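# -*- coding: utf-8 -*-
"""WAPT package script deploying the BackupPC rsync agent on Windows.

The script installs the agent, overrides some of its files, writes the rsync
credential file, opens the firewall to the backup servers only, creates the
local ``lbkp`` administrator account and enables remote access to admin
shares. ``uninstall`` reverts most of these changes and ``audit`` checks that
the registry value and the expected files are in place.
"""
from setuphelpers import *
from cryptography.fernet import Fernet
import json
import os

uninstallkey = []

# Package defaults, used when no local encrypted variables file is found.
# NOTE(review): anything written here ships in clear text inside the package,
# so 'backup_rsync_pass' should be treated as a placeholder and the real
# secret supplied through the encrypted variables file.
variables = {
    'backup_servers': [
        '192.168.100.31'
    ],
    'backup_rsync_pass': 's3cretp@ssw0rd'
}

# Read local variables file if available.
# NOTE(review): the Fernet key and the encrypted file sit in the same
# directory, so confidentiality relies on the ACLs of wapt\private --
# confirm that directory is restricted to administrators.
_key_path = makepath(programfiles32, 'wapt', 'private', 'symetric.txt')
_vars_path = makepath(programfiles32, 'wapt', 'private', 'variables.txt')
if isfile(_key_path) and isfile(_vars_path):
    print('Reading local encrypted variables file')
    # Context managers close the key and token files right after reading.
    with open(_key_path, 'r') as key_file:
        fernet = Fernet(key_file.read())
    with open(_vars_path, 'r') as token_file:
        variables.update(json.loads(fernet.decrypt(token_file.read())))
else:
    # Make the fallback visible in the deployment log: in that case the
    # defaults above (including the default rsync password) are deployed.
    print('Local encrypted variables file not found, using package defaults')

# Files shipped with the package that replace the ones laid down by the
# BackupPC client installer.
overrides = [
    'rsyncd.conf',
    'pre-exec.cmd',
    'vsrsync.cmd',
    'cygiconv-2.dll',
    'cygwin1.dll',
    'cygz.dll',
    'rsync.exe',
]


def _backuppc_path(*parts):
    """Return a path below <SYSTEMDRIVE>\\BackupPC (C:\\ when the variable is unset)."""
    return makepath(os.getenv('SYSTEMDRIVE', 'C:\\'), 'BackupPC', *parts)


def install():
    """Install and configure the BackupPC agent.

    Runs the silent installer when needed, copies the override files, writes
    the rsync credential file, replaces the default firewall rule with rules
    limited to ``variables['backup_servers']``, creates the ``lbkp`` account
    and sets LocalAccountTokenFilterPolicy to 1.
    """
    print('Installing BackupPC Agent')
    # Keep only the software version, dropping the packaging suffix after '-'.
    version = control['version'].split('-', 1)[0]
    install_exe_if_needed(
        "backuppc-client.exe",
        silentflags='/S',
        key='BackupPC',
        min_version=version,
        killbefore=['rsync.exe'])

    # We override some files
    # cygwin and rsync are needed because version 3.1.1 is very unreliable on
    # Win2012, so we downgrade to 3.0.9
    # our own pre-exec adds an exclusive lock
    # And vsrsync.cmd fixes an issue when PATH contains a & char
    print('Overriding scripts and binaries')
    for name in overrides:
        print('Copying %s' % name)
        filecopyto(name, _backuppc_path())

    # We write credential file
    # NOTE(review): the rsync password is stored in clear text and this
    # script sets no ACL on the file; confirm the BackupPC directory is not
    # readable by unprivileged local users.
    print('Writing credential file')
    with open(_backuppc_path('rsyncd.secrets'), 'w') as secrets_file:
        secrets_file.write('backup:%s' % variables['backup_rsync_pass'])

    # The default behaviour is to add a firewall rule allowing local network.
    # We'll remove this rule to create a more restrictive one
    print('Adding firewall rules')
    allowed_ips = ','.join(variables['backup_servers'])
    run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
    run('netsh advfirewall firewall add rule name="Agent BackupPC" dir=in action=allow program="%s" enable=yes remoteip=%s' % (_backuppc_path('rsync.exe'), allowed_ips))
    # Port 445 is needed for winexe
    run('netsh advfirewall firewall add rule name="remote admin" dir=in action=allow protocol=TCP localport=445 enable=yes remoteip=%s' % allowed_ips)

    # Create the backup account
    # NOTE(review): when 'backup_pass' is absent from the variables, this
    # script never sets a password on lbkp, yet the account is still added to
    # the administrators group below.
    print('Create a local account and add it to the admin group')
    run('net user lbkp /add', accept_returncodes=[0,2])
    if 'backup_pass' in variables:
        # NOTE(review): the password is interpolated into the command line
        # without quoting or escaping, and is exposed to anything that
        # records command lines while the command runs.
        run('net user lbkp %s' % variables['backup_pass'])
    # 'Administrateurs' is the French name of the local administrators group;
    # presumably this call fails on systems using another display language.
    run('net localgroup Administrateurs lbkp /add', accept_returncodes=[0,2])

    # For vista and newer, UAC prevents admin shares, we need to enable it
    # LocalAccountTokenFilterPolicy=1 lifts the UAC remote restriction for
    # every local administrator account on the host, not only lbkp; the
    # firewall rule above (445 from the backup servers only) is what limits
    # exposure, so the two settings have to be kept together.
    print('Enabling remote access to admin shares')
    if windows_version() > Version('6'):
        reg_key = reg_openkey_noredir(
            HKEY_LOCAL_MACHINE,
            r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',
            sam=KEY_WRITE,
            create_if_missing=True)
        reg_setvalue(reg_key, 'LocalAccountTokenFilterPolicy', 1, REG_DWORD)


def uninstall():
    """Revert the changes made by install().

    Deletes both firewall rules, removes ``lbkp`` from the administrators
    group, deletes LocalAccountTokenFilterPolicy and removes the override
    files together with the rsync credential file.
    """
    print('Removing BackupPC Agent')

    print('Removing firewall rules')
    run('netsh advfirewall firewall del rule name="Agent BackupPC"', accept_returncodes=[0,1])
    # NOTE(review): rules are deleted by name, so any other rule that happens
    # to be called "remote admin" is removed as well.
    run('netsh advfirewall firewall del rule name="remote admin"', accept_returncodes=[0,1])

    # The lbkp account itself is left in place; only its group membership is
    # removed here.
    print('Removing lbkp from Admin group')
    run('net localgroup Administrateurs lbkp /delete', accept_returncodes=[0,2])

    print('Disabling remote access to admin shares')
    if windows_version() > Version('6'):
        reg_key = reg_openkey_noredir(
            HKEY_LOCAL_MACHINE,
            r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',
            sam=KEY_WRITE)
        reg_delvalue(reg_key, 'LocalAccountTokenFilterPolicy')

    print('Removing files')
    # rsyncd.secrets is written by install() and holds the rsync password in
    # clear text, so it is removed with the override files instead of being
    # left behind on the disk.
    for name in overrides + ['rsyncd.secrets']:
        path = _backuppc_path(name)
        if isfile(path):
            os.unlink(path)


def audit():
    """Check the agent configuration.

    Returns "ERROR" when LocalAccountTokenFilterPolicy is empty, missing or
    different from 1, or when one of the expected files is absent from the
    BackupPC directory; returns "OK" otherwise.
    """
    filter_policy = registry_readstring(
        HKEY_LOCAL_MACHINE,
        r'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system',
        'LocalAccountTokenFilterPolicy')
    if not filter_policy:
        print(r"key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountTokenFilterPolicy doesn't exist")
        return "ERROR"
    if int(filter_policy) != 1:
        print("Wrong value for LocalAccountTokenFilterPolicy")
        return "ERROR"

    # Only presence is checked: the content of the binaries and of the
    # credential file is not verified.
    for name in overrides + ['rsyncd.secrets', 'part.cmd']:
        path = _backuppc_path(name)
        if not isfile(path):
            print('%s is missing' % path)
            return "ERROR"
    return "OK"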