|
|
@ -8,7 +8,8 @@ uninstallkey = [] |
|
|
|
|
|
|
|
|
|
|
|
variables = { |
|
|
|
variables = { |
|
|
|
'backup_servers': [ '192.168.100.31' ], |
|
|
|
'backup_servers': [ '192.168.100.31' ], |
|
|
|
'backup_rsync_pass': 's3cretp@ssw0rd' |
|
|
|
'backup_rsync_pass': 's3cretp@ssw0rd', |
|
|
|
|
|
|
|
'backup_ssh_keys': [] |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
# Read local variables file if available |
|
|
|
# Read local variables file if available |
|
|
@ -17,7 +18,7 @@ if isfile(makepath(programfiles32,'wapt','private','symetric.txt')) and isfile(m |
|
|
|
f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read()) |
|
|
|
f = Fernet(open(makepath(programfiles32,'wapt','private','symetric.txt'),'r').read()) |
|
|
|
variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read()))) |
|
|
|
variables.update(json.loads(f.decrypt(open(makepath(programfiles32,'wapt','private','variables.txt'),'r').read()))) |
|
|
|
|
|
|
|
|
|
|
|
overrides = ['rsyncd.conf', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe'] |
|
|
|
overrides = ['rsyncd.conf', 'rsync.cmd', 'pre-exec.cmd', 'vsrsync.cmd', 'cygiconv-2.dll', 'cygwin1.dll', 'cygz.dll', 'rsync.exe'] |
|
|
|
|
|
|
|
|
|
|
|
def install(): |
|
|
|
def install(): |
|
|
|
print('Installing BackupPC Agent') |
|
|
|
print('Installing BackupPC Agent') |
|
|
@ -37,11 +38,8 @@ def install(): |
|
|
|
open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass']) |
|
|
|
open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsyncd.secrets'),'w').write('backup:%s' % variables['backup_rsync_pass']) |
|
|
|
|
|
|
|
|
|
|
|
# The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one |
|
|
|
# The default behaviour is to add a firewall rule allowing local network. We'll remove this rule to create a more restrictive one |
|
|
|
print('Adding firewall rules') |
|
|
|
print('Removing uneeded firewall rules') |
|
|
|
run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) |
|
|
|
run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) |
|
|
|
run('netsh advfirewall firewall add rule name="Agent BackupPC" dir=in action=allow program="%s" enable=yes remoteip=%s' % (makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC','rsync.exe'),','.join(variables['backup_servers']))) |
|
|
|
|
|
|
|
# Port 445 is needed for winexe |
|
|
|
|
|
|
|
run('netsh advfirewall firewall add rule name="remote admin" dir=in action=allow protocol=TCP localport=445 enable=yes remoteip=%s' % ','.join(variables['backup_servers'])) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Create the backup account |
|
|
|
# Create the backup account |
|
|
|
print('Create a local account and add it to the admin group') |
|
|
|
print('Create a local account and add it to the admin group') |
|
|
@ -49,25 +47,19 @@ def install(): |
|
|
|
if 'backup_pass' in variables : |
|
|
|
if 'backup_pass' in variables : |
|
|
|
run('net user lbkp %s' % variables['backup_pass']) |
|
|
|
run('net user lbkp %s' % variables['backup_pass']) |
|
|
|
run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2]) |
|
|
|
run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2]) |
|
|
|
|
|
|
|
print('Writing SSH Keys for the backup account') |
|
|
|
# For vista and newer, UAC prevents admin shares, we need to enable it |
|
|
|
mkdirs(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh')) |
|
|
|
print('Enabling remote access to admin shares') |
|
|
|
open(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys'),'w').write("\n".join(variables['backup_ssh_keys'])) |
|
|
|
if windows_version() > Version('6'): |
|
|
|
run(r'icacls.exe "%s" /inheritance:d' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) |
|
|
|
reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE,create_if_missing=True) |
|
|
|
run(r'icacls.exe "%s" /remove:g "*S-1-5-32-545" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) |
|
|
|
reg_setvalue(reg_key, 'LocalAccountTokenFilterPolicy', 1, REG_DWORD) |
|
|
|
run(r'icacls.exe "%s" /remove:g "*S-1-5-11" /t /c /q' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) |
|
|
|
|
|
|
|
run(r'icacls.exe "%s" /grant "NT SERVICE\sshd":(R)' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'Users','lbkp','.ssh','authorized_keys')) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def uninstall(): |
|
|
|
def uninstall(): |
|
|
|
print('Removing BackupPC Agent') |
|
|
|
print('Removing BackupPC Agent') |
|
|
|
print('Removing firewall rules') |
|
|
|
|
|
|
|
run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1]) |
|
|
|
|
|
|
|
run('netsh advfirewall firewall del rule name="remote admin"', accept_returncodes=[0,1]) |
|
|
|
|
|
|
|
print('Removing lbkp from Admin group') |
|
|
|
print('Removing lbkp from Admin group') |
|
|
|
run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2]) |
|
|
|
run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2]) |
|
|
|
print('Disabling remote access to admin shares') |
|
|
|
|
|
|
|
if windows_version() > Version('6'): |
|
|
|
|
|
|
|
reg_key = reg_openkey_noredir(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',sam=KEY_WRITE) |
|
|
|
|
|
|
|
reg_delvalue(reg_key, 'LocalAccountTokenFilterPolicy') |
|
|
|
|
|
|
|
print('Removing files') |
|
|
|
print('Removing files') |
|
|
|
for file in overrides: |
|
|
|
for file in overrides: |
|
|
|
path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file) |
|
|
|
path = makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file) |
|
|
@ -75,13 +67,6 @@ def uninstall(): |
|
|
|
os.unlink(path) |
|
|
|
os.unlink(path) |
|
|
|
|
|
|
|
|
|
|
|
def audit(): |
|
|
|
def audit(): |
|
|
|
filter_policy = registry_readstring(HKEY_LOCAL_MACHINE,r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system','LocalAccountTokenFilterPolicy') |
|
|
|
|
|
|
|
if not filter_policy : |
|
|
|
|
|
|
|
print(r"key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy doesn't exist") |
|
|
|
|
|
|
|
return "ERROR" |
|
|
|
|
|
|
|
elif int(filter_policy) != 1 : |
|
|
|
|
|
|
|
print("Wrong value for LocalAccountTokenFilterPolicy") |
|
|
|
|
|
|
|
return "ERROR" |
|
|
|
|
|
|
|
for file in overrides + ['rsyncd.secrets','part.cmd' ]: |
|
|
|
for file in overrides + ['rsyncd.secrets','part.cmd' ]: |
|
|
|
if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)): |
|
|
|
if not isfile(makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)): |
|
|
|
print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)) |
|
|
|
print('%s is missing' % makepath(os.getenv('SYSTEMDRIVE','C:\\'),'BackupPC',file)) |
|
|
|