-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathSEP_operations.sh
302 lines (276 loc) · 10.1 KB
/
SEP_operations.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
#!/bin/bash
LASTVERSION="14"
INSTALLERPATH="/var/chef/cache"
SYMANTECINSTALLERNAME="SymantecEndpointProtection"
JAVAVERSION="jdk1.8.0_151"
OPTION=$1
TARGETGROUP=$2
FILE_NAME=$3
CMDTARGETGROUP=$TARGETGROUP
KERNELPACKAGES="kernel-3.10.0-327.el7.x86_64 kernel-headers-3.10.0-327.el7.x86_64 kernel-tools-libs-3.10.0-327.el7.x86_64 kernel-tools-3.10.0-327.el7.x86_64"
SUPPORTEDKERNELS="2.6.32-504|3.10.0-123|3.10.0-327|3.10.0-229|2.6.32-642|2.6.32-573|2.6.32-504"
##Check if symantec is installed
check_symantec(){
if [ -f /opt/Symantec/symantec_antivirus/sav ]; then
echo "GLOBAL : Symantec is already installed, going to check versions"
check_version
else
echo "GLOBAL : Symantec is not installed, going to configure and install"
configure_symantec
#download_symantec
fi
}
##Check if version is the latest
check_version(){
VERSION=$(/opt/Symantec/symantec_antivirus/sav info -p | awk '{print $1}')
if [[ "$VERSION" == "$LASTVERSION" ]]; then
echo "GLOBAL : Last Symantec Version installed. Release $LASTVERSION. Checking Setup used."
check_proper_setup
else
echo "GLOBAL : Another Symantec Version installed, going to reinstall"
uninstall_symantec
fi
}
##Uninstall symantec
uninstall_symantec(){
echo "UNINSTALL : Uninstalling Services"
service symcfgd stop >/dev/null 2>&1 ##Stop all symantec process
service rtvscand stop >/dev/null 2>&1 ##Stop all symantec process
service autoprotect stop >/dev/null 2>&1 ##Stop all symantec process
/opt/Symantec/symantec_antivirus/uninstall.sh -u >/dev/null 2>&1 ##Stop all symantec process
echo "UNINSTALL : Cleaning up Directories"
rm -rf /opt/Symantec >/dev/null 2>&1 ##Cleanup symantec dir
rm -r /etc/Symantec.conf >/dev/null 2>&1 ##Cleanup global symantec config
rm -f /usr/local/etc/aipconfig/symantec.cfg >/dev/null 2>&1
echo "UNINSTALL : Clean complete. Please remove from EPP Console Previous to continue. If this step is missing node will be regenerate on same Target Group"
#configure_symantec
#download_symantec #Go to startup
}
install_symantec(){
cd $INSTALLERPATH
mkdir -p $SYMANTECINSTALLERNAME
cp -p $FILE_NAME $SYMANTECINSTALLERNAME
cd $SYMANTECINSTALLERNAME
unzip -o $FILE_NAME >/dev/null 2>&1
rm $FILE_NAME
cd $INSTALLERPATH
set_clienttargetgroup
cd $SYMANTECINSTALLERNAME
yum -y install kernel-devel-$(uname -r) bzip2 gcc glibc.i686
echo "INSTALL : Starting Installation"
bash -x install.sh -u >/dev/null 2>&1
bash -x install.sh -i >/dev/null 2>&1
copile_kernel
checkpostinstall
}
copile_kernel(){
cd $INSTALLERPATH/$SYMANTECINSTALLERNAME/src/ap-kernelmodule-14.0.2332-0100
bash build.sh
}
checkpostinstall(){
VERSION=$(/opt/Symantec/symantec_antivirus/sav info -p | awk '{print $1}')
AUTOPROTECT=$(/opt/Symantec/symantec_antivirus/sav info -a | awk '{print $1}')
if [[ "$VERSION" == "$LASTVERSION" ]]; then
echo "COMPLETE : Last Symantec Version installed."
if [[ "$AUTOPROTECT" == "Enabled" ]]; then
echo "COMPLETE : Autoprotect module is on status enabled."
