""" utility.py: defines miscellaneous utility services. """ from typing import Optional, Tuple import netaddr from core import utils from core.errors import CoreCommandError from core.executables import SYSCTL from core.nodes.base import CoreNode from core.services.coreservices import CoreService, ServiceMode class UtilService(CoreService): """ Parent class for utility services. """ name: Optional[str] = None group: str = "Utility" @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: return "" class IPForwardService(UtilService): name: str = "IPForward" configs: Tuple[str, ...] = ("ipforward.sh",) startup: Tuple[str, ...] = ("bash ipforward.sh",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: return cls.generateconfiglinux(node, filename) @classmethod def generateconfiglinux(cls, node: CoreNode, filename: str) -> str: cfg = """\ #!/bin/sh # auto-generated by IPForward service (utility.py) %(sysctl)s -w net.ipv4.conf.all.forwarding=1 %(sysctl)s -w net.ipv4.conf.default.forwarding=1 %(sysctl)s -w net.ipv6.conf.all.forwarding=1 %(sysctl)s -w net.ipv6.conf.default.forwarding=1 %(sysctl)s -w net.ipv4.conf.all.send_redirects=0 %(sysctl)s -w net.ipv4.conf.default.send_redirects=0 %(sysctl)s -w net.ipv4.conf.all.rp_filter=0 %(sysctl)s -w net.ipv4.conf.default.rp_filter=0 """ % { "sysctl": SYSCTL } for iface in node.get_ifaces(): name = utils.sysctl_devname(iface.name) cfg += "%s -w net.ipv4.conf.%s.forwarding=1\n" % (SYSCTL, name) cfg += "%s -w net.ipv4.conf.%s.send_redirects=0\n" % (SYSCTL, name) cfg += "%s -w net.ipv4.conf.%s.rp_filter=0\n" % (SYSCTL, name) return cfg class DefaultRouteService(UtilService): name: str = "DefaultRoute" configs: Tuple[str, ...] = ("defaultroute.sh",) startup: Tuple[str, ...] = ("bash defaultroute.sh",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: routes = [] ifaces = node.get_ifaces() if ifaces: iface = ifaces[0] for ip in iface.ips(): net = ip.cidr if net.size > 1: router = net[1] routes.append(str(router)) cfg = "#!/bin/sh\n" cfg += "# auto-generated by DefaultRoute service (utility.py)\n" for route in routes: cfg += f"ip route add default via {route}\n" return cfg class DefaultMulticastRouteService(UtilService): name: str = "DefaultMulticastRoute" configs: Tuple[str, ...] = ("defaultmroute.sh",) startup: Tuple[str, ...] = ("bash defaultmroute.sh",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: cfg = "#!/bin/sh\n" cfg += "# auto-generated by DefaultMulticastRoute service (utility.py)\n" cfg += "# the first interface is chosen below; please change it " cfg += "as needed\n" for iface in node.get_ifaces(control=False): rtcmd = "ip route add 224.0.0.0/4 dev" cfg += "%s %s\n" % (rtcmd, iface.name) cfg += "\n" break return cfg class StaticRouteService(UtilService): name: str = "StaticRoute" configs: Tuple[str, ...] = ("staticroute.sh",) startup: Tuple[str, ...] = ("bash staticroute.sh",) custom_needed: bool = True @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: cfg = "#!/bin/sh\n" cfg += "# auto-generated by StaticRoute service (utility.py)\n#\n" cfg += "# NOTE: this service must be customized to be of any use\n" cfg += "# Below are samples that you can uncomment and edit.\n#\n" for iface in node.get_ifaces(control=False): cfg += "\n".join(map(cls.routestr, iface.ips())) cfg += "\n" return cfg @staticmethod def routestr(ip: netaddr.IPNetwork) -> str: address = str(ip.ip) if netaddr.valid_ipv6(address): dst = "3ffe:4::/64" else: dst = "10.9.8.0/24" if ip[-2] == ip[1]: return "" else: rtcmd = "#/sbin/ip route add %s via" % dst return "%s %s" % (rtcmd, ip[1]) class SshService(UtilService): name: str = "SSH" configs: Tuple[str, ...] = ("startsshd.sh", "/etc/ssh/sshd_config") dirs: Tuple[str, ...] = ("/etc/ssh", "/var/run/sshd") startup: Tuple[str, ...] = ("bash startsshd.sh",) shutdown: Tuple[str, ...] = ("killall sshd",) validation_mode: ServiceMode = ServiceMode.BLOCKING @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Use a startup script for launching sshd in order to wait for host key generation. """ sshcfgdir = cls.dirs[0] sshstatedir = cls.dirs[1] sshlibdir = "/usr/lib/openssh" if filename == "startsshd.sh": return """\ #!