示例#1
0
def add_iptables_rules():
    """
    Open firewall for NFS just during the installation.

    """
    iptables.add_nfs_chain()
    iptables.save()
示例#2
0
def install_mail_client(args):
    """
    Installs a local postfix MTA which accepts email on localhost forwards
    relays everything to mailrelay-server. Also installs mailx.
    See line comments in install_mail_server

    """

    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    postfix_main_cf.replace(
        "#myhostname = host.domain.tld",
        "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain()),
    )  # monitor.syco.com
    postfix_main_cf.replace(
        "#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain())
    )  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen only on localhost
    postfix_main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    postfix_main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    postfix_main_cf.replace(
        "mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost"
    )

    # Relay everything not for local machine to mailrelay.
    postfix_main_cf.replace(
        "#relay_domains = $mydestination", "relay_domains = {0}".format(config.general.get_resolv_domain())
    )
    postfix_main_cf.replace(
        "#relayhost = $mydomain", "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())
    )
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
示例#3
0
def install_openvas(args):
    '''
    Install and configure openvas on the local host.

    '''
    app.print_verbose("Install OpenVAS version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.check_executed()

    _install_packages()
    _disable_selinux()

    iptables.add_openvas_chain()
    iptables.save()

    #
    app.print_verbose("Get OpenVAS nvt.")
    x("openvas-nvt-sync --wget &> /dev/null ")

    #
    app.print_verbose("Rebuild OpenVAS database.")
    x("openvasmd --rebuild")

    #
    app.print_verbose("Add default OpenVAS admin user.")
    x("openvasad -c 'add_user' -u admin -w admin --role=Admin")

    _modify_configs()
    _setup_default_database()
    _start_all_services()

    version_obj.mark_executed()
示例#4
0
def install_mail_server(args):
  app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
  version_obj.check_executed()

  general.shell_exec("yum -y install sendmail")

  # Tell iptables that this server is configured as a mail-relay server.
  general.shell_exec("touch /etc/mail/syco_mail_relay_server")
  iptables.add_mail_relay_chain()
  iptables.save()

  hardening.network.configure_resolv_conf()
  hardening.network.configure_localhost()
  hardening.network.restart_network()

  app.print_verbose("Configure /etc/mail/*")

  # Allow all servers on localdomain to relay through this server.
  set_config_property2("/etc/mail/access", "Connect:10.100                          RELAY")
  x("/usr/sbin/makemap hash access < access")

  # Remove the loopback address restriction to accept email from the internet or intranet.
  set_config_property(
    "/etc/mail/sendmail.mc",
    r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
    r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

  _rebuild_sendmail_config()

  _test_mail()
  version_obj.mark_executed()
示例#5
0
def install_keepalived(args):
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    if len(args) != 2:
        print_killmessage()
    else:
        ka_env = args[1]

    if ka_env.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    version_obj.check_executed()
    os.chdir("/")

    install_packages("keepalived")
    _configure_keepalived()

    # Adding iptables rules
    iptables_setup()
    save()

    version_obj.mark_executed()
示例#6
0
def uninstall_openvas(args):
    '''
    Uninstall openvas

    '''
    if (os.access("/etc/init.d/openvas-manager", os.F_OK)):
        app.print_verbose("Stop all services.")
        x("/etc/init.d/openvas-manager stop")
        x("/etc/init.d/openvas-scanner stop")
        x("/etc/init.d/gsad stop")

    #
    app.print_verbose("Remove packages and files.")
    x("yum -y remove openvas-*")
    x("rm -rf /var/lib/openvas")
    x("rm /etc/yum.repos.d/atomic.repo")

    #
    app.print_verbose("Remove iptables rules.")
    iptables.del_openvas_chain()
    iptables.save()

    #
    app.print_verbose("Enabling SELINUX.")
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*","SELINUX=enforcing")

    #
    app.print_verbose("Tell syco openvas is uninstalled.")
    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#7
0
def add_iptables_rules():
    '''
  Open iptables for NFS just during the installation.

  '''
    iptables.add_nfs_chain()
    iptables.save()
示例#8
0
def install_sssd(args):
    '''
    Install ldap client on current host and connect to networks ldap server.

    '''
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Get all passwords from installation user at the start of the script.
    app.get_ldap_sssd_password()

    install_packages()

    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ip, "636")

    install_certs()

    # For some reason it needs to be executed twice.
    authconfig()
    authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    configured_sssd()
    configured_sudo()

    version_obj.mark_executed()
示例#9
0
def install_rsyslogd(args):
    """
    Install rsyslogd on the server.

    """
    app.print_verbose("Install rsyslogd.")
    version_obj = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Installing packages
    x("yum install rsyslog rsyslog-gnutls gnutls-utils -y")

    # Autostart rsyslog at boot
    x("chkconfig rsyslog on")

    # Generation new certs if no certs exsists
    if not os.path.exists('/etc/pki/rsyslog/ca.crt'):
        rsyslog_newcerts(args)

    _setup_rsyslogd()

    # Add iptables chains
    iptables.add_rsyslog_chain("server")
    iptables.save()

    # Restarting service
    x("service rsyslog restart")

    install_compress_logs()

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    version_obj.mark_executed()
示例#10
0
def _install_icinga_core(args):
    """
    Core installation is decently straightforward. Icinga-bins are downloaded from the EPEL-repo and and SQL-db is created
    and set up with the standard icinga db-schema.

