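# Kickstart for the CactiEZ CentOS appliance.
#
# Layout:
#   1. Installer directives (install source, firewall, SELinux, bootloader).
#   2. %packages - the package set pulled from the install media.
#   3. %post --nochroot - unpack the bundled cactiez.tar.gz over the new root.
#   4. %post (chrooted) - create the MySQL databases, wire rsyslog, Cacti,
#      spine and PHP to them, fix permissions, install crontabs and apply
#      basic host hardening.
#
# The %post scripts deliberately run without `set -e`: several steps are
# expected to fail harmlessly (userdel/groupdel of accounts that may not
# exist, chmod of optional files) and an abort would leave a half-configured
# system behind.

# Install CentOS instead of Upgrade
install
text
#Install from CD-ROM
cdrom
# Use English Language
#lang en_US.UTF-8
#keyboard us
#timezone America/North_Dakota/Center
# Skip the X Configuration
skipx
# Setup for DHCP
#network --device eth0 --bootproto dhcp --noipv6
# NOTE(review): rootpw is commented out, so the root password comes from
# elsewhere (interactive prompt or the /etc copied from the tarball) - confirm.
#rootpw --iscrypted $6$uquHxpwPY/JUV27k$Jv9mPWwF4MapyGSD9upgtOWBODGqP.ou5Xs6s5ZXN.3.ebXv9Mhs9b6VIJ2mz.sifEOPLZHvzKLJqRk5orsW./
# Setup the firewall with SSH, HTTP/S, Syslog, Webmin, and Netflow enabled
# (69/udp is TFTP; tftp-server is commented out in %packages below, so the
# port is open for nothing unless the tarball ships a TFTP daemon).
firewall --enabled --port=22:tcp --port=69:udp --port=80:tcp --port=443:tcp --port=514:udp --port=10000:tcp --port=2055:udp
# Disable SELinux
selinux --disabled
# System authorization information
authconfig --enableshadow --passalgo=sha512
# Clear the Bootloader and load it to the Master Boot Record
# NOTE(review): --md5pass is a fixed hash baked into this file, so every
# system built from it shares the same GRUB password.
bootloader --location=mbr --driveorder=sda --md5pass=$1$2advwFQ7$NJuwSmEC8IicFJ3Xw6iIz0 --append="crashkernel=auto rhgb quiet"
zerombr yes

# The following is the partition information you requested
# Note that any partitions you deleted are not expressed
# here so unless you clear all partitions first, this is
# not guaranteed to work
#clearpart --all --initlabel
#part /boot --fstype ext3 --size=100 --grow --maxsize=1024
#part /home --fstype ext3 --size=1024 --grow --maxsize=5120
#part / --fstype ext3 --size=2048 --grow --maxsize=8192
#part /var --fstype ext3 --size=2048 --grow
#part swap --size=256 --grow --maxsize=768

%packages --excludedocs
kernel
grub
e2fsprogs
lvm2
httpd
mod_ssl
mysql-*
php
php-*
ntp
rrdtool
patch
gettext
webmin
flow-tools
mailx
#tftp-server
telnet
sudo
iptables
cactiez
cactiez-spine
cactiez-plugin-*
rsyslog-mysql
nagios
nagios-*
net-snmp-utils
dmidecode
lm_sensors-libs

#
# ------- Begin Cacti Install ---------
#
# Runs outside the chroot: the new root is mounted at /mnt/sysimage and the
# install media at /mnt/source.
%post --nochroot --log=/mnt/sysimage/root/ks-post1.log
# Copy our tar file and extract it. The archive is trusted as-is: nothing
# here checks a digest or signature before its contents are copied over
# /boot, /etc and /var of the new system. Stop early if the copy, cd or
# extraction fails so we do not go on to overlay garbage.
cp /mnt/source/cactiez.tar.gz /mnt/sysimage/tmp/cactiez.tar.gz > /dev/null || exit 1
cd /mnt/sysimage/tmp/ || exit 1
tar -zxvf cactiez.tar.gz > /dev/null || exit 1
cp -R /mnt/sysimage/tmp/boot/* /mnt/sysimage/boot/ > /dev/null 2>/dev/null
cp -R /mnt/sysimage/tmp/etc/* /mnt/sysimage/etc/ > /dev/null 2>/dev/null
cp -R /mnt/sysimage/tmp/var/* /mnt/sysimage/var/ > /dev/null 2>/dev/null
# NOTE(review): with --nochroot this removes /tftpboot from the installer
# environment, not from the installed system; /mnt/sysimage/tftpboot may
# have been intended - confirm.
rm -fr /tftpboot
# Clean up the mess we made
rm -fr /mnt/sysimage/tmp/* > /dev/null 2>/dev/null
%end

# Runs inside the chroot of the freshly installed system.
%post --log=/root/ks-post2.log
# Creates the library links we need (mainly mysql), this normally isn't
# necessary except we are going to start MySQL now
ldconfig
# Start a few services so we can setup some graphs
mount -a
#service network start > /dev/null 2>/dev/null
#service snmpd start > /dev/null 2>/dev/null

# Generate random MySQL passwords for root and for the cacti user.
# Hex output is used rather than base64: base64 may contain '/' and '+',
# and '/' is the delimiter of every `sed s/.../.../` below that injects the
# password into a config file, so a base64 password broke those
# substitutions on a noticeable fraction of installs. 12 random bytes give
# a 24-character password (the old 6 bytes gave only 48 bits of entropy).
mysqlroot=$(/usr/bin/openssl rand -hex 12)
mysqlcacti=$(/usr/bin/openssl rand -hex 12)
# Record the passwords for the administrator; create the file readable by
# root only (the umask change is confined to the subshell).
(
  umask 077
  {
    printf 'root : %s\n' "$mysqlroot"
    printf 'cactiuser : %s\n' "$mysqlcacti"
  } > /root/mysqlpass.txt
)

# Setup the MYSQL Databases and Import the tables
service mysqld start
/usr/bin/mysqladmin --user=root create cacti
/usr/bin/mysqladmin --user=root create syslog
mysql -e "GRANT ALL ON cacti.* TO cactiuser@localhost IDENTIFIED BY '$mysqlcacti'"
mysql -e "GRANT ALL ON syslog.* TO cactiuser@localhost IDENTIFIED BY '$mysqlcacti'"
mysql cacti < /var/www/html/cacti.sql
#mysql cacti < /var/www/html/piadoc/pa.sql
mysql cacti < /var/www/html/cacti-changes.sql
mysql syslog < /var/www/html/plugins/syslog/syslog-partitions.sql
mysql cacti < /var/www/html/plugins/syslog/syslog-plugin-setup.sql

# Set RSyslog to log to MySQL. Legacy rsyslog directive syntax; the heredoc
# delimiter is unquoted on purpose so $mysqlcacti expands while the
# rsyslog '$' directives are kept literal via '\$'.
cat >> /etc/rsyslog.conf <<EOF

\$ModLoad ommysql
\$template cacti_syslog,"INSERT INTO syslog_incoming(facility, priority, date, time, host, message) values (%syslogfacility%, %syslogpriority%, '%timereported:::date-mysql%', '%timereported:::date-mysql%', '%HOSTNAME%', '%msg%')", SQL
*.* >127.0.0.1,syslog,cactiuser,$mysqlcacti;cacti_syslog
EOF
# The file now carries a database credential; rsyslogd runs as root here,
# so it does not need to stay world-readable.
chmod 640 /etc/rsyslog.conf
/bin/sed -i 's/#$ModLoad imudp.so/$ModLoad imudp.so/' /etc/rsyslog.conf
/bin/sed -i 's/#$UDPServerRun 514/$UDPServerRun 514/' /etc/rsyslog.conf
/bin/sed -i 's/#$ModLoad imtcp.so/$ModLoad imtcp.so/' /etc/rsyslog.conf
/bin/sed -i 's/#$InputTCPServerRun 514/$InputTCPServerRun 514/' /etc/rsyslog.conf

# Modify the Cacti config files with proper passwords
/bin/sed -i "s/syslogdb_password = 'cactiuser'/syslogdb_password = '$mysqlcacti'/" /var/www/html/plugins/syslog/config.php
/bin/sed -i 's/use_cacti_db = true/use_cacti_db = false/' /var/www/html/plugins/syslog/config.php

# Create the Cacti Config file
mv /var/www/html/include/config.php.dist /var/www/html/include/config.php
/bin/sed -i "s/password = \"cactiuser/password = \"$mysqlcacti/" /var/www/html/include/config.php
/bin/sed -i "s/CactiMadeEZ/$mysqlcacti/" /usr/local/spine/spine.conf

# Fix PHP Issues
# NOTE(review): display_errors = On sends PHP error text (file paths, query
# fragments) to web clients; logging errors to a file is the usual choice
# for a deployed system.
/bin/sed -i 's/display_errors = Off/display_errors = On/' /etc/php.ini
#/bin/sed -i 's/;date.timezone =/date.timezone = "America\/Chicago"/g' /etc/php.ini
# Point PHP's date.timezone at the system zone. /etc/sysconfig/clock is
# shell syntax (ZONE="Region/City"), so source it directly instead of
# copying it to a fixed-name script under /tmp and executing that.
. /etc/sysconfig/clock
if [ -n "${ZONE:-}" ]; then
  /bin/sed -i "s,;date.timezone =,date.timezone = ${ZONE}," /etc/php.ini
fi

# Install the plugins (order preserved from the original list).
for plugin in settings setup maint thold errorimage jqueryskin webmin watermark autom8 flowview; do
  /usr/bin/php /var/www/html/cli/plugins.php --enable --install "$plugin"
done
# secpass is intentionally left out of the list above:
#/usr/bin/php /var/www/html/cli/plugins.php --enable --install secpass
mysql cacti < /var/www/html/plugins/boost/boost_sql_memory.sql
mysql cacti < /var/www/html/plugins/autom8/changes.sql
mysql cacti < /var/www/html/plugins/flowview/flowview.sql
mysql cacti < /var/www/html/plugins/weathermap/weathermap.sql
mv /var/www/html/cacti-changes.sql /var/www/cacti-changes.sql

# Fix the directory permissions
mkdir -p /var/backups/rrds
mkdir -p /var/backups/cacti
mkdir -p /var/routerconfigs
mkdir -p /var/www/html/plugins/boost/cache
mkdir -p /var/netflow/flows/
chown -R root:root /var/backups
chown -R root:root /usr/local/spine/
chown -R apache:apache /var/routerconfigs
chown -R apache:apache /var/www/html/scripts
chown -R apache:apache /var/www/html/resource
chmod -R 755 /var/routerconfigs/
chmod -R 755 /var/backups
chmod -R 755 /usr/local/spine/spine
chmod -R 755 /var/netflow/
chmod -R 755 /var/www/html/plugins/weathermap/configs
chmod -R 755 /var/www/html/plugins/weathermap/output
chmod -R 755 /var/www/html/plugins/boost/cache
chmod 755 /var/www/html/scripts
chmod 755 /var/www/html/resource
chmod 755 /var/www/html/resource/script_queries
chmod 755 /var/www/html/resource/script_server
chmod 755 /var/www/html/resource/snmp_queries
chmod 755 /etc/rc.d/init.d/flow-capture
chmod 755 /etc/rc.d/init.d/cacti_rrdsvc
chmod 755 /var/www/html/plugins/boost/boost_server.php
chmod +x /var/www/backup.sh
#chmod +x /var/www/html/plugins/wmi/wmic

# Remove all resources and scripts, as they will be re-installed by their individual packages
rm -f /var/www/html/resource/script_queries/*.xml
rm -f /var/www/html/resource/script_server/*.xml
rm -f /var/www/html/resource/snmp_queries/*.xml
rm -f /var/www/html/scripts/*

# Install the crontabs. Fed through stdin ("-") so no fixed-name file has
# to be written to /tmp and removed again.
crontab - <<'EOF'
*/1 * * * * php /var/www/html/poller.php > /dev/null 2>&1
0 1 * * * nice -n 15 /var/www/backup.sh
0 2 * * * echo 3 > /proc/sys/vm/drop_caches
EOF

# Disable IPv6 until Cacti at least supports it
cat > /etc/modprobe.d/blacklist-ipv6.conf <<'EOF'
install ipv6 /bin/true
blacklist ipv6
EOF

# Remove the ISO File translation files. The original command had a bare
# "/dev/null" after "\;" (the ">" was missing), which find rejects because
# a path may not follow the expression; redirect properly instead.
find / -name TRANS.TBL -exec rm -f -- {} \; > /dev/null 2>&1

# Remove some unneeded services
for service in lvm2-monitor netconsole netfs rdisc restorecond; do
  chkconfig --del "$service"
done

# Stop services we don't want just yet
for service in ip6tables; do
  chkconfig "$service" off
done

# Start the services we do want
for service in cacti_rrdsvc flow-capture httpd mysqld ntpd snmpd webmin; do
  chkconfig --level 235 "$service" on
done

# Set MySQL to start before the syslog daemon, since we log to MySQL.
# NOTE(review): this assumes the stock S64/K36 priorities of the mysqld
# init script; if they differ the mv calls fail and mysqld keeps its
# default start order.
mv /etc/rc.d/rc3.d/S64mysqld /etc/rc.d/rc3.d/S11mysqld
mv /etc/rc.d/rc0.d/K36mysqld /etc/rc.d/rc0.d/K89mysqld
mv /etc/rc.d/rc1.d/K36mysqld /etc/rc.d/rc1.d/K89mysqld
mv /etc/rc.d/rc6.d/K36mysqld /etc/rc.d/rc6.d/K89mysqld

# Import the CentOS Keys for Yum to work properly
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

# Remove the webmin modules that we can't use
for directory in adsl-client bind8 burner caldera cfengine cluster-copy cluster-cron cluster-passwd cluster-shell cluster-software cluster-useradmin cluster-usermin cluster-webmin dhcpd dovecot exports fetchmail frox heartbeat idmapd ipsec jabber ldap-client ldap-useradmin lpadmin majordomo mon mscstyle3 nis openslp pap postfix postgresql ppp-client pptp-client pptp-server proftpd procmail pserver qmailadmin quota samba sarg sentry shorewall spam squid stunnel usermin vgetty webalizer wuftpd; do
  rm -fr /usr/libexec/webmin/"$directory"
done

# Fix Webmin redirecting out of our iframe
# NOTE(review): ">" replaces the whole of /etc/webmin/config with this one
# setting (the file normally also carries os_type/lang entries); confirm
# that ">>" was not intended.
printf '\nwebprefixnoredir=1\n' > /etc/webmin/config

# --- Begin securing the box a little more
# Secure SSH
/bin/sed -i 's/#MaxAuthTries 6/MaxAuthTries 3/' /etc/ssh/sshd_config
# Left disabled by the author. If it is ever enabled, note the expression
# mixes '#' and '/' as the s/// delimiter and would have to be fixed first.
#/bin/sed -i 's#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
/bin/sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
/bin/sed -i 's/#Banner none/Banner \/etc\/banner/' /etc/ssh/sshd_config

# Disable HTTP Trace / Track Method
cat >> /etc/httpd/conf/httpd.conf <<'EOF'

TraceEnable off
EOF

# Disable Apache weak protocols and ciphers.
# "sed -ir" is NOT "-i -r": GNU sed reads "r" as the backup suffix and
# leaves an ssl.confr copy behind, so plain -i is used (the patterns are
# basic regexes anyway). SSLv3 and RC4 are dropped from the allowed set;
# add "+TLSv1.1 +TLSv1.2" once the installed mod_ssl accepts those keywords.
/bin/sed -i 's/SSLProtocol all -SSLv2/SSLProtocol -ALL +TLSv1/' /etc/httpd/conf.d/ssl.conf
/bin/sed -i 's/SSLCipherSuite ALL:.*/SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM/' /etc/httpd/conf.d/ssl.conf

# Don't alias decode to root
/bin/sed -i 's/decode:/#decode:/' /etc/aliases

# Blank out /etc/at.allow
echo "" > /etc/at.allow

# Create our banner
cat > /etc/banner <<'EOF'

* * * * * * * * * * * W A R N I N G * * * * * * * * * * * * *

THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW.

BY CONTINUING, YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED.
ALL PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING.

EOF

# Fix a few umasks
/bin/sed -i 's/umask 0[0|2]2/umask 077/g' /etc/bashrc
/bin/sed -i 's/umask 0[0|2]2/umask 077/g' /etc/csh.cshrc

# Fix some Login Defaults. login.defs separates key and value with
# whitespace (a tab in the stock CentOS 6 file), so match any run of blanks
# rather than a single literal space, which never matched.
/bin/sed -i 's/^PASS_MAX_DAYS[[:space:]]\+99999/PASS_MAX_DAYS 60/' /etc/login.defs
/bin/sed -i 's/^PASS_MIN_DAYS[[:space:]]\+0/PASS_MIN_DAYS 1/' /etc/login.defs
/bin/sed -i 's/^PASS_MIN_LEN[[:space:]]\+5/PASS_MIN_LEN 8/' /etc/login.defs
echo "FAIL_DELAY 5" >> /etc/login.defs

# Require complex passwords (pam_cracklib). minlen=6 here is what is
# enforced for password changes; PASS_MIN_LEN above is largely advisory.
/bin/sed -i 's/type=/minlen=6 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1/' /etc/pam.d/system-auth-ac

# Decrease the number of outstanding syn requests allowed
cat >> /etc/sysctl.conf <<'EOF'

# Add some security
net.ipv4.tcp_max_syn_backlog = 1280
EOF

# Secure MySQL: listen on loopback only, drop anonymous/remote-root
# accounts and the test database, then set the root password. The root
# password only takes effect at FLUSH PRIVILEGES, which is why the
# unauthenticated mysql calls before it still work.
/bin/sed -i 's/symbolic-links=0/symbolic-links=0\nbind-address=127.0.0.1/' /etc/my.cnf
mysql -e "DELETE FROM mysql.user WHERE User='';"
mysql -e "DELETE FROM mysql.user WHERE User='root' AND Host!='localhost';"
mysql -e "DROP DATABASE test;"
mysql -e "DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';"
mysql -e "UPDATE mysql.user SET Password=PASSWORD('$mysqlroot') WHERE User='root';"
mysql -e "FLUSH PRIVILEGES;"
service mysqld stop

# Remove default user accounts
userdel ftp
userdel shutdown
userdel halt
userdel gopher
userdel games
#userdel rrdcached
groupdel audio
groupdel tape
groupdel dialout
rm -fr /var/rrdtool/rrdcached

# Fix some file permissions
chmod -R 700 /root
# Apply the restrictive modes to files only: "chmod -R 640" / "-R 644"
# also strips the execute bit from directories, which makes the trees
# untraversable for non-root users (e.g. apache writing under /var/log,
# anyone reading man pages).
find /var/log -type f -exec chmod 640 {} +
find /usr/share/man -type f -exec chmod 644 {} +
#chmod -R 755 /var/cache/php-eaccelerator
chmod -R 700 /etc/cron.daily/
chmod 440 /etc/xinetd.conf
chmod 700 /etc/snmp/snmpd.conf
#chmod 640 /etc/syslog.conf
chmod 640 /etc/security/access.conf
chmod 600 /etc/sysctl.conf
chmod 600 /etc/at.allow
chown root:sys /etc/snmp/snmpd.conf

# Expire the root password and require it to be changed every 60 days
#chage -d 0 -M 60 root
%end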