[or-cvs] r20555: {projects} Update status, add rekey script. (projects/misc-sysadmin)
mikeperry at seul.org
Mon Sep 14 01:20:58 UTC 2009
Author: mikeperry
Date: 2009-09-13 21:20:58 -0400 (Sun, 13 Sep 2009)
New Revision: 20555
Added:
projects/misc-sysadmin/ssh-rekey.sh
Modified:
projects/misc-sysadmin/00_CAPTAINS.LOG
projects/misc-sysadmin/grsec-prep.sh
Log:
Update status, add rekey script.
Modified: projects/misc-sysadmin/00_CAPTAINS.LOG
===================================================================
--- projects/misc-sysadmin/00_CAPTAINS.LOG 2009-09-13 23:52:53 UTC (rev 20554)
+++ projects/misc-sysadmin/00_CAPTAINS.LOG 2009-09-14 01:20:58 UTC (rev 20555)
@@ -70,10 +70,19 @@
This ensures rpm updates happen but the end result has permissions
compatible with suexec.
- Made shell of both gitweb and gitperl /sbin/nologin and disabled passwords
+ - Enabled postfix daemon
+ - Fixed postfix not to try to relay off upstream ISPs internal network
+ - Installed Grsec+SELinux Kernel as per above sections
+ - Successfully relabeled FS for SELinux
+ - Successfully installed and booted into grsec kernel
+ - Rotated ssh keys
+ - Altered label on /srv/gitweb/repositories to be read by web interface:
+ /usr/sbin/semanage fcontext -a -t httpd_sys_content_t "/srv/gitweb/repositories(/.*)?"
-38.229.70.9:
+38.229.70.12:
- Installed Grsec+SELinux Kernel as per above sections
- - Have not yet rebooted
+ - Successfully relabeled FS for SELinux
+ - Successfully installed and booted into grsec kernel
38.229.70.13:
- Installed Grsec+SELinux Kernel as per above sections
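Review bot: the `semanage fcontext -a` line under "Altered label on /srv/gitweb/repositories" records only the file-context rule; it does not relabel files already on disk, so the log should also note the `restorecon -R /srv/gitweb/repositories` (or full relabel) that actually applied it, otherwise the next reader cannot tell whether the web interface is reading correctly labelled files. "Rotated ssh keys" would also be more useful with the new host-key fingerprints recorded, so admins can update their known_hosts from the log rather than trusting the first reconnect.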
@@ -83,8 +92,11 @@
38.229.70.14:
- Installed Grsec+SELinux Kernel as per above sections
- GRSec kernel did not come back up (vmware-tools?)
+ - Needs ssh rekey
+ - Needs auditd
38.229.70.15
- Installed Grsec+SELinux Kernel as per above sections
- installed epkg from source (encap implementation)
- installed chpax from source
+ - Rotated ssh keys
Modified: projects/misc-sysadmin/grsec-prep.sh
===================================================================
--- projects/misc-sysadmin/grsec-prep.sh 2009-09-13 23:52:53 UTC (rev 20554)
+++ projects/misc-sysadmin/grsec-prep.sh 2009-09-14 01:20:58 UTC (rev 20555)
@@ -25,6 +25,10 @@
cp ~torproject/misc-sysadmin/kernel/grub.conf /etc/grub.conf
cp ~torproject/misc-sysadmin/kernel/rc.local /etc/rc.d/rc.local
+/sbin/chkconfig --level 3 auditd on
+/etc/init.d/auditd start
+
+
# XXX: While we're at it, fix timeout on logout and put /sbin, /usr/sbin/ and
# /usr/local/sbin in path
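Review bot: `/sbin/chkconfig --level 3 auditd on` enables auditd only for runlevel 3, so on any host that boots into another multi-user runlevel (e.g. 5) auditd stays off after the reboot described in the log; use `/sbin/chkconfig auditd on` (the service's default runlevels) or `--level 35`. The return value of `/etc/init.d/auditd start` is also unchecked, so a failed start goes unnoticed, and the two trailing blank lines added here should be collapsed to one.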
Added: projects/misc-sysadmin/ssh-rekey.sh
===================================================================
--- projects/misc-sysadmin/ssh-rekey.sh (rev 0)
+++ projects/misc-sysadmin/ssh-rekey.sh 2009-09-14 01:20:58 UTC (rev 20555)
@@ -0,0 +1,28 @@
+#!/bin/bash -x
+#
+# ssh-rekey by
+# Mike Perry <mikeperry at fscked.org>
+#
+# This is released under the same license as Tor
+#
+
+HOSTNAME=`hostname`
+echo "Attempting to prep $HOSTNAME..."
+if [ -f /tmp/rekeyed ];
+then
+echo "Already reykeyed!"
+exit
+fi
+
+rm /etc/ssh/ssh_host_key*
+rm /etc/ssh/ssh_host_dsa_key*
+rm /etc/ssh/ssh_host_rsa_key*
+
+/usr/bin/ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
+/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
+/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
+
+/etc/init.d/sshd reload
+
+echo
+touch /tmp/rekeyed
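Review bot: the host keys are removed before they are regenerated but none of the three ssh-keygen exit statuses is checked, so a failing keygen followed by `/etc/init.d/sshd reload` leaves sshd without host keys and the machine unreachable over ssh; add `set -e` after the shebang (or test each ssh-keygen result) so the reload only runs once all keys exist. The `/tmp/rekeyed` sentinel lives in a world-writable directory that is normally cleared on reboot, so the "already rekeyed" guard can be planted by any local user and is lost after a reboot; keep it under /etc or /var/lib instead. Minor: `reykeyed` in the echo is a typo, and the rsa1 key generated on the `-t rsa1` line is an SSH protocol 1 key, which only needs regenerating if protocol 1 is actually enabled in sshd_config.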