Tech – Page 7 – Ryan Schulze

Granular OSSEC Emails

February 25, 2016February 25, 2016RyanOSSEC

Occasionally I see questions on the OSSEC mailing list on how to send a bunch of alerts only to a specific email address. An example for a typical use case would be different departments responsible for different groups of servers and having alerts only go to them. OSSEC has a few options for sending Alerts to specific email addresses, but it only adds those email addresses to the alert (meaning it always goes to the global email address). Sometimes this isn’t desirable.

A workaround is setting the global email recipient to a blackhole email address (something that is aliased to /dev/null on the mail server) and only using the granular settings for delivering mail.

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_to>dev-null@email.domain</email_to>
    <email_from>ossec@ossec.server</email_from>
  </global>

  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <level>7</level>
  </email_alerts>
</ossec_config>

<ossec_config>

<email_notification>yes</email_notification>

<smtp_server>127.0.0.1</smtp_server>

<email_to>dev-null@email.domain</email_to>

<email_from>ossec@ossec.server</email_from>

</global>

<email_alerts>

<email_to>ossec-admins@email.domain</email_to>

</email_alerts>

</ossec_config>

You can then use attributes like the rule ID, group names, or event locations to split up alerts to different recipients. The downside is that by doing this, you will miss alerts with <options>alert_by_email</options> and a low level, unless you add a few granular email alerts. Rule 1002 (catch-all $BAD_WORDS) is a good candidate you will want to keep on receiving. Rules 501-504 (OSSEC agent/master status alerts) could also be interesting; either add an <email_alert> for each rule individually, or overwrite the rules adding <group>ossec,</group> to then, so you can add one <email_alert> for the group of rules.

We use this system pretty extensively assigning alerts to email groups by <event_location> and/or <group>

An example for the email block could look like this:

<ossec_config>
  <global>
    <email_notification>yes</email_notification>
    <smtp_server>127.0.0.1</smtp_server>
    <email_to>dev-null@email.domain</email_to>
    <email_from>ossec@ossec.server</email_from>
  </global>

  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>

  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <level>7</level>
  </email_alerts>

  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <rule_id>1002</rule_id>
  </email_alerts>

  <email_alerts>
    <email_to>ossec-admins@email.domain</email_to>
    <group>ossec</group>
  </email_alerts>

  <email_alerts>
    <email_to>serverA-admins@email.domain</email_to>
    <group>servergroupA</group>
  </email_alerts>

  <email_alerts>
    <email_to>serverB-admins@email.domain</email_to>
    <group>servergroupB</group>
  </email_alerts>

</ossec_config>

<ossec_config>

<email_notification>yes</email_notification>

<smtp_server>127.0.0.1</smtp_server>

<email_to>dev-null@email.domain</email_to>

<email_from>ossec@ossec.server</email_from>

</global>

<log_alert_level>1</log_alert_level>

<email_alert_level>7</email_alert_level>

</alerts>

<email_alerts>

<email_to>ossec-admins@email.domain</email_to>

</email_alerts>

<email_alerts>

<email_to>ossec-admins@email.domain</email_to>

<rule_id>1002</rule_id>

</email_alerts>

<email_alerts>

<email_to>ossec-admins@email.domain</email_to>

<group>ossec</group>

</email_alerts>

<email_alerts>

<email_to>serverA-admins@email.domain</email_to>

<group>servergroupA</group>

</email_alerts>

<email_alerts>

<email_to>serverB-admins@email.domain</email_to>

<group>servergroupB</group>

</email_alerts>

</ossec_config>

A script to diff files/directories on two different servers

February 6, 2016February 6, 2016Ryanbash, linux, scripting

Ok, short one today. This is a straightforward script that simplifies comparing directories on different servers. There is no magic in it, it just rsyncs the directories to a local temp directory and runs diff against them (then deletes the directory afterwards). Mainly intended for config files, I wouldn’t recommend trying to diff gigabytes of binaries with it.

