Viewing file:  ipa.py (3.7 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
# Copyright (C) 2007 Red Hat, Inc., Kent Lamb <klamb@redhat.com>
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
from sos.plugins import Plugin, RedHatPlugin
from glob import glob
class Ipa(Plugin, RedHatPlugin):
""" Identity, policy, audit
"""
plugin_name = 'ipa'
profiles = ('identity',)
ipa_server = False
ipa_client = False
files = ('/etc/ipa',)
packages = ('ipa-server', 'ipa-client')
def check_enabled(self):
self.ipa_server = self.is_installed("ipa-server")
self.ipa_client = self.is_installed("ipa-client")
return Plugin.check_enabled(self)
def setup(self):
if self.ipa_server:
self.add_copy_spec([
"/var/log/ipaserver-install.log",
"/var/log/ipareplica-install.log"
])
if self.ipa_client:
self.add_copy_spec("/var/log/ipaclient-install.log")
self.add_copy_spec([
"/var/log/ipaupgrade.log",
"/var/log/krb5kdc.log",
"/var/log/pki-ca/debug",
"/var/log/pki-ca/catalina.out",
"/var/log/pki-ca/system",
"/var/log/pki-ca/transactions",
"/var/log/dirsrv/slapd-*/logs/access",
"/var/log/dirsrv/slapd-*/logs/errors",
"/etc/dirsrv/slapd-*/dse.ldif",
"/etc/dirsrv/slapd-*/schema/99user.ldif",
"/etc/hosts",
"/etc/named.*",
"/etc/pki-ca/CS.cfg",
"/etc/ipa/ca.crt",
"/etc/ipa/default.conf",
"/var/lib/certmonger/requests/[0-9]*",
"/var/lib/certmonger/cas/[0-9]*"
])
self.add_forbidden_path("/etc/pki/nssdb/key*")
self.add_forbidden_path("/etc/pki-ca/flatfile.txt")
self.add_forbidden_path("/etc/pki-ca/password.conf")
self.add_forbidden_path("/var/lib/pki-ca/alias/key*")
self.add_forbidden_path("/etc/dirsrv/slapd-*/key*")
self.add_forbidden_path("/etc/dirsrv/slapd-*/pin.txt")
self.add_forbidden_path("/etc/dirsrv/slapd-*/pwdfile.txt")
self.add_forbidden_path("/etc/named.keytab")
self.add_cmd_output([
"ls -la /etc/dirsrv/slapd-*/schema/",
"getcert list",
"certutil -L -d /var/lib/pki-ca/alias",
"certutil -L -d /etc/httpd/alias/",
"klist -ket /etc/dirsrv/ds.keytab",
"klist -ket /etc/httpd/conf/ipa.keytab"
])
for certdb_directory in glob("/etc/dirsrv/slapd-*/"):
self.add_cmd_output(["certutil -L -d %s" % certdb_directory])
return
def postproc(self):
match = r"(\s*arg \"password )[^\"]*"
subst = r"\1********"
self.do_file_sub("/etc/named.conf", match, subst)
self.do_cmd_output_sub("getcert list",
r"(pin=)'(\d+)'",
r"\1'***'")
request_logs = "/var/lib/certmonger/requests/[0-9]*"
for request_log in glob(request_logs):
self.do_file_sub(request_log,
r"(key_pin=)(\d+)",
r"\1***")
# vim: et ts=4 sw=4
|