finishing file cleanup

slack/TODO

@@ -0,0 +1,15 @@
+
+ELG
+OSSEC (with mass reg)
+
+NTP
+SSH config (banner,restrictions)
+SNMP configuration fixed
+OSSEC 
+		agent install
+		registration with server
+Central syslog
+Add to zenoss
+
+
+Create /root/builtON(date)AT(time)

slack/ts-base-ovh/files/etc/aliases

@@ -0,0 +1,3 @@
+root: prodtechopsalerts@turnsys.com
+postmaster: root
+clamav: root

slack/ts-base-ovh/files/etc/aliases(1)

@@ -0,0 +1,3 @@
+root: prodtechopsalerts@turnsys.com
+postmaster: root
+clamav: root

slack/ts-base-ovh/files/etc/cron.d/sysstat

@@ -0,0 +1,9 @@
+# The first element of the path is a directory where the debian-sa1
+# script is located
+PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Activity reports every 10 minutes everyday
+*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
+
+# Additional run at 23:59 to rotate the statistics file
+59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

slack/ts-base-ovh/files/etc/cron.d/sysstat(1)

@@ -0,0 +1,9 @@
+# The first element of the path is a directory where the debian-sa1
+# script is located
+PATH=/usr/lib/sysstat:/usr/sbin:/usr/sbin:/usr/bin:/sbin:/bin
+
+# Activity reports every 10 minutes everyday
+*/2 * * * * root command -v debian-sa1 > /dev/null && debian-sa1 1 1
+
+# Additional run at 23:59 to rotate the statistics file
+59 23 * * * root command -v debian-sa1 > /dev/null && debian-sa1 60 2

slack/ts-base-ovh/files/etc/cron.daily/clamscan

@@ -0,0 +1,14 @@
+#!/bin/bash
+#A script to scan build systems
+
+#Execute the scan
+#-i print only infected files
+#-r scan recursively
+#-stdout force everything to stdout
+#-cross-fs=no don't cross filesystems
+#--follow-dir-symlinks/--follow-file-symlinks=2 force clamav to follow all symbolic links
+#--detect-pua[=yes/no(*)] Detect Possibly Unwanted Applications. See http://www.clamav.net/support/pua for the complete list of PUA
+
+clamscan -i -r --quiet --stdout --exclude-pua=packed --cross-fs=no --follow-dir-symlinks=2 --follow-file-symlinks=2 \
+--detect-pua=yes --exclude-dir=/usr/share/doc/clamav-0.97.6/test  --exclude=".svn-base$|.py$|.xml$|.pcap$|.iso$|.txt$|.log$|pcap.|.flow$|.flow2$|.dat$|.rb$" /
+

slack/ts-base-ovh/files/etc/default/snmpd

@@ -0,0 +1,22 @@
+# This file controls the activity of snmpd and snmptrapd
+
+# Don't load any MIBs by default.
+# You might comment this lines once you have the MIBs downloaded.
+export MIBS=
+
+# snmpd control (yes means start daemon).
+SNMPDRUN=yes
+
+# snmpd options (use syslog, close stdin/out/err).
+SNMPDOPTS='-LS4d -Lf /dev/null -u snmp -g snmp -I -smux -p /var/run/snmpd.pid -c /etc/snmp/snmpd.conf'
+
+# snmptrapd control (yes means start daemon).  As of net-snmp version
+# 5.0, master agentx support must be enabled in snmpd before snmptrapd
+# can be run.  See snmpd.conf(5) for how to do this.
+TRAPDRUN=no
+
+# snmptrapd options (use syslog).
+TRAPDOPTS='-Lsd -p /var/run/snmptrapd.pid'
+
+# create symlink on Debian legacy location to official RFC path
+SNMPDCOMPAT=yes

slack/ts-base-ovh/files/etc/default/sysstat

@@ -0,0 +1,9 @@
+#
+# Default settings for /etc/init.d/sysstat, /etc/cron.d/sysstat
+# and /etc/cron.daily/sysstat files
+#
+
+# Should sadc collect system activity informations? Valid values
+# are "true" and "false". Please do not put other values, they
+# will be overwritten by debconf!
+ENABLED="true"