#!/bin/bash 

set -o nounset

if [[ -z ${1:-} || -z ${2:-} || -z ${3:-} ]] ; then
	echo "Usage: ${0##*/} <file|directory> <server1> <server2>"
	echo
	echo "e.g. ./${0##*/} '/etc/pam.d/' 10.0.0.1 10.0.0.2"
	echo
	exit 0
fi

Dir="${1}"
IP1="${2}"
IP2="${3}"

tmpdir=$(mktemp -d)
trap 'rm -rf "${tmpdir}"' INT TERM EXIT

for ip in ${IP1} ${IP2}
do
	rsync -az "${ip}:${Dir}" "${tmpdir}/${ip}"
done
diff -BZEburN "${tmpdir}/${IP1}" "${tmpdir}/${IP2}" | colordiff --difftype=diffu

#!/bin/bash

set -o nounset

if [[ -z ${1:-} || -z ${2:-} || -z ${3:-} ]] ; then

echo "Usage: ${0##*/} <file|directory> <server1> <server2>"

echo

echo "e.g. ./${0##*/} '/etc/pam.d/' 10.0.0.1 10.0.0.2"

echo

exit 0

Dir="${1}"

IP1="${2}"

IP2="${3}"

tmpdir=$(mktemp -d)

trap 'rm -rf "${tmpdir}"' INT TERM EXIT

for ip in ${IP1} ${IP2}

rsync -az "${ip}:${Dir}" "${tmpdir}/${ip}"

done

diff -BZEburN "${tmpdir}/${IP1}" "${tmpdir}/${IP2}" | colordiff --difftype=diffu

Renewing “Let’s Encrypt” SSL certificates

December 15, 2015December 15, 2015Ryanbash, ssl

Let’s Encrypt provides free DV SSL certificates for everyone and is now in the open beta phase. I’m not going to go into the details of which of the clients are best, since that depends entirely on your use case (I use acme-tiny and a rule in varnish to intercept all calls to /.well-known/acme-challenge/).

Since the certificates are only valid for 90 days, I often see people suggesting to just renew them via cronjob every 2 months. I find this to be really awful advice, if that renewal fails for any reasons (network problems, local problems, problems with let’s encrypt) the next renewal is a month after the certificate expired. It is also pretty inflexible (what if you would rather prefer to renew them after 80 days).

I use openssl to check daily how long the certificate is still valid, and if a threshold has been reached it tries to renew the certificate (I believe the official client has this functionality too). And if the certificate isn’t renewed by a 2nd threshold, it sends an email altering the admin of the problem (for manually intervening and fixing whatever went wrong).

At the end of this posting I’ll add the complete script, but the quickest way to check how long a certificate is still valid is to use openssl x509 -in -checkend. It will return 0 if the file is still valid in x seconds, and 1 if the certificate doesn’t exist or if the certificate will be expired by then. Just multiply the number of days by 86400 and check if the certificate is still valid:

openssl x509 -noout -in "domain.cert" -checkend $( bc <<< "86400 * days")
echo $?

1 2	openssl x509 -noout -in "domain.cert" -checkend $( bc <<< "86400 * days") echo $?

The openssl binary has a few nice options for looking at certificates (both local files and remotely connecting to a server and looking at the provided certificate)
Show information about a local certificate file: openssl x509 -text -noout -in
Connect to a remote server and display the certificate provided: openssl s_client -showcerts -servername foo.bar -connect IP:PORT | openssl x509 -text -noout (–servername foo.bar is only required if you are connecting to a server and need to use SNI to request a cert for a specific domain, i.e. a webserver providing multiple domains on port 443 via SNI. It can of course be omitted if you don’t need it.)

This is the full script I use for checking and renewing certs. It basically just loops through a list of domains, checks if any of the date thresholds are met and then renews certificates/send emails.

#!/bin/bash 

# how many days before the certificate expires should it be renewed
RENEW="28"

# how many days before the certificate expires should start sending alerts to the admin
ALERT="14"
ALERT_EMAIL='admin@your.domain'

# some variables set by ansible
SSL_BASEDIR="/etc/ssl"
ACME_LETSENCRYPT_BINARY="python /usr/local/bin/acme_tiny.py"
ACME_CHALLENGE_DIR="/var/www/acme-challenges"

ACME_LETSENCRYPT_DIR="${SSL_BASEDIR}/letsencrypt"
ACME_ACCOUNT_KEY="${ACME_LETSENCRYPT_DIR}/account.key"


