#!/bin/sh
###############################################################################
#
# A script to secure a standalone Zenoss installation.
#
# This script should be run after installing Zenoss, but before starting the
# zenoss service for the first time.
#
# Example steps:
#
# yum -y --nogpgcheck --enablerepo=epel localinstall zenoss_core-4.2.3-1697.el6.x86_64.rpm
# su - zenoss
# sh secure_zenoss.sh
# exit
# service zenoss start
#
###############################################################################
# Changelog, kept in-script as a no-op here-document. ':' discards its input,
# and the quoted delimiter guarantees nothing inside is ever expanded.
: <<'END_OF_CHANGELOG'
2013-01-06 Daniel Robbins <drobbins@zenoss.com>
* Make etc/ perm fix always enabled (wouldn't enable properly on some builds)
2013-01-04 Chet Luther <cluther@zenoss.com>
* Initial revision
* ZEN-4836: Set 0600 permission on all configuration files
* ZEN-4837: Use a randomized secure password everywhere
* ZEN-????: Zenoss install should help secure MySQL root user
* ZEN-1847: Restrict zeneventserver to only listen on 127.0.0.1
END_OF_CHANGELOG
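### Prerequisites #############################################################
# Every path below hangs off $ZENHOME (set in the zenoss user's login
# environment); with it empty the chmod/cp/sed steps would operate on
# "/etc/...", so refuse to run. Diagnostics go to stderr.
if [ -z "$ZENHOME" ]
then
  echo "ZENHOME not set. Login as the zenoss user before running this script." >&2
  exit 1
fi
# "openssl version" is the documented subcommand for probing the CLI
# (older releases reject "--version"); openssl is used to generate the
# random password further down.
if ! openssl version >/dev/null 2>&1
then
  echo "This script requires the openssl command line tool to be installed." >&2
  exit 2
fi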
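### ZEN-4837: Set 0600 permission on all configuration files (ZEN-4836) #######
# ${ZENHOME:?} aborts if the variable is unset/empty, so the glob can never
# degrade to "/etc/*.conf*" when the prerequisite check above was bypassed.
echo "Restricting permissions on $ZENHOME/etc/*.conf*"
chmod 0600 "${ZENHOME:?ZENHOME not set}"/etc/*.conf*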
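### ZEN-4837: Use a randomized secure password everywhere #####################
# Never let the paths below degrade to "/etc/..." if $ZENHOME is empty.
: "${ZENHOME:?ZENHOME not set}"
# Generate a random secure password. Every '/' is replaced (the 'g' flag
# matters: a non-global substitution leaves later slashes in place) so the
# value can be dropped into the sed replacement below without terminating
# the expression.
RANDOM_PASSWORD=$(openssl rand -base64 15 | sed 's/\//x/g')
# Ensure that global.conf exists. Otherwise zenglobalconf fails.
if [ ! -f "$ZENHOME/etc/global.conf" ]
then
  cp "$ZENHOME/etc/global.conf.example" "$ZENHOME/etc/global.conf"
fi
# Update global.conf passwords only if they haven't already been set, i.e.
# the property does not exist yet (hubpassword) or still holds the shipped
# default "zenoss". One "-p" lookup answers both questions: its exit status
# tells us whether the property exists, its output what it is set to.
# NOTE: zenglobalconf -u takes the password as an argument, so it is briefly
# visible in this host's process list while the command runs.
for PWD_PROP in zodb-password amqppassword zep-password hubpassword
do
  if ! CURRENT_VALUE=$(zenglobalconf -p "$PWD_PROP") || [ "$CURRENT_VALUE" = "zenoss" ]
  then
    echo "Assigning secure password for global.conf:$PWD_PROP"
    zenglobalconf -u "$PWD_PROP=$RANDOM_PASSWORD"
  fi
done
# Get the current secure password in case we didn't set it on this run.
RANDOM_PASSWORD=$(zenglobalconf -p hubpassword)
if [ -z "$RANDOM_PASSWORD" ]
then
  # Without a value the sed below would write an empty "admin:" entry, i.e. a
  # blank hub password. Leave hubpasswd alone and say so.
  echo "Could not read hubpassword from global.conf; leaving $ZENHOME/etc/hubpasswd unchanged." >&2
else
  # Update hubpasswd only if it hasn't been changed from the default.
  # -x -F compares the whole line as a literal string, so regex characters in
  # the password can neither widen nor break the match.
  if ! grep -qxF -- "admin:${RANDOM_PASSWORD}" "$ZENHOME/etc/hubpasswd"
  then
    echo "Assigning secure password for hubpassword:admin"
    # A hubpassword chosen by hand may contain sed's replacement
    # metacharacters ('&', '/', '\'); escape them before substituting.
    SED_SAFE_PASSWORD=$(printf '%s\n' "$RANDOM_PASSWORD" | sed 's|[&/\\]|\\&|g')
    sed -i "s/^admin:.*/admin:${SED_SAFE_PASSWORD}/" "$ZENHOME/etc/hubpasswd"
  fi
fi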
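### ZEN-????: Zenoss install should help secure MySQL root user ###############
# global.conf's zodb-admin-password is the MySQL root credential Zenoss uses
# to create its databases. Only prompt while it is still empty; the value is
# fetched once and reused instead of querying zenglobalconf twice.
MYSQL_ADMIN_PASSWORD=$(zenglobalconf -p zodb-admin-password)
if [ -z "$MYSQL_ADMIN_PASSWORD" ]
then
  if mysql -uroot mysql -e "select 1" >/dev/null 2>&1
  then
    echo "MySQL is configured with a blank root password."
    # stty and read operate on stdin, the prompts are written to stdout, so
    # both must be terminals; otherwise (e.g. under automation) skip quietly.
    if [ -t 0 ] && [ -t 1 ]
    then
      # Restore terminal echo even if the script is interrupted mid-prompt.
      trap 'stty echo' EXIT
      printf "Configure a secure MySQL root password? [Yn]: "
      read -r YESNO
      # Any answer containing y/Y counts as yes (same rule as the former
      # case-insensitive egrep).
      case "$YESNO" in
        *[Yy]*)
          while :
          do
            printf " Enter new MySQL root password: "
            stty -echo; read -r MYSQL_ROOT_PASSWORD_1; stty echo
            echo
            printf "Confirm new MySQL root password: "
            stty -echo; read -r MYSQL_ROOT_PASSWORD_2; stty echo
            echo
            if [ -z "$MYSQL_ROOT_PASSWORD_1" ]
            then
              echo "A blank password is not acceptable."
              continue
            fi
            if [ "$MYSQL_ROOT_PASSWORD_1" != "$MYSQL_ROOT_PASSWORD_2" ]
            then
              echo "Passwords don't match. Try again."
              continue
            fi
            break
          done
          echo "Changing MySQL root password."
          # mysqladmin takes the password as an argument, so it is briefly
          # visible in the process list. Record it in global.conf only once
          # MySQL has accepted it, so the two can never disagree.
          if mysqladmin -uroot -h localhost password "$MYSQL_ROOT_PASSWORD_1"
          then
            for ROOT_PWD_PROP in zodb-admin-password zep-admin-password
            do
              echo "Assigning MySQL root password for global.conf:$ROOT_PWD_PROP"
              zenglobalconf -u "$ROOT_PWD_PROP=$MYSQL_ROOT_PASSWORD_1"
            done
          else
            echo "Failed to change the MySQL root password; global.conf left unchanged." >&2
          fi
          ;;
      esac
    fi
  # Using a blank MySQL root password failed.
  else
    echo "Zenoss needs root MySQL access to create its databases."
    if [ -t 0 ] && [ -t 1 ]
    then
      trap 'stty echo' EXIT
      printf "Enter the MySQL root user password: "
      stty -echo; read -r MYSQL_ROOT_PASSWORD; stty echo
      echo
      # Check the credential before writing it down, passing it through the
      # MYSQL_PWD environment variable rather than the argument list.
      if MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -uroot mysql -e "select 1" >/dev/null 2>&1
      then
        for ROOT_PWD_PROP in zodb-admin-password zep-admin-password
        do
          echo "Assigning MySQL root password for global.conf:$ROOT_PWD_PROP"
          zenglobalconf -u "$ROOT_PWD_PROP=$MYSQL_ROOT_PASSWORD"
        done
      else
        echo "MySQL rejected that root password; global.conf left unchanged. Re-run this script to try again." >&2
      fi
    fi
  fi
fi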
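### ZEN-1847: Restrict zeneventserver to only listen on 127.0.0.1 #############
# zeneventserver picks up DEFAULT_ZEP_JVM_ARGS from the zenoss user's login
# environment. Append the binding once; the -F check is literal, so the '.'
# in the marker cannot match arbitrary characters. Note the check also
# accepts a commented-out line containing the marker.
ZENOSS_BASHRC="${HOME:?HOME not set}/.bashrc"
if ! grep -qF -- 'Djetty.host=localhost' "$ZENOSS_BASHRC"
then
  echo "Forcing zeneventserver to only listen on 127.0.0.1:8084"
  echo 'export DEFAULT_ZEP_JVM_ARGS="-Djetty.host=localhost -server"' >> "$ZENOSS_BASHRC"
fi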