Google Git
Sign in
apache / vcl / 01ce4947024c4c02ee004a1cc93abceb06409925 / . / managementnode / lib / VCL / Module / OS / Windows.pm
blob: f65c241372c440cd76d3e5911bbe35336c11029c [file] [log] [blame]
#!/usr/bin/perl -w
###############################################################################
# $Id$
###############################################################################
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
###############################################################################
=head1 NAME
VCL::Module::OS::Windows - Windows OS support module
=head1 SYNOPSIS
Needs to be written
=head1 DESCRIPTION
This module provides...
=cut
###############################################################################
package VCL::Module::OS::Windows;
# Specify the lib path using FindBin
use FindBin;
use lib "$FindBin::Bin/../../..";
# Configure inheritance
use base qw(VCL::Module::OS);
# Specify the version of this module
our $VERSION = '2.5.1';
# Specify the version of Perl to use
use 5.008000;
use strict;
use warnings;
use diagnostics;
use Encode;
use English '-no_match_vars';
use File::Basename;
use MIME::Base64;
use Net::Netmask;
use Text::CSV_XS;
use VCL::utils;
###############################################################################
=head1 CLASS VARIABLES
=cut
=head2 $SOURCE_CONFIGURATION_DIRECTORY
Data type : String
Description : Location on the management node of the files specific to this OS
module which are needed to configure the loaded OS on a computer.
This is normally the directory under 'tools' named after this OS
module.
Example:
/usr/local/vcl/tools/Windows
=cut
our $SOURCE_CONFIGURATION_DIRECTORY = "$TOOLS/Windows";
=head2 $NODE_CONFIGURATION_DIRECTORY
Data type : String
Description : Location on computer on which an image has been loaded where
configuration files reside. The files residing on the managment
node in the directory specified by $NODE_CONFIGURATION_DIRECTORY
are copied to this directory.
Example:
C:\Cygwin\home\root\VCL
=cut
our $NODE_CONFIGURATION_DIRECTORY = 'C:/Cygwin/home/root/VCL';
=head2 %TIME_ZONE_INFO
Data type : Hash
Description : Windows time zone code information. The hash keys are the
numerical Windows time zone codes used for things such as
Sysprep.
=cut
our %TIME_ZONE_INFO = (
'Afghanistan Standard Time' => {'abbreviation' => 'KAB', 'offset' => '+04:30', 'code' => '175'},
'Alaskan Standard Time' => {'abbreviation' => 'ALA', 'offset' => '-09:00', 'code' => '3'},
'Arab Standard Time' => {'abbreviation' => 'BKR', 'offset' => '+03:00', 'code' => '150'},
'Arabian Standard Time' => {'abbreviation' => 'ABT', 'offset' => '+04:00', 'code' => '165'},
'Arabic Standard Time' => {'abbreviation' => 'BKR', 'offset' => '+03:00', 'code' => '158'},
'Atlantic Standard Time' => {'abbreviation' => 'AST', 'offset' => '-04:00', 'code' => '50'},
'AUS Central Standard Time' => {'abbreviation' => 'ADA', 'offset' => '+09:30', 'code' => '245'},
'AUS Eastern Standard Time' => {'abbreviation' => 'CMS', 'offset' => '+10:00', 'code' => '255'},
'Azerbaijan Standard Time' => {'abbreviation' => undef, 'offset' => '+04:00', 'code' => undef},
'Azores Standard Time' => {'abbreviation' => 'AZO', 'offset' => '-01:00', 'code' => '80'},
'Canada Central Standard Time' => {'abbreviation' => 'CST', 'offset' => '-06:00', 'code' => '25'},
'Cape Verde Standard Time' => {'abbreviation' => 'AZO', 'offset' => '-01:00', 'code' => '83'},
'Caucasus Standard Time' => {'abbreviation' => 'ABT', 'offset' => '+04:00', 'code' => '170'},
'Cen. Australia Standard Time' => {'abbreviation' => 'ADA', 'offset' => '+09:30', 'code' => '250'},
'Central America Standard Time' => {'abbreviation' => 'CST', 'offset' => '-06:00', 'code' => '33'},
'Central Asia Standard Time' => {'abbreviation' => 'ADC', 'offset' => '+06:00', 'code' => '195'},
'Central Brazilian Standard Time' => {'abbreviation' => undef, 'offset' => '-04:00', 'code' => undef},
'Central Europe Standard Time' => {'abbreviation' => 'AMS', 'offset' => '+01:00', 'code' => '95'},
'Central European Standard Time' => {'abbreviation' => 'AMS', 'offset' => '+01:00', 'code' => '100'},
'Central Pacific Standard Time' => {'abbreviation' => 'MSN', 'offset' => '+11:00', 'code' => '280'},
'Central Standard Time' => {'abbreviation' => 'CST', 'offset' => '-06:00', 'code' => '20'},
'Central Standard Time (Mexico)' => {'abbreviation' => 'CST', 'offset' => '-06:00', 'code' => '30'},
'China Standard Time' => {'abbreviation' => 'SST', 'offset' => '+08:00', 'code' => '210'},
'Dateline Standard Time' => {'abbreviation' => 'IDLE', 'offset' => '-12:00', 'code' => '0'},
'E. Africa Standard Time' => {'abbreviation' => 'BKR', 'offset' => '+03:00', 'code' => '155'},
'E. Australia Standard Time' => {'abbreviation' => 'BGP', 'offset' => '+10:00', 'code' => '260'},
'E. Europe Standard Time' => {'abbreviation' => 'BCP', 'offset' => '+02:00', 'code' => '115'},
'E. South America Standard Time' => {'abbreviation' => 'BBA', 'offset' => '-03:00', 'code' => '65'},
'Eastern Standard Time' => {'abbreviation' => 'EST', 'offset' => '-05:00', 'code' => '35'},
'Egypt Standard Time' => {'abbreviation' => 'BCP', 'offset' => '+02:00', 'code' => '120'},
'Ekaterinburg Standard Time' => {'abbreviation' => 'EIK', 'offset' => '+05:00', 'code' => '180'},
'Fiji Standard Time' => {'abbreviation' => 'FKM', 'offset' => '+12:00', 'code' => '285'},
'FLE Standard Time' => {'abbreviation' => 'HRI', 'offset' => '+02:00', 'code' => '125'},
'Georgian Standard Time' => {'abbreviation' => undef, 'offset' => '+04:00', 'code' => undef},
'GMT Standard Time' => {'abbreviation' => 'GMT', 'offset' => '+00:00', 'code' => '85'},
'Greenland Standard Time' => {'abbreviation' => 'BBA', 'offset' => '-03:00', 'code' => '73'},
'Greenwich Standard Time' => {'abbreviation' => 'GMT', 'offset' => '+00:00', 'code' => '90'},
'GTB Standard Time' => {'abbreviation' => 'AIM', 'offset' => '+02:00', 'code' => '130'},
'Hawaiian Standard Time' => {'abbreviation' => 'HAW', 'offset' => '-10:00', 'code' => '2'},
'India Standard Time' => {'abbreviation' => 'BCD', 'offset' => '+05:30', 'code' => '190'},
'Iran Standard Time' => {'abbreviation' => 'THE', 'offset' => '+03:30', 'code' => '160'},
'Israel Standard Time' => {'abbreviation' => 'BCP', 'offset' => '+02:00', 'code' => '135'},
'Korea Standard Time' => {'abbreviation' => 'SYA', 'offset' => '+09:00', 'code' => '230'},
'Mid-Atlantic Standard Time' => {'abbreviation' => 'MAT', 'offset' => '-02:00', 'code' => '75'},
'Mountain Standard Time' => {'abbreviation' => 'MST', 'offset' => '-07:00', 'code' => '10'},
'Mountain Standard Time (Mexico)' => {'abbreviation' => 'MST', 'offset' => '-07:00', 'code' => '13'},
'Myanmar Standard Time' => {'abbreviation' => 'MMT', 'offset' => '+06:30', 'code' => '203'},
'N. Central Asia Standard Time' => {'abbreviation' => 'ADC', 'offset' => '+06:00', 'code' => '201'},
'Namibia Standard Time' => {'abbreviation' => undef, 'offset' => '+02:00', 'code' => undef},
'Nepal Standard Time' => {'abbreviation' => 'NPT', 'offset' => '+05:45', 'code' => '193'},
'New Zealand Standard Time' => {'abbreviation' => 'AWE', 'offset' => '+12:00', 'code' => '290'},
'Newfoundland Standard Time' => {'abbreviation' => 'NWF', 'offset' => '-03:30', 'code' => '60'},
'North Asia East Standard Time' => {'abbreviation' => 'SST', 'offset' => '+08:00', 'code' => '227'},
'North Asia Standard Time' => {'abbreviation' => 'BHJ', 'offset' => '+07:00', 'code' => '207'},
'Pacific SA Standard Time' => {'abbreviation' => 'AST', 'offset' => '-04:00', 'code' => '56'},
'Pacific Standard Time' => {'abbreviation' => 'PST', 'offset' => '-08:00', 'code' => '4'},
'Romance Standard Time' => {'abbreviation' => 'AMS', 'offset' => '+01:00', 'code' => '105'},
'Russian Standard Time' => {'abbreviation' => 'MSV', 'offset' => '+03:00', 'code' => '145'},
'SA Eastern Standard Time' => {'abbreviation' => 'BBA', 'offset' => '-03:00', 'code' => '70'},
'SA Pacific Standard Time' => {'abbreviation' => 'EST', 'offset' => '-05:00', 'code' => '45'},
'SA Western Standard Time' => {'abbreviation' => 'AST', 'offset' => '-04:00', 'code' => '55'},
'Samoa Standard Time' => {'abbreviation' => 'MIS', 'offset' => '-11:00', 'code' => '1'},
'SE Asia Standard Time' => {'abbreviation' => 'BHJ', 'offset' => '+07:00', 'code' => '205'},
'Singapore Standard Time' => {'abbreviation' => 'SST', 'offset' => '+08:00', 'code' => '215'},
'South Africa Standard Time' => {'abbreviation' => 'BCP', 'offset' => '+02:00', 'code' => '140'},
'Sri Lanka Standard Time' => {'abbreviation' => 'ADC', 'offset' => '+06:00', 'code' => '200'},
'Taipei Standard Time' => {'abbreviation' => 'SST', 'offset' => '+08:00', 'code' => '220'},
'Tasmania Standard Time' => {'abbreviation' => 'HVL', 'offset' => '+10:00', 'code' => '265'},
'Tokyo Standard Time' => {'abbreviation' => 'OST', 'offset' => '+09:00', 'code' => '235'},
'Tonga Standard Time' => {'abbreviation' => 'TOT', 'offset' => '+13:00', 'code' => '300'},
'US Eastern Standard Time' => {'abbreviation' => 'EST', 'offset' => '-05:00', 'code' => '40'},
'US Mountain Standard Time' => {'abbreviation' => 'MST', 'offset' => '-07:00', 'code' => '15'},
'Vladivostok Standard Time' => {'abbreviation' => 'HVL', 'offset' => '+10:00', 'code' => '270'},
'W. Australia Standard Time' => {'abbreviation' => 'SST', 'offset' => '+08:00', 'code' => '225'},
'W. Central Africa Standard Time' => {'abbreviation' => 'AMS', 'offset' => '+01:00', 'code' => '113'},
'W. Europe Standard Time' => {'abbreviation' => 'AMS', 'offset' => '+01:00', 'code' => '110'},
'West Asia Standard Time' => {'abbreviation' => 'EIK', 'offset' => '+05:00', 'code' => '185'},
'West Pacific Standard Time' => {'abbreviation' => 'BGP', 'offset' => '+10:00', 'code' => '275'},
'Yakutsk Standard Time' => {'abbreviation' => 'SYA', 'offset' => '+09:00', 'code' => '240'},
);
=head2 $KMS_CLIENT_PRODUCT_KEYS
Data type : Hash reference
Description : Keys used to activate Windows using a KMS server. The key needs
to be configured before attempting to activate via KMS. Each
flavor of Windows uses a different KMS client key. These keys are
public information.
=cut
# These keys are publicly available:
# https://technet.microsoft.com/en-us/library/jj612867(v=ws.11).aspx
our $KMS_CLIENT_PRODUCT_KEYS = {
'Windows 10 Education' => 'NW6C2-QMPVW-D7KKK-3GKT6-VCFB2',
'Windows 10 Education N' => '2WH4N-8QGBV-H22JP-CT43Q-MDWWJ',
'Windows 10 Enterprise' => 'NPPR9-FWDCX-D2C8J-H872K-2YT43',
'Windows 10 Enterprise 2015 LTSB' => 'WNMTR-4C88C-JK8YV-HQ7T2-76DF9',
'Windows 10 Enterprise 2015 LTSB N' => '2F77B-TNFGY-69QQF-B8YKP-D69TJ',
'Windows 10 Enterprise 2016 LTSB' => 'DCPHK-NFMTC-H88MJ-PFHPY-QJ4BJ',
'Windows 10 Enterprise 2016 LTSB N' => 'QFFDN-GRT3P-VKWWX-X7T3R-8B639',
'Windows 10 Enterprise N' => 'DPH2V-TTNVB-4X9Q3-TJR4H-KHJW4',
'Windows 10 Professional' => 'W269N-WFGWX-YVC9B-4J6C9-T83GX',
'Windows 10 Professional N' => 'MH37W-N47XK-V7XM9-C7227-GCQG9',
'Windows 7 Enterprise' => '33PXH-7Y6KF-2VJC9-XBBR8-HVTHH',
'Windows 7 Enterprise E' => 'C29WB-22CC8-VJ326-GHFJW-H9DH4',
'Windows 7 Enterprise N' => 'YDRBP-3D83W-TY26F-D46B2-XCKRJ',
'Windows 7 Professional' => 'FJ82H-XT6CR-J8D7P-XQJJ2-GPDD4',
'Windows 7 Professional E' => 'W82YF-2Q76Y-63HXB-FGJG9-GF7QX',
'Windows 7 Professional N' => 'MRPKT-YTG23-K7D7T-X2JMM-QY7MG',
'Windows 8 Enterprise' => '32JNW-9KQ84-P47T8-D8GGY-CWCK7',
'Windows 8 Enterprise N' => 'JMNMF-RHW7P-DMY6X-RF3DR-X2BQT',
'Windows 8 Professional' => 'NG4HW-VH26C-733KW-K6F98-J8CK4',
'Windows 8 Professional N' => 'XCVCF-2NXM9-723PB-MHCB7-2RYQQ',
'Windows 8.1 Enterprise' => 'MHF9N-XY6XB-WVXMC-BTDCT-MKKG7',
'Windows 8.1 Enterprise N' => 'TT4HM-HN7YT-62K67-RGRQJ-JFFXW',
'Windows 8.1 Professional' => 'GCRJD-8NW9H-F2CDX-CCM8D-9D6T9',
'Windows 8.1 Professional N' => 'HMCNV-VVBFX-7HMBH-CTY9B-B4FXY',
'Windows Server 2008 Datacenter' => '7M67G-PC374-GR742-YH8V4-TCBY3',
'Windows Server 2008 Datacenter without Hyper-V' => '22XQ2-VRXRG-P8D42-K34TD-G3QQC',
'Windows Server 2008 Enterprise' => 'YQGMW-MPWTJ-34KDK-48M3W-X4Q6V',
'Windows Server 2008 Enterprise without Hyper-V' => '39BXF-X8Q23-P2WWT-38T2F-G3FPG',
'Windows Server 2008 for Itanium-Based Systems' => '4DWFP-JF3DJ-B7DTH-78FJB-PDRHK',
'Windows Server 2008 HPC' => 'RCTX3-KWVHP-BR6TB-RB6DM-6X7HP',
'Windows Server 2008 R2 Datacenter' => '74YFP-3QFB3-KQT8W-PMXWJ-7M648',
'Windows Server 2008 R2 Enterprise' => '489J6-VHDMP-X63PK-3K798-CPX3Y',
'Windows Server 2008 R2 for Itanium-based Systems' => 'GT63C-RJFQ3-4GMB6-BRFB9-CB83V',
'Windows Server 2008 R2 HPC edition' => 'TT8MH-CG224-D3D7Q-498W2-9QCTX',
'Windows Server 2008 R2 Standard' => 'YC6KT-GKW9T-YTKYR-T4X34-R7VHC',
'Windows Server 2008 R2 Web' => '6TPJF-RBVHG-WBW2R-86QPH-6RTM4',
'Windows Server 2008 Standard' => 'TM24T-X9RMF-VWXK6-X8JC9-BFGM2',
'Windows Server 2008 Standard without Hyper-V' => 'W7VD6-7JFBR-RX26B-YKQ3Y-6FFFJ',
'Windows Server 2012' => 'BN3D2-R7TKB-3YPBD-8DRP2-27GG4',
'Windows Server 2012 Country Specific' => '4K36P-JN4VD-GDC6V-KDT89-DYFKP',
'Windows Server 2012 Datacenter' => '48HP8-DN98B-MYWDG-T2DCC-8W83P',
'Windows Server 2012 MultiPoint Premium' => 'XNH6W-2V9GX-RGJ4K-Y8X6F-QGJ2G',
'Windows Server 2012 MultiPoint Standard' => 'HM7DN-YVMH3-46JC3-XYTG7-CYQJJ',
'Windows Server 2012 N' => '8N2M2-HWPGY-7PGT9-HGDD8-GVGGY',
'Windows Server 2012 R2 Datacenter' => 'W3GGN-FT8W3-Y4M27-J84CP-Q3VJ9',
'Windows Server 2012 R2 Essentials' => 'KNC87-3J2TX-XB4WP-VCPJV-M4FWM',
'Windows Server 2012 R2 Server Standard' => 'D2N9P-3P6X9-2R39C-7RTCD-MDVJX',
'Windows Server 2012 Server Standard' => 'XC9B7-NBPP2-83J2H-RHMBY-92BT4',
'Windows Server 2012 Single Language' => '2WN2H-YGCQR-KFX6K-CD6TF-84YXQ',
'Windows Server 2016 Datacenter' => 'CB7KF-BWN84-R7R2Y-793K2-8XDDG',
'Windows Server 2016 Essentials' => 'JCKRF-N37P4-C2D82-9YXRT-4M63B',
'Windows Server 2016 Standard' => 'WC2BQ-8NRM3-FDDYY-2BFGV-KHKQY',
'Windows Vista Business' => 'YFKBB-PQJJV-G996G-VWGXY-2V3X8',
'Windows Vista Business N' => 'HMBQG-8H2RH-C77VX-27R82-VMQBT',
'Windows Vista Enterprise' => 'VKK3X-68KWM-X2YGT-QR4M6-4BWMV',
'Windows Vista Enterprise N' => 'VTC42-BM838-43QHV-84HX6-XJXKV',
'Windows Web Server 2008' => 'WYR28-R7TFJ-3X2YQ-YCY4H-M249D',
};
###############################################################################
=head1 INTERFACE OBJECT METHODS
=cut
#//////////////////////////////////////////////////////////////////////////////
=head2 initialize
Parameters :
Returns :
Description :
=cut
sub initialize {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
notify($ERRORS{'DEBUG'}, 0, "beginning Windows module initialization");
my $request_state = $self->data->get_request_state_name();
# If the request state is reserved, retrieve the firewall configuration now to reduce a delay after the user clicks Connect
if ($request_state =~ /reserved/) {
notify($ERRORS{'DEBUG'}, 0, "request state is $request_state, caching firewall configuration to reduce delays later on");
$self->get_firewall_configuration('TCP');
}
notify($ERRORS{'DEBUG'}, 0, "Windows module initialization complete");
if ($self->can("SUPER::initialize")) {
return $self->SUPER::initialize();
}
else {
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 pre_capture
Parameters : Hash containing 'end_state' key
Returns : If successful: true
If failed: false
Description : Performs the steps necessary to prepare a Windows OS before an
image is captured.
This subroutine is called by a provisioning module's capture()
subroutine.
The steps performed are:
=over 3
=cut
sub pre_capture {
my $self = shift;
my $args = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if end_state argument was passed
if (defined $args->{end_state}) {
$self->{end_state} = $args->{end_state};
}
else {
$self->{end_state} = 'off';
}
my $computer_node_name = $self->data->get_computer_node_name();
my $image_os_install_type = $self->data->get_image_os_install_type();
# Call OS::pre_capture to perform the pre-capture tasks common to all OS's
if (!$self->SUPER::pre_capture($args)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute parent class pre_capture() subroutine");
return 0;
}
notify($ERRORS{'OK'}, 0, "beginning Windows image capture preparation tasks on $computer_node_name");
=item *
Disable RDP access from any IP address
=cut
if (!$self->firewall_disable_rdp()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable RDP from all addresses");
return 0;
}
=item *
Log off all currently logged in users
=cut
if (!$self->logoff_users()) {
notify($ERRORS{'WARNING'}, 0, "unable to log off all currently logged in users on $computer_node_name");
return 0;
}
=item *
Apply Windows security templates
=cut
# This find any .inf security template files configured for the OS and run secedit.exe to apply them
if (!$self->apply_security_templates()) {
notify($ERRORS{'WARNING'}, 0, "unable to apply security templates");
return 0;
}
=item *
If computer is part of Active Directory Domain, unjoin it
=cut
if ($self->ad_get_current_domain()) {
if (!$self->ad_unjoin()) {
notify($ERRORS{'WARNING'}, 0, "failed to remove computer from Active Directory domain");
return 0;
}
notify($ERRORS{'DEBUG'}, 0, "computer successfully unjoined from domain, rebooting for change to take effect");
# reboot if unjoin successful
if (!$self->reboot()) {
notify($ERRORS{'WARNING'}, 0, "failed to reboot after unjoining from domain");
}
}
=item *
Set Administrator account password to known value
=cut
if (!$self->set_password('Administrator', $WINDOWS_ROOT_PASSWORD)) {
notify($ERRORS{'WARNING'}, 0, "unable to set Administrator password");
return 0;
}
=item *
Set root account password to known value
=cut
if (!$self->set_password('root', $WINDOWS_ROOT_PASSWORD)) {
notify($ERRORS{'WARNING'}, 0, "unable to set root password");
return 0;
}
=item *
Delete the user assigned to this reservation
=cut
my $deleted_user_accounts = $self->delete_user_accounts();
if (!$deleted_user_accounts) {
notify($ERRORS{'DEBUG'}, 0, "unable to delete user accounts, will try again after reboot");
}
=item *
Set root as the owner of /home/root
=cut
if (!$self->set_file_owner('/home/root', 'root')) {
notify($ERRORS{'WARNING'}, 0, "unable to set root as the owner of /home/root");
return 0;
}
=item *
Enable DHCP on the private and public interfaces
=cut
if (!$self->enable_dhcp('public')) {
notify($ERRORS{'WARNING'}, 0, "failed to enable DHCP on the public interface");
return;
}
=item *
Copy the capture configuration files to the computer (scripts, utilities, drivers...)
=cut
if (!$self->copy_capture_configuration_files()) {
notify($ERRORS{'WARNING'}, 0, "unable to copy general Windows capture configuration files to $computer_node_name");
return 0;
}
=item *
Disable autoadminlogon before disabling the pagefile and rebooting
=cut
if (!$self->disable_autoadminlogon()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable autoadminlogon");
return 0;
}
=item *
Disable Shutdown Event Tracker
=cut
if (!$self->disable_shutdown_event_tracker()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable shutdown event tracker");
}
=item *
Disable System Restore
=cut
if (!$self->disable_system_restore()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable system restore");
}
=item *
Disable hibernation
=cut
if (!$self->disable_hibernation()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable hibernation");
}
=item *
Disable sleep
=cut
if (!$self->disable_sleep()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable sleep");
}
=item *
Disable Windows Customer Experience Improvement program
=cut
if (!$self->disable_ceip()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable Windows Customer Experience Improvement program");
}
=item *
Disable Internet Explorer configuration page
=cut
if (!$self->disable_ie_configuration_page()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable IE configuration");
}
=item *
Disable Automatic Updates
=cut
if (!$self->disable_automatic_updates()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable automatic updates");
}
=item *
Disable Security Center notifications
=cut
if (!$self->disable_security_center_notifications()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable Security Center notifications");
}
=item *
Disable login screensaver if computer is a VM
=cut
if ($self->data->get_computer_vmhost_id(0)) {
if (!$self->disable_login_screensaver()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable login screensaver");
}
}
=item *
Enable audio redirection for RDP sessions
=cut
if (!$self->enable_rdp_audio()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable RDP audio redirection");
}
=item *
Enable client-compatible color depth for RDP sessions
=cut
if (!$self->enable_client_compatible_rdp_color_depth()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable client-compatible color depth for RDP sessions");
}
=item *
Clean up the hard drive
=cut
if (!$self->clean_hard_drive()) {
notify($ERRORS{'WARNING'}, 0, "unable to clean unnecessary files the hard drive");
}
=item *
Disable the pagefile, reboot, and delete pagefile.sys
********* node reboots *********
=cut
# This will set the registry key to disable the pagefile, reboot, then delete pagefile.sys
# Calls the reboot() subroutine, which makes sure ssh service is set to auto and firewall is open for ssh
if (!$self->disable_pagefile()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable pagefile");
return 0;
}
=item *
Delete the user assigned to this reservation if attempt before reboot failed
=cut
if (!$deleted_user_accounts && !$self->delete_user_accounts()) {
notify($ERRORS{'WARNING'}, 0, "unable to delete user accounts after reboot");
return 0;
}
=item *
Enable SSH access from any IP address
=cut
if (!$self->firewall_enable_ssh()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable SSH from any IP address");
return 0;
}
=item *
Enable ping from any IP address
=cut
if (!$self->firewall_enable_ping()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable ping from any IP address");
return 0;
}
=item *
Reenable the pagefile
=cut
if (!$self->enable_pagefile()) {
notify($ERRORS{'WARNING'}, 0, "unable to reenable pagefile");
return 0;
}
=item *
Delete the 'VCL Update Cygwin' scheduled task if it exists. It could conflict with other post_load scripts.
=cut
$self->delete_scheduled_task('VCL Update Cygwin');
=item *
Set the Cygwin SSHD service startup mode to manual
=cut
if (!$self->set_service_startup_mode('sshd', 'manual') && !$self->set_service_startup_mode('cygsshd', 'manual')) {
notify($ERRORS{'WARNING'}, 0, "unable to set sshd service startup mode to manual");
return 0;
}
=item *
Unmount any NFS shares
=cut
if (!$self->unmount_nfs_shares()) {
notify($ERRORS{'WARNING'}, 0, "unable to unmount NFS shares");
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "Call to unmount_nfs_shares returned successfully");
}
=back
=cut
notify($ERRORS{'OK'}, 0, "returning 1");
return 1;
} ## end sub pre_capture
#//////////////////////////////////////////////////////////////////////////////
=head2 post_load
Parameters : None.
Returns : If successful: true
If failed: false
Description : Performs the steps necessary to configure a Windows OS after an
image has been loaded.
This subroutine is called by a provisioning module's load()
subroutine.
The steps performed are:
=over 3
=cut
sub post_load {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $imagedomain_domaindnsname = $self->data->get_image_domain_dns_name(0);
my $node_configuration_directory = $self->get_node_configuration_directory();
notify($ERRORS{'OK'}, 0, "beginning Windows post-load tasks on $computer_node_name");
=item *
Wait for computer to respond to SSH
=cut
if (!$self->wait_for_response(15, 900, 8)) {
notify($ERRORS{'WARNING'}, 0, "$computer_node_name never responded to SSH");
return 0;
}
=item *
Attempt to trigger and fix Cygwin's nodosfilewarning
=cut
$self->fix_cygwin_nodosfilewarning();
=item *
Wait for root to log off
=cut
if (!$self->wait_for_logoff('root', 2)) {
notify($ERRORS{'WARNING'}, 0, "root account never logged off");
if (!$self->logoff_users()) {
notify($ERRORS{'WARNING'}, 0, "failed to log off all currently logged in users");
}
}
=item *
Set root as the owner of /home/root
=cut
if (!$self->set_file_owner('/home/root', 'root')) {
notify($ERRORS{'WARNING'}, 0, "unable to set root as the owner of /home/root");
}
=item *
Set the Cygwin SSHD service startup mode to automatic
The Cygwin SSHD service startup mode should be set to automatic after an image
has been loaded and is ready to be reserved. Access will be lost if the service
is not set to automatic and the computer is rebooted.
=cut
if (!$self->set_service_startup_mode('sshd', 'auto') && !$self->set_service_startup_mode('cygsshd', 'auto')) {
notify($ERRORS{'WARNING'}, 0, "unable to set sshd service startup mode to auto");
return 0;
}
=item *
Update the SSH known_hosts file on the management node
=cut
if (!$self->update_ssh_known_hosts()) {
notify($ERRORS{'WARNING'}, 0, "unable to update the SSH known_hosts file on the management node");
}
=item *
Enable RDP access on the private network interface
=cut
if (!$self->firewall_enable_rdp_private()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable RDP on private network");
return 0;
}
=item *
Enable SSH access on the private network interface
=cut
if (!$self->firewall_enable_ssh_private()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable SSH from private IP address");
return 0;
}
=item *
Enable ping on the private network interface
=cut
if (!$self->firewall_enable_ping_private()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable ping from private IP address");
return 0;
}
=item *
Check the image for user account names known to be bad or easily compromised
=cut
if (!$self->check_image()) {
notify($ERRORS{'WARNING'}, 0, "unable to check the image for user accounts known to be bad");
}
=item *
Update the public IP address
=cut
if (!$self->update_public_ip_address()) {
my $public_ip_configuration = $self->data->get_management_node_public_ip_configuration();
if ($public_ip_configuration =~ /dhcp/i) {
notify($ERRORS{'WARNING'}, 0, "computer should have received a public IP address from DHCP but the address could not be determined, attempting to execute 'ipconfig /renew'");
if (!$self->ipconfig_renew()) {
notify($ERRORS{'WARNING'}, 0, "public IP address from DHCP but the address could not be determined, 'ipconfig /renew' failed");
return;
}
# Try to update the public IP address again
if (!$self->update_public_ip_address()) {
notify($ERRORS{'WARNING'}, 0, "computer should have received a public IP address from DHCP but the address could not be determined on second attempt after executing 'ipconfig /renew'");
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "computer initially failed to obtain a public IP address from DHCP, executed 'ipconfig /renew', public IP address could then be determined");
}
}
else {
notify($ERRORS{'WARNING'}, 0, "management node failed to set a static public IP address on the computer");
return;
}
}
=item *
Set persistent public default route
=cut
if (!$self->set_static_default_gateway()) {
notify($ERRORS{'WARNING'}, 0, "unable to set persistent public default route");
}
=item *
Configure and synchronize time
=cut
if (!$self->configure_time_synchronization()) {
notify($ERRORS{'WARNING'}, 0, "unable to configure and synchronize time");
}
=item *
Set the "My Computer" description to the image pretty name
=cut
if (!$self->set_my_computer_name()) {
notify($ERRORS{'WARNING'}, 0, "failed to rename My Computer");
}
=item *
Disable the "Select a location for the network" prompt
=cut
$self->disable_set_network_location_prompt();
=item *
Check if the RDP port configured on the computer matches the RDP connect method
=cut
if (!$self->check_rdp_port_configuration()) {
return 0;
}
=item *
Remove the Windows root password and other private information from the VCL configuration files
=cut
if (!$self->sanitize_files()) {
notify($ERRORS{'WARNING'}, 0, "failed to sanitize the files on the computer");
return;
}
=item *
Randomize the root account password
=cut
my $root_random_password = getpw();
$self->{root_password} = $root_random_password;
if (!$self->set_password('root', $root_random_password)) {
notify($ERRORS{'WARNING'}, 0, "failed to set random root password");
return 0;
}
=item *
Randomize the Administrator account password
=cut
my $administrator_random_password = getpw();
if (!$self->set_password('Administrator', $administrator_random_password)) {
notify($ERRORS{'WARNING'}, 0, "failed to set random Administrator password");
return 0;
}
=item *
Disable sleep
=cut
if (!$self->disable_sleep()) {
notify($ERRORS{'WARNING'}, 0, "unable to disable sleep");
}
=item *
Install Windows updates saved under tools on the management node
=cut
if (!$self->install_updates()) {
notify($ERRORS{'WARNING'}, 0, "failed to run custom post_load scripts");
}
=item *
Join Active Directory domain if configured for image
=cut
if ($imagedomain_domaindnsname) {
if (!$self->ad_check()) {
notify($ERRORS{'WARNING'}, 0, "failed to join Active Directory domain");
return 0;
}
}
elsif ($self->data->get_imagemeta_sethostname(0)) {
# Image configured to set hostname
if (!$self->set_computer_hostname()) {
notify($ERRORS{'WARNING'}, 0, "failed to rename computer");
return 0;
}
push @{$self->{reboot_required}}, 'computer was renamed';
}
=item *
Reboot the computer if necessary
=cut
if ($self->{reboot_required}) {
notify($ERRORS{'DEBUG'}, 0, "attempting to reboot computer, reasons why necessary:\n" . join("\n", @{$self->{reboot_required}}));
if (!$self->reboot()) {
notify($ERRORS{'WARNING'}, 0, "failed to reboot after renaming computer");
}
delete $self->{reboot_required};
}
=item *
Run custom post_load scripts residing in the image
=cut
my $script_path = '$SYSTEMROOT/vcl_post_load.cmd';
if (!$self->file_exists($script_path)) {
notify($ERRORS{'DEBUG'}, 0, "custom post_load script does NOT exist in image: $script_path");
}
else {
$self->run_script($script_path);
}
=item *
Delete the VCL Post Load' scheduled task if it exists
=cut
# Make sure the 'VCL Post Load' task is removed up if it exists to avoid conflicts
$self->delete_scheduled_task('VCL Post Load');
=item *
Call OS.pm::post_load
=cut
return $self->SUPER::post_load();
=back
=cut
}
#//////////////////////////////////////////////////////////////////////////////
=head2 post_reserve
Parameters : none
Returns : boolean
Description : Runs $SYSTEMROOT/vcl_post_reserve.cmd if it exists in the image.
Does not check if the actual script succeeded or not.
=cut
sub post_reserve {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return 0;
}
# Check if custom post_reserve script exists in the image
my $script_path = '$SYSTEMROOT/vcl_post_reserve.cmd';
if ($self->file_exists($script_path)) {
# If post_reserve script exists, assume it does user or reservation-specific actions
# If the user never connects and the reservation times out, there's no way to revert these actions in order to clean the computer for another user
# Tag the image as tainted so it is reloaded
$self->set_tainted_status('post-reserve scripts residing in the image executed');
# Run the post_reserve script
$self->run_script($script_path);
}
else {
notify($ERRORS{'DEBUG'}, 0, "custom post_reserve script does NOT exist in image: $script_path");
}
return $self->SUPER::post_reserve();
}
#//////////////////////////////////////////////////////////////////////////////
=head2 post_reservation
Parameters : none
Returns : boolean
Description : Executes $SYSTEMROOT/vcl_post_reservation.cmd if it exists in the
image. Does not check if the actual script succeeded or not.
=cut
sub post_reservation {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return 0;
}
my $computer_name = $self->data->get_computer_short_name();
# Check if custom post_reservation script exists in image
my $script_path = '$SYSTEMROOT/vcl_post_reservation.cmd';
if ($self->file_exists($script_path)) {
# Run the post_reservation script
$self->run_script($script_path);
}
else {
notify($ERRORS{'DEBUG'}, 0, "custom post_reservation script does NOT exist in image: $script_path");
}
$self->SUPER::post_reservation();
# Check if the computer is joined to any AD domain
my $computer_current_domain_name = $self->ad_get_current_domain();
if ($computer_current_domain_name) {
$self->ad_delete_computer();
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 pre_reload
Parameters : none
Returns : true
Description : Unjoins the computer from an Active Directory domain if
previously joined. This helps avoid orphaned computer objects.
=cut
sub pre_reload {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return 0;
}
my $computer_name = $self->data->get_computer_short_name();
# Check if the computer is joined to any AD domain
my $computer_current_domain_name = $self->ad_get_current_domain();
if ($computer_current_domain_name) {
# check that node is not a domain controller
my $check_dc = $self->ad_check_domain_controller();
if (!defined($check_dc) || $check_dc == 0) {
# if call to ad_check_domain_controller fails, still attempt to
# delete from domain; unusual for node to be a domain controller
notify($ERRORS{'DEBUG'}, 0, "attempting to delete computer from domain");
$self->ad_delete_computer();
}
elsif ($check_dc == 1) {
notify($ERRORS{'DEBUG'}, 0, "computer is a domain controller, not attempting to delete computer from its own domain");
}
}
return $self->SUPER::pre_reload();
}
#//////////////////////////////////////////////////////////////////////////////
=head2 sanitize
Parameters :
Returns :
Description :
=cut
sub sanitize {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Revoke access
if (!$self->revoke_access()) {
notify($ERRORS{'WARNING'}, 0, "failed to revoke access to $computer_node_name");
return 0;
}
# Delete the reservation users
if ($self->delete_user_accounts()) {
notify($ERRORS{'OK'}, 0, "users deleted from $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to delete users from $computer_node_name");
return 0;
}
if (!$self->unmount_nfs_shares()) {
notify($ERRORS{'WARNING'}, 0, "failed to unmount nfs shares");
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "successfully unmounted any NFS shares");
}
notify($ERRORS{'OK'}, 0, "$computer_node_name has been sanitized");
return 1;
} ## end sub sanitize
#//////////////////////////////////////////////////////////////////////////////
=head2 grant_access
Parameters :
Returns :
Description :
=cut
sub grant_access {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path();
if ($self->process_connect_methods("", 1)) {
notify($ERRORS{'OK'}, 0, "processed connection methods on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to process connection methods on $computer_node_name");
return;
}
notify($ERRORS{'OK'}, 0, "access has been granted for reservation on $computer_node_name");
return 1;
} ## end sub grant_access
#//////////////////////////////////////////////////////////////////////////////
=head2 revoke_access
Parameters :
Returns :
Description :
=cut
sub revoke_access {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Disallow RDP connections
if ($self->firewall_disable_rdp()) {
notify($ERRORS{'OK'}, 0, "firewall was configured to deny RDP access on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "firewall could not be configured to deny RDP access on $computer_node_name");
return 0;
}
notify($ERRORS{'OK'}, 0, "access has been revoked to $computer_node_name");
return 1;
} ## end sub revoke_access
###############################################################################
=head1 AUXILIARY OBJECT METHODS
=cut
#//////////////////////////////////////////////////////////////////////////////
=head2 create_directory
Parameters :
Returns :
Description :
=cut
sub create_directory {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $path = shift;
if (!$path) {
notify($ERRORS{'WARNING'}, 0, "directory path argument was not specified");
return;
}
# If ~ is passed as the directory path, skip directory creation attempt
# The command will create a /root/~ directory since the path is enclosed in quotes
return 1 if $path eq '~';
notify($ERRORS{'DEBUG'}, 0, "attempting to create directory: '$path'");
# Assemble the Windows shell mkdir command and execute it
my $mkdir_command = "cmd.exe /c \"mkdir \\\"$path\\\"\"";
my ($mkdir_exit_status, $mkdir_output) = $self->execute($mkdir_command);
if (!defined($mkdir_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to create directory on $computer_node_name: $path");
return;
}
elsif ($mkdir_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "created directory on $computer_node_name: '$path'");
}
elsif (grep(/already exists/i, @$mkdir_output)) {
notify($ERRORS{'OK'}, 0, "directory already exists on $computer_node_name: '$path'");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to create directory on $computer_node_name: '$path', exit status: $mkdir_exit_status, output:\n" . join("\n", @$mkdir_output));
}
# Make sure directory was created
if (!$self->file_exists($path)) {
notify($ERRORS{'WARNING'}, 0, "directory does not exist on $computer_node_name: '$path'");
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "verified directory exists on $computer_node_name: '$path'");
return 1;
}
} ## end sub create_directory
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_file
Parameters :
Returns :
Description :
=cut
sub delete_file {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get file path subroutine argument
my $path_argument = shift;
if (!$path_argument) {
notify($ERRORS{'WARNING'}, 0, "file path was not specified as an argument");
return;
}
# Check if file exists before attempting to delete it
if (!$self->file_exists($path_argument)) {
notify($ERRORS{'OK'}, 0, "file not deleted because it does not exist: '$path_argument'");
return 1;
}
my $path_unix = $self->format_path_unix($path_argument);
my $path_dos = $self->format_path_dos($path_argument);
notify($ERRORS{'DEBUG'}, 0, "attempting to delete file: '$path_argument'");
# Assemble a set of commands concatenated together
# Try to take ownership, set the permissions, then delete the file using both Cygwin bash and Windows commands
# This should allow files to be deleted with restrictive ownership, permissions, and attributes
my $path_unix_directory = parent_directory_path($path_unix);
my ($path_unix_pattern) = $path_unix =~ /\/?([^\/]+)$/;
my $command;
$command .= "echo ---";
$command .= " ; echo Calling chown.exe to change owner to root...";
$command .= " ; /usr/bin/chown.exe -Rv root $path_unix 2>&1";
$command .= " ; echo ---";
$command .= " ; echo Calling chmod.exe to change permissions to 777...";
$command .= " ; /usr/bin/chmod.exe -Rv 777 $path_unix 2>&1";
$command .= " ; echo ---";
$command .= " ; echo Calling \\\"rm.exe -rfv $path_unix\\\" to to delete file...";
$command .= " ; /usr/bin/rm.exe -rfv $path_unix 2>&1";
if ($path_unix_pattern =~ /\*/) {
$command .= " ; echo ---";
$command .= " ; echo Calling \\\"rm.exe -rfv $path_unix_directory/.$path_unix_pattern\\\" to to delete file...";
$command .= " ; /usr/bin/rm.exe -rfv $path_unix_directory/.$path_unix_pattern 2>&1";
}
# Add call to rmdir if the path does not contain a wildcard
# rmdir does not accept wildcards
if ($path_dos !~ /\*/) {
$command .= " ; echo ---";
$command .= " ; echo Calling \\\"cmd.exe /c rmdir $path_dos\\\" to to delete directory...";
$command .= " ; cmd.exe /c \"rmdir /s /q \\\"$path_dos\\\"\" 2>&1";
}
$command .= " ; echo ---";
$command .= " ; echo Calling \\\"cmd.exe /c del $path_dos\\\" to to delete file...";
$command .= " ; cmd.exe /c \"del /s /q /f /a \\\"$path_dos\\\" 2>&1\" 2>&1";
$command .= " ; echo ---";
$command .= " ; echo Calling \\\"cmd.exe /c dir $path_dos\\\" to to list remaining files...";
$command .= " ; cmd.exe /c \"dir /a /w \\\"$path_dos\\\"\" 2>&1";
$command .= " ; echo ---";
$command .= " ; date +%r";
# Run the command
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to delete file: '$path_argument'");
return;
}
## Sleep 1 second before checking if file was deleted
#sleep 1;
# Check if file was deleted
if ($self->file_exists($path_argument)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete file, it still exists: '$path_argument', command:\n$command\noutput:\n" . join("\n", @$output));
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "deleted file: '$path_argument'");
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 move_file
Parameters :
Returns :
Description :
=cut
sub move_file {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get file path subroutine arguments
my $source_path = shift;
my $destination_path = shift;
if (!$source_path) {
notify($ERRORS{'WARNING'}, 0, "file source path was not specified as an argument");
return;
}
if (!$destination_path) {
notify($ERRORS{'WARNING'}, 0, "file destination path was not specified as an argument");
return;
}
# Replace backslashes with forward slashes
$source_path =~ s/\\+/\//gs;
$destination_path =~ s/\\+/\//gs;
notify($ERRORS{'DEBUG'}, 0, "attempting to move file: $source_path --> $destination_path");
# Assemble the Windows shell move command and execute it
my $move_command = "mv -fv \"$source_path\" \"$destination_path\"";
my ($move_exit_status, $move_output) = $self->execute($move_command, 1);
if (defined($move_exit_status) && $move_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "file moved: $source_path --> $destination_path, output:\n@{$move_output}");
}
elsif ($move_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to move file: $source_path --> $destination_path, exit status: $move_exit_status, output:\n@{$move_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to move file: $source_path --> $destination_path");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_files_by_pattern
Parameters : $base_directory, $regex_pattern, $max_depth (optional)
Returns : boolean
Description : Deletes all files found under the base directory
=cut
sub delete_files_by_pattern {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($base_directory, $regex_pattern, $max_depth, $show_deleted) = @_;
# Make sure base directory and pattern were specified
if (!($base_directory && $regex_pattern)) {
notify($ERRORS{'WARNING'}, 0, "base directory and pattern must be specified as arguments");
return;
}
my $computer_name = $self->data->get_computer_short_name();
notify($ERRORS{'DEBUG'}, 0, "attempting to delete files on $computer_name, base directory: '$base_directory', pattern: '$regex_pattern', max depth: " . ($max_depth ? $max_depth : 'unlimited'));
# Check if the path begins with an environment variable
my ($base_directory_variable, $remainder) = $base_directory =~ /(\$[^\/\\]*)(.*)/g;
if ($base_directory_variable) {
my $cygpath_command = "/bin/cygpath.exe \"$base_directory_variable\"";
my ($cygpath_exit_status, $cygpath_output) = $self->execute($cygpath_command, 0);
if (!defined($cygpath_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if $base_directory_variable environment variable is set on $computer_name: $cygpath_command");
return;
}
elsif (grep(/cygpath:/, @$cygpath_output)) {
notify($ERRORS{'DEBUG'}, 0, "files not deleted because $base_directory_variable environment variable is not set on $computer_name");
return;
}
elsif (!grep(/\w/, @$cygpath_output)) {
notify($ERRORS{'DEBUG'}, 0, "files not deleted because $base_directory_variable environment variable is empty on $computer_name");
return;
}
my ($base_directory_variable_value) = grep(/\w/, @$cygpath_output);
$remainder = '' unless defined($remainder);
my $base_directory_new = "$base_directory_variable_value/$remainder";
$base_directory_new =~ s/[\\\/]+/\//g;
notify($ERRORS{'DEBUG'}, 0, "$base_directory_variable environment variable is set on $computer_name: '$base_directory' --> '$base_directory_new'");
$base_directory = $base_directory_new;
}
# Remove trailing slashes from base directory
$base_directory =~ s/[\/\\]*$/\//;
# Assemble command
# Use find to locate all the files under the base directory matching the pattern specified
my $command = "/bin/find.exe \"$base_directory\"";
$command .= " -mindepth 1";
$command .= " -maxdepth $max_depth" if $max_depth;
$command .= " -iregex \"$regex_pattern\"";
$command .= " -exec chown -R root {} \\;";
$command .= " -exec chmod -R 777 {} \\;";
$command .= " -exec rm -rvf {} \\;";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to delete files under $base_directory matching pattern $regex_pattern, command: $command");
return;
}
elsif ($base_directory_variable && grep(/cygpath:/i, @$output)) {
notify($ERRORS{'OK'}, 0, "files not deleted because environment variable is not set: $base_directory_variable");
return;
}
elsif (grep(/find:.*no such file/i, @$output)) {
notify($ERRORS{'OK'}, 0, "files not deleted because base directory does not exist: $base_directory, command: '$command'");
return 1;
}
elsif (grep(/(^Usage:)/i, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete files under $base_directory matching pattern $regex_pattern\ncommand: $command\noutput:\n" . join("\n", @$output));
return;
}
else {
my @deleted = grep(/removed /, @$output);
my @not_deleted = grep(/cannot remove/, @$output);
my $message;
$message .= "attempted to delete files:\n";
$message .= "base directory: $base_directory\n";
$message .= "regular expression pattern: $regex_pattern\n";
$message .= "files and directories deleted: " . scalar(@deleted) . "\n";
$message .= "files and directories NOT deleted: " . scalar(@not_deleted) . "\n";
$message .= "deleted:\n" . join("\n", @deleted) . "\n" if ($show_deleted && @deleted);
$message .= "NOT deleted:\n" . join("\n", @not_deleted) if (@not_deleted);
notify($ERRORS{'OK'}, 0, $message) if (@deleted || @not_deleted);
}
return 1;
} ## end sub delete_files_by_pattern
#//////////////////////////////////////////////////////////////////////////////
=head2 file_exists
Parameters :
Returns :
Description :
=cut
sub file_exists {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Get the path from the subroutine arguments and make sure it was passed
my $path = shift;
if (!$path) {
notify($ERRORS{'WARNING'}, 0, "unable to detmine if file exists, path was not specified as an argument");
return;
}
my $path_dos = $self->format_path_dos($path);
# Assemble the dir command and execute it
my $dir_command = "cmd.exe /c \"dir /a \\\"$path_dos\\\"\"";
my ($dir_exit_status, $dir_output) = $self->execute($dir_command, 0);
if (!defined($dir_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to determine if file exists on $computer_node_name: $path");
return;
}
# Checking if directory exists, no wildcard: (directory exists)
# $ cmd.exe /c "dir /a C:\test"
# Volume in drive C has no label.
# Volume Serial Number is 4C9E-6C37
#
# Directory of C:\test
#
#05/16/2012 01:19 PM <DIR> .
#05/16/2012 01:19 PM <DIR> ..
# 0 File(s) 0 bytes
# 2 Dir(s) 17,999,642,624 bytes free
# Checking if file or directory exists with wildcard: (file exists)
# $ cmd.exe /c "dir /a C:\te*"
# Volume in drive C has no label.
# Volume Serial Number is 4C9E-6C37
#
# Directory of C:\
#
#05/16/2012 01:19 PM <DIR> test
# 0 File(s) 0 bytes
# 1 Dir(s) 17,999,642,624 bytes free
# Checking if file exists with wildcard: (file does not exist)
# $ cmd.exe /c "dir /a C:\test\*"
# Volume in drive C has no label.
# Volume Serial Number is 4C9E-6C37
#
# Directory of C:\test
#
#05/16/2012 01:19 PM <DIR> .
#05/16/2012 01:19 PM <DIR> ..
# 0 File(s) 0 bytes
# 2 Dir(s) 17,999,642,624 bytes free
if ($dir_exit_status == 1 || grep(/(file not found|cannot find)/i, @$dir_output)) {
notify($ERRORS{'DEBUG'}, 0, "file does NOT exist on $computer_node_name: '$path'");
return 0;
}
elsif ($path =~ /\*/ && grep(/\s0 File/, @$dir_output) && grep(/\s2 Dir/, @$dir_output)) {
#notify($ERRORS{'DEBUG'}, 0, "file does NOT exist on $computer_node_name: '$path', exit status: $dir_exit_status, command: '$dir_command', output:\n" . join("\n", @$dir_output));
notify($ERRORS{'DEBUG'}, 0, "file does NOT exist on $computer_node_name: '$path'");
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "file exists on $computer_node_name: '$path'");
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_file_owner
Parameters : file path, owner
Returns : If successful: true
If failed: false
Description : Recursively sets the owner of the file path. The file path can
be a file or directory. The owner must be a valid user account. A
group can optionally be specified by appending a semicolon and
the group name to the owner.