slack/ts-base-ovh/files/etc/ntp.conf

@@ -0,0 +1,8 @@
+restrict 127.0.0.1
+restrict ::1
+driftfile /var/lib/ntp/drift
+server tsys-winsrv.turnsys.net
+server tplab-dc02.tplab.tippingpoint.com
+
+restrict default limited kod nomodify notrap nopeer noquery
+restrict -6 default limited kod nomodify notrap nopeer noquery

slack/ts-base-ovh/files/etc/pki/ca-trust/source/anchors/TippingPointCARootCert.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFsTCCA5mgAwIBAgIQPScq9qCwUrtAEaVlK2jqwzANBgkqhkiG9w0BAQsFADBr
+MRMwEQYKCZImiZPyLGQBGRYDY29tMRwwGgYKCZImiZPyLGQBGRYMdGlwcGluZ3Bv
+aW50MRUwEwYKCZImiZPyLGQBGRYFdHBsYWIxHzAdBgNVBAMTFlRpcHBpbmdQb2lu
+dENBUm9vdENlcnQwHhcNMTYwMTA2MDA0MjIxWhcNMjYwMTA2MDA1MjE4WjBrMRMw
+EQYKCZImiZPyLGQBGRYDY29tMRwwGgYKCZImiZPyLGQBGRYMdGlwcGluZ3BvaW50
+MRUwEwYKCZImiZPyLGQBGRYFdHBsYWIxHzAdBgNVBAMTFlRpcHBpbmdQb2ludENB
+Um9vdENlcnQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCgbaS0izbY
+qSNT6fMB+bOgTK3w++1p5IlGboQXKY2pQqZJ/JukO+WiLUn7+Owl8Nfqk6ihd9Xz
+zTcSJiZTI8ENUBfGLfEKxdHgOlgxU6+Tk6PNfEWw3wmVkhRd0noty1xfOVOr4kH7
+8iPwT8uCBxzpU206bjVKowhsnRrqTXj6N0UiQP1EzSz3m/2aSNMT1E4kQqkYoaHL
+mA68ODGXWtIfAVpc7qnwKEQ3amfBtZ8dv2xz75O9ks/Q7PICIz3s22LsUhpiy7Au
+4ZATNYyD/NDUMKl+YmkM9CHdL4izof7Kb8uQ46TLdC0ww6SaN+suDGY99RMgzKxJ
+vbPR7Zgmj8Frao5Bp8S25eZ8vCWNWAQ9MHt6H4PbzPN9tCoTTn3IEdBw6V+hR187
+Eqzg+3ZTK+3sfsYrjRfV2dcTjCfHJFkmmEDIQ/0F9RwhWvUSG7sfkYEHmGAQBQqu
+XSJjssGrVK37QBQ4RdDhkE1eCc/s7R8/0j3KOH/pfiEoFqH6etaBHci6N2zA6yjV
+t4mnVjVj/dk19GKWTH5+nHAM4TH0Jo68fpyarxktnMWXgtKbgxnPIQHAJbr3oP3q
+2xZrm7eZflzjlSdrqTnAr8OxcjF0Ayima5Ru6BAAjG6MH4+N5BIfXLbeDU5Au1IN
+vRuIAtwL1Gf96xRtSMdBjxV1LvZ+3ULQdQIDAQABo1EwTzALBgNVHQ8EBAMCAYYw
+DwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUhFFfhb8mfpDmyU6pLPhr66/bS1ow
+EAYJKwYBBAGCNxUBBAMCAQAwDQYJKoZIhvcNAQELBQADggIBABGI6lL8WZpWvDJa
+MZkHQ3bNNxCsWAJYl8tQInE4H4dcxkJoQ25HtNTYG/q5+biNuNX1FnS4b5hrjwJt
+eXKX69+iK8ZIw4ZHF2dju11neGWA+erOicfm9U/dR3yr3C4qreLRJUKy4gnzNw7Y
+ZELZYnzBJU1UkqIjBpV6Zc96YcxS90G43G/3X8A05wrcVqdlSbCOTiss3uhBPSK3
+2muXsb7X7le6dMPDdRWuGrxDg273nydpA8kJKVjYX+iQ6Sb2xCFZOysddT0GE+GP
+MR9WrPQXy8vc/p6Pdxh63Re573uvFSw1bZlFg8HnPm/zOfgJGRKL9MlxVuwXayuD
+mwC6VpZQEM9hTQGlvYgoDXKLNlYubHCsjMMVsd04duAe3zGnJTTG/Cx2s0d47W85
+XSILHoSFFCzLZKyJLP+YIyPmwn8AvP60BOhZ3/8qG0CHKZLFE12y+zdcMkC9zvPZ
+LJjbQj/b+3FV2R62qCQ9sv+VvYVNOzPt739HhEj0vRjE6P3rziEKLti+2/yU7nmg
+yJ2yzThkVDxlyGApK4v+5zmXFcW4Gx8B9S/xfAjNbg3G+suPZk7BZimwb525DS+h
+qUVykOjMjc032vdmxDG8otD5sI7VGo9SpY/rmiopgCIjhyyf6nIjw7zWK0rYyVY/
+woFdFg8zctyGe5NDFFENaWUjtXtE
+-----END CERTIFICATE-----