#lockversion
exit 0
elif [[ "$AUTOPROTECT" == "Malfunctioning" ]]; then
echo "COMPLETE : Autoprotect looks into malfunction status, probably require restart or update virus definitions"
#lockversion
exit 0
else
echo "WARNING : Autoprotect module seems invalid. Please restart. Status $AUTOPROTECT"
shutdown -r +5 "AIP:
System is going to be reboot due to Symantec update process.
In case of any request or problem found after this reboot in
the normal use of the system please contact:
sec.support@xxxxxxxxxx.com
Regards,
AIP Engineering Support"
exit 0
fi
else
echo "ERROR : Error during post instalation. Symantec release returns in error."
exit 1
fi
}
##Change TargetGroup
set_clienttargetgroup(){
sed -i "s/AIP-DOCP/$TARGETGROUP/" $INSTALLERPATH/$SYMANTECINSTALLERNAME/Configuration/sylink.xml
if [ $? -ne 0 ]; then
echo "CONFIGURATION : Error during setup of Targetgroup on Configuration File"
exit 1
fi
}
##Check for proper setup for symantec
check_proper_setup(){
if [ ! -f /usr/local/etc/aipconfig/symantec.cfg ]; then
echo "CONFIGURATION : Creating Configuration File"
echo "### BEGIN SYMANTEC OPTIONS
# TARGETGROUP=MYCLIENT : Set the client target group for new installatinos
# SYMANTECENABLE=yes : Set if symantec should be install or not
TARGETGROUP=$CMDTARGETGROUP
SYMANTECENABLE=yes
### END SYMANTEC OPTIONS" > /usr/local/etc/aipconfig/symantec.cfg
echo "CONFIGURATION : Configuration mismatch. Going to remove. Please reinstall"
uninstall_symantec ##Call to uninstall as current version were install from another way
#install_symantec
else ##Check if installation is correct
echo "CONFIGURATION : Using previous configuration file"
source /usr/local/etc/aipconfig/symantec.cfg
if [[ "$TARGETGROUP" != "$CMDTARGETGROUP" ]]; then ##Check if targetgroup from config match with the one from command line
echo "CONFIGURATION : Target group differs. Need to uninstall"
uninstall_symantec
#install_symantec
elif [[ "$SYMANTECENABLE" != "yes" ]]; then
echo "CONFIGURATION : Symantec requested to be disable per command line config"
uninstall_symantec
else
echo "COMPLETE : Not going to do any, all seems ok"
echo "COMPLETE : Current version does not verify for malfunction of services"
fi
fi
}
##Download symantec
#download_symantec(){
# DOWNLOADFILE="RHEL_Symantec_$LASTVERSION.zip"
# curl -O https://s3.amazonaws.com/software-installable-bin/EPP_Linux/$DOWNLOADFILE > /dev/null 2>&1
# if [ $? -ne 0 ]; then
# echo "Canceling as download of last symantec fail"
# exit 1
# else
# uncompress_symantec $DOWNLOADFILE
# fi
#}
##Uncompress symantec
#uncompress_symantec(){
#DOWNLOADFILE=$1
# unzip -o $DOWNLOADFILE >/dev/null 2>&1
# if [ $? -ne 0 ]; then
# echo "Canceling as cannot uncompress symantec"
# exit 1
# else
# configure_symantec
# fi
#}
##Do initial configuration for symantec
configure_symantec(){
mkdir -p /opt/Symantec
touch /etc/Symantec.conf
echo "[Symantec Shared]" > /etc/Symantec.conf
echo "BaseDir=/opt/Symantec" >> /etc/Symantec.conf
#echo "JAVA_HOME=/opt/Symantec/$JAVAVERSION/jre/bin/" >> /etc/Symantec.conf
}
##Copy java
copyjava(){
cd $INSTALLERPATH
unzip -o $JAVAVERSION.zip >/dev/null 2>&1
if [ ! -f /opt/Symantec/$JAVAVERSION ]; then
cp -rp $INSTALLERPATH/$JAVAVERSION /opt/Symantec/
chmod +x /opt/Symantec/$JAVAVERSION/jre/bin/java
if [ $? -ne 0 ]; then
echo "INSTALL : Incorrect copy for java on Symantec dir"
exit 1
else
echo "INSTALL : Java were copy to symantec directory"
fi
fi
}
##Check that kernel version matchs
check_kernel_version(){
CURRENTVERSION=$(uname -r | sed 's/.el7.x86_64//' | sed 's/.el6.x86_64//') ##Remove release versions
ISLASTSUPPORTED=$(echo $CURRENTVERSION | egrep "$SUPPORTEDKERNELS")
if [[ "$ISLASTSUPPORTED" == "" ]]; then ##If version is not supported
remove_supplementary_kernel_packages
install_correctkernel_version ##Install proper kernel
echo "KERNEL CONFIG : In order to proceed it's require to restart"
shutdown -r +5 "AIP:
System is going to be reboot due to kernel update process.
