phpIPAM 1.4 on CentOS 8.2 – Install and Config Guide

This guide was run on CentOS 8.2 installed from the minimal ISO on a KVM virtual machine; during install I chose the “Minimal Install”. It is based on the CentOS 7 guide here: https://phpipam.net/news/phpipam-installation-on-centos-7/

Preparing the Environment and Installing requirements

Take a snapshot of the VM

# install all the updates
sudo dnf update
# useful extras
sudo dnf install vim fish
# install all the phpIPAM dependencies
sudo dnf install httpd mariadb-server php php-cli php-gd php-common php-ldap php-pdo php-pear php-snmp php-xml php-mysqlnd php-mbstring php-json php-gmp git

Note – the CentOS 7 guide says to install php-mcrypt, but I wasn’t able to find that package for CentOS 8, so I just skipped it. (The mcrypt extension was removed in PHP 7.2, which is the PHP that CentOS 8 ships, so there is no package to install.)

Configuring and running MySQL (MariaDB) database server

Take a snapshot of the VM

# start and enable the mariadb service
systemctl enable --now mariadb

Now lock down the server: set a root password, drop the anonymous accounts and the test database, and disable remote root login

# make mariadb install secure
mysql_secure_installation

Follow the prompts to get a secure config

Configuring and running Apache webserver

Take a snapshot of the VM

# enable and start httpd
systemctl enable --now httpd

The main Apache configuration is in /etc/httpd/conf/httpd.conf. Open it, set ServerName, and change the <Directory> block for /var/www/html so that phpIPAM's .htaccess rewrite rules (mod_rewrite) are honoured:

# uncomment and modify this line:
ServerName localhost:80

# Set all this
<Directory "/var/www/html">
    # FollowSymLinks (or SymLinksIfOwnerMatch) is required for mod_rewrite to run
    # from .htaccess. The stock "Indexes" option is left out so Apache never
    # serves a directory listing of the application tree.
    Options FollowSymLinks

    # AllowOverride All lets phpIPAM's .htaccess supply its rewrite rules.
    AllowOverride All

    # Apache 2.4 access control. The 2.2-style "Order allow,deny" / "Allow from all"
    # lines found in older guides only work through mod_access_compat and are
    # replaced by this single directive.
    Require all granted
</Directory>

Set the correct timezone in /etc/php.ini to avoid PHP warnings:

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Australia/Darwin

And restart apache

systemctl restart httpd

And open the web ports in the firewall. --permanent only writes the rule to disk; it is not applied to the running firewall until you reload:

root@ipam ~# firewall-cmd --permanent --add-port=80/tcp
success
root@ipam ~# firewall-cmd --permanent --add-port=443/tcp
success
root@ipam ~# firewall-cmd --reload
success

Port 443 is only useful once mod_ssl and a TLS virtual host are configured, which this guide does not cover; if you are not going to set that up, leave it closed.

Downloading the phpIPAM files and configuring phpIPAM

Get all the files from git

root@ipam ~# cd /var/www/html
root@ipam /v/w/html# ls
root@ipam /v/w/html# git clone https://github.com/phpipam/phpipam.git .
Cloning into '.'...
remote: Enumerating objects: 19, done.
remote: Counting objects: 100% (19/19), done.
remote: Compressing objects: 100% (19/19), done.
remote: Total 26190 (delta 2), reused 3 (delta 0), pack-reused 26171
Receiving objects: 100% (26190/26190), 18.39 MiB | 4.61 MiB/s, done.
Resolving deltas: 100% (19193/19193), done.
root@ipam /v/w/html (master)# git checkout 1.4
Branch '1.4' set up to track remote branch '1.4' from 'origin'.
Switched to a new branch '1.4'
root@ipam /v/w/html (1.4)# git submodule init
Submodule 'app/login/captcha' (https://github.com/dapphp/securimage.git) registered for path 'app/login/captcha'
Submodule 'functions/GoogleAuthenticator' (https://github.com/PHPGangsta/GoogleAuthenticator) registered for path 'functions/GoogleAuthenticator'
Submodule 'functions/PHPMailer' (https://github.com/PHPMailer/PHPMailer.git) registered for path 'functions/PHPMailer'
Submodule 'functions/php-saml' (https://github.com/onelogin/php-saml.git) registered for path 'functions/php-saml'
Submodule 'functions/qrcodejs' (https://github.com/davidshimjs/qrcodejs) registered for path 'functions/qrcodejs'
root@ipam /v/w/html (1.4)# git submodule update
Cloning into '/var/www/html/app/login/captcha'...
Cloning into '/var/www/html/functions/GoogleAuthenticator'...
Cloning into '/var/www/html/functions/PHPMailer'...
Cloning into '/var/www/html/functions/php-saml'...
Cloning into '/var/www/html/functions/qrcodejs'...
Submodule path 'app/login/captcha': checked out '1ecb884797c66e01a875c058def46c85aecea45b'
Submodule path 'functions/GoogleAuthenticator': checked out '3baa997f399d4afd5d6a81d42244ec9cc3eeb080'
Submodule path 'functions/PHPMailer': checked out '59495db0b14c17f5a370359df0ad7b2e004391a2'
Submodule path 'functions/php-saml': checked out 'ea5b7822aa1b4ce14aa88d0e35edf65ebb2f91c8'
Submodule path 'functions/qrcodejs': checked out '04f46c6a0708418cb7b96fc563eacae0fbf77674'
root@ipam /v/w/html (1.4)# 

Fix ownership, modes and SELinux labels

sudo chown -R apache:apache /var/www/html/
sudo chcon -R -t httpd_sys_content_t /var/www/html/

cd /var/www/html/
find . -type f -exec chmod 0644 {} \;
find . -type d -exec chmod 0755 {} \;

# only these directories need to be writable by the web server; everything else stays read-only content
sudo chcon -R -t httpd_sys_rw_content_t app/admin/import-export/upload/
sudo chcon -R -t httpd_sys_rw_content_t app/subnets/import-subnet/upload/
sudo chcon -R -t httpd_sys_rw_content_t css/1.4.0/images/logo/

Note that labels set with chcon are lost when the filesystem is relabelled (restorecon or a full relabel); a rule added with semanage fcontext survives that.
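The commands above give the apache user ownership of the whole tree, which means a compromised web process can rewrite its own code. The script below is an added example (not from the phpIPAM project or the original guide) of a tighter layout: code owned by root and read-only for the web server, with only the three directories phpIPAM writes to made group-writable and labelled httpd_sys_rw_content_t, using semanage fcontext so the labels survive a relabel. It assumes the web group is "apache" and the three writable paths listed in this guide; adjust both for your layout.

```bash
#!/bin/sh
# Added example: least-privilege ownership, modes and SELinux labels for a
# phpIPAM webroot. Assumes web group "apache" and the writable paths below.

# Directories phpIPAM must be able to write into, relative to the webroot
# (the same three the guide relabels; assumed to be complete for 1.4).
PHPIPAM_RW_DIRS="app/admin/import-export/upload app/subnets/import-subnet/upload css/1.4.0/images/logo"

# harden_webroot WEBROOT [WEBGROUP]
harden_webroot() {
    webroot=$1
    webgroup=${2:-apache}
    [ -d "$webroot" ] || { echo "no such directory: $webroot" >&2; return 1; }

    # Code: world-readable, writable only by root. chown needs root, so it is
    # skipped when run unprivileged (the modes are still fixed).
    find "$webroot" -type f -exec chmod 0644 {} +
    find "$webroot" -type d -exec chmod 0755 {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown -R root:"$webgroup" "$webroot"
    fi

    # Upload/logo directories: group-writable for the web server, never world-writable.
    for rel in $PHPIPAM_RW_DIRS; do
        dir="$webroot/$rel"
        mkdir -p "$dir"
        chmod 0775 "$dir"
        if [ "$(id -u)" -eq 0 ]; then
            chown root:"$webgroup" "$dir"
        fi
    done

    # SELinux: the base policy already labels /var/www as httpd_sys_content_t;
    # only the rw directories need a rule. semanage makes it persistent, chcon
    # is the one-off fallback if policycoreutils-python-utils is not installed.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        for rel in $PHPIPAM_RW_DIRS; do
            if command -v semanage >/dev/null 2>&1; then
                semanage fcontext -a -t httpd_sys_rw_content_t "$webroot/$rel(/.*)?" 2>/dev/null \
                    || semanage fcontext -m -t httpd_sys_rw_content_t "$webroot/$rel(/.*)?"
            else
                chcon -R -t httpd_sys_rw_content_t "$webroot/$rel"
            fi
        done
        if command -v restorecon >/dev/null 2>&1; then
            restorecon -R "$webroot"
        fi
    fi
}

# mode_of PATH: octal permission bits, for checking the result.
mode_of() { stat -c '%a' "$1"; }

# count_world_writable WEBROOT: number of world-writable entries; should be 0.
count_world_writable() { find "$1" -perm -0002 | wc -l | tr -d ' '; }

# Usage on the install from this guide:
#   harden_webroot /var/www/html apache
#   count_world_writable /var/www/html
```

Run it as root after the git clone and again after any git pull, since new files arrive with whatever modes git gives them. Upgrades and `git pull` then have to be done as root, which is the point: the web server can no longer change its own code.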

Configuring database connection

Copy the shipped config file and edit it

root@ipam /v/w/html (1.4) [1]# cp config.dist.php config.php
root@ipam /v/w/html (1.4)# vim config.php 

Change the $db block at the top (host, user, password and database name) to the account phpIPAM will use, then any other options you want to enable

Installing phpIPAM

We are now ready to install phpIPAM. Open a browser and go to http://ip_address/ to start the automatic database installation. For the MySQL connection enter the root username and the password you set with mysql_secure_installation; it is used only to create the database, tables and grants. After installation phpIPAM uses the username/password from config.php to reach the database, and the root password is not stored anywhere.

I personally went for the “Mysql Import Instructions” as I didn’t have any luck with the automatic install
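Whichever route you take, the important thing is that the account in config.php is a dedicated one scoped to the phpIPAM database, not root. The script below is an added example (not the project's own installer code) of doing the "MySQL import" route by hand. It assumes a database and user both named phpipam, the MariaDB root password set by mysql_secure_installation, and the schema file the phpIPAM repository ships as db/SCHEMA.sql (run it from the webroot or pass another path).

```bash
#!/bin/sh
# Added example: create a least-privileged MariaDB account for phpIPAM and load
# the schema by hand. Assumes db/SCHEMA.sql from the phpIPAM checkout.

# phpipam_grant_sql DBNAME DBUSER DBPASS
# Print the SQL that creates the database and an account limited to it.
# Single quotes in the password are doubled so they cannot end the literal.
phpipam_grant_sql() {
    db=$1
    user=$2
    pass=$(printf '%s' "$3" | sed "s/'/''/g")
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$db\` CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER IF NOT EXISTS '$user'@'localhost' IDENTIFIED BY '$pass';
GRANT ALL PRIVILEGES ON \`$db\`.* TO '$user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# phpipam_db_setup DBNAME DBUSER DBPASS [SCHEMA]
# Apply the grants as root (you are prompted for the root password), then
# import the schema *as the new account*, so a mistake in the grants shows up
# here rather than later in the web installer. The password reaches the client
# through MYSQL_PWD instead of -p so it does not appear in the process list.
phpipam_db_setup() {
    schema=${4:-db/SCHEMA.sql}
    [ -r "$schema" ] || { echo "schema file not found: $schema" >&2; return 1; }
    phpipam_grant_sql "$1" "$2" "$3" | mysql -u root -p || return 1
    MYSQL_PWD=$3 mysql -u "$2" "$1" < "$schema"
}

# Example call. The password is a placeholder: generate your own (for instance
# with openssl rand -base64 24) and put the same values in config.php.
#   phpipam_db_setup phpipam phpipam 'change-me' /var/www/html/db/SCHEMA.sql
```

The grant is still ALL PRIVILEGES, because phpIPAM's upgrades alter its own tables, but it is ALL on one database rather than on *.*: a SQL injection or stolen config.php then reaches the IPAM data and nothing else on the server.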

Enabling network scanning – Setting up SELinux rules

By default IP scanning with ping won’t work from phpIPAM: the web server runs in the httpd_t SELinux domain, which is not allowed to create the raw/ICMP sockets ping needs. A small local policy module fixes that, and is easy to make. The general flow goes like this:

# Make sure the audit and policy tools are available
dnf install policycoreutils-python-utils setroubleshoot

# rebuild the policy with the dontaudit rules disabled, so every denial is logged
semodule --build --disable_dontaudit

# switch to permissive mode: denials are logged but not enforced, so one scan
# run captures everything the web server would have been blocked from doing
setenforce 0

# watch the audit log for denials, saving them to ipam-selinux-blocks.log
tail -f /var/log/audit/audit.log -n0 | grep denied --line-buffered | tee ipam-selinux-blocks.log

# now go run the scan/ping in phpIPAM, then stop the tail with Ctrl-C

# build a policy module from the captured denials. -M writes phpipam.te
# (readable source) and phpipam.pp (the compiled module)
audit2allow -M phpipam -i ipam-selinux-blocks.log

# READ phpipam.te before installing it. With dontaudit off and permissive mode
# on, the log also contains noise unrelated to scanning, and every line you
# keep becomes a permanent grant to the web server. Delete what the scan does
# not need, rebuild (see the build script below) and only then install.
semodule -i phpipam.pp

# re-enable the dontaudit rules and go back to enforcing; no reboot is needed
semodule --build
setenforce 1

# Make sure you are back in enforcing mode
root@ipam ~# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

# Now try re-running the phpIPAM scan to see if it works with enforcing on
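Before feeding the captured log to audit2allow it pays to look at what is actually in it. The helpers below are an added example (not from the original guide or the SELinux toolchain) that collapse an audit log into one line per distinct (subject, class, permission, target) denial, so you can see exactly what you are about to grant and to whom. The sample log embedded in the block is constructed for the example in the real AVC format; pids, process names and timestamps are made up.

```bash
#!/bin/sh
# Added example: triage AVC denials before running audit2allow.

# summarize_avc [FILE...]: one line per distinct denial with a count, most frequent first.
summarize_avc() {
    awk '/avc: +denied/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""; mode = "";
        # the { ... } group holds the permission(s) that were requested
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4);
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)   { split($i, a, ":"); sctx = a[3] }   # subject (process) type
            if ($i ~ /^tcontext=/)   { split($i, a, ":"); tctx = a[3] }   # target type
            if ($i ~ /^tclass=/)     { cls = substr($i, 8) }
            if ($i ~ /^permissive=/) { mode = substr($i, 12) }
        }
        print sctx, cls, perm, tctx, "permissive=" mode
    }' "$@" | sort | uniq -c | sort -rn
}

# avc_subjects [FILE...]: the distinct subject types in the log. For this job the
# answer should be exactly "httpd_t"; anything else means the capture picked up
# denials from other processes, and those lines must not go into the module.
avc_subjects() {
    awk '/avc: +denied/ { for (i = 1; i <= NF; i++) if ($i ~ /^scontext=/) { split($i, a, ":"); print a[3] } }' "$@" | sort -u
}

# Constructed sample (not captured output): two raw-socket denials from ping, the
# matching net_raw capability, an SNMP state-directory read, and a connect to the
# SMTP port. The last one belongs to the httpd_can_sendmail boolean, not to a
# scan module, and is exactly the kind of line to delete from phpipam.te.
AVC_SAMPLE='type=AVC msg=audit(1598000000.101:201): avc:  denied  { create } for  pid=2001 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1598000000.102:202): avc:  denied  { net_raw } for  pid=2001 comm="ping" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1598000000.103:203): avc:  denied  { create } for  pid=2002 comm="ping" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1598000000.104:204): avc:  denied  { read } for  pid=2003 comm="php-fpm" name="net-snmp" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:snmpd_var_lib_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1598000000.105:205): avc:  denied  { name_connect } for  pid=2004 comm="php-fpm" dest=25 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=1'

# Usage on the capture from this guide:
#   avc_subjects  ipam-selinux-blocks.log
#   summarize_avc ipam-selinux-blocks.log
# or on the constructed sample:
#   printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

Every line in the summary maps to one allow rule audit2allow will emit. Anything with a subject other than httpd_t, or a target you cannot explain from what the scan does (a mail port, a proxy port), should be cut from the .te before it is compiled and installed.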

My SELinux Type Enforcement file. Note that it grants httpd_t net_admin as well as net_raw; a raw ICMP socket only needs net_raw, so net_admin is a wider grant than ping itself requires, and you should keep it only if your own captured denials show it being requested.

root@ipamprd1 ~/p/s/files (master)# cat phpipam.te
## SELinux module for phpIPAM

module phpipam 1.0;

require {
    type httpd_t;
    type snmpd_var_lib_t;
    class capability { net_raw net_admin };
    class icmp_socket create;
    class rawip_socket { create getopt setopt read write };
    class dir read;
    class file { open read write getattr setattr };
}

#============= httpd_t ==============
# raw/ICMP sockets and the capabilities the ping-based scan needs
allow httpd_t self:capability { net_raw net_admin };
allow httpd_t self:icmp_socket create;
allow httpd_t self:rawip_socket { create getopt setopt read write };

# php-snmp touches net-snmp's state under /var/lib/net-snmp (snmpd_var_lib_t)
allow httpd_t snmpd_var_lib_t:dir read;
allow httpd_t snmpd_var_lib_t:file { open read write getattr setattr };

root@ipamprd1 ~/p/s/files (master)# cat build_selinux_module.sh
#!/bin/sh
# compile the .te into a module (.mod) and package it as a loadable .pp;
# install the result with: semodule -i phpipam.pp
set -e

checkmodule -M -m -o /tmp/phpipam.mod phpipam.te
semodule_package -o phpipam.pp -m /tmp/phpipam.mod