Examples:
set_file_owner('/home/root', 'root')
set_file_owner('/home/root', 'root:Administrators')
=cut
sub set_file_owner {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get the file path argument
my $file_path = shift;
if (!$file_path) {
notify($ERRORS{'WARNING'}, 0, "file path argument was not specified");
return;
}
# Get the owner argument
my $owner = shift;
if (!$owner) {
notify($ERRORS{'WARNING'}, 0, "owner argument was not specified");
return;
}
# Run chown
my ($chown_exit_status, $chown_output) = $self->execute("/usr/bin/chown.exe -vR \"$owner\" \"$file_path\"", 0);
# Check if exit status is defined - if not, SSH command failed
if (!defined($chown_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to set $owner as the owner of $file_path");
return;
}
# Check if any known error lines exist in the chown output
my @chown_error_lines = grep(/(chown:|cannot access|no such file|failed to)/ig, @$chown_output);
if (@chown_error_lines) {
notify($ERRORS{'WARNING'}, 0, "error occurred setting $owner as the owner of $file_path, error output:\n" . join("\n", @chown_error_lines));
return;
}
# Make sure an "ownership of" line exists in the chown output
my @chown_success_lines = grep(/(ownership of)/ig, @$chown_output);
if (@chown_success_lines) {
notify($ERRORS{'OK'}, 0, "set $owner as the owner of $file_path, files and directories modified: " . scalar(@chown_success_lines));
}
else {
notify($ERRORS{'OK'}, 0, "$owner is already the owner of $file_path");
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 logoff_users
Parameters :
Returns :
Description :
=cut
sub logoff_users {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my ($exit_status, $output) = $self->execute("$system32_path/qwinsta.exe", 1, 60);
if ($exit_status > 0) {
notify($ERRORS{'WARNING'}, 0, "failed to run qwinsta.exe on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
elsif (!defined($exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run qwinsta.exe command on $computer_node_name");
return;
}
# Find lines with the state = Active or Disc
# Disc will occur if the user disconnected the RDP session but didn't logoff
my @connection_lines = grep(/(Active)/, @$output);
return 1 if !@connection_lines;
#notify($ERRORS{'OK'}, 0, "connections on $computer_node_name:\n@connection_lines");
# SESSIONNAME USERNAME ID STATE TYPE DEVICE
# '> root 0 Disc rdpwd '
# '>rdp-tcp#24 root 0 Active rdpwd '
foreach my $connection_line (@connection_lines) {
$connection_line =~ s/(^\s+|\s+$)//g;
my ($session_id) = $connection_line =~ /(\d+)\s+(?:Active|Listen|Conn|Disc)/g;
my ($session_name) = $connection_line =~ /^\s?>?([^ ]+)/g;
# Determine if the session ID or name will be used to kill the session
# logoff.exe has trouble killing sessions with ID=0
# Use the ID if it's > 0, otherwise use the session name
my $session_identifier;
if ($session_id) {
$session_identifier = $session_id;
}
elsif ($session_name) {
$session_identifier = $session_name;
}
else {
notify($ERRORS{'WARNING'}, 0, "session ID or name could not be determined from line:\n$connection_line");
next;
}
notify($ERRORS{'DEBUG'}, 0, "attempting to kill connection $session_identifier: '$connection_line'");
#LOGOFF [sessionname | sessionid] [/SERVER:servername] [/V]
# sessionname The name of the session.
# sessionid The ID of the session.
# /SERVER:servername Specifies the Terminal server containing the user
# session to log off (default is current).
# /V Displays information about the actions performed.
# Call logoff.exe, pass it the session
my ($logoff_exit_status, $logoff_output) = $self->execute("$system32_path/logoff.exe $session_identifier /V");
if (!defined($logoff_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to log off session: $session_identifier");
}
elsif ($logoff_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "logged off session: $session_identifier, output:\n" . join("\n", @$logoff_output));
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to log off session: $session_identifier, exit status: $logoff_exit_status, output:\n" . join("\n", @$logoff_output));
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 user_exists
Parameters : $username (optional)
Returns : boolean
Description : Executes 'net user <username>' to determine whether or not a
local user exists on the Windows computer.
=cut
sub user_exists {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
# If no argument was supplied, use the user specified in the DataStructure
my $username = shift;
if (!$username) {
$username = $self->data->get_user_login_id();
}
#notify($ERRORS{'DEBUG'}, 0, "checking if user $username exists on $computer_node_name");
# Attempt to query the user account
my $command = "$system32_path/net.exe user \"$username\"";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if user exists on $computer_node_name: $username");
return;
}
# Expected output if user exists:
# $ net user administrator
# User name Administrator
# Full Name
# Comment Built-in account for administering the computer/domain
# ...
# The command completed successfully.
# Expected output if user does NOT exist:
# $ net user foo
# The user name could not be found.
#
# More help is available by typing NET HELPMSG 2221.
# Note: exit status may not be reliable, see VCL-1054
if ($exit_status == 2 || grep(/not.*found/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "user '$username' does NOT exist on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return 0;
}
elsif (my ($username_line) = grep(/User name[\s\t]+$username[\s\t]*$/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "user '$username' exists on $computer_node_name, found matching line in '$command' output:\n$username_line");
return 1;
}
elsif ($exit_status == 0) {
notify($ERRORS{'WARNING'}, 0, "returning 1 but unable to reliable determine if user '$username' exists on $computer_node_name, exit status is $exit_status but output does not contain a 'User name <space...> $username' line:\n" . join("\n", @$output));
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to determine if user '$username' exists on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 create_user
Parameters : hash reference
Returns : boolean
Description : Creates a user on the computer. The argument must be a hash
reference containing the following keys:
* username
* password
* root_access
=cut
sub create_user {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $domain_dns_name = $self->data->get_image_domain_dns_name();
my $user_parameters = shift;
if (!$user_parameters) {
notify($ERRORS{'WARNING'}, 0, "unable to create user, user parameters argument was not provided");
return;
}
elsif (!ref($user_parameters) || ref($user_parameters) ne 'HASH') {
notify($ERRORS{'WARNING'}, 0, "unable to create user, argument provided is not a hash reference");
return;
}
my $username = $user_parameters->{username};
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "failed to create user on $computer_node_name, argument hash does not contain a 'username' key:\n" . format_data($user_parameters));
return;
}
my $root_access = $user_parameters->{root_access};
if (!defined($root_access)) {
notify($ERRORS{'WARNING'}, 0, "failed to create user on $computer_node_name, argument hash does not contain a 'root_access' key:\n" . format_data($user_parameters));
return;
}
my $password = $user_parameters->{password};
# Check if image is configured for Active Directory and a password should NOT be set
# OS.pm::add_user_accounts should have already called should_set_user_password which checks if AD is configured and if user exists in AD
# If user exists in AD, password argument should not be set
# If for some reason it is set, add local user account
if ($domain_dns_name && !$password) {
$username .= "@" . $domain_dns_name;
}
else {
if (!defined($password) && !$domain_dns_name) {
notify($ERRORS{'WARNING'}, 0, "failed to create user on $computer_node_name, argument hash does not contain a 'password' key:\n" . format_data($user_parameters));
return;
}
# Not an AD image, check if user already exists
if (!$self->user_exists($username)) {
# Attempt to create the user account
my $add_user_command = "$system32_path/net.exe user \"$username\" \"$password\" /ADD /EXPIRES:NEVER /COMMENT:\"Account created by VCL\"";
my ($add_user_exit_status, $add_user_output) = $self->execute($add_user_command, 0);
if (!defined($add_user_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command create user on $computer_node_name: $username");
return;
}
elsif ($add_user_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "created user on $computer_node_name: $username, password: $password");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to create user on $computer_node_name: $username, exit status: $add_user_exit_status, command: '$add_user_command', output:\n" . join("\n", @$add_user_output));
return 0;
}
}
else {
# Account already exists on machine, set password
if (!$self->set_password($username, $password)) {
notify($ERRORS{'WARNING'}, 0, "failed to set password of existing user on $computer_node_name: $username");
return;
}
}
}
if (!$self->add_user_to_group($username, "Remote Desktop Users")) {
return;
}
# Add user to Administrators group if necessary
if ($root_access) {
if (!$self->add_user_to_group($username, "Administrators")) {
return;
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "existing user NOT added to Administrators group on $computer_node_name: $username");
}
return 1;
} ## end sub create_user
#//////////////////////////////////////////////////////////////////////////////
=head2 add_user_to_group
Parameters : $username, $group
Returns : boolean
Description : Adds a user to a group on the computer.
=cut
sub add_user_to_group {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
# If no argument was supplied, use the user specified in the DataStructure
my $username = shift;
my $group = shift;
if (!$username || !$group) {
notify($ERRORS{'WARNING'}, 0, "unable to add user to group, arguments were not passed correctly");
return;
}
# Attempt to add the user to the group using net.exe localgroup
my $localgroup_user_command = "$system32_path/net.exe localgroup \"$group\" $username /ADD";
my ($localgroup_user_exit_status, $localgroup_user_output) = $self->execute($localgroup_user_command);
if (defined($localgroup_user_exit_status) && $localgroup_user_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "added user to '$group' group on $computer_node_name: $username");
}
elsif (defined($localgroup_user_exit_status) && $localgroup_user_exit_status == 2) {
# Exit status is 2, this could mean the user is already a member or that the group doesn't exist
# Check the output to determine what happened
if (grep(/error 1378/, @{$localgroup_user_output})) {
# System error 1378 has occurred.
# The specified account name is already a member of the group.
notify($ERRORS{'OK'}, 0, "user is already a member of '$group' group on $computer_node_name: $username");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to add user to '$group' group on $computer_node_name: $username, exit status: $localgroup_user_exit_status, output:\n@{$localgroup_user_output}");
return 0;
}
} ## end elsif (defined($localgroup_user_exit_status) ... [ if (defined($localgroup_user_exit_status) ...
elsif (defined($localgroup_user_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to add user to '$group' group on $computer_node_name: $username, exit status: $localgroup_user_exit_status, output:\n@{$localgroup_user_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to add user to '$group' group on $computer_node_name: $username");
return;
}
return 1;
} ## end sub add_user_to_group
#//////////////////////////////////////////////////////////////////////////////
=head2 remove_user_from_group
Parameters : $username, $group
Returns : boolean
Description : Removes a user from a local group on the computer. If an AD user
account and local account exist with the same name, both will be
removed.
=cut
sub remove_user_from_group {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $username = shift;
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "username argument was not supplied");
return;
}
my $group = shift;
if (!defined($group)) {
notify($ERRORS{'WARNING'}, 0, "local group name argument was not supplied");
return;
}
my @group_members = $self->get_group_members($group);
if (!@group_members) {
notify($ERRORS{'DEBUG'}, 0, "$username not removed from $group local group on $computer_name, group is either empty or membership could not be retrieved");
return 1;
}
my @matching_members = grep(/(^|\\)$username$/i, @group_members);
if (!@matching_members) {
notify($ERRORS{'OK'}, 0, "$username is not a member of $group local group on $computer_name");
return 1;
}
for my $matching_member (@matching_members) {
# Escape backslashes in domain usernames
$matching_member =~ s/\\/\\\\/;
my $command = "$system32_path/net.exe localgroup \"$group\" \"$matching_member\" /DELETE";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to remove $matching_member from $group local group on $computer_name: $command");
return;
}
elsif (grep(/no such/, @$output)) {
# There is no such global user or group: admin.
notify($ERRORS{'OK'}, 0, "$matching_member is not a member of $group local group on $computer_name");
return 1;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to remove $matching_member from $group local group on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "removed $matching_member from $group local group on $computer_name");
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_group_members
Parameters : $group_name
Returns : array
Description : Retrieves the names of users who are members of a local Windows
group.
=cut
sub get_group_members {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $group = shift;
if (!defined($group)) {
notify($ERRORS{'WARNING'}, 0, "local group name argument was not supplied");
return;
}
my $command = "$system32_path/net.exe localgroup \"$group\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve members of $group local group on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve members of $group local group on $computer_name, exit status: $exit_status, command: '$command', output:\n" . join("\n", @$output));
return 0;
}
# Alias name Remote Desktop Users
# Comment Members in this group are granted the right to logon remotely
#
# Members
#
# -------------------------------------------------------------------------------
# AD\admin
# admin
# AD\domainuser
# admin
# tester1
# ...
# test100
# The command completed successfully.
my @group_members;
my $separator_line_found = 0;
for my $line (@$output) {
if (!$separator_line_found) {
if ($line =~ /---/) {
$separator_line_found = 1;
}
next;
}
elsif ($line =~ /The command/) {
last;
}
push @group_members, $line;
}
notify($ERRORS{'OK'}, 0, "retrieve members of $group local group on $computer_name: " . join(", ", @group_members));
return @group_members;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_user
Parameters : $node, $user, $type, $osname
Returns : 1 success 0 failure
Description : removes user account and profile directory from specificed node
=cut
sub delete_user {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
# If no argument was supplied, use the user specified in the DataStructure
my $username = shift;
if (!(defined($username))) {
$username = $self->data->get_user_login_id();
}
notify($ERRORS{'OK'}, 0, "attempting to delete user $username from $computer_node_name");
# Attempt to delete the user account
my $delete_user_command = "$system32_path/net.exe user $username /DELETE";
my ($delete_user_exit_status, $delete_user_output) = $self->execute($delete_user_command);
if (defined($delete_user_exit_status) && $delete_user_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "deleted user $username from $computer_node_name");
}
elsif (defined($delete_user_exit_status) && $delete_user_exit_status == 2) {
notify($ERRORS{'OK'}, 0, "user $username was not deleted because user does not exist");
# Could be an AD domain user, make sure user is removed from groups
$self->remove_user_from_group($username, 'Administrators');
$self->remove_user_from_group($username, 'Remote Desktop Users');
}
elsif (defined($delete_user_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete user $username from $computer_node_name, exit status: $delete_user_exit_status, output:\n@{$delete_user_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command delete user $username from $computer_node_name");
return;
}
# Delete the user's home directory
if ($self->delete_file("C:/Documents and Settings/$username")) {
notify($ERRORS{'OK'}, 0, "deleted profile for user $username from $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to delete profile for user $username from $computer_node_name");
return 0;
}
return 1;
} ## end sub delete_user
#//////////////////////////////////////////////////////////////////////////////
=head2 set_password
Parameters : $username, $password
Returns :
Description :
=cut
sub set_password {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# IMPORTANT: be sure to test passwords containing the following:
# $!
# \ (single backslash)
# '
# "
# ~
# `
# Special bash/Linux variables: = $0, $1, $#, $*, $@, $-, $!, $_, $?, $$
# my $test_password = '$0, $1 $# $* $@ $- $! $_ $? $$\ !@#$%^&*()_+-={}[]":;<>?/.,`~' . "'";
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
my $username = shift;
my $password = shift;
my $user_password_only = shift;
# If no argument was supplied, use the user specified in the DataStructure
if (!defined($username)) {
$username = $self->data->get_user_logon_id();
}
if (!defined($password)) {
$password = $self->data->get_reservation_password();
}
# Make sure both the username and password were determined
if (!defined($username) || !defined($password)) {
notify($ERRORS{'WARNING'}, 0, "username and password could not be determined");
return 0;
}
# Attempt to set the password
my $password_escaped = _escape_password($password);
my $set_password_command = "$system32_path/net.exe user $username \"$password_escaped\"";
notify($ERRORS{'DEBUG'}, 0, "setting password of $username to '$password' on $computer_node_name, command:\n$set_password_command");
my ($set_password_exit_status, $set_password_output) = $self->execute($set_password_command);
if ($set_password_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "password changed to '$password' for user '$username' on $computer_node_name, command: '$set_password_command', output:\n" . join("\n", @$set_password_output));
}
elsif (defined $set_password_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to change password to '$password' (escaped: '$password_escaped') for user '$username' on $computer_node_name, exit status: $set_password_exit_status, command: '$set_password_command', output:\n" . join("\n", @$set_password_output));
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to change password to '$password' for user '$username' on $computer_node_name");
return 0;
}
return 1 if $user_password_only;
# Get the list of services
my @services = $self->get_services_using_login_id($username);
if ($username eq 'root' && !@services) {
@services = ('sshd', 'cygsshd');
}
my $success = 0;
for my $service (@services) {
notify($ERRORS{'DEBUG'}, 0, "$service service is configured to run as $username, updating service credentials");
if ($self->set_service_credentials($service, $username, $password)) {
$success = 1;
last;
}
}
if(!$success) {
my $servicelist = join(', ', @services);
notify($ERRORS{'WARNING'}, 0, "failed to set credentials to $username ($password) for any of $servicelist");
}
# Get the scheduled tasks - check if any are configured to run as the user
my $scheduled_task_info = $self->get_scheduled_task_info();
for my $task_name (keys %$scheduled_task_info) {
my $run_as_user = $scheduled_task_info->{$task_name}{'Run As User'};
if ($run_as_user && $run_as_user =~ /^(.+\\)?$username$/i) {
notify($ERRORS{'DEBUG'}, 0, "password needs to be updated for scheduled task '$task_name' set to run as user '$run_as_user'");
# Attempt to update the scheduled task credentials
# Don't return false if this fails - not extremely vital
if (!$self->set_scheduled_task_credentials($task_name, $username, $password)) {
notify($ERRORS{'WARNING'}, 0, "failed to set '$task_name' scheduled task credentials to $username ($password)");
}
}
}
notify($ERRORS{'OK'}, 0, "changed password for user: $username");
return 1;
} ## end sub set_password
#//////////////////////////////////////////////////////////////////////////////
=head2 should_set_user_password
Parameters : $user_id
Returns : boolean
Description : Determines if a random password should be set for a user. This is
the default behavior. A random password will not be set if:
* The image is configured for Active Directory
* The user exists in the domain
=cut
sub should_set_user_password {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($user_id) = shift;
if (!$user_id) {
notify($ERRORS{'WARNING'}, 0, "user ID argument was not supplied");
return;
}
if (defined($self->{should_set_user_password}{$user_id})) {
return $self->{should_set_user_password}{$user_id};
}
# Check if image is configured for Active Directory
my $domain_dns_name = $self->data->get_image_domain_dns_name();
if ($domain_dns_name) {
my $user_info = get_user_info($user_id);
if (!$user_info) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if user password should be set, user info could not be retrieved for user ID $user_id");
return;
}
my $username = $user_info->{unityid};
if ($self->ad_user_exists($username)) {
$self->{should_set_user_password}{$user_id} = 0;
notify($ERRORS{'DEBUG'}, 0, "verified user exists in $domain_dns_name Active Directory domain: $username (ID: $user_id), random password will NOT be set for user");
}
else {
$self->{should_set_user_password}{$user_id} = 1;
notify($ERRORS{'WARNING'}, 0, "could not verify user exists in $domain_dns_name Active Directory domain: $username (ID: $user_id), random password will be set");
}
}
else {
# Not configured for Active Directory, random password should be set
$self->{should_set_user_password}{$user_id} = 1;
}
return $self->{should_set_user_password}{$user_id};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_user
Parameters : $username (optional
Returns :
Description :
=cut
sub enable_user {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
my $username = shift;
# If no argument was supplied, use the user specified in the DataStructure
if (!defined($username)) {
$username = $self->data->get_user_logon_id();
}
# Make sure the username was determined
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "username could not be determined");
return 0;
}
# Attempt to enable the user account (set ACTIVE=YES)
notify($ERRORS{'DEBUG'}, 0, "enabling user $username on $computer_node_name");
my ($enable_exit_status, $enable_output) = $self->execute("$system32_path/net.exe user $username /ACTIVE:YES");
if ($enable_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "user $username enabled on $computer_node_name");
}
elsif ($enable_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to enable user $username on $computer_node_name, exit status: $enable_exit_status, output:\n@{$enable_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to enable user $username on $computer_node_name");
return 0;
}
return 1;
} ## end sub enable_user
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_user
Parameters : $username
Returns : boolean
Description : Disables the user account specified by the argument.
=cut
sub disable_user {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Attempt to get the username from the arguments
my $username = shift;
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "username argument was not supplied");
return;
}
# Attempt to enable the user account (set ACTIVE=NO)
notify($ERRORS{'DEBUG'}, 0, "disbling user $username on $computer_node_name");
my ($exit_status, $output) = $self->execute("net user $username /ACTIVE:NO");
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to disable user $username on $computer_node_name");
return;
}
elsif (grep(/ successfully/, @$output)) {
notify($ERRORS{'OK'}, 0, "user $username disabled on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable user $username on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_pagefile
Parameters :
Returns :
Description :
=cut
sub disable_pagefile {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Set the registry key to blank
my $memory_management_key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';
my $reg_add_command = $system32_path . '/reg.exe add "' . $memory_management_key . '" /v PagingFiles /d "" /t REG_MULTI_SZ /f';
my ($reg_add_exit_status, $reg_add_output) = $self->execute($reg_add_command, 1);
if (defined($reg_add_exit_status) && $reg_add_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "set registry key to disable pagefile");
}
elsif (defined($reg_add_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to set registry key to disable pagefile, exit status: $reg_add_exit_status, output:\n@{$reg_add_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to set registry key to disable pagefile");
return;
}
# Attempt to reboot the computer in order to delete the pagefile
if ($self->reboot()) {
notify($ERRORS{'DEBUG'}, 0, "computer was rebooted after disabling pagefile in the registry");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to reboot computer after disabling pagefile");
return;
}
# Attempt to delete the pagefile from all drives
# A pagefile may reside on drives other than C: if additional volumes are configured in the image
my @volume_list = $self->get_volume_list();
if (!@volume_list || !(grep(/c/, @volume_list))) {
@volume_list = ('c');
}
# Loop through the drive letters and attempt to delete pagefile.sys on each drive
for my $drive_letter (@volume_list) {
if ($self->delete_file("$drive_letter:/pagefile.sys")) {
notify($ERRORS{'DEBUG'}, 0, "deleted pagefile.sys on all $drive_letter:");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to delete pagefile.sys on all $drive_letter:");
return;
}
}
return 1;
} ## end sub disable_pagefile
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_pagefile
Parameters :
Returns :
Description :
=cut
sub enable_pagefile {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $memory_management_key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';
my $reg_add_command = $system32_path . '/reg.exe add "' . $memory_management_key . '" /v PagingFiles /d "$SYSTEMDRIVE\\pagefile.sys 0 0" /t REG_MULTI_SZ /f';
my ($reg_add_exit_status, $reg_add_output) = $self->execute($reg_add_command, 1);
if (defined($reg_add_exit_status) && $reg_add_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "set registry key to enable pagefile");
}
elsif (defined($reg_add_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to set registry key to enable pagefile, exit status: $reg_add_exit_status, output:\n@{$reg_add_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to set registry key to enable pagefile");
return;
}
return 1;
} ## end sub enable_pagefile
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_ipv6
Parameters :
Returns :
Description :
=cut
sub enable_ipv6 {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
; This registry file contains the entries to disable all IPv6 components
; http://support.microsoft.com/kb/929852
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters]
"DisabledComponents"=dword:00000000
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set registry keys to enable IPv6");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry keys to enable IPv6");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_ipv6
Parameters :
Returns :
Description :
=cut
sub disable_ipv6 {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
; This registry file contains the entries to disable all IPv6 components
; http://support.microsoft.com/kb/929852
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters]
"DisabledComponents"=dword:ffffffff
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set registry keys to disable IPv6");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry keys to disable IPv6");
return 0;
}
return 1;
} ## end sub disable_ipv6
#//////////////////////////////////////////////////////////////////////////////
=head2 import_registry_string
Parameters :
Returns :
Description :
=cut
sub import_registry_string {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string = shift;
if (!defined($registry_string) || !$registry_string) {
notify($ERRORS{'WARNING'}, 0, "registry file path was not passed correctly as an argument");
return;
}
#notify($ERRORS{'DEBUG'}, 0, "registry string:\n" . $registry_string);
# Escape special characters with a backslash:
# \
# "
#notify($ERRORS{'DEBUG'}, 0, "registry string:\n$registry_string");
#$registry_string =~ s/\\+/\\\\\\\\/gs;
$registry_string =~ s/\\/\\\\/gs;
$registry_string =~ s/"/\\"/gs;
# Replace \\" with \"
#$registry_string =~ s/\\+(")/\\\\$1/gs;
# Replace regular newlines with Windows newlines
$registry_string =~ s/\r?\n/\r\n/gs;
# Remove spaces from end of file
$registry_string =~ s/\s+$//;
# Assemble a temporary registry file path
# Name the file after the sub which called this so you can tell where the .reg file was generated from
my @caller = caller(1);
my ($calling_sub) = $caller[3] =~ /([^:]+)$/;
my $calling_line = $caller[2];
my $temp_registry_file_path = "C:/Cygwin/tmp/$calling_sub\_$calling_line.reg";
# Echo the registry string to a file on the node
my $echo_registry_command = "rm -f $temp_registry_file_path; /usr/bin/echo.exe -E \"$registry_string\" > " . $temp_registry_file_path;
my ($echo_registry_exit_status, $echo_registry_output) = $self->execute($echo_registry_command, 0);
if (defined($echo_registry_exit_status) && $echo_registry_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "registry string contents echoed to $temp_registry_file_path");
}
elsif ($echo_registry_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to echo registry string contents to $temp_registry_file_path, exit status: $echo_registry_exit_status, output:\n@{$echo_registry_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to echo registry string contents to $temp_registry_file_path");
return;
}
# Run reg.exe IMPORT
if (!$self->reg_import($temp_registry_file_path)) {
notify($ERRORS{'WARNING'}, 0, "failed to import registry string contents from $temp_registry_file_path");
return;
}
# Delete the temporary .reg file
if (!$self->delete_file($temp_registry_file_path)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete the temporary registry file: $temp_registry_file_path");
}
return 1;
} ## end sub import_registry_string
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_query
Parameters : $registry_key, $registry_value (optional), $suppress_key_missing_error (optional)
Returns : If $registry_value argument is specified: scalar
If $registry_value argument is specified: hash reference
Description : Queries the registry on the Windows computer. The $registry_key
argument is required. The $registry_value argument is optional.
If $registry_value is specified, a scalar containing the value's
data is returned. The '(Default)' value's data is returned if the
$registry_value is either an empty string or exactly matches the
string '(Default)'.
If $registry_value is NOT specified, a hash reference containing
the keys's subkey names, values, and each value's data is
returned. The hash has 2 keys: 'subkeys', 'values'.
The 'subkeys' key contains an array reference. This array contains
the names of the key arguments subkeys.
The 'values' key contain a hash reference. The keys of this hash
are the names of the values that are set for the key argument.
Each of theses contains a 'type' and 'data' key containing the
registry value type and value data.
Example:
my $registry_data = $self->os->reg_query('HKLM/SYSTEM/CurrentControlSet/Services/NetBT/Parameters');
@{$registry_data->{subkeys}}[0] = 'Interfaces'
my @value_names = @{$registry_data->{values}};
$registry_data->{values}{$value_names[0]}{type} = 'REG_DWORD'
$registry_data->{values}{$value_names[0]}{data} = '123'
=cut
sub reg_query {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my $key_argument = shift;
if (!defined($key_argument) || !$key_argument) {
notify($ERRORS{'WARNING'}, 0, "registry key was not passed correctly as an argument");
return;
}
my $value_argument = shift;
my $suppress_key_missing_error = shift;
# Replace forward slashes and double backslashes with a single backslashes
$key_argument =~ s/[\\\/]+/\\/g;
# Removing trailing slashes
$key_argument =~ s/\\+$//g;
# Replace abbreviated key names so argument matches reg.exe output
$key_argument =~ s/^HKLM/HKEY_LOCAL_MACHINE/;
$key_argument =~ s/^HKCU/HKEY_CURRENT_USER/;
$key_argument =~ s/^HKCR/HKEY_CLASSES_ROOT/;
$key_argument =~ s/^HKU/HKEY_USERS/;
$key_argument =~ s/^HKCC/HKEY_CURRENT_CONFIG/;
# Assemble the reg.exe QUERY command
my $command .= "$system32_path/reg.exe QUERY \"$key_argument\" ";
if (!defined($value_argument)) {
# Do not add any switches
$command .= "/s";
}
elsif ($value_argument eq '(Default)') {
# Add /ve switch to query the default value
$command .= "/ve";
}
else {
# Escape slashes and double-quotes in the value argument
(my $value_argument_escaped = $value_argument) =~ s/([\\\"])/\\$1/g;
# Add /v switch to query a specific value
$command .= "/v \"$value_argument_escaped\"";
}
# Ignore error lines, it will throw off parsing
$command .= " 2>/dev/null";
# Run reg.exe QUERY
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to query registry key: $key_argument");
return;
}
elsif (grep(/unable to find the specified registry/, @$output)) {
my $message = "registry key or value does not exist:\nkey: '$key_argument'\n";
$message .= "value: '$value_argument'\n" if defined($value_argument);
$message .= "command: '$command'\n";
$message .= "exit status: $exit_status\n";
$message .= "output:\n" . join("\n", @{$output});
notify($ERRORS{'WARNING'}, 0, $message) unless $suppress_key_missing_error;
return;
}
elsif (!grep(/REG.EXE VERSION|HKEY/, @$output)) {
my $message = "failed to query registry:\nkey: '$key_argument'\n";
$message .= "value: '$value_argument'\n" if defined($value_argument);
$message .= "command: '$command'\n";
$message .= "exit status: $exit_status\n";
$message .= "output:\n" . join("\n", @{$output});
notify($ERRORS{'WARNING'}, 0, $message);
return;
}
# If value argument was specified, parse and return the data
if (defined($value_argument)) {
# Find the line containing the value information and parse it
my ($value, $type, $data) = map { $_ =~ /^\s*(.*)\s+(REG_\w+)\s+(.*)/ } @$output;
$value =~ s/(^\s+|\s+$)//g;
$type =~ s/(^\s+|\s+$)//g;
$data =~ s/(^\s+|\s+$)//g;
$value = '(Default)' if $value =~ /NO NAME/;
if ($type && defined($data)) {
$data = $self->reg_query_convert_data($type, $data);
notify($ERRORS{'DEBUG'}, 0, "retrieved registry data:\nkey: '$key_argument'\nvalue: '$value'\ntype: $type\ndata: '$data'");
return $data;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve registry data:\nkey: '$key_argument'\nvalue: '$value'\ncommand: '$command'\noutput:\n" . string_to_ascii(join("\n", @$output)));
return;
}
}
else {
# Value argument was not specified, construct a hash containing the contents of the key
my %registry_hash;
my $key;
for my $line (@$output) {
if ($line =~ /^HKEY/) {
$key = $line;
$registry_hash{$key} = {};
next;
}
elsif ($line =~ /^\s*(.*)\s+(REG_\w+)\s+(.*)/) {
my ($value, $type, $data) = ($1, $2, $3);
$value =~ s/(^\s+|\s+$)//g;
$type =~ s/(^\s+|\s+$)//g;
$data =~ s/(^\s+|\s+$)//g;
if ($type =~ /binary/i) {
#notify($ERRORS{'DEBUG'}, 0, "ignoring $type data, key: $key, value: $value");
next;
}
$value = '(Default)' if $value =~ /NO NAME/;
$data = $self->reg_query_convert_data($type, $data);
if (!defined($key) || !defined($value) || !defined($data) || !defined($type)) {
my $message = "some registry data is undefined:\n";
$message .= "line: '$line'\n";
$message .= "key: '" . ($key || 'undefined') . "'\n";
$message .= "value: '" . ($value || 'undefined') . "'\n";
$message .= "data: '" . ($data || 'undefined') . "'\n";
$message .= "type: '" . ($type || 'undefined') . "'";
notify($ERRORS{'WARNING'}, 0, $message);
}
else {
$registry_hash{$key}{$value}{type} = $type;
$registry_hash{$key}{$value} = $data;
}
}
elsif ($line =~ /^!/) {
# Ignore lines beginning with '!'
next;
}
elsif ($line =~ /^Error:/) {
# Ignore lines beginning with 'Error:' -- this is common and probably not a problem
# Example:
# Error: Access is denied in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MRxDAV\EncryptedDirectories
next;
}
else {
# TODO: add support for registry values that span multiple lines. Example:
# Comments REG_SZ This security update is for Microsoft .NET Framework 3.5 SP1.
# If you later install a more recent service pack, this security update will be uninstalled automatically.
# For more information, visit http://support.microsoft.com/kb/2416473.
#notify($ERRORS{'WARNING'}, 0, "unexpected output in line: '" . string_to_ascii($line) . "'\ncommand: '$command'");
}
}
my $message = "retrieved registry data:\n";
$message .= "key: '$key_argument'\n";
$message .= "value: '$value_argument'\n" if defined($value_argument);
$message .= "keys found: " . scalar(keys %registry_hash);
notify($ERRORS{'DEBUG'}, 0, $message);
return \%registry_hash;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_query_convert_data
Parameters : $type, $data
Returns : scalar
Description :
=cut
sub reg_query_convert_data {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($type, $data) = @_;
if (!$type || !defined($data)) {
notify($ERRORS{'WARNING'}, 0, "registry data type and data value arguments were not specified");
return;
}
if ($type =~ /dword/i) {
if ($data =~ /^[a-fA-F0-9]+$/) {
$data = "0x$data";
}
# Make sure a valid hex value was returned
if ($data !~ /^0x[a-fA-F0-9]+$/) {
notify($ERRORS{'WARNING'}, 0, "invalid $type value: '$data'");
return;
}
# Convert the hex value to decimal
$data = hex($data);
}
elsif ($type eq 'REG_MULTI_SZ') {
# Split data into an array, data values are separated in the output by '\0'
my @data_values = split(/\\0/, $data);
$data = \@data_values;
}
elsif ($type =~ /hex/) {
# Split data into an array, data values are separated in the output by ',00'
my @hex_values = split(/,00,?/, $data);
my $string;
for my $hex_value (@hex_values) {
my $decimal_value = hex $hex_value;
$string .= pack("C*", $decimal_value);
}
return $string;
}
return $data;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_add
Parameters : $registry_key, $registry_value, $registry_type, $registry_data
Returns : If successful: true
If failed: false
Description : Adds or sets a registry key.
=cut
sub reg_add {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my ($registry_key, $registry_value, $registry_type, $registry_data) = @_;
if (!defined($registry_key)) {
notify($ERRORS{'WARNING'}, 0, "registry key argument was not supplied");
return;
}
# Replace forward slashes with backslashes in registry key
$registry_key =~ s/\//\\\\/g;
if (defined($registry_value)) {
if (!defined($registry_type)) {
notify($ERRORS{'WARNING'}, 0, "registry value argument was supplied but type argument was not");
return;
}
my $valid_types = 'REG_SZ|REG_MULTI_SZ|REG_DWORD_BIG_ENDIAN|REG_DWORD|REG_BINARY|REG_DWORD_LITTLE_ENDIAN|REG_NONE|REG_EXPAND_SZ';
if ($registry_type !~ /^($valid_types)$/) {
notify($ERRORS{'WARNING'}, 0, "invalid registry type was specified: '$registry_type', the following types are supported:\n" . join("\n", sort split(/\|/, $valid_types)));
return;
}
if (!defined($registry_data)) {
notify($ERRORS{'WARNING'}, 0, "registry value argument was supplied but data argument was not");
return;
}
}
# Assemble the reg.exe ADD command
my $add_registry_command = "$system32_path/reg.exe ADD \"$registry_key\"";
if ($registry_value) {
if ($registry_value =~ /^default$/i) {
$add_registry_command .= " /ve";
}
else {
$add_registry_command .= " /v \"$registry_value\"";
}
$add_registry_command .= " /t $registry_type /d \"$registry_data\"";
}
$add_registry_command .= " /f";
my ($add_registry_exit_status, $add_registry_output) = $self->execute($add_registry_command, 1);
if (!defined($add_registry_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to add registry key: $registry_key");
return;
}
elsif ($add_registry_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "added registry key, command: $add_registry_command, output:\n" . join("\n", @$add_registry_output));
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to add registry key: $registry_key, exit status: $add_registry_exit_status, command:\n$add_registry_command\noutput:\n" . join("\n", @$add_registry_output));
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_delete
Parameters : registry key, registry value
Returns :
Description :
=cut
sub reg_delete {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my $registry_key = shift;
if (!defined($registry_key) || !$registry_key) {
notify($ERRORS{'WARNING'}, 0, "registry key was not passed correctly as an argument");
return;
}
my $registry_value = shift;
# Replace forward slashes with backslashes in registry key
$registry_key =~ s/\//\\\\/g;
# Run reg.exe DELETE
my $delete_registry_command;
if ($registry_value) {
$delete_registry_command = $system32_path . "/reg.exe DELETE \"$registry_key\" /v \"$registry_value\" /f";
}
else {
$delete_registry_command = $system32_path . "/reg.exe DELETE \"$registry_key\" /f";
$registry_value = '*';
}
my ($delete_registry_exit_status, $delete_registry_output) = $self->execute($delete_registry_command, 0);
if (defined($delete_registry_exit_status) && $delete_registry_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "deleted registry key: $registry_key, value: $registry_value, output:\n" . join("\n", @$delete_registry_output));
}
elsif ($delete_registry_output && grep(/unable to find/i, @$delete_registry_output)) {
# Error: The system was unable to find the specified registry key or value
notify($ERRORS{'DEBUG'}, 0, "registry key does NOT exist: $registry_key");
}
elsif ($delete_registry_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to delete registry key: $registry_key, value: $registry_value, exit status: $delete_registry_exit_status, output:\n@{$delete_registry_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to delete registry key: $registry_key, value: $registry_value");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_import
Parameters :
Returns :
Description :
=cut
sub reg_import {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the registry file path argument
my $registry_file_path = shift;
if (!defined($registry_file_path) || !$registry_file_path) {
notify($ERRORS{'WARNING'}, 0, "registry file path was not passed correctly as an argument");
return;
}
# Run reg.exe IMPORT
my $command .= $system32_path . "/reg.exe IMPORT $registry_file_path";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to import registry file: $registry_file_path");
return;
}
elsif (grep(/completed successfully/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "imported registry file: $registry_file_path");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to import registry file: $registry_file_path, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_export
Parameters :
Returns :
Description :
=cut
sub reg_export {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my $root_key = shift;
if (!$root_key) {
notify($ERRORS{'WARNING'}, 0, "registry root key was not passed correctly as an argument");
return;
}
# Get the registry file path argument
my $registry_file_path = shift;
if (!defined($registry_file_path) || !$registry_file_path) {
notify($ERRORS{'WARNING'}, 0, "registry file path was not passed correctly as an argument");
return;
}
$registry_file_path = $self->format_path_dos($registry_file_path);
# Replace forward slashes with backslashes in registry key
$root_key =~ s/\//\\\\/g;
# Run reg.exe EXPORT
my $command .= "cmd.exe /c \"del /Q \\\"$registry_file_path.tmp\\\" 2>NUL & $system32_path/reg.exe EXPORT $root_key \\\"$registry_file_path.tmp\\\" && type \\\"$registry_file_path.tmp\\\" > \\\"$registry_file_path\\\" && del /Q \\\"$registry_file_path.tmp\\\"\"";
my ($exit_status, $output) = $self->execute($command, 1);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to export registry key $root_key to file: $registry_file_path");
return;
}
elsif (grep(/completed successfully/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "exported registry key $root_key to file: $registry_file_path");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to export registry key $root_key to file: $registry_file_path, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_load
Parameters : $root_key, $hive_file_path
Returns :
Description :
=cut
sub reg_load {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my $root_key = shift;
if (!$root_key) {
notify($ERRORS{'WARNING'}, 0, "registry root key was not passed correctly as an argument");
return;
}
my $hive_file_path = shift;
if (!$hive_file_path) {
notify($ERRORS{'WARNING'}, 0, "registry hive file path was not passed correctly as an argument");
return;
}
$hive_file_path = $self->format_path_unix($hive_file_path);
# Escape backslashes in the root key
$root_key =~ s/\\+/\\\\/;
# Run reg.exe LOAD
my $command .= "$system32_path/reg.exe LOAD $root_key $hive_file_path";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to load registry hive file '$hive_file_path' into key $root_key");
return;
}
elsif (grep(/completed successfully/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "loaded registry hive file '$hive_file_path' into key $root_key");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to load registry hive file '$hive_file_path' into key $root_key, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reg_unload
Parameters : $root_key
Returns :
Description :
=cut
sub reg_unload {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my $root_key = shift;
if (!$root_key) {
notify($ERRORS{'WARNING'}, 0, "registry root key was not passed correctly as an argument");
return;
}
# Escape backslashes in the root key
$root_key =~ s/\\+/\\\\/;
# Run reg.exe UNLOAD
my $command .= "$system32_path/reg.exe UNLOAD $root_key";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to unload registry hive: $root_key");
return;
}
elsif (grep(/completed successfully/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "unloaded registry hive key: $root_key");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to unload registry hive: $root_key, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 add_hklm_run_registry_key
Parameters :
Returns :
Description :
=cut
sub add_hklm_run_registry_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $command_name = shift;
my $command = shift;
notify($ERRORS{'DEBUG'}, 0, "command name: " . $command_name);
notify($ERRORS{'DEBUG'}, 0, "command: " . $command);
# Replace forward slashes with backslashes, unless a space precedes the forward slash
$command =~ s/([^ ])\//$1\\/g;
notify($ERRORS{'DEBUG'}, 0, "forward to backslash: " . $command);
# Escape backslashes, can never have enough...
$command =~ s/\\/\\\\/g;
notify($ERRORS{'DEBUG'}, 0, "escape backslashes: " . $command);
# Escape quotes
$command =~ s/"/\\"/g;
notify($ERRORS{'DEBUG'}, 0, "escaped quotes: " . $command);
# Make sure arguments were supplied
if (!defined($command_name) && !defined($command)) {
notify($ERRORS{'WARNING'}, 0, "HKLM run registry key not added, arguments were not passed correctly");
return 0;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"$command_name"="$command"
EOF
notify($ERRORS{'DEBUG'}, 0, "registry string:\n" . $registry_string);
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "added HKLM run registry value, name: $command_name, command: $command");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to add HKLM run registry value, name: $command_name, command: $command");
return 0;
}
# Attempt to query the registry key to make sure it was added
my $reg_query_command = $system32_path . '/reg.exe query "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"';
my ($reg_query_exit_status, $reg_query_output) = $self->execute($reg_query_command, 1);
if (defined($reg_query_exit_status) && $reg_query_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "queried '$command_name' registry key:\n" . join("\n", @{$reg_query_output}));
}
elsif (defined($reg_query_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to query '$command_name' registry key, exit status: $reg_query_exit_status, output:\n@{$reg_query_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to query '$command_name' registry key");
return;
}
return 1;
} ## end sub add_hklm_run_registry_key
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_hklm_run_registry_key
Parameters :
Returns :
Description :
=cut
sub delete_hklm_run_registry_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $key_name = shift;
# Make sure argument was supplied
if (!defined($key_name) && !defined($key_name)) {
notify($ERRORS{'WARNING'}, 0, "HKLM run registry key not deleted, argument was not passed correctly");
return 0;
}
# Attempt to query the registry key to make sure it was added
my $reg_delete_command = $system32_path . '/reg.exe delete "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v "' . $key_name . '" /F';
my ($reg_delete_exit_status, $reg_delete_output) = $self->execute($reg_delete_command, 1);
if (defined($reg_delete_exit_status) && $reg_delete_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "deleted '$key_name' run registry key:\n" . join("\n", @{$reg_delete_output}));
}
elsif (defined($reg_delete_output) && grep(/unable to find/i, @{$reg_delete_output})) {
notify($ERRORS{'OK'}, 0, "'$key_name' run registry key was not deleted, it does not exist");
}
elsif (defined($reg_delete_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete '$key_name' run registry key, exit status: $reg_delete_exit_status, output:\n@{$reg_delete_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to delete '$key_name' run registry key");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_scheduled_task_credentials
Parameters : $task_name, $username, $password
Returns : boolean
Description : Sets the credentials under which a scheduled task runs.
=cut
sub set_scheduled_task_credentials {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($task_name, $username, $password) = @_;
if (!defined($task_name) || !defined($username) || !defined($password)) {
notify($ERRORS{'WARNING'}, 0, "scheduled task name, username, and password arguments were not supplied");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $password_escaped = _escape_password($password);
my $command = "$system32_path/schtasks.exe /Change /RU \"$username\" /RP \"$password_escaped\" /TN \"$task_name\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to change password for scheduled task: $task_name");
return;
}
elsif (grep (/^SUCCESS:/, @$output)) {
notify($ERRORS{'OK'}, 0, "changed password for scheduled task: $task_name");
return 1;
}
elsif (grep (/The parameter is incorrect/, @$output)) {
if ($task_name =~ /{/) {
# Ignore task such as: \User_Feed_Synchronization-{88DE35B9-C115-4DE3-AB5E-B9D2C4A2DB66}
# This one always fails and is not important
notify($ERRORS{'DEBUG'}, 0, "unable to change password for scheduled task '$task_name' due to Windows bug\ncommand: '$command'\noutput:\n" . join("\n", @$output));
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to change password for scheduled task '$task_name' due to Windows bug\ncommand: '$command'\noutput:\n" . join("\n", @$output));
# Don't return false - There is a bug in Windows 7
# If a scheduled task is created using the GUI using a schedule the password cannot be set via schtasks.exe
# schtasks.exe displays: ERROR: The parameter is incorrect.
# If the same task is changed to run on an event such as logon it works
}
return 1;
}
elsif (grep (/^ERROR:/, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to change password for scheduled task: $task_name, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned while attempting to change password for scheduled task: $task_name, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_scheduled_task
Parameters :
Returns :
Description :
=cut
sub delete_scheduled_task {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $task_name = shift;
# Run schtasks.exe to delete any existing task
my $delete_task_command = "$system32_path/schtasks.exe /Delete /F /TN \"$task_name\"";
my ($delete_task_exit_status, $delete_task_output) = $self->execute($delete_task_command);
if (defined($delete_task_exit_status) && $delete_task_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "deleted existing scheduled task '$task_name' on $computer_node_name");
}
elsif (defined($delete_task_output) && grep(/(task.*does not exist|cannot find the file specified)/i, @{$delete_task_output})) {
notify($ERRORS{'DEBUG'}, 0, "scheduled task '$task_name' does not exist on $computer_node_name");
}
elsif (defined($delete_task_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete existing scheduled task '$task_name' on $computer_node_name, exit status: $delete_task_exit_status, output:\n@{$delete_task_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to execute ssh command to delete existing scheduled task '$task_name' on $computer_node_name");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 create_startup_scheduled_task
Parameters : $task_name, $task_command, $task_user, $task_password
Returns :
Description :
=cut
sub create_startup_scheduled_task {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $task_name = shift;
my $task_command = shift;
my $task_user = shift;
my $task_password = shift;
# Escape backslashes, can never have enough...
$task_command =~ s/\\/\\\\/g;
# Replace forward slashes with backslashes
$task_command =~ s/([^\s])\//$1\\\\/g;
# Escape quote characters
$task_command =~ s/"/\\"/g;
# Make sure arguments were supplied
if (!defined($task_name) || !defined($task_command) || !defined($task_user) || !defined($task_password)) {
notify($ERRORS{'WARNING'}, 0, "startup scheduled task not added, arguments were not passed correctly");
return;
}
# You cannot create a task if one with the same name already exists
# Windows 6.x schtasks.exe has a /F which forces a new task to be created if one with the same name already exists
# This option isn't supported with XP and other older versions of Windows
if (!$self->delete_scheduled_task($task_name)) {
notify($ERRORS{'WARNING'}, 0, "unable to delete existing scheduled task '$task_name' on $computer_node_name");
}
# Run schtasks.exe to add the task
# Occasionally see this error even though it schtasks.exe returns exit status 0:
# WARNING: The Scheduled task "System Startup Script" has been created, but may not run because the account information could not be set.
my $password_escaped = _escape_password($task_password);
my $command = "$system32_path/schtasks.exe /Create /RU \"$task_user\" /RP \"$password_escaped\" /RL HIGHEST /SC ONSTART /TN \"$task_name\" /TR \"$task_command\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute ssh command created scheduled task '$task_name' on $computer_node_name");
return;
}
elsif (grep(/password is incorrect/, @$output)) {
# ERROR: The user name or password is incorrect.
notify($ERRORS{'WARNING'}, 0, "failed to create scheduled task '$task_name' on $computer_node_name\n" .
"username : '$task_user'\n" .
"password : '$task_password'\n" .
"escaped password : '$password_escaped'\n" .
"command:\n$command\n" .
"output:\n" . join("\n", @$output)
);
return 0;
}
elsif ($exit_status != 0) {
notify($ERRORS{'WARNING'}, 0, "failed to create scheduled task '$task_name' on $computer_node_name, exit status: $exit_status, command: '$command', output:\n@$output");
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "created scheduled task '$task_name' on $computer_node_name");
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 create_update_cygwin_startup_scheduled_task
Parameters : none
Returns : boolean
Description : Creates a scheduled task that runs on startup named 'VCL Update
Cygwin' which runs update_cygwin.cmd as root.
