Merge pull request duosecurity#175 from vbscott/support_makefile

Support makefile

Makefile.am

@@ -1,7 +1,7 @@
 
 ACLOCAL_AMFLAGS = -I autotools
 
-SUBDIRS = compat lib login_duo
+SUBDIRS = compat lib login_duo duo_unix_support
 
 if PAM
 SUBDIRS += pam_duo

configure.ac

@@ -183,6 +183,6 @@ AC_REPLACE_FUNCS([asprintf getgrouplist strlcpy vsyslog])
 AC_SEARCH_LIBS(inet_ntoa, nsl)
 AC_SEARCH_LIBS(socket, socket)
 
-AC_CONFIG_FILES(Makefile compat/Makefile lib/Makefile lib/libduo.pc login_duo/Makefile pam_duo/Makefile tests/Makefile tests/unity_tests/Makefile tests/unity_tests/Unity-2.4.3/Makefile)
+AC_CONFIG_FILES(Makefile compat/Makefile duo_unix_support/Makefile lib/Makefile lib/libduo.pc login_duo/Makefile pam_duo/Makefile tests/Makefile tests/unity_tests/Makefile tests/unity_tests/Unity-2.4.3/Makefile)
 
 AC_OUTPUT

duo_unix_support/Makefile.am

@@ -0,0 +1,5 @@
+docdir = $(datadir)/doc/@PACKAGE@/duo_unix_support
+doc_DATA = README.md
+
+sbin_SCRIPTS = duo_unix_support.sh
+EXTRA_DIST = duo_unix_support.sh README.md

duo_unix_support/README.md

@@ -0,0 +1,44 @@
+The Duo Unix Support Script is intended to be used to gather information used for debugging Duo Unix issues by Duo Security.  The main purpose of this script is to easily gather and tar information for the sole purpose of debugging.  Please use this script as directed by Duo and delete the tarball, /etc/duo/duo_unix_support.tar.gz, that is generated after use.
+This script is supported by Debian, Ubuntu, Red Hat Enterprise Linux, and CentOS.
+The following information may be gathered by this script depending on the Operating System:
+
+Logs
+    /var/log/secure
+    /var/log/messages
+    /var/log/auth.log
+    /var/log/syslog
+
+Configs
+    /etc/duo/login_duo.conf
+    /etc/duo/pam_duo.conf
+    (With the skeys scrubbed)
+    /etc/ssh/sshd_config
+
+PAM Stacks
+    /etc/pam.d/sshd
+    /etc/pam.d/passwd
+    /etc/pam.d/common-auth
+    /etc/pam.d/system-auth
+
+SELinux
+    sebools
+    semodules
+    sestatus
+    Policies that use TCP sockets
+
+Software versions
+    Operating System
+    Kernel
+    OpenSSL
+    OpenSSH
+    Duo Unix
+    gcc
+    make
+
+Use
+    Ensure either that you are logged in as root or are using sudo before proceeding.
+
+    # chmod +x ./duo_unix_support.sh
+    # ./duo_unix_support.sh
+
+    This script will create the file duo_unix_support.tar.gz which will be located in /etc/duo. Delete duo_unix_support.tar.gz after use.

