_proxy:
        # The host and port are placed unquoted into a shell command line, so
        # this relies on the install configuration being trusted.
        proxy_url = "http://%s:%s" % (proxy_host, proxy_port)
        x('echo proxy=%s >> /etc/yum.conf' % proxy_url)

    app.print_verbose("Install required packages for syco")
    install_packages("augeas")

    app.print_verbose("Create symlink /sbin/syco")
    set_syco_permissions()
    link_path = '/sbin/syco'
    if not os.path.exists(link_path):
        os.symlink('%sbin/syco.py' % SYCO_PATH, link_path)

    # Imported here rather than at module level, after the augeas package
    # has been installed above.
    from augeas import Augeas
    editor = Augeas(x)

    # Keep at most 2 kernels installed since more won't fit on /boot.
    editor.set_enhanced("/files/etc/yum.conf/main/installonly_limit", "2")

    # Set swappiness to 0 on all hosts to avoid excessive swapping.
    editor.set_enhanced("/files/etc/sysctl.conf/vm.swappiness", "0")

    if use_proxy:
        # Set the proxy again through augeas to ensure there are no
        # duplicates/inconsistencies.
        editor.set_enhanced("/files/etc/yum.conf/main/proxy",
                            "http://%s:%s" % (proxy_host, proxy_port))

    install_marker.mark_executed()
def install_syco(args):
    """Install/configure syco itself on the current computer.

    Replaces the CentOS base repo file with the bundled one, points yum at
    the configured proxy when there is one, installs augeas, creates the
    /sbin/syco symlink and sets a few yum and sysctl values.

    Args:
        args: Command arguments; not read by this function.
    """
    app.print_verbose("Install syco version: %d" % SCRIPT_VERSION)
    install_marker = version.Version("InstallSYCO", SCRIPT_VERSION)
    install_marker.check_executed()

    # Override the base repo with one that works.
    # NOTE(review): all later yum installs trust this bundled repo file; its
    # gpgcheck settings are not visible here.
    x("cat %syum/CentOS-Base.repo > /etc/yum.repos.d/CentOS-Base.repo" % app.SYCO_VAR_PATH)

    # Run all yum updates through the proxy if one is configured.
    proxy_host = config.general.get_proxy_host()
    proxy_port = config.general.get_proxy_port()
    use_proxy = proxy_host and proxy_port
    if use_proxy:
        # The host and port are placed unquoted into a shell command line, so
        # this relies on the install configuration being trusted.
        proxy_url = "http://%s:%s" % (proxy_host, proxy_port)
        x('echo proxy=%s >> /etc/yum.conf' % proxy_url)

    app.print_verbose("Install required packages for syco")
    install_packages("augeas")

    app.print_verbose("Create symlink /sbin/syco")
    set_syco_permissions()
    link_path = '/sbin/syco'
    if not os.path.exists(link_path):
        os.symlink('%sbin/syco.py' % SYCO_PATH, link_path)

    # Imported here rather than at module level, after the augeas package
    # has been installed above.
    from augeas import Augeas
    editor = Augeas(x)

    # Keep at most 2 kernels installed since more won't fit on /boot.
    editor.set_enhanced("/files/etc/yum.conf/main/installonly_limit", "2")

    # Set swappiness to 0 on all hosts to avoid excessive swapping.
    editor.set_enhanced("/files/etc/sysctl.conf/vm.swappiness", "0")

    if use_proxy:
        # Set the proxy again through augeas to ensure there are no
        # duplicates/inconsistencies.
        editor.set_enhanced("/files/etc/yum.conf/main/proxy",
                            "http://%s:%s" % (proxy_host, proxy_port))

    install_marker.mark_executed()
def download_and_install(clam_version):
    """Download the ClamAV source tarball, build it and install it.

    The tarball is unpacked under app.INSTALL_DIR, moved into a
    compile-clamav directory, built with configure/make and installed. The
    build packages are removed again afterwards.