=cut
sub create_update_cygwin_startup_scheduled_task {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Avoid doing this more than once
if ($self->{created_update_cygwin_startup_scheduled_task}) {
return 1;
}
my $request_state = $self->data->get_request_state_name();
my $node_configuration_directory = $self->get_node_configuration_directory();
my $root_password;
if ($request_state =~ /(image|checkpoint)/) {
$root_password = $WINDOWS_ROOT_PASSWORD;
}
else {
if ($self->{root_password}) {
$root_password = $self->{root_password};
}
else {
$root_password = getpw();
$self->{root_password} = $root_password;
}
}
if (!$self->set_password('root', $root_password)) {
notify($ERRORS{'WARNING'}, 0, "unable to create startup scheduled task to update Cygwin, failed to set root password");
return;
}
# Make sure the 'VCL Post Load' task doesn't exist or they will conflict
$self->delete_scheduled_task('VCL Post Load');
# Copy the current version of update_cygwin.cmd to the computer
$self->copy_file_to("$SOURCE_CONFIGURATION_DIRECTORY/Scripts/update_cygwin.cmd", "$node_configuration_directory/Scripts/update_cygwin.cmd");
# Create a scheduled task to run post_load.cmd when the image boots
my $task_command = "$node_configuration_directory/Scripts/update_cygwin.cmd >> $node_configuration_directory/Logs/update_cygwin.log";
if ($self->create_startup_scheduled_task('VCL Update Cygwin', $task_command, 'root', $root_password)) {
$self->{created_update_cygwin_startup_scheduled_task} = 1;
return 1;
}
else {
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_autoadminlogon
Parameters :
Returns :
Description :
=cut
sub enable_autoadminlogon {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
; This file enables autoadminlogon for the root account
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="root"
"DefaultPassword"= "$WINDOWS_ROOT_PASSWORD"
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "enabled autoadminlogon");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable autoadminlogon");
return 0;
}
} ## end sub enable_autoadminlogon
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_autoadminlogon
Parameters :
Returns :
Description :
=cut
sub disable_autoadminlogon {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string .= <<EOF;
Windows Registry Editor Version 5.00
; This file disables autoadminlogon for the root account
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"AutoAdminLogon"="0"
"AutoLogonCount"="0"
"DefaultPassword"= ""
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "disabled autoadminlogon");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable autoadminlogon");
return 0;
}
} ## end sub disable_autoadminlogon
#//////////////////////////////////////////////////////////////////////////////
=head2 create_eventlog_entry
Parameters :
Returns :
Description :
=cut
sub create_eventlog_entry {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $message = shift;
# Make sure the message was passed as an argument
if (!defined($message)) {
notify($ERRORS{'WARNING'}, 0, "failed to create eventlog entry, message was passed as an argument");
return 0;
}
# Run eventcreate.exe to create an event log entry
my $eventcreate_command = $system32_path . '/eventcreate.exe /T INFORMATION /L APPLICATION /SO VCL /ID 555 /D "' . $message . '"';
my ($eventcreate_exit_status, $eventcreate_output) = $self->execute($eventcreate_command);
if (defined($eventcreate_exit_status) && $eventcreate_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "created event log entry on $computer_node_name: $message");
}
elsif (defined($eventcreate_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to create event log entry on $computer_node_name: $message, exit status: $eventcreate_exit_status, output:\n@{$eventcreate_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to create event log entry on $computer_node_name: $message");
return;
}
return 1;
} ## end sub create_eventlog_entry
#//////////////////////////////////////////////////////////////////////////////
=head2 reboot
Parameters : $total_wait_seconds, $attempt_delay_seconds, $attempt_limit, $pre_configure
Returns : boolean
Description :
=cut
sub reboot {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if an arguments were supplied
# Attempt to get the total number of seconds to wait from the arguments
my $total_wait_seconds = shift;
if (!defined($total_wait_seconds) || $total_wait_seconds !~ /^\d+$/) {
$total_wait_seconds = 300;
}
# Seconds to wait in between loop attempts
my $attempt_delay_seconds = shift;
if (!defined($attempt_delay_seconds) || $attempt_delay_seconds !~ /^\d+$/) {
$attempt_delay_seconds = 15;
}
# Number of power reset attempts to make if reboot fails
my $attempt_limit = shift;
if (!defined($attempt_limit) || $attempt_limit !~ /^\d+$/) {
$attempt_limit = 2;
}
my $pre_configure = shift;
$pre_configure = 1 unless defined $pre_configure;
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path();
my $reboot_start_time = time();
notify($ERRORS{'DEBUG'}, 0, "reboot will be attempted on $computer_node_name");
# Check if computer responds to ssh before preparing for reboot
if ($system32_path && $self->wait_for_ssh(0)) {
# Perform pre-reboot configuration tasks unless $pre_configure argument was supplied and is false
if ($pre_configure) {
# Make sure SSH access is enabled from private IP addresses
if (!$self->firewall_enable_ssh_private()) {
notify($ERRORS{'WARNING'}, 0, "reboot not attempted, failed to enable ssh from private IP addresses");
return 0;
}
# Set sshd service startup mode to manual
if (!$self->set_service_startup_mode('sshd', 'manual') && !$self->set_service_startup_mode('cygsshd', 'manual')) {
notify($ERRORS{'WARNING'}, 0, "reboot not attempted, unable to set sshd service startup mode to manual");
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "sshd service set to manual start");
}
# Make sure ping access is enabled from private IP addresses
if (!$self->firewall_enable_ping_private()) {
notify($ERRORS{'WARNING'}, 0, "reboot not attempted, failed to enable ping from private IP addresses");
return 0;
}
# Kill the screen saver process, it occasionally prevents reboots and shutdowns from working
$self->kill_process('logon.scr');
# Make sure update_cygwin.cmd runs after the computer is rebooted with the new hostname
$self->create_update_cygwin_startup_scheduled_task();
}
# Delete cached network configuration information so it is retrieved next time it is needed
delete $self->{network_configuration};
# Check if tsshutdn.exe exists on the computer
# tsshutdn.exe is the preferred utility, shutdown.exe often fails on Windows Server 2003
my $reboot_command;
my $windows_product_name = $self->get_product_name() || '';
if ($windows_product_name =~ /2003/ && $self->file_exists("$system32_path/tsshutdn.exe")) {
$reboot_command = "$system32_path/tsshutdn.exe 0 /REBOOT /DELAY:0 /V";
}
else {
$reboot_command = "$system32_path/shutdown.exe /r /t 0 /f";
}
my ($reboot_exit_status, $reboot_output) = $self->execute($reboot_command);
if (!defined($reboot_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to reboot $computer_node_name");
return;
}
elsif ($reboot_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "executed reboot command on $computer_node_name");
}
else {
# The following message may be displayed causing the reboot to fail:
# The computer is processing another action and thus cannot be shut down. Wait until the computer has finished its action, and then try again.(21)
notify($ERRORS{'WARNING'}, 0, "failed to reboot $computer_node_name, attempting power reset, output:\n" . join("\n", @$reboot_output));
# Call provisioning module's power_reset() subroutine
if ($self->provisioner->power_reset()) {
notify($ERRORS{'OK'}, 0, "initiated power reset on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "reboot failed, failed to initiate power reset on $computer_node_name");
return;
}
}
}
else {
# Computer did not respond to ssh
notify($ERRORS{'WARNING'}, 0, "$computer_node_name did not respond to ssh, graceful reboot cannot be performed, attempting hard reset");
# Call provisioning module's power_reset() subroutine
if ($self->provisioner->power_reset()) {
notify($ERRORS{'OK'}, 0, "initiated power reset on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "reboot failed, failed to initiate power reset on $computer_node_name");
return 0;
}
} ## end else [ if ($self->wait_for_ssh(0))
# Wait for the reboot to complete
my $result = $self->wait_for_reboot($total_wait_seconds, $attempt_delay_seconds, $attempt_limit);
my $reboot_duration = (time - $reboot_start_time);
if ($result) {
# Reboot was successful, calculate how long reboot took
notify($ERRORS{'OK'}, 0, "reboot complete on $computer_node_name, took $reboot_duration seconds");
# Clear any previous reboot_required reasons to prevent unnecessary reboots
delete $self->{reboot_required};
# Clear any imagemeta postoption reboot flag
$self->data->set_imagemeta_postoption('');
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "reboot failed on $computer_node_name, waited $reboot_duration seconds for computer to respond");
return 0;
}
} ## end sub reboot
#//////////////////////////////////////////////////////////////////////////////
=head2 shutdown
Parameters : $enable_dhcp
Returns :
Description :
=cut
sub shutdown {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get the argument that determines whether or not to disable DHCP before shutting down computer
my $enable_dhcp = shift;
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Kill the screen saver process, it occasionally prevents reboots and shutdowns from working
$self->kill_process('logon.scr');
# Clear the event log before shutting down
$self->clear_event_log();
my $shutdown_command = "/bin/cygstart.exe \$SYSTEMROOT/system32/cmd.exe /c \"";
if ($enable_dhcp) {
notify($ERRORS{'DEBUG'}, 0, "enabling DHCP and shutting down $computer_node_name");
my $private_interface_name = $self->get_private_interface_name();
my $public_interface_name = $self->get_public_interface_name();
if (!$private_interface_name || !$public_interface_name) {
notify($ERRORS{'WARNING'}, 0, "unable to determine private and public interface names, failed to enable DHCP and shut down $computer_node_name");
return;
}
$shutdown_command .= "$system32_path/netsh.exe interface ip set address name=\\\"$private_interface_name\\\" source=dhcp & ";
$shutdown_command .= "$system32_path/netsh.exe interface ip set dnsservers name=\\\"$private_interface_name\\\" source=dhcp & ";
$shutdown_command .= "$system32_path/netsh.exe interface ip set address name=\\\"$public_interface_name\\\" source=dhcp & ";
$shutdown_command .= "$system32_path/netsh.exe interface ip set dnsservers name=\\\"$public_interface_name\\\" source=dhcp & ";
$shutdown_command .= "$system32_path/netsh.exe interface ip reset $NODE_CONFIGURATION_DIRECTORY/Logs/ipreset.log & ";
$shutdown_command .= "$system32_path/ipconfig.exe /release & ";
$shutdown_command .= "$system32_path/ipconfig.exe /flushdns & ";
$shutdown_command .= "$system32_path/arp.exe -d * & ";
$shutdown_command .= "$system32_path/route.exe DELETE 0.0.0.0 MASK 0.0.0.0 & ";
}
else {
notify($ERRORS{'DEBUG'}, 0, "shutting down $computer_node_name");
}
# Check if tsshutdn.exe exists on the computer
# tsshutdn.exe is the preferred utility for Windows 2003, shutdown.exe often fails
my $windows_product_name = $self->get_product_name() || '';
if ($windows_product_name =~ /2003/ && $self->file_exists("$system32_path/tsshutdn.exe")) {
$shutdown_command .= "$system32_path/tsshutdn.exe 0 /POWERDOWN /DELAY:0 /V";
}
else {
$shutdown_command .= "$system32_path/shutdown.exe /s /t 0 /f";
}
$shutdown_command .= "\"";
my $attempt_count = 0;
my $attempt_limit = 12;
while ($attempt_count < $attempt_limit) {
$attempt_count++;
if ($attempt_count > 1) {
notify($ERRORS{'DEBUG'}, 0, "sleeping for 10 seconds before making next shutdown attempt");
sleep 10;
}
my ($shutdown_exit_status, $shutdown_output) = $self->execute($shutdown_command);
if (!defined($shutdown_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute ssh command to shutdown $computer_node_name");
last;
}
elsif (grep(/(processing another action)/i, @$shutdown_output)) {
notify($ERRORS{'WARNING'}, 0, "attempt $attempt_count/$attempt_limit: failed to execute shutdown command on $computer_node_name, exit status: $shutdown_exit_status, output:\n@{$shutdown_output}");
next;
}
else {
notify($ERRORS{'DEBUG'}, 0, "attempt $attempt_count/$attempt_limit: executed shutdown command on $computer_node_name");
last;
}
}
# Wait maximum of 3 minutes for the computer to become unresponsive
if (!$self->wait_for_no_ping(180)) {
# Computer never stopped responding to ping
notify($ERRORS{'WARNING'}, 0, "$computer_node_name never became unresponsive to ping after shutdown command was issued");
return;
}
# Wait maximum of 5 minutes for computer to power off
my $power_off = $self->provisioner->wait_for_power_off(300);
if (!defined($power_off)) {
# wait_for_power_off result will be undefined if the provisioning module doesn't implement a power_status subroutine
notify($ERRORS{'OK'}, 0, "unable to determine power status of $computer_node_name from provisioning module, sleeping 1 minute to allow computer time to shutdown");
sleep 60;
}
elsif (!$power_off) {
notify($ERRORS{'WARNING'}, 0, "$computer_node_name never powered off");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_service_startup_mode
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub set_service_startup_mode {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $service_name = shift;
my $startup_mode = shift;
# Make sure both arguments were supplied
if (!defined($service_name) && !defined($startup_mode)) {
notify($ERRORS{'WARNING'}, 0, "set service startup mode failed, service name and startup mode arguments were not passed correctly");
return 0;
}
# Make sure the startup mode is valid
if ($startup_mode !~ /boot|system|auto|demand|disabled|delayed-auto|manual/i) {
notify($ERRORS{'WARNING'}, 0, "set service startup mode failed, invalid startup mode: $startup_mode");
return 0;
}
# Set the mode to demand if manual was specified, specific to sc command
$startup_mode = "demand" if ($startup_mode eq "manual");
# Use sc.exe to change the start mode
my $service_startup_command = $system32_path . '/sc.exe config ' . "$service_name start= $startup_mode";
my ($service_startup_exit_status, $service_startup_output) = $self->execute($service_startup_command);
if (defined($service_startup_output) && grep(/service does not exist/, @$service_startup_output)) {
notify($ERRORS{'WARNING'}, 0, "$service_name service startup mode not set because service does not exist");
return;
}
elsif (defined($service_startup_exit_status) && $service_startup_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "$service_name service startup mode set to $startup_mode");
}
elsif ($service_startup_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to set $service_name service startup mode to $startup_mode, exit status: $service_startup_exit_status, output:\n@{$service_startup_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to set $service_name service startup mode to $startup_mode");
return;
}
return 1;
} ## end sub set_service_startup_mode
#//////////////////////////////////////////////////////////////////////////////
=head2 defragment_hard_drive
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub defragment_hard_drive {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Defragment the hard drive
notify($ERRORS{'OK'}, 0, "beginning to defragment the hard drive on $computer_node_name");
my ($defrag_exit_status, $defrag_output) = $self->execute({ command => "$system32_path/defrag.exe \$SYSTEMDRIVE -v", timeout => (15 * 60)});
if (defined($defrag_exit_status) && $defrag_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "hard drive defragmentation complete on $computer_node_name");
return 1;
}
elsif (defined($defrag_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to defragment the hard drive, exit status: $defrag_exit_status, output:\n@{$defrag_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run the SSH command to defragment the hard drive");
return;
}
} ## end sub defragment_hard_drive
#//////////////////////////////////////////////////////////////////////////////
=head2 prepare_post_load
Parameters : None.
Returns : If successful: true
If failed: false
Description : This subroutine should be called as the last step before an image
is captured if Sysprep is not is used. It enables autoadminlogon
so that root automatically logs on the next time the computer is
booted and creates a registry key under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.
This key causes the post_load.cmd script after the image is
loaded when root automatically logs on. This script needs to run
in order to configure networking and the Cygwin SSH service.
=cut
sub prepare_post_load {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $end_state = $self->{end_state} || 'off';
# Set the DevicePath registry key
# This is used to locate device drivers
if (!$self->set_device_path_key()) {
notify($ERRORS{'WARNING'}, 0, "failed to set the DevicePath registry key");
return;
}
# Get the node configuration directory
my $node_configuration_directory = $self->get_node_configuration_directory();
unless ($node_configuration_directory) {
notify($ERRORS{'WARNING'}, 0, "node configuration directory could not be determined");
return;
}
# Add HKLM run key to call post_load.cmd after the image comes up
if (!$self->add_hklm_run_registry_key('post_load.cmd', $node_configuration_directory . '/Scripts/post_load.cmd >> ' . $node_configuration_directory . '/Logs/post_load.log')) {
notify($ERRORS{'WARNING'}, 0, "unable to create run key to call post_load.cmd");
return;
}
# Enable autoadminlogon
if (!$self->enable_autoadminlogon()) {
notify($ERRORS{'WARNING'}, 0, "unable to enable autoadminlogon");
return 0;
}
# Shut down computer unless end_state argument was passed with a value other than 'off'
if ($end_state eq 'off') {
if (!$self->shutdown(1)) {
notify($ERRORS{'WARNING'}, 0, "failed to shut down computer");
return;
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_service_credentials
Parameters : $service_name, $username, $password
Returns :
Description :
=cut
sub set_service_credentials {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the username from the arguments
my $service_name = shift;
my $username = shift;
my $password = shift;
# Make sure arguments were supplied
if (!$service_name || !$username || !$password) {
notify($ERRORS{'WARNING'}, 0, "set service logon failed, service name, username, and password arguments were not passed correctly");
return 0;
}
# Attempt to set the service logon user name and password
my $password_escaped = _escape_password($password);
my $service_logon_command = "$system32_path/sc.exe config $service_name obj= \".\\$username\" password= \"$password_escaped\"";
my ($service_logon_exit_status, $service_logon_output) = $self->execute($service_logon_command);
if (defined($service_logon_exit_status) && $service_logon_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "changed logon credentials for '$service_name' service to $username ($password) on $computer_node_name");
}
elsif (defined($service_logon_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to change $service_name service logon credentials to $username ($password) on $computer_node_name, exit status: $service_logon_exit_status, output:\n@{$service_logon_output}");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to change $service_name service logon credentials to $username ($password) on $computer_node_name");
return;
}
return 1;
} ## end sub set_service_credentials
#//////////////////////////////////////////////////////////////////////////////
=head2 get_service_configuration
Parameters : none
Returns : hash reference
Description : Retrieves info for all services installed on the computer. A hash
reference is returned. The hash keys are service names.
Example:
"sshd" => {
"SERVICE_START_NAME" => ".\\root",
},
=cut
sub get_service_configuration {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{service_configuration} if $self->{service_configuration};
my $computer_node_name = $self->data->get_computer_node_name();
notify($ERRORS{'DEBUG'}, 0, "retrieving service configuration information from the registry");
my $services_key = 'HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services';
my $cygwin_path = $self->get_cygwin_installation_directory_path();
my $node_reg_file_path = $cygwin_path . "/tmp/services_$computer_node_name.reg";
my $mn_reg_file_path = "/tmp/vcl/services_$computer_node_name.reg";
# Export the registry key to the temp directory on the computer
if (!$self->reg_export($services_key, $node_reg_file_path)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve service credential information from the registry on $computer_node_name");
return;
}
# Copy the file to the managment node
if (!$self->copy_file_from($node_reg_file_path, $mn_reg_file_path)) {
return;
}
# Get the contents of the file on the managment node
my @reg_file_contents = $self->mn_os->get_file_contents($mn_reg_file_path);
if (!@reg_file_contents) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve contents of file on $computer_node_name containing exported service credential information from the registry: $node_reg_file_path");
return;
}
# Delete the registry files
$self->delete_file($node_reg_file_path);
$self->mn_os->delete_file($mn_reg_file_path);
my $service_configuration;
my $service_name;
for my $line (@reg_file_contents) {
if ($line =~ /Services\\([^\\]+)\]$/i) {
$service_name = $1;
$service_configuration->{$service_name} = {};
}
elsif ($line =~ /"ObjectName"="(.+)"/i) {
my $object_name = $1;
$service_configuration->{$service_name}{SERVICE_START_NAME} = $object_name;
}
}
#notify($ERRORS{'DEBUG'}, 0, "retrieved service configuration from $computer_node_name:\n" . format_data($service_configuration));
$self->{service_configuration} = $service_configuration;
return $self->{service_configuration};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_service_login_ids
Parameters : $login_id
Returns : array
Description : Enumerates the services installed on the computer and returns an
array containing the names of the services which are configured
to run using the credentials of the login ID specified as the
argument.
=cut
sub get_services_using_login_id {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $login_id = shift;
if (!$login_id) {
notify($ERRORS{'WARNING'}, 0, "unable to get services using login id, login id argument was not passed correctly");
return;
}
# Get configuration for all the services installed on the computer
my $service_configuration = $self->get_service_configuration();
my @matching_service_names;
for my $service_name (sort keys %$service_configuration) {
my $service_start_name = $service_configuration->{$service_name}{SERVICE_START_NAME};
# The service start name may be in any of the following forms:
# LocalSystem
# NT AUTHORITY\LocalService
# .\root
if ($service_start_name && $service_start_name =~ /^((NT AUTHORITY|\.)\\+)?$login_id$/i) {
push @matching_service_names, $service_name;
}
}
notify($ERRORS{'DEBUG'}, 0, "services found using login ID '$login_id' (" . scalar(@matching_service_names) . "): " . join(", ", @matching_service_names));
return @matching_service_names;
} ## end sub get_services_using_login_id
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_scheduled_task
Parameters :
Returns : 1 success 0 failure
Description :
=cut
sub disable_scheduled_task {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to get the task name from the arguments
my $task_name = shift;
if (!$task_name) {
notify($ERRORS{'OK'}, 0, "failed to disable scheduled task, task name argument was not correctly passed");
return;
}
# Attempt to delete the user account
my $schtasks_command = $system32_path . '/schtasks.exe /Change /DISABLE /TN "' . $task_name . '"';
my ($schtasks_exit_status, $schtasks_output) = $self->execute($schtasks_command, 1);
if (!defined($schtasks_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to disable $task_name scheduled task on $computer_node_name");
return;
}
elsif (grep(/have been changed/, @$schtasks_output)) {
notify($ERRORS{'OK'}, 0, "$task_name scheduled task disabled on $computer_node_name");
}
elsif (grep(/does not exist/, @$schtasks_output)) {
notify($ERRORS{'OK'}, 0, "$task_name was not disabled on $computer_node_name because it does not exist");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable $task_name scheduled task on $computer_node_name, exit status: $schtasks_exit_status, output:\n@{$schtasks_output}");
return 0;
}
return 1;
} ## end sub disable_scheduled_task
#//////////////////////////////////////////////////////////////////////////////
=head2 get_scheduled_task_info
Parameters :
Returns : hash reference
Description : Queries the scheduled tasks on a computer and returns the
configuration for each task. A hash reference is returned. The
hash keys are the scheduled task names.
Example:
"\\Microsoft\\Windows\\Time Synchronization\\SynchronizeTime" => {
"Author" => "Microsoft Corporation",
"Comment" => "Maintains date and time synchronization...",
"Days" => "1/1/2005",
"Delete Task If Not Rescheduled" => "Stop On Battery Mode",
"End Date" => "1:00:00 AM",
"HostName" => "WIN7-64BIT",
"Idle Time" => " any services that explicitly depend on it will fail to start.",
"Last Result" => 1056,
"Last Run Time" => "9/11/2011 1:00:00 AM",
"Logon Mode" => "Interactive/Background",
"Months" => "N/A",
"Next Run Time" => "9/18/2011 1:00:00 AM",
"Power Management" => "Enabled",
"Repeat: Every" => "SUN",
"Repeat: Stop If Still Running" => "Disabled",
"Repeat: Until: Duration" => "Disabled",
"Repeat: Until: Time" => "Every 1 week(s)",
"Run As User" => "Disabled",
"Schedule" => "Enabled",
"Schedule Type" => "72:00:00",
"Scheduled Task State" => " date and time synchronization will be unavailable. If this service is disabled",
"Start Date" => "Weekly",
"Start In" => "N/A",
"Start Time" => "Scheduling data is not available in this format.",
"Status" => "Ready",
"Stop Task If Runs X Hours and X Mins" => "LOCAL SERVICE",
"Task To Run" => "%windir%\\system32\\sc.exe start w32time task_started"
},
=cut
sub get_scheduled_task_info {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{scheduled_task_info} if $self->{scheduled_task_info};
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Attempt to retrieve scheduled task information
my $command = $system32_path . '/schtasks.exe /Query /V /FO CSV';
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to retrieve scheduled task information");
return;
}
elsif ($exit_status == 0) {
#notify($ERRORS{'DEBUG'}, 0, "retrieved scheduled task information, output:\n" . join("\n", @$output));
if (grep(/no scheduled tasks/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "there are no scheduled tasks on $computer_node_name, output:\n" . join("\n", @$output));
return {};
}
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve scheduled task information, exit status: $exit_status\ncommand: '$command'\noutput:\n" . join("\n", @$output));
return;
}
my @properties;
my $scheduled_task_info;
for my $line (@$output) {
# Split the line into an array and remove quotes from beginning and end of each value
my @values = split(/\",\"/, $line);
if (grep { $_ eq 'TaskName' } @values) {
@properties = @values;
next;
}
elsif (!@properties) {
notify($ERRORS{'WARNING'}, 0, "unable to parse scheduled task info, column definition line containing 'TaskName' was not found before line: '$line'");
return;
}
if (scalar(@properties) != scalar(@values)) {
notify($ERRORS{'WARNING'}, 0, "property count (" . scalar(@properties) . ") does not equal value count (" . scalar(@values) . ")\nproperties line: '$line'\nvalues: '" . join(",", @values));
next;
}
my $info;
for (my $i=0; $i<scalar(@values); $i++) {
$info->{$properties[$i]} = $values[$i];
}
my $task_name = $info->{TaskName};
if (defined($task_name)) {
$scheduled_task_info->{$task_name} = $info;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to determine scheduled task name from line: '$line', info:\n" . format_data($info));
}
}
$self->{scheduled_task_info} = $scheduled_task_info;
notify($ERRORS{'DEBUG'}, 0, "found " . scalar(keys %$scheduled_task_info) . " scheduled tasks");
return $scheduled_task_info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_dynamic_dns
Parameters : $interface (private or public or both)
Returns :
Description :
=cut
sub enable_dynamic_dns {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $interface = shift;
if (!defined($interface)) {
notify($ERRORS{'OK'}, 0, "interface not specified for function enable_dynamic_dns defaulting to public interface");
$interface = 'public'
}
my $management_node_keys = $self->data->get_management_node_keys();
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
; This file enables dynamic DNS updates
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"DisableDynamicUpdate"=dword:00000000
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"DisableReverseAddressRegistrations"=dword:00000000
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "enabled dynamic dns");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable dynamic dns");
return;
}
# Get the network configuration
my $network_configuration = $self->get_network_configuration();
if (!$network_configuration) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve network configuration");
return;
}
# Get the public and private interface names
my $public_interface_name = $self->get_public_interface_name();
my $private_interface_name = $self->get_private_interface_name();
# Assemble netsh.exe commands to disable DNS registration
my $netsh_command;
if ($interface eq 'public') {
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$public_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = both";
$netsh_command .= " ;";
}
elsif ($interface eq 'private') {
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$private_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = both";
$netsh_command .= " ;";
}
else {
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$public_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = both";
$netsh_command .= " ;";
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$private_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = both";
$netsh_command .= " ;";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = run_ssh_command($computer_node_name, $management_node_keys, $netsh_command);
if (defined($netsh_exit_status) && $netsh_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "enabled dynamic DNS registration on $interface adapters");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to enable dynamic DNS registration on $interface adapters, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to enable dynamic DNS registration on $interface adapters");
return;
}
return 1;
} ## end sub enable_dynamic_dns
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_dynamic_dns
Parameters :
Returns :
Description :
=cut
sub disable_dynamic_dns {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
; This file disables dynamic DNS updates
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"DisableDynamicUpdate"=dword:00000001
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"DisableReverseAddressRegistrations"=dword:00000001
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "disabled dynamic dns");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable dynamic dns");
return;
}
# Get the network configuration
my $network_configuration = $self->get_network_configuration();
if (!$network_configuration) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve network configuration");
return;
}
# Get the public and private interface names
my $public_interface_name = $self->get_public_interface_name();
my $private_interface_name = $self->get_private_interface_name();
# Assemble netsh.exe commands to disable DNS registration
my $netsh_command;
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$public_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = none";
$netsh_command .= " ;";
$netsh_command .= "$system32_path/netsh.exe interface ip set dns";
$netsh_command .= " name = \"$private_interface_name\"";
$netsh_command .= " source = dhcp";
$netsh_command .= " register = none";
$netsh_command .= " ;";
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_exit_status) && $netsh_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "disabled dynamic DNS registration on public and private adapters");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to disable dynamic DNS registration on public and private adapters, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to disable dynamic DNS registration on public and private adapters");
return;
}
return 1;
} ## end sub disable_dynamic_dns
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_netbios
Parameters :
Returns :
Description :
=cut
sub disable_netbios {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Attempt to query the registry for the NetBT service parameters
my $interface_registry_data = $self->reg_query('HKLM/SYSTEM/CurrentControlSet/Services/NetBT/Parameters/Interfaces');
if (!$interface_registry_data) {
notify($ERRORS{'WARNING'}, 0, "failed to query registry to determine NetBT network interface strings");
return;
}
my @interface_keys = grep(/Tcpip_/i, keys %{$interface_registry_data});
notify($ERRORS{'DEBUG'}, 0, "retrieved NetBT interface keys:\n" . join("\n", @interface_keys));
for my $interface_key (@interface_keys) {
my $netbios_options = $interface_registry_data->{$interface_key}{NetbiosOptions};
if ($self->reg_add($interface_key, 'NetbiosOptions', 'REG_DWORD', 2)) {
notify($ERRORS{'OK'}, 0, "disabled Netbios for interface: $interface_key");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disabled Netbios for interface: $interface_key");
return;
}
}
return 1;
} ## end sub disable_netbios
#//////////////////////////////////////////////////////////////////////////////
=head2 set_computer_description
Parameters :
Returns :
Description :
=cut
sub set_computer_description {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Attempt to get the description from the arguments
my $description = shift;
if (!$description) {
my $image_name = $self->data->get_image_name();
my $image_prettyname = $self->data->get_image_prettyname();
$description = "$image_prettyname ($image_name)";
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters]
"srvcomment"="$description"
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set computer description to '$description'");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set computer description to '$description'");
return 0;
}
} ## end sub set_computer_description
#//////////////////////////////////////////////////////////////////////////////
=head2 set_my_computer_name
Parameters :
Returns :
Description :
=cut
sub set_my_computer_name {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $image_prettyname = $self->data->get_image_prettyname();
my $value = shift;
$value = $image_prettyname if !$value;
my $add_registry_command .= $system32_path . "/reg.exe add \"HKCR\\CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\" /v LocalizedString /t REG_EXPAND_SZ /d \"$value\" /f";
my ($add_registry_exit_status, $add_registry_output) = $self->execute($add_registry_command, 1);
if (defined($add_registry_exit_status) && $add_registry_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "my computer name changed to '$value'");
}
elsif ($add_registry_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to change my computer name to '$value', exit status: $add_registry_exit_status, output:\n@{$add_registry_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to change my computer name to '$value'");
return;
}
return 1;
} ## end sub set_my_computer_name
#//////////////////////////////////////////////////////////////////////////////
=head2 get_firewall_configuration
Parameters : $protocol (optional), $no_cache (optional)
Returns : hash reference
Description : Retrieves information about the open firewall ports on the
computer and constructs a hash. The hash keys are protocol names.
Each protocol key contains a hash reference. The keys are either
port numbers or ICMP types.
By default, the firewall configuration is only retrieved from the
computer the first time this subroutine is called. This data is
then stored in $self->{firewall_configuration} as a cached copy.
Subsequent calls return this cached copy by default. An optional
$no_cache argument may be supplied to override this, forcing the
firewall configuration to be retrieved from the computer again.
Example:
"ICMP" => {
8 => {
"description" => "Allow inbound echo request"
}
},
"TCP" => {
22 => {
"interface_names" => [
"Local Area Connection 3"
],
"name" => "sshd"
},
3389 => {
"name" => "Remote Desktop",
"scope" => "192.168.53.54/255.255.255.255"
},
=cut
sub get_firewall_configuration {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $protocol = shift || '*';
my $no_cache = shift;
if (!$no_cache && $self->{firewall_configuration}) {
notify($ERRORS{'DEBUG'}, 0, "returning previously retrieved firewall configuration");
return $self->{firewall_configuration};
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $network_configuration = $self->get_network_configuration() || return;
my $firewall_configuration = {};
# Retrieve the normal non-ICMP firewall configuration unless the protocol argument specifically requested ICMP only
if ($protocol !~ /^icmp$/) {
notify($ERRORS{'DEBUG'}, 0, "retrieving non-ICMP firewall configuration from $computer_node_name");
my $port_command = "$system32_path/netsh.exe firewall show portopening verbose = ENABLE";
my ($port_exit_status, $port_output) = $self->execute($port_command);
if (!defined($port_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to show open firewall ports on $computer_node_name");
return;
}
elsif (!grep(/Port\s+Protocol/i, @$port_output)) {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned from command to show open firewall ports on $computer_node_name, command: '$port_command', exit status: $port_exit_status, output:\n" . join("\n", @$port_output));
return;
}
# Execute the netsh.exe command to retrieve firewall port openings
# Expected output:
# Port configuration for Local Area Connection 4:
# Port Protocol Mode Name
# -------------------------------------------------------------------
# 443 TCP Disable Secure Web Server (HTTPS)
# 22 TCP Disable Cygwin SSHD
my $configuration;
my $previous_protocol;
my $previous_port;
for my $line (@$port_output) {
if ($line =~ /^Port configuration for (.+):/ig) {
$configuration = $1;
}
elsif ($line =~ /^(\d+)\s+(\w+)\s+(\w+)\s+(.*)/ig) {
my $port = $1;
my $protocol = $2;
my $mode = $3;
my $name = $4;
$previous_protocol = $protocol;
$previous_port = $port;
next if ($mode !~ /enable/i);
$firewall_configuration->{$protocol}{$port}{name}= $name;
if ($configuration !~ /\w+ profile/i) {
push @{$firewall_configuration->{$protocol}{$port}{interface_names}}, $configuration;
}
}
elsif (!defined($previous_protocol) ||
!defined($previous_port) ||
!defined($firewall_configuration->{$previous_protocol}) ||
!defined($firewall_configuration->{$previous_protocol}{$previous_port})
) {
next;
}
elsif (my ($scope) = $line =~ /Scope:\s+(.+)/ig) {
$firewall_configuration->{$previous_protocol}{$previous_port}{scope} = $scope;
}
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "skipping retrieval of non-ICMP firewall configuration from $computer_node_name, protocol argument is '$protocol'");
}
# Retrieve the ICMP firewall configuration if the protocol argument specifically requested ICMP only or no argument was supplied
if ($protocol =~ /(icmp|\*)/) {
notify($ERRORS{'DEBUG'}, 0, "retrieving ICMP firewall configuration from $computer_node_name");
# Execute the netsh.exe ICMP command
my $icmp_command = "$system32_path/netsh.exe firewall show icmpsetting verbose = ENABLE";
my ($icmp_exit_status, $icmp_output) = $self->execute($icmp_command);
if (!defined($icmp_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to show firewall ICMP settings on $computer_node_name");
return;
}
elsif (!grep(/Mode\s+Type/i, @$icmp_output)) {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned from command to show firewall ICMP settings on $computer_node_name, command: '$icmp_command', exit status: $icmp_exit_status, output:\n" . join("\n", @$icmp_output));
return;
}
# ICMP configuration for Local Area Connection 4:
# Mode Type Description
# -------------------------------------------------------------------
# Disable 3 Allow outbound destination unreachable
# Disable 4 Allow outbound source quench
my $configuration;
for my $line (@$icmp_output) {
if ($line =~ /^ICMP configuration for (.+):/ig) {
$configuration = $1;
}
elsif ($line =~ /^(\w+)\s+(\d+)\s+(.*)/ig) {
my $mode = $1;
my $type = $2;
my $description = $3;
next if ($mode !~ /enable/i);
$firewall_configuration->{ICMP}{$type}{description} = $description || '';
if ($configuration !~ /\w+ profile/i) {
push @{$firewall_configuration->{ICMP}{$type}{interface_names}}, $configuration;
}
}
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "skipping retrieval ICMP firewall configuration from $computer_node_name, protocol argument is '$protocol'");
}
$self->{firewall_configuration} = $firewall_configuration;
notify($ERRORS{'DEBUG'}, 0, "retrieved firewall configuration from $computer_node_name:\n" . format_data($firewall_configuration));
return $firewall_configuration;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 parse_firewall_scope
Parameters : @scope_strings
Returns : string
Description : Parses an array of firewall scope strings and collpases them into
a simplified scope if possible. A comma-separated string is
returned. The scope string argument may be in the form:
-192.168.53.54/255.255.255.192
-192.168.53.54/24
-192.168.53.54
-*
-Any
-LocalSubnet
=cut
sub parse_firewall_scope {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my @scope_strings = @_;
if (!@scope_strings) {
notify($ERRORS{'WARNING'}, 0, "scope array argument was not supplied");
return;
}
my @netmask_objects;
for my $scope_string (@scope_strings) {
if ($scope_string =~ /(\*|Any)/i) {
my $netmask_object = new Net::Netmask('any');
push @netmask_objects, $netmask_object;
}
elsif ($scope_string =~ /LocalSubnet/i) {
my $network_configuration = $self->get_network_configuration() || return;
for my $interface_name (sort keys %$network_configuration) {
for my $ip_address (keys %{$network_configuration->{$interface_name}{ip_address}}) {
my $subnet_mask = $network_configuration->{$interface_name}{ip_address}{$ip_address};
my $netmask_object = new Net::Netmask("$ip_address/$subnet_mask");
if ($netmask_object) {
push @netmask_objects, $netmask_object;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to create Net::Netmask object, IP address: $ip_address, subnet mask: $subnet_mask");
return;
}
}
}
}
elsif (my @scope_sections = split(/,/, $scope_string)) {
for my $scope_section (@scope_sections) {
if (my ($start_address, $end_address) = $scope_section =~ /^([\d\.]+)-([\d\.]+)$/) {
my @netmask_range_objects = Net::Netmask::range2cidrlist($start_address, $end_address);
if (@netmask_range_objects) {
push @netmask_objects, @netmask_range_objects;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to call Net::Netmask::range2cidrlist to create an array of objects covering IP range: $start_address-$end_address");
return;
}
}
elsif (my ($ip_address, $subnet_mask) = $scope_section =~ /^([\d\.]+)\/([\d\.]+)$/) {
my $netmask_object = new Net::Netmask("$ip_address/$subnet_mask");
if ($netmask_object) {
push @netmask_objects, $netmask_object;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to create Net::Netmask object, IP address: $ip_address, subnet mask: $subnet_mask");
return;
}
}
elsif (($ip_address) = $scope_section =~ /^([\d\.]+)$/) {
my $netmask_object = new Net::Netmask("$ip_address");
if ($netmask_object) {
push @netmask_objects, $netmask_object;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to create Net::Netmask object, IP address: $ip_address");
return;
}
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to parse '$scope_section' section of scope: '$scope_string'");
return;
}
}
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected scope format: '$scope_string'");
return;
}
}
my @netmask_objects_collapsed = cidrs2cidrs(@netmask_objects);
if (@netmask_objects_collapsed) {
my $scope_result_string;
my @ip_address_ranges;
for my $netmask_object (@netmask_objects_collapsed) {
if ($netmask_object->first() eq $netmask_object->last()) {
push @ip_address_ranges, $netmask_object->first();
$scope_result_string .= $netmask_object->base() . ",";
}
else {
push @ip_address_ranges, $netmask_object->first() . "-" . $netmask_object->last();
$scope_result_string .= $netmask_object->base() . "/" . $netmask_object->mask() . ",";
}
}
$scope_result_string =~ s/,+$//;
my $argument_string = join(",", @scope_strings);
if ($argument_string ne $scope_result_string) {
notify($ERRORS{'DEBUG'}, 0, "parsed firewall scope:\n" .
"argument: '$argument_string'\n" .
"result: '$scope_result_string'\n" .
"IP address ranges:\n" . join(", ", @ip_address_ranges)
);
}
return $scope_result_string;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope: '" . join(",", @scope_strings) . "', no Net::Netmask objects were created");
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_firewall_port
Parameters : $protocol, $port, $scope (optional), $overwrite_existing (optional), $name (optional), $description (optional)
Returns : 1 if succeeded, 0 otherwise
Description : Enables a firewall port on the computer. The protocol and port
arguments are required. An optional scope argument may supplied.
A boolean overwrite existing may be supplied following the scope
argument. The default is false. If false, the existing firewall
configuration will be retrieved. If an exception already exists
for the given protocol and port, the existing and new scopes will
be joined. If set to true, any existing exception matching the
protocol and port will be removed and a new exception added.
=cut
sub enable_firewall_port {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($protocol, $port, $scope_argument, $overwrite_existing, $name, $description) = @_;
if (!defined($protocol) || !defined($port)) {
notify($ERRORS{'WARNING'}, 0, "protocol and port arguments were not supplied");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Make sure the protocol is uppercase
$protocol = uc($protocol);
$scope_argument = '*' if (!defined($scope_argument));
my $parsed_scope_argument = $self->parse_firewall_scope($scope_argument);
if (!$parsed_scope_argument) {
notify($ERRORS{'WARNING'}, 0, "failed to parse firewall scope argument: '$scope_argument'");
return;
}
$scope_argument = $parsed_scope_argument;
my $new_scope;
my $firewall_configuration;
if (!$overwrite_existing) {
# Need to append to firewall, retrieve current configuration
$firewall_configuration = $self->get_firewall_configuration($protocol) || return;
my $existing_scope = $firewall_configuration->{$protocol}{$port}{scope};
my $existing_name = $firewall_configuration->{$protocol}{$port}{name} || '';
# Check if an exception already exists for the protocol/port
if ($existing_scope) {
# Exception already exists, parse it
my $parsed_existing_scope = $self->parse_firewall_scope($existing_scope);
if (!$parsed_existing_scope) {
notify($ERRORS{'WARNING'}, 0, "failed to parse existing firewall scope: '$existing_scope'");
return;
}
$existing_scope = $parsed_existing_scope;
$new_scope = $self->parse_firewall_scope("$existing_scope,$scope_argument");
if (!$new_scope) {
notify($ERRORS{'WARNING'}, 0, "failed to parse new firewall scope: '$existing_scope,$scope_argument'");
return;
}
# Check if existing exception scope matches the scope argument
if ($new_scope eq $existing_scope) {
notify($ERRORS{'DEBUG'}, 0, "firewall is already open on $computer_node_name, existing scope includes scope argument:\n" .
"existing name: '$existing_name'\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"existing argument: $existing_scope\n" .
"scope argument: $scope_argument\n" .
"overwrite existing rule: " . ($overwrite_existing ? 'yes' : 'no')
);
return 1;
}
else {
notify($ERRORS{'DEBUG'}, 0, "firewall is already open on $computer_node_name, existing scope does NOT include scope argument:\n" .
"existing name: '$existing_name'\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"existing scope: $existing_scope\n" .
"scope argument: $scope_argument\n" .
"new scope: $new_scope\n" .
"overwrite existing rule: " . ($overwrite_existing ? 'yes' : 'no')
);
}
}
else {
$new_scope = $scope_argument;
notify($ERRORS{'DEBUG'}, 0, "firewall exception does not already exist on $computer_node_name:\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"scope: $new_scope\n" .
"overwrite existing rule: " . ($overwrite_existing ? 'yes' : 'no')
);
}
}
else {
$new_scope = $scope_argument;
notify($ERRORS{'DEBUG'}, 0, "configuring firewall exception on $computer_node_name:\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"scope: $new_scope\n" .
"overwrite existing rule: " . ($overwrite_existing ? 'yes' : 'no')
);
}
# Make sure the scope was figured out before proceeding
if (!$new_scope) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall exception on $computer_node_name, scope could not be determined");
return;
}
# Construct a name and description if arguments were not supplied
$name = "VCL: allow $protocol/$port from $new_scope" if !$name;
$description = "VCL: allow $protocol/$port from $new_scope" if !$description;
$name = substr($name, 0, 60) . "..." if length($name) > 60;
# Call the helper subroutine, this runs the appropriate netsh commands based on the version of Windows
if ($self->_enable_firewall_port_helper($protocol, $port, $new_scope, $overwrite_existing, $name, $description)) {
# Update the stored firewall configuration info if it was retrieved
if ($firewall_configuration) {
$firewall_configuration->{$protocol}{$port} = {
name => $name,
name => $description,
scope => $new_scope,
};
}
return 1;
}
else {
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 _enable_firewall_port_helper
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub _enable_firewall_port_helper {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($protocol, $port, $scope, $overwrite_existing, $name, $description) = @_;
if (!defined($protocol) || !defined($port) || !defined($scope) || !defined($name)) {
notify($ERRORS{'WARNING'}, 0, "protocol and port arguments were not supplied");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
if ($protocol =~ /icmp/i) {
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = $port";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " profile = ALL";
}
else {
if ($overwrite_existing) {
# Get the firewall configuration and check if an exception has been configured on an interface
my $firewall_configuration = $self->get_firewall_configuration($protocol) || return;
if (defined($firewall_configuration->{$protocol}{$port}{interface_names})) {
for my $interface_name (@{$firewall_configuration->{$protocol}{$port}{interface_names}}) {
notify($ERRORS{'DEBUG'}, 0, "removing existing firewall exception:\n" .
"protocol: $protocol\n" .
"port: $port\n" .
"interface: $interface_name"
);
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = $protocol";
$netsh_command .= " port = $port";
$netsh_command .= " interface = \"$interface_name\"";
$netsh_command .= " ; ";
}
}
}
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"$name\"";
$netsh_command .= " protocol = $protocol";
$netsh_command .= " port = $port";
$netsh_command .= " mode = ENABLE";
}
if ($scope eq '0.0.0.0/0.0.0.0') {
$netsh_command .= " scope = ALL";
}
else {
$netsh_command .= " scope = CUSTOM";
$netsh_command .= " addresses = $scope";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (!defined($netsh_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to open firewall on $computer_node_name, command: '$netsh_command'");
return;
}
elsif (@$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "opened firewall on $computer_node_name:\n" .
"name: '$name'\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"scope: $scope"
);
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to open firewall on $computer_node_name:\n" .
"name: '$name'\n" .
"protocol: $protocol\n" .
"port/type: $port\n" .
"command : '$netsh_command'\n" .
"exit status: $netsh_exit_status\n" .
"output:\n" . join("\n", @$netsh_output)
);
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_ping
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_ping {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " profile = ALL";
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow ping");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow ping, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow ping");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_ping_private
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_ping_private {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Get the public interface name
# Add command to disable ping on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "ping will be disabled on public interface: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = DISABLE";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "ping will not be disabled on public interface because public interface name could not be determined");
}
# Get the private interface name
# Add command to ensable ping on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "ping will be enabled on private interface: $private_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = DISABLE";
$netsh_command .= " profile = ALL";
$netsh_command .= ' ;';
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " interface = \"$private_interface_name\"";
}
else {
notify($ERRORS{'WARNING'}, 0, "private interface name could not be determined, ping will be enabled for all profiles");
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " profile = ALL";
$netsh_command .= ' ;';
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow ping on private interface");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow ping on private interface, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow ping on private interface");
return;
}
return 1;
} ## end sub firewall_enable_ping_private
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_disable_ping
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_disable_ping {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Get the private interface name
# Add command to disable ping on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "retrieved private interface name: $private_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = DISABLE";
$netsh_command .= " interface = \"$private_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "private interface name could not be determined");
}
# Get the public interface name
# Add command to disable ping on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "retrieved public interface name: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = DISABLE";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "public interface name could not be determined");
}
# Add command to disable ping for all profiles
$netsh_command .= "$system32_path/netsh.exe firewall set icmpsetting";
$netsh_command .= " type = 8";
$netsh_command .= " mode = DISABLE";
$netsh_command .= " profile = ALL";
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to disallow ping");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to disallow ping, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to disallow ping");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_ssh
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_ssh {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if the remote IP was passed correctly as an argument
my $remote_ip = shift;
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Get the public interface name
# Add command to disable SSH on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "SSH will be disabled on public interface: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "SSH will not be disabled on public interface because public interface name could not be determined");
}
# Get the private interface name
# Add command to disable SSH on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "SSH will be disabled on private interface: $private_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " interface = \"$private_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "SSH will not be disabled on private interface because private interface name could not be determined");
}
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Cygwin SSHD\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " mode = ENABLE";
if (!defined($remote_ip) || $remote_ip !~ /[\d\.\/]/) {
$remote_ip = 'all addresses'; # Set only to display in output
$netsh_command .= " scope = ALL";
}
else {
$netsh_command .= " scope = CUSTOM";
$netsh_command .= " addresses = $remote_ip";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow SSH from $remote_ip");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow SSH from $remote_ip, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow SSH from $remote_ip");
return;
}
return 1;
} ## end sub firewall_enable_ssh_private
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_ssh_private
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_ssh_private {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Get the public interface name
# Add command to disable SSH on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "SSH will be disabled on public interface: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "SSH will not be disabled on public interface because public interface name could not be determined");
}
# Get the private interface name
# Add command to ensable SSH on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "SSH will be enabled on private interface: $private_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " profile = ALL";
$netsh_command .= ' ;';
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Cygwin SSHD\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " interface = \"$private_interface_name\"";
}
else {
notify($ERRORS{'WARNING'}, 0, "private interface name could not be determined, SSH will be enabled for all profiles");
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Cygwin SSHD\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 22";
$netsh_command .= " profile = ALL";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow SSH on private interface");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow SSH on private interface, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow SSH on private interface");
return;
}
return 1;
} ## end sub firewall_enable_ssh_private
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_rdp
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_rdp {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if the remote IP was passed correctly as an argument
my $remote_ip = shift;
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Set the key to allow remote connections whenever enabling RDP
# Include this in the SSH command along with the netsh.exe commands rather than calling it separately for faster execution
$netsh_command .= $system32_path . '/reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /t REG_DWORD /v fDenyTSConnections /d 0 /f ; ';
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Remote Desktop\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " mode = ENABLE";
if (!defined($remote_ip) || $remote_ip !~ /[\d\.\/]/) {
$remote_ip = 'all addresses'; # Set only to display in output
$netsh_command .= " scope = ALL";
}
else {
$netsh_command .= " scope = CUSTOM";
$netsh_command .= " addresses = $remote_ip";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow RDP from $remote_ip");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow RDP from $remote_ip, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow RDP from $remote_ip");
return;
}
return 1;
} ## end sub firewall_enable_rdp
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_enable_rdp_private
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_enable_rdp_private {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Set the key to allow remote connections whenever enabling RDP
# Include this in the SSH command along with the netsh.exe commands rather than calling it separately for faster execution
$netsh_command .= $system32_path . '/reg.exe ADD "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /t REG_DWORD /v fDenyTSConnections /d 0 /f ; ';
# Get the public interface name
# Add command to disable RDP on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "RDP will be disabled on public interface: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "RDP will not be disabled on public interface because public interface name could not be determined");
}
# Get the private interface name
# Add command to ensable RDP on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "RDP will be enabled on private interface: $private_interface_name");
$netsh_command .= "netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " profile = ALL";
$netsh_command .= ' ;';
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Remote Desktop\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " mode = ENABLE";
$netsh_command .= " interface = \"$private_interface_name\"";
}
else {
notify($ERRORS{'WARNING'}, 0, "private interface name could not be determined, RDP will be enabled for all profiles");
$netsh_command .= "$system32_path/netsh.exe firewall set portopening";
$netsh_command .= " name = \"Remote Desktop\"";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " profile = ALL";
}
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to allow RDP on private interface");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to allow RDP on private interface, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to allow RDP on private interface");
return;
}
return 1;
} ## end sub firewall_enable_ssh_private
#//////////////////////////////////////////////////////////////////////////////
=head2 firewall_disable_rdp
Parameters :
Returns : 1 if succeeded, 0 otherwise
Description :
=cut
sub firewall_disable_rdp {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $netsh_command;
# Get the private interface name
# Add command to disable RDP on private interface if its name is found
my $private_interface_name = $self->get_private_interface_name();
if ($private_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "RDP will be disabled on private interface: $private_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " interface = \"$private_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "private interface name could not be determined");
}
# Get the public interface name
# Add command to disable RDP on public interface if its name is found
my $public_interface_name = $self->get_public_interface_name();
if ($public_interface_name) {
notify($ERRORS{'DEBUG'}, 0, "RDP will be disabled on public interface: $public_interface_name");
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " interface = \"$public_interface_name\"";
$netsh_command .= ' ;';
}
else {
notify($ERRORS{'WARNING'}, 0, "public interface name could not be determined");
}
# Add command to disable RDP for all profiles
$netsh_command .= "$system32_path/netsh.exe firewall delete portopening";
$netsh_command .= " protocol = TCP";
$netsh_command .= " port = 3389";
$netsh_command .= " profile = ALL";
# Execute the netsh.exe command
my ($netsh_exit_status, $netsh_output) = $self->execute($netsh_command);
if (defined($netsh_output) && @$netsh_output[-1] =~ /(Ok|The object already exists)/i) {
notify($ERRORS{'OK'}, 0, "configured firewall to disallow RDP");
}
elsif (defined($netsh_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to configure firewall to disallow RDP, exit status: $netsh_exit_status, output:\n@{$netsh_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to configure firewall to disallow RDP");
return;
}
return 1;
} ## end sub firewall_disable_rdp
#//////////////////////////////////////////////////////////////////////////////
=head2 get_network_configuration
Parameters : $no_cache (optional)
Returns :
Description : Retrieves the network configuration from the computer. Returns
a hash. The hash keys are the interface names:
$hash{<interface name>}{dhcp_enabled}
$hash{<interface name>}{description}
$hash{<interface name>}{ip_address}
$hash{<interface name>}{subnet_mask}
$hash{<interface name>}{default_gateway}
The hash also contains 2 keys containing the names of the
public and private interfaces:
$hash{public_name}
$hash{private_name}
=cut
sub get_network_configuration {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $no_cache = shift;
if ($no_cache) {
delete $self->{network_configuration};
}
elsif ($self->{network_configuration}) {
notify($ERRORS{'DEBUG'}, 0, "returning network configuration previously retrieved");
return $self->{network_configuration};
}
my $system32_path = $self->get_system32_path();
my $computer_node_name = $self->data->get_computer_node_name();
notify($ERRORS{'DEBUG'}, 0, "attempting to retrieve network configuration from $computer_node_name");
# Get the computer private IP address
my $computer_private_ip_address = $self->data->get_computer_private_ip_address();
if (!$computer_private_ip_address) {
notify($ERRORS{'DEBUG'}, 0, "unable to retrieve computer private IP address from reservation data");
return;
}
my $network_configuration;
notify($ERRORS{'DEBUG'}, 0, "attempting to retrieve network configuration information from $computer_node_name");
# Run ipconfig /all, try twice in case it fails the first time
my $ipconfig_attempt = 0;
my $ipconfig_attempt_limit = 2;
my $ipconfig_attempt_delay = 5;
my $ipconfig_command = $system32_path . '/ipconfig.exe /all';
my ($ipconfig_exit_status, $ipconfig_output);
IPCONFIG_ATTEMPT: while (++$ipconfig_attempt) {
($ipconfig_exit_status, $ipconfig_output) = $self->execute($ipconfig_command, 0);
if (!defined($ipconfig_output)) {
notify($ERRORS{'WARNING'}, 0, "attempt $ipconfig_attempt: failed to run the SSH command to run ipconfig");
}
elsif (grep(/Subnet Mask/i, @$ipconfig_output)) {
# Make sure output was returned
notify($ERRORS{'DEBUG'}, 0, "ran ipconfig on $computer_node_name:\n" . join("\n", @$ipconfig_output));
last;
}
else {
notify($ERRORS{'WARNING'}, 0, "attempt $ipconfig_attempt: failed to run ipconfig, exit status: $ipconfig_exit_status, output:\n" . join("\n", @$ipconfig_output));
}
if ($ipconfig_attempt >= $ipconfig_attempt_limit) {
notify($ERRORS{'WARNING'}, 0, "failed to get network configuration, made $ipconfig_attempt attempts to run ipconfig");
return;
}
sleep $ipconfig_attempt_delay;
}
my $interface_name;
my $previous_ip = 0;
my $setting;
for my $line (@{$ipconfig_output}) {
# Find beginning of interface section
if ($line =~ /\A[^\s].*adapter (.*):\s*\Z/i) {
# Get the interface name
$interface_name = $1;
if (defined($network_configuration->{$interface_name})) {
notify($ERRORS{'WARNING'}, 0, "interface with same name has already been found: $interface_name\n" . format_data($network_configuration->{$interface_name}));
}
else {
notify($ERRORS{'DEBUG'}, 0, "found interface: $interface_name");
}
next;
}
# Skip line if interface hasn't been found yet
next if !$interface_name;
# Take apart the line finding the setting name and value with a hideous regex
my ($line_setting, $value) = $line =~ /^[ ]{1,8}(\w[^\.]*\w)?[ \.:]+([^\r\n]*)/i;
# If the setting was found in the line, use it
# Otherwise, use the last found setting
$setting = $line_setting if $line_setting;
# Skip line if value wasn't found
next if !$value;
# Normalize the setting format, make it lowercase, convert dashes and spaces to underscores
$setting = lc($setting);
$setting =~ s/[ -]/_/g;
# Windows 6.x includes a version indicator in IP address lines such as IPv4, remove this
$setting =~ s/ip(v\d)?_address/ip_address/;
# Autoconfiguration ip address will be displayed as "Autoconfiguration IP Address. . . : 169.x.x.x"
$setting =~ s/autoconfiguration_ip/ip/;
# Check which setting was found and add to hash
if ($setting =~ /dns_servers/) {
push(@{$network_configuration->{$interface_name}{$setting}}, $value);
notify($ERRORS{'OK'}, 0, "$interface_name:$setting\n" . format_data($network_configuration->{$interface_name}{$setting}));
}
elsif ($setting =~ /ip_address/) {
$value =~ s/[^\.\d]//g;
$network_configuration->{$interface_name}{$setting}{$value} = '';
$previous_ip = $value;
}
elsif ($setting =~ /subnet_mask/) {
$network_configuration->{$interface_name}{ip_address}{$previous_ip} = $value;
}
elsif ($setting =~ /physical_address/) {
# Change '-' characters in MAC address to ':' to be consistent with Linux
$value =~ s/-/:/g;
$network_configuration->{$interface_name}{physical_address} = $value;
}
elsif ($setting) {
$network_configuration->{$interface_name}{$setting} = $value;
}
}
$self->{network_configuration} = $network_configuration;
# Can produce large output, if you need to monitor the configuration setting uncomment the below output statement
#notify($ERRORS{'DEBUG'}, 0, "retrieved network configuration:\n" . format_data($self->{network_configuration}));
return $self->{network_configuration};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_dhcp
Parameters :
Returns :
Description :
=cut
sub enable_dhcp {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $interface_name = shift;
if (!$interface_name) {
notify($ERRORS{'WARNING'}, 0, "interface name argument was not supplied");
return;
}
elsif ($interface_name =~ /^public$/i) {
$interface_name = $self->get_public_interface_name() || return;
}
elsif ($interface_name =~ /^private$/i) {
$interface_name = $self->get_private_interface_name() || return;
}
if ($self->is_dhcp_enabled($interface_name)) {
notify($ERRORS{'DEBUG'}, 0, "DHCP is already enabled on interface '$interface_name'");
return 1;
}
# Delete cached network configuration information so it is retrieved next time it is needed
delete $self->{network_configuration};
# Use netsh.exe to set the NIC to use DHCP
my $set_dhcp_command;
$set_dhcp_command .= "$system32_path/ipconfig.exe /release \"$interface_name\" 2>NUL";
$set_dhcp_command .= " ; $system32_path/netsh.exe interface ip set address name=\"$interface_name\" source=dhcp 2>&1";
$set_dhcp_command .= " ; $system32_path/netsh.exe interface ip set dns name=\"$interface_name\" source=dhcp register=none 2>&1";
$set_dhcp_command .= " ; $system32_path/ipconfig.exe /renew \"$interface_name\"";
# Just execute the command, SSH connection may be terminated while running it
$self->execute({command => $set_dhcp_command, display_output => 1, timeout => 90, ignore_error => 1});
my $wait_message = "waiting for DHCP to be enabled on $interface_name";
if ($self->code_loop_timeout(\&is_dhcp_enabled, [$self, $interface_name], $wait_message, 65, 5)) {
notify($ERRORS{'DEBUG'}, 0, "enabled DHCP on interface '$interface_name'");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable DHCP on interface '$interface_name'");
return;
}
} ## end sub enable_dhcp
#//////////////////////////////////////////////////////////////////////////////
=head2 is_dhcp_enabled
Parameters : $interface_name
Returns : 0, 1, or undefined
Description : Determines if DHCP is enabled on the interface.