# download lets-encrypt-x1-cross-signed.pem if the local copy is more than 3 days old
if [[ ! -r "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" || $(($(date +%s) - $(date -r "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" +%s))) -ge 259299 ]] ; then
	curl --silent https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem"
fi

for fqdn in www.domain1.foo www.domain2.foo ; do

	# check if we have to renew a certificate
	openssl x509 -noout -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" -checkend $( bc <<< "86400 * ${RENEW}") 2>/dev/null
	if [[ $? -gt 0 ]] ; then
		${ACME_LETSENCRYPT_BINARY} \
			--account-key "${ACME_ACCOUNT_KEY}" \
			--csr "${ACME_LETSENCRYPT_DIR}/${fqdn}.csr" \
			--acme-dir "${ACME_CHALLENGE_DIR}" \
			> "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt"
		cat "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" \
		> "${ACME_LETSENCRYPT_DIR}/${fqdn}.pem"
		openssl x509 -noout -text -certopt no_header,no_version,no_pubkey -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" | \
		mailx -s "[SSL] OK: ${fqdn} certificate was renewed" ${ALERT_EMAIL}
	fi

	# check if we need to alert about certificates that weren't renewed yet
	openssl x509 -noout -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" -checkend $( bc <<< "86400 * ${ALERT}") 2>/dev/null
	if [[ $? -gt 0 ]] ; then
		openssl x509 -noout -text -certopt no_header,no_version,no_pubkey -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" | \
		mailx -s "[SSL] ERROR: ${fqdn} certificate will expire soon and wasn't automatically renewed" ${ALERT_EMAIL}
	fi

done

#!/bin/bash

# how many days before the certificate expires should it be renewed

RENEW="28"

# how many days before the certificate expires should start sending alerts to the admin

ALERT="14"

ALERT_EMAIL='admin@your.domain'

# some variables set by ansible

SSL_BASEDIR="/etc/ssl"

ACME_LETSENCRYPT_BINARY="python /usr/local/bin/acme_tiny.py"

ACME_CHALLENGE_DIR="/var/www/acme-challenges"

ACME_LETSENCRYPT_DIR="${SSL_BASEDIR}/letsencrypt"

ACME_ACCOUNT_KEY="${ACME_LETSENCRYPT_DIR}/account.key"

# download lets-encrypt-x1-cross-signed.pem if the local copy is more than 3 days old

if [[ ! -r "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" || $(($(date +%s) - $(date -r "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" +%s))) -ge 259299 ]] ; then

curl --silent https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.pem > "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem"

for fqdn in www.domain1.foo www.domain2.foo ; do

# check if we have to renew a certificate

openssl x509 -noout -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" -checkend $( bc <<< "86400 * ${RENEW}") 2>/dev/null

if [[ $? -gt 0 ]] ; then

${ACME_LETSENCRYPT_BINARY} \

--account-key "${ACME_ACCOUNT_KEY}" \

--csr "${ACME_LETSENCRYPT_DIR}/${fqdn}.csr" \

--acme-dir "${ACME_CHALLENGE_DIR}" \

> "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt"

cat "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" "${ACME_LETSENCRYPT_DIR}/lets-encrypt-x1-cross-signed.pem" \

> "${ACME_LETSENCRYPT_DIR}/${fqdn}.pem"

openssl x509 -noout -text -certopt no_header,no_version,no_pubkey -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" | \

mailx -s "[SSL] OK: ${fqdn} certificate was renewed" ${ALERT_EMAIL}

# check if we need to alert about certificates that weren't renewed yet

openssl x509 -noout -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" -checkend $( bc <<< "86400 * ${ALERT}") 2>/dev/null

if [[ $? -gt 0 ]] ; then

openssl x509 -noout -text -certopt no_header,no_version,no_pubkey -in "${ACME_LETSENCRYPT_DIR}/${fqdn}.crt" | \

mailx -s "[SSL] ERROR: ${fqdn} certificate will expire soon and wasn't automatically renewed" ${ALERT_EMAIL}

done

Convert configuration files to ansible templates

April 8, 2015June 11, 2015Ryanansible, bash, linux, scripting

I’ve been playing around with ansible a lot lately, and I noticed that while changing stuff from “installed and configured manually” to “installed and configured by ansible” I was running into quite a few configuration files that needed to be manually turned into templates. It can be quite tedious to replace values in a configuration file with placeholders and put all those placeholders in a .yml file with default values.
Automating this is something I would have typically done in perl, but since I wanted to learn more about using regex in bash I decided to have a go at it in bash using regex and ${BASH_REMATCH}

The script takes a configuration file and spits out an ansible template, as well as the variable definitions you will need to add to your defaults/main.yml or vars/main.yml