    The "hard" part is setting up the object base, which is done in via helper functions.

    """
    # Disable SELinux for now, Install icinga-packages.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Set set up icinga mysql-database
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know password has changed
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property("/etc/icinga/ido2db.cfg","db_pass=icinga","db_pass={0}".format(icinga_sql_password, False))
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args,reload=False)

    return icinga_sql_password
示例#11
0
def install_rsyslogd(args):
    """
    Install rsyslogd on the server.

    """
    app.print_verbose("Install rsyslogd.")
    version_obj = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Installing packages
    x("yum install rsyslog rsyslog-gnutls gnutls-utils -y")

    # Autostart rsyslog at boot
    x("chkconfig rsyslog on")

    # Generation new certs if no certs exsists
    if not os.path.exists('/etc/pki/rsyslog/ca.crt'):
        rsyslog_newcerts(args)

    # Add iptables chains
    iptables.add_rsyslog_chain("server")
    iptables.save()

    # Restarting service
    x("service rsyslog restart")

    install_compress_logs()

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    version_obj.mark_executed()
示例#12
0
def install_cobbler(args):
  '''
  Install cobbler on current host.

  '''
  app.print_verbose("Install cobbler version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("installCobbler", SCRIPT_VERSION)
  version_obj.check_executed()

  # Initialize password.
  app.get_root_password_hash()

  # Disable SELINUX it just messes with me.
  x("echo 0 > /selinux/enforce")
  general.set_config_property("/etc/selinux/config", '^SELINUX=.*', "SELINUX=permissive")

  _install_cobbler()

  iptables.add_cobbler_chain()
  iptables.save()

  _modify_cobbler_settings()

  _import_repos()
  setup_all_systems(args)

  # Start/Restart used services.
  x("/etc/init.d/dhcpd restart")

  version_obj.mark_executed()
示例#13
0
def install_haproxy(args):
    app.print_verbose("Install HA Proxy version: %d" % script_version)
    version_obj = version.Version("InstallHaproxy", script_version)
    version_obj.check_executed()

    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH
    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()

    # Validate all command line parameters.
    if len(sys.argv) != 4:
        print_killmessage()

    haproxy_env()
    haproxy_state()

    x("yum install -y tcl haproxy")
    iptables.add_haproxy_chain()
    iptables.save()
    _copy_certificate_files()
    _configure_haproxy()

    version_obj.mark_executed()
示例#14
0
def install_ossec_client(args):
    '''
    Install OSSEC Client on the server

    '''

    if os.path.exists('/var/ossec/bin/manage_agents'):
        app.print_error("Not insalling OSSEC client since OSSEC server detected")
        return

    app.print_verbose("Install ossec client.")
    version_obj = version.Version("InstallOssec", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    build_ossec('preloaded-vars-client.conf')
    _setup_conf()
    _setup_keys()

    # Enabling syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    # Restaring OSSEC server
    x("service ossec restart")

    x('yum remove gcc perl-Time-HiRes -y')

    version_obj.mark_executed()
示例#15
0
def _install_icinga_web(icinga_db_pass):
    """
    This installs the icinga web module. Only source of complexity is moking icinga accessible from the document root.

    """
    x("yum install -y icinga-web php php-cli php-pear php-xmlrpc php-xsl php-pdo php-soap php-gd php-ldap php-mysql"
      )

    # Setup icinga-web mysql
    icinga_web_db_bass = _setup_icinga_web_mysql()

    # Configure icinga web client config files
    _configure_icinga_web(icinga_db_pass, icinga_web_db_bass)

    # Allow icinga-web to issue icinga commands
    x("useradd -G icingacmd apache")

    # Make everything startup on reboot
    x("/sbin/chkconfig --level 3 httpd on")
    x("/sbin/chkconfig --level 3 mysqld on")
    x("/sbin/chkconfig --level 3 ido2db on")

    # Harden with iptables-chain
    iptables.add_httpd_chain()
    iptables.save()
示例#16
0
def _install_icinga_core(args):
    """
    Core installation is decently straightforward. Icinga-bins are downloaded from the EPEL-repo and and SQL-db is created
    and set up with the standard icinga db-schema.

    The "hard" part is setting up the object base, which is done in via helper functions.