/bin/sh # auto-generated by SSH service (utility.py) ssh-keygen -q -t rsa -N "" -f %s/ssh_host_rsa_key chmod 655 %s # wait until RSA host key has been generated to launch sshd /usr/sbin/sshd -f %s/sshd_config """ % ( sshcfgdir, sshstatedir, sshcfgdir, ) else: return """\ # auto-generated by SSH service (utility.py) Port 22 Protocol 2 HostKey %s/ssh_host_rsa_key UsePrivilegeSeparation yes PidFile %s/sshd.pid KeyRegenerationInterval 3600 ServerKeyBits 768 SyslogFacility AUTH LogLevel INFO LoginGraceTime 120 PermitRootLogin yes StrictModes yes RSAAuthentication yes PubkeyAuthentication yes IgnoreRhosts yes RhostsRSAAuthentication no HostbasedAuthentication no PermitEmptyPasswords no ChallengeResponseAuthentication no X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes AcceptEnv LANG LC_* Subsystem sftp %s/sftp-server UsePAM yes UseDNS no """ % ( sshcfgdir, sshstatedir, sshlibdir, ) class DhcpService(UtilService): name: str = "DHCP" configs: Tuple[str, ...] = ("/etc/dhcp/dhcpd.conf",) dirs: Tuple[str, ...] = ("/etc/dhcp", "/var/lib/dhcp") startup: Tuple[str, ...] = ("touch /var/lib/dhcp/dhcpd.leases", "dhcpd") shutdown: Tuple[str, ...] = ("killall dhcpd",) validate: Tuple[str, ...] = ("pidof dhcpd",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate a dhcpd config file using the network address of each interface. """ cfg = """\ # auto-generated by DHCP service (utility.py) # NOTE: move these option lines into the desired pool { } block(s) below #option domain-name "test.com"; #option domain-name-servers 10.0.0.1; #option routers 10.0.0.1; log-facility local6; default-lease-time 600; max-lease-time 7200; ddns-update-style none; """ for iface in node.get_ifaces(control=False): cfg += "\n".join(map(cls.subnetentry, iface.ip4s)) cfg += "\n" return cfg @staticmethod def subnetentry(ip: netaddr.IPNetwork) -> str: """ Generate a subnet declaration block given an IPv4 prefix string for inclusion in the dhcpd3 config file. """ if ip.size == 1: return "" # divide the address space in half index = (ip.size - 2) / 2 rangelow = ip[index] rangehigh = ip[-2] return """ subnet %s netmask %s { pool { range %s %s; default-lease-time 600; option routers %s; } } """ % ( ip.cidr.ip, ip.netmask, rangelow, rangehigh, ip.ip, ) class DhcpClientService(UtilService): """ Use a DHCP client for all interfaces for addressing. """ name: str = "DHCPClient" configs: Tuple[str, ...] = ("startdhcpclient.sh",) startup: Tuple[str, ...] = ("bash startdhcpclient.sh",) shutdown: Tuple[str, ...] = ("killall dhclient",) validate: Tuple[str, ...] = ("pidof dhclient",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate a script to invoke dhclient on all interfaces. """ cfg = "#!/bin/sh\n" cfg += "# auto-generated by DHCPClient service (utility.py)\n" cfg += "# uncomment this mkdir line and symlink line to enable client-" cfg += "side DNS\n# resolution based on the DHCP server response.\n" cfg += "#mkdir -p /var/run/resolvconf/interface\n" for iface in node.get_ifaces(control=False): cfg += "#ln -s /var/run/resolvconf/interface/%s.dhclient" % iface.name cfg += " /var/run/resolvconf/resolv.conf\n" cfg += "/sbin/dhclient -nw -pf /var/run/dhclient-%s.pid" % iface.name cfg += " -lf /var/run/dhclient-%s.lease %s\n" % (iface.name, iface.name) return cfg class FtpService(UtilService): """ Start a vsftpd server. """ name: str = "FTP" configs: Tuple[str, ...] = ("vsftpd.conf",) dirs: Tuple[str, ...] = ("/var/run/vsftpd/empty", "/var/ftp") startup: Tuple[str, ...] = ("vsftpd ./vsftpd.conf",) shutdown: Tuple[str, ...] = ("killall vsftpd",) validate: Tuple[str, ...] = ("pidof vsftpd",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate a vsftpd.conf configuration file. """ return """\ # vsftpd.conf auto-generated by FTP service (utility.py) listen=YES anonymous_enable=YES local_enable=YES dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/vsftpd.log ftpd_banner=Welcome to the CORE FTP service secure_chroot_dir=/var/run/vsftpd/empty anon_root=/var/ftp """ class HttpService(UtilService): """ Start an apache server. """ name: str = "HTTP" configs: Tuple[str, ...] = ( "/etc/apache2/apache2.conf", "/etc/apache2/envvars", "/var/www/index.html", ) dirs: Tuple[str, ...] = ( "/etc/apache2", "/var/run/apache2", "/var/log/apache2", "/run/lock", "/var/lock/apache2", "/var/www", ) startup: Tuple[str, ...] = ("chown www-data /var/lock/apache2", "apache2ctl