=cut
sub is_dhcp_enabled {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $interface_name = shift;
if (!$interface_name) {
notify($ERRORS{'WARNING'}, 0, "interface name argument was not supplied");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $show_dhcp_command = "$system32_path/netsh.exe interface ip show address name=\"$interface_name\"";
my ($show_dhcp_status, $show_dhcp_output) = $self->execute($show_dhcp_command);
if (!defined($show_dhcp_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if DHCP is enabled on interface '$interface_name'");
return;
}
elsif (grep(/DHCP enabled.*yes/i, @$show_dhcp_output)) {
notify($ERRORS{'DEBUG'}, 0, "DHCP is enabled on interface '$interface_name'");
return 1;
}
elsif (grep(/DHCP enabled.*no/i, @$show_dhcp_output)) {
notify($ERRORS{'DEBUG'}, 0, "DHCP is NOT enabled on interface '$interface_name'");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to determine if DHCP is enabled on interface '$interface_name', command: $show_dhcp_command, output:\n" . join("\n", @$show_dhcp_output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ipconfig_renew
Parameters :
Returns :
Description :
=cut
sub ipconfig_renew {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Delete cached network configuration information
delete $self->{network_configuration};
delete $self->{public_interface_name};
delete $self->{private_interface_name};
# Assemble the ipconfig command, include the interface name if argument was specified
my $ipconfig_command = "$system32_path/ipconfig.exe /renew";
notify($ERRORS{'OK'}, 0, "attempting to renew IP configuration");
my ($ipconfig_status, $ipconfig_output) = $self->execute({
command => $ipconfig_command,
timeout => 65,
max_attempts => 1,
ignore_error => 1
});
if (!defined($ipconfig_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to renew IP configuration");
return;
}
elsif ($ipconfig_status ne 0) {
notify($ERRORS{'WARNING'}, 0, "failed to renew IP configuration, exit status: $ipconfig_status, output:\n" . join("\n", @$ipconfig_output));
return;
}
else {
notify($ERRORS{'OK'}, 0, "renewed IP configuration, output:\n" . join("\n", @$ipconfig_output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_capture_configuration_files
Parameters :
Returns :
Description : Deletes the capture configuration directory.
=cut
sub delete_capture_configuration_files {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Delete VCL scheduled task if it exists
$self->delete_scheduled_task('VCL Startup Configuration');
# Remove existing configuration files if they exist
notify($ERRORS{'OK'}, 0, "attempting to remove old configuration directory if it exists: $NODE_CONFIGURATION_DIRECTORY");
if (!$self->delete_file($NODE_CONFIGURATION_DIRECTORY)) {
notify($ERRORS{'WARNING'}, 0, "unable to remove existing configuration directory: $NODE_CONFIGURATION_DIRECTORY");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_user_group_policy_script_info
Parameters : none
Returns : hash reference
Description : Parses the script.ini file and constructs a hash reference:
{
"logoff" => {
0 => {
"cmdline" => "C:\\logoff.cmd",
"parameters" => ">> C:\\logoff.log"
},
1 => {
"cmdline" => "logoff2.cmd",
"parameters" => ""
},
},
"logon" => {
0 => {
"cmdline" => "logon.cmd",
"parameters" => ""
}
}
}
=cut
sub get_user_group_policy_script_info {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $scripts_ini_file_path = "$system32_path/GroupPolicy/User/Scripts/scripts.ini";
my @lines;
if ($self->file_exists($scripts_ini_file_path)) {
@lines = $self->get_file_contents($scripts_ini_file_path);
notify($ERRORS{'DEBUG'}, 0, "retrieved contents of scripts.ini:\n" . join("\n", @lines));
}
# Format of scripts.ini
# <--- BLANK FIRST LINE
# [Logon]
# 0CmdLine=logon.cmd
# 0Parameters=>> C:\logon.log
# 1CmdLine=logon1.cmd
# 1Parameters=
# [Logoff]
# 0CmdLine=C:\logoff.cmd
# 0Parameters=>> C:\logoff.log
my $info = {
'logon' => {},
'logoff' => {},
};
my $current_stage;
for my $line (@lines) {
# Ignore blank lines
next unless $line =~ /\w/;
# Remove Unicode nul and special characters added to beginning of file
$line =~ s/(\x00|\xFE|\xFF)//g;
# Find script stage section heading: [Logon] or [Logoff]
if ($line =~ /\[(logon|logoff)\]/i) {
$current_stage = lc($1);
next;
}
# Parse the line, format should be either:
# 0CmdLine=logon.cmd
# 0Parameters=>> C:\logon.log
my ($index, $property, $value) = $line =~ /^\s*(\d+)(\w+)=(.*)$/;
if (!defined($index)) {
notify($ERRORS{'WARNING'}, 0, "failed to parse scripts.ini, unable to parse line: '$line'\n" . join("\n", @lines));
return;
}
$property = lc($property);
if (defined($info->{$current_stage}{$index}{$property})) {
notify($ERRORS{'WARNING'}, 0, "failed to parse scripts.ini, multiple [$current_stage] '$property' lines exist for index $index:\n" . join("\n", @lines));
return;
}
$info->{$current_stage}{$index}{$property} = $value;
}
# Guarantee each script index has both a CmdLine and Parameters entry
for my $check_stage (keys %$info) {
for my $index (keys %{$info->{$check_stage}}) {
$info->{$check_stage}{$index}{'cmdline'} = '' unless defined($info->{$check_stage}{$index}{'cmdline'});
$info->{$check_stage}{$index}{'parameters'} = '' unless defined($info->{$check_stage}{$index}{'parameters'});
}
}
notify($ERRORS{'DEBUG'}, 0, "retrieved user group policy info:\n" . format_data($info));
return $info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 add_user_group_policy_script
Parameters : $stage_argument, $cmdline_argument, $parameters_argument
Returns : boolean
Description : Adds a traditional (non-Powershell) user group policy script to
the computer to be automatically executed at logon or logoff. The
stage argument must either be 'logon' or 'logoff'.
=cut
sub add_user_group_policy_script {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my ($stage_argument, $cmdline_argument, $parameters_argument) = @_;
if (!$stage_argument) {
notify($ERRORS{'WARNING'}, 0, "stage (logon/logoff) argument was not specified");
return;
}
elsif (!$stage_argument || $stage_argument !~ /^(logon|logoff)$/i) {
notify($ERRORS{'WARNING'}, 0, "stage argument is not valid: $stage_argument, it must be 'logon' or 'logoff'");
return;
}
elsif (!$cmdline_argument) {
notify($ERRORS{'WARNING'}, 0, "CmdLine argument was not specified");
return;
}
# Use lower case for all comparisons
$stage_argument = lc($stage_argument);
# Replace slashes with double backslashes
$cmdline_argument =~ s/[\\\/]+/\\/g;
my $cmdline_argument_escaped = quotemeta($cmdline_argument);
# Construct a hash which will be inserted into the scripts.ini info hash
my $script_argument = {
'cmdline' => $cmdline_argument,
'parameters' => $parameters_argument,
};
# Path to scripts.ini file
my $scripts_ini_directory_path = "$system32_path/GroupPolicy/User/Scripts";
my $scripts_ini_file_path = "$scripts_ini_directory_path/scripts.ini";
my $info = $self->get_user_group_policy_script_info() || return;
# Figure out the index to use
# Check if a script exists with an idential command line
my $add_index;
for my $index (sort {$a <=> $b} keys %{$info->{$stage_argument}}) {
my $cmdline = $info->{$stage_argument}{$index}{cmdline};
my $cmdline_escaped = quotemeta($cmdline);
if (lc($cmdline_escaped) eq lc($cmdline_argument_escaped)) {
$add_index = $index;
notify($ERRORS{'DEBUG'}, 0, "replacing existing $stage_argument script at index $add_index:\n" .
"existing script:\n" . format_data($info->{$stage_argument}{$index}) . "\n" .
"argument:\n" . format_data($script_argument)
);
last;
}
else {
notify($ERRORS{'DEBUG'}, 0, "command line of existing $stage_argument script at index $index does not match argument:\n" .
"existing: '$cmdline_escaped'\n" .
"argument: '$cmdline_argument_escaped'"
);
}
}
if (!defined($add_index)) {
# Existing matching script not found, add to end
$add_index = scalar keys %{$info->{$stage_argument}};
notify($ERRORS{'DEBUG'}, 0, "existing $stage_argument script was not found with command line matching argument, script will be added with index $add_index");
}
# Add or replace the script defined by the arguments
$info->{$stage_argument}{$add_index} = $script_argument;
notify($ERRORS{'DEBUG'}, 0, "updated scripts.ini content:\n" . format_data($info));
# Assemble the updated scripts.ini content
my $updated_contents;
for my $stage ('logon', 'logoff') {
# Capitalize the first letter and add it to the contents
my $stage_uc = ucfirst($stage);
$updated_contents .= "[$stage_uc]\n";
for my $index (sort {$a <=> $b} keys %{$info->{$stage}}) {
my $script = $info->{$stage}{$index};
$updated_contents .= $index . "CmdLine=" . $script->{cmdline} . "\n";
$updated_contents .= $index . "Parameters=" . $script->{parameters} . "\n";
}
}
notify($ERRORS{'DEBUG'}, 0, "updated $scripts_ini_file_path contents:\n$updated_contents");
return $self->create_text_file($scripts_ini_file_path, $updated_contents);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 remove_user_group_policy_script
Parameters : $stage_argument, $cmdline_argument
Returns : boolean
Description : Removes a traditional (non-Powershell) user logon or logoff
script group policy from the computer. The stage argument must
either be 'logon' or 'logoff'.
=cut
sub remove_user_group_policy_script {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get the arguments
my ($stage_argument, $cmdline_argument, $parameters_argument) = @_;
if (!$stage_argument) {
notify($ERRORS{'WARNING'}, 0, "stage (logon/logoff) argument was not specified");
return;
}
elsif (!$stage_argument || $stage_argument !~ /^(logon|logoff)$/i) {
notify($ERRORS{'WARNING'}, 0, "stage argument is not valid: $stage_argument, it must be 'logon' or 'logoff'");
return;
}
elsif (!$cmdline_argument) {
notify($ERRORS{'WARNING'}, 0, "CmdLine argument was not specified");
return;
}
# Use lower case for all comparisons
$stage_argument = lc($stage_argument);
# Replace slashes with double backslashes
$cmdline_argument =~ s/[\\\/]+/\\/g;
my $cmdline_argument_escaped = quotemeta($cmdline_argument);
# Extract the last part of the command line if a full path was specified
my ($cmdline_argument_executable) = $cmdline_argument =~ /([^\\]+)$/;
# Path to scripts.ini file
my $scripts_ini_directory_path = "$system32_path/GroupPolicy/User/Scripts";
my $scripts_ini_file_path = "$scripts_ini_directory_path/scripts.ini";
my $info = $self->get_user_group_policy_script_info() || return;
# Attempt to delete batch or script files specified by the argument
if ($cmdline_argument =~ /\\/) {
$self->delete_file($cmdline_argument);
}
else {
$self->delete_files_by_pattern("$system32_path/GroupPolicy/User/Scripts", ".*$cmdline_argument.*", 2);
}
# Find matching scripts, delete from hash if found
my $found_match = 0;
for my $index (sort {$a <=> $b} keys %{$info->{$stage_argument}}) {
my $cmdline = $info->{$stage_argument}{$index}{cmdline};
my $cmdline_escaped = quotemeta($cmdline);
# Extract the last part of the command line if it contains a full path
my ($cmdline_executable) = $cmdline =~ /([^\\]+)$/;
if (lc($cmdline_escaped) eq lc($cmdline_argument_escaped)) {
$found_match = 1;
notify($ERRORS{'DEBUG'}, 0, "existing command line matches argument, removing $stage_argument script at index $index:\n" .
"argument: $cmdline_argument\n" .
"existing script:\n" . format_data($info->{$stage_argument}{$index})
);
delete $info->{$stage_argument}{$index};
next;
}
elsif ($cmdline_argument_executable && $cmdline_executable && lc($cmdline_argument_executable) eq lc($cmdline_executable)) {
$found_match = 1;
notify($ERRORS{'DEBUG'}, 0, "existing command line executable matches argument executable, removing $stage_argument script at index $index:\n" .
"argument: $cmdline_argument\n" .
"argument executable: $cmdline_argument_executable\n" .
"existing script:\n" . format_data($info->{$stage_argument}{$index})
);
delete $info->{$stage_argument}{$index};
next;
}
}
if (!$found_match) {
notify($ERRORS{'DEBUG'}, 0, "scripts.ini update not necessary, did not find existing script matching command line argument: $cmdline_argument");
return 1;
}
# Assemble the updated scripts.ini content
my $updated_contents;
for my $stage ('logon', 'logoff') {
# Capitalize the first letter and add it to the contents
my $stage_uc = ucfirst($stage);
$updated_contents .= "[$stage_uc]\n";
# Reindex in case there are now gaps
my $new_index = 0;
for my $original_index (sort {$a <=> $b} keys %{$info->{$stage}}) {
my $script = $info->{$stage}{$original_index};
$updated_contents .= $new_index . "CmdLine=" . $script->{cmdline} . "\n";
$updated_contents .= $new_index . "Parameters=" . $script->{parameters} . "\n";
$new_index++;
}
}
notify($ERRORS{'DEBUG'}, 0, "updated $scripts_ini_file_path contents:\n$updated_contents");
return $self->create_text_file($scripts_ini_file_path, $updated_contents);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_gpupdate
Parameters :
Returns :
Description :
=cut
sub run_gpupdate {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $gpupdate_command = "cmd.exe /c $system32_path/gpupdate.exe /Force";
my ($gpupdate_status, $gpupdate_output) = $self->execute($gpupdate_command);
if (defined($gpupdate_output) && !grep(/error/i, @{$gpupdate_output})) {
notify($ERRORS{'OK'}, 0, "ran gpupdate /force");
}
elsif (defined($gpupdate_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run gpupdate /force, exit status: $gpupdate_status, output:\n@{$gpupdate_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to run ssh command to run gpupdate /force");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 fix_cygwin_nodosfilewarning
Parameters : none
Returns : boolean
Description : Cygwin will include a warning message in the output of a command
such as sed.exe or grep.exe which uses a DOS-style file path.
This warning is only displayed the first time this is
encountered, and not for subsequent commands. The extra warning
output can cause problems for other subroutines which parse the
output. This subroutine intentionally attempts to trigger the
warning so that it does not appear in the output for other
subroutines.
=cut
sub fix_cygwin_nodosfilewarning {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Run useless command with the goal of triggering Cygwin's "nodosfilewarning"
# This occurs one and only one time when a DOS path is used in a Cygwin command
# When it occurs, it causes problems for other subroutines which parse the output
# Example:
# cygwin warning:
# MS-DOS style path detected: C:/foo
# Preferred POSIX equivalent is: /cygdrive/c/foo
# CYGWIN environment variable option "nodosfilewarning" turns off this warning.
# Consult the user's guide for more details about POSIX paths:
# http://cygwin.com/cygwin-ug-net/using.html#using-pathnames
my $command = 'grep foo C:/foo';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to trigger Cygwin nodosfilewarning");
return;
}
elsif (grep(/nodosfilewarning/, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "intentionally triggered Cygwin nodosfilewarning, output:\n" . join("\n", @$output));
}
else {
notify($ERRORS{'DEBUG'}, 0, "Cygwin nodosfilewarning was not triggered, this is not necessarily a problem, command: '$command', output:\n" . join("\n", @$output));
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_text_file_line_endings
Parameters : $file_path, $line_ending (optional)
Returns : boolean
Description : Changes the line endings of a text file. This is equivalent to
running unix2dos or dos2unix. The default line ending type is
Windows. Unix-style line endings will be applied if the
$line_ending argument is supplied and does not contain 'win' or
'r'.
=cut
sub set_text_file_line_endings {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($file_path, $line_ending) = @_;
if (!$file_path) {
notify($ERRORS{'WARNING'}, 0, "file path argument was not supplied");
return;
}
$line_ending = 'win' unless $line_ending;
return $self->SUPER::set_text_file_line_endings($file_path, $line_ending);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 search_and_replace_in_files
Parameters :
Returns :
Description :
=cut
sub search_and_replace_in_files {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get the arguments
my $base_directory = shift;
my $search_pattern = shift;
my $replace_string = shift;
if (!$base_directory) {
notify($ERRORS{'WARNING'}, 0, "base directory was not specified as an argument");
return;
}
if (!$search_pattern) {
notify($ERRORS{'WARNING'}, 0, "search pattern was not specified as an argument");
return;
}
if (!$replace_string) {
notify($ERRORS{'WARNING'}, 0, "replace string was not specified as an argument");
return;
}
# Replace backslashes with a forward slash in the base directory path
$base_directory =~ s/\\+/\//g;
# Escape forward slashes in the search pattern and replace string
$search_pattern =~ s/\//\\\//g;
$replace_string =~ s/\//\\\//g;
# Escape special characters in the search pattern
$search_pattern =~ s/([!-])/\\$1/g;
# Run grep to find files matching pattern
my $grep_command = "/bin/grep -ilr \"$search_pattern\" \"$base_directory\" 2>&1 | grep -Ev \"\.(exe|dll)\"";
my ($grep_status, $grep_output) = $self->execute($grep_command, 0);
if (!defined($grep_status)) {
notify($ERRORS{'WARNING'}, 0, "unable to run ssh command to run grep on directory: $base_directory, pattern: $search_pattern");
return;
}
elsif (grep(/No such file/i, @$grep_output)) {
notify($ERRORS{'DEBUG'}, 0, "no files to process, base directory does not exist: $base_directory");
return 1;
}
elsif ("@$grep_output" =~ /(grep|bash):/i) {
notify($ERRORS{'WARNING'}, 0, "error occurred running command '$grep_command':\n" . join("\n", @$grep_output));
return;
}
elsif ($grep_status == 1) {
notify($ERRORS{'OK'}, 0, "no files were found matching pattern '$search_pattern' in: $base_directory");
return 1;
}
elsif (grep(/(grep|bash|warning|error):/i, @$grep_output) || $grep_status != 0) {
notify($ERRORS{'WARNING'}, 0, "error occurred running command: '$grep_command'\noutput:\n" . join("\n", @$grep_output));
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "found files matching pattern '$search_pattern' in $base_directory:\n" . join("\n", @$grep_output));
}
# Run sed on each matching file to replace string
my $sed_error_count = 0;
for my $matching_file (@$grep_output) {
$matching_file =~ s/\\+/\//g;
# Run grep to find files matching pattern
my $sed_command = "/bin/sed -i -e \"s/$search_pattern/$replace_string/\" \"$matching_file\"";
my ($sed_status, $sed_output) = $self->execute($sed_command, 0);
if (!defined($sed_status)) {
notify($ERRORS{'WARNING'}, 0, "unable to run ssh command to run sed on file: $matching_file");
$sed_error_count++;
}
elsif ("@$sed_output" =~ /No such file/i) {
notify($ERRORS{'WARNING'}, 0, "file was not found: $matching_file, sed output:\n" . join("\n", @$sed_output));
$sed_error_count++;
}
elsif ("@$grep_output" =~ /(grep|sed):/i) {
notify($ERRORS{'WARNING'}, 0, "error occurred running command '$sed_command':\n" . join("\n", @$sed_output));
$sed_error_count++;
}
elsif ($sed_status != 0) {
notify($ERRORS{'WARNING'}, 0, "sed exit status is $sed_status, output:\n" . join("\n", @$sed_output));
$sed_error_count++;
}
else {
notify($ERRORS{'OK'}, 0, "replaced '$search_pattern' with '$replace_string' in $matching_file");
# Apply Windows-style line endings to scripts.ini
$self->set_text_file_line_endings($matching_file);
}
}
# Return false if any errors occurred
if ($sed_error_count) {
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 copy_capture_configuration_files
Parameters : $source_configuration_directory
Returns :
Description : Copies all required configuration files to the computer,
including scripts, utilities, drivers needed to capture an
image.
=cut
sub copy_capture_configuration_files {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL module object method");
return;
}
my $management_node_keys = $self->data->get_management_node_keys();
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Get an array containing the configuration directory paths on the management node
# This is made up of all the the $SOURCE_CONFIGURATION_DIRECTORY values for the OS class and it's parent classes
# The first array element is the value from the top-most class the OS object inherits from
my @source_configuration_directories = $self->get_source_configuration_directories();
if (!@source_configuration_directories) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve source configuration directories");
return;
}
# Delete existing configuration directory if it exists
if (!$self->delete_capture_configuration_files()) {
notify($ERRORS{'WARNING'}, 0, "unable to delete existing capture configuration files");
return;
}
# Attempt to create the configuration directory if it doesn't already exist
if (!$self->create_directory($NODE_CONFIGURATION_DIRECTORY)) {
notify($ERRORS{'WARNING'}, 0, "unable to create directory on $computer_node_name: $NODE_CONFIGURATION_DIRECTORY");
return;
}
# Copy configuration files
for my $source_configuration_directory (@source_configuration_directories) {
# Check if source configuration directory exists on this management node
unless (-d "$source_configuration_directory") {
notify($ERRORS{'OK'}, 0, "source directory does not exist on this management node: $source_configuration_directory");
next;
}
notify($ERRORS{'OK'}, 0, "copying image capture configuration files from $source_configuration_directory to $computer_node_name");
if (run_scp_command("$source_configuration_directory/*", "$computer_node_name:$NODE_CONFIGURATION_DIRECTORY", $management_node_keys)) {
notify($ERRORS{'OK'}, 0, "copied $source_configuration_directory directory to $computer_node_name:$NODE_CONFIGURATION_DIRECTORY");
notify($ERRORS{'DEBUG'}, 0, "setting permissions of $NODE_CONFIGURATION_DIRECTORY to 777 on $computer_node_name");
$self->execute("/usr/bin/chmod.exe -R 777 $NODE_CONFIGURATION_DIRECTORY");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to copy $source_configuration_directory to $computer_node_name");
return;
}
}
# Delete any Subversion files which may have been copied
if (!$self->delete_files_by_pattern($NODE_CONFIGURATION_DIRECTORY, '.*\.svn.*')) {
notify($ERRORS{'WARNING'}, 0, "unable to delete Subversion files under: $NODE_CONFIGURATION_DIRECTORY");
}
# Delete any GitIgnore files which may have been copied
if (!$self->delete_files_by_pattern($NODE_CONFIGURATION_DIRECTORY, '.*\.gitignore.*')) {
notify($ERRORS{'WARNING'}, 0, "unable to delete GitIgnore files under: $NODE_CONFIGURATION_DIRECTORY");
}
$self->set_file_owner($NODE_CONFIGURATION_DIRECTORY, 'root');
# Find any files containing a 'WINDOWS_ROOT_PASSWORD' string and replace it with the root password
if ($self->search_and_replace_in_files($NODE_CONFIGURATION_DIRECTORY, 'WINDOWS_ROOT_PASSWORD', $WINDOWS_ROOT_PASSWORD)) {
notify($ERRORS{'DEBUG'}, 0, "set the Windows root password in configuration files");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the Windows root password in configuration files");
return;
}
return 1;
} ## end sub copy_capture_configuration_files
#//////////////////////////////////////////////////////////////////////////////
=head2 clean_hard_drive
Parameters : none
Returns : boolean
Description : Runs dism.exe and cleanmgr.exe to attempt to clean unnecessary
files from the hard drive.
=cut
sub clean_hard_drive {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
$self->run_dism_cleanup();
$self->run_cleanmgr();
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_dism_cleanup
Parameters : none
Returns : boolean
Description : Runs 'dism.exe /online /cleanup-image /spsuperseded' to clean up
service pack and update files from the computer's hard drive.
=cut
sub run_dism_cleanup {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $system32_path = $self->get_system32_path() || return;
# Run dism.exe
my $dism_command = "$system32_path/dism.exe /online /cleanup-image /spsuperseded";
my ($dism_exit_status, $dism_output) = $self->execute($dism_command, 1);
if (!defined($dism_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to run dism.exe on $computer_name");
return;
}
elsif (grep(/not found|no such file/i, @$dism_output)) {
# The dism.exe file may not be present
notify($ERRORS{'OK'}, 0, "dism.exe is not present on $computer_name");
}
elsif (grep(/No service pack backup files/i, @$dism_output)) {
notify($ERRORS{'DEBUG'}, 0, "dism.exe did not find any service pack files to remove on $computer_name");
}
elsif (grep(/spsuperseded option is not recognized/i, @$dism_output)) {
notify($ERRORS{'DEBUG'}, 0, "dism.exe is not able to remove service pack files for the OS version on $computer_name");
}
elsif (grep(/operation completed successfully/i, @$dism_output)) {
notify($ERRORS{'OK'}, 0, "ran dism.exe to clean image on $computer_name, output:\n" . join("\n", @$dism_output));
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned from dism.exe on $computer_name:\n" . join("\n", @$dism_output));
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_cleanmgr
Parameters : none
Returns : boolean
Description : Runs the cleanmgr.exe utility. This is the utility run by
selecting the "Disk Cleanup" option when viewing a hard drive's
properties.
=cut
sub run_cleanmgr {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $volume_caches_key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches';
# Add the cleanmgr.exe settings to the registry
my $registry_string .= <<EOF;
Windows Registry Editor Version 5.00
[$volume_caches_key]
EOF
# Retrieve the existing VolumeCaches registry settings
# The cleanmgr.exe options may vary depending on version and which Windows features are installed
# Dynamically determine all of the options available on the computer
my $volume_caches_info = $self->reg_query($volume_caches_key);
for my $key_path (keys %$volume_caches_info) {
# Get the key name:
# HKEY_LOCAL_MACHINE\SOFTWARE\...\VolumeCaches\Temporary Setup Files --> 'Temporary Setup Files'
my ($key) = $key_path =~ /([^\\]+)$/;
$registry_string .= "[$volume_caches_key\\$key]\n";
$registry_string .= "\"StateFlags9999\"=dword:00000002\n\n";
}
# Import the string into the registry
if (!$self->import_registry_string($registry_string)) {
notify($ERRORS{'WARNING'}, 0, "failed to set registry settings to configure the disk cleanup utility");
return;
}
# Run cleanmgr.exe
my $cleanmgr_command = "/bin/cygstart.exe $system32_path/cleanmgr.exe /SAGERUN:9999";
my ($cleanmgr_exit_status, $cleanmgr_output) = $self->execute($cleanmgr_command);
if (!defined($cleanmgr_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to run cleanmgr.exe");
return;
}
elsif (grep(/not found/i, @$cleanmgr_output)) {
# The cleanmgr.exe file may not be present - it is not installed by default on Windows Server 2008 and possibly others
notify($ERRORS{'OK'}, 0, "cleanmgr.exe is not present on $computer_node_name, this is usually because the Desktop Experience feature is not installed");
return 1;
}
# Wait for cleanmgr.exe to finish - may take a long time
my $message = 'waiting for cleanmgr.exe to finish';
my $total_wait_seconds = 600;
notify($ERRORS{'OK'}, 0, "started cleanmgr.exe, waiting up to $total_wait_seconds seconds for it to finish");
if ($self->code_loop_timeout(sub{!$self->is_process_running(@_)}, ['cleanmgr.exe'], $message, $total_wait_seconds, 15)) {
notify($ERRORS{'DEBUG'}, 0, "cleanmgr.exe has finished");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "cleanmgr.exe has not finished after waiting $total_wait_seconds seconds, the Recycle Bin may be corrupt");
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 is_process_running
Parameters : $process_identifier
Returns : boolean
Description : Determines if a process is running identified by the argument.
The argument should be the name of an executable. Wildcards (*)
are allowed.
=cut
sub is_process_running {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method, arguments:\n" . format_data(\@_));
return;
}
my $system32_path = $self->get_system32_path() || return;
my $process_identifier = shift;
if (!defined($process_identifier)) {
notify($ERRORS{'WARNING'}, 0, "process identifier argument was not supplied");
return;
}
my $command = "$system32_path/tasklist.exe /FI \"IMAGENAME eq $process_identifier\"";
my ($status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to determine if process is running: $process_identifier");
return;
}
elsif (grep(/No tasks/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "process is NOT running: $process_identifier");
return 0;
}
elsif (grep(/PID/, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "process is running: $process_identifier");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned from command to determine if process is running: '$command', output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 start_service
Parameters : $service_name
Returns : boolean
Description : Starts a service on the computer.
=cut
sub start_service {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $service_name = shift;
if (!$service_name) {
notify($ERRORS{'WARNING'}, 0, "service name was not passed as an argument");
return;
}
# The Client for NFS service should be controlled with the nfsadmin.exe utility
if ($service_name =~ /^NfsClnt$/) {
if ($self->start_nfs_client_service()) {
return 1;
}
}
my $command = $system32_path . '/net.exe start "' . $service_name . '"';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to to start service: $service_name");
return;
}
elsif (grep(/already been started/i, @{$output})) {
notify($ERRORS{'OK'}, 0, "service is already started: $service_name");
return 1;
}
elsif (grep(/(does not exist|service name is invalid)/i, @$output)) {
notify($ERRORS{'WARNING'}, 0, "service could not be started because it does not exist: $service_name, output:\n" . join("\n", @$output));
return 0;
}
elsif ($exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to start service: $service_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "started service: $service_name" . join("\n", @$output));
return 1;
}
} ## end sub start_service
#//////////////////////////////////////////////////////////////////////////////
=head2 stop_service
Parameters : $service_name
Returns : boolean
Description : Stops a service on the computer.
=cut
sub stop_service {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $service_name = shift;
if (!$service_name) {
notify($ERRORS{'WARNING'}, 0, "service name was not passed as an argument");
return;
}
# The Client for NFS service should be controlled with the nfsadmin.exe utility
if ($service_name =~ /^NfsClnt$/) {
if ($self->stop_nfs_client_service()) {
return 1;
}
}
my $command = $system32_path . '/net.exe stop "' . $service_name . '"';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to to stop service: $service_name");
return;
}
elsif (grep(/is not started/i, @{$output})) {
notify($ERRORS{'OK'}, 0, "service is not started: $service_name");
return 1;
}
elsif (grep(/(does not exist|service name is invalid)/i, @$output)) {
notify($ERRORS{'OK'}, 0, "service was not stopped because it does not exist: $service_name, output:\n" . join("\n", @$output));
return 1;
}
elsif ($exit_status || grep(/could not be stopped/i, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to stop service: $service_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "stopped service: $service_name" . join("\n", @$output));
}
return 1;
} ## end sub stop_service
#//////////////////////////////////////////////////////////////////////////////
=head2 restart_service
Parameters : $service_name
Returns : boolean
Description : Restarts the Windows service specified by the argument. The
service is started if it is not running.
=cut
sub restart_service {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $service_name = shift;
if (!$service_name) {
notify($ERRORS{'WARNING'}, 0, "service name was not passed as an argument");
return;
}
$self->stop_service($service_name);
return $self->start_service($service_name);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 service_exists
Parameters : $service_name
Returns : If service exists: 1
If service does not exist: 0
If error occurred: undefined
Description : Runs sc.exe query to determine if a service exists.
=cut
sub service_exists {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $service_name = shift;
if (!$service_name) {
notify($ERRORS{'WARNING'}, 0, "service name was not passed as an argument");
return;
}
my $command = $system32_path . '/sc.exe query "' . $service_name . '"';
my ($status, $output) = $self->execute($command, 1);
if (defined($output) && grep(/service does not exist/i, @{$output})) {
notify($ERRORS{'DEBUG'}, 0, "service does not exist: $service_name");
return 0;
}
elsif (defined($status) && $status == 0) {
notify($ERRORS{'DEBUG'}, 0, "service exists: $service_name");
}
elsif (defined($status)) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if service exists: $service_name, exit status: $status, output:\n@{$output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to run ssh command to determine if service exists");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 start_nfs_client_service
Parameters : none
Returns : boolean
Description : Starts the Client for NFS (NfsClnt) service on the computer using
the nfsadmin.exe utility.
=cut
sub start_nfs_client_service {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $command = $system32_path . '/nfsadmin.exe client start';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to to start Client for NFS service");
return;
}
elsif (grep(/already started/i, @$output)) {
notify($ERRORS{'OK'}, 0, "Client for NFS service is already started");
return 1;
}
elsif (grep(/no such file/i, @$output)) {
notify($ERRORS{'OK'}, 0, "failed to start Client for NFS service using nfsadmin.exe because utility does not exist on computer");
return;
}
elsif ($exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to start Client for NFS service, exit status: $exit_status, command: '$command', output:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "started Client for NFS service, output:\n" . join("\n", @$output));
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 stop_nfs_client_service
Parameters : none
Returns : boolean
Description : Stops the Client for NFS (NfsClnt) service on the computer using
the nfsadmin.exe utility.
=cut
sub stop_nfs_client_service {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $command = $system32_path . '/nfsadmin.exe client stop';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to to stop Client for NFS service");
return;
}
elsif (grep(/not been started/i, @$output)) {
notify($ERRORS{'OK'}, 0, "Client for NFS service is not started");
return 1;
}
elsif (grep(/no such file/i, @$output)) {
notify($ERRORS{'OK'}, 0, "failed to stop Client for NFS service using nfsadmin.exe because utility does not exist on computer");
return;
}
elsif ($exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to stop Client for NFS service, exit status: $exit_status, command: '$command', output:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "stopped Client for NFS service, output:\n" . join("\n", @$output));
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_installed_applications
Parameters :
Returns :
Description : Queries the registry for applications that are installed on the computer.
Subkeys under the following key contain this information:
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall
A reference to a hash is returned. The keys of this hash are the names of the subkeys under the Uninstall key.
Each subkey contains additional data formatted as follows:
my $installed_applications = $self->os->get_installed_applications();
$installed_applications->{pdfFactory Pro}{DisplayName} = 'pdfFactory Pro'
$installed_applications->{pdfFactory Pro}{UninstallString} = 'C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppinst2.exe /uninstall'
=cut
sub get_installed_applications {
my $self = shift;
if (!ref($self)) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Get an optional regex filter string
my $regex_filter = shift;
if ($regex_filter) {
notify($ERRORS{'DEBUG'}, 0, "attempting to retrieve applications installed on $computer_node_name matching filter: $regex_filter");
}
else {
notify($ERRORS{'DEBUG'}, 0, "attempting to retrieve all applications installed on $computer_node_name");
}
my $uninstall_key = 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall';
my $registry_data = $self->reg_query($uninstall_key);
if (!$registry_data) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve installed applications, failed to query registry: $uninstall_key");
return;
}
if ($self->is_64_bit()) {
my $uninstall_key_32 = 'HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall';
my $registry_data_32 = $self->reg_query($uninstall_key_32);
if ($registry_data_32) {
$registry_data = {%$registry_data, %$registry_data_32};
}
}
my $installed_products = {};
my @display_names;
# Loop through registry keys
REGISTRY_KEY: for my $registry_key (keys %$registry_data) {
my ($product_key) = $registry_key =~ /Uninstall\\([^\\]+)$/;
if ($registry_key eq $uninstall_key) {
next REGISTRY_KEY;
}
elsif (!$product_key) {
notify($ERRORS{'WARNING'}, 0, "unable to parse product key from registry key: $registry_key");
next REGISTRY_KEY;
}
elsif (!scalar(keys %{$registry_data->{$registry_key}})) {
#notify($ERRORS{'DEBUG'}, 0, "registry key does not contain any information: $registry_key");
next REGISTRY_KEY;
}
my $display_name = $registry_data->{$registry_key}{DisplayName} || $registry_data->{$registry_key}{'(Default)'};
if (!$display_name) {
next REGISTRY_KEY;
}
if ($regex_filter) {
if ($product_key =~ /$regex_filter/i) {
notify($ERRORS{'DEBUG'}, 0, "found product matching filter '$regex_filter':\n$product_key");
$installed_products->{$product_key} = $registry_data->{$registry_key};
push @display_names, $display_name;
next REGISTRY_KEY;
}
foreach my $info_key (keys %{$registry_data->{$registry_key}}) {
my $info_value = $registry_data->{$registry_key}{$info_key} || '';
if ($info_value =~ /$regex_filter/i) {
#notify($ERRORS{'DEBUG'}, 0, "found value matching filter '$regex_filter':\n{$product_key}{$info_key} = '$info_value'");
$installed_products->{$product_key} = $registry_data->{$registry_key};
push @display_names, $display_name;
next REGISTRY_KEY;
}
else {
#notify($ERRORS{'DEBUG'}, 0, "value does not match filter '$regex_filter':\n{$product_key}{$info_key} = '$info_value'");
}
}
}
else {
$installed_products->{$product_key} = $registry_data->{$registry_key};
push @display_names, $display_name;
}
}
my $installed_product_count = scalar(keys(%$installed_products));
if ($installed_product_count) {
if ($regex_filter) {
notify($ERRORS{'DEBUG'}, 0, "found $installed_product_count installed applications matching filter '$regex_filter':\n" . join("\n", sort @display_names));
}
else {
notify($ERRORS{'DEBUG'}, 0, "found $installed_product_count installed applications:\n" . join("\n", sort @display_names));
}
}
else {
if ($regex_filter) {
notify($ERRORS{'DEBUG'}, 0, "no applications are installed matching filter: '$regex_filter'");
}
else {
notify($ERRORS{'DEBUG'}, 0, "no applications are installed");
}
}
return $installed_products;
} ## end sub get_installed_applications
#//////////////////////////////////////////////////////////////////////////////
=head2 get_task_list
Parameters : None, must be called as an object method ($self->os->get_task_list())
Returns : If successful: Reference to an array containing the lines of output generated by tasklist.exe
If failed: false
Description : Runs tasklist.exe and returns its output. Tasklist.exe displays a list of applications and associated tasks running on the computer.
The following switches are used when tasklist.exe is executed:
/NH - specifies the column header should not be displayed in the output
/V - specifies that verbose information should be displayed
The output is formatted as follows (column header is not included):
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
System Idle Process 0 Console 0 16 K Running NT AUTHORITY\SYSTEM
=cut
sub get_task_list {
my $self = shift;
if (!ref($self)) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Attempt to run tasklist.exe with /NH for no header
my $tasklist_command = $system32_path . '/tasklist.exe /NH /V';
my ($tasklist_exit_status, $tasklist_output) = $self->execute($tasklist_command, 0);
if (defined($tasklist_exit_status) && $tasklist_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "ran tasklist.exe");
}
elsif (defined($tasklist_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run tasklist.exe, exit status: $tasklist_exit_status, output:\n@{$tasklist_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to run tasklist.exe");
return;
}
return $tasklist_output;
} ## end sub get_task_list
#//////////////////////////////////////////////////////////////////////////////
=head2 get_task_info
Parameters : $pattern (optional)
Returns : hash reference
Description : Runs tasklist.exe and returns a hash reference containing
information about the processes running on the computer. The hash
keys are the process PIDs.
=cut
sub get_task_info {
my $self = shift;
if (!ref($self)) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $pattern = shift;
my $system32_path = $self->get_system32_path() || return;
# Attempt to run tasklist.exe with /NH for no header
my $tasklist_command = $system32_path . '/tasklist.exe /V /FO CSV';
my ($tasklist_exit_status, $tasklist_output) = $self->execute($tasklist_command, 0);
if (defined($tasklist_exit_status) && $tasklist_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "ran tasklist.exe");
}
elsif (defined($tasklist_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run tasklist.exe, exit status: $tasklist_exit_status, output:\n@{$tasklist_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to run tasklist.exe");
return;
}
my $csv = Text::CSV_XS->new();
my $heading_line = shift @$tasklist_output;
$csv->parse($heading_line);
my @column_names = $csv->fields();
notify($ERRORS{'DEBUG'}, 0, "column names: " . join(", ", @column_names));
$csv->column_names(@column_names);
my $tasklist_io = IO::String->new(join("\n", @$tasklist_output));
my $tasks = $csv->getline_hr_all($tasklist_io);
my $task_info = {};
for my $task (@$tasks) {
my $task_pid = $task->{'PID'};
my $task_name = $task->{'Image Name'};
if ($pattern && $task_name !~ /$pattern/i) {
next;
}
$task_info->{$task_pid} = $task;
}
notify($ERRORS{'DEBUG'}, 0, "task info:\n" . format_data($task_info));
return $task_info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 apply_security_templates
Parameters : None
Returns : If successful: true
If failed: false
Description : Runs secedit.exe to apply the security template files configured
for the OS. Windows security template files use the .inf
extension.
Security templates are always copied from the management node
rather than using a copy stored locally on the computer. This
allows templates updated centrally to always be applied to the
computer. Template files residing locally on the computer are not
processed.
The template files should reside in a directory named "Security"
under the OS source configuration directory. An example would be:
/usr/local/vcl/tools/Windows_XP/Security/xp_security.inf
This subroutine supports OS module inheritence meaning that if an
OS module inherits from another OS module, the security templates
of both will be applied. The order is from the highest parent
class down to any template files configured specifically for the
OS module which was instantiated.
This allows any Windows OS module to inherit from another class
which has security templates defined and override any settings
from above.
Multiple .inf security template files may be configured for each
OS. They will be applied in alphabetical order.
Example: Inheritence is configured as follows, with the XP module
being the instantiated (lowest) class:
VCL::Module
^
VCL::Module::OS
^
VCL::Module::OS::Windows
^
VCL::Module::OS::Windows::Version_5
^
VCL::Module::OS::Windows::Version_5::XP
The XP and Windows classes each have 2 security template files
configured in their respective Security directories:
/usr/local/vcl/tools/Windows/Security/eventlog_512.inf
/usr/local/vcl/tools/Windows/Security/windows_security.inf
/usr/local/vcl/tools/Windows_XP/Security/xp_eventlog_4096.inf
/usr/local/vcl/tools/Windows_XP/Security/xp_security.inf
The templates will be applied in the order shown above. The
Windows templates are applied first because it is a parent class
of XP. For each class being processed, the files are applied in
alphabetical order.
Assume in the example above that the Windows module's
eventlog_512.inf file configures the event log to be a maximum of
512 KB and that it is desirable under Windows XP to configure a
larger maximum event log size. In order to achieve this,
xp_eventlog_4096.inf was placed in XP's Security directory which
contains settings to set the maximum size to 4,096 KB. The
xp_eventlog_4096.inf file is applied after the eventlog_512.inf
file, thus overridding the setting configured in the
eventlog_512.inf file. The resultant maximum event log size will
be set to 4,096 KB.
=cut
sub apply_security_templates {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module:: module object method");
return;
}
my $management_node_keys = $self->data->get_management_node_keys();
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Get an array containing the configuration directory paths on the management node
# This is made up of all the the $SOURCE_CONFIGURATION_DIRECTORY values for the OS class and it's parent classes
# The first array element is the value from the top-most class the OS object inherits from
my @source_configuration_directories = $self->get_source_configuration_directories();
if (!@source_configuration_directories) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve source configuration directories");
return;
}
# Loop through the configuration directories for each OS class on the management node
# Find any .inf files residing under Security
my @inf_file_paths;
for my $source_configuration_directory (@source_configuration_directories) {
notify($ERRORS{'OK'}, 0, "checking if any security templates exist in: $source_configuration_directory/Security");
# Check each source configuration directory for .inf files under a Security subdirectory
my $find_command = "find $source_configuration_directory/Security -name \"*.inf\" 2>&1 | sort -f";
my ($find_exit_status, $find_output) = run_command($find_command);
if (defined($find_output) && grep(/No such file/i, @$find_output)) {
notify($ERRORS{'DEBUG'}, 0, "path does not exist: $source_configuration_directory/Security");
}
elsif (defined($find_exit_status) && $find_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "ran find, output:\n" . join("\n", @$find_output));
push @inf_file_paths, @$find_output;
}
elsif (defined($find_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run find, exit status: $find_exit_status, output:\n@{$find_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run local command to run find");
return;
}
}
# Remove any newlines from the file paths in the array
chomp(@inf_file_paths);
notify($ERRORS{'DEBUG'}, 0, "security templates will be applied in this order:\n" . join("\n", @inf_file_paths));
# Make sure the Security directory exists before attempting to copy files or SCP will fail
if (!$self->create_directory("$NODE_CONFIGURATION_DIRECTORY/Security")) {
notify($ERRORS{'WARNING'}, 0, "unable to create directory: $NODE_CONFIGURATION_DIRECTORY/Security");
}
# Loop through the .inf files and apply them to the node using secedit.exe
my $inf_count = 0;
my $error_occurred = 0;
for my $inf_file_path (@inf_file_paths) {
$inf_count++;
# Get the name of the file
my ($inf_file_name) = $inf_file_path =~ /.*[\\\/](.*)/g;
my ($inf_file_root) = $inf_file_path =~ /.*[\\\/](.*).inf/gi;
# Construct the target path, prepend a number to indicate the order the files were processed
my $inf_target_path = "$NODE_CONFIGURATION_DIRECTORY/Security/$inf_count\_$inf_file_name";
# Copy the file to the node and set the permissions to 644
notify($ERRORS{'DEBUG'}, 0, "attempting to copy file to: $inf_target_path");
if (run_scp_command($inf_file_path, "$computer_node_name:$inf_target_path", $management_node_keys)) {
notify($ERRORS{'DEBUG'}, 0, "copied file: $computer_node_name:$inf_target_path");
# Set permission on the copied file
if (!$self->execute("/usr/bin/chmod.exe -R 644 $inf_target_path", 0)) {
notify($ERRORS{'WARNING'}, 0, "could not set permissions on $inf_target_path");
}
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to copy $inf_file_path to $inf_target_path");
next;
}
# Assemble the paths secedit needs
my $secedit_exe = $system32_path . '/secedit.exe';
my $secedit_db = '$SYSTEMROOT/security/Database/' . "$inf_count\_$inf_file_root.sdb";
my $secedit_log = '$SYSTEMROOT/security/Logs/' . "$inf_count\_$inf_file_root.log";
# Attempt to delete an existing log file
$self->delete_file($secedit_log);
# The inf path must use backslashes or secedit.exe will fail
$inf_target_path =~ s/\//\\\\/g;
# Run secedit.exe
# Note: secedit.exe returns exit status 3 if a warning occurs, this will appear in the log file:
# Task is completed. Warnings occurred for some attributes during this operation. It's ok to ignore.
my $secedit_command = "$secedit_exe /configure /cfg \"$inf_target_path\" /db $secedit_db /log $secedit_log /overwrite /quiet";
my ($secedit_exit_status, $secedit_output) = $self->execute($secedit_command, 0);
if (defined($secedit_exit_status) && ($secedit_exit_status == 0 || $secedit_exit_status == 3)) {
notify($ERRORS{'OK'}, 0, "ran secedit.exe to apply $inf_file_name");
}
elsif (defined($secedit_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to run secedit.exe to apply $inf_target_path, exit status: $secedit_exit_status, command: $secedit_command, output:\n" . join("\n", @$secedit_output));
$error_occurred++;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to run secedit.exe to apply $inf_target_path");
$error_occurred++;
}
}
if ($error_occurred) {
return 0;
}
else {
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 kill_process
Parameters : String containing task name pattern
Returns : If successful: true
If failed: false
Description : Runs taskkill.exe to kill processes with names matching a
pattern. Wildcards can be specified using *, but task name
patterns cannot begin with a *.