    """
    # Disable SELinux for now, Install icinga-packages.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe"
      )

    # Set set up icinga mysql-database
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know password has changed
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property(
        "/etc/icinga/ido2db.cfg", "db_pass=icinga",
        "db_pass={0}".format(icinga_sql_password, False))
    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg"
      .format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args, reload=False)

    return icinga_sql_password
示例#17
0
def uninstall_openvas(args):
    '''
    Uninstall openvas

    '''
    if (os.access("/etc/init.d/openvas-manager", os.F_OK)):
        app.print_verbose("Stop all services.")
        x("/etc/init.d/openvas-manager stop")
        x("/etc/init.d/openvas-scanner stop")
        x("/etc/init.d/gsad stop")

    #
    app.print_verbose("Remove packages and files.")
    x("yum -y remove openvas-*")
    x("rm -rf /var/lib/openvas")
    x("rm /etc/yum.repos.d/atomic.repo")

    #
    app.print_verbose("Remove iptables rules.")
    iptables.del_openvas_chain()
    iptables.save()

    #
    app.print_verbose("Enabling SELINUX.")
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*", "SELINUX=enforcing")

    #
    app.print_verbose("Tell syco openvas is uninstalled.")
    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#18
0
def install_openvas(args):
    '''
    Install and configure openvas on the local host.

    '''
    app.print_verbose("Install OpenVAS version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    version_obj.check_executed()

    _install_packages()
    _disable_selinux()

    iptables.add_openvas_chain()
    iptables.save()

    #
    app.print_verbose("Get OpenVAS nvt.")
    x("openvas-nvt-sync --wget &> /dev/null ")

    #
    app.print_verbose("Rebuild OpenVAS database.")
    x("openvasmd --rebuild")

    #
    app.print_verbose("Add default OpenVAS admin user.")
    x("openvasad -c 'add_user' -u admin -w admin --role=Admin")

    _modify_configs()
    _setup_default_database()
    _start_all_services()

    version_obj.mark_executed()
示例#19
0
def install_freeradius(args):
    '''
    Install and configure the freeradius on the local host.

    '''
    app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.get_ldap_admin_password()

    _install_packages()

    # Configure iptables
    iptables.add_freeradius_chain()
    iptables.save()

    _configure_ldap()
    _enable_ldap()
    _configure_radius()
    _setup_radius_clients()

    x("/etc/init.d/radiusd restart")

    version_obj.mark_executed()
示例#20
0
def install_haproxy(args):
    app.print_verbose("Install HA Proxy version: %d" % script_version)
    version_obj = version.Version("InstallHaproxy", script_version)
    version_obj.check_executed()

    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH
    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()

    # Validate all command line parameters.
    if len(sys.argv) != 4:
        print_killmessage()

    haproxy_env()
    haproxy_state()

    x("yum install -y tcl haproxy")
    iptables.add_haproxy_chain()
    iptables.save()
    _copy_certificate_files()
    _configure_haproxy()

    version_obj.mark_executed()
示例#21
0
def install_openldap(args):
    '''
    Install openldap on current host.

    '''
    app.print_verbose("Install openldap script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenLdap", SCRIPT_VERSION)
    version_obj.check_executed()

    initialize_passwords()

    # Do the installation.
    enable_selinux()
    install_packages()
    store_logs_on_file()
    configure_ldap_client()
    configure_openldap()
    configure_sudo_in_ldap()
    create_modules()
    add_auditlog_overlay()
    add_pwdpolicy_overlay()
    add_user_domain()
    create_certs()
    enable_ssl()
    require_highest_security_from_clients()

    # Let clients connect to the server through the firewall. This is done after
    # everything else is done, so we are sure that the server is secure before
    # letting somebody in.
    iptables.add_ldap_chain()
    iptables.save()

    _install_web_page()

    version_obj.mark_executed()
示例#22
0
def install_mail_server(args):
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Tell iptables that this server is configured as a mail-relay server.
    general.shell_exec("touch /etc/mail/syco_mail_relay_server")
    iptables.add_mail_relay_chain()
    iptables.save()

    hardening.network.configure_resolv_conf()
    hardening.network.configure_localhost()
    hardening.network.restart_network()

    app.print_verbose("Configure /etc/mail/*")

    # Allow all servers on localdomain to relay through this server.
    set_config_property2("/etc/mail/access",
                         "Connect:10.100                          RELAY")
    x("/usr/sbin/makemap hash access < access")

    # Remove the loopback address restriction to accept email from the internet or intranet.
    set_config_property(
        "/etc/mail/sendmail.mc",
        r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
        r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

    _rebuild_sendmail_config()

    _test_mail()
    version_obj.mark_executed()
示例#23
0
def install_cobbler(args):
    '''
  Install cobbler on current host.

  '''
    app.print_verbose("Install cobbler version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("installCobbler", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize password.
    app.get_root_password_hash()

    # Disable SELINUX it just messes with me.
    x("echo 0 > /selinux/enforce")
    general.set_config_property("/etc/selinux/config", '^SELINUX=.*',
                                "SELINUX=permissive")

    _install_cobbler()

    iptables.add_cobbler_chain()
    iptables.save()

    _modify_cobbler_settings()

    _import_repos()
    setup_all_systems(args)

    # Start/Restart used services.
    x("/etc/init.d/dhcpd restart")

    version_obj.mark_executed()
示例#24
0
def uninstall_redis(args):
    """
    Remove Redis from the server
    """
    app.print_verbose("Uninstall Redis")

    os.chdir("/")