start") shutdown: Tuple[str, ...] = ("apache2ctl stop",) validate: Tuple[str, ...] = ("pidof apache2",) APACHEVER22: int = 22 APACHEVER24: int = 24 @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate an apache2.conf configuration file. """ if filename == cls.configs[0]: return cls.generateapache2conf(node, filename) elif filename == cls.configs[1]: return cls.generateenvvars(node, filename) elif filename == cls.configs[2]: return cls.generatehtml(node, filename) else: return "" @classmethod def detectversionfromcmd(cls) -> int: """ Detect the apache2 version using the 'a2query' command. """ try: result = utils.cmd("a2query -v") status = 0 except CoreCommandError as e: status = e.returncode result = e.stderr if status == 0 and result[:3] == "2.4": return cls.APACHEVER24 return cls.APACHEVER22 @classmethod def generateapache2conf(cls, node: CoreNode, filename: str) -> str: lockstr = { cls.APACHEVER22: "LockFile ${APACHE_LOCK_DIR}/accept.lock\n", cls.APACHEVER24: "Mutex file:${APACHE_LOCK_DIR} default\n", } mpmstr = { cls.APACHEVER22: "", cls.APACHEVER24: "LoadModule mpm_worker_module /usr/lib/apache2/modules/mod_mpm_worker.so\n", } permstr = { cls.APACHEVER22: " Order allow,deny\n Deny from all\n Satisfy all\n", cls.APACHEVER24: " Require all denied\n", } authstr = { cls.APACHEVER22: "LoadModule authz_default_module /usr/lib/apache2/modules/mod_authz_default.so\n", cls.APACHEVER24: "LoadModule authz_core_module /usr/lib/apache2/modules/mod_authz_core.so\n", } permstr2 = { cls.APACHEVER22: "\t\tOrder allow,deny\n\t\tallow from all\n", cls.APACHEVER24: "\t\tRequire all granted\n", } version = cls.detectversionfromcmd() cfg = "# apache2.conf generated by utility.py:HttpService\n" cfg += lockstr[version] cfg += """\ PidFile ${APACHE_PID_FILE} Timeout 300 KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 5 """ cfg += mpmstr[version] cfg += """\ StartServers 5 MinSpareServers 5 MaxSpareServers 10 MaxClients 150 MaxRequestsPerChild 0 StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxClients 150 MaxRequestsPerChild 0 StartServers 2 MinSpareThreads 25 MaxSpareThreads 75 ThreadLimit 64 ThreadsPerChild 25 MaxClients 150 MaxRequestsPerChild 0 User ${APACHE_RUN_USER} Group ${APACHE_RUN_GROUP} AccessFileName .htaccess """ cfg += permstr[version] cfg += """\ DefaultType None HostnameLookups Off ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn #Include mods-enabled/*.load #Include mods-enabled/*.conf LoadModule alias_module /usr/lib/apache2/modules/mod_alias.so LoadModule auth_basic_module /usr/lib/apache2/modules/mod_auth_basic.so """ cfg += authstr[version] cfg += """\ LoadModule authz_host_module /usr/lib/apache2/modules/mod_authz_host.so LoadModule authz_user_module /usr/lib/apache2/modules/mod_authz_user.so LoadModule autoindex_module /usr/lib/apache2/modules/mod_autoindex.so LoadModule dir_module /usr/lib/apache2/modules/mod_dir.so LoadModule env_module /usr/lib/apache2/modules/mod_env.so NameVirtualHost *:80 Listen 80 Listen 443 Listen 443 LogFormat "%v:%p %h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"" vhost_combined LogFormat "%h %l %u %t \\"%r\\" %>s %O \\"%{Referer}i\\" \\"%{User-Agent}i\\"" combined LogFormat "%h %l %u %t \\"%r\\" %>s %O" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i" agent ServerTokens OS ServerSignature On TraceEnable Off ServerAdmin webmaster@localhost DocumentRoot /var/www Options FollowSymLinks AllowOverride None Options Indexes FollowSymLinks MultiViews AllowOverride None """ cfg += permstr2[version] cfg += """\ ErrorLog ${APACHE_LOG_DIR}/error.log LogLevel warn CustomLog ${APACHE_LOG_DIR}/access.log combined """ return cfg @classmethod def generateenvvars(cls, node: CoreNode, filename: str) -> str: return """\ # this file is used by apache2ctl - generated by utility.py:HttpService # these settings come from a default Ubuntu apache2 installation export APACHE_RUN_USER=www-data export APACHE_RUN_GROUP=www-data export APACHE_PID_FILE=/var/run/apache2.pid export APACHE_RUN_DIR=/var/run/apache2 export APACHE_LOCK_DIR=/var/lock/apache2 export APACHE_LOG_DIR=/var/log/apache2 export LANG=C export LANG """ @classmethod def generatehtml(cls, node: CoreNode, filename: str) -> str: body = ( """\

%s web server

This is the default web page for this server.