Example pattern: notepad*
=cut
sub kill_process {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Get the task name pattern argument
my $task_pattern = shift;
unless ($task_pattern) {
notify($ERRORS{'WARNING'}, 0, "task name pattern argument was not specified");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Typical output:
# Task was killed, exit status = 0:
# SUCCESS: The process with PID 3476 child of PID 5876 has been terminated.
# No tasks match pattern, exit status = 0:
# INFO: No tasks running with the specified criteria.
# Bad search filter, exit status = 1:
# ERROR: The search filter cannot be recognized.
# Attempt to kill task
my $taskkill_command = $system32_path . "/taskkill.exe /F /T /FI \"IMAGENAME eq $task_pattern\"";
my ($taskkill_exit_status, $taskkill_output) = $self->execute($taskkill_command, '1');
if (defined($taskkill_exit_status) && $taskkill_exit_status == 0 && (my @killed = grep(/SUCCESS/, @$taskkill_output))) {
notify($ERRORS{'OK'}, 0, scalar @killed . "processe(s) killed matching pattern: $task_pattern\n" . join("\n", @killed));
}
elsif (defined($taskkill_exit_status) && $taskkill_exit_status == 0 && grep(/No tasks running/i, @{$taskkill_output})) {
notify($ERRORS{'DEBUG'}, 0, "process does not exist matching pattern: $task_pattern");
}
elsif (defined($taskkill_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "unable to kill process matching pattern: $task_pattern\n" . join("\n", @{$taskkill_output}));
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to kill process matching pattern: $task_pattern");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_ie_configuration_page
Parameters : None.
Returns : If successful: true
If failed: false
Description : Sets registry keys which prevent Internet Explorer's
configuration page from appearing the first time a user launches
it. This subroutine also enables the Internet Explorer Phishing
Filter and sets it to not display a balloon message.
=cut
sub disable_ie_configuration_page {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\Main]
"DisableFirstRunCustomize"=dword:00000001
"RunOnceHasShown"=dword:00000001
"RunOnceComplete"=dword:00000001
[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Internet Explorer\\PhishingFilter]
"Enabled"=dword:00000002
"ShownVerifyBalloon"=dword:00000001
[HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Internet Explorer\\Main]
"DisableFirstRunCustomize"=dword:00000001
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set the registry keys to disable IE runonce");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to disable IE runonce");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_rdp_audio
Parameters : None.
Returns : If successful: true
If failed: false
Description : Sets the registry keys to allow audio redirection via RDP
sessions. This is disabled by default under Windows Server 2008
and possibly other versions of Windows. Also sets the Windows
Audio service to start automatically.
=cut
sub enable_rdp_audio {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp]
"fDisableCam"=dword:00000000
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services]
"fDisableCam"=dword:00000000
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set the registry keys to enable RDP audio");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to enable RDP audio");
return 0;
}
# Configure the Windows Audio service to start automatically
if ($self->set_service_startup_mode('AudioSrv', 'auto')) {
notify($ERRORS{'DEBUG'}, 0, "set the Windows Audio service startup mode to auto");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the Windows Audio service startup mode to auto");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_client_compatible_rdp_color_depth
Parameters : None.
Returns : If successful: true
If failed: false
Description : Sets the registry keys to allow clients use 24 or 32-bit color
depth in the RDP session.
=cut
sub enable_client_compatible_rdp_color_depth {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Terminal Services]
"ColorDepth"=dword:000003e7
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set the registry keys to enable client compatible RDP color depth");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to enable client compatible RDP color depth");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_node_configuration_directory
Parameters : None.
Returns : String containing filesystem path
Description : Retrieves the $NODE_CONFIGURATION_DIRECTORY variable value the
OS. This is the path on the computer's hard drive where image
configuration files and scripts are copied.
=cut
sub get_node_configuration_directory {
return $NODE_CONFIGURATION_DIRECTORY;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_kms_client_product_keys
Parameters : none
Returns : hash reference
Description : Retrieves the $KMS_CLIENT_PRODUCT_KEYS variable.
=cut
sub get_kms_client_product_keys {
return $KMS_CLIENT_PRODUCT_KEYS;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_kms_client_product_key
Parameters : $product_name (optional)
Returns : If successful: string
If failed: false
Description : Returns a KMS client product key based on the version of Windows
either specified as an argument or installed on the computer. A
KMS client product key is a publically shared product key which
must be installed before activating using a KMS server.
=cut
sub get_kms_client_product_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get the product name
my $product_name = shift || $self->get_product_name();
if (!$product_name) {
notify($ERRORS{'WARNING'}, 0, "product name was not passed as an argument and could not be retrieved from computer");
return;
}
# Remove (TM) or (R) from the product name
$product_name =~ s/ \([tmr]*\)//ig;
# Get the matching product key from the hash for the product name
my $product_key = $KMS_CLIENT_PRODUCT_KEYS->{$product_name};
if (!$product_key) {
notify($ERRORS{'WARNING'}, 0, "unsupported product name: $product_name, KMS client product key is not known");
return;
}
notify($ERRORS{'DEBUG'}, 0, "returning KMS client setup key for $product_name: $product_key");
return $product_key;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_security_center_notifications
Parameters : None.
Returns : If successful: true
If failed: false
Description : Disables Windows Security Center notifications which are
displayed in the notification area (system tray).
=cut
sub disable_security_center_notifications {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<'EOF';
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiSpywareDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirstRunDisabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
"FirewallOverride"=dword:00000001
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "set the registry keys to disable security center notifications");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to disable security center notifications");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_automatic_updates
Parameters : None
Returns : If successful: true
If failed: false
Description : Disables Windows Automatic Updates by configuring a local group
policy:
HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate=1
This must be done using a policy in order to prevent
Windows Security Center will display a warning icon in the
notification area. Windows Update can be disabled via the GUI
which configures the following key but a warning will be
presented to the user:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
=cut
sub disable_automatic_updates {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<'EOF';
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001
"AUOptions"=dword:00000001
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "disabled automatic updates");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to disable automatic updates");
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_windows_defender
Parameters : None
Returns : If successful: true
If failed: false
Description : Disables Windows Defender by doing the following:
-Configures local group policy to disable Windows Defender
-Removes HKLM...Run registry key to start Windows Defender at logon
-Stops the Windows Defender service
-Disables the Windows Defender service
=cut
sub disable_windows_defender {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $registry_string .= <<'EOF';
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=-
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'DEBUG'}, 0, "set the registry keys to disable Windows defender");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the registry key to disable Windows defender");
return 0;
}
# Check if WinDefend service exists
if ($self->service_exists('WinDefend')) {
# Stop the Windows Defender service
if ($self->stop_service('WinDefend')) {
notify($ERRORS{'DEBUG'}, 0, "stopped the Windows Defender service");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to stop the Windows Defender service");
return 0;
}
# Disable the Windows Defender service
if ($self->set_service_startup_mode('WinDefend', 'disabled')) {
notify($ERRORS{'DEBUG'}, 0, "disabled the Windows Defender service");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable the Windows Defender service");
return 0;
}
}
notify($ERRORS{'OK'}, 0, "disabled Windows Defender");
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 registry_query_value
Parameters : $key_name (required), $value_name (optional)
Returns : If successful: true
If failed: false
Description : Queries the registry. If a value name is specified as the 2nd
argument, the value is returned. If a value name is not
specified, the output from reg.exe /s is returned containing the
subkeys and values.
=cut
sub registry_query_value {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Get and check the arguments
my $key_name = shift;
my $value_name = shift;
if (!$key_name) {
notify($ERRORS{'WARNING'}, 0, "registry key name argument was not specified");
return;
}
# Assemble the query command string
my $reg_query_command = $system32_path . "/reg.exe QUERY \"$key_name\"";
# Check if the value name argument was specified
my $query_mode;
if ($value_name && $value_name eq '(Default)') {
# Value name argument is (Default), query default value using /ve switch
$reg_query_command .= " /ve";
$query_mode = 'default';
}
elsif ($value_name) {
# Value name argument was specified, query it using /v switch
$reg_query_command .= " /v \"$value_name\"";
$query_mode = 'value';
}
else {
# Value name argument was not specified, query all subkeys and values
$reg_query_command .= " /s";
$query_mode = 'subkeys';
}
# Attempt to query the registry key
my ($reg_query_exit_status, $reg_query_output) = $self->execute($reg_query_command, 1);
if (defined($reg_query_output) && grep(/unable to find the specified registry/i, @$reg_query_output)) {
notify($ERRORS{'OK'}, 0, "registry key or value does not exist");
return;
}
if (defined($reg_query_exit_status) && $reg_query_exit_status == 0) {
notify($ERRORS{'DEBUG'}, 0, "queried registry key, output:\n" . join("\n", @{$reg_query_output}));
}
elsif (defined($reg_query_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to query registry key, exit status: $reg_query_exit_status, output:\n@{$reg_query_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to query registry key");
return;
}
# Check to see if the output appears normal
if (@{$reg_query_output}[0] !~ /reg\.exe version/i) {
notify($ERRORS{'WARNING'}, 0, "unexpected output, 1st line doesn't contain REG.EXE VERSION:\n" . join("\n", @{$reg_query_output}));
}
# Check what was asked for, if subkeys, return entire query output string joined with newlines
if ($query_mode eq 'subkeys') {
return join("\n", @{$reg_query_output});
}
# Find the array element containing the line with the value
my ($value_line) = grep(/($value_name|no name)/i, @{$reg_query_output});
notify($ERRORS{'DEBUG'}, 0, "value output line: $value_line");
# Split the line up and return the value
my ($retrieved_key_name, $type, $retrieved_value);
if ($query_mode eq 'value') {
($retrieved_key_name, $type, $retrieved_value) = $value_line =~ /\s*([^\s]+)\s+([^\s]+)\s+([^\s]+)/;
}
else {
($retrieved_key_name, $type, $retrieved_value) = $value_line =~ /\s*(<NO NAME>)\s+([^\s]+)\s+([^\s]+)/;
}
return $retrieved_value;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_static_public_address
Parameters :
Returns : If successful: true
If failed: false
Description : Sets a static IP address for the public interface. The IP address
stored in the database for the computer is used. The subnet
mask, default gateway, and DNS servers configured for the
management node are used.
A persistent route is added to the routing table to the public
default gateway.
=cut
sub set_static_public_address {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_short_name();
my $server_request_id = $self->data->get_server_request_id();
my $server_request_fixed_ip = $self->data->get_server_request_fixed_ip();
# Make sure public IP configuration is static or this is a server request
my $ip_configuration = $self->data->get_management_node_public_ip_configuration();
if ($ip_configuration !~ /static/i) {
if (!$server_request_fixed_ip) {
notify($ERRORS{'WARNING'}, 0, "static public address can only be set if IP configuration is static, current value: $ip_configuration \nserver_request_fixed_ip=$server_request_fixed_ip");
return;
}
}
# Get the IP configuration
my $interface_name = $self->get_public_interface_name() || '<undefined>';
my $computer_public_ip_address = $self->data->get_computer_public_ip_address() || '<undefined>';
my $subnet_mask = $self->data->get_management_node_public_subnet_mask() || '<undefined>';
my $default_gateway = $self->get_correct_default_gateway() || '<undefined>';
if ($server_request_fixed_ip) {
$computer_public_ip_address = $server_request_fixed_ip;
$subnet_mask = $self->data->get_server_request_netmask();
$default_gateway = $self->data->get_server_request_router();
}
# Assemble a string containing the static IP configuration
my $configuration_info_string = <<EOF;
public interface name: $interface_name
public IP address: $computer_public_ip_address
public subnet mask: $subnet_mask
public default gateway: $default_gateway
EOF
# Make sure required info was retrieved
if ("$interface_name $computer_public_ip_address $subnet_mask $default_gateway" =~ /undefined/) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve required network configuration for $computer_name:\n$configuration_info_string");
return;
}
my $current_public_ip_address = $self->get_public_ip_address();
my $current_public_subnet_mask = $self->get_public_subnet_mask();
if ($current_public_ip_address eq $computer_public_ip_address) {
notify($ERRORS{'DEBUG'}, 0, "public IP address of $computer_name is already set to $current_public_ip_address, attempting to set it again in case any parameters changed");
}
else {
# Try to ping the address to make sure it is not in use
if (_pingnode($computer_public_ip_address)) {
notify($ERRORS{'WARNING'}, 0, "ip_address $computer_public_ip_address is pingable, can not assign to $computer_name ");
return;
}
}
notify($ERRORS{'OK'}, 0, "attempting to set static public IP address on $computer_name:\n$configuration_info_string");
# Delete any default routes
$self->delete_default_routes();
# Delete cached network configuration information so it is retrieved next time it is needed
delete $self->{network_configuration};
# Set the static public IP address
my $command = "$system32_path/netsh.exe interface ip set address name=\"$interface_name\" source=static addr=$computer_public_ip_address mask=$subnet_mask gateway=$default_gateway gwmetric=0";
my ($exit_status, $output) = $self->execute($command, 1, 60, 3);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to set static public IP address");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to set static public IP address, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
else {
notify($ERRORS{'OK'}, 0, "set static public IP address: $computer_public_ip_address/$subnet_mask, default gateway: $default_gateway");
}
$self->set_static_default_gateway() || return;
$self->set_static_dns_servers() || return;
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_static_dns_servers
Parameters : none
Returns : boolean
Description : Configures the computer to use static DNS server addresses rather
than addresses obtained from DHCP. Static addresses will only be
used if either of the following conditions is true:
1. Server request is configured with specific DNS servers
2. The management node is configured to assign static public IP
addresses and the public DNS server list is not empty
3. The image is configured to use Active Directory authentication
and the configured domain's DNS server list is not empty
If multiple conditions are true, only the DNS servers configured
for the first condition met are used.
=cut
sub set_static_dns_servers {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $image_name = $self->data->get_image_name();
my $system32_path = $self->get_system32_path() || return;
my $mn_public_ip_configuration = $self->data->get_management_node_public_ip_configuration();
my @mn_dns_servers = $self->data->get_management_node_public_dns_servers();
my $domain_dns_name = $self->data->get_image_domain_dns_name();
my @domain_dns_servers = $self->data->get_image_domain_dns_servers();
my @server_request_dns_servers = $self->data->get_server_request_dns_servers();
my @dns_servers;
if (@server_request_dns_servers) {
@dns_servers = @server_request_dns_servers;
notify($ERRORS{'DEBUG'}, 0, "server request specific DNS servers will be statically set on $computer_name: " . join(", ", @dns_servers));
}
elsif ($domain_dns_name && @domain_dns_servers) {
@dns_servers = @domain_dns_servers;
notify($ERRORS{'DEBUG'}, 0, "$image_name image is configured for Active Directory, domain DNS servers will be statically set on $computer_name: " . join(", ", @dns_servers));
}
elsif ($mn_public_ip_configuration =~ /static/i && @mn_dns_servers) {
@dns_servers = @mn_dns_servers;
notify($ERRORS{'DEBUG'}, 0, "management node IP configuration set to $mn_public_ip_configuration, management node DNS servers will be statically set on $computer_name: " . join(", ", @dns_servers));
}
else {
notify($ERRORS{'WARNING'}, 0, "$computer_name not configured to use static DNS servers:\n" .
"management node IP configuration : $mn_public_ip_configuration\n" .
"management node DNS servers configured : " . (@mn_dns_servers ? 'yes' : 'no') . "\n" .
"image configured for Active Directory : " . ($domain_dns_name ? 'yes' : 'no') . "\n" .
"Active Directory domain DNS servers configured : " . (@domain_dns_servers ? 'yes' : 'no')
);
return;
}
my $private_interface_name = $self->get_private_interface_name();
if (!$private_interface_name) {
notify($ERRORS{'WARNING'}, 0, "unable to set static DNS servers on $computer_name, private interface name could not be retrieved");
return;
}
my $public_interface_name = $self->get_public_interface_name();
if (!$public_interface_name) {
notify($ERRORS{'WARNING'}, 0, "unable to set static DNS servers on $computer_name, public interface name could not be retrieved");
return;
}
for my $interface_name ($private_interface_name, $public_interface_name) {
# Get the first address from the array - the netsh.exe syntax is different for the first/primary DNS server and others
# netsh interface ipv4 set dnsservers [name=]<string> [source=]dhcp|static [[address=]<IP address>|none] [[register=]none|primary|both] [[validate=]yes|no]
# name - The name or index of the interface.
# source - One of the following values:
# dhcp: Sets DHCP as the source for configuring DNS servers for the specific interface.
# static: Sets the source for configuring DNS servers to local static configuration.
# address - One of the following values:
# <IP address>: An IP address for a DNS server.
# none: Clears the list of DNS servers.
# register - One of the following values:
# none: Disables Dynamic DNS registration.
# primary: Register under the primary DNS suffix only.
# both: Register under both the primary DNS suffix, as well as under the connection-specific suffix.
# validate - Specifies whether validation of the DNS server setting will be performed. The value is yes by default.
my $primary_dns_server = $dns_servers[0];
my $command = "$system32_path/netsh.exe interface ipv4 set dnsservers name=\"$interface_name\" source=static address=$primary_dns_server validate=no";
# netsh interface ipv4 add dnsservers [name=]<string> [address=]<IPv4 address> [[index=]<integer>] [[validate=]yes|no]
# name - The name or index of the interface where DNS servers are added.
# address - The IP address for the DNS server you are adding.
# index - Specifies the index (preference) for the specified DNS server address.
# validate - Specifies whether validation of the DNS server setting will be performed. The value is yes by default.
for (my $i=1; $i<scalar(@dns_servers); $i++) {
my $secondary_dns_server = $dns_servers[$i];
$command .= " ; $system32_path/netsh.exe interface ipv4 add dnsservers name=\"$interface_name\" address=$secondary_dns_server validate=no";
}
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to configure static DNS servers for $interface_name interface on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to configure static DNS servers for $interface_name interface on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "configured static DNS servers for $interface_name interface on $computer_name: " . join(", ", @dns_servers));
}
}
# Flush the DNS cache - not sure if this is necessary but AD computers sometimes have trouble finding things for some reason
my $command = "$system32_path/ipconfig.exe /flushdns";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to flush DNS resolver cache on $computer_name: $command");
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to flush DNS resolver cache on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
}
else {
notify($ERRORS{'OK'}, 0, "flushed DNS resolver cache on $computer_name");
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_default_routes
Parameters :
Returns : If successful: true
If failed: false
Description : Deletes all default (0.0.0.0) routes.
=cut
sub delete_default_routes {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Delete all default routes
my $route_delete_command = "route delete 0.0.0.0";
my ($route_delete_exit_status, $route_delete_output) = $self->execute($route_delete_command);
if (defined($route_delete_exit_status) && $route_delete_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "deleted all default routes");
}
elsif (defined($route_delete_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to delete all default routes, exit status: $route_delete_exit_status, output:\n@{$route_delete_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run ssh command to delete all default routes");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_static_default_gateway
Parameters : $default_gateway (optional)
Returns : boolean
Description : Adds a persistent route to the default gateway for the public
network.
=cut
sub set_static_default_gateway {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $default_gateway = shift || $self->get_correct_default_gateway();
if (!$default_gateway) {
notify($ERRORS{'WARNING'}, 0, "unable to set static default gateway on $computer_name, argument was not supplied and correct default gateway IP address could not be determined");
return;
}
# Delete all default routes before adding
# Do this only after successfully retrieving default gateway address
if (!$self->delete_default_routes()) {
notify($ERRORS{'WARNING'}, 0, "unable to delete existing default routes");
return;
}
# Add a persistent route to the public default gateway
my $route_add_command = "route -p ADD 0.0.0.0 MASK 0.0.0.0 $default_gateway METRIC 1";
my ($route_add_exit_status, $route_add_output) = $self->execute($route_add_command);
if (!defined($route_add_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to add persistent route to public default gateway: $default_gateway");
return;
}
elsif ($route_add_exit_status ne '0' || grep(/failed/i, @$route_add_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to add persistent route to public default gateway: $default_gateway, exit status: $route_add_exit_status, command: '$route_add_command', output:\n" . join("\n", @$route_add_output));
return;
}
else {
notify($ERRORS{'OK'}, 0, "added persistent route to public default gateway: $default_gateway");
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_volume_list
Parameters : None
Returns : If successful: array containing volume drive letters
If failed: false
Description :
=cut
sub get_volume_list {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Echo the diskpart script to a temp file on the node
my $for_command = 'for i in `ls /cygdrive 2>/dev/null`; do echo $i; done;';
my ($for_exit_status, $for_output) = $self->execute($for_command, 1);
if (defined($for_exit_status) && $for_exit_status == 0) {
notify($ERRORS{'OK'}, 0, "retrieved drive letter list under /cygdrive:\n" . join("\n", @$for_output));
}
elsif ($for_exit_status) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve drive letter list under /cygdrive, exit status: $for_exit_status, output:\n@{$for_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to retrieve drive letter list under /cygdrive");
return;
}
my @drive_letters;
for my $for_output_line (@$for_output) {
if ($for_output_line =~ /^[a-z]$/) {
push @drive_letters, $for_output_line;
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output from for command: $for_output_line");
}
}
return @drive_letters;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 configure_time_synchronization
Parameters : None
Returns : boolean
Description : Configures the Windows Time service and synchronizes the time.
=cut
sub configure_time_synchronization {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $time_string_before = $self->get_current_computer_time('before configure_time_synchronization');
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_node_name();
my $time_source_variable;
my $variable_name = "timesource|" . $self->data->get_management_node_hostname();
my $variable_name_global = "timesource|global";
if (is_variable_set($variable_name)) {
$time_source_variable = get_variable($variable_name);
}
elsif (is_variable_set($variable_name_global)) {
$time_source_variable = get_variable($variable_name_global);
}
else {
$time_source_variable = 'pool.ntp.org';
}
my $key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers';
# Delete existing key
$self->reg_delete($key);
# Update the registry
my $index = 1;
my @time_sources = split(/[,;\s]/, $time_source_variable);
my $manual_peer_list;
for my $time_source (@time_sources) {
# Remove leading and trailing spaces
$time_source =~ s/(^\s+|\s+$)//g;
# Make sure it isn't blank
next unless $time_source =~ /\S/;
$self->reg_add($key, $index, "REG_SZ", $time_source);
$index++;
$manual_peer_list .= ' ' if $manual_peer_list;
$manual_peer_list .= $time_source;
}
# Make sure the service is stopped before calling /unregister or it will fail
$self->stop_service('w32time');
# Call /unregister the time service first - calling only /register doesn't seem to reset everything
# Unexpected results may occur if this isn't done
$self->get_current_computer_time('before unregister');
my $unregister_command = "$system32_path/w32tm.exe /unregister";
my ($unregister_exit_status, $unregister_output) = $self->execute({command => $unregister_command, timeout_seconds => 20, max_attempts => 1, display_output => 0});
if (!defined($unregister_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to unregister W32Time on $computer_name: $unregister_command");
return;
}
elsif ($unregister_exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to unregister W32Time on $computer_name, exit status: $unregister_exit_status, command:\n$unregister_command\noutput:\n" . join("\n", @$unregister_output));
}
else {
notify($ERRORS{'OK'}, 0, "unregistered W32Time on $computer_name");
}
# Make sure no remnants are leftover
$self->reg_delete('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time');
# Call /register - registers w32time service and sets default configuration to the registry
my $register_command = "$system32_path/w32tm.exe /register";
my ($register_exit_status, $register_output) = $self->execute({command => $register_command, timeout_seconds => 20, max_attempts => 1, display_output => 0});
if (!defined($register_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to register W32Time on $computer_name: $register_command");
return;
}
elsif ($register_exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to register W32Time on $computer_name, exit status: $register_exit_status, command:\n$register_command\noutput:\n" . join("\n", @$register_output));
}
else {
notify($ERRORS{'OK'}, 0, "registered W32Time on $computer_name");
}
# Uncomment the next few lines for for debugging
#my $debug_command = "$system32_path/w32tm.exe /debug /enable /file:C:/Windows/Debug/w32tm.log /size:1024000000 /entries:0-300";
#my ($debug_exit_status, $debug_output) = $self->execute({command => $debug_command, timeout_seconds => 20, max_attempts => 1, display_output => 0});
#if (!defined($debug_output)) {
# notify($ERRORS{'WARNING'}, 0, "failed to execute command to enable W32Time debugging on $computer_name: $debug_command");
# return;
#}
#elsif ($debug_exit_status ne '0') {
# notify($ERRORS{'WARNING'}, 0, "failed to enable W32Time debugging on $computer_name, exit status: $debug_exit_status, command:\n$debug_command\noutput:\n" . join("\n", @$debug_output));
#}
#else {
# notify($ERRORS{'OK'}, 0, "enabled W32Time debugging on $computer_name, output:\n" . join("\n", @$debug_output));
#}
# Only care about w32tm.exe config and sync duration
my $start_time = time;
# By default, Windows time service will only allow the time to be changes by 15 hours (54,000 seconds) or less
# Set the following keys to allow any time adjustment
# This must be done after w32tm.exe /register because that command will reset the values to the defaults
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config', 'MaxPosPhaseCorrection', 'REG_DWORD', '0xFFFFFFFF');
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config', 'MaxNegPhaseCorrection', 'REG_DWORD', '0xFFFFFFFF');
# Start the service before calling /config or else /config will fail
$self->start_service('w32time') || return;
my $config_command = "$system32_path/w32tm.exe /config /manualpeerlist:\"$manual_peer_list\" /syncfromflags:manual";
# The following argument shouldn't be necessary if the service is later restarted:
$config_command .= " /update";
my ($config_exit_status, $config_output) = $self->execute({command => $config_command, timeout_seconds => 20, max_attempts => 1, display_output => 0});
if (!defined($config_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to configure W32Time on $computer_name: $config_command");
return;
}
elsif ($config_exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to configure W32Time on $computer_name to use time source(s): $manual_peer_list, exit status: $config_exit_status, command:\n$config_command\noutput:\n" . join("\n", @$config_output));
}
else {
notify($ERRORS{'DEBUG'}, 0, "configured W32Time on $computer_name to use time source(s): $manual_peer_list");
}
# Restart the service
# This shouldn't be necessary if the /config command above includes /update
#$self->restart_service('w32time') || return;
# Call /resync
my $resync_command = "$system32_path/w32tm.exe /resync";
$resync_command .= " /force";
my ($resync_exit_status, $resync_output) = $self->execute({command => $resync_command, timeout_seconds => 20, max_attempts => 1, display_output => 0});
if (!defined($resync_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to resync W32Time on $computer_name: $resync_command");
return;
}
elsif (grep(/success/, @$resync_output)) {
notify($ERRORS{'DEBUG'}, 0, "resynchronized W32Time on $computer_name, output:\n" . join("\n", @$resync_output));
}
else {
notify($ERRORS{'DEBUG'}, 0, "W32Time resynchronization may have failed on $computer_name:\n" . join("\n", @$resync_output));
}
my $duration = (time - $start_time);
# Set the w32time service startup mode to auto
if ($self->set_service_startup_mode('w32time', 'auto')) {
notify($ERRORS{'DEBUG'}, 0, "set w32time service startup mode to auto");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set w32time service startup mode to auto");
return;
}
# For debugging:
#$self->get_time_service_events() if $self->can('get_time_service_events');
# Set the maximum time change parameters back to the defaults for security
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config', 'MaxPosPhaseCorrection', 'REG_DWORD', 50000000);
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config', 'MaxNegPhaseCorrection', 'REG_DWORD', 50000000);
my $time_string_after = $self->get_current_computer_time('after configure_time_synchronization');
notify($ERRORS{'DEBUG'}, 0, "configured time synchronization duration: $duration seconds\n" .
"time before configuration : $time_string_before\n" .
"time after configuration : $time_string_after"
);
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_current_computer_time
Parameters : $message (optional)
Returns : string
Description : Used for debugging and troubleshooting purposes. Simply displays
the current date, time, and timezone offset according to the
computer. Example:
2017-08-02 11:35:32 PDT -07:00
=cut
sub get_current_computer_time {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $message = shift;
my $computer_name = $self->data->get_computer_node_name();
#my $command = 'cmd.exe /c "echo %date% %time%"';
my $command = 'date +"%Y-%m-%d %H:%M:%S %Z %:z"';
my ($exit_status, $output) = $self->execute({command => $command, max_attempts => 1, display_output => 0});
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve current time on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve current time on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
my ($current_time) = grep(/\d:/, @$output);
if ($current_time) {
notify($ERRORS{'OK'}, 0, "retrieved current time on $computer_name: $current_time" . (defined($message) ? " ($message)" : ''));
return $current_time;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to parse output in order to retrieve current time on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 is_64_bit
Parameters : None
Returns : If 64-bit: true
If 32-bit: false
Description : Determines if Windows OS is 64 or 32-bit.
=cut
sub is_64_bit {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Check if architecture has previously been determined
if (defined($self->{OS_ARCHITECTURE}) && $self->{OS_ARCHITECTURE} eq '64') {
#notify($ERRORS{'DEBUG'}, 0, '64-bit Windows OS previously detected');
return 1;
}
elsif (defined($self->{OS_ARCHITECTURE}) && $self->{OS_ARCHITECTURE} eq '32') {
#notify($ERRORS{'DEBUG'}, 0, '32-bit Windows OS previously detected');
return 0;
}
my $registry_key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment';
my $registry_value = 'PROCESSOR_IDENTIFIER';
# Run reg.exe QUERY
my $query_registry_command .= "reg.exe QUERY \"$registry_key\" /v \"$registry_value\"";
my ($query_registry_exit_status, $query_registry_output) = $self->execute($query_registry_command, 0);
if (!defined($query_registry_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to query registry key: $registry_key, value: $registry_value");
return;
}
my ($output_line) = grep(/^\s*$registry_value/i, @$query_registry_output);
if (!$output_line) {
notify($ERRORS{'WARNING'}, 0, "unable to find registry value line in reg.exe output:\n" . join("\n", @$query_registry_output));
return;
}
my ($registry_data) = $output_line =~ /\s*$registry_value\s+[\w_]+\s+(.*)/;
if ($registry_data && $registry_data =~ /64/) {
$self->{OS_ARCHITECTURE} = 64;
notify($ERRORS{'DEBUG'}, 0, "64-bit Windows OS detected, PROCESSOR_IDENTIFIER: $registry_data");
return 1;
}
elsif ($registry_value) {
$self->{OS_ARCHITECTURE} = 32;
notify($ERRORS{'DEBUG'}, 0, "32-bit Windows OS detected, PROCESSOR_IDENTIFIER: $registry_data");
return 0;
}
else {
notify($ERRORS{'WARNING'}, 0, "unable to determine if OS is 32 or 64-bit, failed to query PROCESSOR_IDENTIFIER registry key, reg.exe output:\n" . join("\n", @$query_registry_output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_system32
Parameters : None
Returns : If 64-bit: true
If 32-bit: false
Description :
=cut
sub get_system32_path {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Check if architecture has previously been determined
return $self->{SYSTEM32_PATH} if $self->{SYSTEM32_PATH};
my $computer_name = $self->data->get_computer_short_name();
my $is_64_bit = $self->is_64_bit();
if (!defined($is_64_bit)) {
notify($ERRORS{'DEBUG'}, 0, "failed to determine the architecture of the Windows OS installed on $computer_name, unable to determine correct system32 path");
return;
}
elsif ($is_64_bit) {
$self->{SYSTEM32_PATH} = 'C:/Windows/Sysnative';
if (!$self->file_exists($self->{SYSTEM32_PATH})) {
$self->{SYSTEM32_PATH} = 'C:/Windows/System32';
notify($ERRORS{'DEBUG'}, 0, "64-bit Windows OS installed on $computer_name, C: Windows Sysnative not found, using $self->{SYSTEM32_PATH}");
}
else {
notify($ERRORS{'DEBUG'}, 0, "64-bit Windows OS installed on $computer_name, using $self->{SYSTEM32_PATH}");
}
}
else {
$self->{SYSTEM32_PATH} = 'C:/Windows/System32';
notify($ERRORS{'DEBUG'}, 0, "32-bit Windows OS installed on $computer_name, using $self->{SYSTEM32_PATH}");
}
return $self->{SYSTEM32_PATH};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_product_name
Parameters : None
Returns : If successful: string containing Windows product name
If failed: false
Description : Retrieves the Windows product name from the registry. This is
stored at:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProductName
The product name stored in the registry is used in the
winProductKey table to match a product key up with a product. It
must match exactly. Known strings for some versions of Windows:
"Microsoft Windows XP"
"Microsoft Windows Server 2003"
"Windows Server (R) 2008 Datacenter"
"Windows Vista (TM) Enterprise"
=cut
sub get_product_name {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Check if product name has previously been retrieved from registry
if ($self->{PRODUCT_NAME}) {
notify($ERRORS{'DEBUG'}, 0, "Windows product name previously retrieved: $self->{PRODUCT_NAME}");
return $self->{PRODUCT_NAME};
}
# Get the Windows product name from the registry
my $product_name = $self->reg_query('HKLM/Software/Microsoft/Windows NT/CurrentVersion', 'ProductName');
if ($product_name) {
notify($ERRORS{'DEBUG'}, 0, "retrieved Windows product name: $product_name");
$self->{PRODUCT_NAME} = $product_name;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve Windows product name from registry");
return;
}
return $self->{PRODUCT_NAME};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 format_path_unix
Parameters : path
Returns : If successful: path formatted for Unix
If failed: false
Description :
=cut
sub format_path_unix {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Get the path argument
my $path = shift;
if (!$path) {
notify($ERRORS{'WARNING'}, 0, "path argument was not specified");
return;
}
# Replace all forward slashes and backslashes with a single forward slash
$path =~ s/[\/\\]+/\//g;
# Escape all spaces
$path =~ s/ /\\ /g;
# Change %VARIABLE% to $VARIABLE
$path =~ s/\%(.+)\%/\$$1/g;
#notify($ERRORS{'DEBUG'}, 0, "formatted path for Unix: $path");
return $path;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 format_path_dos
Parameters : path
Returns : If successful: path formatted for DOS
If failed: false
Description :
=cut
sub format_path_dos {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
# Get the path argument
my $path = shift;
if (!$path) {
notify($ERRORS{'WARNING'}, 0, "path argument was not specified");
return;
}
# Replace all forward slashes with 2 backslashes
$path =~ s/[\/\\]/\\\\/g;
# Change $VARIABLE to %VARIABLE%
$path =~ s/\$([^\\]+)/\%$1\%/g;
#notify($ERRORS{'DEBUG'}, 0, "formatted path for DOS: $path");
return $path;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_system_restore
Parameters : None
Returns : If successful: true
If failed: false
Description : Sets registry key to disable Windows System Restore. Disabling
System Restore helps reduce the image size.
=cut
sub disable_system_restore {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_string .= <<"EOF";
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore]
"DisableConfig"=dword:00000001
"DisableSR"=dword:00000001
EOF
# Import the string into the registry
if ($self->import_registry_string($registry_string)) {
notify($ERRORS{'OK'}, 0, "disabled system restore");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable system restore");
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 user_logged_in
Parameters :
Returns :
Description :
=cut
sub user_logged_in {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Attempt to get the username from the arguments
# If no argument was supplied, use the user specified in the DataStructure
my $username = shift || $self->data->get_user_login_id();
my @logged_in_users = $self->get_logged_in_users();
if (grep { $username eq $_ } @logged_in_users) {
notify($ERRORS{'DEBUG'}, 0, "$username is logged in to $computer_node_name");
return 1;
}
else {
notify($ERRORS{'DEBUG'}, 0, "$username is NOT logged in to $computer_node_name");
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_logged_in_users
Parameters : none
Returns : array
Description : Retrieves the names of users logged in to the computer.
=cut
sub get_logged_in_users {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Run qwinsta.exe to display terminal session information
# Set command timeout argument because this command occasionally hangs
my $command = "$system32_path/qwinsta.exe";
my ($exit_status, $output) = $self->execute({
command => $command,
timeout => 60,
});
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run qwinsta.exe command on $computer_node_name");
return;
}
elsif (!grep(/USERNAME/, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve logged in users on $computer_node_name, command: $command, output:\n" . join("\n", @$output));
return;
}
# SESSIONNAME USERNAME ID STATE TYPE DEVICE
# services 0 Disc
# root 1 Disc
# console 2 Conn
#>rdp-tcp#1 Administrator 3 Active rdpwd
# rdp-tcp#2 test user 4 Active rdpwd
# rdp-tcp 65536 Listen
my @usernames;
for my $line (@$output) {
my ($session_name, $username, $session_id, $state) = $line =~ /^[\s>]([^\s]+)?\s+(.+[^\s])?\s+(\d+)\s+(Active)/i;
push @usernames, $username if defined($username);
}
my $username_count = scalar(@usernames);
notify($ERRORS{'DEBUG'}, 0, "$username_count user" . ($username_count == 1 ? '' : 's') . " logged in to $computer_node_name: " . join(', ', @usernames));
return @usernames;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 wait_for_logoff
Parameters : Username (optional), maximum number of minutes to wait (optional)
Returns : True if user is not logged in
False if user is still logged in after waiting
Description : Waits the specified amount of time for the user to log off. The
default username is the reservation user and the default time to
wait is 2 minutes.
=cut
sub wait_for_logoff {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Attempt to get the username from the arguments
# If no argument was supplied, use the user specified in the DataStructure
my $username = shift;
# Remove spaces from beginning and end of username argument
# Fixes problem if string containing only spaces is passed
$username =~ s/(^\s+|\s+$)//g if $username;
# Check if username argument was passed
if (!$username) {
$username = $self->data->get_user_login_id();
}
# Attempt to get the total number of minutes to wait from the arguments
my $total_wait_minutes = shift;
if (!defined($total_wait_minutes) || $total_wait_minutes !~ /^\d+$/) {
$total_wait_minutes = 2;
}
# Looping configuration variables
# Seconds to wait in between loop attempts
my $attempt_delay = 5;
# Total loop attempts made
# Add 1 to the number of attempts because if you're waiting for x intervals, you check x+1 times including at 0
my $attempts = ($total_wait_minutes * 12) + 1;
notify($ERRORS{'DEBUG'}, 0, "waiting for $username to logoff, maximum of $total_wait_minutes minutes");
# Loop until computer is user is not logged in
for (my $attempt = 1; $attempt <= $attempts; $attempt++) {
if ($attempt > 1) {
notify($ERRORS{'OK'}, 0, "attempt " . ($attempt - 1) . "/" . ($attempts - 1) . ": $username is logged in, sleeping for $attempt_delay seconds");
sleep $attempt_delay;
}
if (!$self->user_logged_in($username)) {
notify($ERRORS{'OK'}, 0, "$username is NOT logged in to $computer_node_name, returning 1");
return 1;
}
}
# Calculate how long this waited
my $total_wait = ($attempts * $attempt_delay);
notify($ERRORS{'WARNING'}, 0, "$username is still logged in to $computer_node_name after waiting for $total_wait seconds");
return 0;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_product_key
Parameters : $affiliation_identifier (optional), $product_name (optional)
Returns : If successful: string containing product key
If failed: false
Description : Retrieves the Windows product key from the database. This is
stored in the winProductKey table.
Optional affiliation identifier and product name arguments may be
passed. Either both arguments must be passed or none. The
affiliation identifier may either be an affiliation ID or name.
If passed, the only data returned will be the data matching that
specific identifier. Global affiliation data will not be
returned.
If the affiliation identifier argument is not passed, the
affiliation is determined by the affiliation of the owner of the
image for the reservation. If a product key has not been
configured for that specific affiliation, the product key
configured for the Global affiliation is returned.
=cut
sub get_product_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Remember if this sub was called with arguments
# Used to determine whether or not Global activation data will be checked
# If affiliation ID argument is specified, assume caller only wants the data for that affiliation and not the Global data
my $include_global;
if (scalar(@_) == 2) {
$include_global = 0;
notify($ERRORS{'DEBUG'}, 0, "subroutine was called with arguments, global affiliation data will be ignored");
}
elsif (scalar(@_) == 0) {
$include_global = 1;
notify($ERRORS{'DEBUG'}, 0, "subroutine was NOT called with arguments, global affiliation data will be included");
}
else {
notify($ERRORS{'WARNING'}, 0, "subroutine argument count = " . scalar(@_) . ", it must only be called with 0 or 2 arguments");
return;
}
# Get the affiliation identifer, may be ID or name
my $affiliation_identifier = shift;
if (!defined($affiliation_identifier)) {
$affiliation_identifier = $self->data->get_image_affiliation_id();
}
if (!defined($affiliation_identifier)) {
notify($ERRORS{'WARNING'}, 0, "affiliation identifier argument was not passed and could not be determined from image");
return;
}
# Get the product name from the registry on the computer
my $product_name = shift || $self->get_product_name();
if (!$product_name) {
notify($ERRORS{'WARNING'}, 0, "product name argument was not passed and could not be determined from computer");
return;
}
# Normalize the product name string from the registry
# Remove Microsoft from the beginning - some products have this and some don't
$product_name =~ s/Microsoft//ig;
# Remove anything in parenthesis such as (R) or (TM)
$product_name =~ s/\(.*\)//ig;
# Replace spaces with %
$product_name =~ s/\s/%/ig;
# Add % to the beginning and end
$product_name = "%$product_name%";
# Replace multiple % characters with a single %
$product_name =~ s/%+/%/ig;
# Create the affiliation-specific select statement
# Check if the affiliation identifier is a number or word
# If a number, use affiliation.id directly
# If a word, reference affiliation.name
my $affiliation_select_statement;
if ($affiliation_identifier =~ /^\d+$/) {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is a number, retrieving winProductKey.affiliationid=$affiliation_identifier");
$affiliation_select_statement = <<EOF;
SELECT
winProductKey.*
FROM
winProductKey
WHERE
winProductKey.productname LIKE '$product_name'
AND winProductKey.affiliationid = $affiliation_identifier
EOF
}
else {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is NOT a number, retrieving affiliation.name=$affiliation_identifier");
$affiliation_select_statement = <<EOF;
SELECT
winProductKey.*
FROM
winProductKey,
affiliation
WHERE
winProductKey.productname LIKE '$product_name'
AND winProductKey.affiliationid = affiliation.id
AND affiliation.name LIKE '$affiliation_identifier'
EOF
}
# Create the select statement
my $global_select_statement = <<EOF;
SELECT
winProductKey.*
FROM
winProductKey,
affiliation
WHERE
winProductKey.productname LIKE '$product_name'
AND winProductKey.affiliationid = affiliation.id
AND affiliation.name LIKE 'Global'
EOF
# Call the database select subroutine
my @affiliation_rows = database_select($affiliation_select_statement);
# Get the rows for the Global affiliation if this subroutine wasn't called with arguments
my @global_rows = ();
if ($include_global) {
@global_rows = database_select($global_select_statement);
}
# Create an array containing the combined rows
my @combined_rows = (@affiliation_rows, @global_rows);
# Check to make sure rows were returned
if (!@combined_rows) {
notify($ERRORS{'OK'}, 0, "winProductKey table does not contain information for affiliation: $affiliation_identifier, product: '$product_name'");
return;
}
notify($ERRORS{'DEBUG'}, 0, "retrieved rows from winProductKey table for affiliation=$affiliation_identifier, product=$product_name:\n" . format_data(\@combined_rows));
my $product_key = $combined_rows[0]->{productkey};
notify($ERRORS{'DEBUG'}, 0, "returning product key: $product_key");
return $product_key;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_product_key_info
Parameters : none
Returns : hash reference
Description : Returns the contents of the winProductKey table as a hash
reference. The hash keys are the affiliation IDs.
=cut
sub get_product_key_info {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Create the select statement
my $select_statement = <<EOF;
SELECT
*
FROM
winProductKey
EOF
# Call the database select subroutine
my @selected_rows = database_select($select_statement);
# Transform the array of database rows into a hash
my %product_key_info;
map { $product_key_info{$_->{affiliationid}}{$_->{productname}} = $_->{productkey} } @selected_rows;
notify($ERRORS{'DEBUG'}, 0, "retrieved product key info:\n" . format_data(\%product_key_info));
return \%product_key_info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_kms_server_info
Parameters : none
Returns : hash reference
Description : Returns the contents of the winKMS table as a hash
reference. The hash keys are the affiliation IDs.
=cut
sub get_kms_server_info {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Create the select statement
my $select_statement = <<EOF;
SELECT
*
FROM
winKMS
EOF
# Call the database select subroutine
my @selected_rows = database_select($select_statement);
# Transform the array of database rows into a hash
my %kms_server_info;
map { $kms_server_info{$_->{affiliationid}}{$_->{address}} = $_->{port} } @selected_rows;
notify($ERRORS{'DEBUG'}, 0, "retrieved KMS server info:\n" . format_data(\%kms_server_info));
return \%kms_server_info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_product_key
Parameters : $affiliation_id, $product_name, $product_key
Returns : If successful: true
If failed: false
Description : Inserts or updates a row in the winProductKey table in the
database.
=cut
sub set_product_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get and check the arguments
my ($affiliation_identifier, $product_name, $product_key) = @_;
if (!defined($affiliation_identifier) || !defined($product_name) || !defined($product_key)) {
notify($ERRORS{'WARNING'}, 0, "affiliation ID, product name, and product key arguments not passed correctly");
return;
}
# Create the insert statement
# Check if the affiliation identifier is a number or word
# If a number, set affiliation.id directly
# If a word, reference affiliation.name
my $insert_statement;
if ($affiliation_identifier =~ /^\d+$/) {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is a number, setting winProductKey.affiliationid=$affiliation_identifier");
$insert_statement = <<"EOF";
INSERT INTO winProductKey
(
affiliationid,
productname,
productkey
)
VALUES
(
'$affiliation_identifier',
'$product_name',
'$product_key'
)
ON DUPLICATE KEY UPDATE
affiliationid=VALUES(affiliationid),
productname=VALUES(productname),
productkey=VALUES(productkey)
EOF
}
else {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is NOT a number, setting affiliation.name=$affiliation_identifier");
$insert_statement = <<"EOF";
INSERT INTO winProductKey
(
affiliationid,
productname,
productkey
)
VALUES
(
(SELECT id FROM affiliation WHERE name='$affiliation_identifier'),
'$product_name',
'$product_key'
)
ON DUPLICATE KEY UPDATE
affiliationid=VALUES(affiliationid),
productname=VALUES(productname),
productkey=VALUES(productkey)
EOF
}
# Execute the insert statement, the return value should be the id of the row
my $insert_result = database_execute($insert_statement);
if (defined($insert_result)) {
notify($ERRORS{'DEBUG'}, 0, "set product key in database:\naffiliation ID: $affiliation_identifier\nproduct name: $product_name\nproduct key: $product_key");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set product key in database:\naffiliation ID: $affiliation_identifier\nproduct name: $product_name\nproduct key: $product_key");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_product_key
Parameters : $affiliation_id, $product_name
Returns : If successful: true
If failed: false
Description : Deletes a row from the winProductKey table in the database.
=cut
sub delete_product_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get and check the arguments
my ($affiliation_id, $product_name, $product_key) = @_;
if (!defined($affiliation_id) || !defined($product_name) || !defined($product_key)) {
notify($ERRORS{'WARNING'}, 0, "affiliation ID, product name, and product key arguments not passed correctly");
return;
}
# Construct the delete statement
my $delete_statement = <<"EOF";
DELETE FROM
winProductKey
WHERE
affiliationid = $affiliation_id
AND productname = '$product_name'
AND productkey = '$product_key'
EOF
# Execute the delete statement
my $delete_result = database_execute($delete_statement);
if (defined($delete_result)) {
notify($ERRORS{'DEBUG'}, 0, "deleted product key from database:\naffiliation ID: $affiliation_id\nproduct name: $product_name\nproduct key: $product_key, result: $delete_result");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to delete product key from database:\naffiliation ID: $affiliation_id\nproduct name: $product_name\nproduct key: $product_key");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 delete_kms_server
Parameters : $affiliation_id, $address
Returns : If successful: true
If failed: false
Description : Deletes a row from the winKMS table in the database.
=cut
sub delete_kms_server {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get and check the arguments
my ($affiliation_id, $address) = @_;
if (!defined($affiliation_id) || !defined($address)) {
notify($ERRORS{'WARNING'}, 0, "affiliation ID and KMS server address arguments not passed correctly");
return;
}
# Construct the delete statement
my $delete_statement = <<"EOF";
DELETE FROM
winKMS
WHERE
affiliationid = $affiliation_id
AND address = '$address'
EOF
# Execute the delete statement
my $delete_result = database_execute($delete_statement);
if (defined($delete_result)) {
notify($ERRORS{'DEBUG'}, 0, "deleted KMS server from database:\naffiliation ID: $affiliation_id\naddress: $address, result: $delete_result");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to delete product key from database:\naffiliation ID: $affiliation_id\naddress: $address");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_kms_servers
Parameters : $affiliation_identifier (optional)
Returns : If successful: reference to array of hashes
If failed: false
Description : Retrieves the KMS server data from the database. This is
stored in the winKMS table.
An optional affiliation identifier argument may be passed. This
may either be an affiliation ID or name. If passed, the only data
returned will be the data matching that specific identifier.
Global affiliation data will not be returned.
If the affiliation identifier argument is not passed, the
affiliation is determined by the affiliation of the owner of the
image for the reservation. If a KMS server has not been
configured for that specific affiliation, the KMS server
configured for the Global affiliation is returned.
This subroutine returns an array reference. Each array element
contains a hash reference representing a row in the winKMS table.