    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")

    x("yum -y remove redis keepalived")
    x("rm -rf {0}redis.conf".format(REDIS_CONF_DIR))
    x("rm -rf {0}redis.conf.rpmsave".format(REDIS_CONF_DIR))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))

    iptables.iptables(
        "-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables(
        "-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-D syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.save()
    version_obj = version.Version("InstallRedis", script_version)
    version_obj.mark_uninstalled()
示例#25
0
def uninstall_redis(args):
    """
    Remove Redis from the server
    """
    app.print_verbose("Uninstall Redis")

    os.chdir("/")

    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")

    x("yum -y remove redis keepalived")
    x("rm -rf {0}redis.conf".format(REDIS_CONF_DIR))
    x("rm -rf {0}redis.conf.rpmsave".format(REDIS_CONF_DIR))
    x("rm -rf {0}*".format(KEEPALIVED_CONF_DIR))

    iptables.iptables("-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-D syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-D syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.save()
    version_obj = version.Version("InstallRedis", script_version)
    version_obj.mark_uninstalled()
示例#26
0
def install_sssd(args):
    """
    Install ldap client on current host and connect to networks ldap server.

    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.check_executed()

    # Get all passwords from installation user at the start of the script.
    app.get_ldap_sssd_password()

    install_packages()

    installOpenLdap.setup_hosts()
    iptables.add_ldap_chain()
    iptables.save()

    ip = config.general.get_ldap_server_ip()
    general.wait_for_server_to_start(ip, "636")

    install_certs()

    # For some reason it needs to be executed twice.
    authconfig()
    authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    augeas = Augeas(x)
    create_sss_folders()
    configure_sssd(augeas)
    configure_sudo(augeas)

    version_obj.mark_executed()
示例#27
0
def uninstall_openvas(args):
  '''
  Uninstall nmap

  '''
  
  if (os.access("/etc/init.d/openvas-manager", os.F_OK)):
    general.shell_exec("/etc/init.d/openvas-manager stop")
    general.shell_exec("/etc/init.d/openvas-scanner stop")
    general.shell_exec("/etc/init.d/gsad stop")



  x("yum -y remove openvas-*")
  x("rm -rf /var/lib/openvas")
  #x("rm /etc/yum.repos.d/atomic.repo")
  iptables.del_openvas_chain()
  iptables.save()
  app.print_verbose("Enabling SELINUX")
  x("echo 1 > /selinux/enforce")
  selinuxconf = scOpen("/etc/selinux/config")
  selinuxconf.replace("^SELINUX=.*","SELINUX=enforcing")

  version_obj = version.Version("InstallOpenVAS", SCRIPT_VERSION)
  version_obj.mark_uninstalled()
示例#28
0
def install_keepalived(args):
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    if len(args) != 2:
        print_killmessage()
    else:
        ka_env = args[1]

    if ka_env.lower() not in ACCEPTED_KA_ENV:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    version_obj = version.Version("InstallKeepalived", script_version)
    version_obj.check_executed()
    os.chdir("/")

    install_packages("keepalived")
    _configure_keepalived()

    # Adding iptables rules
    iptables_setup()
    save()

    version_obj.mark_executed()
示例#29
0
def install_openldap(args):
    '''
    Install openldap on current host.

    '''
    app.print_verbose("Install openldap script-version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallOpenLdap", SCRIPT_VERSION)
    version_obj.check_executed()

    initialize_passwords()

    # Do the installation.
    enable_selinux()
    install_packages()
    store_logs_on_file()
    configure_ldap_client()
    configure_openldap()
    configure_sudo_in_ldap()
    create_modules()
    add_auditlog_overlay()
    add_pwdpolicy_overlay()
    add_user_domain()
    create_certs()
    enable_ssl()
    require_highest_security_from_clients()

    # Let clients connect to the server through the firewall. This is done after
    # everything else is done, so we are sure that the server is secure before
    # letting somebody in.
    iptables.add_ldap_chain()
    iptables.save()

    version_obj.mark_executed()
示例#30
0
文件: nfs.py 项目: Nemie/syco
def add_iptables_rules():
  '''
  Open iptables for NFS just during the installation.

  '''
  iptables.add_nfs_chain()
  iptables.save()
示例#31
0
def install_freeradius(args):
    '''
    Install and configure the freeradius on the local host.

    '''
    app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.get_ldap_admin_password()

    _install_packages()

    # Configure iptables
    iptables.add_freeradius_chain()
    iptables.save()

    _configure_ldap()
    _enable_ldap()
    _configure_radius()
    _setup_radius_clients()

    x("/etc/init.d/radiusd restart")

    version_obj.mark_executed()
示例#32
0
def install_mail_server(args):
    """
  Installs a postfix-based mail relay MTA that listens on the DMZ, and relays
  towards the internet. Also possible to send from localhost. Also installs mailx.

