Update for automated response around poorly behaving archlinux-keyring weekly timer; rename Sora role to Password

README.md

@@ -2,7 +2,9 @@ This project is our Infrastructure-as-Code solution, detailing the deployment &
 
 # Etymology
 
-It is named after the fictional Star Wars Imperial Intelligence organization that oversaw the various divisions of Intelligence and orchestrated their operations. Like its namesake, this project oversees the various tools within our ecosystem and enforces compliance with standards.
+It is named after flagship carrier Kapisi from the game [Homeworld: Deserts of Kharak](https://store.steampowered.com/app/281610?snr=5000_5100___primarylinks). The carrier was the command and production center of Operation Khadiim, an expedition to understand an anomaly on their world & escape the fanaticism of their Gaalsien rivals. The S'jet were able to succeed in this mission not only due to the military efficacy of their forces but also through the research and production capabilities available to the Kapisi.
+
+This project seeks to give other admins and engineers to launch their own infrastructures and break out of any strangleholds that may have entangled them, whether that is tribalism, vendor lock, or stigma.
 
 # Relevant Files and Software
 
@@ -12,7 +14,7 @@ export ANSIBLE_VAULT_PASSWORD_FILE=$HOME/password-store/${organization}.vault.pa
 export ANSIBLE_VAULT_FILE=$HOME/password-store/${organization}.vault
 ```
 
-Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. 
+Take a look at `examples/msn0.yml` as an example inventory -- make sure you populate one of your own. The scripts here expect inventories to have layers of groups -- the top group under `all` must be managed vs. unmanaged. The rest of the scripts use YAMLPath to sort out the rest of the groups.
 
 Once you have your vault and inventory, use [AniNIX/ShadowArch](/AniNIX/ShadowArch) with your hypervisor to provision the base image for your machines, or [Raspbian](https://www.raspberrypi.org/).
 

roles/Password/bin/sora-dump-config

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+slapcat -a "(!(entryDN:dnSubtreeMatch:=ou=People,dc=aninix,dc=net))"

roles/Password/files/sora-base-config

@@ -0,0 +1,119 @@
+dn: dc=aninix,dc=net
+objectClass: dcObject
+objectClass: organization
+dc: aninix
+o: AniNIXUsers
+description: AniNIX::LDAP Crediential Directory
+structuralObjectClass: organization
+entryUUID: a521b05a-3532-4042-bf8f-3631a1e51b94
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901205333Z
+entryCSN: 20160901205333.449191Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160901205333Z
+
+dn: cn=root,dc=aninix,dc=net
+objectClass: organizationalRole
+cn: root
+description: Directory Manager
+structuralObjectClass: organizationalRole
+entryUUID: 9e4273d9-d002-4015-a774-bed02afd6cc9
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901205333Z
+pwdLastSuccess: 20220918222625Z
+entryCSN: 20220918222625.132392Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20220918222625Z
+
+dn: ou=Group,dc=aninix,dc=net
+ou: Group
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+entryUUID: 475e1ae1-d992-4a9a-85de-e7f71974ac03
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160901214257Z
+entryCSN: 20160901214257.941445Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160901214257Z
+
+dn: cn=ldapuser,ou=Group,dc=aninix,dc=net
+cn: ldapuser
+gidNumber: 10000
+objectClass: posixGroup
+objectClass: top
+structuralObjectClass: posixGroup
+entryUUID: dc17d42d-fae9-496d-b362-82f27679476c