Example of returned data:
@{$kms_servers}[0] =
|--{address} = 'kms.affiliation.edu'
|--{affiliationid} = '1'
|--{port} = '1688'
@{$kms_servers}[1] =
|--{address} = 'kms.global.edu'
|--{affiliationid} = '0'
|--{port} = '1688'
Example usage:
my $kms_servers = $self->os->get_kms_servers();
my $kms_address = @{$kms_servers[0]}->{address};
=cut
sub get_kms_servers {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Remember if this sub was called with arguments
# Used to determine whether or not global affiliation data will be checked
my $include_global;
if (scalar(@_) == 1) {
$include_global = 0;
notify($ERRORS{'DEBUG'}, 0, "subroutine was called with an affiliation argument, global affiliation data will be ignored");
}
elsif (scalar(@_) == 0) {
$include_global = 1;
notify($ERRORS{'DEBUG'}, 0, "subroutine was NOT called with arguments, global affiliation data will be included");
}
else {
notify($ERRORS{'WARNING'}, 0, "subroutine argument count = " . scalar(@_) . ", it must only be called with 0 or 1 arguments");
return;
}
# Get the image affiliation identifier, may be ID or name
my $affiliation_identifier = shift;
if (!defined($affiliation_identifier)) {
$affiliation_identifier = $self->data->get_image_affiliation_id();
}
if (!defined($affiliation_identifier)) {
notify($ERRORS{'WARNING'}, 0, "affiliation argument was not passed and could not be determined from image");
return;
}
# Create the affiliation-specific select statement
# Check if the affiliation identifier is a number or word
# If a number, use affiliation.id directly
# If a word, reference affiliation.name
my $affiliation_select_statement;
if ($affiliation_identifier =~ /^\d+$/) {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is a number, retrieving winKMS.affiliationid=$affiliation_identifier");
$affiliation_select_statement = <<EOF;
SELECT
winKMS.*
FROM
winKMS
WHERE
winKMS.affiliationid = $affiliation_identifier
EOF
}
else {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is NOT a number, retrieving affiliation.name=$affiliation_identifier");
$affiliation_select_statement .= <<EOF;
SELECT
winKMS.*
FROM
winKMS,
affiliation
WHERE
winKMS.affiliationid = affiliation.id
AND affiliation.name LIKE '$affiliation_identifier'
EOF
}
# Create the Global affiliation select statement
my $global_select_statement .= <<EOF;
SELECT
winKMS.*
FROM
winKMS,
affiliation
WHERE
winKMS.affiliationid = affiliation.id
AND affiliation.name LIKE 'Global'
EOF
# Call the database select subroutine
my @affiliation_rows = database_select($affiliation_select_statement);
# Get the rows for the Global affiliation if this subroutine wasn't called with arguments
my @global_rows = ();
if ($include_global) {
@global_rows = database_select($global_select_statement);
}
# Create an array containing the combined rows
my @combined_rows = (@affiliation_rows, @global_rows);
# Check to make sure rows were returned
if (!@combined_rows) {
notify($ERRORS{'OK'}, 0, "entry does not exist in winKMS table for affiliation=$affiliation_identifier");
return;
}
notify($ERRORS{'DEBUG'}, 0, "returning row array from winKMS table for affiliation=$affiliation_identifier:\n" . format_data(\@combined_rows));
return \@combined_rows;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_kms_server
Parameters : $affiliation_id, $address, $port (optional)
Returns : If successful: true
If failed: false
Description : Inserts or updates a row in the winKMS table in the database.
=cut
sub set_kms_server {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get and check the arguments
my ($affiliation_identifier, $address, $port) = @_;
if (!defined($affiliation_identifier) || !defined($address)) {
notify($ERRORS{'WARNING'}, 0, "affiliation ID and KMS address arguments not passed correctly");
return;
}
# Set the default port if argument wasn't passed
if (!defined($port)) {
$port = 1688;
}
# Create the insert statement
# Check if the affiliation identifier is a number or word
# If a number, set affiliation.id directly
# If a word, reference affiliation.name
my $insert_statement;
if ($affiliation_identifier =~ /^\d+$/) {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is a number, setting winKMS.affiliationid=$affiliation_identifier");
$insert_statement = <<"EOF";
INSERT INTO winKMS
(
affiliationid,
address,
port
)
VALUES
(
'$affiliation_identifier',
'$address',
'$port'
)
ON DUPLICATE KEY UPDATE
affiliationid=VALUES(affiliationid),
address=VALUES(address),
port=VALUES(port)
EOF
}
else {
notify($ERRORS{'DEBUG'}, 0, "affiliation identifier is NOT a number, setting affiliation.name=$affiliation_identifier");
$insert_statement = <<"EOF";
INSERT INTO winKMS
(
affiliationid,
address,
port
)
VALUES
(
(SELECT id FROM affiliation WHERE name='$affiliation_identifier'),
'$address',
'$port'
)
ON DUPLICATE KEY UPDATE
affiliationid=VALUES(affiliationid),
address=VALUES(address),
port=VALUES(port)
EOF
}
# Execute the insert statement, the return value should be the id of the row
my $insert_result = database_execute($insert_statement);
if (defined($insert_result)) {
notify($ERRORS{'OK'}, 0, "set KMS address in database:\naffiliation ID: $affiliation_identifier\naddress: $address\nport: $port");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set KMS address in database:\naffiliation ID: $affiliation_identifier\naddress: $address\nport: $port");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_driver_inf_paths
Parameters : Driver class (optional)
Returns : Array containing driver .inf paths
Description : This subroutine searches the node configuration drivers directory
on the computer for .inf files and returns an array containing
the paths of the .inf files. The node configuration drivers
directory is: C:\cygwin\home\root\VCL\Drivers
An optional driver class argument can be supplied which will
cause this subroutine to only return drivers matching the class
specified. Each driver .inf file should have a Class= line which
specified the type of device the driver is intended for. This
argument can be a regular expression. For example, to search for
all storage drivers, pass the following string to this
subroutine:
(scsiadapter|hdc)
The driver paths are formatted with forward slashes.
=cut
sub get_driver_inf_paths {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if a driver class argument was specified
my $driver_class = shift;
if ($driver_class) {
notify($ERRORS{'DEBUG'}, 0, "attempting to locate driver .inf paths matching class: $driver_class");
}
else {
notify($ERRORS{'DEBUG'}, 0, "attempting to locate driver .inf paths matching any class");
}
my $drivers_directory = $self->get_node_configuration_directory() . '/Drivers';
# Find the paths of .inf files in the drivers directory with a Class=SCSIAdapter or HDC line
# These are the storage driver .inf files
my @inf_paths = ();
my $grep_command .= '/usr/bin/grep.exe -Eirl --include="*.[iI][nN][fF]" ';
if ($driver_class) {
$grep_command .= '"class[ ]*=[ ]*' . $driver_class . '" ';
}
else {
$grep_command .= '".*" ';
}
$grep_command .= $drivers_directory;
my ($grep_exit_status, $grep_output) = $self->execute($grep_command, 1);
if (defined($grep_exit_status) && $grep_exit_status > 1) {
notify($ERRORS{'WARNING'}, 0, "failed to find driver paths, exit status: $grep_exit_status, output:\n@{$grep_output}");
return;
}
elsif (defined($grep_output)) {
my @inf_paths = grep(/:[\\\/]/, @$grep_output);
notify($ERRORS{'DEBUG'}, 0, "found " . scalar(@inf_paths) . " driver .inf paths, grep output:\n". join("\n", @$grep_output));
return @inf_paths;
}
elsif (defined($grep_exit_status)) {
notify($ERRORS{'WARNING'}, 0, "failed to find driver paths, exit status: $grep_exit_status, output:\n@{$grep_output}");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to run SSH command to find driverpaths");
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_device_path_key
Parameters : None
Returns : If successful: true
If failed: false
Description : Determines the paths to all of the driver .inf files copied to
the computer and sets the following Windows registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DevicePath
This key contains paths to driver .inf files. Windows searches
these files when attempting to load a device driver.
=cut
sub set_device_path_key {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $device_path_value;
# Find the paths of .inf files in the drivers directory
my @inf_paths = $self->get_driver_inf_paths();
if (!@inf_paths || $inf_paths[0] eq '0') {
# No driver paths were found, just use the inf path
$device_path_value = '%SystemRoot%\\inf';
notify($ERRORS{'DEBUG'}, 0, "no driver .inf paths were found");
}
else {
# Remove the .inf filenames from the paths
map(s/\/[^\/]*$//, @inf_paths);
# Remove duplicate paths, occurs if a directory has more than 1 .inf file
my %inf_path_hash;
my @inf_paths_unique = grep { !$inf_path_hash{$_}++ } @inf_paths;
notify($ERRORS{'DEBUG'}, 0, "found " . scalar(@inf_paths_unique) . " unique driver .inf paths");
# Assemble the device path value
$device_path_value = '%SystemRoot%\\inf;' . join(";", @inf_paths_unique);
# Replace forward slashes with backslashes
$device_path_value =~ s/\//\\/g;
}
notify($ERRORS{'DEBUG'}, 0, "device path value: $device_path_value");
# Attempt to set the DevicePath key
my $registry_key = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion';
if ($self->reg_add($registry_key, 'DevicePath', 'REG_EXPAND_SZ', $device_path_value)) {
notify($ERRORS{'OK'}, 0, "set the DevicePath registry key");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the DevicePath registry key");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_hibernation
Parameters : none
Returns : boolean
Description : Enables the hibernation feature.
=cut
sub enable_hibernation {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Rename disableGuestHibernate.dll if it exists, this can prevent hibernation from working as expected
my $disable_hibernate_file_path = 'C:\Program Files\VMware\VMware Tools\plugins\vmsvc\disableGuestHibernate.dll';
if ($self->file_exists($disable_hibernate_file_path)) {
$self->move_file($disable_hibernate_file_path, "$disable_hibernate_file_path.disabled");
}
# Run powercfg.exe to enable hibernation
my $command = "$system32_path/powercfg.exe -HIBERNATE ON";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to enable hibernation on $computer_node_name");
return;
}
elsif ($exit_status == 0) {
notify($ERRORS{'OK'}, 0, "enabled hibernation on $computer_node_name" . (scalar(@$output) ? ", output:\n" . join("\n", @$output) : ''));
}
elsif (grep(/PAE mode/i, @$output)) {
# The following may be displayed:
# Hibernation failed with the following error: The request is not supported.
# The following items are preventing hibernation on this system.
# The system is running in PAE mode, and hibernation is not allowed in PAE mode.
notify($ERRORS{'OK'}, 0, "hibernation NOT enabled because $computer_node_name is running in PAE mode");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable hibernation on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_hibernation
Parameters : None
Returns : If successful: true
If failed: false
Description : Disables hibernation mode.
=cut
sub disable_hibernation {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Rename disableGuestHibernate.dll if it exists, this can prevent hibernation from working as expected
my $disable_hibernate_file_path = 'C:\Program Files\VMware\VMware Tools\plugins\vmsvc\disableGuestHibernate.dll';
if ($self->file_exists($disable_hibernate_file_path)) {
$self->move_file($disable_hibernate_file_path, "$disable_hibernate_file_path.disabled");
}
# Run powercfg.exe to disable hibernation
my $command = "$system32_path/powercfg.exe -HIBERNATE OFF";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to disable hibernation on $computer_node_name");
return;
}
elsif ($exit_status == 0) {
notify($ERRORS{'OK'}, 0, "disabled hibernation on $computer_node_name" . (scalar(@$output) ? ", output:\n" . join("\n", @$output) : ''));
}
elsif (grep(/PAE mode/i, @$output)) {
# The following may be displayed:
# Hibernation failed with the following error: The request is not supported.
# The following items are preventing hibernation on this system.
# The system is running in PAE mode, and hibernation is not allowed in PAE mode.
notify($ERRORS{'OK'}, 0, "hibernation NOT disabled because $computer_node_name is running in PAE mode");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation on $computer_node_name, exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
# Delete hiberfil.sys
if (!$self->delete_file('$SYSTEMDRIVE/hiberfil.sys')) {
notify($ERRORS{'WARNING'}, 0, "failed to disable hibernation, hiberfil.sys could not be deleted");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 hibernate
Parameters : none
Returns : boolean
Description : Hibernate the computer.
=cut
sub hibernate {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine can only be called as a VCL::Module module object method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
if (!$self->enable_hibernation()) {
notify($ERRORS{'WARNING'}, 0, "failed to hibernate $computer_node_name, hibernation could not be enabled");
return;
}
# Run powercfg.exe to enable hibernation
my $command = "/bin/cygstart.exe \$SYSTEMROOT/system32/cmd.exe /c \"$system32_path/shutdown.exe -h -f\"";
my $start_time = time;
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to hibernate $computer_node_name");
return;
}
elsif ($exit_status eq 0) {
notify($ERRORS{'OK'}, 0, "executed command to hibernate $computer_node_name: $command" . (scalar(@$output) ? "\noutput:\n" . join("\n", @$output) : ''));
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to hibernate $computer_node_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return;
}
# Wait for the computer to stop responding
my $wait_seconds = 300;
if ($self->provisioner->wait_for_power_off($wait_seconds, 3)) {
my $duration = (time - $start_time);
notify($ERRORS{'DEBUG'}, 0, "hibernate successful, $computer_node_name stopped responding after $duration seconds");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to hibernate $computer_node_name, still responding to ping after $wait_seconds seconds");
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_ceip
Parameters : None
Returns : If successful: true
If failed: false
Description : Disables the Windows Customer Experience Improvement Program
features.
=cut
sub disable_ceip {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Attempt to set the CEIPEnable key
my $registry_key_software = 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\SQMClient\\Windows';
if ($self->reg_add($registry_key_software, 'CEIPEnable', 'REG_DWORD', 0)) {
notify($ERRORS{'OK'}, 0, "set the CEIPEnable software registry key to 0");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable registry key to 0");
return;
}
# Attempt to set the CEIPEnable policy key
my $registry_key_policy = 'HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\SQMClient\\Windows';
if ($self->reg_add($registry_key_policy, 'CEIPEnable', 'REG_DWORD', 0)) {
notify($ERRORS{'OK'}, 0, "set the CEIPEnable policy registry key to 0");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the CEIPEnable policy registry key to 0");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_shutdown_event_tracker
Parameters : None
Returns : If successful: true
If failed: false
Description : Disables the Shutdown Event Tracker. This is enabled by default
on Windows Server 2003. It is what causes a box to appear which
asks for a reason when the computer is shutdown or rebooted. The
box also appears during login if the computer is shut down
unexpectedly. This causes the autologon sequence to break.
=cut
sub disable_shutdown_event_tracker {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Attempt to set the ShutdownReasonOn key
my $registry_key_software = 'HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\Reliability';
if ($self->reg_add($registry_key_software, 'ShutdownReasonOn', 'REG_DWORD', 0)) {
notify($ERRORS{'OK'}, 0, "set the ShutdownReasonOn software registry key to 0");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set the ShutdownReasonOn registry key to 0");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 setup_get_menu
Parameters : none
Returns :
Description :
=cut
sub setup_get_menu {
my $menu = {
'Windows Image Configuration' => {
'Activation' => {
'Configure Multiple Activation Key (MAK) Activation' => \&setup_product_keys,
'Configure Key Management Service (KMS) Activation' => \&setup_kms_servers,
}
},
};
return $menu;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 setup_product_keys
Parameters : none
Returns : nothing
Description : Used to list, set, and delete product keys from the winProductKey
table in the database when vcld is run in setup mode.
=cut
sub setup_product_keys {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get a hash containing all of the information from the affiliation table
my $affiliation_info = get_affiliation_info();
if (!$affiliation_info) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve affiliation info");
return;
}
my @product_names = sort keys %$KMS_CLIENT_PRODUCT_KEYS;
push @product_names, (
'Windows XP',
'Windows Server 2003',
'Windows Server 2003 R2',
'Other',
);
my @operation_choices = (
'List Product Keys',
'Add Product Key',
'Delete Product Key',
);
my @setup_path = @{$ENV->{setup_path}};
OPERATION: while (1) {
@{$ENV->{setup_path}} = @setup_path;
print '-' x 76 . "\n";
print "Choose an operation:\n";
my $operation_choice_index = setup_get_array_choice(@operation_choices);
last if (!defined($operation_choice_index));
my $operation_name = $operation_choices[$operation_choice_index];
print "\n";
push @{$ENV->{setup_path}}, $operation_name;
if ($operation_name =~ /list/i) {
$self->setup_display_product_key_info();
print "\n";
}
elsif ($operation_name =~ /add/i) {
print "Choose an affiliation:\n";
my $affiliation_id = setup_get_hash_choice($affiliation_info, 'name');
next if (!defined($affiliation_id));
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
print "Selected affiliation: $affiliation_name\n\n";
$self->setup_display_product_key_info($affiliation_id);
print "\n";
print "Choose a Windows product:\n";
my $product_choice_index = setup_get_array_choice(@product_names);
next OPERATION if (!defined($product_choice_index));
my $product_name = $product_names[$product_choice_index];
if ($product_name eq 'Other') {
$product_name = setup_get_input_string("Enter a product name");
next OPERATION if (!defined($product_name));
}
print "Windows product: $product_name\n\n";
my $product_key;
while (!$product_key) {
$product_key = setup_get_input_string("Enter the product key xxxxx-xxxxx-xxxxx-xxxxx-xxxxx");
next OPERATION if (!defined($product_key));
if ($product_key !~ /(\w{5}-?){5}/) {
print "Product key is not in the correct format: $product_key\n";
$product_key = 0;
}
}
$product_key = uc($product_key);
print "\n";
# Attempt to set the product key in the database
if ($self->set_product_key($affiliation_id, $product_name, $product_key)) {
print "Product key has been saved to the database:\nAffiliation: $affiliation_name\nProduct name: $product_name\nProduct key: $product_key\n";
}
else {
print "ERROR: failed to save product key to the database:\nAffiliation: $affiliation_name\nProduct name: $product_name\nProduct key: $product_key\n";
}
}
elsif ($operation_name =~ /delete/i) {
# Get the product key information from the database
my $product_key_info = $self->get_product_key_info();
if (!defined($product_key_info)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve product key information from the database");
next;
}
my %product_keys;
for my $affiliation_id (keys %$product_key_info) {
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
for my $product_name (keys %{$product_key_info->{$affiliation_id}}) {
my $product_key = $product_key_info->{$affiliation_id}{$product_name};
my $product_key_choice_name = "$affiliation_name: '$product_name' ($product_key)";
$product_keys{$product_key_choice_name}{affiliation_id} = $affiliation_id;
$product_keys{$product_key_choice_name}{product_name} = $product_name;
$product_keys{$product_key_choice_name}{product_key} = $product_key;
}
}
# Choose an affiliation with populated product keys
print "Choose a product key to delete:\n";
my $product_key_choice_name = setup_get_hash_choice(\%product_keys);
next if (!defined($product_key_choice_name));
print "\n";
my $affiliation_id = $product_keys{$product_key_choice_name}{affiliation_id};
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
my $product_name = $product_keys{$product_key_choice_name}{product_name};
my $product_key = $product_keys{$product_key_choice_name}{product_key};
# Attempt to delete the product key from the database
if ($self->delete_product_key($affiliation_id, $product_name, $product_key)) {
print "Product key for has been deleted from the database:\nAffiliation: $affiliation_name\nProduct name: $product_name\nProduct key: $product_key\n";
}
else {
print "ERROR: failed to delete product key from the database:\nAffiliation: $affiliation_name\nProduct name: $product_name\nProduct key: $product_key\n";
}
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 setup_display_product_key_info
Parameters : $affiliation_id (optional)
Returns :
Description : Displays the product keys configured in the winProductKey table
in the database. If an affiliation ID argument is specified, only
the information for that affiliation is displayed.
=cut
sub setup_display_product_key_info {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get a hash containing all of the information from the affiliation table
my $affiliation_info = get_affiliation_info();
if (!$affiliation_info) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve affiliation info");
return;
}
# Get the affiliation ID argument if it was specified
my $affiliation_id_argument = shift;
if ($affiliation_id_argument && !defined($affiliation_info->{$affiliation_id_argument})) {
notify($ERRORS{'WARNING'}, 0, "affiliation does not exist for affiliation ID argument: $affiliation_id_argument");
return;
}
# Get the product key information from the database
my $product_key_info = $self->get_product_key_info();
if (!defined($product_key_info)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve product key information from the database");
return;
}
# Print the title
if ($affiliation_id_argument) {
my $affiliation_name = $affiliation_info->{$affiliation_id_argument}{name};
print "Product key configuration for $affiliation_name ($affiliation_id_argument):\n";
}
else {
print "Product key configuration for all affiliations:\n";
}
my $product_key_info_string;
for my $affiliation_id (sort { $a <=> $b } keys %$product_key_info) {
if (defined($affiliation_id_argument) && $affiliation_id ne $affiliation_id_argument) {
next;
}
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
$product_key_info_string .= "$affiliation_name ($affiliation_id):\n";
for my $product_name (keys %{$product_key_info->{$affiliation_id}}) {
my $product_key = $product_key_info->{$affiliation_id}{$product_name};
$product_key_info_string .= " $product_name: $product_key\n";
}
}
$product_key_info_string = "<not configured>\n" if !$product_key_info_string;
print "$product_key_info_string";
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 setup_kms_servers
Parameters : none
Returns : nothing
Description : Configures KMS servers in the winKMS table in the database when
vcld is run in setup mode.
=cut
sub setup_kms_servers {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get a hash containing all of the information from the affiliation table
my $affiliation_info = get_affiliation_info();
if (!$affiliation_info) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve affiliation info");
return;
}
my @operation_choices = (
'List KMS Servers',
'Add KMS Server',
'Delete KMS Server',
);
my @setup_path = @{$ENV->{setup_path}};
OPERATION: while (1) {
@{$ENV->{setup_path}} = @setup_path;
print '-' x 76 . "\n";
print "Choose an operation:\n";
my $operation_choice_index = setup_get_array_choice(@operation_choices);
last if (!defined($operation_choice_index));
my $operation_name = $operation_choices[$operation_choice_index];
print "\n";
push @{$ENV->{setup_path}}, $operation_name;
if ($operation_name =~ /list/i) {
$self->setup_display_kms_server_info();
print "\n";
}
elsif ($operation_name =~ /add/i) {
print "Choose an affiliation:\n";
my $affiliation_id = setup_get_hash_choice($affiliation_info, 'name');
next if (!defined($affiliation_id));
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
print "Selected affiliation: $affiliation_name\n\n";
$self->setup_display_kms_server_info($affiliation_id);
print "\n";
my $address;
while (!$address) {
$address = setup_get_input_string("Enter the KMS server host name or address");
next OPERATION if (!defined($address));
if (!is_valid_dns_host_name($address) && !is_valid_ip_address($address)) {
print "Address is not a valid DNS host name or IP address: $address\n";
$address = '';
}
}
print "\n";
my $port;
while (!$port) {
$port = setup_get_input_string("Enter the KMS server port", 1688);
next OPERATION if (!defined($port));
if ($port !~ /^\d+$/) {
print "Port must be an integer: $port\n";
$port = '';
}
}
print "\n";
# Attempt to set the KMS server in the database
if ($self->set_kms_server($affiliation_id, $address, $port)) {
print "KMS server added to the database:\nAffiliation: $affiliation_name\nAddress: $address\nPort: $port\n";
}
else {
print "ERROR: failed to save product key to the database:\nAffiliation: $affiliation_name\nAddress: $address\nPort: $port\n";
}
}
elsif ($operation_name =~ /delete/i) {
# Get the KMS server information from the database
my $kms_server_info = $self->get_kms_server_info();
if (!defined($kms_server_info)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve KMS server information from the database");
next;
}
my %kms_servers;
for my $affiliation_id (keys %$kms_server_info) {
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
for my $address (keys %{$kms_server_info->{$affiliation_id}}) {
my $port = $kms_server_info->{$affiliation_id}{$address};
my $kms_server_choice_name = "$affiliation_name: $address:$port";
$kms_servers{$kms_server_choice_name}{affiliation_id} = $affiliation_id;
$kms_servers{$kms_server_choice_name}{address} = $address;
$kms_servers{$kms_server_choice_name}{port} = $port;
}
}
# Choose an affiliation populated with a KMS server
print "Choose a KMS server to delete:\n";
my $kms_server_choice_name = setup_get_hash_choice(\%kms_servers);
next if (!defined($kms_server_choice_name));
print "\n";
my $affiliation_id = $kms_servers{$kms_server_choice_name}{affiliation_id};
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
my $address = $kms_servers{$kms_server_choice_name}{address};
my $port = $kms_servers{$kms_server_choice_name}{port};
## Attempt to delete the product key from the database
if ($self->delete_kms_server($affiliation_id, $address)) {
print "KMS server has been deleted from the database:\nAffiliation: $affiliation_name\nAddress: $address\nPort: $port\n";
}
else {
print "ERROR: failed to delete product key from the database:\nAffiliation: $affiliation_name\nAddress: $address\nPort: $port\n";
}
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 setup_display_kms_server_info
Parameters : $affiliation_id (optional)
Returns :
Description : Displays the KMS server configuration stored in the winKMS table
in the database to STDOUT.
=cut
sub setup_display_kms_server_info {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get a hash containing all of the information from the affiliation table
my $affiliation_info = get_affiliation_info();
if (!$affiliation_info) {
notify($ERRORS{'WARNING'}, 0, "unable to retrieve affiliation info");
return;
}
# Get the affiliation ID argument if it was specified
my $affiliation_id_argument = shift;
if ($affiliation_id_argument && !defined($affiliation_info->{$affiliation_id_argument})) {
notify($ERRORS{'WARNING'}, 0, "affiliation does not exist for affiliation ID argument: $affiliation_id_argument");
return;
}
# Get the KMS server information from the database
my $kms_server_info = $self->get_kms_server_info();
if (!defined($kms_server_info)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve KMS server information from the database");
return;
}
# Print the title
if ($affiliation_id_argument) {
my $affiliation_name = $affiliation_info->{$affiliation_id_argument}{name};
print "KMS server configuration for $affiliation_name ($affiliation_id_argument):\n";
}
else {
print "KMS server configuration for all affiliations:\n";
}
# Print the KMS serer information
my $kms_server_info_string;
for my $affiliation_id (sort { $a <=> $b } keys %$kms_server_info) {
# Ignore non-matching affiliations if the affiliation ID argument was specified
if (defined($affiliation_id_argument) && $affiliation_id ne $affiliation_id_argument) {
next;
}
my $affiliation_name = $affiliation_info->{$affiliation_id}{name};
$kms_server_info_string .= "$affiliation_name ($affiliation_id):\n";
for my $address (keys %{$kms_server_info->{$affiliation_id}}) {
my $port = $kms_server_info->{$affiliation_id}{$address};
$kms_server_info_string .= " $address:$port\n";
}
}
$kms_server_info_string = "<not configured>\n" if !$kms_server_info_string;
print "$kms_server_info_string";
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_time_zone_name
Parameters : none
Returns : string
Description : Returns the name of the time zone configured for the management
node. The date command is run locally on the management node and
the time zone abbreviation is parsed from the output. This
%TIME_ZONE_INFO hash is searched for matching time zone
information and the time zone name is returned. If a matching
time zone is not found, 'Eastern Standard Time' is returned.
Example: 'HVL' returns 'Tasmania Standard Time'
=cut
sub get_time_zone_name {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $default_time_zone_name = 'Eastern Standard Time';
# Call date to determine the time zone abbreviation in use on the management node
my ($exit_status, $output) = run_command('date +%Z');
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to determine time zone configured for management node, returning '$default_time_zone_name'");
return $default_time_zone_name;
}
# Extract the time zone abbreviation from the output
my ($set_abbreviation) = grep(/^\w{3}$/, @$output);
if (!$set_abbreviation) {
notify($ERRORS{'WARNING'}, 0, "failed to determine time zone abbreviation from output, returning '$default_time_zone_name':\n" . join("\n", @$output));
return $default_time_zone_name;
}
# Windows time zone codes don't include corresponding daylight time abbreviations, e.g. EDT
# Convert *DT --> *ST
if ($set_abbreviation =~ /(.)DT/i) {
$set_abbreviation = "$1ST";
notify($ERRORS{'DEBUG'}, 0, "time zone abbreviation converted to standard time: $1DT --> $set_abbreviation");
}
# Loop through the time zone codes until a matching abbreviation is found
for my $time_zone_name (sort keys %TIME_ZONE_INFO) {
my $time_zone_abbreviation = $TIME_ZONE_INFO{$time_zone_name}{abbreviation};
next if (!$time_zone_abbreviation || $set_abbreviation !~ /^$time_zone_abbreviation$/i);
notify($ERRORS{'DEBUG'}, 0, "determined name of time zone configured for management node: '$time_zone_name'");
return $time_zone_name;
}
# Return the code for EST if a match was not found
notify($ERRORS{'WARNING'}, 0, "unable to determine name of time zone configured for management node, abbreviation: $set_abbreviation, returning '$default_time_zone_name'");
return $default_time_zone_name;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_time_zone_code
Parameters : none
Returns : string
Description : Returns the Windows numerical code of the time zone configured
for the management node. If a matching time zone is not found, 35
is returned.
Example: 'HVL' returns 265
=cut
sub get_time_zone_code {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $time_zone_name = $self->get_time_zone_name() || return;
my $time_zone_code = $TIME_ZONE_INFO{$time_zone_name}{code};
if ($time_zone_code) {
notify($ERRORS{'DEBUG'}, 0, "determined Windows code of time zone configured for management node: $time_zone_code");
return $time_zone_code;
}
else {
my $default = 35;
notify($ERRORS{'WARNING'}, 0, "time zone code could not be determined for time zone: '$time_zone_name', returning $default");
return $default;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 sanitize_files
Parameters : @file_paths (optional)
Returns : boolean
Description : Removes the Windows root password from files on the computer.
=cut
sub sanitize_files {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my @file_paths = @_;
# Get the file path arguments, add the node configuration directory
my $node_configuration_directory = $self->get_node_configuration_directory();
push @file_paths, "$node_configuration_directory/Scripts";
push @file_paths, "$node_configuration_directory/Logs";
# Attempt to get the existing Windows root password from autologon_enable.cmd
# This is necessary in case a different password was used when the image was captured
my $existing_password;
my $grep_command = "/bin/grep -i \"set PASSWORD\" \"$node_configuration_directory/Scripts/autologon_enable.cmd\" 2>&1";
my ($grep_status, $grep_output) = $self->execute($grep_command, 0);
if (!defined($grep_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve Windows root password from autologon_enable.cmd");
}
elsif (grep(/No such file/i, @$grep_output)) {
notify($ERRORS{'DEBUG'}, 0, "existing Windows root password not retrieved from autologon_enable.cmd because the file does not exist");
}
else {
($existing_password) = map { $_ =~ /set PASSWORD=(.+)/; $1;} @$grep_output;
if ($existing_password) {
notify($ERRORS{'DEBUG'}, 0, "retrieved password from autologon_enable.cmd: $existing_password");
}
else {
notify($ERRORS{'DEBUG'}, 0, "password not found in autologon_enable.cmd:\n" . join("\n", @$grep_output));
}
}
my $password_pattern;
if ($existing_password && $existing_password ne $WINDOWS_ROOT_PASSWORD) {
$password_pattern = "\\\($WINDOWS_ROOT_PASSWORD\\\|$existing_password\\\)";
}
else {
$password_pattern = $WINDOWS_ROOT_PASSWORD;
}
# Loop through each file path, remove the Windows root password from each
my $error_occurred = 0;
for my $file_path (@file_paths) {
if (!$self->search_and_replace_in_files($file_path, $password_pattern, 'WINDOWS_ROOT_PASSWORD')) {
notify($ERRORS{'WARNING'}, 0, "failed to remove the Windows root password from: $file_path");
$error_occurred = 1;
}
}
if ($error_occurred) {
return;
}
else {
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 clear_event_log
Parameters : @logfile_names (optional)
Returns : boolean
Description : Clears the Windows 'Application', 'Security', 'System' event
logs. One or more event logfile names may be specified to only
clear certain event logs.
=cut
sub clear_event_log {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my @logfile_names = @_;
@logfile_names = ('Application', 'Security', 'System') if !@logfile_names;
my $system32_path = $self->get_system32_path() || return;
# Assemble the command
# Call wmic.exe - the WMI shell
# wmic.exe will hang if it is called by itself. It has something to do with TTY/PTY
# Piping the echo command seems to prevent it from hanging
my $command;
for my $logfile_name (@logfile_names) {
$command .= "echo | $system32_path/Wbem/wmic.exe NTEVENTLOG WHERE LogFileName=\\\"$logfile_name\\\" CALL ClearEventLog ; ";
}
# Remove the last ' ; ' added to the command
$command =~ s/[\s;]*$//g;
my ($status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to run SSH command to clear the event log: @logfile_names");
return;
}
elsif (grep(/ERROR/i, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to clear event log: @logfile_names, output:\n" . join("\n", @$output));
return;
}
elsif (grep(/Method execution successful/i, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "cleared event log: @logfile_names");
$self->create_eventlog_entry("Event log cleared by VCL");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output while clearing event log: @logfile_names, output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_login_screensaver
Parameters : None
Returns :
Description : Sets the registry keys to disable to login screensaver.
=cut
sub disable_login_screensaver {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_key = 'HKEY_USERS\\.DEFAULT\\Control Panel\\Desktop';
if ($self->reg_add($registry_key, 'ScreenSaveActive', 'REG_SZ', 0) && $self->reg_add($registry_key, 'ScreenSaveTimeOut', 'REG_SZ', 0)) {
notify($ERRORS{'DEBUG'}, 0, "set registry keys to disable the login screensaver");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set registry keys to disable the login screensaver");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 fix_default_profile
Parameters : none
Returns : boolean
Description : Attempts to correct common problems with the default user
profile by loading the default user registry hive from the
ntuser.dat file into the registry, making changes, then unloading
the hive.
=cut
sub fix_default_profile {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $root_key = 'HKEY_USERS\DEFAULT_USER_PROFILE';
my $profile_list_key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList';
# Determine the default user profile path
my $profile_list_registry_info = $self->reg_query($profile_list_key);
if (!$profile_list_registry_info) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve profile information from the registry on $computer_node_name");
return;
}
elsif (!$profile_list_registry_info->{$profile_list_key}) {
notify($ERRORS{'WARNING'}, 0, "unable to determine default profile path, '$profile_list_key' key does not exist in the registry data:\n" . format_data($profile_list_registry_info));
return;
}
# The default profile path should either be stored in the 'Default' value or can be assembled from combining the 'ProfilesDirectory' and 'DefaultUserProfile' values
my $default_profile_path;
if ($profile_list_registry_info->{$profile_list_key}{Default}) {
$default_profile_path = $profile_list_registry_info->{$profile_list_key}{Default};
}
elsif ($profile_list_registry_info->{$profile_list_key}{ProfilesDirectory} && $profile_list_registry_info->{$profile_list_key}{DefaultUserProfile}) {
$default_profile_path = "$profile_list_registry_info->{$profile_list_key}{ProfilesDirectory}\\$profile_list_registry_info->{$profile_list_key}{DefaultUserProfile}";
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to determine default profile path from the registry on $computer_node_name:\n" . format_data($profile_list_registry_info->{$profile_list_key}));
return;
}
notify($ERRORS{'DEBUG'}, 0, "determined default profile path from the registry on $computer_node_name: '$default_profile_path'");
# Load the default profile hive file into the registry
my $hive_file_path = "$default_profile_path\\ntuser.dat";
if (!$self->reg_load($root_key, $hive_file_path)) {
notify($ERRORS{'WARNING'}, 0, "failed to load the default profile hive into the registry on $computer_node_name");
return;
}
# Fix registry values known to cause problems
# The "Shell Folders" key may contain paths pointing to a specific user's profile
# Any paths under "Shell Folders" can be deleted
my $registry_string .= <<EOF;
Windows Registry Editor Version 5.00
[-$root_key\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders]
[$root_key\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders]
EOF
# Import the string into the registry
if (!$self->import_registry_string($registry_string)) {
notify($ERRORS{'WARNING'}, 0, "failed to fix problematic registry settings in the default profile");
return;
}
# Unoad the default profile hive
if (!$self->reg_unload($root_key)) {
notify($ERRORS{'WARNING'}, 0, "failed to unload the default profile hive from the registry on $computer_node_name");
return;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_environment_variable_value
Parameters : $environment_variable_name
Returns : string
Description : Retrieves the value of the environment variable specified by the
argument. An empty string is returned if the variable is not set.
=cut
sub get_environment_variable_value {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
# Get the environment variable name argument
my $environment_variable_name = shift;
if (!defined($environment_variable_name)) {
notify($ERRORS{'WARNING'}, 0, "environment variable name argument was not supplied");
return;
}
# Determine how the environment variable should be echo'd
my $command = 'bash --login -c "';
if ($environment_variable_name =~ /^\$/) {
# Unix-style environment variable name passed beginning with a '$', echo it from the Cygwin bash shell
$environment_variable_name = uc($environment_variable_name);
$command .= "echo \\$environment_variable_name";
}
elsif ($environment_variable_name =~ /^\%.*\%$/) {
# DOS-style environment variable name passed enclosed in '%...%', echo it from a command prompt
$command .= "cmd.exe /c echo $environment_variable_name";
}
else {
# Plain-word environment variable name passed, enclose it in '%...%' and echo it from a command prompt
$command .= "cmd.exe /c echo \%$environment_variable_name\%";
}
$command .= '"';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to run command to retrieve value of '$environment_variable_name' environment variable on $computer_node_name");
return;
}
elsif ($exit_status ne '0' || grep(/bash:/, @$output)) {
notify($ERRORS{'WARNING'}, 0, "error occurred attempting to retrieve value of '$environment_variable_name' environment variable on $computer_node_name\ncommand: '$command'\noutput:\n" . join("\n", @$output));
return;
}
elsif (scalar @$output > 1) {
notify($ERRORS{'WARNING'}, 0, "unexpected output returned from command to retrieve value of '$environment_variable_name' environment variable on $computer_node_name\ncommand: '$command'\noutput:\n" . join("\n", @$output));
return;
}
my $value = @$output[0];
if (scalar @$output == 0 || $value =~ /^\%.*\%$/) {
notify($ERRORS{'DEBUG'}, 0, "'$environment_variable_name' environment variable is not set on $computer_node_name");
return '';
}
else {
notify($ERRORS{'DEBUG'}, 0, "retrieved value of '$environment_variable_name' environment variable on $computer_node_name: '$value'");
return $value;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 check_connection_on_port
Parameters : $port
Returns : boolean
Description : Checks if a connection is established to the port specified from
the reservation remote IP address. If a connection is detected
from another address and the user is logged in,
reservation.remoteIP is updated.
=cut
sub check_connection_on_port {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $remote_ip = $self->data->get_reservation_remote_ip();
my $computer_public_ip_address = $self->get_public_ip_address();
my $request_state_name = $self->data->get_request_state_name();
my $port = shift;
if (!$port) {
notify($ERRORS{'WARNING'}, 0, "port variable was not passed as an argument");
return "failed";
}
my $port_connection_info = $self->get_port_connection_info();
for my $protocol (keys %$port_connection_info) {
if (!defined($port_connection_info->{$protocol}{$port})) {
next;
}
for my $connection (@{$port_connection_info->{$protocol}{$port}}) {
my $connection_local_ip = $connection->{local_ip};
my $connection_remote_ip = $connection->{remote_ip};
if ($connection_local_ip ne $computer_public_ip_address) {
notify($ERRORS{'DEBUG'}, 0, "ignoring connection, not connected to public IP address ($computer_public_ip_address): $connection_remote_ip --> $connection_local_ip:$port ($protocol)");
next;
}
if ($connection_remote_ip eq $remote_ip) {
notify($ERRORS{'DEBUG'}, 0, "connection detected from reservation remote IP: $connection_remote_ip --> $connection_local_ip:$port ($protocol)");
return 1;
}
# Connection is not from reservation remote IP address, check if user is logged in
if ($self->user_logged_in()) {
notify($ERRORS{'DEBUG'}, 0, "connection detected from different remote IP address than current reservation remote IP ($remote_ip): $connection_remote_ip --> $connection_local_ip:$port ($protocol), updating reservation remote IP to $connection_remote_ip");
$self->data->set_reservation_remote_ip($connection_remote_ip);
return 1;
}
notify($ERRORS{'DEBUG'}, 0, "ignoring connection, user is not logged in and remote IP address does not match current reservation remote IP ($remote_ip): $connection_remote_ip --> $connection_local_ip:$port ($protocol)");
}
}
return 0;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_cpu_core_count
Parameters : none
Returns : integer
Description : Retrieves the number of CPU cores the computer has by querying
the NUMBER_OF_PROCESSORS environment variable.
=cut
sub get_cpu_core_count {
my $self = shift;
if (ref($self) !~ /module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->get_environment_variable_value('NUMBER_OF_PROCESSORS');
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_script
Parameters : $script_path, $timeout_seconds (optional)
Returns : boolean
Description : Checks if script exists on the computer and attempts to run it.
=cut
sub run_script {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Get the script path argument
my $script_path = shift;
if (!$script_path) {
notify($ERRORS{'WARNING'}, 0, "script path argument was not specified");
return;
}
my $timeout_seconds = shift || 300;
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# Check if script exists
if (!$self->file_exists($script_path)) {
notify($ERRORS{'WARNING'}, 0, "script does NOT exist on $computer_node_name: $script_path");
return;
}
# Determine the script name
my ($script_name, $script_directory_path, $script_extension) = fileparse($script_path, qr/\.[^.]*/);
(my $script_path_escaped = $script_path) =~ s/( )/\^$1/g;
# Get the node configuration directory, make sure it exists, create if necessary
my $node_configuration_directory = $self->get_node_configuration_directory();
my $node_log_directory = "$node_configuration_directory/Logs";
# Assemble the log file path
my $log_file_path;
# If the script resides in the VCL node configuration directory, append the intermediate directory paths to the logfile path
if ($script_directory_path =~ /$node_configuration_directory[\\\/](.+)/) {
$log_file_path = "$node_log_directory/$1$script_name.log";
}
else {
$log_file_path = "$node_log_directory/$script_name.log";
}
my $timestamp = makedatestring();
# Assemble the command
my $command;
if ($script_extension =~ /vbs/i) {
$command = "cmd.exe /c \"$system32_path/cscript.exe $script_path_escaped & exit %ERRORLEVEL%\"";
}
else {
$command = "cmd.exe /c \"$script_path_escaped & exit %ERRORLEVEL%\"";
}
# Execute the command
notify($ERRORS{'DEBUG'}, 0, "executing script on $computer_node_name:\nscript path: $script_path\nlog file path: $log_file_path\nscript timeout: $timeout_seconds seconds");
my ($exit_status, $output) = $self->execute($command, 1, $timeout_seconds);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute script on $computer_node_name: '$script_path', command: '$command'");
return;
}
# Create a log file containing the output
my $logfile_contents = "$timestamp - $script_path executed by vcld";
my $header_line_length = length($logfile_contents);
$logfile_contents = '=' x $header_line_length . "\r\n$logfile_contents\r\n" . '=' x $header_line_length . "\r\n";
$logfile_contents .= join("\r\n", @$output) . "\r\n";
$self->create_text_file($log_file_path, $logfile_contents, 1);
if ($exit_status == 0) {
notify($ERRORS{'OK'}, 0, "successfully executed script on $computer_node_name: '$script_path'\nlog file: log_file_path\ncommand: $command, output:\n" . join("\n", @$output));
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "script '$script_path' returned a non-zero exit status: $exit_status\nlog file: $log_file_path\ncommand: '$command'\noutput:\n" . join("\n", @$output));
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 install_updates
Parameters : none
Returns : boolean
Description : Installs Windows update files stored in under the tools directory
on the management node. Update files which exist on the
management node but not on the computer are copied. Files which
are named the same but differ are replaced.
=cut
sub install_updates {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $image_name = $self->data->get_image_name();
# Get the node configuration directory, make sure it exists, create if necessary
my $node_configuration_directory = $self->get_node_configuration_directory();
my @computer_tools_files = $self->get_tools_file_paths("/Updates/");
if (@computer_tools_files) {
notify($ERRORS{'DEBUG'}, 0, scalar(@computer_tools_files) . " updates found which apply to $image_name:\n" . join("\n", @computer_tools_files));
}
else {
notify($ERRORS{'DEBUG'}, 0, "no updates have been saved to the management node which apply to $image_name");
return 1;
}
my $logfile_directory_path = "$node_configuration_directory/Logs/Updates";
$self->create_directory($logfile_directory_path);
my %installed_updates = map { $_ => 1 } $self->get_installed_updates();
my @update_ids;
# Loop through all update files on the computer
for my $file_path (@computer_tools_files) {
my ($file_name, $directory_path, $file_extension) = fileparse($file_path, qr/\.[^.]*/);
if ($file_path !~ /\.(msu|exe)$/i) {
notify($ERRORS{'DEBUG'}, 0, "file on $computer_node_name not installed because file extension is not .exe or .msu: $file_path");
next;
}
# Get the update ID (KBxxxxxx) from the file name
my ($update_id) = uc($file_name) =~ /(kb\d+)/i;
$update_id = $file_name if !$update_id;
# Check if the update is already installed based on the list returned from the OS
if ($installed_updates{$update_id}) {
notify($ERRORS{'DEBUG'}, 0, "update $update_id is already installed on $computer_node_name");
next;
}
else {
# Add ID to @update_ids array, this list will be checked after all updates are installed to verify update is installed on computer
push @update_ids, $update_id;
}
if ($file_path =~ /\.msu$/i) {
$self->install_msu_update($file_path);
}
elsif ($file_path =~ /\.exe$/i) {
$self->install_exe_update($file_path);
}
}
# If any updates were installed, verify they appear on the OS
if (@update_ids) {
# Retrieve the installed updated from the OS to check if the update was installed
%installed_updates = map { $_ => 1 } $self->get_installed_updates(1);
for my $update_id (@update_ids) {
if ($installed_updates{$update_id}) {
notify($ERRORS{'DEBUG'}, 0, "verified update $update_id is installed on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "update $update_id does not appear in the list of updates installed on $computer_node_name");
}
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 install_exe_update
Parameters : $update_file_path
Returns : boolean
Description : Installs a Windows Update .exe update package.
=cut
sub install_exe_update {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $file_path = shift;
if (!$file_path) {
notify($ERRORS{'WARNING'}, 0, "path to .msu update file was not supplied");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my ($file_name, $directory_path, $file_extension) = fileparse($file_path, qr/\.[^.]*/);
my ($update_id) = uc($file_name) =~ /(kb\d+)/i;
$update_id = $file_name if !$update_id;
# Assemble the log file path
# wusa.exe creates log files in the Event Log format - not plain text
my $node_configuration_directory = $self->get_node_configuration_directory();
my $logfile_directory_path = "$node_configuration_directory/Logs/Updates";
my $log_file_path = "$logfile_directory_path/$file_name.log";
# Delete old log files for the update being installed so log output can be parsed without including old data
$self->delete_file("$logfile_directory_path/*$update_id*");
my $command;
$command .= "chmod -Rv 755 \"$file_path\" ; ";
$command .= "\"$file_path\" /quiet /norestart /log:\"$log_file_path\"";
notify($ERRORS{'DEBUG'}, 0, "installing update on $computer_node_name\ncommand: $command");
my ($exit_status, $output) = $self->execute($command, 1, 180);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to install update on $computer_node_name: $command");
return;
}
elsif ($exit_status eq '194') {
# Exit status 194 - installed but reboot required
notify($ERRORS{'DEBUG'}, 0, "installed update on $computer_node_name, exit status $exit_status indicates a reboot is required");
push @{$self->{reboot_required}}, "installed update: $file_path, exit status indicates a reboot is required";
return 1;
}
elsif ($exit_status eq '0') {
notify($ERRORS{'DEBUG'}, 0, "installed update on $computer_node_name");
}
else {
notify($ERRORS{'WARNING'}, 0, "command to install update on $computer_node_name returned exit status: $exit_status\ncommand: $command\noutput:\n" . join("\n", @$output));
}
# Check the log file to determine if a reboot is required, skip if exit status was 194
my @log_file_lines = $self->get_file_contents($log_file_path);
for my $line (@log_file_lines) {
if ($line =~ /RebootNecessary = 1|reboot is required/i) {
push @{$self->{reboot_required}}, "installed update: $file_path, log file indicates a reboot is required: $line";
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 install_msu_update
Parameters : $msu_file_path
Returns : boolean
Description : Installs a Windows Update Stand-alone Installer .msu update
package.
=cut
sub install_msu_update {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $file_path = shift;
if (!$file_path) {
notify($ERRORS{'WARNING'}, 0, "path to .msu update file was not supplied");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my ($file_name, $directory_path, $file_extension) = fileparse($file_path, qr/\.[^.]*/);
my ($update_id) = uc($file_name) =~ /(kb\d+)/i;
$update_id = $file_name if !$update_id;
# Assemble the log file path
# wusa.exe creates log files in the Event Log format - not plain text
my $node_configuration_directory = $self->get_node_configuration_directory();
my $logfile_directory_path = "$node_configuration_directory/Logs/Updates";
my $event_log_file_path = "$logfile_directory_path/$file_name.evtx";
my $log_file_path = "$logfile_directory_path/$file_name.log";
# Delete old log files for the update being installed so log output can be parsed without including old data
$self->delete_file("$logfile_directory_path/*$update_id*");
my $wusa_command;
$wusa_command .= "chmod -Rv 755 \"$file_path\" ; ";
$wusa_command .= "$system32_path/wusa.exe \"$file_path\" /quiet /norestart /log:\"$event_log_file_path\"";
notify($ERRORS{'DEBUG'}, 0, "installing update on $computer_node_name\ncommand: $wusa_command");
my ($wusa_exit_status, $wusa_output) = $self->execute($wusa_command, 1, 180);
if (!defined($wusa_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to install update on $computer_node_name: $wusa_command");
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "executed command to install update on $computer_node_name, exit status: $wusa_exit_status\ncommand: $wusa_command\noutput:\n" . join("\n", @$wusa_output));
}
# Convert Event Log format log file to plain text
# Use the wevtutil.exe - the Windows Events Command Line Utility
my $wevtutil_command = "$system32_path/wevtutil.exe qe \"$event_log_file_path\" /lf:true /f:XML /e:root > \"$log_file_path\"";
my ($wevtutil_exit_status, $wevtutil_output) = $self->execute($wevtutil_command);
if (!defined($wevtutil_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to convert event log file to plain text on $computer_node_name: $wevtutil_command");
return;
}
else {
#notify($ERRORS{'DEBUG'}, 0, "executed command to convert event log file to plain text $computer_node_name, exit status: $wevtutil_exit_status\ncommand: $wevtutil_command\noutput:\n" . join("\n", @$wevtutil_output));
}
my @log_file_lines = $self->get_file_contents($log_file_path);
#notify($ERRORS{'DEBUG'}, 0, "log file contents from installation of $file_path:\n" . join("\n", @log_file_lines));
my $log_xml_hash = xml_string_to_hash(@log_file_lines);
#notify($ERRORS{'DEBUG'}, 0, "XML hash:\n" . format_data($log_xml_hash));
my @events = @{$log_xml_hash->{Event}};
for my $event (@events) {
my $event_record_id = $event->{System}[0]->{EventRecordID}[0];
my %event_data = map { $_->{Name} => $_->{content} } @{$event->{EventData}[0]->{Data}};
#notify($ERRORS{'DEBUG'}, 0, "event $event_record_id:\n" . format_data(\%event_data));
if (my $error_code = $event_data{ErrorCode}) {
my $error_string = $event_data{ErrorString} || '<none>';
if ($error_code eq '2359302') {
# Already installed but reboot is required
notify($ERRORS{'DEBUG'}, 0, "update $update_id is already installed but a reboot is required:\n" . format_data(\%event_data));
push @{$self->{reboot_required}}, "installed update: $file_path, event log indicates a reboot is required";
}
else {
notify($ERRORS{'WARNING'}, 0, "error occurred installing update $update_id:\n" . format_data(\%event_data));
}
}
elsif (my $debug_message = $event_data{DebugMessage}) {
if ($debug_message =~ /IsRebootRequired: 1/i) {
# RebootIfRequested.01446: Reboot is not scheduled. IsRunWizardStarted: 0, IsRebootRequired: 0, RestartMode: 1
notify($ERRORS{'DEBUG'}, 0, "installed update $update_id, reboot is required:\n$debug_message");
push @{$self->{reboot_required}}, "installed update: $file_path, event message indicates a reboot is required: $debug_message";
}
elsif ($debug_message =~ /Update is already installed/i) {
# InstallWorker.01051: Update is already installed
notify($ERRORS{'DEBUG'}, 0, "update $update_id is already installed:\n$debug_message");
}
elsif ($debug_message =~ /0X240006/i) {
# InstallWorker.01051: Update is already installed
notify($ERRORS{'DEBUG'}, 0, "error 0X240006 indicates that update $update_id is already installed:\n$debug_message");
}
elsif ($debug_message =~ /0X80240017/i) {
notify($ERRORS{'WARNING'}, 0, "update is not intended for OS installed on $computer_node_name:\n$debug_message");
return;
}
elsif ($debug_message !~ /((start|end) of search|Failed to get message for error)/i) {
notify($ERRORS{'DEBUG'}, 0, "debug message for installation of update $update_id:\n$debug_message");
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "event generated while installing update $update_id:\n" . format_data(\%event_data));
}
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_installed_updates
Parameters : $no_cache (optional)
Returns : array
Description : Retrieves the list of updates installed on the computer.