The whole script is a bit to long to post here, but the interesting part is:

if [[ ${line} =~ ^([^#][^\ ]+)[\ ]*[${Separator}][\ ]*([^\ ]+)$ ]] ; then
	VariableName="${Prefix}_${BASH_REMATCH[1]//-/_}" # create a name for this configuration variable
	VariableName="${VariableName,,}" # make lowercase
	sed -ri "s/^(${BASH_REMATCH[1]}[\ ]*[${Separator}][\ ]*).+$/\1{{ ${VariableName} }}/" "${Template}" # change the ansible template
	printf "%-40s %s\n" "${VariableName}:" "'${BASH_REMATCH[2]}'" # print variable info to stdout 
fi

if [[ ${line} =~ ^([^#][^\ ]+)[\ ]*[${Separator}][\ ]*([^\ ]+)$ ]] ; then

VariableName="${Prefix}_${BASH_REMATCH[1]//-/_}" # create a name for this configuration variable

VariableName="${VariableName,,}" # make lowercase

sed -ri "s/^(${BASH_REMATCH[1]}[\ ]*[${Separator}][\ ]*).+$/\1{{ ${VariableName} }}/" "${Template}" # change the ansible template

printf "%-40s %s\n" "${VariableName}:" "'${BASH_REMATCH[2]}'" # print variable info to stdout

(You can download the full script here ansible_template.sh).

You can use regular expressions in a [[ ]] with =~ (e.g. if [[ “boot” =~ ^b ]]), and you can access the result of the regular expression by using ( ) to mark what parts of the result to store and access them via $BASH_REMATCH (comparable to how you would do it for other languages). Here I am parsing out anything that looks like a key=value from the configfile (with multiple possible separators) and storing the results in BASH_REMATCH[1] and BASH_REMATCH[2]

Usage of the script is pretty straightforward. you give it a prefix for the variable names (so you don’t end up with multiple roles all using a common variable name like “port”), and either a local or remote file to work with, and it spits out something like this:

$ ./ansible_template.sh php webserver.somewhere.tld:/etc/php5/conf.d/xcache.ini

- name: Template

template: src={{ item.local }} dest={{ item.remote }} owner={{ item.owner }} group={{ item.group }} mode={{ item.mode }}

with_items:

- { local: 'xcache.ini.j2', remote: '/etc/php5/conf.d/xcache.ini', owner: 'root', group: 'root', mode: '0644' }

php_zend_extension: '/usr/lib/php5/20090626/xcache.so'

php_xcache.admin.enable_auth: 'On'

php_xcache.admin.user: 'admin'

php_xcache.admin.pass: 'ea6299af10b40ba80236a0f015ed627d'

php_xcache.shm_scheme: 'mmap'

php_xcache.size: '16M'

php_xcache.count: '1'

php_xcache.slots: '8K'

php_xcache.ttl: '0'

There a tons of different configuration file formats out there so this script won’t work perfectly 100% of the time, but it does do quite well and reduces the manually copy&pasting to a minimum.

$ cat xcache.ini.j2

; configuration for php Xcache module

[xcache-common]

zend_extension = {{ php_zend_extension }}

[xcache.admin]

xcache.admin.enable_auth = {{ php_xcache.admin.enable_auth }}

xcache.admin.user = "{{ php_xcache.admin.user }}"

xcache.admin.pass = "{{ php_xcache.admin.pass }}"

[xcache]

xcache.shm_scheme = "{{ php_xcache.shm_scheme }}"

xcache.size = {{ php_xcache.size }}

xcache.count = {{ php_xcache.count }}

xcache.slots = {{ php_xcache.slots }}

xcache.ttl = {{ php_xcache.ttl }}

...

How to prevent changes to a tag via svn hook

February 4, 2015Ryanbash, hook, linux, subversion, svn

A colleague of mine recently asked if it was possible to keep people from committing changes to tags in subversion. I thought “Hey, that should be easy to do via the pre-commit hook. I bet someone already made one that I can just test and use“. Either my google-fu failed me or the request wasn’t as common as I had anticipated, because surprisingly I couldn’t find any hooks that truly accomplish blocking changes to a tag (probably right after I post this someone will say “hey, why didn’t you look $here, it is exactly what you wanted“).