  """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    init_properties = PostFixProperties()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is full canonical name of machine.
    postfix_main_cf.replace(
        "#myhostname = host.domain.tld", "myhostname = {0}".format(config.general.get_mail_relay_domain_name())
    )  # mailrelay.syco.com
    postfix_main_cf.replace(
        "#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain())
    )  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept email from frontnet and backnet
    postfix_main_cf.replace(
        "inet_interfaces = localhost",
        "inet_interfaces = 127.0.0.1,{0},{1}".format(init_properties.server_front_ip, init_properties.server_back_ip),
    )
    postfix_main_cf.replace(
        "#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
        "mynetworks = {0}, {1}, 127.0.0.0/8".format(
            init_properties.server_network_front, init_properties.server_network_back
        ),
    )

    # Do not relay anywhere special, i.e straight to internet.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains =")
    postfix_main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")

    # Stop warning about IPv6.
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
示例#33
0
def _configure_iptables():
    '''
    Accept TCP traffic on 3128 from localnets and allow output to anywhere on port 80 and 443

    '''
    iptables.iptables("-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables("-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()
示例#34
0
def install_ntp(ntp_server_ip = False):
  '''
  Install and configure the ntp-server on the local host.

  '''
  app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
  version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
  version_obj.check_executed()

  # Install the NTP packages.
  if (not os.access("/etc/ntp.conf", os.F_OK)):
    general.shell_exec("yum -y install ntp")

  general.shell_exec("/sbin/chkconfig ntpd on")

  iptables.add_ntp_chain()
  iptables.save()

  # Set ntp-server configs
  #
  # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
  #
  if (ntp_server_ip):
    app.print_verbose("Configure /etc/ntp.conf as a client")

    # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
    general.set_config_property("/etc/ntp.conf", "restrict default.*", "restrict default ignore")
    general.set_config_property("/etc/ntp.conf", "restrict -6 default.*", "restrict -6 default ignore")

    # Using only internal NTP-server.
    general.set_config_property("/etc/ntp.conf", "server 0.*ntp.org", "server " + ntp_server_ip + " burst")
    general.set_config_property("/etc/ntp.conf", ".*server 1.*ntp.org", "#server 1.se.pool.ntp.org")
    general.set_config_property("/etc/ntp.conf", ".*server 2.*ntp.org", "#server 2.se.pool.ntp.org")
    general.set_config_property("/etc/ntp.conf", ".*server 3.*ntp.org", "#server 3.se.pool.ntp.org")

    # Allow access to/from the ntp-server. You may use either a hostname or IP address
    # on the server line. You must use an IP address on the restrict line. Or do I??
    general.set_config_property("/etc/ntp.conf", "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery", "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery")

    # Don't use fudge server
    general.set_config_property("/etc/ntp.conf", ".*server.*127.127.1.0.*", "#server 127.127.1.0")
    general.set_config_property("/etc/ntp.conf", ".*fudge.*127.127.1.0.*", "#fudge  127.127.1.0 stratum 10")

    # This command modifies the ntpd panic threshold (which is normally 1024
    # seconds). Setting this to 0 disables the panic sanity check and a clock
    # offset of any value will be accepted.
    general.set_config_property("/etc/ntp.conf", ".*tinker panic.*", "tinker panic 0")
  else:
    app.print_verbose("Configure /etc/ntp.conf as a server")
    general.set_config_property("/etc/ntp.conf", "server 0.*ntp.org", "server ntp3.sptime.se")
    general.set_config_property("/etc/ntp.conf", "server 1.*ntp.org", "server ntp4.sptime.se")
    general.set_config_property("/etc/ntp.conf", "server 2.*ntp.org", "server ntp1.sth.netnod.se")
    general.set_config_property("/etc/ntp.conf", "server 3.*ntp.org", "server " + config.general.get_slave_ntp_server())


  general.shell_exec("service ntpd start")

  version_obj.mark_executed()
示例#35
0
def install_mail_server(args):
    '''
  Installs a postfix-based mail relay MTA that listens on the DMZ, and relays
  towards the internet. Also possible to send from localhost. Also installs mailx.

  '''
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose(
        "Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is full canonical name of machine.
    postfix_main_cf.replace(
        "#myhostname = host.domain.tld", "myhostname = {0}".format(
            config.general.get_mail_relay_domain_name()))  # mailrelay.syco.com
    postfix_main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(
        config.general.get_resolv_domain()))  # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept email from frontnet and backnet
    postfix_main_cf.replace(
        "inet_interfaces = localhost",
        "inet_interfaces = 127.0.0.1,{0},{1}".format(server_front_ip,
                                                     server_back_ip))
    postfix_main_cf.replace(
        "#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
        "mynetworks = {0}, {1}, 127.0.0.0/8".format(server_front_network,
                                                    server_back_network))

    # Do not relay anywhere special, i.e straight to internet.
    postfix_main_cf.replace("#relay_domains = $mydestination",
                            "relay_domains =")
    postfix_main_cf.replace("#home_mailbox = Maildir/",
                            "home_mailbox = Maildir/")

    # Stop warning about IPv6.
    postfix_main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
示例#36
0
def uninstall_glassfish(args):
    '''
  The main function the glassfish uninstallation.