    Args:
        clam_version: Value substituted into CLAM_AV_URL to form the
            download URL.
    """
    #
    # Download and extract clamav
    #
    app.print_verbose("Download and extract clamav")
    # NOTE(review): no checksum or signature check of the tarball is visible
    # in this function, and its contents are compiled and installed below.
    # Confirm that urlretrive() or the caller verifies the download.
    tarball_url = CLAM_AV_URL.format(clam_version)
    tarball_path = urlretrive(tarball_url, "clamav_latest.tar.gz")
    x("tar -C %s -zxf %s" % (app.INSTALL_DIR, tarball_path))

    compile_dir = "%scompile-clamav" % app.INSTALL_DIR
    x("mkdir -p %s" % compile_dir)
    x("mv %s/clamav-*/* %s" % (app.INSTALL_DIR, compile_dir))

    #
    # Install packages required for compiling, and coreutils to get nice and
    # ionice
    #
    general.install_packages(
        "gcc gcc-c++ zlib-devel bzip2-devel ncurses-devel file openssl-devel coreutils")

    #
    # Build and install clamav and freshclam
    #
    app.print_verbose("Build and install clamav and freshclam")
    # Reset ownership of the unpacked tree to root before anything in it is
    # run.
    x("chown -R root:root %s" % compile_dir)
    for build_step in ("./configure", "make", "make install"):
        x(build_step, cwd=compile_dir)
    x("ldconfig")

    #
    # Remove packages needed for compilation, so no compiler is left
    # installed on the host.
    #
    remove_build_packages = (
        "yum remove -y zlib-devel bzip2-devel ncurses-devel "
        "gcc cloog-ppl cpp glibc-devel glibc-headers kernel-headers "
        "mpfr ppl gcc-c++ libstdc++-devel"
    )
    x(remove_build_packages)
def install_haproxy(args):
    """Install HAProxy and configure it for an environment and state.

    Installs the tcl and haproxy packages, adds and saves the haproxy
    firewall chain, copies the certificate files for the environment and
    writes the configuration.

    Args:
        args: Command arguments; exactly three are expected. They are handed
            to haproxy_env() and haproxy_state() to obtain the environment
            and the state.
    """
    app.print_verbose("Install HA Proxy version: %d" % script_version)
    install_marker = version.Version("InstallHaproxy", script_version)
    install_marker.check_executed()

    # Prompt for the syco password early; the certificate copy further down
    # requires the root password.
    app.get_root_password()

    setup_global_vars()

    # Validate all command line parameters.
    # NOTE(review): presumably print_killmessage() terminates the run;
    # otherwise the steps below continue with the wrong argument count.
    if len(args) != 3:
        print_killmessage()

    target_env = haproxy_env(args)
    target_state = haproxy_state(args)

    install_packages("tcl haproxy")

    iptables.add_haproxy_chain()
    iptables.save()

    _copy_certificate_files(target_env)
    _configure_haproxy(target_env, target_state)

    install_marker.mark_executed()
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE plugins depend on.

    Besides installing packages, this writes /etc/sudoers.d/nrpe so the nrpe
    account can run the listed plugins through sudo without a password, and
    appends nofile limits to /etc/security/limits.conf.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Every NOPASSWD line lets the nrpe account run that path via sudo
    # without a password, so the plugins and their directories need to be
    # root-owned and not writable by nrpe. The rabbitmqctl entry carries no
    # argument restriction, so any subcommand is allowed.
    # NOTE(review): the generated file is not syntax-checked (for example
    # with `visudo -cf /etc/sudoers.d/nrpe`) before it is left in place.
    base_sudoers_cmd = """cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH)
    x(base_sudoers_cmd)

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    this_host = config.host(net.get_hostname())
    needs_hardware_checks = this_host.is_host() or this_host.is_firewall()
    if needs_hardware_checks:
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli. Neither entry restricts the
        # arguments that may be passed.
        hardware_sudoers_cmd = """cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH)
        x(hardware_sudoers_cmd)

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values; per the original comment they take effect after a
    # reboot.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo expects sudoers files to be read-only (mode 0440), so chmod the
    # file now that all entries have been written.
    x("chmod 0440 /etc/sudoers.d/nrpe")
def _install_nrpe_plugins_dependencies():
    """Install libraries/binaries that the NRPE plugins depend on.