=cut
sub get_installed_updates {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $no_cache = shift;
return $self->{update_ids} if (!$no_cache && $self->{update_ids});
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
# wmic.exe will hang if it is called by itself. It has something to do with TTY/PTY
# Piping the echo command seems to prevent it from hanging
my $command = "echo | $system32_path/Wbem/wmic.exe QFE LIST BRIEF";
notify($ERRORS{'DEBUG'}, 0, "retrieving list of installed updates on $computer_node_name, command: $command");
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to list updates installed on $computer_node_name: $command");
return;
}
# Add update IDs found to a hash and then convert it to an array to eliminate duplicates
my %update_id_hash;
for my $line (@$output) {
# Parse the update ID from the line, may be in the form KB000000
my ($update_id) = $line =~ /(kb\d+)/i;
$update_id_hash{$update_id} = 1 if $update_id;
}
my @update_ids = sort keys %update_id_hash;
$self->{update_ids} = \@update_ids;
notify($ERRORS{'DEBUG'}, 0, "retrieved list updates installed on $computer_node_name(" . scalar(@update_ids) . "): " . join(", ", @update_ids));
return @update_ids;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_user_names
Parameters : none
Returns : array
Description : Retrieves the user account names which exist on the computer.
=cut
sub get_user_names {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $image_name = $self->data->get_image_name();
my $command = "net user";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve user info from OS");
return;
}
my $found_dash_line;
my @user_names;
for my $line (@$output) {
if ($line =~ /^---/) {
$found_dash_line = 1;
next;
}
elsif (!$found_dash_line || $line =~ /command completed/) {
next;
}
my @line_user_names = split(/[ \t]{2,}/, $line);
push @user_names, @line_user_names if @line_user_names;
}
notify($ERRORS{'DEBUG'}, 0, "retrieved user names from $image_name: " . join(", ", sort { lc($a) cmp lc($b) } @user_names));
return @user_names;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 check_image
Parameters : none
Returns : boolean
Description : Checks the image currently loaded on the computer and updates the
imagerevisioninfo table if necessary. If the
windows_disable_users variable is set in the variable table, the
list of user accounts is retrieved from the computer and compared
against the variable. Any user accounts listed in the variable
which reside in the image have a random password set and are
disabled.
=cut
sub check_image {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
#set_variable('ignore_users', 'Administrator,cyg_server,Guest,root,sshd,HelpAssistant,SUPPORT_388945a0,ASPNET');
#set_variable('disable_users', 'test');
my $imagerevision_id = $self->data->get_imagerevision_id();
my $image_name = $self->data->get_image_name();
my $computer_node_name = $self->data->get_computer_node_name();
my @image_user_names_report = ();
my @image_user_names_reservation = ();
my @image_user_names_ignore = ();
# Get list of user names which should be disabled in images - known bad, unsafe
my $disable_user_names_variable = get_variable('windows_disable_users');
if (!$disable_user_names_variable) {
notify($ERRORS{'DEBUG'}, 0, "$image_name not being checked for bad user accounts, windows_disable_users is not set in the variable table");
}
else {
my @disable_user_names = sort {lc($a) cmp lc($b)} (split(/[,;]+/, $disable_user_names_variable));
my $disable_user_names_regex = join("|", @disable_user_names);
# Get list of user names which should be ignored in images (safe, normal users: Administrator, guest...)
my $ignore_user_names_variable = get_variable('windows_ignore_users') || '';
my @ignore_user_names = sort {lc($a) cmp lc($b)} (split(/[,;]+/, $ignore_user_names_variable));
my $ignore_user_names_regex = join("|", @ignore_user_names);
# Get list of user names from loaded image
my @image_user_names = $self->get_user_names();
if (!@image_user_names) {
notify($ERRORS{'DEBUG'}, 0, "skipping image check, unable to retrieve user names from $computer_node_name");
return;
}
# Get the list of reservation users - includes imagemeta users and server profile users
my $reservation_user_hashref = $self->data->get_reservation_users();
my @reservation_user_names = sort {lc($a) cmp lc($b)} (map { $reservation_user_hashref->{$_}{unityid} } (keys %$reservation_user_hashref));
my $reservation_user_names_regex = join("|", @reservation_user_names);
notify($ERRORS{'DEBUG'}, 0, "image users:\n" .
"users on $image_name: " . join(", ", @image_user_names) . "\n" .
"reservation users: " . join(", ", @reservation_user_names) . "\n" .
"users which should be disabled for all images: " . join(", ", @disable_user_names) . "\n" .
"users which can be ignored for all images: " . join(", ", @ignore_user_names) . "\n"
);
OS_USER_NAME: for my $image_user_name (sort {lc($a) cmp lc($b)} @image_user_names) {
for my $disable_user_name_pattern (@disable_user_names) {
if ($image_user_name =~ /$disable_user_name_pattern/i) {
notify($ERRORS{'DEBUG'}, 0, "found user on $image_name which should be disabled: '$image_user_name' (matches pattern: '$disable_user_name_pattern')");
my $random_password = getpw(11);
if (!$self->set_password($image_user_name, $random_password, 1)) {
notify($ERRORS{'WARNING'}, 0, "failed to set random password for user: '$image_user_name'");
}
else {
notify($ERRORS{'OK'}, 0, "set random password for user: '$image_user_name', '$random_password'");
}
$self->disable_user($image_user_name);
}
}
if ($image_user_name =~ /^($reservation_user_names_regex)$/i) {
notify($ERRORS{'DEBUG'}, 0, "ignoring reservation user in image: '$image_user_name'");
push @image_user_names_reservation, $image_user_name;
}
elsif ($image_user_name =~ /^($ignore_user_names_regex)$/i) {
notify($ERRORS{'DEBUG'}, 0, "ignoring user in image: '$image_user_name'");
push @image_user_names_ignore, $image_user_name;
}
else {
notify($ERRORS{'DEBUG'}, 0, "reporting user in image: '$image_user_name'");
push @image_user_names_report, $image_user_name;
}
}
}
my $firewall_state = $self->get_firewall_state();
if (scalar(@image_user_names_report) > 0 || !$firewall_state || $firewall_state !~ /(1|yes|on|enabled)/i) {
notify($ERRORS{'DEBUG'}, 0, "reporting $image_name image to imagerevisioninfo table (imagerevision ID: $imagerevision_id):\n" .
"firewall state: $firewall_state\n" .
"reservation users found on image: " . join(", ", @image_user_names_reservation) . "\n" .
"ignored users found on image: " . join(", ", @image_user_names_ignore) . "\n" .
"users which might not belong on image: " . join(", ", @image_user_names_report)
);
$self->update_imagerevision_info($imagerevision_id, join(",", @image_user_names_report), $firewall_state);
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 update_imagerevision_info
Parameters : $imagerevision_id, $usernames, $firewall_enabled
Returns : boolean
Description : Updates the imagerevisioninfo table in the database.
=cut
sub update_imagerevision_info {
my $self = shift;
if (ref($self) !~ /VCL::Module/) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $imagerevision_id = shift;
my $usernames = shift;
my $firewall_enabled = shift;
if (!defined($imagerevision_id)) {
notify($ERRORS{'WARNING'}, 0, "imagerevision ID argument was not specified");
return;
}
elsif (!defined($usernames) && !defined($firewall_enabled)) {
notify($ERRORS{'WARNING'}, 0, "usernames or firewall_enabled argument was not specified");
return;
}
$usernames = '' if !$usernames;
if (!defined($firewall_enabled)) {
$firewall_enabled = 'unknown';
}
elsif ($firewall_enabled =~ /^(1|yes|on|enabled)$/i) {
$firewall_enabled = 'yes';
}
elsif ($firewall_enabled =~ /^(0|no|off|disabled)$/i) {
$firewall_enabled = 'no';
}
else {
$firewall_enabled = 'unknown';
}
my $update_statement = <<EOF;
INSERT INTO imagerevisioninfo
(
imagerevisionid,
usernames,
firewallenabled,
timestamp
)
VALUES
(
'$imagerevision_id',
'$usernames',
'$firewall_enabled',
NOW()
)
ON DUPLICATE KEY UPDATE
imagerevisionid=VALUES(imagerevisionid),
usernames=VALUES(usernames),
firewallenabled=VALUES(firewallenabled),
timestamp=VALUES(timestamp)
EOF
return database_execute($update_statement);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_firewall_state
Parameters : None
Returns : If successful: string "ON" or "OFF"
Description : Determines if the Windows firewall is on or off.
=cut
sub get_firewall_state {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
# Run netsh.exe to get the state of the current firewall profile
my $command = "$system32_path/netsh.exe firewall show state";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve firewall state");
return;
}
# Get the lines containing 'Operational mode'
# Operational mode = Enable
my @mode_lines = grep(/Operational mode/i, @$output);
if (!@mode_lines) {
notify($ERRORS{'WARNING'}, 0, "unable to find 'Operational mode' line in output:\n" . join("\n", @$output));
return;
}
# Loop through lines, if any contain "ON", return "ON"
for my $mode_line (@mode_lines) {
if ($mode_line =~ /on/i) {
notify($ERRORS{'OK'}, 0, "firewall state: ON");
return "ON";
}
elsif ($mode_line =~ /off/i) {
notify($ERRORS{'OK'}, 0, "firewall state: OFF");
return "OFF";
}
else {
notify($ERRORS{'WARNING'}, 0, "firewall state line does not contain ON or OFF: '$mode_line'");
}
}
# No lines were found containing "ON", return "OFF"
notify($ERRORS{'WARNING'}, 0, "unable to determine firewall state, output:\n" . join("\n", @$output));
return;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 check_rdp_port_configuration
Parameters : none
Returns : boolean
Description : Checks if the RDP port number configured in the registry matches
the port number configured for the RDP connect method. If they
don't match, the registry is modified and the TermService service
is restarted.
=cut
sub check_rdp_port_configuration {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $connect_method_info = $self->data->get_connect_methods();
if (!$connect_method_info) {
notify($ERRORS{'WARNING'}, 0, "unable to check RDP port, connect method info could not be retrieved");
return;
}
# Find the RDP method, retrieve the port
my $connect_method;
for my $connect_method_id (keys %$connect_method_info) {
my $connect_method_name = $connect_method_info->{$connect_method_id}{name};
if ($connect_method_name =~ /^rdp$/i) {
$connect_method = $connect_method_info->{$connect_method_id};
last;
}
}
if (!defined($connect_method)) {
notify($ERRORS{'DEBUG'}, 0, "no connect method exists named 'rdp':\n" . format_data($connect_method_info));
return 1;
}
# Get the port information
my $connect_method_port_info = $connect_method->{connectmethodport};
if (!defined($connect_method_port_info) || scalar keys %$connect_method_port_info == 0) {
notify($ERRORS{'WARNING'}, 0, "no ports are defined for connect method:\n" . format_data($connect_method_info));
return;
}
# Extract the port numbers - multiple ports may be defined, for example TCP/3389 and UDP/3389
my %connect_method_port_hash;
for my $connect_method_port_id (keys %$connect_method_port_info) {
my $port = $connect_method_port_info->{$connect_method_port_id}{port};
$connect_method_port_hash{$port} = 1;
}
# Make sure a single port number is defined for the RDP connect method
my @connect_method_ports = keys(%connect_method_port_hash);
if (!@connect_method_ports) {
notify($ERRORS{'WARNING'}, 0, "port is not defined for connect method:\n" . format_data($connect_method_port_info));
return;
}
elsif (scalar(@connect_method_ports) > 1) {
notify($ERRORS{'WARNING'}, 0, "unable to determine which port is supposed to be used for RDP, multiple ports are defined for connect method:\n" . format_data($connect_method_port_info));
return;
}
my $connect_method_rdp_port = $connect_method_ports[0];
my $rdp_port_key = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp';
my $rdp_port_value = 'PortNumber';
my $existing_rdp_port = $self->reg_query($rdp_port_key, $rdp_port_value);
if (!defined($existing_rdp_port)) {
notify($ERRORS{'WARNING'}, 0, "unable to check RDP port on $computer_name, failed to retrieve existing value from registry");
return;
}
elsif ($existing_rdp_port eq $connect_method_rdp_port) {
notify($ERRORS{'DEBUG'}, 0, "existing RDP port value in registry matches connect method port: $connect_method_rdp_port");
return 1;
}
notify($ERRORS{'DEBUG'}, 0, "existing RDP port value in registry $existing_rdp_port does NOT match connect method port $connect_method_rdp_port");
# Set the registry key
if (!$self->reg_add($rdp_port_key, $rdp_port_value, 'REG_DWORD', $connect_method_rdp_port)) {
notify($ERRORS{'WARNING'}, 0, "failed to set RDP port value in registry");
return;
}
# The services that depend on TermService must be stopped first or else the restart will fail
$self->stop_service('UmRdpService');
$self->stop_service('Mcx2Svc');
if ($self->restart_service('TermService')) {
notify($ERRORS{'OK'}, 0, "configured $computer_name to use RDP port $connect_method_rdp_port");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to configure $computer_name to use RDP port $connect_method_rdp_port, failed to restart Remote Desktop Service (TermService)");
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_port_connection_info
Parameters : none
Returns : hash reference
Description : Retrieves information about established connections from the
computer. A hash is constructed:
{
"TCP" => {
22 => [
{
"local_ip" => "10.25.10.197",
"pid" => 3648,
"remote_ip" => "10.25.0.241",
"remote_port" => 54692
}
],
3389 => [
{
"local_ip" => "192.168.16.238",
"pid" => 332,
"remote_ip" => "192.168.53.54",
"remote_port" => 55892
}
]
}
}
=cut
sub get_port_connection_info {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_node_name = $self->data->get_computer_node_name();
my $command = "netstat -ano";
my ($exit_status, $output) = $self->execute($command, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command: $command");
return;
}
elsif (grep(/^netstat: /, @$output)) {
notify($ERRORS{'WARNING'}, 0, "error occurred executing command: '$command', exit status: $exit_status, output:\n" . join("\n", @$output));
return;
}
my $connection_info = {};
for my $line (@$output) {
# Proto Local Address Foreign Address State PID
# TCP 192.168.1.53:3389 192.168.53.54:55892 ESTABLISHED 332
my ($protocol, $local_ip_address, $local_port, $remote_ip_address, $remote_port, $state, $pid) = $line =~ /^\s*(\w+)\s+([\d\.]+):(\d+)\s+([\d\.]+):(\d+)\s+(\w+)\s+(\d+)/i;
if (!$state) {
#notify($ERRORS{'DEBUG'}, 0, "connection state could not be determined from line:\n$line");
next;
}
elsif ($state !~ /ESTABLISHED/i) {
next;
}
my $connection = {
local_ip => $local_ip_address,
remote_ip => $remote_ip_address,
remote_port => $remote_port,
};
$connection->{pid} = $pid if $pid;
push @{$connection_info->{$protocol}{$local_port}}, $connection;
}
if ($connection_info) {
notify($ERRORS{'DEBUG'}, 0, "retrieved connection info from $computer_node_name:\n" . format_data($connection_info));
}
else {
notify($ERRORS{'DEBUG'}, 0, "did not detect any connections on $computer_node_name");
}
return $connection_info;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_timezone_offset_minutes
Parameters : none
Returns : integer
Description : Retrieves the number of minutes the system time of the computer
is offset from UTC. It may be positive or negative. This is used
to adjust times returned by the computer which are not adjusted
to the computer's time zone such as from event log entries.
=cut
sub get_timezone_offset_minutes {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{timezone_offset_minutes} if defined($self->{timezone_offset_minutes});
my $system32_path = $self->get_system32_path();
my $command = "$system32_path/Wbem/wmic.exe OS Get CurrentTimeZone";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to retrieve timezone offset");
return;
}
my ($offset_minutes) = grep(/^-?\d+$/, @$output);
if (defined($offset_minutes)) {
notify($ERRORS{'DEBUG'}, 0, "retrieved OS timezone offset minutes: $offset_minutes");
$self->{timezone_offset_minutes} = $offset_minutes;
return $self->{timezone_offset_minutes};
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve OS timezone offset minutes, command: $command, output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 notify_user_console
Parameters : message, username(optional)
Returns : boolean
Description : Send a message to the user on the console
=cut
sub notify_user_console {
my $self = shift;
if (ref($self) !~ /Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $message = shift;
if (!$message) {
notify($ERRORS{'WARNING'}, 0, "message argument was not supplied");
return;
}
my $username = shift || $self->data->get_user_login_id();
my $computer_node_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path();
my $cmd = "$system32_path/msg.exe $username /TIME:180 '$message'";
my ($exit_status, $output) = $self->execute($cmd, 1);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if the '$cmd' shell command exists on $computer_node_name");
return;
}
else {
notify($ERRORS{'DEBUG'}, 0, "executed command to determine if the '$cmd' shell command exists on $computer_node_name");
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_cygwin_installation_directory_path
Parameters : none
Returns : string
Description : Retrieves the directory path where Cygwin is installed on the
computer. 32-bit and 64-bit versions of Cygwin may use different
paths.
=cut
sub get_cygwin_installation_directory_path {
my $self = shift;
if (ref($self) !~ /Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{CYGWIN_PATH} if $self->{CYGWIN_PATH};
my $computer_node_name = $self->data->get_computer_node_name();
my $default_path = 'C:/cygwin';
my $command = "cygpath.exe -m /";
my ($exit_status, $output) = $self->execute($command, 1);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine Cygwin installation directory path on $computer_node_name, returning default path: $default_path");
$self->{CYGWIN_PATH} = $default_path;
return $self->{CYGWIN_PATH};
}
elsif (grep(/^cygpath:/, @$output)) {
notify($ERRORS{'WARNING'}, 0, "error occurred determining Cygwin installation directory path on $computer_node_name, returning default path: $default_path, output:\n" . join("\n", @$output));
$self->{CYGWIN_PATH} = $default_path;
return $self->{CYGWIN_PATH};
}
my ($directory_path) = grep(/^[a-z]/i, @$output);
if ($directory_path) {
notify($ERRORS{'DEBUG'}, 0, "determined Cygwin installation directory path on $computer_node_name: $directory_path");
$self->{CYGWIN_PATH} = $directory_path;
return $self->{CYGWIN_PATH};
}
else {
notify($ERRORS{'WARNING'}, 0, "error occurred determining Cygwin installation directory path on $computer_node_name, returning default path: $default_path, did not find a line beginning with a letter in the output:\n" . join("\n", @$output));
$self->{CYGWIN_PATH} = $default_path;
return $self->{CYGWIN_PATH};
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_cygwin_unix_file_path
Parameters : $file_path
Returns : string
Description : Converts a Windows-style path to a Cygwin/Unix-style path.
Example: C:\Windows\file.txt --> /cygdrive/c/Windows/file.txt
=cut
sub get_cygwin_unix_file_path {
my $self = shift;
if (ref($self) !~ /Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $file_path_argument = shift;
if (!$file_path_argument) {
notify($ERRORS{'WARNING'}, 0, "file path argument was not specified");
return;
}
if ($file_path_argument =~ /^\//) {
notify($ERRORS{'DEBUG'}, 0, "file path not converted because it begins with a forward slash: $file_path_argument");
return $file_path_argument;
}
elsif ($file_path_argument !~ /[\/\\:]/) {
notify($ERRORS{'DEBUG'}, 0, "file path not converted because it does not contain a forward slash, backslash, or colon: $file_path_argument");
return $file_path_argument;
}
# Change backslashes to forward slashes
$file_path_argument =~ s/\\+/\//g;
my $command = "cygpath.exe -u \"$file_path_argument\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine Cygwin/Unix-style path, returning argument: $file_path_argument");
return $file_path_argument;
}
my ($unix_file_path) = grep(/^\//, @$output);
if (!$unix_file_path || grep(/^cygpath:/, @$output)) {
notify($ERRORS{'WARNING'}, 0, "error occurred attempting to determine Cygwin/Unix-style path, returning argument: $file_path_argument, command:\n$command\noutput:\n" . join("\n", @$output));
return $file_path_argument;
}
else {
notify($ERRORS{'DEBUG'}, 0, "determined Cygwin/Unix-style path: $file_path_argument --> $unix_file_path");
return $unix_file_path;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_cluster_info_file_path
Parameters : none
Returns : string
Description : Returns the location where the cluster_info files resides on the
Windows computer, normally C:/cluster_info.
=cut
sub get_cluster_info_file_path {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{cluster_info_file_path} if $self->{cluster_info_file_path};
my $systemroot_value = $self->get_environment_variable_value('SYSTEMDRIVE') || 'C:';
$self->{cluster_info_file_path} = "$systemroot_value/cluster_info";
notify($ERRORS{'DEBUG'}, 0, "determined cluster_info file path for Windows: $self->{cluster_info_file_path}");
return $self->{cluster_info_file_path};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_reservation_info_json_file_path
Parameters : none
Returns : string
Description : Returns the location where the files resides on the computer that
contains JSON formatted information about the reservation.
=cut
sub get_reservation_info_json_file_path {
my $self = shift;
if (ref($self) !~ /VCL::Module::OS/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
return $self->{reservation_info_json_file_path} if $self->{reservation_info_json_file_path};
my $systemroot_value = $self->get_environment_variable_value('SYSTEMDRIVE') || 'C:';
$self->{reservation_info_json_file_path} = "$systemroot_value/Users/Administrator/reservation_info.json";
notify($ERRORS{'DEBUG'}, 0, "determined reservation info JSON file path file path for " . ref($self) . " OS module: $self->{reservation_info_json_file_path}");
return $self->{reservation_info_json_file_path};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 disable_set_network_location_prompt
Parameters : none
Returns : boolean
Description : Adds a registry key to disable the "Select a location for the
'Network' network" -- Home, Work, or Public prompt when users log
in to Windows.
=cut
sub disable_set_network_location_prompt {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $registry_key = 'HKLM\SYSTEM\CurrentControlSet\Control\Network\NewNetworkWindowOff';
return $self->reg_add($registry_key);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_current_computer_hostname
Parameters : none
Returns : string
Description : Retrieves the current hostname the computer is using. If a
computer was renamed but not rebooted, this will return the
previous name.
=cut
sub get_current_computer_hostname {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $command = 'cmd.exe /c "C:/Windows/Sysnative/Wbem/wmic.exe COMPUTERSYSTEM GET Name /Value"';
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve current computer hostname from $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
# Output should be:
# Name=vm-100
my ($line) = grep(/Name=(.+)/i, @$output);
if (!$line) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve current computer name from $computer_name, output does not contain a 'Name=' line:\n" . join("\n", @$output));
return;
}
my ($current_computer_name) = $line =~ /Name=(.+)$/ig;
if (!$current_computer_name) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve current computer name from $computer_name, failed to parse line: '$line'");
return;
}
notify($ERRORS{'OK'}, 0, "retrieved current computer hostname from $computer_name: '$current_computer_name'");
return $current_computer_name;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 set_computer_hostname
Parameters : $new_computer_name (optional)
Returns : boolean
Description : Changes the computer name. If successful, the postoption flag is
set to 'reboot' which should trigger a reboot after post_load is
complete.
=cut
sub set_computer_hostname {
my $self = shift;
unless (ref($self) && $self->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $use_database_hostnames = $self->data->get_image_domain_usedbhostnames();
my $database_computer_hostname = $self->data->get_computer_hostname();
my $system32_path = $self->get_system32_path() || return;
my $new_computer_name = shift;
if ($new_computer_name) {
notify($ERRORS{'DEBUG'}, 0, "attempting to set computer hostname to specified value: $new_computer_name");
}
else {
# Computer name argument was not specified, get the IP address of the public adapter
my $public_ip_address = $self->get_public_ip_address();
if ($public_ip_address) {
# Get the hostname the public IP address resolves to
$new_computer_name = ip_address_to_hostname($public_ip_address);
if ($new_computer_name) {
notify($ERRORS{'DEBUG'}, 0, "resolved public IP address $public_ip_address, attempting to set computer hostname: $new_computer_name");
}
else {
$new_computer_name = $database_computer_hostname;
notify($ERRORS{'DEBUG'}, 0, "public IP address $public_ip_address does not resolve, attempting to set computer hostname to value specified in database: $new_computer_name");
}
}
else {
# IP address of the public adapter could not be determined, use the hostname in the database
$new_computer_name = $database_computer_hostname;
notify($ERRORS{'DEBUG'}, 0, "attempting to set computer hostname to value specified in database: $new_computer_name");
}
}
# Check if the new computer name contains a period
# If so, split the computer name and DNS suffix
my $dns_suffix;
if ($new_computer_name =~ /^([^\.]+)\.(.+)$/) {
$new_computer_name = $1;
$dns_suffix = $2;
}
if ($use_database_hostnames == 1) {
$new_computer_name = $database_computer_hostname;
notify($ERRORS{'DEBUG'}, 0, "active directory forces using database configured hostname: $new_computer_name");
# Enable 'Change primary DNS suffix when domain membership changes'
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters', 'SyncDomainWithMembership', 'REG_DWORD', 1);
}
else {
# Disable 'Change primary DNS suffix when domain membership changes'
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters', 'SyncDomainWithMembership', 'REG_DWORD', 0);
# Set the DNS suffix registry key
if ($dns_suffix) {
$self->reg_add('HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters', 'NV Domain', 'REG_SZ', $dns_suffix);
}
}
# Assemble the command
my $command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe COMPUTERSYSTEM WHERE Name=\\\"%COMPUTERNAME%\\\" Rename \\\"$new_computer_name\\\"\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to execute command to set computer name of $database_computer_hostname to $new_computer_name");
return;
}
elsif (grep(/(ReturnValue = 0|Method execution successful)/i, @$output)) {
notify($ERRORS{'OK'}, 0, "set computer name of $database_computer_hostname to $new_computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
push @{$self->{reboot_required}}, "computer hostname was changed";
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to set computer name of $database_computer_hostname to $new_computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 _get_os_perl_package
Parameters : $windows_os
Returns : string
Description :
=cut
sub _get_os_perl_package {
my $windows_os = shift;
unless (ref($windows_os) && $windows_os->isa('VCL::Module')) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $product_name = $windows_os->get_product_name();
my $perl_package;
if (!$product_name) {
return;
}
elsif ($product_name =~ /(XP|2003)/i) {
$perl_package = "VCL::Module::OS::Windows::Version_5::$1";
}
elsif ($product_name =~ /(Vista|2008|2012|7|8)/ig) {
$perl_package = "VCL::Module::OS::Windows::Version_6::$1";
}
elsif ($product_name =~ /(2016|10)/ig) {
$perl_package = "VCL::Module::OS::Windows::Version_10::$1";
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to determine OS installed on computer, unsupported Windows product name: $product_name");
return;
}
notify($ERRORS{'DEBUG'}, 0, "perl package to use for '$product_name': $perl_package");
return $perl_package;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 mount_nfs_windows
Parameters : $remote_nfs_share, $drive_letter (optional), $options (optional)
Returns : boolean
Description : Mounts an NFS share on the computer using the Windows NFS client.
=cut
sub mount_nfs_windows {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($remote_nfs_share, $drive_letter, $options) = @_;
if (!defined($remote_nfs_share)) {
notify($ERRORS{'WARNING'}, 0, "remote target argument was not supplied");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_node_name();
# Usage: mount [-o options] [-u:username] [-p:<password | *>] <\\computername\sharename> <devicename | *>
#
# -o rsize=size To set the size of the read buffer in kilobytes.
# -o wsize=size To set the size of the write buffer in kilobytes.
# -o timeout=time To set the timeout value in seconds for an RPC call.
# -o retry=number To set the number of retries for a soft mount.
# -o mtype=soft|hard To set the mount type.
# -o lang=euc-jp|euc-tw|euc-kr|shift-jis|big5|ksc5601|gb2312-80|ansi
# To specify the encoding used for file and directory
# names.
# -o fileaccess=mode To specify the permission mode of the file.
# These are used for new files created on NFS
# servers. Specified using UNIX style mode bits.
# -o anon To mount as an anonymous user.
# -o nolock To disable locking.
# -o casesensitive=yes|no To specify case sensitivity of file lookup on server.
# -o sec=sys|krb5|krb5i
# These formats work:
# mount x.x.x.x:/sharename n:
# mount \\x.x.x.x\sharename n:
# Windows can't mount directly to a directory, check if a drive letter was passed
if (!$drive_letter) {
$drive_letter = '*';
}
elsif ($drive_letter !~ /^[a-z]:?$/i) {
notify($ERRORS{'WARNING'}, 0, "invalid drive letter argument was specified: $drive_letter, using next available drive letter");
$drive_letter = '*';
}
# Add a trailing colon
$drive_letter =~ s/:*$/:/;
my $command = "$system32_path/mount.exe";
# Figure out which options to use
# If using Netapp, see: https://library.netapp.com/ecmdocs/ECMP12365051/html/GUID-B7080A75-610D-46E1-A0EE-6CF1716636A0.html
# According to doc, must use hard mounts for Netapp
if ($options) {
# Check if mtype was specified, don't override
if ($options !~ /mtype/) {
$options .= ",mtype=hard";
}
}
else {
$options = "mtype=hard";
}
$command .= " -o $options";
$command .= " $remote_nfs_share $drive_letter";
# Escape *
$command =~ s/\*/\\\*/g;
notify($ERRORS{'DEBUG'}, 0, "attempting to mount NFS share on $computer_name: '$command'");
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: '$command'");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to mount Windows client NFS share on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "mounted Windows client NFS share on $computer_name: '$command'\noutput:\n" . join("\n", @$output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 unmount_nfs_windows
Parameters : none
Returns : boolean
Description : Unmounts all NFS shares on the computer using the Windows NFS
client.
=cut
sub unmount_nfs_windows {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_node_name();
# Usage: [-f] <-a | drive_letters | network_mounts>
# -a Delete all NFS network mount points
# -f Force delete NFS network mount points
my $command = "$system32_path/umount.exe -a -f";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to unmount Windows client NFS shares on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "unmounted Windows client NFS shares on $computer_name: '$command'\noutput:\n" . join("\n", @$output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_nfs_mounts_windows
Parameters : none
Returns :
Description : Retrieves all currently mounted NFS shares on the computer using
the Windows NFS client.
=cut
sub get_nfs_mounts_windows {
my $self = shift;
if (ref($self) !~ /VCL::Module/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_node_name();
my $command = "$system32_path/mount.exe";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve mounted Windows client NFS shares on $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'OK'}, 0, "retrieved mounted Windows client NFS shares on $computer_name, command: '$command', output:\n" . join("\n", @$output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_windows_features
Parameters : none
Returns : hash reference
Description : Retrieves a list of all features available on the Windows OS. If
called in scalar context, a hash reference is returned:
{
"Chess" => {
"State" => "Disabled"
},
"ClientForNFS-Infrastructure" => {
"State" => "Enabled"
},
...
}
If called in array context, an array of feature names is
returned:
(
Chess,
ClientForNFS-Infrastructure,
...
)
=cut
sub get_windows_features {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
notify($ERRORS{'DEBUG'}, 0, "retrieving Windows features on $computer_name");
my $command = "$system32_path/cmd.exe /c \"dism /online /get-features /format:table\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve feature info from $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return;
}
my $feature_info = {};
for my $line (@$output) {
# Line format:
# FreeCell | Disabled
my ($feature_name, $state) = $line =~ /^(\S+)\s+.*(Enabled|Disabled)\s*$/i;
if (defined($feature_name) && defined($state)) {
$feature_info->{$feature_name}{State} = $state;
}
}
if (!keys(%$feature_info)) {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve feature info from $computer_name, failed to parse any feature names and states from output:\n" . join("\n", @$output));
return;
}
if (wantarray) {
my @feature_names = sort { lc($a) cmp lc($b) } keys %$feature_info;
notify($ERRORS{'DEBUG'}, 0, "retrieved feature info from $computer_name, returning array:\n" . join("\n", @feature_names));
return $feature_info;
}
else {
notify($ERRORS{'DEBUG'}, 0, "retrieved feature info from $computer_name, returning hash reference:\n" . format_data($feature_info));
return $feature_info;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_windows_feature_info
Parameters : $feature_name
Returns : hash reference
Description : Retrieves info for a single Windows feature and constructs a
hash:
{
"Description" => "Install the .NET Environment for supporting managed code activation",
"Display Name" => ".NET Environment",
"Feature Name" => "WAS-NetFxEnvironment",
"Restart Required" => "Possible",
"State" => "Enabled"
}
=cut
sub get_windows_feature_info {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $feature_name = shift;
if (!$feature_name) {
notify($ERRORS{'WARNING'}, 0, "feature name argument was not specified");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
notify($ERRORS{'DEBUG'}, 0, "retrieving info for Windows feature on $computer_name: $feature_name");
my $command = "$system32_path/cmd.exe /c \"DISM.exe /Online /Get-FeatureInfo /FeatureName=$feature_name\"";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif (grep(/Feature name.*is unknown/, @$output)) {
# Feature name foo is unknown
notify($ERRORS{'OK'}, 0, "Windows feature is unknown on $computer_name: $feature_name, returning empty hash reference");
return {};
}
elsif ($exit_status ne '0') {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve feature info from $computer_name, exit status: $exit_status, command:\n$command\noutput:\n" . join("\n", @$output));
return;
}
my $feature_information_line_found = 0;
my $feature_info = {};
for my $line (@$output) {
if ($line !~ /\w/) {
next;
}
elsif (!$feature_information_line_found) {
# Ignore all lines until a 'Feature Information:' line is found
if ($line =~ /Feature Information:/) {
$feature_information_line_found = 1;
}
next;
}
# Line format:
# Display Name : Windows Media Player
my ($property, $value) = $line =~ /^(\w.*\S)\s+:\s+(\S.*)$/i;
if (defined($property) && defined($value)) {
$feature_info->{$property} = $value;
}
else {
notify($ERRORS{'DEBUG'}, 0, "line does not contain property:value: '$line'");
}
}
if (keys(%$feature_info)) {
notify($ERRORS{'DEBUG'}, 0, "retrieved Windows feature info from $computer_name: $feature_name\n" . format_data($feature_info));
return $feature_info;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to retrieve Windows feature info from $computer_name: $feature_name, failed to parse any properties from output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 is_windows_feature_enabled
Parameters : $feature_name
Returns : boolean
Description : Determines whether or not a Windows feature such as the NFS
client is enabled.
=cut
sub is_windows_feature_enabled {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $feature_name = shift;
if (!$feature_name) {
notify($ERRORS{'WARNING'}, 0, "feature name argument was not specified");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $feature_info = $self->get_windows_feature_info($feature_name) || return;
if (!keys(%$feature_info)) {
notify($ERRORS{'DEBUG'}, 0, "Windows feature is NOT enabled on $computer_name because the feature is unknown: $feature_name");
return 0;
}
elsif (!defined($feature_info->{State})) {
notify($ERRORS{'WARNING'}, 0, "failed to determine if Windows feature is enabled on $computer_name: $feature_name, feature info does not contain a 'State' key:\n" . format_data($feature_info));
return;
}
my $state = $feature_info->{State};
if ($state =~ /Enabled/i) {
notify($ERRORS{'DEBUG'}, 0, "Windows feature is enabled on $computer_name: $feature_name");
return 1;
}
else {
notify($ERRORS{'DEBUG'}, 0, "Windows feature is NOT enabled on $computer_name: $feature_name");
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 enable_windows_feature
Parameters : $feature_name
Returns : boolean
Description : Enables a Windows feature. This will also recursively enable any
parent features which must be enabled before the feature
specified by the argument can be enabled.
=cut
sub enable_windows_feature {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($feature_name, $no_recurse) = @_;
if (!$feature_name) {
notify($ERRORS{'WARNING'}, 0, "feature name argument was not specified");
return;
}
my $computer_name = $self->data->get_computer_node_name();
my $system32_path = $self->get_system32_path() || return;
my $log_path = "C:/Windows/Logs/DISM/$feature_name.log";
my $command = "$system32_path/cmd.exe /c \"DISM.exe /Online /Enable-Feature /FeatureName:$feature_name /NoRestart /LogPath=$log_path\"";
notify($ERRORS{'DEBUG'}, 0, "enabling Windows feature on $computer_name: $feature_name, command:\n$command");
my ($exit_status, $output) = $self->execute({
command => $command,
timeout_seconds => 120,
display_output => 0,
});
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command on $computer_name: $command");
return;
}
elsif (grep(/completed successfully/, @$output)) {
notify($ERRORS{'OK'}, 0, "enabled Windows feature on $computer_name: $feature_name");
return 1;
}
my $parent_feature_found = 0;
if (!$no_recurse) {
# Check if parent features need to be enabled first, line like this will exist:
# Ensure that the following parent feature(s) are enabled first
# IIS-Security, IIS-WebServer, IIS-WebServerRole
my $parent_feature_line_found = 0;
LINE: for my $line (@$output) {
if ($line !~ /\w/) {
next LINE;
}
elsif (!$parent_feature_line_found) {
if ($line =~ /Ensure that the following parent feature.*enabled first/) {
$parent_feature_line_found = 1;
}
next LINE;
}
# Stop checking if this line is found:
# The DISM log file can be found at C:\Windows\Logs\DISM\dism.log
if ($line =~ /DISM log file/) {
last LINE;
}
my @parent_feature_names = split(/,\s+/, $line);
if (@parent_feature_names) {
$parent_feature_found = 1;
notify($ERRORS{'DEBUG'}, 0, "parent Windows feature(s) need to be enabled before $feature_name can be enabled: " . join("\n", @parent_feature_names));
for my $parent_feature_name (@parent_feature_names) {
if (!$self->enable_windows_feature($parent_feature_name)) {
notify($ERRORS{'WARNING'}, 0, "failed to enable Windows feature on $computer_name: $feature_name, failed to enable parent feature: $parent_feature_name");
return;
}
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "line does not appear to contain the name of a parent feature: '$line'");
next LINE;
}
}
}
# Check if any parent features were found which need to be enabled first
# If not, failed to enable feature for some other reason
if ($parent_feature_found) {
# Make one more attempt to enable the feature, do not attempt to install parent features again ($no_recurse = 1)
return $self->enable_windows_feature($feature_name, 1);
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to enable Windows feature on $computer_name: $feature_name, exit status: $exit_status, command: '$command', output:\n" . join("\n", @$output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_powershell_command
Parameters : $powershell_script_contents, $display_output (optional), $encode_command (optional)
Returns : array ($exit_status, $output)
Description : Runs Powershell code as a command.
=cut
sub run_powershell_command {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($powershell_command_argument, $display_output, $encode_command) = @_;
if (!$powershell_command_argument) {
notify($ERRORS{'WARNING'}, 0, "powershell script contents argument was not supplied");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_short_name();
# -Version Starts the specified version of Windows PowerShell
# -NoLogo Hides the copyright banner at startup
# -NoExit Does not exit after running startup commands
# -Sta Start the shell using a single-threaded apartment
# -NoProfile Does not use the user profile
# -NonInteractive Does not present an interactive prompt to the user.
# -InputFormat Valid values are "Text" (text strings) or "XML"
# -OutputFormat Valid values are "Text" (text strings) or "XML"
# -EncodedCommand Accepts a base-64-encoded string version of a command
# -File Execute a script file.
# -ExecutionPolicy Sets the default execution policy for the session
# -Command Executes the specified commands
#my $command = "$system32_path/WindowsPowerShell/v1.0/powershell.exe -NoLogo -NoProfile -NonInteractive";
my $command;
$command .= 'cmd.exe /c "';
$command .= "$system32_path/WindowsPowerShell/v1.0/powershell.exe -NoLogo -NoProfile -NonInteractive";
if ($encode_command) {
# Use the -EncodedCommand argument to avoid the need to escape various special characters
# The 2nd argument to encode_base64 needs to be an empty string or else it will break the encoded string up into 76 character lines
my $powershell_command_encoded = encode_base64(encode("UTF-16LE", $powershell_command_argument), "");
#$command .= " -InputFormat Text";
$command .= " -OutputFormat Text";
$command .= " -EncodedCommand $powershell_command_encoded";
}
else {
# Replace newlines with semicolon
$powershell_command_argument =~ s/[\n\r]+/ ; /g;
# Clean up semicolons
$powershell_command_argument =~ s/\s+;[\s;]*/ ; /g;
# Remove semicolons from before and after curly brackets
$powershell_command_argument =~ s/[\s;]*([{}])[\s;]*/ $1 /g;
#$powershell_command_argument .= ' ; [Environment]::Exit(!\$?)';
$command .= " -Command \\\"$powershell_command_argument\\\"";
}
$command .= ' < NUL"';
notify($ERRORS{'DEBUG'}, 0, "attempting to run PowerShell command on $computer_name:\n$command") if $display_output;
my ($exit_status, $output) = $self->execute({
command => $command,
display_output => 0,
timeout_seconds => 30,
#no_persistent_connection => 1,
max_attempts => 1,
});
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to run PowerShell command on $computer_name");
return;
}
else {
notify($ERRORS{'OK'}, 0, "ran PowerShell command on $computer_name, exit status: $exit_status, command: '$command', output:\n" . join("\n", @$output)) if $display_output;
return ($exit_status, $output);
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 run_powershell_as_script
Parameters : $powershell_script_contents, $display_output (optional), $retain_script_file (optional)
Returns : array ($exit_status, $output)
Description : Accepts a string containing the contents of a Powershell script,
creates the script on the computer under C:\cygwin\VCL\Scripts,
and executes the script. The script is named after the calling
subroutine, so ad_join_ps.ps1 would be generated when invoked from
ad_join_ps().
By default, the script file is deleted after it is executed for
safety. This can be overridden if the $retain_script_file
argument is true.
=cut
sub run_powershell_as_script {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($script_contents_argument, $display_output, $retain_script_file) = @_;
if (!$script_contents_argument) {
notify($ERRORS{'WARNING'}, 0, "powershell script contents argument was not supplied");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $computer_name = $self->data->get_computer_short_name();
# Figure out the script location
my $node_configuration_directory = $self->get_node_configuration_directory();
my $calling_subroutine = get_calling_subroutine();
$calling_subroutine =~ s/.*:://g;
my $powershell_script_path = "$node_configuration_directory/Scripts/$calling_subroutine.ps1";
# Remove trailing newlines and blank lines
$script_contents_argument =~ s/[\r\n]+$//g;
# Create copy of script contents, use this for execution, copied in case transformations need to be made in the future
my $script_contents = $script_contents_argument;
$self->create_text_file($powershell_script_path, $script_contents);
# Running Powershell scripts/commands via Cygwin has issues because Powershell.exe does screwy things with the terminal
# If OS.pm::execute_new is used (persistent SSH connection), script hangs if
# run normally and does not exit with [Environment]::Exit(x)
# Using run_ssh_command fails to determine the correct exit status but does not hang regardless of how script exits.
# Wrapping the script in cmd.exe /c "... < NUL" seems to prevent execute_new from hanging and the exit status is correct
my $command;
$command .= 'cmd.exe /c "';
$command .= "$system32_path/WindowsPowerShell/v1.0/powershell.exe -NoLogo -NoProfile -NonInteractive -ExecutionPolicy Bypass -File $powershell_script_path";
$command .= ' < NUL"';
notify($ERRORS{'DEBUG'}, 0, "attempting to execute PowerShell script: $powershell_script_path, contents:\n$script_contents") if $display_output;
my ($exit_status, $output) = $self->execute({
command => $command,
display_output => 1,
timeout_seconds => 60,
#no_persistent_connection => 1,
max_attempts => 1,
});
# Delete the script file unless retain flag was specified
if ($retain_script_file) {
notify($ERRORS{'DEBUG'}, 0, "script NOT deleted because \$retain_script_file argument was specified");
# TODO: add subs to correctly set Windows file permissions
# Open up permissions so Powershell file can easily be debugged on the Windows computer by users other than root
$self->execute("chmod -v 777 `cygpath \"$powershell_script_path\"`", 1);
}
else {
$self->delete_file($powershell_script_path);
}
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to run PowerShell commands as script on $computer_name");
return;
}
else {
notify($ERRORS{'OK'}, 0, "ran PowerShell commands as script on $computer_name, exit status: $exit_status, command: '$command', script contents:\n$script_contents_argument\noutput:\n" . join("\n", @$output)) if $display_output;
return ($exit_status, $output);
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 powershell_command_exists
Parameters : $powershell_command
Returns : boolean
Description : Checks if a PowerShell command or cmdlets exists on the computer.
=cut
sub powershell_command_exists {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $powershell_command_argument = shift;
if (!$powershell_command_argument) {
notify($ERRORS{'WARNING'}, 0, "powershell command argument was not supplied");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $powershell_command = "Get-Command $powershell_command_argument | Format-List Name";
my ($exit_status, $output) = $self->run_powershell_command($powershell_command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if '$powershell_command' PowerShell command exists on $computer_name");
return;
}
elsif (grep(/(NotFound)/, @$output)) {
notify($ERRORS{'DEBUG'}, 0, "PowerShell command does NOT exist on $computer_name: $powershell_command_argument, output:\n" . join("\n", @$output));
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "PowerShell command exists on $computer_name: $powershell_command_argument, output:\n" . join("\n", @$output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 get_ad_computer_ou_dn
Parameters : none
Returns : boolean
Description : Converts an OU path as displayed on the Object tab when viewing
an OU's properties in the Active Directory Users and Computers
tool from:
my.ad.domain/Org/Unit/ComputerOU
To:
OU=ComputerOU,OU=Unit,OU=Org,DC=domain,DC=ad,DC=my
=cut
sub get_ad_computer_ou_dn {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $domain_dns_name = $self->data->get_image_domain_dns_name();
# Accepts a $computer_ou argument but should only be used for testing
my $computer_ou = shift || $self->data->get_image_domain_base_ou();
my $computer_ou_original = $computer_ou;
if (!defined($domain_dns_name)) {
notify($ERRORS{'WARNING'}, 0, "AD domain DNS name is not configured");
return;
}
elsif (!defined($computer_ou)) {
notify($ERRORS{'DEBUG'}, 0, "AD domain computer OU is not configured");
return;
}
# Possible cases:
# OU=ComputerOU,OU=VCL,DC=my,DC=ad,DC=domain
# OU=ComputerOU,OU=VCL
# ComputerOU,VCL
# ComputerOU
# my.ad.domain/VCL/ComputerOU
# VCL/ComputerOU
# OU can either contain commas or slashes but not both - determines which order to put OU parts back together in
if ($computer_ou =~ /,/ && $computer_ou =~ /\//) {
notify($ERRORS{'WARNING'}, 0, "invalid AD OU, it can't contain both a comma and slash: $computer_ou");
return;
}
# Remove domain DN section if it was specified for the image
$computer_ou =~ s/,DC=.*//g;
# Strip out OU= parts, will be added later
$computer_ou =~ s/\s*OU=//g;
# Assemble the domain part of the DN based on the domain DNS name
my @domain_parts = split(/\./, $domain_dns_name);
my $domain_section = "DC=" . join(",DC=", @domain_parts);
# Check which order the OU parts should be reassembled in
my @ou_parts;
if ($computer_ou =~ /\//) {
# my.ad.domain/VCL/ComputerOU
# VCL/ComputerOU
@ou_parts = reverse split(/\/+/, $computer_ou);
# Check if last part contains a period, if so, strip it
if ($ou_parts[-1] =~ /\./) {
pop @ou_parts;
}
}
else {
@ou_parts = split(/,+/, $computer_ou);
}
my $ou_section = "OU=" . join(",OU=", @ou_parts);
my $dn = "$ou_section,$domain_section";
notify($ERRORS{'DEBUG'}, 0, "converted computer OU to DN: $computer_ou_original --> $dn");
return $dn;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_join_prepare
Parameters : none
Returns : boolean
Description : Performs tasks necessary prior to joining a computer to an Active
Directory domain:
* Ensures the 'TCP NetBIOS helper' service is started
* Sets static DNS servers if configured for the domain
* Deletes existing matching computer objects
=cut
sub ad_join_prepare {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Enable and start the TCP NetBIOS helper service
$self->set_service_startup_mode('lmhosts', 'auto');
$self->start_service('lmhosts');
# Set specific DNS servers for private and public interfaces if DNS servers are configured
$self->set_static_dns_servers();
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 node_status_os_check
Parameters : none
Returns : boolean
Description : Called from provisioning module's node_status subroutine. This
checks if the loaded computer's Active Directory configuration is
correct if image is configured to join an AD domain.
=cut
sub node_status_os_check {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Check if computer AD configuration is correct if image is configured for AD
# Returning false indicates AD configuration could not be corrected and calling subroutine should reload the computer
return $self->ad_check();
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_check
Parameters : none
Returns : boolean
Description : Checks if the computer is joined to an Active Directory domain
and located in the correct OU.
=cut
sub ad_check {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $image_domain_dns_name = $self->data->get_image_domain_dns_name();
# Check if the computer is joined to any AD domain
my $computer_current_domain_name = $self->ad_get_current_domain();
if (!$image_domain_dns_name) {
# Computer should NOT be joined to an AD domain
if (!$computer_current_domain_name) {
notify($ERRORS{'OK'}, 0, "image is not configured for Active Directory and $computer_name is not joined to a domain, returning 1");
return 1;
}
# Computer incorrectly joined to an AD domain, attempt to unjoin the domain
notify($ERRORS{'OK'}, 0, "$computer_name is joined to the $computer_current_domain_name domain but the image is not configured for Active Directory, attempting to unjoin the domain");
if ($self->ad_unjoin()) {
notify($ERRORS{'OK'}, 0, "image is not configured for Active Directory, unjoined $computer_name from $computer_current_domain_name domain, returning 1");
return 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "image is not configured for Active Directory, failed to unjoin $computer_name from $computer_current_domain_name domain, returning undefined");
return;
}
}
# Computer should be joined to AD domain
if (!$computer_current_domain_name) {
# Computer is not joined to an AD domain, return the result of attempting to join
notify($ERRORS{'OK'}, 0, "image is configured to join the $image_domain_dns_name domain, $computer_name is not joined to a domain, attempting to join the domain");
return $self->ad_join_ps();
}
# Computer is joined to an AD domain, check if it's in the correct domain
if ($computer_current_domain_name ne $image_domain_dns_name) {
# Computer is not joined to the correct domain, attempt to unjoin and then rejoin
notify($ERRORS{'DEBUG'}, 0, "$computer_name is joined to the $computer_current_domain_name domain, image is configured to join the $image_domain_dns_name, attempting to unjoin then join the correct domain");
if (!$self->ad_unjoin()) {
notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name, failed to unjoin $computer_name from the $computer_current_domain_name domain, returning undefined");
return;
}
elsif (!$self->ad_join_ps()) {
notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name, unjoined $computer_name from the incorrect $computer_current_domain_name domain but failed to rejoin the correct $image_domain_dns_name domain, returning undefined");
return;
}
else {
notify($ERRORS{'OK'}, 0, "unjoined $computer_name from the incorrect $computer_current_domain_name and rejoined to the correct domain: $image_domain_dns_name, returning 1");
return 1;
}
}
# Computer is joined to the correct AD domain, make sure computer object is in the correct OU
# Determine the OU configured for the image
my $image_ou_dn = $self->get_ad_computer_ou_dn();
if (!$image_ou_dn) {
notify($ERRORS{'WARNING'}, 0, "image is configured to join the $image_domain_dns_name domain but proper computer OU DN could not be determined, returning undefined");
return;
}
# Get the computer's current OU
my $computer_current_dn = $self->ad_search_computer();
if (!$computer_current_dn) {
notify($ERRORS{'WARNING'}, 0, "$computer_name is joined to the correct $computer_current_domain_name domain but current OU could not be determined, assuming computer object is in the correct OU, returning 1");
return 1;
}
# Extract the OU DN from the DN of the computer object
my ($computer_current_ou_dn) = $computer_current_dn =~ /^[^,]+,(OU=.+)$/;
if (!$computer_current_ou_dn) {
notify($ERRORS{'WARNING'}, 0, "$computer_name is joined to the correct $computer_current_domain_name domain but current OU DN could not be parsed from current computer object DN: '$computer_current_dn', assuming computer object is in the correct OU, returning 1");
return 1;
}
if ($computer_current_ou_dn =~ /^$image_ou_dn$/i) {
notify($ERRORS{'OK'}, 0, "$computer_name is joined to the correct domain and in the correct OU, returning 1:\n" .