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160903051753Z
+entryCSN: 20160903051753.156600Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160903051753Z
+
+dn: cn=hypervisorauth,ou=Group,dc=aninix,dc=net
+cn: hypervisorauth
+gidNumber: 10001
+objectClass: posixGroup
+objectClass: top
+structuralObjectClass: posixGroup
+entryUUID: 88cb5e2c-ee93-4d62-a83a-63ceff9ceba0
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20160903061147Z
+memberUid: lurso3
+entryCSN: 20160903061653.689826Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20160903061653Z
+
+dn: ou=pwpolicies,dc=aninix,dc=net
+ou: pwpolicies
+objectClass: top
+objectClass: organizationalUnit
+structuralObjectClass: organizationalUnit
+entryUUID: ee2c6fc6-a40a-4d6f-992e-c1a04439f022
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20161029155416Z
+entryCSN: 20161029155416.247439Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20161029155416Z
+
+dn: cn=default,ou=pwpolicies,dc=aninix,dc=net
+objectClass: pwdPolicy
+objectClass: person
+objectClass: top
+cn: default
+sn: Default
+pwdAttribute: userPassword
+pwdMaxAge: 31536000
+pwdExpireWarning: 604800
+pwdInHistory: 12
+pwdCheckQuality: 1
+pwdMaxFailure: 5
+pwdLockout: TRUE
+pwdLockoutDuration: 86400
+pwdGraceAuthNLimit: 3
+pwdFailureCountInterval: 3600
+pwdMustChange: TRUE
+pwdMinLength: 8
+pwdAllowUserChange: TRUE
+pwdSafeModify: FALSE
+structuralObjectClass: person
+entryUUID: f983ea45-deca-4b8f-8e55-cebbacf392ba
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20161029171109Z
+entryCSN: 20161029171109.930559Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20161029171109Z
+
+dn: cn=DarkFeather,ou=Group,dc=aninix,dc=net
+cn: DarkFeather
+gidNumber: 10002
+objectClass: posixGroup
+objectClass: top
+memberUid: DarkFeather
+structuralObjectClass: posixGroup
+entryUUID: 1f333fb2-0611-4235-ba07-aa9fa0edb439
+creatorsName: cn=root,dc=aninix,dc=net
+createTimestamp: 20201018201805Z
+entryCSN: 20201018201805.104347Z#000000#000#000000
+modifiersName: cn=root,dc=aninix,dc=net
+modifyTimestamp: 20201018201805Z

roles/Password/package/Makefile

@@ -0,0 +1,26 @@
+binlist = ldap-adduser ldap-userreport ldap-resetpass
+filelist = sample-user.ldif
+
+compile:
+	@echo Nothing to do
+
+install: clean ${binlist} ${filelist}
+	mkdir -p ${pkgdir}/opt/aninix/Password/
+	for i in ${filelist}; do install -m 0640 -o ldap -g ldap $$i ${pkgdir}/opt/aninix/Password/; done
+	mkdir -p ${pkgdir}/usr/local/sbin/
+	for i in ${binlist}; do install -m 0750 -o root -g root $$i ${pkgdir}/usr/local/sbin; done
+
+test: compile
+	@echo Nothing to do
+
+clean:
+	@echo Nothing to do.
+
+diff:
+	@echo Nothing to do.
+
+reverse:
+	@echo Nothing to do.
+
+checkperm:
+	@echo Nothing to do.

roles/Password/package/PKGBUILD

@@ -0,0 +1,46 @@
+depends=('bash>=4.4' 'openldap')
+makedepends=('make>=4.2')
+checkdepends=()
+optdepends=()
+pkgname="Password-Scripts"
+pkgver="$(git describe --tag --abbrev=0)"."$(git rev-parse --short HEAD)"
+pkgrel=1
+pkgrel() {
+    echo $(( `git log "$(git describe --tag --abbrev=0)"..HEAD | grep -c commit` + 1 ))
+}
+epoch="$(git log | grep -c commit)"
+pkgdesc="AniNIX/Password Scripts"
+arch=("x86_64")
+url="$(git config remote.origin.url | sed 's/.git$//')"
+license=('custom')
+groups=()
+provides=("${pkgname}")
+conflicts=()
+replaces=("${pkgname,,}" "aninix-${pkgname,,}")
+backup=()
+options=()
+install=
+changelog=
+source=()
+noextract=()
+md5sums=()
+validpgpkeys=()
+
+prepare() {
+    git pull || true
+}
+
+build() {
+    make -C ..
