"harden" action for cb-build.sh
parent
00066a317b
commit
7aaba8761c
3 changed files with 94 additions and 37 deletions
|
@ -6,6 +6,7 @@
|
|||
# dfsbuild - create the image directory with dfsbuild and copy it to
|
||||
# the working directory
|
||||
# config - apply cryptobox specific changes to the working directory
|
||||
# harden - remove unnecessary packages (for release CD)
|
||||
# iso - create the iso image (out of the working directory)
|
||||
# burn - tries to burn the the image on a cd-rw (maybe it works)
|
||||
#
|
||||
|
@ -89,6 +90,7 @@ function qemu_boot()
|
|||
|
||||
function init_working_directory()
|
||||
{
|
||||
cat /proc/mounts | grep -q "`basename $IMAGEDIR`/proc" && umount "$IMAGEDIR/proc"
|
||||
[ -e "$IMAGEDIR" ] && echo "Removing old image dir ..." && rm -r "$IMAGEDIR"
|
||||
echo "Copying the dfsbuild-image ..."
|
||||
cp -a "$IMAGEDIR_ORIG" "$IMAGEDIR"
|
||||
|
@ -112,9 +114,13 @@ function configure_cb()
|
|||
rm -rf "$TMPDIR"
|
||||
|
||||
echo "Configuring the cryptobox ..."
|
||||
sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
|
||||
# "harden" removes /etc/issue ...
|
||||
if [ -e "$IMAGEDIR/etc/issue" ]
|
||||
then sed -i "s/^Version:.*/Revision: $(fetch_revision)/" "$IMAGEDIR/etc/issue"
|
||||
else echo "Version:.*/Revision: $(fetch_revision)" >"$IMAGEDIR/etc/issue"
|
||||
fi
|
||||
fetch_revision >"$IMAGEDIR/etc/cryptobox/revision"
|
||||
chroot "$IMAGEDIR" "/usr/lib/cryptobox/configure-cryptobox.sh"
|
||||
chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh normal
|
||||
}
|
||||
|
||||
function fetch_revision()
|
||||
|
@ -179,7 +185,7 @@ while [ $# -gt 0 ]
|
|||
init_working_directory
|
||||
;;
|
||||
config )
|
||||
configure_cb
|
||||
configure_cb normal
|
||||
;;
|
||||
iso )
|
||||
create_iso
|
||||
|
@ -197,6 +203,9 @@ while [ $# -gt 0 ]
|
|||
merge )
|
||||
merge_from_devel
|
||||
;;
|
||||
harden )
|
||||
chroot "$IMAGEDIR" "$CHROOTSTART" /usr/lib/cryptobox/configure-cryptobox.sh secure
|
||||
;;
|
||||
upload )
|
||||
upload2devel
|
||||
;;
|
||||
|
@ -216,10 +225,10 @@ while [ $# -gt 0 ]
|
|||
blanknburn_cdrw
|
||||
;;
|
||||
release )
|
||||
$0 dfsbuild config iso
|
||||
$0 dfsbuild config harden iso
|
||||
;;
|
||||
help|--help )
|
||||
echo "Syntax: `basename $0` ( dfsbuild | config | iso | release | qemu | revert | chroot | devel | burn | help )"
|
||||
echo "Syntax: `basename $0` ( dfsbuild | config | iso | release | qemu | revert | chroot | devel | burn | harden | release | help )"
|
||||
echo " (you may specify more than one action)"
|
||||
echo
|
||||
;;
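Review bot: The new `else` branch in configure_cb writes the sed expression itself into the banner: when `$IMAGEDIR/etc/issue` is missing, `echo "Version:.*/Revision: $(fetch_revision)"` creates a file whose text starts with `Version:.*/Revision:`. The line should be `else echo "Revision: $(fetch_revision)" >"$IMAGEDIR/etc/issue"`. In the same section the help text now names `release` twice, and `configure_cb normal` passes an argument that the visible body does not read, since `normal` is hard-coded in the chroot call. configure_cb begins outside the hunk, so an earlier use of `$1` cannot be ruled out.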
|
||||
|
|
|
@ -2,11 +2,14 @@
|
|||
#
|
||||
# FOR DEVELOPMENT ONLY!
|
||||
#
|
||||
# this script is used to prepare a chroot session for testing
|
||||
# this script is used to prepare a chroot session for testing or configuring
|
||||
#
|
||||
# called by:
|
||||
# - cbox-build.sh
|
||||
#
|
||||
# parameter: [commandline]
|
||||
#
|
||||
# if "commandline" is empty, "bash" will be used
|
||||
|
||||
set -eu
|
||||
|
||||
|
@ -17,16 +20,19 @@ TMP_DIR="/tmp-`basename $0`-$$"
|
|||
|
||||
|
||||
cp -a "$MNT_SRC/." "$TMP_DIR"
|
||||
mount --bind "$TMP_DIR" "$MNT_DST"
|
||||
mount -n --bind "$TMP_DIR" "$MNT_DST"
|
||||
|
||||
[ ! -e /dev/null ] && mknod "/dev/null" c 1 3 && chmod 666 "/dev/null"
|
||||
[ ! -e /dev/urandom ] && mknod "/dev/urandom" c 1 9 && chmod 444 "/dev/urandom"
|
||||
[ ! -e /dev/console ] && mknod "/dev/console" c 1 5 && chmod 660 "/dev/console"
|
||||
|
||||
[ ! -e /proc/mounts ] && mount -t proc proc /proc
|
||||
[ ! -e /proc/mounts ] && mount -n -t proc proc /proc
|
||||
|
||||
bash
|
||||
if [ $# -gt 0 ]
|
||||
then "$@"
|
||||
else bash
|
||||
fi
|
||||
|
||||
umount "$MNT_DST"
|
||||
umount proc
|
||||
umount -n "$MNT_DST"
|
||||
umount -n proc
|
||||
rm -r "$TMP_DIR"
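Review bot: With `set -eu` in effect, a non-zero exit from the new `"$@"` call ends the script before `umount -n "$MNT_DST"`, `umount -n proc` and `rm -r "$TMP_DIR"` run, so a failed configure step leaves the bind mount, /proc and the temporary copy behind, presumably inside the image tree that is later turned into the ISO. Now that this wrapper runs unattended build steps and not only an interactive shell, the teardown belongs in an EXIT trap, which also lets the command's exit status reach the caller. The header still reads FOR DEVELOPMENT ONLY although the release path now goes through this script, so that comment should be updated as well. The start of the script, including the `TMP_DIR` and `MNT_DST` assignments, is outside the hunk.

```shell
# … unchanged: variable assignments (TMP_DIR, MNT_SRC, MNT_DST) …

cleanup()
{
	# best effort: a mount may be missing if the script stopped early
	umount -n "$MNT_DST" || true
	umount -n proc || true
	rm -r "$TMP_DIR"
}
trap cleanup EXIT

# … unchanged: cp -a, bind mount, mknod lines, proc mount, "$@"/bash dispatch …
# … the explicit umount/rm lines at the end are dropped; the trap runs them …
```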
|
||||
|
|
|
@ -14,34 +14,76 @@ set -eu
|
|||
RUNTIMEDIR=/opt/dfsruntime/runtimerd
|
||||
TUNDEV=$RUNTIMEDIR/dev/net/tun
|
||||
|
||||
[ ! -e "/proc/mounts" ] && mount -t proc proc /proc
|
||||
SECURITY_REMOVE_PACKAGES="ssh strace telnet unzip tar zip wget ppp pppconfig nvi nano gzip curl bzip2 aptitude tasksel pppoe pppoeconf"
|
||||
|
||||
######### devices ##########
|
||||
# create tun device for running under qemu
|
||||
if [ ! -e "$TUNDEV" ]
|
||||
then mkdir -p `dirname "$TUNDEV"`
|
||||
mknod "$TUNDEV" c 10 200
|
||||
fi
|
||||
|
||||
######### thttpd ###########
|
||||
# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
|
||||
sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
|
||||
# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
|
||||
sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
|
||||
function configure_normal()
|
||||
# the usual stuff - not optimized for security
|
||||
{
|
||||
######### devices ##########
|
||||
# create tun device for running under qemu
|
||||
if [ ! -e "$TUNDEV" ]
|
||||
then mkdir -p `dirname "$TUNDEV"`
|
||||
mknod "$TUNDEV" c 10 200
|
||||
fi
|
||||
|
||||
######### bashrc ###########
|
||||
# remove dfshints from bashrc
|
||||
sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
|
||||
######### thttpd ###########
|
||||
# change thttpd's config from 'chroot' to 'nochroot' - otherwise no perl script will run
|
||||
sed -i "s/^chroot$/nochroot/" /etc/thttpd/thttpd.conf
|
||||
# change thttpd-user from www-data to root (permissions for mount, cryptsetup, ...)
|
||||
sed -i "s/^user=.*/user=root/" /etc/thttpd/thttpd.conf
|
||||
|
||||
########## sshd ############
|
||||
# allow empty passwords for ssh
|
||||
# the daemon is NOT started automatically, so you have to start it
|
||||
# manually in case of need - as the root pw is empty and passwd is ro, you
|
||||
# have to allow empty passwords for this rare case
|
||||
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
||||
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
||||
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
||||
# allow nput of password
|
||||
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
||||
######### bashrc ###########
|
||||
# remove dfshints from bashrc
|
||||
sed -i "/^dfshints$/d" $RUNTIMEDIR/root/.bashrc
|
||||
|
||||
if [ -e "/etc/ssh" ]; then
|
||||
########## sshd ############
|
||||
# allow empty passwords for ssh
|
||||
# the daemon is NOT started automatically, so you have to start it
|
||||
# manually in case of need - as the root pw is empty and passwd is ro, you
|
||||
# have to allow empty passwords for this rare case
|
||||
sed -i 's/^PermitEmptyPass.*$/PermitEmptyPasswords yes/' /etc/ssh/sshd_config
|
||||
# turn off PAM for ssh, as it prevents the use of empty passwords (stange behaviour)
|
||||
sed -i 's/^UsePAM.*$/UsePAM no/' /etc/ssh/sshd_config
|
||||
# allow nput of password
|
||||
sed -i 's/^PasswordAuthentication.*$/PasswordAuthentication yes/' /etc/ssh/sshd_config
|
||||
fi
|
||||
}
|
||||
|
||||
|
||||
function configure_secure()
|
||||
# remove everything that could weaken security
|
||||
# configure_normal should be called too!
|
||||
{
|
||||
# disable keyboard login
|
||||
sed -i '/getty/d' /etc/inittab
|
||||
|
||||
# remove unnecessary packages
|
||||
dpkg --force-all -P $SECURITY_REMOVE_PACKAGES
|
||||
|
||||
# remove development files
|
||||
rm -f "$DEVELOPMENT_MARKER"
|
||||
rm -f "$DEV_FEATURES_SCRIPT"
|
||||
}
|
||||
|
||||
|
||||
################ main ####################
|
||||
|
||||
|
||||
ACTION=help
|
||||
[ $# -gt 0 ] && ACTION=$1
|
||||
|
||||
case "$ACTION" in
|
||||
normal )
|
||||
configure_normal
|
||||
;;
|
||||
secure )
|
||||
configure_secure
|
||||
;;
|
||||
* )
|
||||
echo "Syntax: `basename $0` { normal | secure }"
|
||||
echo
|
||||
;;
|
||||
esac
|
||||
|
||||
umount /proc
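Review bot: The `* )` arm only prints the syntax line, so a mistyped or missing action returns success to the build script and the release goes on without any hardening; under `set -eu` a failure of `dpkg --force-all -P $SECURITY_REMOVE_PACKAGES` also stops the script before the two `rm -f` lines, leaving the image partly hardened. The default arm should fail, for example `RET=0` before the `case`, `RET=1` in the `* )` arm and `exit $RET` after `umount /proc`. `configure_secure` expands `$DEVELOPMENT_MARKER` and `$DEV_FEATURES_SCRIPT`, which are not set in the visible lines; with `set -u` they have to be defined earlier in the file or the function stops there. A comment on `SECURITY_REMOVE_PACKAGES` explaining why `--force-all` is needed (the list includes `tar` and `gzip`) would help the next maintainer.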
|
||||
|
|