# Copyright (C) 2007 Red Hat, Inc., Kent Lamb <klamb@redhat.com>
# This file is part of the sos project: https://github.com/sosreport/sos
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions of
# version 2 of the GNU General Public License.
#
# See the LICENSE file in the source distribution for further information.
from sos.plugins import Plugin, RedHatPlugin, SoSPredicate
from glob import glob
from os.path import exists
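class Ipa(Plugin, RedHatPlugin):
    """ Identity, policy, audit
    """
    plugin_name = 'ipa'
    profiles = ('identity', 'apache')

    ipa_server = False
    ipa_client = False

    files = ('/etc/ipa',)
    packages = ('ipa-server', 'ipa-client', 'freeipa-server', 'freeipa-client')

    # Dogtag log locations per generation. KRA logs only exist on the v4
    # (pki-tomcat) layout; the v3 (pki-ca) layout has a CA only.
    _PKI_LOGS = {
        "v4": (
            "/var/log/pki/pki-tomcat/ca/debug",
            "/var/log/pki/pki-tomcat/ca/system",
            "/var/log/pki/pki-tomcat/ca/transactions",
            "/var/log/pki/pki-tomcat/ca/selftests.log",
            "/var/log/pki/pki-tomcat/catalina.*",
            "/var/log/pki/pki-ca-spawn.*",
            "/var/log/pki/pki-tomcat/kra/debug",
            "/var/log/pki/pki-tomcat/kra/system",
            "/var/log/pki/pki-tomcat/kra/transactions",
            "/var/log/pki/pki-kra-spawn.*",
        ),
        "v3": (
            "/var/log/pki-ca/debug",
            "/var/log/pki-ca/system",
            "/var/log/pki-ca/transactions",
            "/var/log/pki-ca/selftests.log",
            "/var/log/pki-ca/catalina.*",
            "/var/log/pki/pki-ca-spawn.*",
        ),
    }

    def check_ipa_server_version(self):
        """Return "v4" or "v3" for the Dogtag layout found on the host, or
        None when neither marker is present.

        Detection only looks at installed packages and paths; nothing is
        executed. The v4 markers are tested first, so a host carrying both
        layouts is reported as v4.
        """
        if self.is_installed("pki-server") \
                or exists("/var/lib/pki") \
                or exists("/usr/share/doc/ipa-server-4.2.0"):
            return "v4"
        if self.is_installed("pki-common") \
                or exists("/var/lib/pki-ca/"):
            return "v3"
        return None

    def ca_installed(self):
        """Return True when a Dogtag CA instance config (CS.cfg) exists in
        either the v4 or the v3 location, else False.

        Mirrors the checks done by the IPA CA installer. Relies on setup()
        having populated ``pki_tomcat_dir_v4`` / ``pki_tomcat_dir_v3``.
        """
        return (exists("%s/conf/ca/CS.cfg" % self.pki_tomcat_dir_v4)
                or exists("%s/conf/CS.cfg" % self.pki_tomcat_dir_v3))

    def ipa_server_installed(self):
        """Return True when the RHEL or the upstream IPA server package is
        installed, else False."""
        return bool(self.is_installed("ipa-server")
                    or self.is_installed("freeipa-server"))

    def retrieve_pki_logs(self, ipa_version):
        """Queue the Dogtag logs for ``ipa_version`` ("v4" or "v3").

        An unknown version (including None) queues nothing, so a CA whose
        generation could not be detected simply yields no PKI logs.
        """
        logs = self._PKI_LOGS.get(ipa_version)
        if logs:
            self.add_copy_spec(list(logs))

    def setup(self):
        """Register the files and commands to collect.

        Secret-bearing paths are registered as forbidden before any copy
        spec, so the filter is in place however early the framework applies
        it; the globs below (e.g. /etc/httpd/alias/*) would otherwise sweep
        up NSS key databases, pin/password files and keytabs.
        """
        self.pki_tomcat_dir_v4 = "/var/lib/pki/pki-tomcat"
        self.pki_tomcat_dir_v3 = "/var/lib/pki-ca"
        self.pki_tomcat_conf_dir_v4 = "/etc/pki/pki-tomcat/ca"
        self.pki_tomcat_conf_dir_v3 = "/etc/pki-ca"

        # Returns "v3", "v4", or None
        ipa_version = self.check_ipa_server_version()

        # Pick the PKI instance and config dirs for this generation up front:
        # both the forbidden-path list and the collection below need them.
        # Anything that is not v4 (including an undetected version) falls
        # back to the v3 layout.
        if ipa_version == "v4":
            self.pki_tomcat_dir = self.pki_tomcat_dir_v4
            self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v4
        else:
            self.pki_tomcat_dir = self.pki_tomcat_dir_v3
            self.pki_tomcat_conf_dir = self.pki_tomcat_conf_dir_v3

        self.add_forbidden_path([
            "/etc/pki/nssdb/key*",
            "/etc/dirsrv/slapd-*/key*",
            "/etc/dirsrv/slapd-*/pin.txt",
            "/etc/dirsrv/slapd-*/pwdfile.txt",
            "/etc/httpd/alias/ipasession.key",
            "/etc/httpd/alias/key*",
            "/etc/httpd/alias/pin.txt",
            "/etc/httpd/alias/pwdfile.txt",
            "/etc/named.keytab",
            "%s/alias/key*" % self.pki_tomcat_dir,
            "%s/flatfile.txt" % self.pki_tomcat_conf_dir,
            "%s/password.conf" % self.pki_tomcat_conf_dir,
            # Private keys that sit next to the certificates collected
            # below (ra-agent.pem, httpd.crt, kdc.crt). No copy spec here
            # names them, but pinning them as forbidden keeps a future glob
            # from picking them up. Harmless where the files do not exist.
            "/var/lib/ipa/ra-agent.key",
            "/var/lib/ipa/private/*",
            "/var/kerberos/krb5kdc/kdc.key",
        ])

        if self.ipa_server_installed():
            self._log_debug("IPA server install detected")
            self._log_debug("IPA version is [%s]" % ipa_version)

            self.add_copy_spec([
                "/var/log/ipaserver-install.log",
                "/var/log/ipaserver-kra-install.log",
                "/var/log/ipareplica-install.log",
                "/var/log/ipareplica-ca-install.log",
                "/var/log/ipa-custodia.audit.log"
            ])

        if self.ca_installed():
            self._log_debug("CA is installed: retrieving PKI logs")
            self.retrieve_pki_logs(ipa_version)

        # dse.ldif is collected here and scrubbed again in postproc(); it
        # holds the directory's root DN password hash among other config.
        self.add_copy_spec([
            "/var/log/ipaclient-install.log",
            "/var/log/ipaupgrade.log",
            "/var/log/krb5kdc.log",
            "/var/log/dirsrv/slapd-*/logs/access",
            "/var/log/dirsrv/slapd-*/logs/errors",
            "/etc/dirsrv/slapd-*/dse.ldif",
            "/etc/dirsrv/slapd-*/schema/99user.ldif",
            "/etc/hosts",
            "/etc/httpd/alias/*",
            "/etc/named.*",
            "/etc/ipa/ca.crt",
            "/etc/ipa/default.conf",
            "/etc/ipa/kdcproxy/kdcproxy.conf",
            "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf",
            "/etc/ipa/kdcproxy.conf",
            "/root/.ipa/log/cli.log",
            "/var/lib/certmonger/requests/[0-9]*",
            "/var/lib/certmonger/cas/[0-9]*",
            "/var/lib/ipa/ra-agent.pem",
            "/var/lib/ipa/certs/httpd.crt",
            "/var/kerberos/krb5kdc/kdc.crt",
            "/var/lib/ipa/sysrestore/sysrestore.state",
            "/var/log/ipa/healthcheck/healthcheck.log*"
        ])

        # Make sure to use the right PKI config and NSS DB folders
        self.add_cmd_output("certutil -L -d %s/alias" % self.pki_tomcat_dir)
        self.add_copy_spec("%s/CS.cfg" % self.pki_tomcat_conf_dir)

        # certutil -L and klist -ket list certificates / key version numbers
        # only; no private key or keytab material is printed.
        self.add_cmd_output([
            "ls -la /etc/dirsrv/slapd-*/schema/",
            "certutil -L -d /etc/httpd/alias/",
            "pki-server cert-find --show-all",
            "pki-server subsystem-cert-validate ca",
            "klist -ket /etc/dirsrv/ds.keytab",
            "klist -ket /etc/httpd/conf/ipa.keytab",
            "klist -ket /var/lib/ipa/gssproxy/http.keytab"
        ])

        # Only ask certmonger when its service is present; its output is
        # scrubbed for pins in postproc().
        getcert_pred = SoSPredicate(self, services=['certmonger'])
        self.add_cmd_output("getcert list", pred=getcert_pred)

        for certdb_directory in glob("/etc/dirsrv/slapd-*/"):
            self.add_cmd_output("certutil -L -d %s" % certdb_directory)

    def postproc(self):
        """Scrub secrets from the collected files and command output.

        Runs against the archived copies after collection. Glob lookups use
        the live filesystem, as the collection specs do.
        """
        # named.conf: arg "password <value>" entries.
        match = r"(\s*arg \"password )[^\"]*"
        subst = r"\1********"
        self.do_file_sub("/etc/named.conf", match, subst)

        # getcert list prints pin='...'. Pins are arbitrary strings, not
        # just digits, so match up to the closing quote instead of \d+ or a
        # non-numeric pin would be left in the clear.
        self.do_cmd_output_sub("getcert list",
                               r"(pin=)'[^']*'",
                               r"\1'***'")

        # certmonger request files store key_pin=<value>; same reasoning,
        # take the whole remainder of the line rather than digits only.
        request_logs = "/var/lib/certmonger/requests/[0-9]*"
        for request_log in glob(request_logs):
            self.do_file_sub(request_log,
                             r"(key_pin=).*",
                             r"\1***")

        # dse.ldif carries the root DN password hash (nsslapd-rootpw) and
        # the symmetric key used to protect stored credentials
        # (nsSymmetricKey). The dirsrv plugin scrubs these as well, but this
        # plugin collects the file itself and should not depend on another
        # plugin running. LDIF folds long values onto continuation lines
        # that begin with a single space, so those are consumed with the
        # value; "::" marks a base64 value and is accepted alongside ":".
        for dse_ldif in glob("/etc/dirsrv/slapd-*/dse.ldif"):
            for attr in ("nsslapd-rootpw", "nsSymmetricKey"):
                self.do_file_sub(dse_ldif,
                                 r"(%s\s*::?\s*)\S+(?:\n .*)*" % attr,
                                 r"\1********")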
# vim: set et ts=4 sw=4 :