5.2.11.1. ON Core scripts
On the ON Core, the administration scripts are located under the following path:
ls /usr/share/opennac/utils/scripts/
5.2.11.1.1. ad_integration.sh
Description:
This script is used to integrate an AD to OpenNAC Enterprise.
Execution parameters:
/usr/share/opennac/utils/scripts/ad_integration.sh <SERVER_IP> <REALM> <LOWER_REALM> <WORKGROUP> <USER> <PASSWORD>
Example:
/usr/share/opennac/utils/scripts/ad_integration.sh 192.168.1.2 MYCOMPANY.COM mycompany.com MYCOMPANY Administrator adminPassword
Note
If the password is omitted, it will be requested interactively during the script execution. Prefer this form: a password passed as a command-line argument is visible in the shell history and in the process list while the script runs.
5.2.11.1.2. core_update.sh
Description:
This script updates a specific RPM package and then executes the post_install.sh script.
Execution parameters:
/usr/share/opennac/utils/scripts/core_update.sh <package>
Example:
/usr/share/opennac/utils/scripts/core_update.sh opennac-dhcp-helper-reader.x86_64
Note
It only works with RPM packages that are available locally
5.2.11.1.3. db_replication.sh
Description:
This script permits doing database replications or fixes from one node to other nodes.
Modes:
Deployment: uses the current node (ON Principal) as the source of the replication deployment and applies the worker configuration to the node(s) given with --dest (a single IP or a file listing the worker IPs)
Fix: uses the current node (ON Principal) as the source of the replication fix and repairs the destination node(s). A specific node (ON Worker) can be used as the source instead by passing --src; the destination is set with --dest
Execution parameters:
/usr/share/opennac/utils/scripts/db_replication.sh -t [deploy/fix] [OPTIONS]
TYPE:
-t, --type [type]  type of use case: deploy or fix
OPTIONS:
- --dest
IP of the node to fix or deploy. This can be an IP or a file containing all the IPs of the worker nodes. IMPORTANT: if a file is used, it must be in the same directory as the db_replication script
- -h, --help
Shows this help
- --src
ONLY used in fix mode. This is the IP of the source node. If it is not included or left blank, the current node will be used.
- --path
The path where the temporary files will be written. By default it uses /tmp/. It must be provided in the format /<path>/.
- --dbpass
The database password
- --rootPassword
The root user password. If it is not included or left blank, the script assumes the current root password is the default, opennac (change it with opennac_mysql_password_change.sh, described below)
- --replicationpass
The replication password
- --replicationuser
The replication user. By default the value is on_worker.
- --principalip
The ON Principal's IP. It will be written to the ON Worker's /etc/hosts file
- --interface
The interface to use on the principal
- -y
Accepts all confirmations. This includes stopping services on a Principal node for a fix, and removing the results file
Example:
Deployment:
/usr/share/opennac/utils/scripts/db_replication.sh -t deploy --dest 10.20.0.10
/usr/share/opennac/utils/scripts/db_replication.sh -t deploy --dest listIPS.txt
Fix:
/usr/share/opennac/utils/scripts/db_replication.sh -t fix --dest 10.20.0.10
/usr/share/opennac/utils/scripts/db_replication.sh -t fix --dest listIPs.txt
/usr/share/opennac/utils/scripts/db_replication.sh -t fix --src 10.20.0.11 --dest 10.20.0.10
/usr/share/opennac/utils/scripts/db_replication.sh -t fix --src onworker1 --dest 10.20.0.10
/usr/share/opennac/utils/scripts/db_replication.sh -t fix --src onworker1 --dest listIPs.txt
Note
For deployment mode the IPs are needed. For fix mode, we can use the alias defined in the /etc/hosts file
5.2.11.1.5. opennac_mysql_password_change.sh
Description:
There are two main users/passwords used to access mysql: root and admin. On the ON Core, this script is used to change one or both passwords. The script changes the access password and all the related files.
Execution parameters:
/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh -s <server_role> -c <current_password> -r <new_root_password> -a <new_admin_password>
OPTIONS:
- -s|--server_role ROLE
Depending on the server role:
single: server locally reading and writing on the MySQL database
principal: principal server replicating to worker servers, with all OpenNAC services running (radius, collectd, ...)
only_principal: principal server running only the MySQL server (without the other services)
worker: worker server replicating from a principal server
- -c|--cur_root_pwd CUR_PWD
Current MySQL root password. Default: "opennac"
- -r|--new_root_pwd ROOT_PWD
New MySQL root password
- -a|--new_admin_pwd ADM_PWD
New MySQL admin password
- -h|--help
Display this help and exit
Example:
/usr/share/opennac/utils/scripts/opennac_mysql_password_change.sh -s single -c currentpass -r newpass123! -a newpass123!
5.2.11.1.6. opennac-services-monitor.sh
Description:
This script gets the healthcheck from OpenNAC Enterprise Services and stops the radiusd service if one of the dependent services is down.
Execution parameters:
/usr/share/opennac/utils/scripts/opennac-service-monitor.sh
Example:
/usr/share/opennac/utils/scripts/opennac-service-monitor.sh
5.2.11.1.7. opennac_userdev_count.sh
Description:
Script to query opennac mysql database and get distinct counts of user devices.
Execution parameters:
/usr/share/opennac/utils/scripts/opennac_userdev_count.sh <mysql_username> <mysql_password>
Example:
/usr/share/opennac/utils/scripts/opennac_userdev_count.sh admin adminpass123!
5.2.11.1.8. password_policy.sh
Description:
Script used to configure password policies and conditions. Every time the script is executed, the password policy is set.
- Default password policy:
Password length: minimum 8 characters.
- Complexity:
One or more lowercase characters.
One or more uppercase characters.
One or more numbers.
One or more special characters.
When the password is changed, it must differ from the previous one by at least 4 characters.
Execution parameters:
/usr/share/opennac/utils/scripts/password_policy.sh [-h|-i|-c|-s|-l|-L|-u|-e|-M|-m]
OPTIONS:
- -h
Print script Help options.
- -i
Add the ClientAliveInterval parameter in /etc/ssh/sshd_config. It is equivalent to the Inactivity Timeout. The default is 0, meaning that no client-alive messages are sent to the client
- -c
Add the ClientAliveCountMax parameter in /etc/ssh/sshd_config. It is the number of client-alive messages sshd may send without receiving a reply before it disconnects the client. The Authentication Timeout is equivalent to ClientAliveInterval * ClientAliveCountMax. The default value is 3.
- -s
Add the MaxSessions parameter in /etc/ssh/sshd_config. It specifies the maximum number of open sessions permitted per network connection. The default is 10.
- -l
Adds the maxlogins limit (maximum number of simultaneous logins for a user). It is set for all users. To limit maxlogins for specific users, edit the file /etc/security/limits.conf manually.
- -L
Adds the maxsyslogins limit (maximum number of simultaneous logins on the system for a user). It is set for all users. To limit maxsyslogins for specific users, edit the file /etc/security/limits.conf manually.
- -u
Name of the user whose password expiration settings are to be changed with the chage command; used together with the options [-e, -M, -m]
- -e
Expiration date, in YYYY-MM-DD format, for the user specified with -u. The -u option is required for this option to be performed.
- -M
Maximum number of days a password is valid for the user specified with -u. The -u option is required for this option to be performed.
- -m
Minimum number of days a password must be kept before it can be changed, for the user specified with -u. The -u option is required for this option to be performed.
Example:
/usr/share/opennac/utils/scripts/password_policy.sh -i 0 -c 3 -s 10 -l 10 -L 10 -u root -e 2021-12-29 -M 90 -m 10
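The options above write settings into /etc/ssh/sshd_config and /etc/security/limits.conf, and two properties of those files decide whether the values take effect: sshd uses the first value found for a keyword (sshd_config(5)), so a parameter appended after an existing line changes nothing, and pam_limits never applies group or wildcard entries to root (limits.conf(5)), so `-l`/`-L` set for all users do not cover the root account the page's example targets with `-u root`. The following added example (not part of password_policy.sh or OpenNAC) computes the values that will really be in force and compares them with what the example invocation asked for; both configuration texts are constructed samples, and the hard/soft distinction in limits.conf is ignored.

```python
"""Audit of the settings password_policy.sh writes: the values sshd will really
apply from sshd_config and the effective maxlogins/maxsyslogins for a user from
limits.conf.  Both config texts below are constructed samples."""

SSHD_DEFAULTS = {"clientaliveinterval": 0, "clientalivecountmax": 3, "maxsessions": 10}


def sshd_effective(config_text):
    """Global values as sshd resolves them: for each keyword the FIRST value in
    the file wins (sshd_config(5)), so a line appended after an existing setting
    changes nothing.  Parsing stops at the first Match block, whose settings
    apply only to the matched connections."""
    values = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2:
            values.setdefault(key, parts[1].strip())
    return values


def ssh_timeouts(config_text):
    """Keepalive settings in force and the idle disconnect they produce."""
    v = sshd_effective(config_text)
    interval = int(v.get("clientaliveinterval", SSHD_DEFAULTS["clientaliveinterval"]))
    count = int(v.get("clientalivecountmax", SSHD_DEFAULTS["clientalivecountmax"]))
    sessions = int(v.get("maxsessions", SSHD_DEFAULTS["maxsessions"]))
    # interval 0 disables client-alive messages, so nothing disconnects idle clients
    return {"interval": interval, "count": count, "sessions": sessions,
            "disconnect_after_seconds": interval * count if interval else None}


def limits_effective(limits_text, user, groups=()):
    """maxlogins/maxsyslogins pam_limits applies to `user`: a user entry beats a
    @group entry, which beats the '*' default; group and wildcard entries are
    never applied to root (limits.conf(5)).  Soft/hard types are not distinguished."""
    found = {}                       # item -> (priority, value)
    for raw in limits_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) != 4 or fields[2] not in ("maxlogins", "maxsyslogins"):
            continue
        domain, _type, item, value = fields
        if domain == user:
            prio = 3
        elif user != "root" and domain.startswith("@") and domain[1:] in groups:
            prio = 2
        elif user != "root" and domain == "*":
            prio = 1
        else:
            continue
        if prio > found.get(item, (0, None))[0]:
            found[item] = (prio, int(value) if value.isdigit() else None)
    return {item: val for item, (_, val) in found.items()}


def policy_findings(sshd_text, limits_text, user, groups, wanted):
    """Settings whose effective value differs from what the script was asked to set."""
    got = ssh_timeouts(sshd_text)
    got.update(limits_effective(limits_text, user, groups))
    return {k: (wanted[k], got.get(k)) for k in wanted if got.get(k) != wanted[k]}


# Constructed sample files (not taken from an ON Core)
SAMPLE_SSHD_CONFIG = """\
Port 22
ClientAliveInterval 300
ClientAliveCountMax 2
MaxSessions 10
# appended later by a hardening run: ignored, the first ClientAliveInterval wins
ClientAliveInterval 0
Match User backup
    ClientAliveInterval 60
"""

SAMPLE_LIMITS_CONF = """\
*        -    maxlogins     10
*        -    maxsyslogins  10
@ops     -    maxlogins     5
alice    -    maxlogins     2
"""

# what the page's example invocation asked for: -i 0 -c 3 -s 10 -l 10 -L 10
WANTED = {"interval": 0, "count": 3, "sessions": 10, "maxlogins": 10, "maxsyslogins": 10}

if __name__ == "__main__":
    print(ssh_timeouts(SAMPLE_SSHD_CONFIG))
    for who, grp in (("alice", ("ops",)), ("bob", ("ops",)), ("root", ())):
        print(who, limits_effective(SAMPLE_LIMITS_CONF, who, grp))
    print(policy_findings(SAMPLE_SSHD_CONFIG, SAMPLE_LIMITS_CONF, "root", (), WANTED))
```

Run against the real files with the user the policy is meant for; a non-empty result from `policy_findings` means the script's change was shadowed by an earlier line or never applied to that account, and the offending line has to be edited in place rather than appended.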
5.2.11.1.9. post-install_no-move.sh
Description:
Script that checks which .ini.sample files need to be applied after an update. It lists the files to be moved, but does not move them.
Execution parameters:
/usr/share/opennac/utils/scripts/post-install_no-move.sh
Example:
/usr/share/opennac/utils/scripts/post-install_no-move.sh
5.2.11.1.10. post_install.sh
Description:
Script that checks which .ini.sample files need to be applied after an update and applies them. Finally, it executes the restartOpenNACServices.sh script.
Execution parameters:
/usr/share/opennac/utils/scripts/post_install.sh
Example:
/usr/share/opennac/utils/scripts/post_install.sh
5.2.11.1.11. resource_meter.sh
Description:
This script shows the hostname, the total disk space and the total RAM of the ON Core, and finally the number of CPU cores of the ON Core.
Execution parameters:
/usr/share/opennac/utils/scripts/resource_meter.sh
Example:
/usr/share/opennac/utils/scripts/resource_meter.sh
5.2.11.1.12. resource_net.sh
Description:
This script shows the hostname, the gateway, the DNS servers, the NTP servers and the interfaces of the ON Core.
Execution parameters:
/usr/share/opennac/utils/scripts/resource_net.sh
Example:
/usr/share/opennac/utils/scripts/resource_net.sh
5.2.11.1.13. restartOpenNACServices.sh
Description:
Restarts the most important OpenNAC Enterprise services on the ON Core.
The services restarted are the following:
redis
dhcp-helper-reader
mariadb
gearmand
radiusd
httpd
php-fpm
opennac
snmptrapd
collectd
filebeat
rsyslog
Execution parameters:
/usr/share/opennac/utils/scripts/restartOpenNACServices.sh [-v|-f|-s]
OPTIONS:
- -v
Enable verbose mode
- -f
Force a restart of all services, including those that are currently stopped
- -s
Provide a custom services list (Ex: ‘redis httpd’)
- -h
Help
Example:
/usr/share/opennac/utils/scripts/restartOpenNACServices.sh
5.2.11.1.14. set_up_ssh_keys.sh
Description:
This script creates an SSH key on the ON Principal and copies it to the ON Workers
Execution parameters:
/usr/share/opennac/utils/scripts/set_up_ssh_keys.sh (ip|ips_file)
File format:
<IP1>
<IP2>
<IP3>
Example:
/usr/share/opennac/utils/scripts/set_up_ssh_keys.sh 10.10.45.10
/usr/share/opennac/utils/scripts/set_up_ssh_keys.sh ips.txt
Example of ips.txt:
10.10.45.10
10.10.45.11
10.10.45.12
5.2.11.1.16. checkProfiling.php
Description:
In installations that are going to be upgraded to version 1.2.2-12 with policies that rely on the EPT tag, it is crucial to run the checkProfiling.php script, which checks the profile of the user devices prior to the update.
As of version 1.2.2-12, in the profiling tree, if a device does not meet any of the profiling rules of a parent branch, it does not continue down that branch.
Former Engine
The profiling tree is traversed without taking into account the fulfillment of the parent’s rules, i.e., the ENTIRE tree is traversed with the corresponding computational cost.

Example: a printer with the port tags DOP_TCP_80, DOP_UDP_161 and DOP_TCP_9200 would still traverse the DESKTOP branch, even though it has no tags satisfying that branch's DNS, operating system and DHCP fingerprint rules.
New Engine
A branch is traversed only if the device fulfils AT LEAST one rule of the parent branch; if it fulfils none of them, the branch and everything below it are skipped.
Scenario 1: A printer that only has the DNS_BROTHER_HLL5100DN_SERIES tag.

It would not traverse the PRINTER branch even if it matched the DNS rule of PRINTER_BROTHER_HLL5100DN. This is because it does not comply with any of the PRINTER rules since it does not have port tags, DHCP fingerprint and service info.
Scenario 2: A printer that has the DNS_BROTHER_HLL5100DN_SERIES tag and the port tags DOP_TCP_515 and DOP_TCP_9200

In this scenario, it would check the PRINTER branch but it would not check PRINTER_BROTHER_HLL5100DN because it has no DHCP fingerprint, SNMP or MAC tags to match PRINTER_BROTHER.
Scenario 3: A printer that has DOP_TCP_515, DOP_TCP_9200, SSO_PRINTER_BROTHER and DNS_BROTHER_HLL5100DN_SERIES tags.

In this scenario, it would check the PRINTER_BROTHER_HLL5100DN branch since it complies with at least one of the rules of each parent.
Script operation
The checkProfiling.php script allows for simulating the operation of the new engine in installations where EPT is used in policies. This simulation helps identify and implement the necessary changes to minimize errors that may occur after the upgrade. The script offers the following options:
-u Admin portal user, admin by default
-p Admin portal user’s password, opennac by default
-h Host IP, 127.0.0.1 by default
-d maximum number of days to filter devices based on their last modification date, 30 by default
Example:
php checkProfiling.php -u 'user1' -p '1234' -h '10.10.10.10' -d '60'
If the IP or the number of days does not have the expected format, the help is displayed; it can also be shown with --help.

After providing the required fields, the system retrieves a token to enable API requests. Using this token, it performs a GET request, retrieving devices (in batches of 50) from the Configuration Management Database (CMDB). These devices have a last modification date that is not earlier than the specified timeframe (calculated by subtracting the entered number of days from the current date).
During the retrieval process, certain devices are excluded based on specific criteria, namely:
Devices with null EPT (Endpoint Type) or EPT_UNKNOWN.
Devices with MAC addresses of 00:00:00:00:00:00.
For each device obtained, the system conducts a Simulate Profiling operation, considering its associated tags. Additionally, it checks whether the device satisfies at least one of its parent’s rules.

If the device does not satisfy at least one of its parent’s rules, its information is inserted into a CSV file named “checkProfiling_<last analyzed date>”. This file serves as a record for making changes in the profiling tree. The CSV includes the following details for each device:
MAC address of the device
EPT of the device
Tags associated with the device
Profiling rules that have been matched with the device
Parent EPT that needs to be modified
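The traversal rule illustrated by the three scenarios above and the parent-rule check that produces the CSV are small enough to simulate. The following added example (not checkProfiling.php or any OpenNAC code) reproduces both on a constructed slice of a profiling tree: PRINTER > PRINTER_BROTHER > PRINTER_BROTHER_HLL5100DN plus a DESKTOP branch. The tree shape, the devices, and every tag name not quoted in the text (DFP_*, SNMP_BROTHER, OS_WINDOWS, DNS_WORKSTATION) are assumptions; the sample device carries the tag MAC_3C2AF4 that the text says must be added to the MAC vendor rule. A rule here is a set of tags and is satisfied when the device has any of them; the real rule types are richer, but the parent check is the same.

```python
"""Simulation of the old vs. new profiling-tree traversal and of the parent-rule
check that checkProfiling.php performs; the tree, the devices and every tag name
not quoted in the text (DFP_*, SNMP_BROTHER, OS_WINDOWS, DNS_WORKSTATION) are
constructed for this example."""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Node:
    ept: str
    rules: dict                      # rule name -> set of tags that satisfy it
    children: list = field(default_factory=list)


def build_tree(brother_mac_vendor=frozenset()):
    """PRINTER > PRINTER_BROTHER > PRINTER_BROTHER_HLL5100DN, plus a DESKTOP branch.
    brother_mac_vendor is the tag set of PRINTER_BROTHER's MAC vendor rule."""
    hll5100 = Node("EPT_PRINTER_BROTHER_HLL5100DN",
                   {"dns": {"DNS_BROTHER_HLL5100DN_SERIES"}})
    brother = Node("EPT_PRINTER_BROTHER",
                   {"dhcp_fingerprint": {"DFP_BROTHER"}, "snmp": {"SNMP_BROTHER"},
                    "service_info": {"SSO_PRINTER_BROTHER"},
                    "mac_vendor": set(brother_mac_vendor)}, [hll5100])
    printer = Node("EPT_PRINTER",
                   {"ports": {"DOP_TCP_515", "DOP_TCP_9200"},
                    "dhcp_fingerprint": {"DFP_PRINTER"},
                    "service_info": {"SSO_PRINTER_BROTHER"}}, [brother])
    desktop = Node("EPT_DESKTOP",
                   {"dns": {"DNS_WORKSTATION"}, "os": {"OS_WINDOWS"},
                    "dhcp_fingerprint": {"DFP_WINDOWS"}})
    return Node("ROOT", {}, [printer, desktop])


def matched_rules(node, tags):
    """Names of the node's rules that the device's tag set satisfies."""
    return [name for name, accepted in node.rules.items() if accepted & tags]


def profile(node, tags, engine="new"):
    """Depth-first traversal returning every EPT whose rules the device matches.
    Old engine: every branch is visited.  New engine: a branch of which the
    device satisfies no rule is pruned, so nothing below it is evaluated."""
    matched = []
    for child in node.children:
        hits = matched_rules(child, tags)
        if hits:
            matched.append(child.ept)
        elif engine == "new":
            continue
        matched.extend(profile(child, tags, engine))
    return matched


def path_to(node, ept):
    """Root-to-EPT path (root excluded), or None if the EPT is not in the tree."""
    for child in node.children:
        if child.ept == ept:
            return [child]
        below = path_to(child, ept)
        if below:
            return [child] + below
    return None


def failing_parent(tree, ept, tags):
    """First ancestor of ept for which the device fulfils no rule, or None."""
    for ancestor in (path_to(tree, ept) or [])[:-1]:
        if not matched_rules(ancestor, tags):
            return ancestor.ept
    return None


def build_report(tree, devices):
    """Rows of the checkProfiling-style CSV: devices whose current EPT the new
    engine would no longer reach, plus the parent branch that needs editing."""
    rows = []
    for dev in devices:
        # same exclusions as the script: missing/unknown EPT and the all-zero MAC
        if dev["ept"] in (None, "EPT_UNKNOWN") or dev["mac"] == "00:00:00:00:00:00":
            continue
        parent = failing_parent(tree, dev["ept"], dev["tags"])
        if parent is None:
            continue
        hits = [f"{n.ept}:{r}" for n in path_to(tree, dev["ept"])
                for r in matched_rules(n, dev["tags"])]
        rows.append({"mac": dev["mac"], "ept": dev["ept"],
                     "tags": ",".join(sorted(dev["tags"])),
                     "matched_rules": ";".join(hits), "parent_to_modify": parent})
    return rows


def report_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["mac", "ept", "tags", "matched_rules",
                                             "parent_to_modify"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed devices: the UD from the text (3C:2A:F4:C1:E1:A6, currently
# EPT_PRINTER_BROTHER_HLL5100DN) and two records the script skips.
SAMPLE_DEVICES = [
    {"mac": "3C:2A:F4:C1:E1:A6", "ept": "EPT_PRINTER_BROTHER_HLL5100DN",
     "tags": {"DOP_TCP_515", "DOP_TCP_9200", "DNS_BROTHER_HLL5100DN_SERIES", "MAC_3C2AF4"}},
    {"mac": "00:00:00:00:00:00", "ept": "EPT_PRINTER", "tags": {"DOP_TCP_9200"}},
    {"mac": "AA:BB:CC:00:11:22", "ept": "EPT_UNKNOWN", "tags": set()},
]

if __name__ == "__main__":
    print(report_csv(build_report(build_tree(), SAMPLE_DEVICES)))   # one row
    fixed = build_tree({"MAC_3C2AF4"})        # MAC_3C2AF4 added to the MAC vendor rule
    print("rows after the fix:", len(build_report(fixed, SAMPLE_DEVICES)))  # 0
```

With the tree as built, the sample printer reaches PRINTER_BROTHER_HLL5100DN under the old engine but stops at PRINTER under the new one, and the report names EPT_PRINTER_BROTHER as the parent to modify; rebuilding the tree with MAC_3C2AF4 in the MAC vendor rule empties the report, which is the outcome the text describes for the second run of the script.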

In this case, the user device (UD) with MAC 3C:2A:F4:C1:E1:A6 would not be profiled as EPT_PRINTER_BROTHER_HLL5100DN by the new engine, as it does not meet any of the EPT_PRINTER_BROTHER rules. It is therefore necessary to add the tag MAC_3C2AF4 to the MAC vendor rule.
Go to ON NAC > Profiling > User device profiling and edit PRINTER_BROTHER:

Add the tag to the MAC vendor rule:

After running the checkProfiling.php script again, no incorrectly profiled user devices should be reported.

Note
There will be 2 scenarios in which nothing needs to be modified even if the file returns information.
Scenario 1 - Devices with expired tags may appear in the file even though their profiling is correct: the simulation only sees the tags that are still valid, so a device can fail a parent rule that it matched when it was originally profiled. Example: a printer whose port, banner and SNMP tags have expired (the UTC_DPA tag gives information about how it was profiled).

Scenario 2 - Devices whose profiling simulation returns an EPT from a branch different from the expected one can be false positives and do not necessarily require rule modifications. Example: a device that is a desktop but is returned as a printer when simulated.

5.2.11.1.17. regenerateBusinessProfiles.php
Description:
This script regenerates the Business Profiles shown in the EPT view, ensuring up-to-date information about profiles associated with user devices by filling in any missing User Device Profilings.
Execution parameters:
/usr/share/opennac/api/scripts/regenerateBusinessProfiles.php
5.2.11.1.18. synchronizeCaptiveThemes.sh
Description:
When a healthcheck indicates a failure in synchronizing captive themes (CAPTIVE_PORTAL_THEMES), it means that the captive portal themes on a Worker machine are not synchronized with the ON Principal. This script will help initiate the synchronization process and resolve any inconsistencies between the captive portal themes on the Worker machine and the ON Principal.
Execution parameters:
/usr/share/opennac/api/scripts/synchronizeCaptiveThemes.sh {IP}
{IP}: Specify the IP address of the Worker node.
/usr/share/opennac/api/scripts/synchronizeCaptiveThemes.sh {IP} {user}
{user}: Additionally, you can specify the parameter for a system user with sudo privileges but not root access.