+}
+
+check() {
+    chmod -R u+r ../pkg
+	make -C .. test
+}
+
+package() {
+    export pkgdir="${pkgdir}"
+	make -C .. install
+    install -D -m644 ../../../../LICENSE "${pkgdir}/usr/share/licenses/${pkgname}/LICENSE"
+}

roles/Password/package/ldap-adduser

@@ -43,16 +43,15 @@ if [ "$?" -eq 0 ]; then
     read answer
     if [ "$answer" == "YES" ]; then
         file="/etc/openldap/users.d/$username.ldif"
-        cp /usr/local/src/ConfigPackages/Sora/sample-user.ldif "$file"
+        cp /opt/aninix/Password/sample-user.ldif "$file"
         line="$(grep -E '^uid: ' "$file")"; sed -i "s/$line/uid: $username/" "$file"
         line="$(grep -E '^dn: ' "$file" | cut -f 2 -d ' ' | cut -f 1 -d ',')"; sed -i "s/$line/uid=$username/" "$file"
         line="$(grep -E '^homeDirectory: ' "$file")"; sed -i "s#$line#homeDirectory: /home/$username/#" "$file"
         line="$(grep -E '^cn: ' "$file")"; sed -i "s/$line/cn: $username/" "$file"
         line="$(grep -E '^mail: ' "$file")"; sed -i "s#$line#mail: ircs://aninix.net:6697/$username#" "$file"
         line="$(grep -E '^uidNumber: ' "$file")"; sed -i "s/$line/uidNumber: $newuserid/" "$file"
-        ldapadd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass -f "$file"
+        ldapadd -D 'cn=root,dc=aninix,dc=net' -W -f "$file"
         ldap-resetpass "$username"
-        # usermod -a -G ssh-allow,passwdchange "$username"
     fi
     rmdir "$lockfile"
     exit 0;

roles/Password/package/ldap-resetpass

@@ -7,11 +7,11 @@ if [ -z "$uid" ]; then
     exit 1
 fi
 
-ldappasswd -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass "uid=$uid,ou=People,dc=aninix,dc=net"
+ldappasswd -D 'cn=root,dc=aninix,dc=net' -W "uid=$uid,ou=People,dc=aninix,dc=net"
 
 if [ `ldapsearch -x "(uid=$uid)" + \* | grep -c shadowLastChange\:` -ne 0 ]; then
-    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+    (printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\ndelete: shadowLastChange\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
 fi
-(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -y /root/.ldappass &>/dev/null;
+(printf "dn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: shadowLastChange\nshadowLastChange: 0\n\ndn: uid=$uid,ou=People,dc=aninix,dc=net\nchangetype: modify\nadd: pwdReset\npwdReset: TRUE\n\n") | ldapmodify -D 'cn=root,dc=aninix,dc=net' -W &>/dev/null;
 
 exit $?