slack/ts-base-ovh/files/etc/pki/ca-trust/source/anchors/hpca2ssG2_ns.crt

@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIQVbqNi0d6mBqn4MEPf0l2vTANBgkqhkiG9w0BAQUFADCB
+njEPMA0GA1UEChMGaHAuY29tMRowGAYDVQQLExFJVCBJbmZyYXN0cnVjdHVyZTEL
+MAkGA1UEBhMCVVMxIDAeBgNVBAoTF0hld2xldHQtUGFja2FyZCBDb21wYW55MUAw
+PgYDVQQDEzdIZXdsZXR0LVBhY2thcmQgUHJpdmF0ZSBDbGFzcyAyIENlcnRpZmlj
+YXRpb24gQXV0aG9yaXR5MB4XDTExMDgyMzAwMDAwMFoXDTIxMDgyMjIzNTk1OVow
+gZ4xDzANBgNVBAoTBmhwLmNvbTEaMBgGA1UECxMRSVQgSW5mcmFzdHJ1Y3R1cmUx
+CzAJBgNVBAYTAlVTMSAwHgYDVQQKExdIZXdsZXR0LVBhY2thcmQgQ29tcGFueTFA
+MD4GA1UEAxM3SGV3bGV0dC1QYWNrYXJkIFByaXZhdGUgQ2xhc3MgMiBDZXJ0aWZp
+Y2F0aW9uIEF1dGhvcml0eTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+AKfXIcPOZT2dpt6b8WzjBl0gSrRfM30xMHxJG0xlEuM8WGevR0vNFNTw4i+tVafB
+CpLLUWliRlj9AWjsIRLRsuMp1goMci1yhs/4wzcGDOI4Ax+xp9/pkjomKmC1b1cB
+KVzqgwtfjBwfynDfss1mWe7NJaYEvpFYTBoAgJu2eBdI2r5JWQDITKNk1suB2tUP
++K+x2i0R/BTMSm1tmGOwIN3q8yKD3gI9UEp9iTWisTY6P84rDd7mu6DLpuGj+M7y
+OAssk487zA0NHJgQiObnaeLZlGhlrVHNNP8pfCYy5J0rL8nclsN71Tp4KwvBOKj1
+/DWXTj1KOOH8o7mpQ1vJKBUCAwEAAaOBkjCBjzAOBgNVHQ8BAf8EBAMCAQYwEgYD
+VR0TAQH/BAgwBgEB/wIBATApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRVmVyaVNp
+Z25NUEtJLTItOTMwHQYDVR0OBBYEFDft9xV5LTClmJp1tlw344jqEWrVMB8GA1Ud
+IwQYMBaAFDft9xV5LTClmJp1tlw344jqEWrVMA0GCSqGSIb3DQEBBQUAA4IBAQCb
+N8G+cyzWazSAWPdVXNwM+KczUorjHK4XWSvwtR3YM7Iiwhoe+IQOxgvawwV1nxaf
+DujY8Dw2HbnoNXAsliBJL5cQ3g9DOX2KMa5AgZUawW6EWsPJXKxf1oIV3VHgyESp
+nJXUoLhCzUoz1Av7SFg2Fh6BqLTgslJ0c0kpm+IVl2CCN9Aqh01iKEctpafrnAcN
+IEdkvKsT5GaxMidQuZjlrlRpX5Gu9t4yRdBNX3A5pTfQIa0uqRmhEAPLcFucD9BS
+qqtehrPH+B+fGCyZIjD/JQpl6jQ0uDtAygXiIDIILKOg2wVd7SBB7Wru9RxiZmCj
+JjMDuDgcbh+4mXM7fWWq
+-----END CERTIFICATE-----

