Update for automated response around poorly behaving archlinux-keyring weekly timer; rename Sora role to Password

roles/Password/bin/sora-dump-config

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+slapcat -a "(!(entryDN:dnSubtreeMatch:=ou=People,dc=aninix,dc=net))"

roles/Password/files/sora-base-config

@@ -0,0 +1,119 @@
+dn: dc=aninix,dc=net
+objectClass: dcObject
+objectClass: organization
+dc: aninix
+o: AniNIXUsers
+description: AniNIX::LDAP Crediential Directory
+structuralObjectClass: organization
+entryUUID: a521b05a-3532-4042-bf8f-3631a1e51b94
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901205333Z
+entryCSN: 20160901205333.449191Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160901205333Z
+
+dn: cn=root,dc=aninix,dc=net
+objectClass: organizationalRole
+cn: root
+description: Directory Manager
+structuralObjectClass: organizationalRole
+entryUUID: 9e4273d9-d002-4015-a774-bed02afd6cc9
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901205333Z
+pwdLastSuccess: 20220918222625Z
+entryCSN: 20220918222625.132392Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20220918222625Z
+
+dn: ou=Group,dc=aninix,dc=net
+ou: Group
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+entryUUID: 475e1ae1-d992-4a9a-85de-e7f71974ac03
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901214257Z
+entryCSN: 20160901214257.941445Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160901214257Z
+
+dn: cn=ldapuser,ou=Group,dc=aninix,dc=net
+cn: ldapuser
+gidNumber: 10000
+objectClass: posixGroup
+objectClass: top
+structuralObjectClass: posixGroup
+entryUUID: dc17d42d-fae9-496d-b362-82f27679476c
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160903051753Z
+entryCSN: 20160903051753.156600Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160903051753Z
+
+dn: cn=hypervisorauth,ou=Group,dc=aninix,dc=net
+cn: hypervisorauth
+gidNumber: 10001
+objectClass: posixGroup
+objectClass: top
+structuralObjectClass: posixGroup
+entryUUID: 88cb5e2c-ee93-4d62-a83a-63ceff9ceba0
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160903061147Z
+memberUid: lurso3
+entryCSN: 20160903061653.689826Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160903061653Z
+
+dn: ou=pwpolicies,dc=aninix,dc=net
+ou: pwpolicies
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+entryUUID: ee2c6fc6-a40a-4d6f-992e-c1a04439f022
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20161029155416Z
+entryCSN: 20161029155416.247439Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20161029155416Z
+
+dn: cn=default,ou=pwpolicies,dc=aninix,dc=net
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+cn: default
+sn: Default
+pwdAttribute: userPassword
+pwdMaxAge: 31536000
+pwdExpireWarning: 604800
+pwdInHistory: 12
+pwdCheckQuality: 1
+pwdMaxFailure: 5
+pwdLockout: TRUE
+pwdLockoutDuration: 86400
+pwdGraceAuthNLimit: 3
+pwdFailureCountInterval: 3600
+pwdMustChange: TRUE
+pwdMinLength: 8
+pwdAllowUserChange: TRUE
+pwdSafeModify: FALSE
+structuralObjectClass: person
+entryUUID: f983ea45-deca-4b8f-8e55-cebbacf392ba
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20161029171109Z
+entryCSN: 20161029171109.930559Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20161029171109Z
+
+dn: cn=DarkFeather,ou=Group,dc=aninix,dc=net
+cn: DarkFeather
+gidNumber: 10002
+objectClass: posixGroup
+objectClass: top
+memberUid: DarkFeather
+structuralObjectClass: posixGroup
+entryUUID: 1f333fb2-0611-4235-ba07-aa9fa0edb439
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20201018201805Z
+entryCSN: 20201018201805.104347Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20201018201805Z

roles/Password/package/Makefile

@@ -0,0 +1,26 @@
+binlist = ldap-adduser ldap-userreport ldap-resetpass
+filelist = sample-user.ldif
+
+compile:
+	@echo Nothing to do
+
+install: clean ${binlist} ${filelist}
+	mkdir -p ${pkgdir}/opt/aninix/Password/
+	for i in ${filelist}; do install -m 0640 -o ldap -g ldap $$i ${pkgdir}/opt/aninix/Password/; done
+	mkdir -p ${pkgdir}/usr/local/sbin/
+	for i in ${binlist}; do install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin; done
+
+test: compile
+	@echo Nothing to do
+
+clean:
+	@echo Nothing to do.
+
+diff:
+	@echo Nothing to do.
+
+reverse:
+	@echo Nothing to do.
+
+checkperm:
+	@echo Nothing to do.