  '''
    app.print_verbose("Uninstall " + GLASSFISH_VERSION +
                      " version: %d" % SCRIPT_VERSION)

    if (os.access(GLASSFISH_INSTALL_PATH, os.F_OK)):
        os.chdir("/tmp")
        x("/etc/init.d/" + GLASSFISH_VERSION + " stop -an")
        x("rm -rf " + GLASSFISH_INSTALL_PATH)
        x("/sbin/chkconfig --del " + GLASSFISH_VERSION)
        x("rm " + "/etc/init.d/" + GLASSFISH_VERSION)

    if (_is_glassfish_user_installed()):
        # Change dir if some of the rm commands fails, so not everythig will
        # be deleted by mistake.
        x("rm -rf /home/glassfish")
        x("userdel glassfish")
        x("groupdel glassfishadm")

    if (os.access("/usr/java/jdk1.6.0_22", os.F_OK)):
        x("rpm -e sun-javadb-core-10.5.3-0.2")
        x("rpm -e sun-javadb-client-10.5.3-0.2")
        x("rpm -e sun-javadb-demo-10.5.3-0.2")
        x("rpm -e sun-javadb-docs-10.5.3-0.2")
        x("rpm -e sun-javadb-javadoc-10.5.3-0.2")
        x("rpm -e sun-javadb-common-10.5.3-0.2")
        x("rpm -e jdk-1.6.0_22-fcs")

    if (os.access("/usr/java/jdk1.6.0_24", os.F_OK)):
        x("rpm -e sun-javadb-core-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-client-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-demo-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-docs-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-javadoc-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-common-10.6.2-1.1.i386")
        x("rpm -e jdk-1.6.0_24-fcs")
        x("rpm -e jdk-6u24-linux-amd64")

    if (os.access("/usr/java/jdk1.6.0_29", os.F_OK)):
        x("rpm -e sun-javadb-javadoc-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-docs-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-demo-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-client-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-core-10.6.2-1.1.i386")
        x("rpm -e sun-javadb-common-10.6.2-1.1.i386")
        x("rpm -e jdk-6u29-linux-amd64")

    iptables.del_glassfish_chain()
    iptables.save()

    version_obj = version.Version("Install" + GLASSFISH_VERSION,
                                  SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#37
0
def _configure_iptables():
    '''
    Accept TCP traffic on 3128 from localnets and allow output to anywhere on port 80 and 443

    '''
    iptables.iptables(
        "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables(
        "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()
示例#38
0
def uninstall_sssd(args):
    app.print_verbose("Uninstall sssd script-version: %d" % SCRIPT_VERSION)
    x("yum -y remove openldap-clients sssd")
    x("rm -rf /var/lib/sss/")

    iptables.del_ldap_chain()
    iptables.save()

    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#39
0
def uninstall_sssd(args):
    app.print_verbose("Uninstall sssd script-version: %d" % SCRIPT_VERSION)
    x("yum -y remove openldap-clients sssd")
    x("rm -rf /var/lib/sss/")

    iptables.del_ldap_chain()
    iptables.save()

    version_obj = version.Version("InstallSssd", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#40
0
def install_freeradius(args):
    '''
  Install and configure the mysql-server on the local host.

  '''
    app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("InstallFreeRadius", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install the mysql-server packages.
    if (not os.access("/usr/sbin/radiusd", os.W_OK | os.X_OK)):
        x("yum -y install freeradius-utils freeradius-ldap")

        x("/sbin/chkconfig radiusd on ")
        if (not os.access("/usr/sbin/radiusd", os.F_OK)):
            raise Exception("Couldn't install FreeRadius")

    # Configure iptables
    iptables.add_freeradius_chain()
    iptables.save()

    app.print_verbose("Copying config")

    ldapconf = scOpen("/etc/raddb/modules/ldap")
    ldapconf.replace(
        "\\t*server =.*",
        "\\tserver=\"ldaps://%s\"" % config.general.get_ldap_hostname())
    ldapconf.replace("\\t#password = .*",
                     "\\tpassword =%s" % app.get_ldap_admin_password())
    ldapconf.replace(
        "\\t#identity = .*",
        "\\tidentity = \"cn=Manager,%s\"" % config.general.get_ldap_dn())
    ldapconf.replace("\\t#base_filter = .*",
                     "\\tbase_filter = \"(employeeType=Sysop)\"")
    ldapconf.replace("\\tfilter = .*", "\\tfilter =\"(uid=%u)\"")
    ldapconf.replace("\\tbasedn = .*",
                     "\\tbasedn =\"%s\"" % config.general.get_ldap_dn())

    #Deal with certs
    ldapconf.replace("\\t\\t# cacertfile.*=.*",
                     "\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt")
    ldapconf.replace("\\t\\t# certfile.*=.*",
                     "\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt")
    ldapconf.replace("\\t\\t# keyfile.*=.*",
                     "\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key")

    x("/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1' %s"
      %
      "/etc/raddb/sites-enabled/default > /etc/raddb/sites-enabled/default.tmp"
      )
    x("cp /etc/raddb/sites-enabled/default.tmp /etc/raddb/sites-enabled/default"
      )
    x("rm /etc/raddb/sites-enabled/default.tmp")
    version_obj.mark_executed()
示例#41
0
def uninstall_glassfish(args):
  '''
  The main function the glassfish uninstallation.