slack/ts-base-ovh/files/etc/postfix/main.cf

@@ -0,0 +1,38 @@
+# See /usr/share/postfix/main.cf.dist for a commented, more complete version
+# Debian specific:  Specifying a file name will cause the first
+# line of that file to be used as the name.  The Debian default
+# is /etc/mailname.
+#myorigin = /etc/mailname
+
+smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
+biff = no
+
+# appending .domain is the MUA's job.
+append_dot_mydomain = no
+
+# Uncomment the next line to generate "delayed mail" warnings
+#delay_warning_time = 4h
+
+readme_directory = no
+
+# TLS parameters
+smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_use_tls=yes
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+
+# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
+# information on enabling SSL in the smtp client.
+
+smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
+myhostname = txn04-server-template
+alias_maps = hash:/etc/aliases
+alias_database = hash:/etc/aliases
+mydestination = txn04-server-template, localhost.localdomain, localhost
+relayhost = qarelay.tplab.tippingpoint.com
+mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
+mailbox_size_limit = 0
+recipient_delimiter = +
+inet_interfaces = all
+inet_protocols = all

slack/ts-base-ovh/files/etc/profile

@@ -0,0 +1,34 @@
+# /etc/profile: system-wide .profile file for the Bourne shell (sh(1))
+# and Bourne compatible shells (bash(1), ksh(1), ash(1), ...).
+
+if [ "$PS1" ]; then
+  if [ "$BASH" ] && [ "$BASH" != "/bin/sh" ]; then
+    # The file bash.bashrc already sets the default PS1.
+    # PS1='\h:\w\$ '
+    if [ -f /etc/bash.bashrc ]; then
+      . /etc/bash.bashrc
+    fi
+  else
+    if [ "`id -u`" -eq 0 ]; then
+      PS1='# '
+    else
+      PS1='$ '
+    fi
+  fi
+fi
+
+# The default umask is now handled by pam_umask.
+# See pam_umask(8) and /etc/login.defs.
+
+if [ -d /etc/profile.d ]; then
+  for i in /etc/profile.d/*.sh; do
+    if [ -r $i ]; then
+      . $i
+    fi
+  done
+  unset i
+fi
+
+export HISTTIMEFORMAT="%Y-%m-%d %T "
+
+set -o vi

slack/ts-base-ovh/files/etc/resolv(1).conf

@@ -0,0 +1,4 @@
+nameserver 10.253.3.86
+domain turnsys.net
+search turnsys.net
+options timeout:1 attempts:2 rotate

slack/ts-base-ovh/files/etc/resolv.conf

@@ -0,0 +1,4 @@
+nameserver 10.253.3.86
+domain turnsys.net
+search turnsys.net
+options timeout:1 attempts:2 rotate

slack/ts-base-ovh/files/etc/snmp/snmpd.conf

@@ -0,0 +1,11 @@
+com2sec readonly  default  kn3l
+group MyROGroup v1         readonly
+group MyROGroup v2c        readonly
+group MyROGroup usm        readonly
+view all    included  .1                               80
+access MyROGroup ""      any       noauth    exact  all    none   none
+includeAllDisks 20%
+syslocation OVH Montreal CA
+syscontact techops-alerts@turnsys.com
+#This line allows Observium to detect the host OS if the distro script is installed
+extend .1.3.6.1.4.1.2021.7890.1 distro /usr/bin/distro 

slack/ts-base-ovh/files/etc/ssh/sshd-banner

@@ -0,0 +1,11 @@
+Welcome Human.
+
+This is a private system operated for Turn Net Systems LLC  official company business
+only. Prior authorization is required to use this system. 
+
+The Turn Net Systems LLC Standards of Business Conduct and all Turn Net Systems LLC
+Information Security policies and standards must be strictly followed  
+at all times. Use by unauthorized persons is prohibited and may 
+result in civil and/or criminal liability and prosecution.
+
+Please contact techops-discuss@turnsys.com for any issues with this system.