roles/Password/package/PKGBUILD

@@ -0,0 +1,46 @@
+depends=('bash>=4.4' 'openldap')
+makedepends=('make>=4.2')
+checkdepends=()
+optdepends=()
+pkgname="Password-Scripts"
+pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
+pkgrel=1
+pkgrel() {
+    echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
+}
+epoch="$(git log | grep -c commit)"
+pkgdesc="AniNIX/Password Scripts"
+arch=("x86_64")
+url="$(git config remote.origin.url | sed 's/.git$//')"
+license=('custom')
+groups=()
+provides=("${pkgname}")
+conflicts=()
+replaces=("${pkgname,,}" "aninix-${pkgname,,}")
+backup=()
+options=()
+install=
+changelog=
+source=()
+noextract=()
+md5sums=()
+validpgpkeys=()
+
+prepare() {
+    git pull || true
+}
+
+build() {
+    make -C ..
+}
+
+check() {
+    chmod -R u+r ../pkg
+	make -C .. test
+}
+
+package() {
+    export pkgdir="${pkgdir}"
+	make -C .. install
+    install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}

roles/Password/package/ldap-adduser

@@ -43,16 +43,15 @@ if [ "$?" -eq 0 ]; then
     read answer
     if [ "$answer" == "YES" ]; then
         file="/etc/openldap/users.d/$username.ldif"
-        cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
+        cp /opt/aninix/Password/sample-user.ldif "$file"
         line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
         line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
         line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
         line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
         line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
         line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
-        ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
+        ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
         ldap-resetpass "$username"
-        # usermod -a -G ssh-allow,passwdchange "$username"
     fi
     rmdir "$lockfile"
     exit 0;

roles/Password/package/ldap-resetpass

@@ -7,11 +7,11 @@ if [ -z "$uid" ]; then
     exit 1
 fi
 
-ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
+ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net"
 
 if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
-    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
 fi
-(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
 
 exit $?

roles/Password/package/ldap-userreport

@@ -8,17 +8,9 @@ function shortshow() {
     echo ${user}": "$email
 }
 
-function queryLDAPAttribute() {
-    ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
-}
-
 basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\  | sed 's/dn: cn=root,//'`
 
-maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
-changeAge=$(( $maxAge - 2592000 ))
-deleteAge=$(( 2 * $maxAge ))
-
-for user in `queryLDAPAttribute '(uid=*)' uid`; do
+for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\  | sed 's/^uid: //'`; do
 
     # Pull changed stats
     lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
@@ -45,7 +37,7 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
             if [ "$lastChanged" == "$errortext" ]; then
                 shortshow
             else
-                if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
+                if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi
             fi
             ;;
         "--expired")
@@ -53,11 +45,6 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
                 shortshow;
             fi
             ;;
-        "--removeable")
-            if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
-                shortshow;
-            fi
-            ;;
         *)
             cat
             ;;

roles/Password/package/sample-user.ldif

@@ -0,0 +1,21 @@
+dn: uid=testuser,ou=People,dc=aninix,dc=net
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: testuser
+cn: Test User
+sn: User
+givenName: Test
+title: User
+telephoneNumber: +0 000 000 0000
+mobile: +0 000 000 0000
+postalAddress: AddressLine1$AddressLine2$AddressLine3
+loginShell: /bin/bash
+uidNumber: 10006
+gidNumber: 10000
+homeDirectory: /home/testuser
+description: Work contact
+mail: testuser@aninix.net

roles/Password/tasks/daemon.yml

@@ -0,0 +1,35 @@
+---
+ - name: Create the base config
+   become: yes
+   template:
+     src: slapd.ldif
+     dest: /etc/openldap/slapd.ldif
+     owner: ldap
+     group: ldap
+     mode: 0640
+
+ - name: Create the directories
+   file:
+     path: "{{ item }}"
+     owner: ldap
+     group: ldap
+     mode: 0700
+   loop:
+     - /var/lib/openldap/openldap-data/
+     - /etc/openldap
+     - /etc/openldap/users.d
+     - /etc/openldap/groups.d
+     - /etc/openldap/slapd.d
+
+ - name: Initialize the instance
+   become: yes
+   command:
+     cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap
+     creates: /etc/openldap/slapd.d/cn=config
+
+ - name: Ensure the service
+   become: yes
+   service:
+     name: slapd
+     state: restarted
+     enabled: yes

roles/Password/tasks/login.yml

@@ -0,0 +1,17 @@
+---
+
+ - name: Set login config
+   become: yes
+   template:
+     src: nslcd.conf.j2
+     dest: /etc/nslcd.conf
+     owner: nslcd
+     group: nslcd
+     mode: 0600
+
+ - name: Ensure login service
+   become: yes
+   service:
+     name: nslcd
+     state: restarted
+     enabled: yes

