"harden" action for cb-build.sh

18 years ago · 7aaba8761c
parent 00066a317b
commit 7aaba8761c
3 changed files with 99 additions and 42 deletions
--- a/cbox-build.sh
+++ b/cbox-build.sh
@ -6,6 +6,7 @@
 #   dfsbuild	- create the image directory with dfsbuild and copy it to
 #		  the working directory
 #   config	- apply cryptobox specific changes to the working directory
+#   harden	- remove unnecessary packages (for release CD)
 #   iso		- create the iso image (out of the working directory)
 #   burn	- tries to burn the the image on a cd-rw (maybe it works)
 #
@ -89,6 +90,7 @@ function qemu_boot()

 function init_working_directory()
 {
+	cat /proc/mounts | grep -q "`basename $IMAGEDIR`/proc" && umount "$IMAGEDIR/proc"
 	[ -e "$IMAGEDIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGEDIR"
 	echo "Copying the dfsbuild-image ..."
 	cp -a "$IMAGEDIR_ORIG" "$IMAGEDIR"
@ -112,9 +114,13 @@ function configure_cb()
 		rm -rf "$TMPDIR"

 	echo "Configuring the cryptobox ..."
-		sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
+		# "harden" removes /etc/issue ...
+		if [ -e "$IMAGEDIR/etc/issue" ]
+		  then	sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
+		  else	echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGEDIR/etc/issue"
+		 fi
 		fetch_revision >"$IMAGEDIR/etc/cryptobox/revision"
-		chroot "$IMAGEDIR" "/usr/lib/cryptobox/configure-cryptobox.sh"
+		chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
 }

 function fetch_revision()
@ -179,7 +185,7 @@ while [ $# -gt 0 ]
 		init_working_directory
 		;;
 	    config )
-		configure_cb
+		configure_cb normal
 		;;
 	    iso )
 		create_iso
@ -197,6 +203,9 @@ while [ $# -gt 0 ]
 	    merge )
 	 	merge_from_devel
 		;;
+	    harden )
+		chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
+	    	;;
 	    upload )
 	 	upload2devel
 		;;
@ -216,10 +225,10 @@ while [ $# -gt 0 ]
 		blanknburn_cdrw
 		;;
 	    release )
-	    	$0 dfsbuild config iso
+	    	$0 dfsbuild config harden iso
 		;;
 	    help|--help )
-		echo "Syntax: `basename $0` ( dfsbuild | config | iso | release | qemu | revert | chroot | devel | burn | help )"
+		echo "Syntax: `basename $0` ( dfsbuild | config | iso | release | qemu | revert | chroot | devel | burn | harden | release | help )"
 		echo "  (you may specify more than one action)"
 		echo
 	    	;;
--- a/cryptobox.conf.d/usr/lib/cryptobox/chroot-start.sh
+++ b/cryptobox.conf.d/usr/lib/cryptobox/chroot-start.sh
@ -2,11 +2,14 @@
 #
 # FOR DEVELOPMENT ONLY!
 #
-# this script is used to prepare a chroot session for testing
+# this script is used to prepare a chroot session for testing or configuring
 #
 # called by:
 #	- cbox-build.sh
 #
+# parameter: [commandline]
+#
+# if "commandline" is empty, "bash" will be used

 set -eu

@ -17,16 +20,19 @@ TMP_DIR="/tmp-`basename $0`-$$"


 cp -a "$MNT_SRC/." "$TMP_DIR"
-mount --bind "$TMP_DIR" "$MNT_DST"
+mount -n --bind "$TMP_DIR" "$MNT_DST"

 [ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
 [ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
 [ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"

-[ ! -e /proc/mounts ] && mount -t proc proc /proc
+[ ! -e /proc/mounts ] && mount -n -t proc proc /proc

-bash
+if [ $# -gt 0 ]
+	then	"$@"
+	else	bash
+  fi

-umount "$MNT_DST"
-umount proc
+umount -n "$MNT_DST"
+umount -n proc
 rm -r "$TMP_DIR"
--- a/cryptobox.conf.d/usr/lib/cryptobox/configure-cryptobox.sh
+++ b/cryptobox.conf.d/usr/lib/cryptobox/configure-cryptobox.sh
@ -14,34 +14,76 @@ set -eu
 RUNTIMEDIR=/opt/dfsruntime/runtimerd
 TUNDEV=$RUNTIMEDIR/dev/net/tun

-[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
-
-######### devices ##########
-# create tun device for running under qemu
-if [ ! -e "$TUNDEV" ]
-	then	mkdir -p `dirname "$TUNDEV"`
-		mknod "$TUNDEV" c 10 200
-  fi
-
-######### thttpd ###########
-# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
-sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
-# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
-sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
-
-######### bashrc ###########
-# remove dfshints from bashrc
-sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
-
-########## sshd ############
-# allow empty passwords for ssh
-#  the daemon is NOT started automatically, so you have to start it
-#  manually in case of need - as the root pw is empty and passwd is ro, you
-#  have to allow empty passwords for this rare case
-sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
-# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
-sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
-# allow nput of password
-sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
-
-umount /proc
+SECURITY_REMOVE_PACKAGES="ssh strace telnet unzip tar zip wget ppp pppconfig nvi nano gzip curl bzip2 aptitude tasksel pppoe pppoeconf"
+
+
+function configure_normal()
+# the usual stuff - not optimized for security
+{
+	######### devices ##########
+	# create tun device for running under qemu
+	if [ ! -e "$TUNDEV" ]
+		then	mkdir -p `dirname "$TUNDEV"`
+			mknod "$TUNDEV" c 10 200
+	  fi
+
+	######### thttpd ###########
+	# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
+	sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
+	# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
+	sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
+
+	######### bashrc ###########
+	# remove dfshints from bashrc
+	sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
+
+	if [ -e "/etc/ssh" ]; then
+	    ########## sshd ############
+	    # allow empty passwords for ssh
+	    #  the daemon is NOT started automatically, so you have to start it
+	    #  manually in case of need - as the root pw is empty and passwd is ro, you
+	    #  have to allow empty passwords for this rare case
+	    sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
+	    # turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
+	    sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
+	    # allow nput of password
+	    sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
+	  fi
+}
+
+
+function configure_secure()
+# remove everything that could weaken security
+# configure_normal should be called too!
+{
+	# disable keyboard login
+	sed -i '/getty/d' /etc/inittab
+	
+	# remove unnecessary packages
+	dpkg --force-all -P $SECURITY_REMOVE_PACKAGES
+
+	# remove development files
+	rm -f "$DEVELOPMENT_MARKER"
+	rm -f "$DEV_FEATURES_SCRIPT"
+}
+
+
+################ main ####################
+
+
+ACTION=help
+[ $# -gt 0 ] && ACTION=$1
+
+case "$ACTION" in
+	normal )
+		configure_normal
+		;;
+	secure )
+		configure_secure
+		;;
+	* )
+		echo "Syntax: `basename $0` { normal | secure }"
+		echo
+		;;
+  esac
+