def add_iptables_rules():
    """Open the firewall for NFS for the duration of the installation.

    Adds the syco NFS iptables chain and persists the ruleset so the
    installer can reach the NFS server while it runs.
    """
    iptables.add_nfs_chain()
    iptables.save()
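def install_mail_client(args):
    """Install a local postfix MTA that relays all outbound mail to the mail relay.

    Postfix listens on localhost only, treats only this host as a local
    destination and hands everything else to the relay host named in the
    syco config. mailx is installed as a CLI sender and a test mail is sent
    to the syco admin. Skipped on a host that will later run the postfix
    server. See the line comments in install_mail_server for the server side.

    Args:
        args: command-line arguments (unused).
    """
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose("This server will later install the postfix server, abort client installation.")
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    install.package("postfix")

    resolv_domain = config.general.get_resolv_domain()
    relay_host = config.general.get_mail_relay_domain_name()

    # general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # net.get_hostname() is used here as well; the original mixed a bare
    # get_hostname() with the qualified call above.
    main_cf.replace("#myhostname = host.domain.tld",
                    "myhostname = {0}.{1}".format(net.get_hostname(), resolv_domain))  # e.g. monitor.syco.com
    main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(resolv_domain))  # e.g. syco.com
    main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Listen on loopback only and trust only the local host as a client.
    # (The inet_interfaces replace is a no-op against the stock value; it is
    # kept to make the intent explicit.)
    main_cf.replace("inet_interfaces = localhost", "inet_interfaces = localhost")
    main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1")
    main_cf.replace("mydestination = $myhostname, localhost.$mydomain, localhost",
                    "mydestination = $myhostname, localhost")

    # Relay everything that is not for the local machine to the mail relay.
    main_cf.replace("#relay_domains = $mydestination", "relay_domains = {0}".format(resolv_domain))
    main_cf.replace("#relayhost = $mydomain", "relayhost = [{0}]".format(relay_host))
    main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")
    main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool.
    install_mailx()

    # Tell iptables and nrpe about the mail setup (the client shares the
    # relay chain with the server).
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send a test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))

    # Record the install so check_executed() can skip a re-run; the original
    # checked the version but never marked it executed.
    version_obj.mark_executed()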
def install_openvas(args):
    """Install and configure OpenVAS on the local host.

    Installs packages, disables SELinux, opens the OpenVAS iptables chain,
    syncs the NVT feed, rebuilds the manager database, creates the default
    admin user, then adjusts configs/database and starts the services.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install OpenVAS version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallOpenVAS", SCRIPT_VERSION)
    ver.check_executed()

    _install_packages()
    _disable_selinux()

    iptables.add_openvas_chain()
    iptables.save()

    # Feed sync, database rebuild, then the default administrator.
    # NOTE(review): the admin account is created with a fixed, well-known
    # password; it should be changed (or the command fed a generated secret)
    # before the OpenVAS web interface is reachable through the chain above.
    for cmd in (
        "openvas-nvt-sync --wget &> /dev/null ",
        "openvasmd --rebuild",
        "openvasad -c 'add_user' -u admin -w admin --role=Admin",
    ):
        x(cmd)

    _modify_configs()
    _setup_default_database()
    _start_all_services()

    ver.mark_executed()
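def install_mail_server(args):
    """Install a sendmail-based mail relay on the local host.

    Installs sendmail, marks the host as a mail relay for iptables, fixes up
    resolver/localhost networking, lets the 10.100.* servers relay through
    this host, removes sendmail's loopback-only listener so it accepts mail
    from other hosts, rebuilds the sendmail config and sends a test mail.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install mail-relay-server version: %d" % SCRIPT_VERSION)
    version_obj = version.Version("Install-mail-relay-server", SCRIPT_VERSION)
    version_obj.check_executed()

    general.shell_exec("yum -y install sendmail")

    # Tell iptables that this server is configured as a mail-relay server.
    general.shell_exec("touch /etc/mail/syco_mail_relay_server")
    iptables.add_mail_relay_chain()
    iptables.save()

    hardening.network.configure_resolv_conf()
    hardening.network.configure_localhost()
    hardening.network.restart_network()

    app.print_verbose("Configure /etc/mail/*")

    # Allow all servers on the 10.100.* local network to relay through this
    # server. The access map is rebuilt with absolute paths so the step does
    # not depend on the current working directory (the original used a bare
    # "access" and only worked when run from /etc/mail).
    set_config_property2("/etc/mail/access", "Connect:10.100 RELAY")
    x("/usr/sbin/makemap hash /etc/mail/access < /etc/mail/access")

    # Remove the loopback address restriction so sendmail accepts mail from
    # the internet or intranet; who may relay is governed by the access map.
    set_config_property(
        "/etc/mail/sendmail.mc",
        r".*DAEMON_OPTIONS\(\`Port\=smtp\,Addr\=127\.0\.0\.1\, Name\=MTA\'\)dnl",
        r"dnl DAEMON_OPTIONS(`Port=smtp,Addr=127.0.0.1, Name=MTA')dnl")

    _rebuild_sendmail_config()
    _test_mail()

    version_obj.mark_executed()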
def install_keepalived(args):
    """Install and configure keepalived for the environment given in args[1].

    Sets the module globals SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV and ka_env,
    validates the requested environment, installs the package, writes the
    keepalived config and opens the iptables rules it needs.

    Args:
        args: command name followed by the keepalived environment.
    """
    global SYCO_PLUGIN_PATH, ACCEPTED_KA_ENV, ka_env

    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/keepalived/").next()
    ACCEPTED_KA_ENV = get_environments()

    # Exactly one argument (the environment) must be given and it must be
    # one of the known environments; print_killmessage reports otherwise.
    if len(args) == 2:
        ka_env = args[1]
        if ka_env.lower() not in ACCEPTED_KA_ENV:
            print_killmessage()
    else:
        print_killmessage()

    app.print_verbose("Install Keepalived version: %d" % script_version)
    ver = version.Version("InstallKeepalived", script_version)
    ver.check_executed()

    os.chdir("/")
    install_packages("keepalived")
    _configure_keepalived()

    # Adding iptables rules
    iptables_setup()
    save()

    ver.mark_executed()
def uninstall_openvas(args):
    """Uninstall OpenVAS and undo the installer's system changes.

    Stops the services if the manager init script exists, removes the
    packages, data directory and the atomic yum repo, deletes the iptables
    chain, puts SELinux back to enforcing and marks the version record as
    uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    if os.access("/etc/init.d/openvas-manager", os.F_OK):
        app.print_verbose("Stop all services.")
        for service in ("openvas-manager", "openvas-scanner", "gsad"):
            x("/etc/init.d/{0} stop".format(service))

    # Remove packages and files.
    for cmd in ("yum -y remove openvas-*",
                "rm -rf /var/lib/openvas",
                "rm /etc/yum.repos.d/atomic.repo"):
        x(cmd)

    # Remove iptables rules.
    iptables.del_openvas_chain()
    iptables.save()

    # Re-enable SELinux, both at runtime and persistently.
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*", "SELINUX=enforcing")

    # Tell syco openvas is uninstalled.
    version.Version("InstallOpenVAS", SCRIPT_VERSION).mark_uninstalled()
def add_iptables_rules():
    """Open iptables for NFS for the duration of the installation.

    Adds the syco NFS iptables chain and persists the ruleset so the
    installer can reach the NFS server while it runs.
    """
    iptables.add_nfs_chain()
    iptables.save()
def install_sssd(args):
    """Install the LDAP client (sssd) and connect it to the network's LDAP server.

    Prompts for the sssd LDAP password up front, installs packages, sets up
    hosts, opens the LDAP iptables chain, waits for the LDAP server's ldaps
    port, installs certificates, runs authconfig, then configures the ldap
    tools, sssd and sudo.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallSssd", SCRIPT_VERSION)
    ver.check_executed()

    # Ask the installing user for all passwords before doing any work.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    iptables.add_ldap_chain()
    iptables.save()

    # Block until the LDAP server answers on ldaps (636).
    general.wait_for_server_to_start(config.general.get_ldap_server_ip(), "636")

    install_certs()

    # authconfig has to run twice for its changes to stick (original note:
    # "For some reason it needs to be executed twice").
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()
    configured_sssd()
    configured_sudo()

    ver.mark_executed()
def install_rsyslogd(args):
    """Install and configure rsyslogd as the log server.

    Installs rsyslog with TLS support, enables it at boot, generates TLS
    certificates if none exist, writes the server config, opens the rsyslog
    iptables chain, restarts the service and sets up compression/logrotate.

    Args:
        args: command-line arguments, passed on to rsyslog_newcerts and
            installLogrotate.install_logrotate.
    """
    app.print_verbose("Install rsyslogd.")
    ver = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    ver.check_executed()

    # Packages, and start at boot.
    x("yum install rsyslog rsyslog-gnutls gnutls-utils -y")
    x("chkconfig rsyslog on")

    # Generate new certs only when no CA cert exists yet.
    ca_cert = '/etc/pki/rsyslog/ca.crt'
    if not os.path.exists(ca_cert):
        rsyslog_newcerts(args)

    _setup_rsyslogd()

    # Add iptables chains
    iptables.add_rsyslog_chain("server")
    iptables.save()

    x("service rsyslog restart")

    install_compress_logs()
    installLogrotate.install_logrotate(args)

    ver.mark_executed()
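def _install_icinga_core(args):
    """Install the icinga core packages, its MySQL backend and iptables chain.

    Core installation is decently straightforward: the icinga binaries come
    from the rforge/EPEL repo, a SQL database is created with the standard
    icinga schema, ido2db is pointed at it and the syco icinga.cfg is copied
    into place. The "hard" part, the object base, is done by the reload
    helper.

    Args:
        args: passed through to _reload_icinga.

    Returns:
        The generated icinga SQL password, for the web-module installer.
    """
    # NOTE(review): SELinux is switched to permissive here and nothing in
    # this function switches it back; confirm a later step re-enables it.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Set up the icinga mysql-database.
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know the password has changed. The original passed a stray
    # extra ``False`` to str.format(); it was silently ignored and is dropped.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property("/etc/icinga/ido2db.cfg", "db_pass=icinga",
                                "db_pass={0}".format(icinga_sql_password))

    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args, reload=False)

    return icinga_sql_password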
def install_rsyslogd(args):
    """Install and configure rsyslogd as the log server.

    Installs rsyslog with TLS support, enables it at boot, generates TLS
    certificates if none exist, opens the rsyslog iptables chain, restarts
    the service and sets up compression/logrotate.

    Args:
        args: command-line arguments, passed on to rsyslog_newcerts and
            installLogrotate.install_logrotate.
    """
    app.print_verbose("Install rsyslogd.")
    ver = version.Version("InstallRsyslogd", SCRIPT_VERSION)
    ver.check_executed()

    # Packages, and start at boot.
    x("yum install rsyslog rsyslog-gnutls gnutls-utils -y")
    x("chkconfig rsyslog on")

    # Generate new certs only when no CA cert exists yet.
    ca_cert = '/etc/pki/rsyslog/ca.crt'
    if not os.path.exists(ca_cert):
        rsyslog_newcerts(args)

    # Add iptables chains
    iptables.add_rsyslog_chain("server")
    iptables.save()

    x("service rsyslog restart")

    install_compress_logs()
    installLogrotate.install_logrotate(args)

    ver.mark_executed()
def install_cobbler(args):
    """Install cobbler on the current host.

    Args:
        args: command-line arguments, passed on to setup_all_systems.
    """
    app.print_verbose("Install cobbler version: %d" % SCRIPT_VERSION)
    ver = version.Version("installCobbler", SCRIPT_VERSION)
    ver.check_executed()

    # Ask for the root password hash up front.
    app.get_root_password_hash()

    # SELinux is set to permissive at runtime and in /etc/selinux/config,
    # so this persists across reboots (original: "it just messes with me").
    x("echo 0 > /selinux/enforce")
    general.set_config_property("/etc/selinux/config", '^SELINUX=.*', "SELINUX=permissive")

    _install_cobbler()

    iptables.add_cobbler_chain()
    iptables.save()

    _modify_cobbler_settings()
    _import_repos()
    setup_all_systems(args)

    # Start/Restart used services.
    x("/etc/init.d/dhcpd restart")

    ver.mark_executed()
def install_haproxy(args):
    """Install and configure HAProxy for the environment/state on the command line.

    Fills the module globals for the certificate server and plugin path,
    validates the argument count, installs haproxy, opens its iptables chain,
    copies the certificates and writes the config.

    Args:
        args: command-line arguments; the environment and state are read by
            haproxy_env()/haproxy_state() after sys.argv has been validated.
    """
    global CERT_SERVER, CERT_SERVER_PATH, CERT_COPY_TO_PATH, SYCO_PLUGIN_PATH

    app.print_verbose("Install HA Proxy version: %d" % script_version)
    ver = version.Version("InstallHaproxy", script_version)
    ver.check_executed()

    CERT_SERVER = config.general.get_cert_server_ip()
    CERT_SERVER_PATH = config.general.get_option('haproxy.remote_cert_path')
    CERT_COPY_TO_PATH = config.general.get_option('haproxy.local_cert_path')
    SYCO_PLUGIN_PATH = app.get_syco_plugin_paths("/var/haproxy/").next()

    # Validate all command line parameters (sys.argv is checked, not args).
    if len(sys.argv) != 4:
        print_killmessage()
    haproxy_env()
    haproxy_state()

    x("yum install -y tcl haproxy")

    iptables.add_haproxy_chain()
    iptables.save()

    _copy_certificate_files()
    _configure_haproxy()

    ver.mark_executed()
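def install_ossec_client(args):
    """Install the OSSEC agent (client) on this server.

    Refuses to run on a host where the OSSEC server is already installed,
    builds OSSEC from the client preload config, writes the config and keys,
    enables syslog output, opens the OSSEC iptables chain and restarts the
    service. gcc and perl-Time-HiRes are removed afterwards.

    Args:
        args: command-line arguments (unused).
    """
    # An OSSEC server owns /var/ossec; never install the agent over it.
    if os.path.exists('/var/ossec/bin/manage_agents'):
        # Typo "insalling" in the original message fixed.
        app.print_error("Not installing OSSEC client since OSSEC server detected")
        return

    app.print_verbose("Install ossec client.")
    version_obj = version.Version("InstallOssec", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    build_ossec('preloaded-vars-client.conf')
    _setup_conf()
    _setup_keys()

    # Enable syslog logging
    x('/var/ossec/bin/ossec-control enable client-syslog')

    # Adding iptables rules
    iptables.add_ossec_chain()
    iptables.save()

    # Restart OSSEC
    x("service ossec restart")

    # Remove the build tools (presumably only needed by build_ossec).
    x('yum remove gcc perl-Time-HiRes -y')

    version_obj.mark_executed()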
def _install_icinga_web(icinga_db_pass):
    """Install the icinga-web module.

    Installs icinga-web and the PHP stack, creates the icinga-web MySQL
    database, writes the web client config, puts apache in the icingacmd
    group so the web UI can issue icinga commands, enables the services at
    boot and opens the httpd iptables chain.

    Args:
        icinga_db_pass: password of the icinga core database, needed by the
            web config.
    """
    x("yum install -y icinga-web php php-cli php-pear php-xmlrpc php-xsl php-pdo php-soap php-gd php-ldap php-mysql")

    # Setup icinga-web mysql
    web_db_pass = _setup_icinga_web_mysql()

    # Configure icinga web client config files
    _configure_icinga_web(icinga_db_pass, web_db_pass)

    # Allow icinga-web to issue icinga commands.
    # NOTE(review): useradd fails when the apache user already exists (httpd
    # is pulled in above); usermod -a -G is probably what is wanted — confirm.
    x("useradd -G icingacmd apache")

    # Make everything start on reboot.
    for service in ("httpd", "mysqld", "ido2db"):
        x("/sbin/chkconfig --level 3 {0} on".format(service))

    # Harden with iptables-chain
    iptables.add_httpd_chain()
    iptables.save()
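def _install_icinga_core(args):
    """Install the icinga core packages, its MySQL backend and iptables chain.

    Core installation is decently straightforward: the icinga binaries come
    from the rforge/EPEL repo, a SQL database is created with the standard
    icinga schema, ido2db is pointed at it and the syco icinga.cfg is copied
    into place. The "hard" part, the object base, is done by the reload
    helper.

    Args:
        args: passed through to _reload_icinga.

    Returns:
        The generated icinga SQL password, for the web-module installer.
    """
    # NOTE(review): SELinux is switched to permissive here and nothing in
    # this function switches it back; confirm a later step re-enables it.
    x("setenforce 0")
    install.rforge_repo()
    x("yum -y install icinga icinga-idoutils-libdbi-mysql nagios-plugins-all nagios-plugins-nrpe")

    # Set up the icinga mysql-database.
    icinga_sql_password = _setup_icinga_mysql()

    # Let ido2db know the password has changed. The original passed a stray
    # extra ``False`` to str.format(); it was silently ignored and is dropped.
    general.use_original_file("/etc/icinga/ido2db.cfg")
    general.set_config_property("/etc/icinga/ido2db.cfg", "db_pass=icinga",
                                "db_pass={0}".format(icinga_sql_password))

    x("cp --remove-destination {0}syco-private/var/nagios/icinga.cfg /etc/icinga/icinga.cfg".format(constant.SYCO_USR_PATH))
    x("chown icinga:icinga /etc/icinga/icinga.cfg")

    # Add icinga-server iptables chain
    iptables.add_icinga_chain()
    iptables.save()

    # Reload the icinga object structure
    _reload_icinga(args, reload=False)

    return icinga_sql_password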
def uninstall_openvas(args):
    """Uninstall OpenVAS and undo the installer's system changes.

    Stops the services if the manager init script exists, removes the
    packages, data directory and the atomic yum repo, deletes the iptables
    chain, puts SELinux back to enforcing and marks the version record as
    uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    if os.access("/etc/init.d/openvas-manager", os.F_OK):
        app.print_verbose("Stop all services.")
        for service in ("openvas-manager", "openvas-scanner", "gsad"):
            x("/etc/init.d/{0} stop".format(service))

    # Remove packages and files.
    for cmd in ("yum -y remove openvas-*",
                "rm -rf /var/lib/openvas",
                "rm /etc/yum.repos.d/atomic.repo"):
        x(cmd)

    # Remove iptables rules.
    iptables.del_openvas_chain()
    iptables.save()

    # Re-enable SELinux, both at runtime and persistently.
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*", "SELINUX=enforcing")

    # Tell syco openvas is uninstalled.
    version.Version("InstallOpenVAS", SCRIPT_VERSION).mark_uninstalled()
def install_freeradius(args):
    """Install and configure FreeRADIUS on the local host.

    Asks for the LDAP admin password, installs the packages, opens the
    freeradius iptables chain, configures and enables LDAP, configures
    radius and its clients, then restarts radiusd.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallFreeRadius", SCRIPT_VERSION)
    ver.check_executed()

    # Ask for the LDAP admin password before anything else.
    app.get_ldap_admin_password()

    _install_packages()

    # Configure iptables
    iptables.add_freeradius_chain()
    iptables.save()

    _configure_ldap()
    _enable_ldap()
    _configure_radius()
    _setup_radius_clients()

    x("/etc/init.d/radiusd restart")

    ver.mark_executed()
def install_openldap(args):
    """Install and harden openldap on the current host.

    Runs the installation and hardening steps in order and only then opens
    the firewall for LDAP clients, so the server is secured before anyone
    can connect. Finally installs the web page.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install openldap script-version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallOpenLdap", SCRIPT_VERSION)
    ver.check_executed()

    initialize_passwords()

    # Installation and hardening steps, in order.
    for step in (
        enable_selinux,
        install_packages,
        store_logs_on_file,
        configure_ldap_client,
        configure_openldap,
        configure_sudo_in_ldap,
        create_modules,
        add_auditlog_overlay,
        add_pwdpolicy_overlay,
        add_user_domain,
        create_certs,
        enable_ssl,
        require_highest_security_from_clients,
    ):
        step()

    # Let clients through the firewall last, once everything else is done,
    # so the server is secure before letting anybody in.
    iptables.add_ldap_chain()
    iptables.save()

    _install_web_page()

    ver.mark_executed()
def uninstall_redis(args):
    """Remove Redis (and its keepalived coupling) from the server.

    Stops and disables redis, restores keepalived to autostart, removes the
    packages and config files, deletes the redis/VRRP/multicast iptables
    rules added by the installer, restores the multicast DROP rules and
    marks the version record as uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Uninstall Redis")
    os.chdir("/")

    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")

    x("yum -y remove redis keepalived")
    for path in ("{0}redis.conf".format(REDIS_CONF_DIR),
                 "{0}redis.conf.rpmsave".format(REDIS_CONF_DIR),
                 "{0}*".format(KEEPALIVED_CONF_DIR)):
        x("rm -rf " + path)

    # Undo the installer's rules (-D), then put the multicast DROPs back (-A).
    for rule in (
        "-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
    ):
        iptables.iptables(rule)
    iptables.save()

    version.Version("InstallRedis", script_version).mark_uninstalled()
def uninstall_redis(args):
    """Remove Redis (and its keepalived coupling) from the server.

    Stops and disables redis, restores keepalived to autostart, removes the
    packages and config files, deletes the redis/VRRP/multicast iptables
    rules added by the installer, restores the multicast DROP rules and
    marks the version record as uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Uninstall Redis")
    os.chdir("/")

    _chkconfig("redis", "off")
    _service("redis", "stop")
    _chkconfig("keepalived", "on")
    _service("keepalived", "restart")

    x("yum -y remove redis keepalived")
    for path in ("{0}redis.conf".format(REDIS_CONF_DIR),
                 "{0}redis.conf.rpmsave".format(REDIS_CONF_DIR),
                 "{0}*".format(KEEPALIVED_CONF_DIR)):
        x("rm -rf " + path)

    # Undo the installer's rules (-D), then put the multicast DROPs back (-A).
    for rule in (
        "-D syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-D multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-D syco_input -p 112 -i eth1 -j ACCEPT",
        "-D syco_output -p 112 -o eth1 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/4 -j DROP",
    ):
        iptables.iptables(rule)
    iptables.save()

    version.Version("InstallRedis", script_version).mark_uninstalled()
def install_sssd(args):
    """Install the LDAP client (sssd) and connect it to the network's LDAP server.

    Prompts for the sssd LDAP password up front, installs packages, sets up
    hosts, opens the LDAP iptables chain, waits for the LDAP server's ldaps
    port, installs certificates, runs authconfig, configures the ldap tools
    and then writes the sssd and sudo configuration through Augeas.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install sssd script-version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallSssd", SCRIPT_VERSION)
    ver.check_executed()

    # Ask the installing user for all passwords before doing any work.
    app.get_ldap_sssd_password()

    install_packages()
    installOpenLdap.setup_hosts()

    iptables.add_ldap_chain()
    iptables.save()

    # Block until the LDAP server answers on ldaps (636).
    general.wait_for_server_to_start(config.general.get_ldap_server_ip(), "636")

    install_certs()

    # authconfig has to run twice for its changes to stick (original note:
    # "For some reason it needs to be executed twice").
    for _ in range(2):
        authconfig()

    installOpenLdap.configure_client_cert_for_ldaptools()

    # Config edits go through Augeas, driven by the same shell runner.
    aug = Augeas(x)
    create_sss_folders()
    configure_sssd(aug)
    configure_sudo(aug)

    ver.mark_executed()
def uninstall_openvas(args):
    """Uninstall OpenVAS from the local host.

    (The original docstring said "nmap"; this function removes OpenVAS.)
    Stops the services if the manager init script exists, removes the
    packages and data directory, deletes the iptables chain, puts SELinux
    back to enforcing and marks the version record as uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    if os.access("/etc/init.d/openvas-manager", os.F_OK):
        for service in ("openvas-manager", "openvas-scanner", "gsad"):
            general.shell_exec("/etc/init.d/{0} stop".format(service))

    x("yum -y remove openvas-*")
    x("rm -rf /var/lib/openvas")
    # Removal of /etc/yum.repos.d/atomic.repo is disabled in this variant.

    iptables.del_openvas_chain()
    iptables.save()

    # Re-enable SELinux, both at runtime and persistently.
    app.print_verbose("Enabling SELINUX")
    x("echo 1 > /selinux/enforce")
    selinuxconf = scOpen("/etc/selinux/config")
    selinuxconf.replace("^SELINUX=.*", "SELINUX=enforcing")

    version.Version("InstallOpenVAS", SCRIPT_VERSION).mark_uninstalled()
def install_openldap(args):
    """Install and harden openldap on the current host.

    Runs the installation and hardening steps in order and only then opens
    the firewall for LDAP clients, so the server is secured before anyone
    can connect.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Install openldap script-version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallOpenLdap", SCRIPT_VERSION)
    ver.check_executed()

    initialize_passwords()

    # Installation and hardening steps, in order.
    for step in (
        enable_selinux,
        install_packages,
        store_logs_on_file,
        configure_ldap_client,
        configure_openldap,
        configure_sudo_in_ldap,
        create_modules,
        add_auditlog_overlay,
        add_pwdpolicy_overlay,
        add_user_domain,
        create_certs,
        enable_ssl,
        require_highest_security_from_clients,
    ):
        step()

    # Let clients through the firewall last, once everything else is done,
    # so the server is secure before letting anybody in.
    iptables.add_ldap_chain()
    iptables.save()

    ver.mark_executed()
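def install_mail_server(args):
    """Install a postfix-based mail relay on this host.

    The MTA listens on localhost and on the front and back DMZ addresses,
    accepts mail from the front/back networks and loopback, relays straight
    to the internet (no relay host) and installs mailx as a CLI sender.
    A test mail is sent to the syco admin at the end.

    Args:
        args: command-line arguments (unused).
    """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    props = PostFixProperties()
    resolv_domain = config.general.get_resolv_domain()

    install.package("postfix")

    # general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is the full canonical name of the relay, e.g. mailrelay.syco.com.
    main_cf.replace("#myhostname = host.domain.tld",
                    "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(resolv_domain))  # e.g. syco.com
    main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept email from the front and back networks (plus loopback).
    main_cf.replace("inet_interfaces = localhost",
                    "inet_interfaces = 127.0.0.1,{0},{1}".format(props.server_front_ip, props.server_back_ip))
    main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
                    "mynetworks = {0}, {1}, 127.0.0.0/8".format(props.server_network_front, props.server_network_back))

    # Do not relay anywhere special, i.e. straight to the internet.
    main_cf.replace("#relay_domains = $mydestination", "relay_domains =")
    main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")

    # Stop warnings about IPv6.
    main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool.
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send a test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))

    # Record the install so check_executed() can skip a re-run; the original
    # checked the version but never marked it executed.
    version_obj.mark_executed()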
def _configure_iptables():
    """Open the firewall for the proxy.

    Accepts inbound TCP on 3128 via syco_input and outbound TCP to 80 and
    443 via syco_output, then saves the ruleset. Neither rule carries a
    source restriction itself; any "localnets" limit would have to come
    from the allowed_tcp chain, which is not visible here.
    """
    rules = (
        "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    )
    for rule in rules:
        iptables.iptables(rule)
    iptables.save()
def install_ntp(ntp_server_ip=False):
    """Install and configure ntpd on the local host.

    With ``ntp_server_ip`` given, the host becomes a client that only talks
    to that internal server and ignores every other peer and query; without
    it, the host becomes the site NTP server using the external servers
    listed below. Packages are installed only when /etc/ntp.conf is absent.

    Args:
        ntp_server_ip: address of the internal NTP server to sync from, or
            False to configure this host as the server.
    """
    app.print_verbose("Install NTP version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallNTP", SCRIPT_VERSION)
    ver.check_executed()

    # Install the NTP packages only when ntpd is not already present.
    if not os.access("/etc/ntp.conf", os.F_OK):
        general.shell_exec("yum -y install ntp")
        general.shell_exec("/sbin/chkconfig ntpd on")

    iptables.add_ntp_chain()
    iptables.save()

    # Every config change below targets /etc/ntp.conf.
    # For restrict info: http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
    def set_ntp_conf(pattern, value):
        general.set_config_property("/etc/ntp.conf", pattern, value)

    if ntp_server_ip:
        app.print_verbose("Configure /etc/ntp.conf as a client")

        # Deny packets of all kinds, including ntpq(8) and ntpdc(8) queries.
        set_ntp_conf("restrict default.*", "restrict default ignore")
        set_ntp_conf("restrict -6 default.*", "restrict -6 default ignore")

        # Use only the internal NTP server; comment out the pool servers.
        set_ntp_conf("server 0.*ntp.org", "server " + ntp_server_ip + " burst")
        set_ntp_conf(".*server 1.*ntp.org", "#server 1.se.pool.ntp.org")
        set_ntp_conf(".*server 2.*ntp.org", "#server 2.se.pool.ntp.org")
        set_ntp_conf(".*server 3.*ntp.org", "#server 3.se.pool.ntp.org")

        # Allow access to/from the ntp-server. A hostname or IP works on the
        # server line; the restrict line needs the IP address.
        restrict_line = "restrict " + ntp_server_ip + " kod nomodify notrap nopeer noquery"
        set_ntp_conf(restrict_line, restrict_line)

        # Don't use the local clock as a fudge server.
        set_ntp_conf(".*server.*127.127.1.0.*", "#server 127.127.1.0")
        set_ntp_conf(".*fudge.*127.127.1.0.*", "#fudge 127.127.1.0 stratum 10")

        # Disable the ntpd panic threshold (normally 1024 seconds): a clock
        # offset of any size from the server is accepted.
        set_ntp_conf(".*tinker panic.*", "tinker panic 0")
    else:
        app.print_verbose("Configure /etc/ntp.conf as a server")
        set_ntp_conf("server 0.*ntp.org", "server ntp3.sptime.se")
        set_ntp_conf("server 1.*ntp.org", "server ntp4.sptime.se")
        set_ntp_conf("server 2.*ntp.org", "server ntp1.sth.netnod.se")
        set_ntp_conf("server 3.*ntp.org", "server " + config.general.get_slave_ntp_server())

    general.shell_exec("service ntpd start")

    ver.mark_executed()
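def install_mail_server(args):
    """Install a postfix-based mail relay on this host.

    The MTA listens on localhost and on the front and back DMZ addresses
    (module-level server_front_ip / server_back_ip), accepts mail from the
    front/back networks and loopback, relays straight to the internet (no
    relay host) and installs mailx as a CLI sender. A test mail is sent to
    the syco admin at the end.

    Args:
        args: command-line arguments (unused).
    """
    version_obj = version.Version("Install-postfix-server", SCRIPT_VERSION)
    version_obj.check_executed()
    app.print_verbose("Installing postfix-server version: {0}".format(SCRIPT_VERSION))

    install.package("postfix")

    resolv_domain = config.general.get_resolv_domain()

    # general.use_original_file("/etc/postfix/main.cf")
    main_cf = scopen.scOpen("/etc/postfix/main.cf")

    # Hostname is the full canonical name of the relay, e.g. mailrelay.syco.com.
    main_cf.replace("#myhostname = host.domain.tld",
                    "myhostname = {0}".format(config.general.get_mail_relay_domain_name()))
    main_cf.replace("#mydomain = domain.tld", "mydomain = {0}".format(resolv_domain))  # e.g. syco.com
    main_cf.replace("#myorigin = $mydomain", "myorigin = $myhostname")

    # Accept email from the front and back networks (plus loopback).
    main_cf.replace("inet_interfaces = localhost",
                    "inet_interfaces = 127.0.0.1,{0},{1}".format(server_front_ip, server_back_ip))
    main_cf.replace("#mynetworks = 168.100.189.0/28, 127.0.0.0/8",
                    "mynetworks = {0}, {1}, 127.0.0.0/8".format(server_front_network, server_back_network))

    # Do not relay anywhere special, i.e. straight to the internet.
    main_cf.replace("#relay_domains = $mydestination", "relay_domains =")
    main_cf.replace("#home_mailbox = Maildir/", "home_mailbox = Maildir/")

    # Stop warnings about IPv6.
    main_cf.replace("inet_protocols = all", "inet_protocols = ipv4")

    # Install a simple mail CLI-tool.
    install_mailx()

    # Tell iptables and nrpe that this server is configured as a mail-relay server.
    iptables.add_mail_relay_chain()
    iptables.save()

    x("service postfix restart")

    # Send a test mail to the syco admin.
    send_test_mail((None, config.general.get_admin_email()))

    # Record the install so check_executed() can skip a re-run; the original
    # checked the version but never marked it executed.
    version_obj.mark_executed()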
def uninstall_glassfish(args):
    """Uninstall glassfish, its service user and the bundled Sun JDK/JavaDB RPMs.

    Stops and removes the glassfish install and init script when present,
    removes the glassfish user/group when present, erases whichever Sun JDK
    and JavaDB RPM set matches the installed JDK directory, deletes the
    iptables chain and marks the version record as uninstalled.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Uninstall " + GLASSFISH_VERSION + " version: %d" % SCRIPT_VERSION)

    init_script = "/etc/init.d/" + GLASSFISH_VERSION

    if os.access(GLASSFISH_INSTALL_PATH, os.F_OK):
        # Move out of the install tree before removing it (presumably so the
        # rm below never runs from inside the directory it deletes).
        os.chdir("/tmp")
        x(init_script + " stop -an")
        x("rm -rf " + GLASSFISH_INSTALL_PATH)
        x("/sbin/chkconfig --del " + GLASSFISH_VERSION)
        x("rm " + init_script)

    if _is_glassfish_user_installed():
        x("rm -rf /home/glassfish")
        x("userdel glassfish")
        x("groupdel glassfishadm")

    # Each JDK release shipped with its own JavaDB RPM set; remove the set
    # whose JDK directory exists. Order within each set is preserved.
    jdk_rpm_sets = (
        ("/usr/java/jdk1.6.0_22", (
            "sun-javadb-core-10.5.3-0.2",
            "sun-javadb-client-10.5.3-0.2",
            "sun-javadb-demo-10.5.3-0.2",
            "sun-javadb-docs-10.5.3-0.2",
            "sun-javadb-javadoc-10.5.3-0.2",
            "sun-javadb-common-10.5.3-0.2",
            "jdk-1.6.0_22-fcs",
        )),
        ("/usr/java/jdk1.6.0_24", (
            "sun-javadb-core-10.6.2-1.1.i386",
            "sun-javadb-client-10.6.2-1.1.i386",
            "sun-javadb-demo-10.6.2-1.1.i386",
            "sun-javadb-docs-10.6.2-1.1.i386",
            "sun-javadb-javadoc-10.6.2-1.1.i386",
            "sun-javadb-common-10.6.2-1.1.i386",
            "jdk-1.6.0_24-fcs",
            "jdk-6u24-linux-amd64",
        )),
        ("/usr/java/jdk1.6.0_29", (
            "sun-javadb-javadoc-10.6.2-1.1.i386",
            "sun-javadb-docs-10.6.2-1.1.i386",
            "sun-javadb-demo-10.6.2-1.1.i386",
            "sun-javadb-client-10.6.2-1.1.i386",
            "sun-javadb-core-10.6.2-1.1.i386",
            "sun-javadb-common-10.6.2-1.1.i386",
            "jdk-6u29-linux-amd64",
        )),
    )
    for jdk_dir, rpms in jdk_rpm_sets:
        if os.access(jdk_dir, os.F_OK):
            for rpm in rpms:
                x("rpm -e " + rpm)

    iptables.del_glassfish_chain()
    iptables.save()

    version.Version("Install" + GLASSFISH_VERSION, SCRIPT_VERSION).mark_uninstalled()
def _configure_iptables():
    """Open the firewall for the proxy.

    Accepts inbound TCP on 3128 via syco_input and outbound TCP to 80 and
    443 via syco_output, then saves the ruleset. Neither rule carries a
    source restriction itself; any "localnets" limit would have to come
    from the allowed_tcp chain, which is not visible here.
    """
    rules = (
        "-A syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
    )
    for rule in rules:
        iptables.iptables(rule)
    iptables.save()
def uninstall_sssd(args):
    """Remove sssd and the LDAP client tools and close the LDAP iptables chain.

    Args:
        args: command-line arguments (unused).
    """
    app.print_verbose("Uninstall sssd script-version: %d" % SCRIPT_VERSION)

    # Packages first, then the cached sssd state.
    for cmd in ("yum -y remove openldap-clients sssd", "rm -rf /var/lib/sss/"):
        x(cmd)

    iptables.del_ldap_chain()
    iptables.save()

    version.Version("InstallSssd", SCRIPT_VERSION).mark_uninstalled()
def install_freeradius(args):
    """Install and configure FreeRADIUS with LDAP authentication on the local host.

    (The original docstring said "mysql-server"; this installs freeradius.)
    Installs the packages when radiusd is missing, opens the iptables chain,
    points the ldap module at the site's LDAP server over ldaps with client
    certificates and enables the ldap block in the default site.

    Args:
        args: command-line arguments (unused).

    Raises:
        Exception: if /usr/sbin/radiusd is still missing after the install.
    """
    app.print_verbose("Install FreeRadius version: %d" % SCRIPT_VERSION)
    ver = version.Version("InstallFreeRadius", SCRIPT_VERSION)
    ver.check_executed()

    radiusd = "/usr/sbin/radiusd"

    # Install the freeradius packages unless the daemon is already present.
    if not os.access(radiusd, os.W_OK | os.X_OK):
        x("yum -y install freeradius-utils freeradius-ldap")
        x("/sbin/chkconfig radiusd on ")

    if not os.access(radiusd, os.F_OK):
        raise Exception("Couldn't install FreeRadius")

    # Configure iptables
    iptables.add_freeradius_chain()
    iptables.save()

    app.print_verbose("Copying config")
    ldapconf = scOpen("/etc/raddb/modules/ldap")

    # Server, bind identity and search settings. The LDAP admin (cn=Manager)
    # password is written in clear text into /etc/raddb/modules/ldap, so
    # that file's permissions matter; a less privileged bind DN would limit
    # the exposure if it leaks.
    # NOTE(review): the password is substituted into a regex replacement; a
    # value containing backslashes or group references could be altered —
    # confirm scOpen.replace escapes it.
    ldapconf.replace("\\t*server =.*", "\\tserver=\"ldaps://%s\"" % config.general.get_ldap_hostname())
    ldapconf.replace("\\t#password = .*", "\\tpassword =%s" % app.get_ldap_admin_password())
    ldapconf.replace("\\t#identity = .*", "\\tidentity = \"cn=Manager,%s\"" % config.general.get_ldap_dn())
    ldapconf.replace("\\t#base_filter = .*", "\\tbase_filter = \"(employeeType=Sysop)\"")
    ldapconf.replace("\\tfilter = .*", "\\tfilter =\"(uid=%u)\"")
    ldapconf.replace("\\tbasedn = .*", "\\tbasedn =\"%s\"" % config.general.get_ldap_dn())

    # TLS: CA, client certificate and key for the ldaps connection.
    ldapconf.replace("\\t\\t# cacertfile.*=.*", "\\t\\tcacertfile\\t= /etc/openldap/cacerts/ca.crt")
    ldapconf.replace("\\t\\t# certfile.*=.*", "\\t\\tcertfile\\t= /etc/openldap/cacerts/client.crt")
    ldapconf.replace("\\t\\t# keyfile.*=.*", "\\t\\tkeyfile\\t= /etc/openldap/cacerts/client.key")

    # Uncomment the first "#\tldap" line in the default site (enables the
    # ldap module), rewriting the file through a temporary copy.
    x("/usr/bin/awk '/^[#]\\tldap/{c++;if(c==1){sub(\"^[#]\\tldap\",\"\\tldap\")}}1' %s" % "/etc/raddb/sites-enabled/default > /etc/raddb/sites-enabled/default.tmp")
    x("cp /etc/raddb/sites-enabled/default.tmp /etc/raddb/sites-enabled/default")
    x("rm /etc/raddb/sites-enabled/default.tmp")

    ver.mark_executed()
def _configure_iptables():
    """Open iptables for keepalived (VRRP over multicast).

    Keepalived talks to its peers with VRRP (IP protocol 112) over
    multicast, so the multicast DROP rules are removed first, then
    multicast to/from 224.0.0.0/8 and VRRP on eth1 are accepted and the
    ruleset is saved.

    NOTE(review): the removed DROPs cover 224.0.0.0/4 but the ACCEPTs only
    cover 224.0.0.0/8, so the rest of the multicast range is no longer
    matched by this chain at all — confirm what the chain falls through to.
    """
    rules = (
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A syco_input -p 112 -i eth1 -j ACCEPT",
        "-A syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in rules:
        iptables.iptables(rule)
    iptables.save()
def install_espower(args):
    """Install the Elasticsearch "power" pipeline: RabbitMQ plus Logstash.

    Args:
        args: command name followed by the Logstash version to install.

    Raises:
        Exception: with a usage message when the version argument is missing.
    """
    if len(args) != 2:
        raise Exception("syco install-espower Logstash Version [syco install-es 1.4.2]")

    logstash_version = args[1]

    install_rabbit()
    install_logstash(logstash_version)
    config_rabbitmq()
    config_logstash()

    # Open the RabbitMQ iptables chain; the hint printed below suggests the
    # management UI on 15672 becomes reachable through it.
    iptables.add_rabbitmq_chain()
    iptables.save()

    print("Go to http://ip-address:15672 for rabbit mq ")
def install_espower(args):
    """Install the Elasticsearch "power" pipeline: RabbitMQ plus Logstash.

    Args:
        args: command name followed by the Logstash version to install.

    Raises:
        Exception: with a usage message when the version argument is missing.
    """
    if len(args) != 2:
        raise Exception("syco install-espower Logstash Version [syco install-es 1.4.2]")

    logstash_version = args[1]

    install_rabbit()
    install_logstash(logstash_version)
    config_rabbitmq()
    config_logstash()

    # Open the RabbitMQ iptables chain; the hint printed below suggests the
    # management UI on 15672 becomes reachable through it.
    iptables.add_rabbitmq_chain()
    iptables.save()

    print("Go to http://ip-address:15672 for rabbit mq ")
def install_mail_client(args):
    """
    Install a local postfix MTA that accepts mail on localhost only and
    relays everything not for this machine to the mail-relay server.
    Also installs mailx.

    See the line comments in install_mail_server.
    """
    # A host that will later get the postfix server must not get the client.
    if config.host(net.get_hostname()).has_command_re("install-postfix-server"):
        app.print_verbose(
            "This server will later install the postfix server, abort client installation."
        )
        return

    version_obj = version.Version("Install-postfix-client", SCRIPT_VERSION)
    version_obj.check_executed()

    # Install required packages
    install.package("postfix")

    # Set config file parameters in /etc/postfix/main.cf.
    # general.use_original_file("/etc/postfix/main.cf")
    # NOTE(review): get_hostname() is called bare here while the guard above
    # uses net.get_hostname() -- presumably the same function, confirm.
    edits = [
        # monitor.syco.com
        ("#myhostname = host.domain.tld",
         "myhostname = {0}.{1}".format(get_hostname(), config.general.get_resolv_domain())),
        # syco.com
        ("#mydomain = domain.tld",
         "mydomain = {0}".format(config.general.get_resolv_domain())),
        ("#myorigin = $mydomain", "myorigin = $myhostname"),
        # Listen only on localhost (old and new text are identical here, so
        # this replace does not change the file as written).
        ("inet_interfaces = localhost", "inet_interfaces = localhost"),
        # Only loopback may submit mail: no open relay.
        ("#mynetworks = 168.100.189.0/28, 127.0.0.0/8", "mynetworks = 127.0.0.1"),
        ("mydestination = $myhostname, localhost.$mydomain, localhost",
         "mydestination = $myhostname, localhost"),
        # Relay everything not for local machine to mailrelay.
        ("#relay_domains = $mydestination",
         "relay_domains = {0}".format(config.general.get_resolv_domain())),
        ("#relayhost = $mydomain",
         "relayhost = [{0}]".format(config.general.get_mail_relay_domain_name())),
        ("#home_mailbox = Maildir/", "home_mailbox = Maildir/"),
        ("inet_protocols = all", "inet_protocols = ipv4"),
    ]
    postfix_main_cf = scopen.scOpen("/etc/postfix/main.cf")
    for old, new in edits:
        postfix_main_cf.replace(old, new)

    # Install a simple mail CLI-tool
    install_mailx()

    # Open the mail-relay iptables chain for this host.
    iptables.add_mail_relay_chain()
    iptables.save()

    # Restart postfix
    x("service postfix restart")

    # Send test mail to the syco admin
    send_test_mail((None, config.general.get_admin_email()))
def uninstall_mail_relay(args):
    """
    Uninstall postfix and mailx, delete /etc/postfix and close the
    mail-relay iptables chain.
    """
    app.print_verbose("Removing mail-relay chain")

    # Remove the packages together with the rpmsave'd config.
    for cmd in ("yum remove postfix mailx -y", "rm -rf /etc/postfix"):
        x(cmd)

    # Remove iptables chains
    iptables.del_mail_relay_chain()
    iptables.save()
def uninstall_ntp(args):
    '''
    Uninstall NTP: stop ntpd and remove the package when it is installed,
    close the ntp iptables chain and mark InstallNTP as uninstalled.
    '''
    ntp_installed = os.access("/etc/ntp.conf", os.F_OK)
    if ntp_installed:
        for cmd in ("service ntpd stop", "yum -y remove ntp "):
            general.shell_exec(cmd)

    iptables.del_ntp_chain()
    iptables.save()

    version.Version("InstallNTP", SCRIPT_VERSION).mark_uninstalled()
def _install_nrpe(args):
    """
    Install and configure the NRPE agent.

    The installation is standard, except that the stock nrpe.cfg is
    replaced with a prepped one from syco-private in which $(MONITORIP)
    is substituted with the monitor server's IP, so only that host may
    query NRPE.  Not super safe but better than nothing.  Argument
    parsing is _disabled_ in that config.
    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    # NOTE(review): no exclude is passed to install_packages here -- confirm
    # it is handled inside that helper.
    app.print_verbose("Install required packages for NRPE")
    packages = (
        "nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap nagios-plugins-perl perl-Net-DNS "
        "perl-Proc-ProcessTable perl-Date-Calc policycoreutils-python"
    )
    install_packages(packages)

    # Move object structure and prepare conf-file
    nagios_src = "{0}syco-private/var/nagios/".format(constant.SYCO_USR_PATH)
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}nrpe.d /etc/nagios/".format(nagios_src))
    x("cp {0}nrpe.cfg /etc/nagios/".format(nagios_src))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    scopen.scOpen("/etc/nagios/nrpe.cfg").replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE (port 5666; whether the chain opens tcp or
    # udp is defined in add_nrpe_chain).
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")
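def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Stops and disables the service, removes the package and its config
    directory, then deletes the firewall rules the install added.

    Raises Exception when SQUID_CONF_DIR is empty or "/", because the
    config removal below runs `rm -rf <dir>*` from /.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")
    _chkconfig("squid","off")
    _service("squid","stop")
    x("yum -y remove squid")

    # Guard the glob: with an empty or root SQUID_CONF_DIR this would expand
    # to `rm -rf *` in / (we just chdir'ed there).
    if not SQUID_CONF_DIR or not SQUID_CONF_DIR.strip("/"):
        raise Exception("SQUID_CONF_DIR is not set, refusing to remove config")
    x("rm -rf %s*" % (SQUID_CONF_DIR))

    # Close the proxy port and the outbound web ports squid used.
    iptables.iptables("-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables("-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()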
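def _install_nrpe(args):
    """
    Install and configure the NRPE agent.

    The installation is standard, except that the stock nrpe.cfg is
    replaced with a prepped one from syco-private in which $(MONITORIP)
    is substituted with the monitor server's IP, so only that host may
    query NRPE.  Not super safe but better than nothing.  Argument
    parsing is _disabled_ in that config.
    """
    # Initialize all used passwords at the beginning of the script.
    app.get_ldap_sssd_password()
    app.get_mysql_monitor_password()

    install.epel_repo()

    # Confusing that nagios-plugins-all does not really include all plugins
    # WARNING: nrpe in EPEL and nagios-nrpe in RPMForge are the same package. At
    # the moment EPEL has the latest version but RPMForge obsolete the EPEL
    # package. Because of that, exclude nagios-nrpe from RPMForge.
    # Each literal below ends with a space: adjacent literals are joined
    # verbatim, and a missing space would fuse two package names.
    x(
        "yum install -y nagios-plugins-all nrpe nagios-plugins-nrpe php-ldap "
        "nagios-plugins-perl perl-Net-DNS perl-Proc-ProcessTable "
        "perl-Date-Calc policycoreutils-python --exclude=nagios-nrpe"
    )

    # Move object structure and prepare conf-file
    x("rm -rf /etc/nagios/nrpe.d")
    x("rm -rf /etc/nagios/nrpe.cfg")
    x("cp -r {0}syco-private/var/nagios/nrpe.d /etc/nagios/".format(constant.SYCO_USR_PATH))
    x("cp {0}syco-private/var/nagios/nrpe.cfg /etc/nagios/".format(constant.SYCO_USR_PATH))

    # Extra plugins installed
    _install_nrpe_plugins()

    # Allow only monitor to query NRPE
    monitor_server_front_ip = config.general.get_monitor_server_ip()
    app.print_verbose("Set monitor server: %s" % monitor_server_front_ip)
    nrpe_config = scopen.scOpen("/etc/nagios/nrpe.cfg")
    nrpe_config.replace("$(MONITORIP)", monitor_server_front_ip)

    # Set permissions for read/execute under nagios-user
    x("chown -R root:nrpe /etc/nagios/")

    # Open the firewall for NRPE (port 5666; whether the chain opens tcp or
    # udp is defined in add_nrpe_chain).
    iptables.add_nrpe_chain()
    iptables.save()

    # Make nrpe-server startup stateful and restart
    x("/sbin/chkconfig --level 3 nrpe on")
    x("service nrpe restart")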
def setup_node():
    """
    Setup nodejs for deployments: global npm modules, an httpd front that
    proxies to the node app on port 3000, and the httpd iptables chain.
    """
    # Global nodejs modules for the system (fetched from the npm registry).
    x("/usr/local/bin/npm -g install express express-generator supervisor")

    # Apache in front of node; nodejs.conf proxies all traffic to port 3000.
    for cmd in (
        "yum install httpd -y",
        "cp /opt/syco/var/nodejs/httpd/nodejs.conf /etc/httpd/conf.d/",
        "chkconfig httpd on",
        "/etc/init.d/httpd restart",
    ):
        x(cmd)

    # Configure iptables
    iptables.add_httpd_chain()
    iptables.save()
def install_rsyslogd_client(args):
    '''
    Install the rsyslog client on this server and point it at the
    central log server (TLS via rsyslog-gnutls, cert generated here).
    '''
    app.print_verbose("Install rsyslog client.")

    # If the rsyslogd server is installed on this host, check_executed raises.
    server_version = version.Version("InstallRsyslogd", installRsyslogd.SCRIPT_VERSION)
    server_version.check_executed()

    version_obj = version.Version("InstallRsyslogdClient", SCRIPT_VERSION)
    version_obj.check_executed()

    # Initialize all passwords used by the script
    app.init_mysql_passwords()

    # Open the firewall before waiting for the server.
    iptables.add_rsyslog_chain("client")
    iptables.save()

    # Waiting for the rsyslog server to start
    general.wait_for_server_to_start(config.general.get_log_server_hostname1(), "514")

    app.print_verbose("CIS 5.2 Configure rsyslog")
    app.print_verbose("CIS 5.2.1 Install the rsyslog package")
    general.install_packages("rsyslog rsyslog-gnutls")

    app.print_verbose("CIS 5.2.2 Activate the rsyslog Service")
    legacy_syslog = os.path.exists('/etc/xinetd.d/syslog')
    if legacy_syslog:
        x("chkconfig syslog off")
    x("chkconfig rsyslog on")

    _configure_rsyslog_conf()
    _gen_and_copy_cert(args)

    # Restarting rsyslog
    x("/etc/init.d/rsyslog restart")

    # Configure logrotate
    installLogrotate.install_logrotate(args)

    version_obj.mark_executed()
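def uninstall_squid(args=""):
    '''
    Remove Squid Caching Proxy from the server.

    Stops and disables the service, removes the package and its config
    directory, then deletes the firewall rules the install added.

    Raises Exception when SQUID_CONF_DIR is empty or "/", because the
    config removal below runs `rm -rf <dir>*` from /.
    '''
    app.print_verbose("Uninstall Squid Caching Proxy")
    os.chdir("/")
    _chkconfig("squid", "off")
    _service("squid", "stop")
    x("yum -y remove squid")

    # Guard the glob: with an empty or root SQUID_CONF_DIR this would expand
    # to `rm -rf *` in / (we just chdir'ed there).
    if not SQUID_CONF_DIR or not SQUID_CONF_DIR.strip("/"):
        raise Exception("SQUID_CONF_DIR is not set, refusing to remove config")
    x("rm -rf %s*" % (SQUID_CONF_DIR))

    # Close the proxy port and the outbound web ports squid used.
    iptables.iptables(
        "-D syco_input -p tcp -m multiport --dports 3128 -j allowed_tcp")
    iptables.iptables(
        "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp")
    iptables.save()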
def _configure_iptables(args):
    '''
    Open the firewall for a redis + keepalived node.

    * Redis uses port 6379 and needs to be opened in and out.
    * Keepalived talks to the other nodes over multicast and VRRP, so the
      generic multicast DROP rules are deleted first and ACCEPT rules added.
    * VRRP is IP protocol 112 in iptables and is only allowed on eth1.
    '''
    rules = (
        "-A syco_input -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-A syco_output -p tcp -m multiport --dports 6379 -j allowed_tcp",
        "-D multicast_packets -s 224.0.0.0/4 -j DROP",
        "-D multicast_packets -d 224.0.0.0/4 -j DROP",
        "-A multicast_packets -d 224.0.0.0/8 -j ACCEPT",
        "-A multicast_packets -s 224.0.0.0/8 -j ACCEPT",
        "-A syco_input -p 112 -i eth1 -j ACCEPT",
        "-A syco_output -p 112 -o eth1 -j ACCEPT",
    )
    for rule in rules:
        iptables.iptables(rule)
    iptables.save()
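def uninstall_haproxy(args=""):
    '''
    Remove HA Proxy from the server.

    Stops and disables the service, removes the package, its config
    directory and the copied certificate, then deletes the firewall rules
    the install added.

    Raises Exception when HAPROXY_CONF_DIR is empty or "/", because the
    config removal below runs `rm -rf <dir>*` from /.
    '''
    app.print_verbose("Uninstall HA Proxy")
    os.chdir("/")
    _chkconfig("haproxy","off")
    _service("haproxy","stop")
    x("yum -y remove haproxy")

    # Guard the glob: with an empty or root HAPROXY_CONF_DIR this would expand
    # to `rm -rf *` in / (we just chdir'ed there).
    if not HAPROXY_CONF_DIR or not HAPROXY_CONF_DIR.strip("/"):
        raise Exception("HAPROXY_CONF_DIR is not set, refusing to remove config")
    x("rm -rf {0}*".format(HAPROXY_CONF_DIR))
    x("rm -rf {0}/{1}.pem".format(CERT_COPY_TO_PATH, HAPROXY_ENV))

    # Close the frontend ports (80/443) and the stats/extra listeners (81-84).
    for rule in (
        "-D syco_input -p tcp -m multiport --dports 80,443 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 80,443 -j allowed_tcp",
        "-D syco_input -p tcp -m multiport --dports 81,82,83,84 -j allowed_tcp",
        "-D syco_output -p tcp -m multiport --dports 81,82,83,84 -j allowed_tcp",
    ):
        iptables.iptables(rule)
    iptables.save()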