roles/Password/package/ldap-userreport

@@ -8,17 +8,9 @@ function shortshow() {
     echo ${user}": "$email
 }
 
-function queryLDAPAttribute() {
-    ldapsearch -x "$1" "$2" | grep -E "${2}: " | sed "s/^${2}: //"
-}
-
 basedn=`ldapsearch -x '(cn=root)' dn | grep -E ^dn:\  | sed 's/dn: cn=root,//'`
 
-maxAge="$(queryLDAPAttribute '(cn=default)' pwdMaxAge)"
+for user in `ldapsearch -x -b "ou=People,$basedn" '(uid=*)' uid | grep -E ^uid:\  | sed 's/^uid: //'`; do
-changeAge=$(( $maxAge - 2592000 ))
-deleteAge=$(( 2 * $maxAge ))
-
-for user in `queryLDAPAttribute '(uid=*)' uid`; do
 
     # Pull changed stats
     lastChanged=`/usr/sbin/ldapsearch -x "(uid=$user)" + | grep pwdChangedTime | cut -f 2 -d ' '`
@@ -45,7 +37,7 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
             if [ "$lastChanged" == "$errortext" ]; then
                 shortshow
             else
-                if [ $delta -gt "$changeAge" ] && [ $delta -lt "$maxAge" ]; then shortshow; fi
+                if [ $delta -gt 28512000 ] && [ $delta -lt 31536000 ]; then shortshow; fi
             fi
             ;;
         "--expired")
@@ -53,11 +45,6 @@ for user in `queryLDAPAttribute '(uid=*)' uid`; do
                 shortshow;
             fi
             ;;
-        "--removeable")
-            if [ "$lastChanged" != "$errortext" ] && [ "$delta" -ge "$deleteAge" ]; then
-                shortshow;
-            fi
-            ;;
         *)
             cat
             ;;

roles/Password/package/sample-user.ldif

@@ -0,0 +1,21 @@
+dn: uid=testuser,ou=People,dc=aninix,dc=net
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+objectClass: posixAccount
+objectClass: shadowAccount
+uid: testuser
+cn: Test User
+sn: User
+givenName: Test
+title: User
+telephoneNumber: +0 000 000 0000
+mobile: +0 000 000 0000
+postalAddress: AddressLine1$AddressLine2$AddressLine3
+loginShell: /bin/bash
+uidNumber: 10006
+gidNumber: 10000
+homeDirectory: /home/testuser
+description: Work contact
+mail: testuser@aninix.net

roles/Password/tasks/daemon.yml

@@ -0,0 +1,35 @@
+---
+ - name: Create the base config
+   become: yes
+   template:
+     src: slapd.ldif
+     dest: /etc/openldap/slapd.ldif
+     owner: ldap
+     group: ldap
+     mode: 0640
+
+ - name: Create the directories
+   file:
+     path: "{{ item }}"
+     owner: ldap
+     group: ldap
+     mode: 0700
+   loop:
+     - /var/lib/openldap/openldap-data/
+     - /etc/openldap
+     - /etc/openldap/users.d
+     - /etc/openldap/groups.d
+     - /etc/openldap/slapd.d
+
+ - name: Initialize the instance
+   become: yes
+   command:
+     cmd: slapadd -n 0 -F /etc/openldap/slapd.d/ -l /etc/openldap/config.ldif && chown -R ldap: /etc/openldap
+     creates: /etc/openldap/slapd.d/cn=config
+
+ - name: Ensure the service
+   become: yes
+   service:
+     name: slapd
+     state: restarted
+     enabled: yes

roles/Password/tasks/login.yml

@@ -0,0 +1,17 @@
+---
+
+ - name: Set login config
+   become: yes
+   template:
+     src: nslcd.conf.j2
+     dest: /etc/nslcd.conf
+     owner: nslcd
+     group: nslcd
+     mode: 0600
+
+ - name: Ensure login service
+   become: yes
+   service:
+     name: nslcd
+     state: restarted
+     enabled: yes

roles/Password/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+ - name: Sora packages
+   become: yes
+   package:
+     name:
+       - openldap
+       - Password-Scripts
+
+ - include_tasks: daemon.yml
+
+ - include_tasks: login.yml
+
+ - include_tasks: web.yml

roles/Password/tasks/web.yml

@@ -0,0 +1,24 @@
+---
+
+ - name: Clone the web portal
+   become: yes
+   git:
+     repo: https://github.com/ltb-project/self-service-password
+     dest: /usr/share/webapps/self-service-password
+
+ - name: Ensure web portal ownership
+   file:
+     state: directory
+     owner: http
+     group: http
+     path: /usr/share/webapps/self-service-password
+     recurse: true
+
+ - name: Web portal config
+   become: yes
+   template:
+     src: config.inc.php.j2
+     dest: /usr/share/webapps/self-service-password/conf/config.inc.php
+     owner: http
+     group: http
+     mode: 0600

roles/Sharingan/files/monit/checks/automated_response

@@ -0,0 +1,3 @@
+check program check_archlinux_wkd with path "/usr/bin/systemctl is-failed archlinux-keyring-wkd-sync.service"
+    if status == 0 for 1 times within 5 cycles then exec "/usr/bin/systemctl reset-failed archlinux-keyring-wkd-sync.service"
+    if status == 0 for 5 times within 5 cycles then exec "/etc/monit.d/scripts/critical CRITICAL: Archlinux Keyring WKD Sync has failed and automated remediation has not solved it."