"current domain: $computer_current_domain_name\n" .
"computer object OU: $computer_current_ou_dn"
);
return 1;
}
# Computer is in the wrong OU
notify($ERRORS{'OK'}, 0, "$computer_name is joined to the correct $computer_current_domain_name domain but located in the wrong OU, attempting to unjoin then rejoin the domain in the correct OU:\n" .
"OU configured for image : $image_ou_dn\n" .
"current computer object OU : $computer_current_ou_dn"
);
if (!$self->ad_unjoin()) {
notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from the $computer_current_domain_name domain in order to rejoin in the correct OU, returning undefined");
return;
}
elsif (!$self->ad_join_ps()) {
notify($ERRORS{'WARNING'}, 0, "failed to rejoin $computer_name to the correct OU in the $image_domain_dns_name domain: '$image_ou_dn', returning undefined");
return;
}
else {
notify($ERRORS{'OK'}, 0, "rejoined $computer_name to the correct OU in the $image_domain_dns_name domain: '$image_ou_dn', returning 1");
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_join_ps
Parameters : none
Returns : boolean
Description : Joins the computer to the Active Directory domain configured for
the image.
=cut
sub ad_join_ps {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Calculate how long the tasks take
my $start_time = time;
my $rename_computer_reboot_duration = 0;
my $ad_join_reboot_duration = 0;
my $computer_name = $self->data->get_computer_short_name();
my $image_name = $self->data->get_image_name();
my $image_domain_id = $self->data->get_image_domain_id();
my $domain_dns_name = $self->data->get_image_domain_dns_name();
my $domain_username = $self->data->get_image_domain_username();
my $domain_password = $self->data->get_image_domain_password();
my $computer_ou_dn = $self->get_ad_computer_ou_dn();
if (!defined($domain_dns_name)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, image $image_name is not assigned to a domain");
return;
}
elsif (!defined($domain_username)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, user name is not configured for $domain_dns_name domain");
return;
}
elsif (!defined($domain_password)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, password is not configured for $domain_dns_name domain");
return;
}
# Figure out/fix the computer OU and assemble optional section to add to PowerShell command
my $domain_computer_command_section = '';
if ($computer_ou_dn) {
$domain_computer_command_section = "-OUPath '$computer_ou_dn'";
}
my $domain_user_string = "$domain_username\@$domain_dns_name";
# Escape single quotes by doubling them
(my $domain_password_escaped = $domain_password) =~ s/(['])/$1$1/g;
notify($ERRORS{'DEBUG'}, 0, "attempting to join $computer_name to AD\n" .
"domain DNS name : $domain_dns_name\n" .
"domain user string : $domain_user_string\n" .
#"domain password : $domain_password (escaped: $domain_password_escaped)\n" .
"domain computer OU : " . ($computer_ou_dn ? $computer_ou_dn : '<not configured>')
);
# Perform preparation tasks
$self->ad_join_prepare() || return;
# Note: commented out because this isn't consistently working
# The rename occasionally fails with 'The directory service is busy.'
# Check if the computer needs to be renamed
#my $current_computer_hostname = $self->get_current_computer_hostname() || '<unknown>';
#if (lc($current_computer_hostname) ne lc($computer_name)) {
# notify($ERRORS{'DEBUG'}, 0, "$computer_name needs to be renamed, current hostname: '$current_computer_hostname'");
#
# # Check if computer supports PowerShell Rename-Computer cmdlet
# # If it does, computer can be renamed and joined to AD in 1 step with 1 reboot
# # Otherwise, computer name needs to be changed, rebooted, then added to AD
# my $powershell_supports_rename = $self->powershell_command_exists('Rename-Computer');
# if ($powershell_supports_rename) {
# $ad_powershell_script .= "Start-Sleep -Seconds 10\n";
# $ad_powershell_script .= "Rename-Computer -NewName $computer_name -DomainCredential \$ps_credential -Force -Verbose\n";
# }
# else {
# notify($ERRORS{'DEBUG'}, 0, "PowerShell version on $computer_name does NOT support Rename-Computer, renaming computer");
if (!$self->set_computer_hostname()) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, PowerShell version does NOT support Rename-Computer, failed to rename using traditional method");
return;
}
my $rename_computer_reboot_start = time;
if (!$self->reboot(300, 3, 1)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, failed to reboot computer after it was renamed");
return;
}
$rename_computer_reboot_duration = (time - $rename_computer_reboot_start);
# }
#}
# Need to make sure computer object with same name doesn't already exist
# If object exists in different OU, the following error will occur when attempting to join the domain:
# This command cannot be executed on target computer('<name>') due to following error: The account already exists.
# Don't bother moving existing objects
$self->ad_delete_computer();
# Assemble the PowerShell script
my $ad_powershell_script = <<EOF;
\$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size(5000, 500)
Clear-Host
\$username = '$domain_user_string'
\$password = '$domain_password_escaped'
Write-Host "username (between >*<): `n>\$username<`n"
\$ps_credential = New-Object System.Management.Automation.PsCredential(\$username, (ConvertTo-SecureString \$password -AsPlainText -Force))
Add-Computer -DomainName '$domain_dns_name' -Credential \$ps_credential $domain_computer_command_section -Verbose -ErrorAction Stop
EOF
# move and uncomment below line to above EOF to include decrypted password in output for debugging
#Write-Host "password (between >*<): `n>\$password<`n"
(my $sanitized_password = $domain_password_escaped) =~ s/./*/g;
(my $sanitized_script = $ad_powershell_script) =~ s/password = '.*'\n/password = '$sanitized_password'\n/;
notify($ERRORS{'DEBUG'}, 0, "attempting to join $computer_name to $domain_dns_name domain using PowerShell script:\n$sanitized_script");
my ($exit_status, $output) = $self->run_powershell_as_script($ad_powershell_script, 0, 0); # (path, show output, retain file)
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute PowerShell script to join $computer_name to Active Directory domain");
return;
}
# Success:
# WARNING: The changes will take effect after you restart the computer
# VCLV98-248.
# Possible errors:
# File C:\Users\Administrator\Desktop\ad_join_ps.ps1 cannot be loaded because
# the execution of scripts is disabled on this system. Please see "get-help
# about_signing" for more details.
# OU doesn't exist:
# Add-Computer : This command cannot be executed on target
# computer('VCLV98-248') due to following error: The system cannot find the
# file specified.
# Could happen if DNS isn't properly configured:
# This command cannot be executed on target computer('WIN7') due to following
# error: The specified domain either does not exist or could not be
# contacted.
# Computer already added to AD in another OU:
# Add-Computer : This command cannot be executed on target
# computer('VCLV98-247') due to following error: The account already exists.
my $reboot_after_join = 1;
if (grep(/(failed to join|error:|does not exist|cannot be loaded)/i, @$output)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, output:\n" . join("\n", @$output));
return 0;
}
elsif (grep(/already in that domain/i, @$output)) {
# Add-Computer : Cannot add computer '<hostname>' to domain '<domain DNS name>' because it is already in that domain.
notify($ERRORS{'OK'}, 0, "$computer_name is already joined to Active Directory domain, output:\n" . join("\n", @$output));
$reboot_after_join = 0;
}
else {
notify($ERRORS{'OK'}, 0, "executed PowerShell script to join $computer_name to Active Directory domain, output:\n" . join("\n", @$output));
}
if ($reboot_after_join) {
# Reboot, computer should be joined to AD with the correct hostname
# If computer had to be rebooted to be renamed, certain tasks in reboot() don't need to be performed again
# Set reboot()'s last $pre_configure flag accordingly
my $ad_join_reboot_pre_configure = ($rename_computer_reboot_duration ? 0 : 1);
my $ad_join_reboot_start = time;
if (!$self->reboot(300, 3, 1, $ad_join_reboot_pre_configure)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, failed to reboot computer after it joined the domain");
return;
}
$ad_join_reboot_duration = (time - $ad_join_reboot_start);
}
else {
notify($ERRORS{'DEBUG'}, 0, "$computer_name does NOT need to be rebooted because it was already joined to the domain");
}
my $total_duration = (time - $start_time);
my $other_tasks_duration = ($total_duration - $rename_computer_reboot_duration - $ad_join_reboot_duration);
# Verify computer is now in the correct AD domain
my $current_domain = $self->ad_get_current_domain();
if (!$current_domain) {
notify($ERRORS{'WARNING'}, 0, "attempted to join $computer_name to $domain_dns_name domain but name of domain computer is currently joined to could not be retrieved, PowerShell script execution output:\n" . join("\n", @$output));
return;
}
elsif ($domain_dns_name !~ /^$current_domain/) {
notify($ERRORS{'WARNING'}, 0, "attempted to join $computer_name to $domain_dns_name domain but computer is currently joined to $current_domain domain, PowerShell script execution output:\n" . join("\n", @$output));
return;
}
else {
$self->set_current_image_tag('addomain_id', $image_domain_id);
notify($ERRORS{'DEBUG'}, 0, "successfully joined $computer_name to Active Directory domain: $domain_dns_name, time statistics:\n" .
"computer rename reboot : $rename_computer_reboot_duration seconds\n" .
"AD join reboot : $ad_join_reboot_duration seconds\n" .
"other tasks : $other_tasks_duration seconds\n" .
"-------------------------------------\n" .
"total : $total_duration seconds"
);
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_join_wmic
Parameters : none
Returns : boolean
Description : Joins the computer to the Active Directory domain configured for
the image using the wmic.exe utility as opposed to a PowerShell
script.
=cut
sub ad_join_wmic {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# Calculate how long the tasks take
my $start_time = time;
my $rename_computer_reboot_duration = 0;
my $ad_join_reboot_duration = 0;
my $computer_name = $self->data->get_computer_node_name();
my $image_name = $self->data->get_image_name();
my $system32_path = $self->get_system32_path() || return;
my $domain_dns_name = $self->data->get_image_domain_dns_name();
my $domain_username = $self->data->get_image_domain_username();
my $domain_password = $self->data->get_image_domain_password();
my $computer_ou_dn = $self->get_ad_computer_ou_dn();
if (!defined($domain_dns_name)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, image $image_name is not assigned to a domain");
return;
}
elsif (!defined($domain_username)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, user name is not configured for $domain_dns_name domain");
return;
}
elsif (!defined($domain_password)) {
notify($ERRORS{'WARNING'}, 0, "unable to add $computer_name to AD, password is not configured for $domain_dns_name domain");
return;
}
if ($computer_ou_dn) {
# OU=testOU,DC=domain,DC=Domain,DC=com --> OU=testOU; DC=domain; DC=Domain; DC=com
$computer_ou_dn =~ s/\s*,\s*/; /g;
}
my $domain_password_escaped = quotemeta($domain_password);
# Check if the computer needs to be renamed
my $current_computer_hostname = $self->get_current_computer_hostname() || '<unknown>';
if (lc($current_computer_hostname) ne lc($computer_name)) {
notify($ERRORS{'DEBUG'}, 0, "$computer_name needs to be renamed, current hostname: '$current_computer_hostname'");
if (!$self->set_computer_hostname()) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, PowerShell version does NOT support Rename-Computer, failed to rename using traditional method");
return;
}
my $rename_computer_reboot_start = time;
if (!$self->reboot(300, 3, 1)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, failed to reboot computer after it was renamed");
return;
}
$rename_computer_reboot_duration = (time - $rename_computer_reboot_start);
}
$self->ad_delete_computer();
my $error_messages = {
5 => 'Access is denied',
53 => 'Network path not found',
87 => 'The parameter is incorrect',
110 => 'The system cannot open the specified object',
1323 => 'Unable to update the password',
1332 =>'No mapping between account names and security IDs was done',
1326 => 'Logon failure: unknown username or bad password',
1355 => 'The specified domain either does not exist or could not be contacted',
1909 => 'User account locked out',
2224 => 'The account already exists',
2691 => 'The machine is already joined to the domain',
2692 => 'The machine is not currently joined to a domain',
2695 => 'The specified workgroup name is invalid',
2697 => 'The specified computer account could not be found',
8206 => 'The directory service is busy',
};
# Perform preparation tasks
$self->ad_join_prepare() || return;
# NETSETUP_JOIN_DOMAIN 1 (0x00000001) - Join domain. If not specified, joins workgroup.
# NETSETUP_ACCT_CREATE 2 (0x00000002) - Create domain computer account
# NETSETUP_DOMAIN_JOIN_IF_JOINED 32 (0x00000020) - Join domain if computer is already joined to a domain.
# NETSETUP_DEFER_SPN_SET 256 (0x00000100) - Don't update service principal name (SPN) and the DnsHostName properties on the computer. They should be updated in a subsequent call to Rename
# NETSETUP_JOIN_WITH_NEW_NAME 512 (0x00000400) -
my $join_options = 0;
$join_options += 1;
$join_options += 2;
#$join_options += 32;
#$join_options += 256;
#$join_options += 512;
# Assemble the join command
# Name - domain or workgroup to join
# Password
# UserName - NetBIOS name Domain\sAMAccountName or user principal name: username@domain.
# AccountOU - format: "OU=testOU; DC=domain; DC=Domain; DC=com"
# FJoinOptions - join option bit flags, (0) Default. No join options.
my $join_command = 'echo | cmd.exe /c "';
$join_command .= "$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF ComputerSystem WHERE Name=\\\"%COMPUTERNAME%\\\" Call JoinDomainOrWorkgroup";
$join_command .= " Name=$domain_dns_name";
$join_command .= " UserName=\\\"$domain_username\@$domain_dns_name\\\"";
$join_command .= " Password=\"$domain_password_escaped\"";
$join_command .= " AccountOU=\\\"$computer_ou_dn\\\"" if ($computer_ou_dn);
$join_command .= " FjoinOptions=$join_options";
$join_command .= '"';
notify($ERRORS{'DEBUG'}, 0, "attempting to join $computer_name to Active Directory domain $domain_dns_name using wmic.exe, command:\n$join_command");
my ($join_exit_status, $join_output) = $self->execute($join_command);
if (!defined($join_output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to execute command to join $computer_name to Active Directory domain $domain_dns_name using wmic.exe");
return;
}
# Executing (\\WIN7\ROOT\CIMV2:Win32_ComputerSystem.Name="WIN7")->JoinDomainOrWorkgroup()
# Method execution successful.
# Out Parameters:
# instance of __PARAMETERS
# {
# ReturnValue = 0;
# };
my $join_output_string = join("\n", @$join_output);
my ($join_return_value) = $join_output_string =~ /ReturnValue = (\d+);/;
if (!defined($join_return_value)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain $domain_dns_name using wmic.exe, output does not contain 'ReturnValue =':\n$join_output_string");
return;
}
elsif ($join_return_value == 0) {
notify($ERRORS{'OK'}, 0, "joined $computer_name to Active Directory domain $domain_dns_name using wmic.exe");
}
elsif (my $error_message = $error_messages->{$join_return_value}) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain $domain_dns_name using wmic.exe, reason: $error_message\noutput:\n$join_output_string");
return;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain $domain_dns_name using wmic.exe for an unknown reason, to troubleshoot, search the web for 'wmic.exe ComputerSystem JoinDomainOrWorkgroup ReturnValue $join_return_value', output:\n$join_output_string");
return;
}
# Reboot, computer should be joined to AD with the correct hostname
# If computer had to be rebooted to be renamed, certain tasks in reboot() don't need to be performed again
# Set reboot()'s last $pre_configure flag accordingly
my $ad_join_reboot_pre_configure = ($rename_computer_reboot_duration ? 0 : 1);
my $ad_join_reboot_start = time;
if (!$self->reboot(300, 3, 1, $ad_join_reboot_pre_configure)) {
notify($ERRORS{'WARNING'}, 0, "failed to join $computer_name to Active Directory domain, failed to reboot computer after it joined the domain");
return;
}
$ad_join_reboot_duration = (time - $ad_join_reboot_start);
my $total_duration = (time - $start_time);
my $other_tasks_duration = ($total_duration - $rename_computer_reboot_duration - $ad_join_reboot_duration);
notify($ERRORS{'DEBUG'}, 0, "successfully joined $computer_name to Active Directory domain: $domain_dns_name, time statistics:\n" .
"computer rename reboot : $rename_computer_reboot_duration seconds\n" .
"AD join reboot : $ad_join_reboot_duration seconds\n" .
"other tasks : $other_tasks_duration seconds\n" .
"total : $total_duration seconds"
);
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_unjoin
Parameters : none
Returns : boolean
Description : Unjoins the computer from the Active Directory domain by
attempting to add the computer to a workgroup named 'VCL'. If
successful, the computer object is deleted from the domain.
=cut
sub ad_unjoin {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $image_name = $self->data->get_image_name();
my $system32_path = $self->get_system32_path() || return;
my $computer_current_domain = $self->ad_get_current_domain();
if (!$computer_current_domain) {
notify($ERRORS{'DEBUG'}, 0, "$computer_name does not need to be removed from AD because it is not currently joined to a domain");
return 1;
}
# check that node is not a domain controller
my $check_dc = $self->ad_check_domain_controller();
if (!defined($check_dc) || $check_dc == 0) {
# if call to ad_check_domain_controller fails, still attempt to
# delete from domain; unusual for node to be a domain controller
notify($ERRORS{'DEBUG'}, 0, "attempting to delete computer from domain");
}
elsif ($check_dc == 1) {
notify($ERRORS{'DEBUG'}, 0, "computer is a domain controller, not attempting to delete computer from its own domain");
return 1;
}
# Expected output:
# Executing (\\<COMPUTERNAME>\ROOT\CIMV2:Win32_ComputerSystem.Name="<COMPUTERNAME>")->UnJoinDomainOrWorkgroup()
# Method execution successful.s
# Out Parameters:
# instance of __PARAMETERS
# {
# ReturnValue = 0;
# };
# Assemble the unjoin command
my $unjoin_command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF COMPUTERSYSTEM WHERE Name=\\\"%COMPUTERNAME%\\\" Call UnJoinDomainOrWorkgroup FUnjoinOptions=0\"";
notify($ERRORS{'DEBUG'}, 0, "attempting to unjoin $computer_name from $computer_current_domain Active Directory domain");
my ($unjoin_exit_status, $unjoin_output) = $self->execute($unjoin_command);
if (!defined($unjoin_output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to execute command to unjoin the $computer_current_domain Active Directory domain");
return;
}
elsif (grep(/ERROR/i, @$unjoin_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_current_domain Active Directory domain, output:\n" . join("\n", @$unjoin_output));
return;
}
elsif (grep(/ReturnValue\s+=\s+[1-9]/i, @$unjoin_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_current_domain Active Directory domain, return value is not 0, output:\n" . join("\n", @$unjoin_output));
return;
}
elsif (grep(/Method execution successful/i, @$unjoin_output)) {
notify($ERRORS{'OK'}, 0, "unjoined $computer_current_domain Active Directory domain, output:\n" . join("\n", @$unjoin_output));
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output unjoining $computer_current_domain Active Directory domain, output:\n" . join("\n", @$unjoin_output));
}
# Assemble the join workgroup command
my $join_workgroup_command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF COMPUTERSYSTEM WHERE Name=\\\"%COMPUTERNAME%\\\" Call JoinDomainOrWorkgroup name=VCL\"";
my ($join_workgroup_exit_status, $join_workgroup_output) = $self->execute($join_workgroup_command);
if (!defined($join_workgroup_output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to execute command to join workgroup");
return;
}
elsif (grep(/ERROR/i, @$join_workgroup_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to join workgroup, output:\n" . join("\n", @$join_workgroup_output));
}
elsif (grep(/ReturnValue\s+=\s+[1-9]/i, @$join_workgroup_output)) {
notify($ERRORS{'WARNING'}, 0, "failed to join workgroup, return value is not 0, output:\n" . join("\n", @$join_workgroup_output));
}
elsif (grep(/Method execution successful/i, @$join_workgroup_output)) {
notify($ERRORS{'OK'}, 0, "joined workgroup, output:\n" . join("\n", @$join_workgroup_output));
}
else {
notify($ERRORS{'WARNING'}, 0, "unexpected output joining workgroup, output:\n" . join("\n", @$join_workgroup_output));
}
if (!$self->reboot(300, 3, 1)) {
notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from Active Directory domain, failed to reboot computer after unjoining domain");
return;
}
# Verify the computer no longer is joined to a domain
my $new_computer_current_domain = $self->ad_get_current_domain();
if ($new_computer_current_domain) {
notify($ERRORS{'WARNING'}, 0, "failed to unjoin $computer_name from Active Directory domain, it appears to still be a member of the $new_computer_current_domain domain");
return;
}
#if (!defined($domain_dns_name)) {
# notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, image $image_name is not assigned to a domain");
# return;
#}
#elsif (!defined($domain_username)) {
# notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, user name is not configured for $domain_dns_name domain");
# return;
#}
#elsif (!defined($domain_password)) {
# notify($ERRORS{'WARNING'}, 0, "unable to remove $computer_name from AD, password is not configured for $domain_dns_name domain");
# return;
#}
# # Assemble the PowerShell script
# my $ad_powershell_script = <<EOF;
#\$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size(5000, 500)
#\$ps_credential = New-Object System.Management.Automation.PsCredential("$domain_username\@$domain_dns_name", (ConvertTo-SecureString "$domain_password" -AsPlainText -Force))
#try {
# Add-Computer -WorkgroupName VCL -Credential \$ps_credential -ErrorAction Stop
#}
#catch {
# Write-Host "ERROR: failed to add computer to workgroup, error: \$(\$_.Exception.Message)"
# exit 1
#}
#EOF
#
# my ($exit_status, $output) = $self->run_powershell_as_script($ad_powershell_script, 0, 0);
# if (!defined($output)) {
# notify($ERRORS{'WARNING'}, 0, "failed to execute PowerShell script to remove $computer_name from Active Directory domain");
# return;
# }
# elsif (grep(/ERROR/, @$output)) {
# # Computer object was already or deleted or can't be found for some reason:
# # This command cannot be executed on target computer('') due to following error: No mapping between account names and security IDs was done.
# if (grep(/No mapping between account names/, @$output)) {
# notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory domain, the computer object may have been deleted from the domain, output:\n" . join("\n", @$output));
# }
# else {
# notify($ERRORS{'WARNING'}, 0, "failed to remove $computer_name from Active Directory domain, output:\n" . join("\n", @$output));
# }
# return 0;
# }
#
# notify($ERRORS{'OK'}, 0, "removed $computer_name from Active Directory domain, output:\n" . join("\n", @$output));
$self->ad_delete_computer();
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_get_current_domain
Parameters : none
Returns : boolean
Description : Checks if the computer is joined to any Active Directory domain.
Returns the following:
* undefined - Error occurred, unable to determine if computer is
joined to a domain.
* 0 - Computer is not joined to a domain.
* string - Computer is joined to a domain. The domain name is
returned.
* 1 - Computer is joined to a domain but the domain name could
not be determined.
=cut
sub ad_get_current_domain {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $computer_name = $self->data->get_computer_short_name();
my $system32_path = $self->get_system32_path() || return;
my $command = "echo | $system32_path/Wbem/wmic.exe COMPUTERSYSTEM GET PartOfDomain,Domain /FORMAT:LIST";
my ($exit_status, $output) = $self->execute($command);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute command to determine if $computer_name is joined to a domain: $command");
return;
}
my ($part_of_domain_line) = grep(/^PartOfDomain/i, @$output);
if (!$part_of_domain_line) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if $computer_name is joined to a domain, output does not contain a 'PartOfDomain' line:\n" . join("\n", @$output));
return;
}
elsif ($part_of_domain_line =~ /FALSE/i) {
notify($ERRORS{'DEBUG'}, 0, "$computer_name is NOT joined to a domain, output:\n" . join("\n", @$output));
return 0;
}
my ($domain_line) = grep(/^Domain/i, @$output);
my ($domain_name) = $domain_line =~ /Domain=(.+)/;
if ($domain_name) {
notify($ERRORS{'DEBUG'}, 0, "$computer_name is joined to a domain, returning '$domain_name'\n" . join("\n", @$output));
return $domain_name;
}
else {
notify($ERRORS{'WARNING'}, 0, "$computer_name is joined to a domain but 'Domain=' line could not be parsed from the output, returning 1:\n" . join("\n", @$output));
return 1;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_search
Parameters : $ldap_filter_argument, $attempt_limit (optional)
Returns : array
Description : Searches for a contain or object in Active Directory based on the
argument hash reference. The keys of the argument represent LDAP
attributes.
By default, up to 3 attempts will be made if the search fails.
This is mainly done to overcome an issue during the reserve()
sequence if static IP addresses are used. After the static IP is
set on the AD-joined computer, there is a brief delay before DNS
resolution works properly. As a result, the first AD search often
fails.
=cut
sub ad_search {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $arguments = shift;
my $computer_name = $self->data->get_computer_short_name();
my $ldap_filter_argument = $arguments->{ldap_filter};
if (!defined($ldap_filter_argument)) {
notify($ERRORS{'WARNING'}, 0, "LDAP filter hash reference argument was not supplied");
return;
}
elsif (!ref($ldap_filter_argument) || ref($ldap_filter_argument) ne 'HASH') {
notify($ERRORS{'WARNING'}, 0, "LDAP filter argument is not a hash reference:\n" . format_data($ldap_filter_argument));
return;
}
elsif (!scalar(keys %$ldap_filter_argument)) {
notify($ERRORS{'WARNING'}, 0, "empty LDAP FILTER hash reference argument was supplied");
return;
}
elsif (!defined($ldap_filter_argument->{objectClass})) {
# Make sure objectClass was specified
notify($ERRORS{'WARNING'}, 0, "LDAP FILTER hash reference argument does not contain an objectClass value:\n" . format_data($ldap_filter_argument));
return;
}
elsif ($ldap_filter_argument->{objectClass} !~ /^(computer|organizationalUnit|user)$/) {
notify($ERRORS{'WARNING'}, 0, "LDAP FILTER objectClass value not allowed: " . $ldap_filter_argument->{objectClass});
return;
}
my $domain_dns_name;
my $domain_username;
my $domain_password;
my $image_domain_dns_name = $self->data->get_image_domain_dns_name(0) || '';
if (defined($arguments->{domain_dns_name})) {
$domain_dns_name = $arguments->{domain_dns_name};
$domain_username = $arguments->{domain_username};
$domain_password = $arguments->{domain_password};
if (!defined($domain_username) || !defined($domain_password)) {
notify($ERRORS{'WARNING'}, 0, "unable to search domain: $domain_dns_name, domain DNS name argument was specified but credentials could not be determined");
return;
}
}
else {
$domain_dns_name = $self->data->get_image_domain_dns_name();
$domain_username = $self->data->get_image_domain_username();
$domain_password = $self->data->get_image_domain_password();
}
if (!defined($domain_dns_name)) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if AD object exists on $computer_name, domain DNS name is not configured for the image and was not passed as an argument");
return;
}
elsif (!defined($domain_username)) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if AD object exists on $computer_name, user name is not configured for $domain_dns_name domain");
return;
}
elsif (!defined($domain_password)) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if AD object exists on $computer_name, password is not configured for $domain_dns_name domain");
return;
}
my $attempt_limit = $arguments->{attempt_limit} || 3;
# This sub handles both search and delete under very strict conditions
# This is somewhat ugly but was done to reduce code duplication - especially with the Powershell below
my $operation;
my $calling_subroutine = get_calling_subroutine();
if ($calling_subroutine =~ /(ad_delete_computer)/) {
$operation = 'delete';
}
else {
$operation = 'search for';
}
my $search_attribute_count = scalar(keys %$ldap_filter_argument);
my $ldap_filter;
$ldap_filter .= '(&' if ($search_attribute_count > 1);
for my $attribute (keys %$ldap_filter_argument) {
my $value = $ldap_filter_argument->{$attribute};
$ldap_filter .= "($attribute=$value)";
}
$ldap_filter .= ')' if ($search_attribute_count > 1);
notify($ERRORS{'DEBUG'}, 0, "assembled LDAP filter: '$ldap_filter'");
my $domain_user_string = "$domain_username\@$domain_dns_name";
# Escape single quotes by doubling them
(my $domain_password_escaped = $domain_password) =~ s/(['])/$1$1/g;
my $delete = ($operation eq 'delete' ? 1 : 0);
# Assemble the PowerShell script
my $powershell_script_contents = <<EOF;
\$Host.UI.RawUI.BufferSize = New-Object Management.Automation.Host.Size(5000, 500)
Clear-Host
\$domain_dns_name = '$domain_dns_name'
\$domain_username = '$domain_user_string'
\$domain_password = '$domain_password_escaped'
\$ldap_filter = '$ldap_filter'
\$delete = '$delete'
Write-Host "domain: $domain_dns_name"
Write-Host "domain username (between >*<): >\$domain_username<"
EOF
# move and uncomment below line to above EOF to include decrypted password in output for debugging
#Write-Host "domain password (between >*<): >\$domain_password<"
$powershell_script_contents .= <<'EOF';
$type = [System.DirectoryServices.ActiveDirectory.DirectoryContextType]"Domain"
$directory_context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext($type, $domain_dns_name, $domain_username, $domain_password)
try {
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($directory_context)
}
catch {
if ($_.Exception.InnerException) {
$exception_message = $_.Exception.InnerException.Message
}
else {
$exception_message = $_.Exception.Message
}
Write-Host "ERROR: failed to connect to $domain_dns_name domain, username: $domain_username, error: $exception_message"
exit
}
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain.GetDirectoryEntry())
$searcher.filter = "$ldap_filter"
try {
$results = $searcher.FindAll()
# Try to output the results to catch this exception:
# An error occurred while enumerating through a collection: The <...> search filter is invalid.
$results | Out-Null
}
catch {
Write-Host "ERROR: failed to search for entries matching LDAP filter: --> '$ldap_filter', error: $($_.Exception.Message)"
exit 1
}
if ($delete -eq 1) {
Write-Host "delete true : $delete"
if ($results.Count -eq 0) {
Write-Host "no entries found to delete matching LDAP filter: '$ldap_filter'"
exit 0
}
elseif ($results.Count -gt 1) {
Write-Host "ERROR: delete not performed for safety, multiple entries found to delete matching LDAP filter: '$ldap_filter'`n$($results | Select -ExpandProperty Path | Out-String)"
exit 1
}
}
ForEach($result in $results) {
$entry = $result.GetDirectoryEntry();
$dn = $entry.distinguishedName
if ($delete -eq 1) {
Write-Host "attempting to delete entry: $dn"
try {
$entry.DeleteTree();
Write-Host "deleted entry: $dn"
}
catch {
Write-Host "ERROR: failed to delete entry: $dn, error: $($_.Exception.Message)"
exit 1
}
}
else {
Write-Host $dn
}
}
EOF
my ($exit_status, $output);
for (my $attempt=1; $attempt<=$attempt_limit; $attempt++) {
($exit_status, $output) = $self->run_powershell_as_script($powershell_script_contents, 0, 0);
if (!defined($output)) {
notify($ERRORS{'WARNING'}, 0, "failed to execute PowerShell script on $computer_name to $operation objects in $domain_dns_name AD domain matching LDAP filter: '$ldap_filter'");
return;
}
elsif (grep(/(WARNING:|ERROR:|exception)/i, @$output)) {
# Only display a warning on the last attempt
# Known issue, see comment in sub header
my $notify_type = ($attempt < $attempt_limit ? $ERRORS{'DEBUG'} : $ERRORS{'WARNING'});
notify($notify_type, 0, "attempt $attempt/$attempt_limit: failed to $operation objects on $computer_name in $domain_dns_name AD domain matching LDAP filter: '$ldap_filter', error occurred:\n" . join("\n", @$output));
}
else {
last;
}
return if $attempt == $attempt_limit;
}
if ($operation eq 'delete') {
notify($ERRORS{'OK'}, 0, "deleted objects on $computer_name in $domain_dns_name AD domain matching LDAP filter: '$ldap_filter', output:\n" . join("\n", @$output));
return 1;
}
my @matching_dns;
for my $line (@$output) {
next if ($line !~ /\w/);
# Remove leading and trailing spaces
$line =~ s/(^\s+|\s+$)//g;
if ($line =~ /^[A-Z]{2}=.+/i) {
push @matching_dns, $line;
}
elsif ($line !~ /^domain.*:/) {
notify($ERRORS{'WARNING'}, 0, "unexpected output found $operation objects on $computer_name in $domain_dns_name AD domain matching LDAP filter: '$ldap_filter':\n$line");
}
}
my $matching_count = scalar(@matching_dns);
if ($matching_count) {
notify($ERRORS{'OK'}, 0, "found $matching_count object" . ($matching_count > 1 ? 's' : '') . " matching LDAP filter in $domain_dns_name AD domain on $computer_name: '$ldap_filter'\n" . join("\n", sort @matching_dns));
}
else {
notify($ERRORS{'OK'}, 0, "object NOT found matching LDAP filter in $domain_dns_name AD domain on $computer_name: '$ldap_filter'");
}
return @matching_dns;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_delete_computer
Parameters : none
Returns : boolean
Description : Deletes a computer object from the active directory domain with a
sAMAccountName attribute matching the short name of the
reservation computer that is used.
=cut
sub ad_delete_computer {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
# static variable to track if function being call recursively
CORE::state $recursion = 0;
my $computer_samaccountname = $self->data->get_computer_short_name();
my ($domain_dns_name, $username, $decrypted_password);
my $return;
if($recursion == 0) {
($domain_dns_name, $username, $decrypted_password) = $self->data->get_domain_credentials();
}
else {
my $addomain_id = $self->get_current_image_tag('addomain_id');
$addomain_id =~ s/ \(.*$//;
if (!defined($addomain_id)) {
return 0;
}
($domain_dns_name, $username, $decrypted_password) = $self->data->get_domain_credentials($addomain_id);
}
if (!defined($domain_dns_name) || !defined($username) || !defined($decrypted_password)) {
notify($ERRORS{'WARNING'}, 0, "failed to get domain credentials for $computer_samaccountname");
if ($recursion == 0) {
$recursion = 1;
$return = $self->ad_delete_computer();
$recursion = 0;
return $return;
}
return;
}
$computer_samaccountname =~ s/\$*$/\$/g;
my $ad_search_arguments = {
'ldap_filter' => {
'objectClass' => 'computer',
'sAMAccountName' => $computer_samaccountname,
},
'domain_dns_name' => $domain_dns_name,
'domain_username' => $username,
'domain_password' => $decrypted_password,
};
#notify($ERRORS{'DEBUG'}, 0, "attempting to delete Active Directory computer object, arguments:\n" . format_data($ad_search_arguments));
$return = $self->ad_search($ad_search_arguments);
if ($return == 1) {
return 1;
}
elsif ($recursion == 1) {
return 0;
}
else {
notify($ERRORS{'DEBUG'}, 0, "Failed to delete computer from AD using AD domain info from image; trying again with info from currentimage.txt");
$recursion = 1;
$return = $self->ad_delete_computer();
$recursion = 0;
return $return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_search_computer
Parameters : $computer_samaccountname (optional), $domain_dns_name (optional)
Returns : string
Description : Checks if a computer exists in the Active Directory domain with a
sAMAccountName attribute matching the argument. If found, a
string containing the computer DN is returned.
=cut
sub ad_search_computer {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($computer_samaccountname, $domain_dns_name, $ad_search_arguments) = @_;
$computer_samaccountname = $self->data->get_computer_short_name() unless $computer_samaccountname;
# Make sure computer samAccountName does not contain a trailing dollar sign
# A dollar sign will be present if retrieved directly from AD
$computer_samaccountname =~ s/\$*$/\$/g;
$ad_search_arguments->{ldap_filter}{objectClass} = 'computer';
$ad_search_arguments->{ldap_filter}{sAMAccountName} = $computer_samaccountname;
# If a specific domain was specified, retrieve the username and password for that domain
if ($domain_dns_name) {
$ad_search_arguments->{domain_dns_name} = $domain_dns_name;
}
my @computer_dns = $self->ad_search($ad_search_arguments);
if (@computer_dns) {
return $computer_dns[0];
}
else {
return 0;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_search_ou
Parameters : $ou_identifier
Returns : array
Description : Checks if an OU exists in the Active Directory domain with a
matching the identifier argument. The identifier may either be
the short name of an OU:
'Test VMs'
Or the full distinguished name:
OU=Test VMs,OU=VCL,DC=ad,DC=example,DC=edu'
An array of matching DNs is returned.
=cut
sub ad_search_ou {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $ou_identifier = shift;
if (!defined($ou_identifier)) {
notify($ERRORS{'WARNING'}, 0, "OU identifier argument was not supplied");
return;
}
# Check if a DN or single name was provided
my $attribute_name;
if ($ou_identifier =~ /^OU=/i) {
$attribute_name = 'distinguishedName';
}
else {
$attribute_name = 'ou';
}
return $self->ad_search(
{
'ldap_filter' => {
'objectClass' => 'organizationalUnit',
$attribute_name => $ou_identifier,
}
}
);
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_user_exists
Parameters : $user_samaccountname
Returns : boolean
Description : Checks if a user exists in the Active Directory domain with a
matching sAMAccountName.
=cut
sub ad_user_exists {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($user_samaccountname, $no_cache) = @_;
if (!defined($user_samaccountname)) {
notify($ERRORS{'WARNING'}, 0, "user sAMAccountName argument was not supplied");
return;
}
my $domain_dns_name = $self->data->get_image_domain_dns_name();
if (!defined($domain_dns_name)) {
notify($ERRORS{'WARNING'}, 0, "unable to determine if user exists in Active Directory, domain DNS name is not configured");
return;
}
if (!$no_cache && defined($self->{ad_user_exists}{$user_samaccountname})) {
return $self->{ad_user_exists}{$user_samaccountname};
}
my @user_dns = $self->ad_search(
{
'ldap_filter' => {
'objectClass' => 'user',
'sAMAccountName' => $user_samaccountname,
}
}
);
if (@user_dns) {
$self->{ad_user_exists}{$user_samaccountname} = 1;
notify($ERRORS{'DEBUG'}, 0, "user exists in Active Directory domain: $user_samaccountname");
}
else {
$self->{ad_user_exists}{$user_samaccountname} = 0;
notify($ERRORS{'DEBUG'}, 0, "user does NOT exist in Active Directory domain: $user_samaccountname");
}
return $self->{ad_user_exists}{$user_samaccountname};
}
#//////////////////////////////////////////////////////////////////////////////
=head2 ad_check_domain_controller
Parameters : none
Returns : boolean
Description : Checks if computer is configured as a domain controller; returns
0 if not a domain controller, 1 if a domain controller, and
no value on error
=cut
sub ad_check_domain_controller {
my $self = shift;
if (ref($self) !~ /windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $system32_path = $self->get_system32_path() || return;
my $check_dc_command = "echo | cmd.exe /c \"$system32_path/Wbem/wmic.exe /INTERACTIVE:OFF COMPUTERSYSTEM GET DomainRole\"";
my ($check_dc_exit_status, $check_dc_output) = $self->execute($check_dc_command);
if (!defined($check_dc_output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to check for node being a domain controller");
return;
}
elsif (grep(/ERROR/i, @$check_dc_output)) {
notify($ERRORS{'DEBUG'}, 0, "failed to check for node being a domain controller, output:\n" . join("\n", @$check_dc_output));
return;
}
elsif (@{$check_dc_output}[1] =~ /^[0-3]$/) {
notify($ERRORS{'OK'}, 0, "node is a not a domain controller");
return 0;
}
elsif (@{$check_dc_output}[1] =~ /^[4-5]$/) {
notify($ERRORS{'OK'}, 0, "node is a domain controller");
return 1;
}
else {
notify($ERRORS{'DEBUG'}, 0, "unexpected output checking for node being a domain controller, output:\n" . join("\n", @$check_dc_output));
return;
}
}
#//////////////////////////////////////////////////////////////////////////////
=head2 grant_administrative_access
Parameters : $username
Returns : boolean
Description : Adds the user to the local Administrators group.
=cut
sub grant_administrative_access {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $username = shift;
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "username argument was not supplied");
return;
}
return $self->add_user_to_group($username, "Administrators");
}
#//////////////////////////////////////////////////////////////////////////////
=head2 revoke_administrative_access
Parameters : $username
Returns : boolean
Description : Removes the user to the local Administrators group.
=cut
sub revoke_administrative_access {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $username = shift;
if (!defined($username)) {
notify($ERRORS{'WARNING'}, 0, "username argument was not supplied");
return;
}
return $self->remove_user_from_group($username, 'Administrators');
}
#//////////////////////////////////////////////////////////////////////////////
=head2 _escape_password
Parameters : $password
Returns : string
Description : Adds a backslash before all of the following characters in a
password:
* " (double quote)
* $ (dollar sign)
* \ (backslash)
* ` (backtick)
=cut
sub _escape_password {
my $password_argument = shift;
my $password_escaped = $password_argument;
$password_escaped =~ s/(["\$\\`])/\\$1/gx;
#notify($ERRORS{'DEBUG'}, 0, "escaped password:\n" .
# "original : '$password_argument'\n" .
# "escaped : '$password_escaped'"
#);
return $password_escaped;
}
#//////////////////////////////////////////////////////////////////////////////
=head2 reserve
Parameters : none
Returns : boolean
Description : Calls parent OS.pm::reserve then mounts NFS shares.
=cut
sub reserve {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return 0;
}
# Call OS.pm's reserve subroutine
$self->SUPER::reserve() || return;
notify($ERRORS{'OK'}, 0, "beginning Windows reserve tasks");
# Attempt to mount NFS shares configured for the management node (Site Configuration > NFS Mounts)
$self->mount_nfs_shares();
notify($ERRORS{'OK'}, 0, "Windows reserve tasks complete");
return 1;
}
#/////////////////////////////////////////////////////////////////////////////
=head2 nfs_mount_share
Parameters : $remote_target
Returns : boolean
Description : Prepares a Windows image to automatically mount a user's NFS
shares when the user logs in.
The Windows image is checked to determine if the required Windows
features are installed in the image. If not installed, an attempt
is made to install them. If any features are installed, a reboot
is performed.
=cut
sub nfs_mount_share {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my ($remote_target) = @_;
if (!$remote_target) {
notify($ERRORS{'WARNING'}, 0, "remote NFS target argument was not supplied");
return;
}
# This subroutine may be called multiple times to allow multiple shares to be mounted
# If this is not the first call, append to the batch file instead of recreating it
my $previously_called = $self->{nfs_mount_share_called};
if ($previously_called && !$self->{nfs_mount_share_preparation_complete}) {
notify($ERRORS{'DEBUG'}, 0, "skipping subsequent NFS mount attempt, this subroutine was previously called but the preparation tasks failed to complete");
return;
}
$self->{nfs_mount_share_called} = 1;
my $username = $self->data->get_user_login_id();
my $uid = $self->data->get_user_uid();
my $reservation_id = $self->data->get_reservation_id();
my $computer_name = $self->data->get_computer_node_name();
my $management_node_id = $self->data->get_management_node_id;
my $nfs_mount_batch_file_path = 'C:/mount_nfs.cmd';
# Only perform the prep tasks the first time this subroutine is called
if ($previously_called) {
notify($ERRORS{'DEBUG'}, 0, "Windows NFS preparation tasks not necessary, this subroutine was previously executed");
}
else {
notify($ERRORS{'DEBUG'}, 0, "beginning Windows NFS preparation tasks");
$self->delete_file($nfs_mount_batch_file_path);
my $windows_product_name = $self->get_product_name();
if ($windows_product_name =~ /(Windows.*Professional)/) {
notify($ERRORS{'WARNING'}, 0, "Windows NFS share not mounted, Client for NFS is not available on this edition: $windows_product_name");
return 0;
}
# Check if required Windows features are installed in the image
# Attempt to install them if missing
# A reboot is required if any features are installed
my @required_windows_feature_names = (
'ServicesForNFS-ClientOnly',
'ClientForNFS-Infrastructure',
);
my $installed_feature_count = 0;
for my $required_windows_feature_name (@required_windows_feature_names) {
#notify($ERRORS{'DEBUG'}, 0, "sleeping 10 seconds before installing next Windows feature");
#sleep_uninterrupted(10) if $installed_feature_count > 0;
if (!$self->is_windows_feature_enabled($required_windows_feature_name)) {
if ($self->enable_windows_feature($required_windows_feature_name)) {
$self->{windows_nfs_reboot_required} = 1;
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to prepare Windows NFS, '$required_windows_feature_name' Windows feature could not be enabled");
return;
}
}
$installed_feature_count++;
}
# Stop and disable the "TCP/IP NetBIOS Helper" service - it causes delays using NFS shares
$self->stop_service('lmhosts');
$self->set_service_startup_mode('lmhosts', 'disabled');
# Set the anonymous UID
$self->set_windows_nfs_client_uid($uid) || return;
#if ($self->{windows_nfs_reboot_required}) {
# notify($ERRORS{'DEBUG'}, 0, "attempting to reboot $computer_name to complete the configuration of the NFS Client");
# if (!$self->reboot()) {
# notify($ERRORS{'WARNING'}, 0, "failed to prepare Windows NFS, failed to reboot $computer_name after configuring NFS client");
# return;
# }
#}
# Attempt to start the NFS client or make sure it's already started
$self->start_service('NfsClnt') || return;
#if (!$self->start_service('NfsClnt')) {
# if ($self->{windows_nfs_reboot_required}) {
# notify($ERRORS{'WARNING'}, 0, "failed to prepare Windows NFS, failed to start the NFS client, $computer_name was already rebooted");
# return;
# }
# else {
# if (!$self->reboot()) {
# notify($ERRORS{'WARNING'}, 0, "failed to prepare Windows NFS, failed to reboot $computer_name after attempting to start the NFS client");
# return;
# }
#
# if (!$self->start_service('NfsClnt')) {
# notify($ERRORS{'WARNING'}, 0, "failed to prepare Windows NFS, failed to start the NFS client on $computer_name after it was rebooted");
# return;
# }
# }
#}
#notify($ERRORS{'DEBUG'}, 0, "Windows NFS preparation tasks complete");
$self->{nfs_mount_share_preparation_complete} = 1;
}
my $mount_script_contents;
if (!$previously_called) {
$mount_script_contents = "nfsadmin.exe client start\r\n";
}
$mount_script_contents .= "C:\\Windows\\system32\\mount.exe -o mtype=hard $remote_target *";
if ($previously_called) {
notify($ERRORS{'DEBUG'}, 0, "appending line to $nfs_mount_batch_file_path: $mount_script_contents");
if (!$self->append_text_file($nfs_mount_batch_file_path, $mount_script_contents)) {
notify($ERRORS{'WARNING'}, 0, "failed to append batch file to mount NFS shares: $nfs_mount_batch_file_path");
return;
}
}
else {
notify($ERRORS{'DEBUG'}, 0, "creating Windows NFS mount batch file: $nfs_mount_batch_file_path, contents:\n$mount_script_contents");
if (!$self->create_text_file($nfs_mount_batch_file_path, $mount_script_contents)) {
notify($ERRORS{'WARNING'}, 0, "failed to create Windows NFS mount batch file: $nfs_mount_batch_file_path");
return;
}
$self->add_hklm_run_registry_key('VCL Mount NFS', $nfs_mount_batch_file_path) || return;
$self->execute("chmod 777 $nfs_mount_batch_file_path");
}
notify($ERRORS{'DEBUG'}, 0, "finished Windows NFS mount tasks");
return 1;
}
#/////////////////////////////////////////////////////////////////////////////
=head2 nfs_unmount_share
Parameters : none
Returns : boolean
Description : This doesn't actually unmount any shares but deletes the registry
key and batch file created to mount NFS shares when a user logs
in.
=cut
sub nfs_unmount_share {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
$self->delete_file('C:/mount_nfs.cmd');
$self->delete_hklm_run_registry_key('VCL Mount NFS');
return 1;
}
#/////////////////////////////////////////////////////////////////////////////
=head2 set_windows_nfs_client_uid
Parameters : $uid_number
Returns : boolean
Description : Sets registry values used by the Windows NFS Client to determine
which user UID number to use when accessing NFS shares.
=cut
sub set_windows_nfs_client_uid {
my $self = shift;
if (ref($self) !~ /Windows/i) {
notify($ERRORS{'CRITICAL'}, 0, "subroutine was called as a function, it must be called as a class method");
return;
}
my $uid = shift || $self->data->get_user_uid();
my $computer_name = $self->data->get_computer_node_name();
notify($ERRORS{'DEBUG'}, 0, "attempting to configure the Windows NFS Client to use anonymous UID $uid");
my $nfs_client_service_name = 'NfsClnt';
my $base_key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ClientForNFS\CurrentVersion\Default';
my $uid_key = 'AnonymousUid';
# Check if UID already set correctly
my $existing_uid = $self->reg_query($base_key, $uid_key, 1) || '';
if ($existing_uid eq $uid) {
notify($ERRORS{'DEBUG'}, 0, "anonymous UID ($existing_uid) value are already set correctly in the registry on $computer_name");
}
else {
# Set the registry keys
if (!$self->reg_add($base_key, $uid_key, 'REG_DWORD', $uid)) {
notify($ERRORS{'WARNING'}, 0, "failed to set Windows NFS Client anonymous UID in the registry");
return;
}
}
# Stop the NFS service, this may fail if something is already mounted
if (!$self->{windows_nfs_reboot_required}) {
if ($self->stop_service($nfs_client_service_name)) {
## Service won't restart immediately after stopping it
#sleep_uninterrupted(10);
if ($self->start_service($nfs_client_service_name)) {
notify($ERRORS{'DEBUG'}, 0, "set Windows NFS Client anonymous UID value in registry and restarted $nfs_client_service_name service");
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to restart Windows NFS Client service, it may be in use, $computer_name will be rebooted");
$self->{windows_nfs_reboot_required} = 1;
}
}
else {
notify($ERRORS{'WARNING'}, 0, "failed to stop Windows NFS Client service, it may be in use, $computer_name will be rebooted");
$self->{windows_nfs_reboot_required} = 1;
}
}
notify($ERRORS{'DEBUG'}, 0, "set Windows NFS Client anonymous UID values in registry");
return 1;
}
#//////////////////////////////////////////////////////////////////////////////
1;
__END__
=head1 SEE ALSO
L<http://cwiki.apache.org/VCL/>
=cut