I found people looking for such a feature, and I found a hook or two that kinda did what I needed (the best I could find was a hook that just blocked updates to /tags/* but it allowed deletes, adds and property changes), but none that really blocked all changes to tags. So I decided to just make my own configurable svn hook. You can tell it what to allow and what to block, and which directory to work on (since not everyone has the tags in their base directory of the repository).

You may have to change the SVNLOOK variable depending on where your svnlook binary is installed.

#!/bin/bash

#===============================================================================
#
#          FILE:  pre-commit
# 
#   DESCRIPTION:  pre-commit svn hook. configurable hook to block certain 
#                 actions on svn tags
#                 (e.g. blocking changes to existing tags)
# 
#  REQUIREMENTS:  svnlook
#        AUTHOR:  Ryan Schulze (rs), ryan@dopefish.de
#===============================================================================

#===============================================================================
# Path to tags directory in the repository
#===============================================================================
TAGS_PATH="^tags/"

#===============================================================================
# What to allow or block
#===============================================================================
UPDATE=block
DELETE=block
ADD=block
PROPERTIES=block

#===============================================================================

REPOS="${1}"
TXN="${2}"

SVNLOOK=/usr/bin/svnlook

ABORT=0

while read line
do
	# SVN Action for this element
	ACTION="${line%% *}"

	# Path for this element
	FILE_PATH="$(echo "${line#* }" | sed 's/^ *//')"

	# regex that skips entries for the top level directory of a specific tag (e.g. tags/1.5/)
	# so that we can still create and delete the tags themselves
	if [[ "${FILE_PATH}" =~ ${TAGS_PATH}[/]*[^/]+/.+$ ]] 
	then
		# A  - Item added to repository
		# D  - Item deleted from repository
		# U  - File contents changed
		# _U - Properties of item changed
		# UU - File contents and properties changed
		case ${ACTION} in 
			U | UU )  [[ "${UPDATE}" == 'block' ]] && ABORT=1 ;;
			D )       [[ "${DELETE}" == 'block' ]] && ABORT=1 ;;
			A )       [[ "${ADD}" == 'block' ]] && ABORT=1 ;;
			_U | UU ) [[ "${PROPERTIES}" == 'block' ]] && ABORT=1 ;;
		esac
	fi

	if [[ ${ABORT} -gt 0 ]]
	then
		echo "Cannot change tags!" 1>&2
		exit 1
	fi	

done < <(${SVNLOOK} changed -t "$TXN" "$REPOS")

# All checks passed, so allow the commit.
exit 0

#!/bin/bash

#===============================================================================

# FILE: pre-commit

# DESCRIPTION: pre-commit svn hook. configurable hook to block certain

# actions on svn tags

# (e.g. blocking changes to existing tags)

# REQUIREMENTS: svnlook

# AUTHOR: Ryan Schulze (rs), ryan@dopefish.de

#===============================================================================

# Path to tags directory in the repository

#===============================================================================

TAGS_PATH="^tags/"

#===============================================================================

# What to allow or block

#===============================================================================

UPDATE=block

DELETE=block

ADD=block

PROPERTIES=block

#===============================================================================

REPOS="${1}"

TXN="${2}"

SVNLOOK=/usr/bin/svnlook

ABORT=0

while read line

# SVN Action for this element

ACTION="${line%% *}"

# Path for this element

FILE_PATH="$(echo "${line#* }" | sed 's/^ *//')"

# regex that skips entries for the top level directory of a specific tag (e.g. tags/1.5/)

# so that we can still create and delete the tags themselves

if [[ "${FILE_PATH}" =~ ${TAGS_PATH}[/]*[^/]+/.+$ ]]

then

# A - Item added to repository

# D - Item deleted from repository

# U - File contents changed

# _U - Properties of item changed

# UU - File contents and properties changed

case ${ACTION} in

U | UU ) [[ "${UPDATE}" == 'block' ]] && ABORT=1 ;;

D ) [[ "${DELETE}" == 'block' ]] && ABORT=1 ;;

A ) [[ "${ADD}" == 'block' ]] && ABORT=1 ;;

_U | UU ) [[ "${PROPERTIES}" == 'block' ]] && ABORT=1 ;;

esac

if [[ ${ABORT} -gt 0 ]]

then

echo "Cannot change tags!" 1>&2

exit 1

done < <(${SVNLOOK} changed -t "$TXN" "$REPOS")

# All checks passed, so allow the commit.

exit 0