Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #!/bin/sh
- ###############################################################################
- #
- # A script to secure a standalone Zenoss installation.
- #
- # This script should be run after installing Zenoss, but before starting the
- # zenoss service for the first time.
- #
- # Example steps:
- #
- # yum -y --nogpgcheck --enablerepo=epel localinstall zenoss_core-4.2.3-1697.el6.x86_64.rpm
- # su - zenoss
- # sh secure_zenoss.sh
- # exit
- # service zenoss start
- #
- ###############################################################################
- cat << END_OF_CHANGELOG > /dev/null
- 2013-01-06 Daniel Robbins <drobbins@zenoss.com>
- * Make etc/ perm fix always enabled (wouldn't enable properly on some builds)
- 2013-01-04 Chet Luther <cluther@zenoss.com>
- * Initial revision
- * ZEN-4836: Set 0600 permission on all configuration files
- * ZEN-4837: Use a randomized secure password everywhere
- * ZEN-????: Zenoss install should help secure MySQL root user
- * ZEN-1847: Restrict zeneventserver to only listen on 127.0.0.1
- END_OF_CHANGELOG
- ### Prerequisites #############################################################
- if [ -z "$ZENHOME" ]
- then
- echo "ZENHOME not set. Login as the zenoss user before running this script."
- exit 1
- fi
- if ! openssl --version >/dev/null 2>&1
- then
- echo "This script requires the openssl command line tool to be installed."
- exit 2
- fi
- ### ZEN-4837: Set 0600 permission on all configuration files (ZEN-4836) #######
- echo "Restricting permissions on $ZENHOME/etc/*.conf*"
- chmod 0600 $ZENHOME/etc/*.conf*
- ### ZEN-4837: Use a randomized secure password everywhere #####################
- # Generate a random secure password. Must replace / to make later sed simpler.
- RANDOM_PASSWORD=$(openssl rand -base64 15 | sed 's/\//x/')
- # Ensure that global.conf exists. Otherwise zenglobalconf fails.
- if [ ! -f $ZENHOME/etc/global.conf ]
- then
- cp $ZENHOME/etc/global.conf.example $ZENHOME/etc/global.conf
- fi
- # Update global.conf passwords only if they haven't already been set.
- GLOBAL_CONF_PWD_PROPERTIES="
- zodb-password
- amqppassword
- zep-password
- hubpassword
- "
- for PWD_PROP in $GLOBAL_CONF_PWD_PROPERTIES
- do
- # To set properties that don't exist (i.e. hubpassword)
- if ! zenglobalconf -p $PWD_PROP > /dev/null
- then
- echo "Assigning secure password for global.conf:$PWD_PROP"
- zenglobalconf -u $PWD_PROP=$RANDOM_PASSWORD
- # To set properties that have default value (i.e. everything else)
- elif [ "$(zenglobalconf -p $PWD_PROP)" == "zenoss" ]
- then
- echo "Assigning secure password for global.conf:$PWD_PROP"
- zenglobalconf -u $PWD_PROP=$RANDOM_PASSWORD
- fi
- done
- # Get the current secure password in case we didn't set it on this run.
- RANDOM_PASSWORD=$(zenglobalconf -p hubpassword)
- # Update hubpasswd only if it hasn't been changed from the default.
- if ! grep -q "^admin:${RANDOM_PASSWORD}\$" $ZENHOME/etc/hubpasswd
- then
- echo "Assigning secure password for hubpassword:admin"
- sed -i "s/admin:.*/admin:${RANDOM_PASSWORD}/" $ZENHOME/etc/hubpasswd
- fi
- ### ZEN-????: Zenoss install should help secure MySQL root user ###############
- MYSQL_ADMIN_PASSWORD=$(zenglobalconf -p zodb-admin-password)
- if [ -z "$(zenglobalconf -p zodb-admin-password)" ]
- then
- if mysql -uroot mysql -e "select 1" >/dev/null 2>&1
- then
- echo "MySQL is configured with a blank root password."
- if [ -t 1 ]
- then
- printf "Configure a secure MySQL root password? [Yn]: "
- read YESNO
- if echo "$YESNO" | egrep -iq Y
- then
- while [ 1 ]
- do
- printf " Enter new MySQL root password: "
- stty -echo ; read MYSQL_ROOT_PASSWORD_1 ; stty echo
- echo
- printf "Confirm new MySQL root password: "
- stty -echo ; read MYSQL_ROOT_PASSWORD_2 ; stty echo
- echo
- if [ -z "$MYSQL_ROOT_PASSWORD_1" ]
- then
- echo "A blank password is not acceptable."
- continue
- fi
- if [ "$MYSQL_ROOT_PASSWORD_1" != "$MYSQL_ROOT_PASSWORD_2" ]
- then
- echo "Passwords don't match. Try again."
- continue
- fi
- break
- done
- echo "Changing MySQL root password."
- mysqladmin -uroot -h localhost password "$MYSQL_ROOT_PASSWORD_1"
- for ROOT_PWD_PROP in zodb-admin-password zep-admin-password
- do
- echo "Assigning MySQL root password for global.conf:$ROOT_PWD_PROP"
- zenglobalconf -u $ROOT_PWD_PROP="$MYSQL_ROOT_PASSWORD_1"
- done
- fi
- fi
- # Using a blank MySQL root password failed.
- else
- echo "Zenoss needs root MySQL access to create its databases."
- if [ -t 1 ]
- then
- printf "Enter the MySQL root user password: "
- stty -echo ; read MYSQL_ROOT_PASSWORD ; stty echo
- echo
- for ROOT_PWD_PROP in zodb-admin-password zep-admin-password
- do
- echo "Assigning MySQL root password for global.conf:$ROOT_PWD_PROP"
- zenglobalconf -u $ROOT_PWD_PROP="$MYSQL_ROOT_PASSWORD"
- done
- fi
- fi
- fi
- ### ZEN-1847: Restrict zeneventserver to only listen on 127.0.0.1 #############
- if ! grep -q 'Djetty.host=localhost' ~/.bashrc
- then
- echo "Forcing zeneventserver to only listen on 127.0.0.1:8084"
- echo 'export DEFAULT_ZEP_JVM_ARGS="-Djetty.host=localhost -server"' >> ~/.bashrc
- fi
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement