User Tools

Site Tools


nfsen

Tasks from stock, Production Network Utility Server

  • Doon
  • Complete configuration logs will be uploaded to this wiki, here
  • Below are the step by step notes for each addition or change to the server.

changing the carmom password

- you don't need details

changing the user rc files

vim .bashrc
bashrc
# .bashrc
# Source global definitions
if [ -f /etc/bashrc ]; then
      . /etc/bashrc
fi
     
# User specific aliases and functions
LS_COLORS='no=00:fi=00:di=01;35:ln=01;36:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:'; export LS_COLORS
vim .vimrc
.vimrc
set background=dark
set ts=4
set ai

changing the prompt

vim .bash_profile
.bash_profile
  export PS1="\n\[\e[30;1m\]\[\016\]\[\017\](\[\e[34;1m\]\u@\h\[\e[30;1m\])-(\[\e[34;1m\]\j\[\e[30;1m\])-(\[\e[34;1m\]\@ \d\[\e[30;1m\])->\[\e[30;1m\]\n\[\016\]\[\017\](\[\[\e[32;1m\]\w\[\e[30;1m\])-(\[\e[32;1m\]\$(/bin/ls -1 | /usr/bin/wc -l | /bin/sed 's: ::g') files, \$(/bin/ls -lah | /bin/grep -m 1 total | /bin/sed 's/total //')b\[\e[30;1m\])--> \[\e[0m\]"

Tac Plus

Install/configure dependencies

Pluggable Authentication Modules (PAM) Kerberos

edit/replace the /etc/krb5.conf file to match the following

krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ITSA-INT.ITSA.GOV.AU
 dns_lookup_realm = yes
 dns_lookup_kdc = yes
 ticket_lifetime = 24h
; for Windows 2008 with AES
      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

[realms]
ITSA-INT.ITSA.GOV.AU= {
  kdc = cbrdc01.itsa-int.itsa.gov.au:88
  admin_server = cbrdc01.itsa-int.itsa.gov.au:749
  default_domain = itsa-int.itsa.gov.au
}

[domain_realm]
  ale.itsa-int.itsa.gov.au = ITSA-INT.ITSA.GOV.AU
  .itsa-int.itsa.gov.au = ITSA-INT.ITSA.GOV.AU
  itsa-int.itsa.gov.au = ITSA-INT.ITSA.GOV.AU

[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = true
}

test by attempting to connect to kerberos with

kinit <username>

Install Supporting Libraries

yum install pam-devel gcc flex bison tcp_wrappers-devel

Source code

Changes to source

authen.c

replace

		prompt = cfg_get_host_prompt(datap->NAS_id->NAS_ip);
		if (prompt == NULL && !STREQ(datap->NAS_id->NAS_name,
					     datap->NAS_id->NAS_ip)) {
		    prompt = cfg_get_host_prompt(datap->NAS_id->NAS_name);
		}
		if (prompt == NULL) {
		    prompt = "\nUser Access Verification\n\nUsername: ";
		}

with

			prompt = cfg_get_host_prompt(datap->NAS_id->NAS_ip);
			if (prompt == NULL && !STREQ(datap->NAS_id->NAS_name,
						     datap->NAS_id->NAS_ip)) {
		    	prompt = cfg_get_host_prompt(datap->NAS_id->NAS_name);
			}
			if (prompt == NULL) {
				prompt = tac_strdup(global_prompt);
			}
			if (prompt == NULL) {
			    prompt = "\nUser Access Verification\n\nUsername: ";
			}

config.c

Between

switch (sym_code) {
case S_eof:
    return(0);

and

case S_accounting:
    sym_get();

add

case S_prompt:
	sym_get();
	
	parse (S_separator);
	if (global_prompt != NULL) {	
		parse_error("Duplicate value for prompt on line %d", sym_line); 
		break;
	}
	global_prompt = tac_strdup(sym_buf);
	
	sym_get();
	continue;

tac_plus.h

After

extern int wtmpfd;

add

extern char *global_prompt;

tac_plus.c

after

char *bind_address = NULL;

add

char *global_prompt = NULL;

Compile and Install

 cd <Directory containing source code>
 ./configure --bindir=/usr/local/bin --sbindir=/usr/local/sbin --localstatedir=/var/local/tacacs --sysconfdir=/etc --with-logfile=/var/log/tacacs/tacacs --with-pidfile=/var/run/tacacs.pid --with-acctfile=/var/log/tacacs/acctfile
 
 make
 make install
 

you should see something similar to

/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include -g -O2 -pthread    -g -O2 -pthread    -MT libtacacs_la-maxsess.lo -MD -MP -MF .deps/libtacacs_la-maxsess.Tpo -c -o libtacacs_la-maxsess.lo `test -f 'maxsess.c' || echo './'`maxsess.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-maxsess.lo -MD -MP -MF .deps/libtacacs_la-maxsess.Tpo -c maxsess.c  -fPIC -DPIC -o .libs/libtacacs_la-maxsess.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-maxsess.lo -MD -MP -MF .deps/libtacacs_la-maxsess.Tpo -c maxsess.c -o libtacacs_la-maxsess.o >/dev/null 2>&1
mv -f .deps/libtacacs_la-maxsess.Tpo .deps/libtacacs_la-maxsess.Plo
/bin/sh ./libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include -g -O2 -pthread    -g -O2 -pthread    -MT libtacacs_la-packet.lo -MD -MP -MF .deps/libtacacs_la-packet.Tpo -c -o libtacacs_la-packet.lo `test -f 'packet.c' || echo './'`packet.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-packet.lo -MD -MP -MF .deps/libtacacs_la-packet.Tpo -c packet.c  -fPIC -DPIC -o .libs/libtacacs_la-packet.o
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I/usr/local/include -g -O2 -pthread -g -O2 -pthread -MT libtacacs_la-packet.lo -MD -MP -MF .deps/libtacacs_la-packet.Tpo -c packet.c -o libtacacs_la-packet.o >/dev/null 2>&1
mv -f .deps/libtacacs_la-packet.Tpo .deps/libtacacs_la-packet.Plo
/bin/sh ./libtool --tag=CC   --mode=link gcc -g -O2 -pthread    -g -O2 -pthread    -version-info 1:0:0 -version-number 1:0:0 -L/usr/local/lib -L/lib   -L/usr/local/lib -L/lib -o libtacacs.la -rpath /usr/local/lib libtacacs_la-fdes.lo libtacacs_la-maxsess.lo libtacacs_la-md4.lo libtacacs_la-md5.lo libtacacs_la-packet.lo  -lpam  -lnsl -lcrypt
libtool: link: rm -fr  .libs/libtacacs.a .libs/libtacacs.la .libs/libtacacs.lai .libs/libtacacs.so .libs/libtacacs.so.1 .libs/libtacacs.so.1.0.0
libtool: link: gcc -shared  -fPIC -DPIC  .libs/libtacacs_la-fdes.o .libs/libtacacs_la-maxsess.o .libs/libtacacs_la-md4.o .libs/libtacacs_la-md5.o .libs/libtacacs_la-packet.o   -L/usr/local/lib -L/lib -lpam -lnsl -lcrypt  -O2 -pthread -O2 -pthread   -pthread -Wl,-soname -Wl,libtacacs.so.1 -o .libs/libtacacs.so.1.0.0
libtool: link: (cd ".libs" && rm -f "libtacacs.so.1" && ln -s "libtacacs.so.1.0.0" "libtacacs.so.1")
libtool: link: (cd ".libs" && rm -f "libtacacs.so" && ln -s "libtacacs.so.1.0.0" "libtacacs.so")
libtool: link: ar cru .libs/libtacacs.a  libtacacs_la-fdes.o libtacacs_la-maxsess.o libtacacs_la-md4.o libtacacs_la-md5.o libtacacs_la-packet.o
libtool: link: ranlib .libs/libtacacs.a
libtool: link: ( cd ".libs" && rm -f "libtacacs.la" && ln -s "../libtacacs.la" "libtacacs.la" )
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT acct.o -MD -MP -MF .deps/acct.Tpo -c -o acct.o acct.c
mv -f .deps/acct.Tpo .deps/acct.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT authen.o -MD -MP -MF .deps/authen.Tpo -c -o authen.o authen.c
mv -f .deps/authen.Tpo .deps/authen.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT author.o -MD -MP -MF .deps/author.Tpo -c -o author.o author.c
mv -f .deps/author.Tpo .deps/author.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT choose_authen.o -MD -MP -MF .deps/choose_authen.Tpo -c -o choose_authen.o choose_authen.c
mv -f .deps/choose_authen.Tpo .deps/choose_authen.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT config.o -MD -MP -MF .deps/config.Tpo -c -o config.o config.c
mv -f .deps/config.Tpo .deps/config.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT default_fn.o -MD -MP -MF .deps/default_fn.Tpo -c -o default_fn.o default_fn.c
mv -f .deps/default_fn.Tpo .deps/default_fn.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT default_v0_fn.o -MD -MP -MF .deps/default_v0_fn.Tpo -c -o default_v0_fn.o default_v0_fn.c
mv -f .deps/default_v0_fn.Tpo .deps/default_v0_fn.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT do_acct.o -MD -MP -MF .deps/do_acct.Tpo -c -o do_acct.o do_acct.c
mv -f .deps/do_acct.Tpo .deps/do_acct.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT do_author.o -MD -MP -MF .deps/do_author.Tpo -c -o do_author.o do_author.c
mv -f .deps/do_author.Tpo .deps/do_author.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT dump.o -MD -MP -MF .deps/dump.Tpo -c -o dump.o dump.c
mv -f .deps/dump.Tpo .deps/dump.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT enable.o -MD -MP -MF .deps/enable.Tpo -c -o enable.o enable.c
mv -f .deps/enable.Tpo .deps/enable.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT encrypt.o -MD -MP -MF .deps/encrypt.Tpo -c -o encrypt.o encrypt.c
mv -f .deps/encrypt.Tpo .deps/encrypt.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT expire.o -MD -MP -MF .deps/expire.Tpo -c -o expire.o expire.c
mv -f .deps/expire.Tpo .deps/expire.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT hash.o -MD -MP -MF .deps/hash.Tpo -c -o hash.o hash.c
mv -f .deps/hash.Tpo .deps/hash.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT maxsessint.o -MD -MP -MF .deps/maxsessint.Tpo -c -o maxsessint.o maxsessint.c
mv -f .deps/maxsessint.Tpo .deps/maxsessint.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT parse.o -MD -MP -MF .deps/parse.Tpo -c -o parse.o parse.c
mv -f .deps/parse.Tpo .deps/parse.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT programs.o -MD -MP -MF .deps/programs.Tpo -c -o programs.o programs.c
mv -f .deps/programs.Tpo .deps/programs.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT pw.o -MD -MP -MF .deps/pw.Tpo -c -o pw.o pw.c
mv -f .deps/pw.Tpo .deps/pw.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT pwlib.o -MD -MP -MF .deps/pwlib.Tpo -c -o pwlib.o pwlib.c
mv -f .deps/pwlib.Tpo .deps/pwlib.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT report.o -MD -MP -MF .deps/report.Tpo -c -o report.o report.c
mv -f .deps/report.Tpo .deps/report.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT sendauth.o -MD -MP -MF .deps/sendauth.Tpo -c -o sendauth.o sendauth.c
mv -f .deps/sendauth.Tpo .deps/sendauth.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT sendpass.o -MD -MP -MF .deps/sendpass.Tpo -c -o sendpass.o sendpass.c
mv -f .deps/sendpass.Tpo .deps/sendpass.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT tac_plus.o -MD -MP -MF .deps/tac_plus.Tpo -c -o tac_plus.o tac_plus.c
mv -f .deps/tac_plus.Tpo .deps/tac_plus.Po
gcc -DHAVE_CONFIG_H -I.   -I/usr/local/include  -g -O2 -pthread    -MT utils.o -MD -MP -MF .deps/utils.Tpo -c -o utils.o utils.c
mv -f .deps/utils.Tpo .deps/utils.Po
/bin/sh ./libtool --tag=CC   --mode=link gcc  -g -O2 -pthread    -L. -L/usr/local/lib -L/lib -o tac_plus acct.o authen.o author.o choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsessint.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o tac_plus.o utils.o  -lwrap -ltacacs -lpam  -lnsl -lcrypt
libtool: link: gcc -g -O2 -pthread -o .libs/tac_plus acct.o authen.o author.o choose_authen.o config.o default_fn.o default_v0_fn.o do_acct.o do_author.o dump.o enable.o encrypt.o expire.o hash.o maxsessint.o parse.o programs.o pw.o pwlib.o report.o sendauth.o sendpass.o tac_plus.o utils.o  -L. -L/usr/local/lib -L/lib -lwrap /home/carmom/buildTemp/tacacs+-F4.0.4.25/.libs/libtacacs.so -lpam -lnsl -lcrypt -pthread -Wl,-rpath -Wl,/usr/local/lib
rm -f tac_convert tac_convert.tmp; \
        sed -e 's,@bindir\@,/usr/local/bin,g' -e 's,@prefix\@,/usr/local,g' -e 's,@libexecdir\@,/usr/local/libexec,g' -e 's,@localstatedir\@,/var/local/tacacs,g' -e 's,@libdir\@,/usr/local/lib,g' -e 's,@pkglibdir\@,/usr/local/lib/tacacs+,g' -e 's,@sysconfdir\@,/etc,g' -e 's,@PERLV_PATH\@,/usr/bin/perl,g' -e 's,@TACPLUS_PIDFILE\@,/var/run/tacacs.pid,g' -e 's,@TACPLUS_LOGFILE\@,/var/log/tacacs/tacacs,g' ./tac_convert.in >tac_convert.tmp; \
        mv tac_convert.tmp tac_convert; \
        chmod 755 tac_convert
rm -f users_guide users_guide.tmp; \
        sed -e 's,@bindir\@,/usr/local/bin,g' -e 's,@prefix\@,/usr/local,g' -e 's,@libexecdir\@,/usr/local/libexec,g' -e 's,@localstatedir\@,/var/local/tacacs,g' -e 's,@libdir\@,/usr/local/lib,g' -e 's,@pkglibdir\@,/usr/local/lib/tacacs+,g' -e 's,@sysconfdir\@,/etc,g' -e 's,@PERLV_PATH\@,/usr/bin/perl,g' -e 's,@TACPLUS_PIDFILE\@,/var/run/tacacs.pid,g' -e 's,@TACPLUS_LOGFILE\@,/var/log/tacacs/tacacs,g' ./users_guide.in >users_guide.tmp; \
        mv users_guide.tmp users_guide
gmake[1]: Entering directory `/home/carmom/buildTemp/tacacs+-F4.0.4.25'
test -z "/usr/local/lib" || /bin/mkdir -p "/usr/local/lib"
 /bin/sh ./libtool   --mode=install /usr/bin/install -c   libtacacs.la '/usr/local/lib'
libtool: install: /usr/bin/install -c .libs/libtacacs.so.1.0.0 /usr/local/lib/libtacacs.so.1.0.0
libtool: install: (cd /usr/local/lib && { ln -s -f libtacacs.so.1.0.0 libtacacs.so.1 || { rm -f libtacacs.so.1 && ln -s libtacacs.so.1.0.0 libtacacs.so.1; }; })
libtool: install: (cd /usr/local/lib && { ln -s -f libtacacs.so.1.0.0 libtacacs.so || { rm -f libtacacs.so && ln -s libtacacs.so.1.0.0 libtacacs.so; }; })
libtool: install: /usr/bin/install -c .libs/libtacacs.lai /usr/local/lib/libtacacs.la
libtool: install: /usr/bin/install -c .libs/libtacacs.a /usr/local/lib/libtacacs.a
libtool: install: chmod 644 /usr/local/lib/libtacacs.a
libtool: install: ranlib /usr/local/lib/libtacacs.a
libtool: finish: PATH="/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin:/sbin" ldconfig -n /usr/local/lib
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/local/lib