  '''
  app.print_verbose("Uninstall " + GLASSFISH_VERSION + " version: %d" % SCRIPT_VERSION)

  if (os.access(GLASSFISH_INSTALL_PATH, os.F_OK)):
    os.chdir("/tmp")
    x("/etc/init.d/" + GLASSFISH_VERSION + " stop -an")
    x("rm -rf " + GLASSFISH_INSTALL_PATH)
    x("/sbin/chkconfig --del " + GLASSFISH_VERSION)
    x("rm " + "/etc/init.d/" + GLASSFISH_VERSION)

  if (_is_glassfish_user_installed()):
    # Change dir if some of the rm commands fails, so not everythig will
    # be deleted by mistake.
    x("rm -rf /home/glassfish")
    x("userdel glassfish")
    x("groupdel glassfishadm")

  if (os.access("/usr/java/jdk1.6.0_22", os.F_OK)):
    x("rpm -e sun-javadb-core-10.5.3-0.2")
    x("rpm -e sun-javadb-client-10.5.3-0.2")
    x("rpm -e sun-javadb-demo-10.5.3-0.2")
    x("rpm -e sun-javadb-docs-10.5.3-0.2")
    x("rpm -e sun-javadb-javadoc-10.5.3-0.2")
    x("rpm -e sun-javadb-common-10.5.3-0.2")
    x("rpm -e jdk-1.6.0_22-fcs")

  if (os.access("/usr/java/jdk1.6.0_24", os.F_OK)):
    x("rpm -e sun-javadb-core-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-client-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-demo-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-docs-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-javadoc-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-common-10.6.2-1.1.i386")
    x("rpm -e jdk-1.6.0_24-fcs")
    x("rpm -e jdk-6u24-linux-amd64")

  if (os.access("/usr/java/jdk1.6.0_29", os.F_OK)):
    x("rpm -e sun-javadb-javadoc-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-docs-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-demo-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-client-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-core-10.6.2-1.1.i386")
    x("rpm -e sun-javadb-common-10.6.2-1.1.i386")
    x("rpm -e jdk-6u29-linux-amd64")

  iptables.del_glassfish_chain()
  iptables.save()

  version_obj = version.Version("Install" + GLASSFISH_VERSION, SCRIPT_VERSION)
  version_obj.mark_uninstalled()
示例#42
0
def _configure_iptables():
    """
    * Keepalived uses multicast and VRRP protocol to talk to the nodes and need to
        be opened. So first we remove the multicast blocks and then open them up.
    * VRRP is known as Protocol 112 in iptables.
    """
    iptables.iptables("-D multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-D multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-A syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-A syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.save()
示例#43
0
def install_espower(args):
    """Installation of Elastic search passing rule"""
    if (len(args) != 2):
        raise Exception("syco install-espower Logstash Version [syco install-es 1.4.2]")
    install_rabbit()
    install_logstash(args[1])
    config_rabbitmq()
    config_logstash()
    # Adding iptables rules
    iptables.add_rabbitmq_chain()
    iptables.save()

    print("Go to http://ip-address:15672 for rabbit mq ")
示例#44
0
def install_espower(args):
    """Installation of Elastic search passing rule"""
    if len(args) != 2:
        raise Exception("syco install-espower Logstash Version [syco install-es 1.4.2]")
    install_rabbit()
    install_logstash(args[1])
    config_rabbitmq()
    config_logstash()
    # Adding iptables rules
    iptables.add_rabbitmq_chain()
    iptables.save()

    print("Go to http://ip-address:15672 for rabbit mq ")
示例#45
0
def install_mail_client(args):
    """
    Installs a local postfix MTA which accepts email on localhost forwards
    relays everything to mailrelay-server. Also installs mailx.
    See line comments in install_mail_server

    """

    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters
    #
    general.use_original_file("/etc/postfix/main.cf")
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    postfix_main_cf.replace("#myhostname = host.domain.tld", "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain())) # monitor.syco.com
    postfix_main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(config.general.get_resolv_domain())) # syco.com
    postfix_main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen only on localhost
    postfix_main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    postfix_main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    postfix_main_cf.replace("mydestination = $myhostname, localhost.$mydomain, localhost", "mydestination = $myhostname, localhost")

    # Relay everything not for local machine to mailrelay.
    postfix_main_cf.replace("#relay_domains = $mydestination", "relay_domains = {0}".format(config.general.get_resolv_domain()))
    postfix_main_cf.replace("#relayhost = $mydomain","relayhost = [{0}]".format(config.general.get_mail_relay_domain_name()))
    postfix_main_cf.replace("#home_mailbox = Maildir/","home_mailbox = Maildir/")
    postfix_main_cf.replace("inet_protocols = all","inet_protocols = ipv4")

    # Install a simple mail CLI-tool
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
示例#46
0
def uninstall_mail_relay(args):
    """
    Uninstalls postfix and mailx.