roles/Password/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+ - name: Sora packages
+   become: yes
+   package:
+     name:
+       - openldap
+       - Password-Scripts
+
+ - include_tasks: daemon.yml
+
+ - include_tasks: login.yml
+
+ - include_tasks: web.yml

roles/Password/tasks/web.yml

@@ -0,0 +1,24 @@
+---
+
+ - name: Clone the web portal
+   become: yes
+   git:
+     repo: https://github.com/ltb-project/self-service-password
+     dest: /usr/share/webapps/self-service-password
+
+ - name: Ensure web portal ownership
+   file:
+     state: directory
+     owner: http
+     group: http
+     path: /usr/share/webapps/self-service-password
+     recurse: true
+
+ - name: Web portal config
+   become: yes
+   template:
+     src: config.inc.php.j2
+     dest: /usr/share/webapps/self-service-password/conf/config.inc.php
+     owner: http
+     group: http
+     mode: 0600

roles/Sharingan/files/monit/checks/automated_response

@@ -0,0 +1,3 @@
+check program check_archlinux_wkd with path "/usr/bin/systemctl is-failed archlinux-keyring-wkd-sync.service"
+    if status == 0 for 1 times within 5 cycles then exec "/usr/bin/systemctl reset-failed archlinux-keyring-wkd-sync.service"
+    if status == 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CRITICAL: Archlinux Keyring WKD Sync has failed and automated remediation has not solved it."

roles/Sharingan/files/monit/hostdefs/DarkNet

@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Maat

@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Nodelet0

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet1

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet2

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet3

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet4

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Sharingan

@@ -1,3 +1,4 @@
 include "/etc/monit.d/checks/system"
 include "/etc/monit.d/checks/vips"
 include "/etc/monit.d/checks/availability"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Yggdrasil

@@ -2,3 +2,4 @@ include "/etc/monit.d/checks/system"
 include "/etc/monit.d/checks/watcher-of-watchers"
 include "/etc/monit.d/checks/warrant-canary"
 include "/etc/monit.d/checks/grimoire"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/tasks/scans.yml

@@ -33,33 +33,17 @@
      - sharingan-scan.service
      - sharingan-scan.timer
 
- - name: Scanning services
-   become: yes
-   register: clam_svc
-   copy:
-     src: "clamav/{{ item }}"
-     dest: /usr/lib/systemd/system/
-     owner: root
-     group: root
-     mode: 0664
-   loop:
-     - freshclam.service
-     - freshclam.timer
-     - clamscan.service
-     - clamscan.timer
-
  - systemd:
      daemon_reload: yes
    become: yes
-   when: clam_svc.changed or lynis_svc.changed
-
+   when: lynis_svc.changed
 
  - name: Enable timers
    become: yes
-   loop:
-     - freshclam.timer
-     - sharingan-scan.timer
    service:
-     name: "{{ item }}"
+     name: sharingan-scan.timer
      state: restarted
      enabled: yes
+
+ - import_tasks: "./vscan.yml"
+   when: vscan_enabled is defined

roles/Sharingan/tasks/siem.yml

@@ -5,7 +5,8 @@
    package:
      name:
        - elasticsearch
-       - mongodb44-bin # Temporarily pinned for extensions
+       - mongodb-bin
+       - mongodb-tools-bin
        - graylog
      state: present
 

roles/Sharingan/tasks/vscan.yml

@@ -0,0 +1,26 @@
+---
+
+ - name: Virus scanning services
+   become: yes
+   register: clam_svc
+   copy:
+     src: "clamav/{{ item }}"
+     dest: /usr/lib/systemd/system/
+     owner: root
+     group: root
+     mode: 0664
+   loop:
+     - freshclam.service
+     - freshclam.timer
+     - clamscan.service
+     - clamscan.timer
+
+ - name: Enable timers
+   become: yes
+   loop:
+     - freshclam.timer
+     - clamscan.timer
+   service:
+     name: "{{ item }}"
+     state: restarted
+     enabled: yes

roles/Sora/tasks/main.yml

@@ -1,7 +0,0 @@
----
- - name: Sora packages
-   become: yes
-   package:
-     name:
-       - openldap
-

roles/Vanik/tasks/main.yml

@@ -1,12 +0,0 @@
----
-
- - command: ./scripts/generate-dhcp.py
-   delegate_to: localhost
-   run_once: true
-   name: Generate DHCP leases.
-
- - command: ./scripts/generate-dns.py
-   delegate_to: localhost
-   run_once: true
-   name: Generate DNS entries
-