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
test -z "/usr/local/bin" || /bin/mkdir -p "/usr/local/bin"
  /bin/sh ./libtool   --mode=install /usr/bin/install -c tac_pwd tac_plus '/usr/local/bin'
libtool: install: /usr/bin/install -c tac_pwd /usr/local/bin/tac_pwd
libtool: install: /usr/bin/install -c .libs/tac_plus /usr/local/bin/tac_plus
test -z "/usr/local/include" || /bin/mkdir -p "/usr/local/include"
 /usr/bin/install -c -m 644 tacacs.h '/usr/local/include'
test -z "/usr/local/share/man/man5" || /bin/mkdir -p "/usr/local/share/man/man5"
 /usr/bin/install -c -m 644 tac_plus.conf.5 '/usr/local/share/man/man5'
test -z "/usr/local/share/man/man8" || /bin/mkdir -p "/usr/local/share/man/man8"
 /usr/bin/install -c -m 644 tac_plus.8 tac_pwd.8 '/usr/local/share/man/man8'
test -z "/usr/local/share/tacacs+" || /bin/mkdir -p "/usr/local/share/tacacs+"
 /usr/bin/install -c -m 644 do_auth.py users_guide '/usr/local/share/tacacs+'
test -z "/usr/local/share/tacacs+" || /bin/mkdir -p "/usr/local/share/tacacs+"
 /usr/bin/install -c tac_convert '/usr/local/share/tacacs+'
gmake[1]: Leaving directory `/home/carmom/buildTemp/tacacs+-F4.0.4.25'

In order to allow log files to be written out, you'll have to add a new directory

mkdir /var/log/tac

do_auth.py

in the source code directory

sudo cp do_auth.py /usr/local/bin/

(this will match up with the configuration file for handing off authorization to the do_auth.py module, if you change where do_auth.py is, change the config file to match)

Configuration

/etc/tac_plus.conf

# /etc/tac_plus.conf
# set the key
key = cle_tacacs

prompt = "Authenticating against AAA server

Username: "

accounting file = /var/log/tac/tac_plus.acct

group = networkEngineers {
        default service = permit
        service = exec {
                priv-lvl = 15
        }
}
group = rancidUser {
        default service = permit
        service = exec {
                priv-lvl = 15
                shell:roles="\"network-admin\""
        }
        after authorization "/usr/bin/python /usr/local/bin/do_auth.py -i $address -u $user -d $name -l /var/log/do_auth.log -f /etc/do_auth.ini"
}

user = rancid {
        login = cleartext "<redacted>"
        member = rancidUser
}

user = carmom {
        login = PAM
        member = networkEngineers
}

user = bryana {
        login = PAM
        member = networkEngineers
}

/etc/do_auth.ini

[users]
rancid =
    rancidCommands

[rancids]
host_allow =
    10.20.55.136
    10.20.55.230
device_permit =
    .*
command_permit =
    .*
av_pairs =
    priv-lvl=15

[rancidCommands]
host_allow =
    10.20.55.136
    10.20.55.230
device_permit =
    .*
command_permit =
     show.*
     dir.*
     more.*
     write t.*
av_pairs =
    priv-lvl=15
    shell:roles="network-admin"

/etc/pam.d/tac_plus

tac_plus
auth        required      pam_env.so debug
auth        sufficient    pam_krb5.so nullok debug

account     required      pam_krb5.so debug

password    sufficient    pam_ldap.so use_authtok debug
password    sufficient    pam_krb5.so nullok debug

session     optional      pam_ldap.so debug

/etc/init.d/tac_plus

tac_plus
#!/bin/sh
#
# tac_plus        This shell script takes care of starting and stopping
#                                tac_plus (TACACS+ daemon).
#
# chkconfig: 35 80 20
# description: tac_plus is TACACS+ daemon.
# processname: tac_plus
# config: /etc/tacacs/tac_plus.cfg
# pidfile: /var/run/tac_plus.pid
# debug : 0

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.

#To correct GLIB errors
MALLOC_CHECK_=0
export MALLOC_CHECK_

# Some config parameters
#For config file
tacacs_config="/etc/tac_plus.conf"
#For debug option
debug=0
prog=tac_plus
progAndPath=/usr/local/bin/$prog
lockfile=/var/lock/subsys/$prog

start() {
        [ ${NETWORKING} = "no" ] && exit 1
        if [ ! -x $progAndPath ]; then
                echo $"$prog not available as an executable"
                exit 5
        fi
        if [ ! -f $tacacs_config ]; then
                echo $"Configuration file $tacacs_config not available"
                exit 6
        fi
        if [ -f $lockfile ]; then
                echo $"$prog is already running :"
                exit 2;
        fi

        if [ $debug -gt 0 ]
        then
                echo -n $"Starting $prog with debug level $debug : "
                daemon $progAndPath -d $debug -C $tacacs_config
                RETVAL=$?
                echo
        else
                echo -n $"Starting $prog :"
                daemon $progAndPath -C $tacacs_config
                RETVAL=$?
                echo
        fi
        [ $RETVAL -eq 0 ] && touch $lockfile
        return $RETVAL
}

stop(){
        echo -n $"Shutting down $prog: "
        killproc $prog
        RETVAL=$?
                echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
        return $RETVAL
}


# See how we were called.
case "$1" in
  start)
        start
                ;;
  stop)
                stop
        ;;
  status)
        status tac_plus
        ;;
  restart)
        stop
        start
        ;;

  reload)
        echo "$prog now reloading......"
        kill -HUP `cat /var/run/tac_plus.pid`
        exit $?
        ;;
  test)
        echo "TACACS+ config being testing..."
        /usr/sbin/tac_plus -P -C $tacacs_config
        ;;
  *)
        echo "Usage: tac_plus {start|stop|status|restart|reload|test}"
        exit 1
esac

exit 0

In order to make tac_plus automatically start, after this file has been created,

chkconfig --add tac_plus
chkconfig --level 25 tac_plus on

/etc/sysconfig/iptables

add

  -A RH-Firewall-1-INPUT -p tcp --dport 49 -j ACCEPT

before

  -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

and restart iptables

Setting Up Rancid

install rancid as root. We'll sudo to root and create a build directory, which we'll delete after install.

sudo su -
mkdir tmpBuild
cd tmpBuild

Download and Extract

wget ftp://ftp.shrubbery.net/pub/rancid/rancid-2.3.8.tar.gz
tar -xvzf rancid-2.3.8.tar.gz
cd rancid-2.3.8

Add dependencies

yum install expect svn

Install Rancid with chosen directory scheme

./configure \
	--prefix=/usr/local/rancid \
 	--localstatedir=/var/local/rancid \
	--sysconfdir=/etc/rancid \
	--bindir=/usr/local/bin \
	--sbindir=/usr/local/sbin
make install

Add a System account for rancid

groupadd netadmin
adduser -g netadmin -c "Network Configurations" -d /usr/local/rancid rancid

Give Rancid ownership of appropriate directories

cd /etc/rancid
chown rancid:netadmin *
cd /var/local
chown rancid:netadmin rancid/
cd /var/log
mkdir /var/log/rancid
chown rancid:netadmin rancid

edit /etc/rancid/rancid.conf

vim /etc/rancid/rancid.conf
rancid.conf
# rancid 2.3.8
# This file sets up the environment used for rancid.  see rancid.conf(5)
#
# This will be site specific
#
# This is a cleaned up configuration, with unused options removed,
# if you need to add unused options, check the rancid.default.conf file
TERM=network;export TERM
#
# Collating locale
LC_COLLATE="POSIX"; export LC_COLLATE
#
# Create files w/o world read/write/exec permissions, but read/exec permissions
# for group.
umask 027
#
# Use a full path (no sym-links) for BASEDIR.
#
TMPDIR=/tmp; export TMPDIR
# Be careful changing this, it affects CVSROOT below.  It should be a FQPN, not
# relative.
BASEDIR=/var/local/rancid; export BASEDIR
PATH=/usr/local/bin:/usr/bin:/usr/sbin:/bin:.:/usr/local/bin:/usr/bin; export PATH
# Location of the CVS/SVN repository.  Be careful changing this.
CVSROOT=$BASEDIR/CVS; export CVSROOT
# Location of log files produced by rancid-run(1).
LOGDIR=/var/log/rancid; export LOGDIR
#
# Select which RCS system to use, "cvs" (default) or "svn".  Do not change
# this after CVSROOT has been created with rancid-cvs.  Changing between these
# requires manual conversions.
RCSSYS=svn export RCSSYS
# FILTER_PWDS determines which passwords are filtered from configs by the
# value set (NO | YES | ALL).  see rancid.conf(5).
FILTER_PWDS=YES; export FILTER_PWDS
#
# if NOCOMMSTR is set, snmp community strings will be stripped from the configs
NOCOMMSTR=YES; export NOCOMMSTR
#
# list of rancid groups
LIST_OF_GROUPS="wan_routers core_switches 2960_access_switches 3750_access_switches nexus_switches firewalls"

Create SVN and config Directories

make sure that you have set RCSSYS to svn and have only groups you intend to keep in the LIST_OF_GROUPS in rancid.conf

sudo su - rancid
rancid-cvs

update the router.db files

cd /usr/local/rancid
vim <group directory>/router.db
2960_access_switches/router.db
mel-sw-2960-01:cisco:up
per-sw-2960-01:cisco:up
bne-sw-2960-01:cisco:up
bne-sw-dist-2960-02:cisco:up
hba-sw-2960-01:cisco:up
3750_access_switches/router.db
syd-sw-dist-lvl4-3750-02:cisco:up
core_switches/router.db
syd-sw-core-lvl1-3750-01:cisco:up
nexus_switches/router.db
cbr-sym-sw-stor-nx5000-01:cisco-nx:up
adl-sw-stor-nx5548-01:cisco-nx:up
wan_routers/router.db
mel-rtr-2921-01:cisco:up
syd-rtr-2921-01:cisco:up
syd-rtr-2921-02:cisco:up
per-rtr-2921-01:cisco:up
bne-rtr-2921-01:cisco:up
hba-rtr-2921-01:cisco:up