slack/ts-base-ovh/files/etc/ssh/sshd_config

@@ -0,0 +1,99 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin without-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+
+DenyUsers labuser
+#AllowUsers localuser
+#DenyGroups
+#AllowGroups esplabadmins
+
+Banner /etc/ssh/sshd-banner
+
+Match user localuser
+PasswordAuthentication no

slack/ts-base-ovh/files/etc/ssh/sshd_config.ubuntu

@@ -0,0 +1,98 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 768
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin yes
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile	%h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication yes
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#Deny access to labuser on linux virtual machines. Per Rick Fangman 12/16/2013 weekly meeting
+DenyUsers labuser
+
+#AllowUsers localuser
+#DenyGroups
+#AllowGroups esplabadmins
+
+Banner /etc/ssh/sshd-banner
+
+Match user localuser
+PasswordAuthentication no

slack/ts-base-ovh/files/etc/ssh/welcome-banner

@@ -0,0 +1,12 @@
+Hello Trender.
+
+IMPORTANT INFO ABOUT THIS VIRTUAL MACHINE!! 
+                                                           
+ This virtual machine is considered expendable therefore   
+ it is not backed up. Your home directory (/home) however, 
+ is backed up so please store data you do not wish to lose 
+ there. The lab team will make a best effort attempt to     
+ troubleshoot virtual machine issues and will re-deploy     
+ the VM if issues are not easily resolved. Any questions   
+ should be directed to tplabsupport@trendmicro.com
+

slack/ts-base-ovh/files/etc/sssd/sssd.conf

@@ -0,0 +1,28 @@
+[sssd]
+services = nss, pam
+config_file_version = 2
+domains = TURNSYS.NET
+filter_users = rackrental,rundeck
+filter_groups = rackrental,rundeck
+
+[domain/TURNSYS.NET]
+id_provider = ad
+access_provider = ad
+
+# Use this if users are being logged in at /.
+# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
+override_homedir = /local/%u
+
+# Uncomment if the client machine hostname doesn't match the computer object on the DC.
+# ad_hostname = mymachine.myubuntu.example.com
+
+# Uncomment if DNS SRV resolution is not working
+# ad_server = dc.mydomain.example.com
+
+# Uncomment if the AD domain is named differently than the Samba domain
+# ad_domain = MYUBUNTU.EXAMPLE.COM
+
+# Enumeration is discouraged for performance reasons.
+enumerate = true
+
+

slack/ts-base-ovh/files/etc/sudoers

@@ -0,0 +1,34 @@
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
+#
+# See the man page for details on how to write a sudoers file.
+#
+Defaults        env_reset
+Defaults        mail_badpass
+Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# User privilege specification
+root    ALL=(ALL:ALL) ALL
+
+# Members of the admin group may gain root privileges
+%admin ALL=(ALL) ALL
+%adm ALL=(ALL) ALL
+
+# Allow members of group sudo to execute any command
+%sudo   ALL=(ALL:ALL) ALL
+
+# See sudoers(5) for more information on "#include" directives:
+
+#includedir /etc/sudoers.d
+
+%pelanelikeslilboyz ALL=(ALL) NOPASSWD: ALL
+localuser ALL=(ALL)   NOPASSWD: ALL