The web server software is running but no content has been added, yet.

""" % node.name ) for iface in node.get_ifaces(control=False): body += "
  • %s - %s
  • \n" % (iface.name, [str(x) for x in iface.ips()]) return "%s" % body class PcapService(UtilService): """ Pcap service for logging packets. """ name: str = "pcap" configs: Tuple[str, ...] = ("pcap.sh",) startup: Tuple[str, ...] = ("bash pcap.sh start",) shutdown: Tuple[str, ...] = ("bash pcap.sh stop",) validate: Tuple[str, ...] = ("pidof tcpdump",) meta: str = "logs network traffic to pcap packet capture files" @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate a startpcap.sh traffic logging script. """ cfg = """ #!/bin/sh # set tcpdump options here (see 'man tcpdump' for help) # (-s snap length, -C limit pcap file length, -n disable name resolution) DUMPOPTS="-s 12288 -C 10 -n" if [ "x$1" = "xstart" ]; then """ for iface in node.get_ifaces(): if iface.control: cfg += "# " redir = "< /dev/null" cfg += "tcpdump ${DUMPOPTS} -w %s.%s.pcap -i %s %s &\n" % ( node.name, iface.name, iface.name, redir, ) cfg += """ elif [ "x$1" = "xstop" ]; then mkdir -p ${SESSION_DIR}/pcap mv *.pcap ${SESSION_DIR}/pcap fi; """ return cfg class RadvdService(UtilService): name: str = "radvd" configs: Tuple[str, ...] = ("/etc/radvd/radvd.conf",) dirs: Tuple[str, ...] = ("/etc/radvd", "/var/run/radvd") startup: Tuple[str, ...] = ( "radvd -C /etc/radvd/radvd.conf -m logfile -l /var/log/radvd.log", ) shutdown: Tuple[str, ...] = ("pkill radvd",) validate: Tuple[str, ...] = ("pidof radvd",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: """ Generate a RADVD router advertisement daemon config file using the network address of each interface. """ cfg = "# auto-generated by RADVD service (utility.py)\n" for iface in node.get_ifaces(control=False): prefixes = list(map(cls.subnetentry, iface.ips())) if len(prefixes) < 1: continue cfg += ( """\ interface %s { AdvSendAdvert on; MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvDefaultPreference low; AdvHomeAgentFlag off; """ % iface.name ) for prefix in prefixes: if prefix == "": continue cfg += ( """\ prefix %s { AdvOnLink on; AdvAutonomous on; AdvRouterAddr on; }; """ % prefix ) cfg += "};\n" return cfg @staticmethod def subnetentry(ip: netaddr.IPNetwork) -> str: """ Generate a subnet declaration block given an IPv6 prefix string for inclusion in the RADVD config file. """ address = str(ip.ip) if netaddr.valid_ipv6(address): return str(ip) else: return "" class AtdService(UtilService): """ Atd service for scheduling at jobs """ name: str = "atd" configs: Tuple[str, ...] = ("startatd.sh",) dirs: Tuple[str, ...] = ("/var/spool/cron/atjobs", "/var/spool/cron/atspool") startup: Tuple[str, ...] = ("bash startatd.sh",) shutdown: Tuple[str, ...] = ("pkill atd",) @classmethod def generate_config(cls, node: CoreNode, filename: str) -> str: return """ #!/bin/sh echo 00001 > /var/spool/cron/atjobs/.SEQ chown -R daemon /var/spool/cron/* chmod -R 700 /var/spool/cron/* atd """ class UserDefinedService(UtilService): """ Dummy service allowing customization of anything. """ name: str = "UserDefined" meta: str = "Customize this service to do anything upon startup."