Edit .cloginrc

touch /etc/rancid/cloginrc
chown rancid:netadmin /etc/rancid/cloginrc
chmod 600 /etc/rancid/cloginrc
ln -s /etc/rancid/cloginrc /usr/local/rancid/.cloginrc
vim /usr/local/rancid/.cloginrc
.cloginrc
# basic configuration for ITSA cloginrc
# the password should line up with the password configured for rancid under tac_plus 
# if you need a more complex cloginrc to meet a special requirement, extra options are documented in 
# cloginrc(5) -- man cloginrc
add password * pdXxQhSJ1a49TBURid8bKQdN3MS2
add user * rancid
add method * ssh

Test Run

sudo su - rancid
rancid-run

ls -lah /var/local/rancid/2960_access_switches
ls -lah /var/local/rancid/3750_access_switches
ls -lah /var/local/rancid/core_switches
ls -lah /var/local/rancid/nexus_switches
ls -lah /var/local/rancid/wan_routers

Schedule checks on monitored devices

sudo su - rancid
crontab -e
crontab
#
# Rancid user's crontab file
#

# Run config differ hourly
1 * * * * /usr/local/bin/rancid-run

# Clean out config differ logs
50 23 *  * * /bin/find /var/log/rancid -type f -mtime +2 -exec rm {} \;

Webserver

The apache server is used to provide dokuwiki and websvn services. Access to the wiki and websvn is limited using kerberos SSO.

Installation/Generic Configuration

install apache and pre-requisits for msktutil

yum install httpd httpd-devel apr-devel apr-util-devel mod_auth_kerb gcc-c++ krb5-devel autoconf

build msktutil

cd ~/tmpBuild/
wget https://msktutil.googlecode.com/files/msktutil-0.4.1.tar.bz2
tar -xvjf msktutil-0.4.1.tar.bz2
cd msktutil-0.4.1
export CPPFLAGS="-I/usr/include/et/"
./configure
make

Create a keytab and computer account

kinit <admin user>
./msktutil -c -b OU=Servers -s HTTP/doon.itsa-int.itsa.gov.au -h doon.itsa-int.itsa.gov.au -k /etc/httpd/conf/doon.HTTP.keytab --computer-name doon --upn HTTP/doon.itsa-int.itsa.gov.au --server cbrdc01 --verbose --enctypes 28
chown apache:apache /etc/httpd/conf/doon.HTTP.keytab

Setup a Cron Job to make sure that the keytab keeps an up to date password

cp msktutil /sbin/
crontab -e
root-crontab
48 0 * * * echo "******************************************************************" >>  /var/log/msktutil
49 0 * * * date >> /var/log/msktutil
50 0 * * * msktutil --auto-update  -s HTTP/doon.itsa-int.itsa.gov.au -h doon.itsa-int.itsa.gov.au -k /etc/httpd/conf/doon.HTTP.keytab --computer-name doon --upn HTTP/doon.itsa-int.itsa.gov.au --server cbrdc01 --verbose >> /var/log/msktutil

Build ModAuthKerb for username mangling in kerberos/ldap authorization

cd ~/tmpBuild/
links http://modauthkerb.cvs.sourceforge.net/viewvc/modauthkerb/mod_map_user/

browse to “download GNU tarball” hit enter accept the default save location press 'q' to quit

tar  -xvzf modauthkerb-mod_map_user.tar.gz
cd mod_map_user/
autoconf
./configure
make install

/etc/httpd/conf/httpd.conf

vim /etc/httpd/conf/http.conf
httpd.conf
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# 
# This Has been modified by Michael Carmody and Trimmed down for 
# readability.
#

### Section 1: Global Environment
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests it can handle or where it
# can find its configuration files.

# Don't give away too much information about all the subcomponents
# we are running.  Comment out this line if you don't mind remote sites
# finding out what major optional modules you are running
ServerTokens OS

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
ServerRoot "/etc/httpd"

#
# PidFile: The file in which the server should record its process
# identification number when it starts.
#
PidFile run/httpd.pid

#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 120

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive Off

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog logs/error_log

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel notice


##
## Server-Pool Size Regulation (MPM specific)
##

# prefork MPM
# StartServers: number of server processes to start
# MinSpareServers: minimum number of server processes which are kept spare
# MaxSpareServers: maximum number of server processes which are kept spare
# ServerLimit: maximum value for MaxClients for the lifetime of the server
# MaxClients: maximum number of server processes allowed to start
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

# worker MPM
# StartServers: initial number of server processes to start
# MaxClients: maximum number of simultaneous client connections
# MinSpareThreads: minimum number of worker threads which are kept spare
# MaxSpareThreads: maximum number of worker threads which are kept spare
# ThreadsPerChild: constant number of worker threads in each server process
# MaxRequestsPerChild: maximum number of requests a server process serves
<IfModule worker.c>
StartServers         4
MaxClients         300
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule expires_module modules/mod_expires.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule info_module modules/mod_info.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule cache_module modules/mod_cache.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule version_module modules/mod_version.so
LoadModule map_user_module modules/mod_map_user.so
LoadModule auth_kerb_module modules/mod_auth_kerb.so