slack/ts-base-ovh/files/local/localuser/.ssh/authorized_keys

@@ -0,0 +1,6 @@
+#Brendan's key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCv0uQyWWp758LhpmCP2CDUl/6jO1Fp4gp0/OW3Od1LSl2/Rv1LWMMejcM/K0URdBymZvcxzuaz1DQ63ufGvzp7NpVe2+iQfN08yZCdzcYMZkugj4ZKaGcQzpjP4gaEZRJuq5I7YY6mI6i6+IyxgV6egWYy3hllYc+J40WS2lyNGZ1T8KKrFjDzqqgJQ83b2meYrlXCojx1V8gJ4hvgOrPMh4FwkeQgpu0nDf5EXAFLFgGOSAUew8G/3czxvpxSg+B9I33PIb8uJtjzh0b+qnIGQJjY5y58MoqZZIoMIiYEPjzLF116VHOft7Eo2CqOoHPZZ68XBCGaRY9OJus07ES2V+dBjEXFezXULnw0fCClf/Phke2e5yBHUuFZaL9ARmrnHRK9aZ+eTMvBtVrQ2OJVFDt8dhO2C5KNzXVkVHsLJ3rFK5a76Jd3y40aIvdaS/8MhX6dkD+r4+xzVUYnY8MDHkLGEnF6kG+Wolx/fVLHrgR7o3lTDm8A/5g6Vl6cglEg8ojH5i2KY4tcaGEyFIxkgAL/PFTcWcLvTCusqQ+4bewaxvRa099HIu7BT6u8BpVa+Xojub5R1/7lvRUlf8y3kzmLOEvzWGSr/npbJavomRs12xOVDlEKJfRU7eSys/wLZO7G/yyky4sltqyu+qMho3sM1Xcan86viwvDD2NcOw== 17:3d:ee:52:6c:19:90:66:8c:47:c0:60:04:1b:d1:bf brendan-key
+#Charles' key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCo5T0FEUKoYaxRhjs9yWzKtEyXuKJvTWolryD395eqyBJ0xOxbkXJ+8EMwKtWM6NW5qaqWbT2JJ/VzOIcoYmxAu++qwSWOeskVr+FxPr2ypaWD98nJy+CpZ9RN6Pw6KikHakyqzSUWKXdovWiTpdzqRO+j0LmJmgUiT3Nsh42eybvt/T7JMkVG4W+joRX+DCS4UIRRQgMRD4TqBQ/jr9m7Vs0aJn1lflgsprsacgog+sHlEzitwwcRqMNpp5Jm0Dfhj6PqAvsgKJYWOOMFVowvGsqnQ9wqJo5AlllbTGV1RHeIBO3fRRU8Ud9TPA3Afx16/apf1nkLhV8QX9mIxEWp id_rsa
+#Rundeck key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1dPKaThs0gabBi3fyTqcSMm0yznf9gKD4/LeTGaYdeKKebWTsxLgFjoi6pNm/QrhUTwc86+K55LT5L8MLN05Vtgs2L5VL5gEAjRMdZABujrqnsLbsHs/EwOhr1Jtq7YhyWeeh8zs4dApq3xWUepgOrBHrjMjkKo4ygerQuNgDYZsnul0U+tqTdnt1S3G8kwRaycBzJAnAAFShbBNJtj4s1dDhcQl8FAwcdFkV4YmyyTT91m9XGAAUvqZvYaNjCPa2s2InnR9adSEss4BfU/xwoVMMZ7rO0juwwzqDlklNcH22pId8I3Ljp7OxMi0Q5O1GXVa63ocb+j4/cz+r/u37 root@toolbox

slack/ts-base-ovh/files/root/.ssh/authorized_keys

@@ -0,0 +1,2 @@
+#Rundeck key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1dPKaThs0gabBi3fyTqcSMm0yznf9gKD4/LeTGaYdeKKebWTsxLgFjoi6pNm/QrhUTwc86+K55LT5L8MLN05Vtgs2L5VL5gEAjRMdZABujrqnsLbsHs/EwOhr1Jtq7YhyWeeh8zs4dApq3xWUepgOrBHrjMjkKo4ygerQuNgDYZsnul0U+tqTdnt1S3G8kwRaycBzJAnAAFShbBNJtj4s1dDhcQl8FAwcdFkV4YmyyTT91m9XGAAUvqZvYaNjCPa2s2InnR9adSEss4BfU/xwoVMMZ7rO0juwwzqDlklNcH22pId8I3Ljp7OxMi0Q5O1GXVa63ocb+j4/cz+r/u37 root@toolbox

slack/ts-base-ovh/files/root/.ssh/authorized_keys(1)