duo_unix_support/duo_unix_support.sh

@@ -0,0 +1,196 @@
+#!/usr/bin/env bash
+
+# Users can have login_duo installed in different locations by defining a --prefix flag at compile time
+PREFIX="/usr"
+README_INSTALL="/usr/local"
+options=$(getopt -o h -l prefix: -- "$@")
+while true; do
+    case "$1" in
+    --prefix)
+        shift;
+        PREFIX="$1"
+        README_INSTALL="$1"
+        ;;
+    -h)
+        echo "Usage:"
+        echo "    ./duo_unix_support.sh -h                       Display this help message."
+        echo "    ./duo_unix_support.sh --prefix [dir_name]      Add prefix used to compile Duo Unix with if changed from the default."
+        exit
+        ;;
+    *)
+        shift
+        break
+        ;;
+    esac
+    shift
+done
+
+echo -e "The Duo Unix support script gathers and aggregates information about your Duo Unix installation and the server it is installed on for easy sending to Duo Security support. This script is intended to be used with Debian, Ubuntu, RHEL, and CentOS systems. While use of this script is not required for support cases with Duo, it is highly recommended as it will expedite the support and debugging process. Namely, this script collects:\n\n\t* Logfiles in /var/log, such as auth and secure\n\t* PAM configurations in /etc/pam.d, such as common-auth or sshd\n\t* SSHD configurations in /etc/ssh\n\t* Information about the server distribution and relevant libraries such as SELinux or OpenSSL\n\t* Configurations for pam_duo and login_duo scrubbed of sensitive skeys\n\nThese files are typically asked for during support cases with Duo. We advise that you review any of these files prior to running this script should you wish to expunge any other information you deem sensitive from these files. For a full list of the information collected by this script, see ${README_INSTALL}/share/doc/duo_unix/duo_unix_support/README.md."
+
+read -rp "Do you wish to run this program? [N/y] " user_input
+
+case $user_input in
+    [Yy]* ) ;;
+    *) exit;;
+esac
+
+# Ensure that the person running this script is root
+if [ $(id -u) != 0 ]; then
+    echo "Please rerun as root"
+    exit
+fi
+# If there is an existing support file or tarball then delete them
+if [ -d '/etc/duo/duo_unix_support' ]; then
+    rm -rf /etc/duo/duo_unix_support
+fi
+
+if [ -e '/etc/duo/duo_unix_support.tar.gz' ]; then
+   rm -r /etc/duo/duo_unix_support.tar.gz
+fi
+
+if [ -e '/etc/duo' ]; then
+    mkdir /etc/duo/duo_unix_support
+    cd /etc/duo/duo_unix_support
+else
+    echo -e "\nNo Duo Unix installation found, exiting"
+    exit
+fi
+
+# Try to get distro name/version from *-release files.
+# This could be something like rhel-release, os-release, lsb_release...
+if [ -f /etc/os-release ]; then
+    # Covers most modern distros/versions
+    . /etc/os-release
+    OS=${ID}
+    VER=${VERSION_ID}
+
+elif rpm -q centos-release > /dev/null 2>&1; then
+    # Older versions of CentOS that have unconventional *-release files
+    # without $ID, $VERSION_ID, or the like
+    # eg. /etc/rhel-release on CentOS6 reads: CentOS release 6.9 (Final)
+    OS='centos'
+    VER=$(rpm -q --queryformat '%{VERSION}' centos-release)
+
+elif rpm -q redhat-release-server > /dev/null 2>&1; then
+    # Older versions of RHEL that have unconventional *-release files
+    OS='rhel'
+    VER=$(rpm -q --queryformat '%{RELEASE}' redhat-release-server | awk -F. '{print $1}')
+
+elif [ -f /etc/lsb-release ]; then
+    # Certain newer versions of Debian/Ubuntu
+    . /etc/lsb-release
+    OS=${DISTRIB_ID}
+    VER=${DISTRIB_RELEASE}
+
+elif [ -f /etc/debian_version ]; then
+    # Certain older versions of Debian
+    OS='debian'
+    VER=$(cat /etc/debian_version)
+
+else