roles/Sharingan/files/monit/hostdefs/DarkNet

@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Maat

@@ -1 +1,2 @@
 include "/etc/monit.d/checks/system"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Nodelet0

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet1

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet2

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet3

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Nodelet4

@@ -0,0 +1 @@
+include "/etc/monit.d/checks/system"

roles/Sharingan/files/monit/hostdefs/Sharingan

@@ -1,3 +1,4 @@
 include "/etc/monit.d/checks/system"
 include "/etc/monit.d/checks/vips"
 include "/etc/monit.d/checks/availability"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/files/monit/hostdefs/Yggdrasil

@@ -2,3 +2,4 @@ include "/etc/monit.d/checks/system"
 include "/etc/monit.d/checks/watcher-of-watchers"
 include "/etc/monit.d/checks/warrant-canary"
 include "/etc/monit.d/checks/grimoire"
+include "/etc/monit.d/checks/automated_response"

roles/Sharingan/tasks/scans.yml

@@ -33,33 +33,17 @@
      - sharingan-scan.service
      - sharingan-scan.timer
 
- - name: Scanning services
-   become: yes
-   register: clam_svc
-   copy:
-     src: "clamav/{{ item }}"
-     dest: /usr/lib/systemd/system/
-     owner: root
-     group: root
-     mode: 0664
-   loop:
-     - freshclam.service
-     - freshclam.timer
-     - clamscan.service
-     - clamscan.timer
-
  - systemd:
      daemon_reload: yes
    become: yes
-   when: clam_svc.changed or lynis_svc.changed
+   when: lynis_svc.changed
-
 
  - name: Enable timers
    become: yes
-   loop:
-     - freshclam.timer
-     - sharingan-scan.timer
    service:
-     name: "{{ item }}"
+     name: sharingan-scan.timer
      state: restarted
      enabled: yes
+
+ - import_tasks: "./vscan.yml"
+   when: vscan_enabled is defined

roles/Sharingan/tasks/siem.yml

@@ -5,7 +5,8 @@
    package:
      name:
        - elasticsearch
-       - mongodb44-bin # Temporarily pinned for extensions
+       - mongodb-bin
+       - mongodb-tools-bin
        - graylog
      state: present
 

roles/Sharingan/tasks/vscan.yml

@@ -0,0 +1,26 @@
+---
+
+ - name: Virus scanning services
+   become: yes
+   register: clam_svc
+   copy:
+     src: "clamav/{{ item }}"
+     dest: /usr/lib/systemd/system/
+     owner: root
+     group: root
+     mode: 0664
+   loop:
+     - freshclam.service
+     - freshclam.timer
+     - clamscan.service
+     - clamscan.timer
+
+ - name: Enable timers
+   become: yes
+   loop:
+     - freshclam.timer
+     - clamscan.timer
+   service:
+     name: "{{ item }}"
+     state: restarted
+     enabled: yes

roles/Sora/tasks/main.yml

@@ -1,7 +0,0 @@
----
- - name: Sora packages
-   become: yes
-   package:
-     name:
-       - openldap
-

roles/Vanik/tasks/main.yml

@@ -1,12 +0,0 @@
----
-
- - command: ./scripts/generate-dhcp.py
-   delegate_to: localhost
-   run_once: true
-   name: Generate DHCP leases.
-
- - command: ./scripts/generate-dns.py
-   delegate_to: localhost
-   run_once: true
-   name: Generate DNS entries
-