# Load config files from the config directory "/etc/httpd/conf.d".
#
Include conf.d/*.conf

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#
User apache
Group apache

### Section 2: 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
NameVirtualHost *:80
<VirtualHost *:80>
ServerName doon
Redirect permanent / http://doon.itsa-int.itsa.gov.au/
</VirtualHost>
<VirtualHost *:80>
ServerAdmin apache@localhost

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
ServerName ale.itsa-int.itsa.gov.au:80

#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName On

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/var/www/html"
</VirtualHost>
#
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
#
# First, we configure the "default" to be a very restrictive set of
# features.
#
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# This should be changed to whatever you set DocumentRoot to.
#
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    Options Indexes FollowSymLinks

#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
#   Options FileInfo AuthConfig Limit
#
    AllowOverride None

#
# Controls who can get stuff from this server.
#
    Order allow,deny
    Allow from all
    AuthType Kerberos
    KrbAuthRealms ITSA-INT.ITSA.GOV.AU
    KrbServiceName HTTP
    Krb5Keytab /etc/httpd/conf/doon.HTTP.keytab
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    require valid-user
    require group "@InfrastructureAdmins"
</Directory>

#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# See also: http://httpd.apache.org/docs/misc/FAQ.html#forbidden
#
<IfModule mod_userdir.c>
    #
    # UserDir is disabled by default since it can confirm the presence
    # of a username on the system (depending on home directory
    # permissions).
    #
    UserDir disable
</IfModule>

# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
DirectoryIndex index.html index.html.var

# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# TypesConfig describes where the mime.types file (or equivalent) is
# to be found.
#
TypesConfig /etc/mime.types

#
# DefaultType is the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value.  If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
#
DefaultType text/plain

# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
<IfModule mod_mime_magic.c>
    MIMEMagicFile conf/magic
</IfModule>

#
# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# The following directives define some format nicknames for use with
# a CustomLog directive (see below).
#
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

# For a single logfile with access, agent, and referer information
# (Combined Logfile Format), use the following directive:
#
CustomLog logs/access_log combined

#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature On

#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL.  So "/icons" isn't aliased in this
# example, only "/icons/".  If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings.  If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/var/www/icons/"

<Directory "/var/www/icons">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

#
# WebDAV module configuration section.
#
<IfModule mod_dav_fs.c>
    # Location of the WebDAV lock database.
    DAVLockDB /var/lib/dav/lockdb
</IfModule>

#
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

#
# Redirect allows you to tell clients about documents which used to exist in
# your server's namespace, but do not anymore. This allows you to tell the
# clients where to look for the relocated document.
# Example:
# Redirect permanent /foo http://www.example.com/bar

#
# Directives controlling the display of server-generated directory listings.
#

#
# IndexOptions: Controls the appearance of server-generated directory
# listings.
#
IndexOptions FancyIndexing VersionSort NameWidth=* HTMLTable

#
# AddIcon* directives tell the server which icon to show for different
# files or filename extensions.  These are only displayed for
# FancyIndexed directories.
#
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

#
# DefaultIcon is which icon to show for files which do not have an icon
# explicitly set.
#
DefaultIcon /icons/unknown.gif

# ReadmeName is the name of the README file the server will look for by
# default, and append to directory listings.
#
# HeaderName is the name of a file which should be prepended to
# directory indexes.
ReadmeName README.html
HeaderName HEADER.html

# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing.  Shell-style wildcarding is permitted.
#
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

# DefaultLanguage and AddLanguage allows you to specify the language of
# a document. You can then use content negotiation to give a browser a
# file in a language the user can understand.
#
# Specify a default language. This means that all data
# going out without a specific language tag (see below) will
# be marked with this one. You probably do NOT want to set
# this unless you are sure it is correct for all cases.
#
# * It is generally better to not mark a page as
# * being a certain language than marking it with the wrong
# * language!
#
# DefaultLanguage nl
#
# Note 1: The suffix does not have to be the same as the language
# keyword --- those with documents in Polish (whose net-standard
# language code is pl) may wish to use "AddLanguage pl .po" to
# avoid the ambiguity with the common suffix for perl scripts.
#
# Note 2: The example entries below illustrate that in some cases
# the two character 'Language' abbreviation is not identical to
# the two character 'Country' code for its country,
# E.g. 'Danmark/dk' versus 'Danish/da'.
#
# Note 3: In the case of 'ltz' we violate the RFC by using a three char
# specifier. There is 'work in progress' to fix this and get
# the reference data for rfc1766 cleaned up.
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback

#
# Specify a default charset for all content served; this enables
# interpretation of all content as UTF-8 by default.  To use the
# default browser choice (ISO-8859-1), or to allow the META tags
# in HTML content to override this choice, comment out this
# directive:
#
AddDefaultCharset UTF-8

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz

#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz

# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
#  to be distributed in multiple languages.)
#
AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