    """
    app.print_verbose("Removing mail-relay chain")

    # Remove package and rpmsave of cfg
    x("yum remove postfix mailx -y")
    x("rm -rf /etc/postfix")

    # Remote iptables chains
    iptables.del_mail_relay_chain()
    iptables.save()
示例#47
0
def uninstall_ntp(args):
    '''
  Uninstall NTP

  '''
    if (os.access("/etc/ntp.conf", os.F_OK)):
        general.shell_exec("service ntpd stop")
    general.shell_exec("yum -y remove ntp ")

    iptables.del_ntp_chain()
    iptables.save()

    version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
    version_obj.mark_uninstalled()
示例#48
0
文件: installNTP.py 项目: Nemie/syco
def uninstall_ntp(args):
  '''
  Uninstall NTP

  '''
  if (os.access("/etc/ntp.conf", os.F_OK)):
    general.shell_exec("service ntpd stop")
  general.shell_exec("yum -y remove ntp ")

  iptables.del_ntp_chain()
  iptables.save()

  version_obj = version.Version("InstallNTP", SCRIPT_VERSION)
  version_obj.mark_uninstalled()
示例#49
0
def _install_nrpe(args):
    """
    The nrpe installation is quite standard . Except that the stock NRPE.conf
    is replaced with a prepped one. Server only listens to this IP. Not super
    safe but better than nothing. Also, argument parsing is _disabled_.

    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    app.print_verbose("Install required packages for NRPE")
    install_packages(
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python")

    # Move object structure and prepare conf-file
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(
        constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(
        constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Allow nrpe to listen on UDP port 5666
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
示例#50
0
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")

    _chkconfig("squid","off")
    _service("squid","stop")

    x("yum -y remove squid")
    x("rm -rf %s*" % (SQUID_CONF_DIR))
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()
示例#51
0
def _install_nrpe(args):
    """
    The nrpe installation is quite standard . Except that the stock NRPE.conf
    is replaced with a prepped one. Server only listens to this IP. Not super
    safe but better than nothing. Also, argument parsing is _disabled_.

    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    x(
        "yum install -y nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable"
        "perl-Date-Calc policycoreutils-python --exclude=nagios-nrpe"
    )

    # Move object structure and prepare conf-file
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Allow nrpe to listen on UDP port 5666
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
示例#52
0
def setup_node():
    """
	Setup nodejs for deployments
	"""
    # Installing nodejs modules for system
    x("/usr/local/bin/npm -g install express express-generator supervisor")

    # Setup webbfront
    x("yum install httpd -y")
    # Config webfront to proxy all info to port 3000
    x("cp /opt/syco/var/nodejs/httpd/nodejs.conf /etc/httpd/conf.d/")
    x("chkconfig httpd on")
    x("/etc/init.d/httpd restart")
    # Configure iptables
    iptables.add_httpd_chain()
    iptables.save()
示例#53
0
def install_rsyslogd_client(args):
    '''
    Install rsyslog client the server

    '''
    app.print_verbose("Install rsyslog client.")

    # If rsyslogd is installed, raise exception.
    version_obj = version.Version("InstallRsyslogd",
                                  installRsyslogd.SCRIPT_VERSION)
    version_obj.check_executed()

    #
    version_obj = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    #Enabling iptables before server has start
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Wating for rsyslog Server to start
    general.wait_for_server_to_start(config.general.get_log_server_hostname1(),
                                     "514")

    app.print_verbose("CIS 5.2 Configure rsyslog")

    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    if os.path.exists('/etc/xinetd.d/syslog'):
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restaring rsyslog
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    version_obj.mark_executed()
示例#54
0
def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")

    _chkconfig("squid", "off")
    _service("squid", "stop")

    x("yum -y remove squid")
    x("rm -rf %s*" % (SQUID_CONF_DIR))
    iptables.iptables(
        "-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables(
        "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()
示例#55
0
def _configure_iptables(args):
    '''
    * Keepalived uses multicast and VRRP protocol to talk to the nodes and need to 
        be opened. So first we remove the multicast blocks and then open them up.
    * VRRP is known as Protocol 112 in iptables.
    * Redis uses port 6379 and need to be opened.
    '''

    iptables.iptables("-A syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-A syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp")
    iptables.iptables("-D multicast_packets -s 224.0.0.0/4 -j DROP")
    iptables.iptables("-D multicast_packets -d 224.0.0.0/4 -j DROP")
    iptables.iptables("-A multicast_packets -d 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-A multicast_packets -s 224.0.0.0/8 -j ACCEPT")
    iptables.iptables("-A syco_input -p 112 -i eth1 -j ACCEPT")
    iptables.iptables("-A syco_output -p 112 -o eth1 -j ACCEPT")
    iptables.save()
示例#56
0
def uninstall_haproxy(args=""):
    '''
    Remove HA Proxy from the server.
    '''
    app.print_verbose("Uninstall HA Proxy")
    os.chdir("/")

    _chkconfig("haproxy","off")
    _service("haproxy","stop")

    x("yum -y remove haproxy")
    x("rm -rf {0}*".format(HAPROXY_CONF_DIR))
    x("rm -rf {0}/{1}.pem".format(CERT_COPY_TO_PATH, HAPROXY_ENV))
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 81,82,83,84 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 81,82,83,84 -j allowed_tcp")
    iptables.save()