cohesity v6.8 removes sudo access and enforces restricted shell. I wrote this automation to restore this access. #36

Open
amlucent opened this issue Jun 27, 2023 · 0 comments
amlucent commented Jun 27, 2023

🚀 Feature Request

Cohesity v6.8.1 removes sudo access and enforces a restricted shell. This change seems very short-sighted. This was a completely supported feature in every previous version; previous versions even offered a button in the GUI so that customers could supply the support user with sudo quickly and easily. Now, without warning, that access has been ripped away. This change feels half-baked and under-communicated to me.

I wanted to share an automation I wrote that restores this unrestricted shell and sudo access. I chose to write this in Ansible format so it can be quickly and easily applied to a user's entire fleet of Cohesity clusters at once.

Feel free to include or reject this contribution.

#!/bin/ansible-playbook
# Cohesity 6.8+ is required!
#
# The REST API and iris_cli login steps run from the control node
# (delegate_to: localhost); the remaining steps run over SSH as the
# "support" user, whose SSH password is expected in ansible_password.
# Tasks that carry credentials on the command line are marked no_log so
# that passwords and tokens do not end up in the Ansible run log.
---
- name: "##### Allows Linux Shell access and sudo for 6.8+ Cohesity clusters #####"
  hosts: '{{ target | default("cohesity") }}'
  gather_facts: false
  #become: yes

  tasks:
    # Login to the Target Cluster by API
    - name: Get Token for target Cohesity cluster
      delegate_to: localhost
      ansible.builtin.uri:
        url: https://{{ inventory_hostname }}/irisservices/api/v1/public/accessTokens
        headers:
          Content-Type: application/json
        body:
          username: "{{ var_cohesity_user }}"
          password: "{{ var_cohesity_passwd }}"
          domain: "LOCAL"
        method: POST
        status_code: 201
        body_format: json
        return_content: yes
        # disables TLS verification; acceptable only when the control node
        # does not trust the cluster's certificate and the network is trusted
        validate_certs: false
      no_log: true
      register: target_token

    - name: Register target's token
      ansible.builtin.set_fact:
        target_cohesity_token: "{{ (target_token.content | from_json).accessToken }}"
      delegate_to: localhost
      no_log: true

    # Grab Target Cluster IP information
    - name: Get list of the Cohesity cluster's IP addresses from nslookup
      # the first "Address" line is the resolver itself; tail -n +2 skips it
      ansible.builtin.shell: "nslookup {{ inventory_hostname_short }} | grep ^Address | sed 's|Address: ||' | tail -n +2"
      register: nslookup
      delegate_to: localhost

    - name: Set fact IP address
      ansible.builtin.set_fact:
        target_ips: "{{ nslookup.stdout_lines }}"

    - ansible.builtin.debug:
        var: target_ips

    - name: Remove old SSH keys by hostname.
      delegate_to: localhost
      ansible.builtin.command: ssh-keygen -R "{{ inventory_hostname | lower }}"

    - name: Remove old SSH keys by IPv4 address.
      delegate_to: localhost
      ansible.builtin.command: ssh-keygen -R "{{ item }}"
      loop: "{{ target_ips }}"

    - name: Update local known_hosts file with new ssh_keys
      delegate_to: localhost
      ansible.builtin.lineinfile:
        dest: ~/.ssh/known_hosts
        create: yes
        state: present
        mode: "0600"
        # nested "{{ }}" inside a lookup string is not valid Jinja; build the
        # command with the ~ concatenation operator instead
        line: "{{ lookup('pipe', 'ssh-keyscan -t rsa -p ' ~ (ansible_port | default(22)) ~ ' ' ~ (inventory_hostname | lower) ~ ',' ~ item) }}"
      loop: "{{ target_ips }}"

    - name: Process known_hosts file with new keys.
      delegate_to: localhost
      # sort -u deduplicates in place and keeps the file's mode; "uniq -u"
      # would instead DROP every line that appeared more than once
      ansible.builtin.command: sort -u -o ~/.ssh/known_hosts ~/.ssh/known_hosts

    # Enable & Set password of "support" user if run for the first time
    - name: Enable the support user and set password (will fail gracefully if already enabled)
      delegate_to: localhost
      ansible.builtin.uri:
        url: https://{{ inventory_hostname }}/irisservices/api/v1/public/users/linuxPassword
        method: PUT
        headers:
          Content-Type: application/json
          Accept: application/json
          Authorization: "Bearer {{ target_cohesity_token }}"
        validate_certs: no
        return_content: yes
        status_code: [200, 201, 202]
        body:
          linuxUsername: support
          # the same password Ansible uses to SSH in as "support"
          linuxPassword: "{{ ansible_password }}"
        body_format: json
      no_log: true
      ignore_errors: yes

    # Set local sec policy on Cohesity clusters - restricted-shell timeout of
    # 100000 hours (over 10 years)
    - name: Set Gflag for Linux "Restricted" Shell
      ansible.builtin.command: >-
        /home/support/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}" -skip_password_prompt
        cluster update-gflag gflag-name=secure_shell_disabled_duration_hours gflag-value=100000 service-name=nexus
        reason="disable secure-shell timeout"
      no_log: true
      ignore_errors: yes

    - name: Disable Linux "Restricted" Shell
      ansible.builtin.command: >-
        /home/support/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}" -skip_password_prompt
        cluster secure-shell enable=false
      no_log: true
      ignore_errors: yes

    - name: Pause
      ansible.builtin.pause:
        seconds: 90

    - name: Update local known_hosts file with new ssh_keys (again)
      delegate_to: localhost
      ansible.builtin.lineinfile:
        dest: ~/.ssh/known_hosts
        create: yes
        state: present
        mode: "0600"
        line: "{{ lookup('pipe', 'ssh-keyscan -t rsa -p ' ~ (ansible_port | default(22)) ~ ' ' ~ (inventory_hostname | lower) ~ ',' ~ item) }}"
      loop: "{{ target_ips }}"

    - name: Process known_hosts file with new keys (again).
      delegate_to: localhost
      ansible.builtin.command: sort -u -o ~/.ssh/known_hosts ~/.ssh/known_hosts

    - name: Restart Nexus services for "Restricted" shell timeout to take effect
      ansible.builtin.shell: >-
        /home/cohesity/software/crux/bin/allssh.sh /home/cohesity/software/crux/bin/nexus.sh stop &&
        /home/cohesity/software/crux/bin/allssh.sh /home/cohesity/software/crux/bin/nexus.sh start

    - name: Pause (again)
      ansible.builtin.pause:
        seconds: 120

    - name: Disable Linux "Restricted" Shell (again)
      ansible.builtin.command: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}" -skip_password_prompt
        cluster secure-shell enable=false
      no_log: true
      ignore_errors: yes

    # Set local sec policy on Cohesity clusters (max passwd lifetime is 365 days
    # in 6.8+. It's a real drag.)
    - name: Set Policies
      ansible.builtin.command: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}" -skip_password_prompt
        security-config edit min-length=8 min-lifetime-days=0 max-lifetime-days=365 num-diff-chars=0 num-disallowed-old-pwd=0
        failed-login-lock-duration-mins=15 max-failed-login-attempts=6 inactivity-time-days=1 session-inactivity-timeout=3600
        is-data-classified=true classified-data-msg="{{ classification_level }}"
      no_log: true

    - name: Enable Linux "support" user sudo access
      ansible.builtin.command: >-
        /home/cohesity/software/crux/bin/iris_cli -username "{{ var_cohesity_user }}" -password "{{ var_cohesity_passwd }}" -skip_password_prompt
        user linux-sudo-access enable=true
      no_log: true
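The known_hosts steps in the playbook (ssh-keygen -R, ssh-keyscan, sort/uniq) trust whatever host key the cluster presents after the restart, so a changed key is indistinguishable from a rotated one. As an added example, not part of the issue or its playbook, here is a Python merge that deduplicates the file and reports every host whose key changed; the hostnames, addresses and key blobs are constructed.

```python
# Constructed example (not from the issue or its playbook): merge freshly scanned
# host keys into known_hosts, deduplicate, and report keys that CHANGED.
import base64
import hashlib

def fingerprint(key_b64):
    """SHA256 fingerprint in the format `ssh-keygen -lf` prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_line(line):
    """(hosts, keytype, key_b64), or None for blanks and ssh-keyscan's '# host:22 ...' comments."""
    parts = line.split()
    if len(parts) < 3 or parts[0].startswith("#"):
        return None
    return tuple(parts[0].split(",")), parts[1], parts[2]

def merge_known_hosts(existing, scanned):
    """Return (merged_lines, changed); changed = (host, keytype, old_fp, new_fp) per changed host."""
    current, changed = {}, []                 # (host, keytype) -> key blob currently trusted
    for line in existing:
        if p := parse_line(line):
            for h in p[0]:
                current[(h, p[1])] = p[2]
    for line in scanned:
        if p := parse_line(line):
            for h in p[0]:
                old = current.get((h, p[1]))
                if old is not None and old != p[2]:
                    changed.append((h, p[1], fingerprint(old), fingerprint(p[2])))
                current[(h, p[1])] = p[2]       # the scanned key wins, but the change is recorded
    merged, seen = [], set()
    for line in list(existing) + list(scanned):
        p = parse_line(line)
        # drop comments, superseded keys (host now maps to another blob) and duplicates
        if not p or any(current[(h, p[1])] != p[2] for h in p[0]) or p in seen:
            continue
        seen.add(p)
        merged.append(" ".join([",".join(p[0]), p[1], p[2]]))
    return merged, changed

def demo():
    """Constructed data: cohesity-a rotated its key, -b is unchanged but duplicated, -c is new."""
    def k(s): return base64.b64encode(s.encode()).decode()   # fake key blobs, constructed
    existing = ["cohesity-a,10.0.0.11 ssh-rsa " + k("a-old"),
                "cohesity-b,10.0.0.12 ssh-rsa " + k("b-key"),
                "cohesity-b,10.0.0.12 ssh-rsa " + k("b-key")]
    scanned = ["# cohesity-a:22 SSH-2.0-OpenSSH_8.0",
               "cohesity-a,10.0.0.11 ssh-rsa " + k("a-NEW"),
               "cohesity-b,10.0.0.12 ssh-rsa " + k("b-key"),
               "cohesity-c,10.0.0.13 ssh-rsa " + k("c-key")]
    return merge_known_hosts(existing, scanned)
```

A non-empty `changed` list is the signal to stop and confirm the rotation with the cluster owner before the new key is written.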