    Besides installing packages, this writes /etc/sudoers.d/nrpe so the nrpe
    account can run the listed plugins through sudo without a password, and
    appends nofile limits to /etc/security/limits.conf.
    """
    # Dependency for check_rsyslog
    app.print_verbose("Install required dependency for check_rsyslog")
    install_packages("MySQL-python")

    # Dependency for check_clamav
    app.print_verbose("Install required dependencies for check_clamav")
    install_packages("perl-Net-DNS-Resolver-Programmable perl-suidperl")

    # Every NOPASSWD line lets the nrpe account run that path via sudo
    # without a password, so the plugins and their directories need to be
    # root-owned and not writable by nrpe. The rabbitmqctl entry carries no
    # argument restriction, so any subcommand is allowed.
    # NOTE(review): the generated file is not syntax-checked (for example
    # with `visudo -cf /etc/sudoers.d/nrpe`) before it is left in place.
    base_sudoers_cmd = """cat > /etc/sudoers.d/nrpe << EOF
Defaults:nrpe !requiretty
nrpe ALL=NOPASSWD:{0}check_clamav
nrpe ALL=NOPASSWD:{0}check_clamscan
nrpe ALL=NOPASSWD:{0}check_disk
nrpe ALL=NOPASSWD:{0}get_services
nrpe ALL=NOPASSWD:{0}check_file_age
nrpe ALL=NOPASSWD:{0}check_ossec-clients.sh
nrpe ALL=NOPASSWD:{0}check_haproxy_stats.pl
nrpe ALL=NOPASSWD:/usr/sbin/rabbitmqctl
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-deleted-files
nrpe ALL=NOPASSWD:{0}mysql/pmp-check-mysql-file-privs
EOF
""".format(PLG_PATH)
    x(base_sudoers_cmd)

    # Dependency for check_ldap
    app.print_verbose("Install required dependencies for check_ldap")
    install_packages("php-ldap php-cli")

    # Dependency for check_iostat
    app.print_verbose("Install required dependency for check_iostat")
    install_packages("sysstat")

    # Dependency for hosts/firewall hardware checks
    this_host = config.host(net.get_hostname())
    needs_hardware_checks = this_host.is_host() or this_host.is_firewall()
    if needs_hardware_checks:
        install.hp_repo()
        app.print_verbose("Install required dependencies for Hardware checks")
        install_packages("hp-health hpssacli")

        # Let nrpe run hpasmcli and hpssacli. Neither entry restricts the
        # arguments that may be passed.
        hardware_sudoers_cmd = """cat >> /etc/sudoers.d/nrpe << EOF
nrpe ALL=NOPASSWD:/sbin/hpasmcli
nrpe ALL=NOPASSWD:{0}check_hpasm
nrpe ALL=NOPASSWD:/usr/sbin/hpssacli
nrpe ALL=NOPASSWD:{0}check_hparray
EOF
""".format(PLG_PATH)
        x(hardware_sudoers_cmd)

    # Dependency for check_ulimit
    app.print_verbose("Install required dependency for check_ulimit")
    install_packages("lsof")

    # Set ulimit values; per the original comment they take effect after a
    # reboot.
    x("printf '\n*\tsoft\tnofile\t8196\n*\thard\tnofile\t16392\n' >> /etc/security/limits.conf")

    # sudo expects sudoers files to be read-only (mode 0440), so chmod the
    # file now that all entries have been written.
    x("chmod 0440 /etc/sudoers.d/nrpe")