#!/bin/bash
#
# Requirements:
# 1. 3 updated ubuntu 12.04 servers
# 2. The 'serverKeys.tar.gz' file from the viewingSetup.sh script
#
# Usage:
# ./server_setup.sh
# Then follow the instructions
#
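# Puppet Labs apt-repository release package: where it is fetched from and the
# local filename it is saved under (must be the URL's basename, since wget
# saves it under that name).  Fix: the original value had a stray "i" after
# the closing quote, so dpkg -i and rm were pointed at a ".debi" file that
# never existed.
PUPPETRELEASEDEB="https://apt.puppetlabs.com/puppetlabs-release-precise.deb"
PUPPETDEBNAME="puppetlabs-release-precise.deb"
# Extra packages the master needs for stored configs (Rails + sqlite backend).
PUPPETMASTERDEPENDENCIES="rubygems sqlite3 libsqlite3-ruby"
# Forge modules installed on the master; the text after "-" is the module name.
PUPPETMODULES='puppetlabs-apt puppetlabs-git puppetlabs-stdlib'
# Pre-built OSSEC tarball fetched over HTTPS.  NOTE(review): nothing in this
# script verifies a hash or signature for it before it is pushed to every
# server (see downloadOSSECBinary).
OSSECBINARYURL="https://pressfreedomfoundation.org/securedrop-files/ossec-binary.tgz"
OSSECBINARY="ossec-binary.tgz"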
# Abort unless running as root: every later step writes under /etc and
# installs packages.  Exits 1 with a message on stderr otherwise.
function rootCheck {
  if (( EUID != 0 )); then
    printf '%s\n' "This script must be run as root" >&2
    exit 1
  fi
}
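# Download puppet ppa package
# Add the Puppet Labs apt repository (via its release .deb) unless the repo's
# apt list file already exists.
# Fix: the original test was inverted -- it downloaded and installed the .deb
# when puppetlabs.list already existed and reported "already installed" when
# it did not, so a fresh server never got the repository.
# Arguments: $1 - optional path of the apt list file that marks the repo as
#                 present (default /etc/apt/sources.list.d/puppetlabs.list)
# Globals:   PUPPETRELEASEDEB, PUPPETDEBNAME (read)
# Returns:   non-zero if the download or dpkg -i fails
# NOTE(review): the .deb is fetched over HTTPS but its contents -- the apt
# signing key every later puppet package is trusted against -- are not
# checked against a known fingerprint before dpkg -i runs as root.
function puppetDownload {
  local list_file="${1:-/etc/apt/sources.list.d/puppetlabs.list}"
  if [ -f "$list_file" ]; then
    echo 'Puppet ppa is already installed'
    return 0
  fi
  wget "$PUPPETRELEASEDEB" || return 1
  dpkg -i "$PUPPETDEBNAME" || return 1
  apt-get update -y
  rm -f -- "$PUPPETDEBNAME"
}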
# On the puppet master: install puppetmaster plus the packages listed in
# PUPPETMASTERDEPENDENCIES in one non-interactive apt-get run.
function installPuppetMaster {
  local pkgs="puppetmaster $PUPPETMASTERDEPENDENCIES"
  # shellcheck disable=SC2086 -- the package list is meant to word-split
  apt-get install $pkgs -y
}
# On the puppet master: install the puppet-module gem unless a puppet-module
# command is already on PATH.  The cd is unchecked, as in the original; the
# gem install does not depend on the working directory.
function installPuppetModuleTool {
  if type -P puppet-module; then
    echo "Puppet module tool already installed"
    return
  fi
  cd /etc/puppet/modules
  gem install puppet-module
}
# On the puppet master: install Rails 2.2.2 unless `rails -v` reports exactly
# that version.  Any other output (including no rails on PATH) triggers the
# pinned gem install.
function installRails {
  local have
  have=$(rails -v)
  if [[ "$have" == "Rails 2.2.2" ]]; then
    echo "Rails already installed"
  else
    gem install rails -v 2.2.2 --no-ri --no-rdoc
  fi
}
# On the puppet master: install each forge module named in PUPPETMODULES,
# skipping any whose directory already exists under /etc/puppet/modules.
# The directory name is the second "-"-separated field of the forge name
# (puppetlabs-apt -> apt).  DIR stays global, as in the original.
function installPuppetModules {
  local mod name
  DIR='/etc/puppet/modules'
  cd "$DIR"
  for mod in $PUPPETMODULES; do
    IFS=- read -r _ name _ <<<"$mod"
    if [ -d "/etc/puppet/modules/$name" ]; then
      echo "$mod already installed"
      continue
    fi
    echo "Installing $name"
    puppet module install "$mod"
  done
}
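#Enable puppet stored configs
# Append the stored-configs settings to puppet.conf if they are not present.
# Fix: the option was misspelled "dbadpter"; puppet reads "dbadapter", so the
# sqlite backend setting was never applied.  The checks now match only a real
# setting line (not a comment mentioning the name) and grep quietly.
# Arguments: $1 - optional puppet.conf path (default /etc/puppet/puppet.conf)
function enablePuppetStoredconfigs {
  local conf="${1:-/etc/puppet/puppet.conf}"
  if ! grep -q '^[[:space:]]*thin_storeconfigs[[:space:]]*=' "$conf"; then
    echo "thin_storeconfigs = true" >> "$conf"
  fi
  if ! grep -q '^[[:space:]]*dbadapter[[:space:]]*=' "$conf"; then
    echo "dbadapter = sqlite3" >> "$conf"
  fi
}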
#Install deaddrop files
# Copy the repo's manifests/ and modules/ trees (relative to CURRENTDIR, set
# by main) into /etc/puppet, preserving modes and overwriting what is there.
function copyDeaddropFiles {
  local manifests="$CURRENTDIR/manifests"
  local modules="$CURRENTDIR/modules"
  cp -Rfp "$manifests" "$modules" /etc/puppet/
}
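#Download ossec binary
# Fetch (or take a local copy of) the OSSEC tarball and stage it as a file in
# the ossec puppet module, from where puppet pushes it to every server.
# Globals: CURRENTDIR, OSSECBINARYURL read; OSSECBINARY read and replaced by
#          the entered path when a local copy is used.
# Returns: non-zero if the download fails or the file does not exist, instead
#          of continuing with an empty module files/ directory.
# NOTE(review): the tarball ends up installed on all three hosts but no
# checksum or signature is verified here.  Check it against the publisher's
# hash out of band before answering "y".
function downloadOSSECBinary {
  cd "$CURRENTDIR"
  echo ''
  read -r -p "Download OSSEC binary from $OSSECBINARYURL? (y/n) " -e -i n DOWNLOADFROMINTERNET
  if [ "$DOWNLOADFROMINTERNET" == 'n' ]; then
    read -r -p 'Enter the full path to the OSSEC binary: ' -e -i ~/"$OSSECBINARY" OSSECBINARY
  else
    wget "$OSSECBINARYURL" || { echo "Download of $OSSECBINARYURL failed" >&2; return 1; }
  fi
  if [ ! -f "$OSSECBINARY" ]; then
    echo "OSSEC binary not found: $OSSECBINARY" >&2
    return 1
  fi
  mkdir -p /etc/puppet/modules/ossec/files/
  mv -- "$OSSECBINARY" /etc/puppet/modules/ossec/files/
}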
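#Download webpy
# Stage the web.py library under the deaddrop puppet module (skipped when
# files/webpy/web already exists), either from a local directory or by
# cloning it from GitHub.  Reads CURRENTDIR (set by main).
# Fixes:
#  - the answer test compared the literal word DOWNLOADFROMINTERNET with 'n'
#    (missing "$"), so the clone branch always ran and the entered local
#    path was ignored;
#  - the local-copy destination lacked the "modules/" component used by the
#    existence check, so it was copied to the wrong place;
#  - the clone now uses https instead of the unauthenticated git:// transport,
#    so the fetched code cannot be altered in transit (the checked-out commit
#    is still unpinned -- review it before deploying).
function downloadWebpy {
  cd "$CURRENTDIR"
  if [ -d '/etc/puppet/modules/deaddrop/files/webpy/web' ]; then
    return 0
  fi
  echo ''
  read -r -p 'Download webpy from github? (y/n) ' -e -i n DOWNLOADFROMINTERNET
  if [ "$DOWNLOADFROMINTERNET" == 'n' ]; then
    read -r -p 'Enter the full path to webpy directory: ' -e -i ~/webpy WEBPY
    mv -- "$WEBPY" /etc/puppet/modules/deaddrop/files/
  else
    git clone https://github.com/webpy/webpy.git /etc/puppet/modules/deaddrop/files/webpy
  fi
}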
# Enter Environment Variables
# Interactively fill in the site-specific values in /etc/puppet/manifests/nodes.pp:
# copy the application's public key into the deaddrop module, then rewrite each
# "$name = 'value'" line of nodes.pp whose first field matches (awk -v keeps the
# value out of the awk program text), install python-bcrypt and store a freshly
# generated bcrypt salt.  Reads CURRENTDIR (set by main).  Every value read here
# stays a global -- ossecAuthd later uses $journalist_ip and $source_ip, so they
# are only set if this step ran in the same session.
# Control flow: on "y" this calls main directly instead of returning, on "n" it
# calls itself, so the shell call stack grows with each pass.
function enterEnvironmentVariables {
DIR="/etc/puppet/manifests"
echo ''
echo '##########################################################'
echo 'You will need to provide the following environment'
echo 'specific information.'
echo "- The application's public gpg key"
echo '- Monitor, Source and Document Server IP address and fully'
echo ' qualified domain names'
echo '- The IP address that the admin will be SSHing from'
echo '- The IP address of the firewall'
echo "- The application PGP key's fingerprint"
echo '- The SMTP server for email alerts'
echo '- The email address to send alerts to'
echo '##########################################################'
echo ''
cd $CURRENTDIR
# The default path is relative to CURRENTDIR; only the basename is recorded in
# nodes.pp.  NOTE(review): nothing checks that the file is actually an
# ASCII-armoured public key before it is copied into the module.
read -p "Enter the full path to application's public gpg key: " -e -i ../SecureDrop.asc KEYFILE
cp -p $KEYFILE /etc/puppet/modules/deaddrop/files
app_gpg_pub_key=$(basename "$KEYFILE")
cd $DIR
awk -v value="'$app_gpg_pub_key'" '$1=="$app_gpg_pub_key"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
# No format check on the fingerprint (and plain read, so backslashes are
# interpreted); a typo is only caught by the manual review at the end.
echo -n "Enter the application PGP fingerprint generated on the viewing station: "
read app_gpg_fingerprint
awk -v value="'$app_gpg_fingerprint'" '$1=="$app_gpg_fingerprint"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Monitor server's IP address: "
read monitor_ip
awk -v value="'$monitor_ip'" '$1=="$monitor_ip"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Monitor server's fully qualified domain: "
read monitor_fqdn
# NOTE(review): unlike the awk -v updates, the FQDN is spliced into a sed
# expression unescaped -- a "/", "&" or "\" in it breaks or hijacks the
# substitution.  It replaces the literal placeholder text "monitor_fqdn"
# (presumably the node name), so it works once per fresh nodes.pp: the "n"
# retry path below cannot correct a mistyped FQDN in that spot.
sed -i "s/monitor_fqdn/$monitor_fqdn/" nodes.pp
awk -v value="'$monitor_fqdn'" '$1=="$monitor_hostname"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Source server's IP address: "
read source_ip
awk -v value="'$source_ip'" '$1=="$source_ip"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Source server's fully qualified domain: "
read source_fqdn
# Same unescaped sed substitution as for the monitor FQDN.
sed -i "s/source_fqdn/$source_fqdn/" nodes.pp
awk -v value="'$source_fqdn'" '$1=="$source_hostname"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Document server's IP address: "
read journalist_ip
awk -v value="'$journalist_ip'" '$1=="$journalist_ip"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the Document server's fully qualified domain: "
read journalist_fqdn
# Same unescaped sed substitution as for the monitor FQDN.
sed -i "s/journalist_fqdn/$journalist_fqdn/" nodes.pp
awk -v value="'$journalist_fqdn'" '$1=="$journalist_hostname"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
# The manifests presumably turn this into an ssh allow-list on the monitor
# (the prompt says other IPs get blocked): a wrong value here locks the admin
# out -- double-check it in the review step.
echo -n "Enter the IP address that you will be SSHing to the Monitor Server from (other IPs will get blocked):"
read admin_ip
awk -v value="'$admin_ip'" '$1=="$admin_ip"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the management IP address of the firewall (or 127.0.0.1 if you don't have one): "
read intFWlogs_ip
awk -v value="'$intFWlogs_ip'" '$1=="$intFWlogs_ip"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the SMTP server for email alerts to use: "
read mail_server
awk -v value="'$mail_server'" '$1=="$mail_server"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo -n "Enter the email address to send alerts to: "
read ossec_email_to
awk -v value="'$ossec_email_to'" '$1=="$ossec_email_to"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
# NOTE(review): python-bcrypt is pulled from PyPI at setup time, unpinned and
# unverified (supply-chain exposure on the monitor); the generated salt is
# echoed to the terminal and stored in nodes.pp, which the manifests presumably
# use to hash source codenames -- treat nodes.pp as sensitive.  Confirm both
# points against modules/deaddrop.
echo -n "Using python-bcrypt's bcrypt.gensalt to create bcrypt salt"
apt-get install python-pip python-dev -y
pip install python-bcrypt
bcrypt_salt=`python $CURRENTDIR/gen_bcrypt_salt.py`
echo $bcrypt_salt
awk -v value="'$bcrypt_salt'" '$1=="$bcrypt_salt"{$3=value}1' nodes.pp > nodes.pp.tmp && mv nodes.pp.tmp nodes.pp
echo ''
echo '############################################################'
echo '#Check the values entered #'
echo '############################################################'
echo ''
# Prints the whole file, salt included, for manual review.
cat $DIR/nodes.pp
echo ''
echo -n 'Are these okay (y/n): '
read answer
case $answer in
"y")
main
;;
"n")
enterEnvironmentVariables
;;
*)
echo 'invalid entry'
main
;;
esac
}
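# Install puppet on the source and journalist servers
# Record the three hosts in the monitor's /etc/hosts (this host doubles as
# "puppet"), then ssh to the source and document servers as REMOTEUSER to add
# the same entries, install the puppet agent and run it once so their CSRs
# reach the master.  IPs and hostnames come from nodes.pp, so option 2 must
# have run first.  SOURCE, JOURNALIST, MONITOR, *_HOSTNAME and REMOTEUSER are
# left global as in the original.
# Fix: the agents fetched the Puppet Labs release .deb over plain http while
# the master fetches the same file over https (PUPPETRELEASEDEB).  That .deb
# installs the apt signing key every later package is trusted against, and
# dpkg -i runs as root, so a MITM on that fetch could take over the agent
# hosts; it now uses https.  NOTE(review): the .deb is still not checked
# against a known fingerprint on either side.
# Returns: 1 if the manifests directory cannot be entered (the original went
#          on with empty values and silently skipped the agents).
function installAgents {
  DIR='/etc/puppet/manifests'
  cd "$DIR" || return 1
  echo ''
  echo ''
  echo '########################################################'
  echo 'This will install and configure puppet on the source and'
  echo 'document servers using the IP addresses provided'
  echo '########################################################'
  echo ''
  # nodes.pp lines look like "$source_ip = '1.2.3.4'": field 1 is the puppet
  # variable name, field 3 the quoted value.
  SOURCE=$(awk '{if ($1=="$source_ip") print $3;}' nodes.pp | sed "s/'//g")
  JOURNALIST=$(awk '{if ($1=="$journalist_ip") print $3;}' nodes.pp | sed "s/'//g")
  MONITOR=$(awk '{if ($1=="$monitor_ip") print $3;}' nodes.pp | sed "s/'//g")
  SOURCE_HOSTNAME=$(awk '{if ($1=="$source_hostname") print $3;}' nodes.pp | sed "s/'//g")
  JOURNALIST_HOSTNAME=$(awk '{if ($1=="$journalist_hostname") print $3;}' nodes.pp | sed "s/'//g")
  MONITOR_HOSTNAME=$(awk '{if ($1=="$monitor_hostname") print $3;}' nodes.pp | sed "s/'//g")
  AGENTS="$SOURCE $JOURNALIST"
  echo "Congiguring /etc/hosts file on $MONITOR_HOSTNAME server..."
  # Make the third field of the 127.0.0.1 line "puppet" so the agent on this
  # host resolves its master locally.
  awk '$1=="127.0.0.1"{$3="puppet"}1' /etc/hosts > /etc/hosts.tmp && mv /etc/hosts.tmp /etc/hosts
  # Unanchored substring checks: an empty hostname matches every line and the
  # append is silently skipped.
  if ! grep -q "$SOURCE_HOSTNAME" /etc/hosts; then
    echo "$SOURCE $SOURCE_HOSTNAME" >> /etc/hosts
  fi
  if ! grep -q "$JOURNALIST_HOSTNAME" /etc/hosts; then
    echo "$JOURNALIST $JOURNALIST_HOSTNAME" >> /etc/hosts
  fi
  if ! grep -q "$MONITOR_HOSTNAME" /etc/hosts; then
    echo "$MONITOR $MONITOR_HOSTNAME" >> /etc/hosts
  fi
  cat /etc/hosts
  echo -n 'What is your username on the Source and Document server? '
  read -r REMOTEUSER
  local agent
  for agent in $AGENTS
  do
    echo ''
    echo '#######################################################'
    echo "ssh to $agent as $REMOTEUSER"
    echo '#######################################################'
    echo ''
    # The inner double quotes are consumed by the local shell (they toggle the
    # outer string off and on), so the remote sh receives an unquoted command
    # line: the IPs and hostnames must not contain spaces or metacharacters.
    # Kept as in the original apart from the https scheme.
    ssh -t -t "$REMOTEUSER@$agent" "sudo /bin/sh -c 'echo "$MONITOR $MONITOR_HOSTNAME puppet" >> /etc/hosts;echo "$SOURCE $SOURCE_HOSTNAME" >> /etc/hosts; echo "$JOURNALIST $JOURNALIST_HOSTNAME" >> /etc/hosts; wget "https://apt.puppetlabs.com/puppetlabs-release-precise.deb"; dpkg -i "puppetlabs-release-precise.deb"; apt-get update; apt-get install puppet -y; puppet agent -t'"
  done
  echo ''
  echo '#######################################################'
  echo 'Agents are installed sign the agent certs on the puppet'
  echo 'master'
  echo '#######################################################'
  echo ''
}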
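#Sign All Certs
# Show the certificate requests waiting on the master and sign them all once
# the operator confirms the list.
# Fix: the original signed every pending request blind.  Any host that can
# reach the master's puppet port can submit a CSR, so blanket signing would
# also admit an attacker's machine as a managed node.  The pending list is
# printed first and an explicit "y" is required; the signing command itself
# is unchanged.
function signAllCerts {
  local answer
  echo ''
  echo '########################################################'
  echo 'This will sign all the waiting agent certs on the puppet'
  echo 'master'
  echo '########################################################'
  echo 'Pending certificate requests:'
  puppetca --list
  echo -n 'Sign ALL of the above? Only the source and document servers should be listed (y/n): '
  read -r answer
  if [ "$answer" == 'y' ]; then
    puppetca --sign --all
  else
    echo 'Not signing; remove unexpected requests with "puppetca --clean <name>" and re-run.'
  fi
}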
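#run puppet manifests in correct order
# One puppet pass: restart the master and apply its own catalog, then restart
# the agent and apply on the source and document servers over ssh.
# Sets the globals MONITOR, SOURCE, JOURNALIST and REMOTEUSER that ossecAuthd
# and displayTorURL rely on afterwards, so they must stay global.
# Arguments: $1 - optional manifests directory containing nodes.pp
#                 (default /etc/puppet/manifests/)
# Returns:   1 if that directory cannot be entered (the original carried on
#            with empty IPs and silently skipped the agents)
function runPuppetManifests {
  DIR="${1:-/etc/puppet/manifests/}"
  cd "$DIR" || return 1
  # nodes.pp lines look like "$monitor_ip = '1.2.3.4'"; take the quoted value.
  MONITOR=$(awk '{if ($1=="$monitor_ip") print $3;}' nodes.pp | sed "s/'//g")
  SOURCE=$(awk '{if ($1=="$source_ip") print $3;}' nodes.pp | sed "s/'//g")
  JOURNALIST=$(awk '{if ($1=="$journalist_ip") print $3;}' nodes.pp | sed "s/'//g")
  AGENTS="$SOURCE $JOURNALIST"
  echo ''
  echo '##########################################'
  echo 'Running puppet manifests on monitor server'
  echo '##########################################'
  echo ''
  service puppetmaster restart
  puppet agent -t
  echo -n 'What is your username on the Source and Document server? '
  read -r REMOTEUSER
  local agent
  for agent in $AGENTS
  do
    echo "ssh to $agent as $REMOTEUSER"
    ssh -t -t "$REMOTEUSER@$agent" "sudo /bin/sh -c 'service puppet restart; puppet agent -t'"
  done
}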
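# Enrol the source and document servers' OSSEC agents with the monitor: create
# the authd TLS key/cert once, start ossec-authd, run agent-auth on each agent
# host against MONITOR over ssh, then stop authd again.
# Globals: REMOTEUSER, SOURCE, JOURNALIST, MONITOR (set by runPuppetManifests);
#          journalist_ip, source_ip (set only if option 2 ran this session).
# Fixes:
#  - the second agent-auth was run on $SOURCE twice, so the document server
#    never enrolled;
#  - authd was left running in the background with enrollment open to anyone
#    who could reach port 1515; it is now stopped after both agents are done
#    (ossec-authd stays in the foreground when started this way, hence the &,
#    so $! is its pid);
#  - the private key is restricted to root:ossec 640 like the cert instead of
#    whatever the umask gave it.
# NOTE(review): in the ossec-authd builds I know, -i takes no argument (it
# means "use the client's source IP"), so the IPs appended after it are likely
# ignored rather than acting as an allow-list; left as-is -- confirm against
# the bundled binary.
function ossecAuthd {
  local authd_pid
  cd /var/ossec
  if [ ! -f /var/ossec/etc/sslmanager.cert ]; then
    openssl ecparam -name prime256v1 -genkey -out /var/ossec/etc/sslmanager.key
    openssl req -new -x509 -key /var/ossec/etc/sslmanager.key -out /var/ossec/etc/sslmanager.cert -days 365
    chown root:ossec /var/ossec/etc/sslmanager.key /var/ossec/etc/sslmanager.cert
    chmod 640 /var/ossec/etc/sslmanager.key
  fi
  /var/ossec/bin/ossec-authd -p 1515 -i $journalist_ip $source_ip >/dev/null 2>&1 &
  authd_pid=$!
  ssh -t -t "$REMOTEUSER@$SOURCE" "sudo /bin/sh -c '/var/ossec/bin/agent-auth -m $MONITOR'"
  ssh -t -t "$REMOTEUSER@$JOURNALIST" "sudo /bin/sh -c '/var/ossec/bin/agent-auth -m $MONITOR'"
  # Close the enrollment window once both agents have registered.
  kill "$authd_pid" 2>/dev/null
}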
# Print the .onion hostnames of the source and document servers' hidden
# services by reading the root-only hostname file over ssh.  Uses REMOTEUSER,
# SOURCE and JOURNALIST set by runPuppetManifests.
function displayTorURL {
  local target
  echo "The source server's Tor URL is: "
  target="$REMOTEUSER@$SOURCE"
  ssh -t -t "$target" "sudo /bin/sh -c 'cat /var/lib/tor/hidden_service/hostname'"
  echo "The document server's Tor URL for the journalists are:"
  target="$REMOTEUSER@$JOURNALIST"
  ssh -t -t "$target" "sudo /bin/sh -c 'cat /var/lib/tor/hidden_service/hostname'"
}
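# Final step: purge puppet and the build toolchain from all three servers and
# delete /etc/puppet (CA keys, signed certs and node manifests) on the monitor.
# Fix: the remote hosts were addressed as the literal names "source" and
# "journalist", which resolve only if the operator happened to enter exactly
# those as the FQDNs (installAgents writes "$IP $FQDN" into /etc/hosts), so the
# agent clean-up normally failed to connect.  The IPs are now read from
# nodes.pp *before* /etc/puppet is removed, falling back to the SOURCE /
# JOURNALIST globals from this session and finally to the old literal names.
# Arguments: $1 - optional nodes.pp path (default /etc/puppet/manifests/nodes.pp)
function cleanUp {
  local nodes="${1:-/etc/puppet/manifests/nodes.pp}"
  local src_host="${SOURCE:-source}" jrn_host="${JOURNALIST:-journalist}"
  local purge_pkgs='rubygems puppetmaster puppet gcc make libncurses5-dev build-essential kernel-package git-core g++ python-setuptools sqlite3 libsqlite3-ruby python-pip'
  local v
  if [ -f "$nodes" ]; then
    v=$(awk '{if ($1=="$source_ip") print $3;}' "$nodes" | sed "s/'//g")
    [ -n "$v" ] && src_host=$v
    v=$(awk '{if ($1=="$journalist_ip") print $3;}' "$nodes" | sed "s/'//g")
    [ -n "$v" ] && jrn_host=$v
  fi
  sysctl -p
  # shellcheck disable=SC2086 -- package list is meant to word-split
  apt-get purge $purge_pkgs -y
  apt-get autoremove -y
  rm -Rf /etc/puppet
  echo -n 'What is your username on the Source and Document server? '
  read -r REMOTEUSER
  ssh -t -t "$REMOTEUSER@$src_host" "sudo /bin/sh -c 'apt-get purge $purge_pkgs -y; apt-get autoremove -y'"
  ssh -t -t "$REMOTEUSER@$jrn_host" "sudo /bin/sh -c 'apt-get purge $purge_pkgs -y; apt-get autoremove -y'"
}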
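#Main
# Interactive menu.  Each choice runs its step(s) and then re-enters main (by
# recursion), so the script only ends via "0" or after "6" (cleanUp returns
# and control falls through to the trailing exit 0).
# Fix: CURRENTDIR -- the directory the script was started from, where
# manifests/, modules/, ../SecureDrop.asc and gen_bcrypt_salt.py are looked
# up -- was recomputed with pwd on every pass through the menu, but several
# steps cd elsewhere and never come back (enterEnvironmentVariables ends in
# /etc/puppet/manifests), so a second trip through option 2 looked for those
# files in the wrong place.  It is now captured once.  Option 7 (not
# implemented) and an invalid choice now say so and return to the menu instead
# of silently ending the script.
function main {
  CURRENTDIR=${CURRENTDIR:-$(pwd)}
  rootCheck
  echo ''
  echo '############################################################'
  echo 'This script expects ~/SecureDrop.asc to be the application PGP key'
  echo 'The remaining steps will install puppet run the manifests'
  echo '(1) Install puppetmaster'
  echo '(2) Enter environment information'
  echo '(3) Install puppet agent on source and document servers'
  echo '(4) Sign agent certs'
  echo '(5) Run puppet manifests'
  echo '(6) Clean up puppet and install files'
  echo '(7) Apply GRSECURITY lock (if you have grsec-patched kernel)'
  echo '(0) quit'
  echo '###########################################################'
  echo ''
  echo -n 'Enter your choice (0-7): '
  read -r option
  case "$option" in
    #Install puppetmaster
    "1")
      puppetDownload
      installPuppetMaster
      installPuppetModuleTool
      installRails
      installPuppetModules
      enablePuppetStoredconfigs
      copyDeaddropFiles
      downloadOSSECBinary
      downloadWebpy
      main
      ;;
    #Enter Environment Variables (calls main itself on "y")
    "2")
      enterEnvironmentVariables
      main
      ;;
    #Install puppet on agents
    "3")
      installAgents
      main
      ;;
    #Sign certs
    "4")
      signAllCerts
      main
      ;;
    #Run puppet manifests monitor -> source -> journalist.  Run twice as in the
    #original (presumably so the second pass picks up what the first created
    #-- not verified here), then enrol OSSEC agents and show the onion URLs.
    "5")
      runPuppetManifests
      runPuppetManifests
      ossecAuthd
      displayTorURL
      main
      ;;
    #After installation confirmed successfull cleanup unneeded
    #programs and files
    "6")
      cleanUp
      ;;
    #Steps to apply grsec lock -- not implemented in this script
    "7")
      echo 'The GRSECURITY lock step is not implemented here; apply it manually.' >&2
      main
      ;;
    "0")
      exit
      ;;
    *)
      echo invalid options
      main
      ;;
  esac
}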
# Entry point.  main() re-enters itself after each menu step; control only
# falls back here after cleanUp (option 6), and then the script exits 0.
main
exit 0
#end