#
# Putting this all together, we can internationalize error responses.
#
 # We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections.  We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /var/www/error/include/ files and
# copying them to /your/include/path/, even on a per-VirtualHost basis.
#

Alias /error/ "/var/www/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/var/www/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en es de fr
        ForceLanguagePriority Prefer Fallback
    </Directory>

</IfModule>
</IfModule>

#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash.  This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs/1.0" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully

start up apache to test if the configuration has any issues with the current version.

service httpd start

/etc/sysconfig/iptables

add

  1. A RH-Firewall-1-INPUT -p tcp –dport 80 -j ACCEPT
  2. A RH-Firewall-1-INPUT -p tcp –dport 443 -j ACCEPT

before

  1. A RH-Firewall-1-INPUT -j REJECT –reject-with icmp-host-prohibited

and restart iptables

/etc/init.d/iptables restart

DokuWiki Install

Copy from old server

On the old server

sudo su - 
cd /var/www/html
tar -cvzf /home/<user>/oldWiki.tgz *

Copy the file to the new server

sudo su -
cd /var/www/html
tar -xvzf /home/<user>/oldWiki.tgz 
chown -R apache:apache

Installing from new

As we already had a dokuwiki running, and wanted to keep the information on it, it was copied across.

If you need to install from scratch, for whatever reason, install dokuwiki as per the http://www.dokuwiki.org/Install

Once installed and setup, you'll need to set up http://www.dokuwiki.org/auth:ad

the local.protected.php file we've been using is as follows

local.protected.php
<?php
  // general DokuWiki options
  $conf['useacl']				= 1;
  $conf['disableactions']			= 'register';
  $conf['authtype']				= 'ad';
  $conf['auth']['ad']['debug']			= 1;
  // configure your Active Directory data here
  $conf['auth']['ad']['account_suffix']		= '@itsa.gov.au';
  $conf['auth']['ad']['base_dn']		= 'DC=itsa-int,DC=itsa,DC=gov,DC=au';
  $conf['auth']['ad']['domain_controllers']	= 'cbrdc01.itsa-int.itsa.gov.au';
  $conf['auth']['ad']['sso']			= 1;
  $conf['auth']['ad']['ad_username']		= 'svc-doon';
  $conf['auth']['ad']['ad_password']		= '<REDACTED>';
  $conf['manager']				= '@InfrastructureAdmins';
  $conf['superuser']				= '@InfrastructureAdmins';
?>

WebSVN install

svn list http://websvn.tigris.org/svn/websvn/tags
svn export http://websvn.tigris.org/svn/websvn/tags/<latestRelease> /var/www/websvn/
vim /etc/httpd/conf.d/websvn.conf
websvn.conf
<Directory "/var/www/html/websvn">
        # Kerberos Auth
        AuthName "AD Login"
        AuthType Kerberos
        KrbAuthRealms ITSA-INT.ITSA.GOV.AU
        KrbServiceName HTTP
        Krb5Keytab /etc/httpd/conf/ale.HTTP.keytab
        KrbMethodNegotiate on
        KrbMethodK5Passwd on
        KrbDelegateBasic on
        KrbSaveCredentials on
        KrbAuthoritative on

        MapUsernameRule (.*)@(.*) "$1"

        AuthzLDAPAuthoritative off
        AuthLDAPUrl "ldap://cbrdc01.itsa-int.itsa.gov.au:389/DC=itsa-int,DC=itsa,DC=gov,DC=au?sAMAccountName"
        AuthLDAPBindDN "CN=svc-doon,OU=Service Accounts,DC=itsa-int,DC=itsa,DC=gov,DC=au"
        AuthLDAPBindPassword "<REDACTED>"

        require ldap-group cn=InfrastructureAdmins,ou=CBR,ou=Groups Distribution,DC=itsa-int,DC=itsa,DC=gov,DC=au
</Directory>
vim /etc/openldap/ldap.conf
ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

# "ldaps://cbrdc01.itsa-int.itsa.gov.au:3269/DC=itsa-int,DC=itsa,DC=gov,DC=au?sAMAccountName"
#        AuthLDAPBindDN "CN=svc-doon,OU=Service Accounts,DC=int,DC=dfas,DC=com,DC=au"
BASE DC=int,DC=dfas,DC=com
URI  ldap://dc01.int.dfas.com

#SIZELIMIT 12
#TIMELIMIT 15
#DEREF  never
REFERRALS no

SELinux

The default permissions for selinux will stop apache from using the svn executable or accessing the subversion repository files.

In order to avoid this cramping my style, I used the audit log to tell me what changes needed to be made, and the audit2allow program to convert the changes to a policy first, turn off the enforcing of seLinux policies. Violations of policy will still be tracked in the audit log.

yum install policycoreutils-python
setenforce 0

then, load http://doon.itsa-int.itsa.gov.au/websvn/ in the web browser and browse around a bit.

cd ~
setenforce 1
grep svn /var/log/audit/audit.log | audit2allow -M httpd_svn
semodule -i httpd_svn.pp

finally, browse http://doon.itsa-int.itsa.gov.au/websvn/ some more and make sure that it is fully accessible with the SELinux policies being enforced.

Add Http to automatic startup

chkconfig --level 35 httpd on
nfsen.txt · Last modified: 2015/07/27 01:51 by 127.0.0.1