In case of any request or problem found after this reboot in
the normal use of the system please contact:
sec.support@xxxxxxxxxx.com
Regards,
AIP Engineering Support"
exit 0
else
install_correctkernel_version
fi
}
##Remove supplementary kernel packages
remove_supplementary_kernel_packages(){
for i in $(rpm -qa | grep kernel- | egrep -v "$SUPPORTEDKERNELS"); do ##Loop into any kernel that is not supported
echo "PACKAGE : Removing $i"
sleep 1
rpm -e $i >/dev/null 2>&1 ##Remove each kernel package that is not supported, avoiding errors
done
}
##Install correct kernel verion. only for el7 yet
install_correctkernel_version(){
for i in $KERNELPACKAGES; do
ISINSTALL=$(rpm -q $i | grep "is not installed") ##Filter to see if package is not installed
if [[ "$ISINSTALL" != "" ]]; then #If string is not null assume its not install per rpm query
yum install -y $i >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo "ERROR: Error during installation of $i"
else
echo "KERNEL CONFIG : Package $i installed"
fi
fi
done
}
##Lock kernel version ##Should also review on grub config file that it-s properly set
lockversion(){
echo "KERNEL CONFIG : Setting Version lock for kernel packages"
yum versionlock kernel-3.10.0-327.el7 >/dev/null 2>&1
yum versionlock kernel-headers-3.10.0-327.el7.x86_64 >/dev/null 2>&1
yum versionlock kernel-tools-3.10.0-327.el7.x86_64 >/dev/null 2>&1
yum versionlock kernel-tools-libs-3.10.0-327.el7.x86_64 >/dev/null 2>&1
}
help(){
echo "Incorrect usage. Please correct:
$0 --forceinstall <TARGETGROUP> <FILE_NAME> : Force install
$0 --install <TARGETGROUP> <FILE_NAME> : Install
$0 --uninstall : Uninstall complete
$0 --lockversions : Lock Kernel Verrsions
"
}
###########################################
## BEGIN
###########################################
if [ $# -eq 3 ]; then
if [[ "$1" == "--forceinstall" ]]; then
rm -f /usr/local/etc/aipconfig/symantec.cfg >/dev/null 2>&1
check_proper_setup
#check_kernel_version
#install_correctkernel_version
#remove_supplementary_kernel_packages
configure_symantec
#copyjava
install_symantec
elif [[ "$1" == "--install" ]]; then
#check_kernel_version
#install_correctkernel_version
#remove_supplementary_kernel_packages
configure_symantec
#copyjava
install_symantec
else
help
fi
elif [ $# -eq 1 ]; then
if [[ "$1" == "--uninstall" ]]; then
uninstall_symantec
elif [[ "$1" == "--setproperkernel" ]]; then
install_correctkernel_version
remove_supplementary_kernel_packages
elif [[ "$1" == "--lockversions" ]]; then
lockversion
else
echo "Incorrect first option"
help
fi
else
help
fi