Commit a256bf39 authored by sdrfnord's avatar sdrfnord

Made script compliant with PEP 8 -- Style Guide for Python Code.

parent cb0806cf
......@@ -23,39 +23,49 @@ See http://falkhusemann.de/blog/artikel-veroffentlichungen/tauchfahrt/ for more
# Debian packages: python-pyip
import pexpect
import logging, sys, re, os
import ping
import subprocess
import sys
import os
import re
import logging
import time
import filecmp
import socket
import pexpect
# import ping
import filecmp
from ConfigParser import ConfigParser
class scout():
def __init__(self,
base_config_path = '%s/.scout' % os.environ['HOME'],
ssh_identity_file = None,
ssh_known_hosts_file = os.path.join(os.environ['HOME'], '.ssh', 'initrd_known_hosts'),
shell_promt_regex = '~ # ',
config_file = '.config.cfg',
):
base_config_path='%s/.scout' % os.environ['HOME'],
ssh_identity_file=None,
ssh_known_hosts_file=os.path.join(
os.environ['HOME'],
'.ssh',
'initrd_known_hosts'
),
shell_promt_regex='~ # ',
config_file='.config.cfg',
):
self._base_config_path = base_config_path
self._ssh_parms = ssh_parms = '%s -o UserKnownHostsFile=%s' % (
'-i %s' % ssh_identity_file if ssh_identity_file != None else '',
ssh_known_hosts_file
)
self._hash_check_program = os.path.join(self._base_config_path, 'hashdeep')
self._ssh_parms = '%s -o UserKnownHostsFile=%s' % (
'-i %s' % ssh_identity_file if ssh_identity_file is not None else '',
ssh_known_hosts_file
)
self._hash_check_program = os.path.join(
self._base_config_path, 'hashdeep')
self._shell_promt_regex = re.compile(shell_promt_regex)
if os.path.isfile(self._hash_check_program) == False:
if os.path.isfile(self._hash_check_program) is False:
raise Exception('File %s not found.' % self._hash_check_program)
cfg_file = os.path.join(self._base_config_path, config_file)
cfg_file_permissions = oct(os.stat(cfg_file).st_mode)
if cfg_file_permissions[-3:] != '600':
logging.warning('Configuration file (which usually contains passwords) has more file permissions than needed (%s).' % cfg_file_permissions[-4:]
+ '\n Please change this by executing the following command: chmod 0600 \'%s\'' % cfg_file)
+ '\n Please change this by executing the following command: chmod 0600 \'%s\'' % cfg_file)
sys.exit(20)
self._cfg = ConfigParser()
self._cfg.read(cfg_file)
......@@ -89,7 +99,9 @@ class scout():
if self._cfg.has_option(hostname, 'password'):
passwd = self._cfg.get(hostname, 'password')
else:
passwd = raw_input('Please enter the unlock password for %s' % hostname)
passwd = raw_input(
'Please enter the unlock password for %s' %
hostname)
child.sendline('echo -n \'%s\' > /lib/cryptsetup/passfifo' % passwd)
self._disk_unlocked = True
self._exit_gracefully(child)
......@@ -97,7 +109,10 @@ class scout():
def main(self, hostname, keyfile, port=22):
self._ssh_parms += ' root@%s' % hostname
self._hash_file = os.path.join(self._base_config_path, '%s_initrd_hashlist' % hostname)
self._hash_file = os.path.join(
self._base_config_path,
'%s_initrd_hashlist' %
hostname)
self._hash_file_old = '%s.1' % self._hash_file
self._disk_unlocked = False
while True:
......@@ -108,37 +123,46 @@ class scout():
print "SSH server not responding."
sys.exit(1)
if self._is_normal_os(ssh_version_string):
logging.info('Normal SSH Server is present. Unlocking seems to be not necessary.')
logging.info(
'Normal SSH Server is present. Unlocking seems to be not necessary.')
sys.exit(1)
elif not self._is_preboot(ssh_version_string):
logging.info('Waiting for pre-boot environment …')
else: # Dropbear
time.sleep(3) # Dropbear needs a bit time to start.
else: # Dropbear
time.sleep(3) # Dropbear needs a bit time to start.
logging.info('Preparing pre-boot integrity check …')
if os.system('cat %s | ssh %s "cat > /root/hashdeep"' % (
os.path.join(self._base_config_path, self._hash_check_program), self._ssh_parms)
) != 0:
raise Exception('Could not copy hashdeep over to %s.' % hostname)
) != 0:
raise Exception(
'Could not copy hashdeep over to %s.' %
hostname)
child = pexpect.spawn('ssh %s' % self._ssh_parms)
child.expect(r'BusyBox v1\.20\.2 \(Debian 1:1\.20\.0-7\) built-in shell \(ash\)')
child.expect(r"Enter 'help' for a list of built-in commands.")
child.expect(
r'BusyBox v1\.20\.2 \(Debian 1:1\.20\.0-7\) built-in shell \(ash\)')
child.expect(
r"Enter 'help' for a list of built-in commands.")
child.expect(self._shell_promt_regex)
child.sendline('chmod 500 /root/hashdeep')
if os.path.isfile(self._hash_file) == True:
if os.path.isfile(self._hash_file):
os.rename(self._hash_file, self._hash_file_old)
else:
logging.info('No checksums found to compare to.')
child.expect(self._shell_promt_regex)
new_hash_file_fh = file(self._hash_file, 'w')
child.sendline("/root/hashdeep -r -c sha256 /bin /conf /etc /init /root /sbin /scripts /lib/lib* /lib/klibc* /lib/modules/ /tmp /usr | sed -e '/^#/d' -e '/^%/d'| sort")
child.sendline(
"/root/hashdeep -r -c sha256 /bin /conf /etc /init /root /sbin /scripts /lib/lib* /lib/klibc* /lib/modules/ /tmp /usr | sed -e '/^#/d' -e '/^%/d'| sort")
logging.info('Verifying pre-boot environment …')
child.logfile = new_hash_file_fh
child.expect(self._shell_promt_regex)
child.logfile = None
new_hash_file_fh.close()
if os.path.isfile(self._hash_file_old) == True and filecmp.cmp(self._hash_file, self._hash_file_old) == False:
logging.warning('Changes from last boot checksum detected:')
os.system('comm -13 "%s" "%s" | cut -d "," -f 3' % (self._hash_file, self._hash_file_old))
if os.path.isfile(self._hash_file_old) and filecmp.cmp(self._hash_file, self._hash_file_old) is False:
logging.warning(
'Changes from last boot checksum detected:')
os.system(
'comm -13 "%s" "%s" | cut -d "," -f 3' %
(self._hash_file, self._hash_file_old))
if not re.match(r'YES', raw_input('\nDo you want to continue anyway (YES/NO)? ')):
self._exit_gracefully(child)
sys.exit(1)
......@@ -146,7 +170,7 @@ class scout():
self._unlock_disks(hostname, child)
else:
self._unlock_disks(hostname, child)
if self._disk_unlocked == True:
if self._disk_unlocked:
print "Server should be booting now."
sys.exit(0)
else:
......@@ -159,7 +183,7 @@ if __name__ == '__main__':
format='%(levelname)s: %(message)s',
level=logging.DEBUG,
# level=logging.INFO,
)
)
ssh_identity_file = None
if len(sys.argv) > 1:
......@@ -168,9 +192,9 @@ if __name__ == '__main__':
ssh_identity_file = sys.argv[2]
else:
logging.error('Not enough parameters.'
+ ' 1. Hostname/IP Address.'
+ ' 2. /path/to/dropbear/id_rsa'
)
+ ' 1. Hostname/IP Address.'
+ ' 2. /path/to/dropbear/id_rsa'
)
sys.exit(1)
scout = scout()
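Review bot: The unlock passphrase returned by the reflowed `raw_input(...)` in the second hunk is still spliced unquoted into a single-quoted shell command on the next line, `child.sendline('echo -n \'%s\' > /lib/cryptsetup/passfifo' % passwd)`, so a passphrase containing a single quote breaks the command and one beginning with `-` is consumed as an option by BusyBox `echo`, and the wrong value reaches the passfifo; shell-quote it with the stdlib, e.g. `import pipes` at the top and `child.sendline("printf '%%s' %s > /lib/cryptsetup/passfifo" % pipes.quote(passwd))` (this assumes the pre-boot ash provides `printf`; if not, keep `echo -n` but still wrap `passwd` in `pipes.quote(...)`). The enclosing `_unlock_disks` body starts before that hunk. The same string-built `os.system(...)` pattern carries the hashdeep copy and the `comm -13` report in the fourth hunk while `subprocess` is imported and unused, so `subprocess.call([...])` with an argument list (and `stdin=` for the copy) would be the consistent fix there. Since the commit targets PEP 8, the new `os.path.isfile(self._hash_check_program) is False` (first hunk) and `filecmp.cmp(self._hash_file, self._hash_file_old) is False` (fourth hunk) should read `not os.path.isfile(...)` / `not filecmp.cmp(...)`, and passing `shallow=False` to `filecmp.cmp` makes the integrity comparison read file contents instead of accepting matching stat signatures.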
......