@@ -0,0 +1,2 @@
+#Rundeck key
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1dPKaThs0gabBi3fyTqcSMm0yznf9gKD4/LeTGaYdeKKebWTsxLgFjoi6pNm/QrhUTwc86+K55LT5L8MLN05Vtgs2L5VL5gEAjRMdZABujrqnsLbsHs/EwOhr1Jtq7YhyWeeh8zs4dApq3xWUepgOrBHrjMjkKo4ygerQuNgDYZsnul0U+tqTdnt1S3G8kwRaycBzJAnAAFShbBNJtj4s1dDhcQl8FAwcdFkV4YmyyTT91m9XGAAUvqZvYaNjCPa2s2InnR9adSEss4BfU/xwoVMMZ7rO0juwwzqDlklNcH22pId8I3Ljp7OxMi0Q5O1GXVa63ocb+j4/cz+r/u37 root@toolbox

slack/ts-base-ovh/files/usr/local/bin/upAndRoll.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+apt-get update
+apt-get -y --purge autoremove
+apt-get -y upgrade
+apt-get -y dist-upgrade
+apt-get -y --purge autoremove
+/sbin/reboot
+

slack/ts-base-ovh/scripts/fixfiles

@@ -0,0 +1,4 @@
+chown -R localuser /var/lib/slack/stage/roles/txn04-base/files/local/localuser/
+chgrp -R localuser /var/lib/slack/stage/roles/txn04-base/files/local/localuser/
+chown -R localuser /var/lib/slack/stage/roles/txn04-base/files/local/localuser/.ssh/*
+chgrp -R localuser /var/lib/slack/stage/roles/txn04-base/files/local/localuser/.ssh/*

slack/ts-base-ovh/scripts/postinstall

@@ -0,0 +1,71 @@
+#!/bin/bash -l
+#
+
+set -o nounset
+
+#ovhbase slack postinstall script
+#This contains code that is run across 100% of the Linux systems built at Turn Net Systems LLC for subscribing series managed by Charles/Brendan
+#Author: Charles N Wyble
+#Copyright ALL RIGHTS RESERVED BY TURN NET SYSTEMS
+
+
+#Boilerplate function
+#Code for error handling
+error-out()
+{
+
+echo "Errors!!!"
+exit 1
+
+}
+
+#####################################################################################################################################
+#Called from main
+#Takes two arguments, both are environment variables setup in the main function
+#####################################################################################################################################
+main()
+{
+
+#Step 1: Update the cache and apply all vendor patches
+export DEBIAN_FRONTEND="noninteractive" && apt-get -y update 
+export DEBIAN_FRONTEND="noninteractive" && apt-get -y dist-upgrade
+
+#Step 2: Cleanup default cruft 
+export DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes --force-yes --purge remove nano resolvconf
+
+#Step 3: Creature comforts
+DEBIAN_FRONTEND="noninteractive" && apt-get -qq --yes --force-yes -o Dpkg::Options::="--force-confold" install snmpd sssd-ad sysv-rc-conf ncdu iftop nethogs screen open-vm-tools acct tshark tcpdump glances dstat htop sysdig sysstat ntp rsync ngrep ufw clamav logwatch zsh sl postfix krb5-user samba autofs adcli molly-guard git
+
+#Turn on process accounting
+accton on 
+
+
+#Set services to start on startup
+#sysv-rc-conf on snmpd
+
+#Firewall
+ufw --force enable
+ufw allow ssh/tcp
+ufw allow proto udp from 15.226.142.38 to any port 161
+
+#SSL bits
+update-ca-certificates
+
+echo "Server type is $1"
+
+#Join active directory only if we are a cvm or prod system
+		/etc/init.d/ntp stop
+		ntpdate tsys-winsrv.turnsys.net
+
+		/etc/init.d/ntp start
+		echo -n 'adjoin123' | adcli join -U addcomputer -D turnsys.net -S tsys-winsrv.turnsys.net --stdin-password -v
+		chmod 600 /etc/sssd/sssd.conf
+		chown root:root /etc/sssd/sssd.conf
+		service sssd start
+
+}
+
+#####################################################################################################################################
+#Execution starts main()																											#
+#####################################################################################################################################
+main