+    VER=$(uname -a)
+fi
+
+KERNEL=$(uname -srm)
+OPENSSL_VER=$(openssl version)
+
+# login_duo can exist in different locations
+if [ -e "${PREFIX}/sbin/login_duo" ]; then
+    echo "duo_unix=$(${PREFIX}/sbin/login_duo -v 2>&1)" >> configuration.txt
+elif [ -e "${PREFIX}/local/sbin/login_duo" ]; then
+    echo "duo_unix=$(${PREFIX}/local/sbin/login_duo -v 2>&1)" >> configuration.txt
+else
+    echo "Could not find version of Duo Unix (login_duo was not found)" > configuration.txt
+fi
+
+echo "operating_system=${OS}" >> configuration.txt
+echo "version=${VER}" >> configuration.txt
+echo "kernel=${KERNEL}" >> configuration.txt
+echo "openssl_version=${OPENSSL_VER}" >> configuration.txt
+echo "ssh=$(ssh -V 2>&1)" &>> configuration.txt
+echo -e "\nGathering logs and pam configs"
+# Check if the user has gcc and make
+if type gcc >/dev/null; then
+   GCC_VER=$(gcc --version)
+   echo "gcc=$GCC_VER" | grep "gcc" >> configuration.txt
+fi
+if type make >/dev/null; then
+   MAKE_VER=$(make --version)
+   echo "make=$MAKE_VER" | grep "make" >> configuration.txt
+fi
+
+# Copy over common configurations and scrub the skey from the configs
+
+echo "* Successfully copied login_duo.conf"
+sed '/skey/d' /etc/duo/login_duo.conf > login_duo.conf
+chmod --reference /etc/duo/login_duo.conf login_duo.conf
+
+# The user might not have pam_duo install on their system
+if [ -e '/etc/duo/pam_duo.conf' ]; then
+    echo "* Successfully copied pam_duo.conf"
+    sed '/skey/d' /etc/duo/pam_duo.conf > pam_duo.conf
+    chmod --reference /etc/duo/pam_duo.conf pam_duo.conf
+fi
+
+check_and_cp () {
+  # Check for non-empty argument
+  if [ -z $1 ]; then
+    echo "Empty argument passed in! Skipping."
+  fi
+
+  # Attempt to cp the file over
+  if [ -e $1 ]; then
+    stderr_output=$(cp -p $1 . 2>&1)
+    if [ -z $stderr_output ]; then
+      echo "* Successfully copied $1"
+    else
+      echo "Could not copy $1: $stderr_output"
+    fi
+  fi
+}
+
+#Different Unix systesm utilize different files, it is alright if not all are gathered.
+COPY_FILES=(
+           "/etc/pam.d/sshd"
+           "/etc/pam.d/common-auth"
+           "/etc/pam.d/passwd"
+           "/etc/pam.d/system-auth"
+           "/etc/pam.d/password-auth"
+           "/etc/ssh/sshd_config"
+           "/var/log/messages"
+           "/var/log/secure"
+           "/var/log/auth.log"
+           "/var/log/syslog"
+)
+
+for path in "${COPY_FILES[@]}"
+do
+  check_and_cp $path
+done
+
+# Copy over configurations related only to centos or rhel
+if type sestatus &>/dev/null; then
+    # Get information about their SELinux policies
+    echo -e "\nGathering information about SELinux"
+    SESTATUS=$(sestatus)
+    SEMODULES=$(semodule -l)
+    SEBOOLS=$(getsebool -a)
+
+    echo "sestatus=$SESTATUS" >> selinux_config.txt
+    echo "$SEMODULES" >> selinux_modules.txt
+    echo "sebools=$SEBOOLS" >> selinux_bools.txt
+
+    #Check to see if sesearch is installed and if it is get policies that use the tcp_socket
+    if type sesearch &>/dev/null; then
+        SESEARCH=$(sesearch -c tcp_socket -AC)
+        echo "sesearch=$SESEARCH" >> selinux_config.txt
+    fi
+fi
+cd ../
+if tar -zcpf duo_unix_support.tar.gz duo_unix_support/; then
+    chmod 600 /etc/duo/duo_unix_support.tar.gz
+    rm -rf /etc/duo/duo_unix_support/
+    echo -e "\nPlease send /etc/duo/duo_unix_support.tar.gz to support@duosecurity to open a new support case or continue an ongoing case.\nWe strongly recommend that you keep this file local in the meantime to prevent the tarball from becoming world-readable on flash drives for example. Remember to delete this tarball once sent in."
+else
+    echo -e "\nFailed to tar /etc/duo/duo_unix_support files, exiting."
+fi