Merge branch 'stretch' of https://github.com/bashrc/freedombone

doc/EN/mobile.org

@@ -96,6 +96,8 @@ Now edit the hosts file which was pulled and append:
 127.0.0.1       www.google-analytics.com
 127.0.0.1       google-analytics.com
 127.0.0.1       ssl.google-analytics.com
+127.0.0.1       telemetry.mozilla.org
+127.0.0.1       incoming.telemetry.mozilla.org
 #+end_src
 
 Then upload the hosts file back again with:

src/freedombone-app-pleroma

@@ -36,7 +36,7 @@ PLEROMA_CODE=
 PLEROMA_PORT=4000
 PLEROMA_ONION_PORT=8011
 PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
-PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
+PLEROMA_COMMIT='762f6edc29a7a48e3a663e9bedec58e0036ff363'
 PLEROMA_ADMIN_PASSWORD=
 PLEROMA_DIR=/etc/pleroma
 PLEROMA_SECRET_KEY=""
@@ -733,15 +733,21 @@ function configure_interactive_pleroma {
             enablechatstr=$'Disable chat system'
         fi
 
+        pleromatorstr=$'Enable routing through Tor for onion addresses'
+        if grep -q '9050' $pleroma_secret; then
+            pleromatorstr=$'Disable routing through Tor'
+        fi
+
         W=(1 $"Set a background image"
            2 $"Set the title"
            3 $"Disable new account registrations"
            4 $"Add a custom emoji"
            5 $"Set post expiry period (currently $PLEROMA_EXPIRE_MONTHS months)"
-           6 "$enablechatstr")
+           6 "$enablechatstr"
+           7 "$pleromatorstr")
 
         # shellcheck disable=SC2068
-        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 13 60 6 "${W[@]}" 3>&2 2>&1 1>&3)
+        selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 14 60 7 "${W[@]}" 3>&2 2>&1 1>&3)
 
         if [ ! "$selection" ]; then
             break
@@ -759,11 +765,25 @@ function configure_interactive_pleroma {
                    pleroma_enable_chat true
                fi
                ;;
+            7) if grep -q '9050' $pleroma_secret; then
+                   pleroma_disable_tor
+               else
+                   pleroma_enable_tor
+               fi
+               ;;
         esac
     done
 }
 
-function pleroma_upgrade_tor {
+function pleroma_disable_tor {
+    if grep -q '9050' $pleroma_secret; then
+        sed -i '/9050/d' $pleroma_secret
+        sed -i 's|# config :pleroma, :http, proxy_url:|config :pleroma, :http, proxy_url:|g' $PLEROMA_DIR/config/config.exs
+        pleroma_recompile
+    fi
+}
+
+function pleroma_enable_tor {
     pleroma_tor_update=
 
     if ! grep -q '{:socks5, :localhost, 9050}' $pleroma_secret; then
@@ -806,7 +826,7 @@ function upgrade_pleroma {
         create_pleroma_blocklist
     fi
 
-    pleroma_upgrade_tor
+    #pleroma_enable_tor
 
     CURR_PLEROMA_COMMIT=$(get_completion_param "pleroma commit")
     if [[ "$CURR_PLEROMA_COMMIT" == "$PLEROMA_COMMIT" ]]; then

src/freedombone-controlpanel

@@ -224,114 +224,153 @@ function show_tor_bridges {
 function show_domains {
     read_config_param "DEFAULT_DOMAIN_NAME"
 
-    W=()
+    while true
+    do
+        W=()
 
-    W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
-    ipv6_address="$(get_ipv6_address)"
-    if [ ${#ipv6_address} -gt 0 ]; then
-        W+=("IPv6" "${ipv6_address}")
-    fi
+        W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
+        ipv6_address="$(get_ipv6_address)"
+        if [ ${#ipv6_address} -gt 0 ]; then
+            W+=("IPv6" "${ipv6_address}")
+        fi
 
-    if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
-        W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
-    fi
-    if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
-        W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
-    fi
+        if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
+            W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
+        fi
+        if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
+            W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
+        fi
 
-    if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
-        domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
-        W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
-    fi
-    if grep -q "email onion domain" "$COMPLETION_FILE"; then
-        domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
-        W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
-    fi
-    if grep -q "sks onion domain" "$COMPLETION_FILE"; then
-        read_config_param "KEYSERVER_DOMAIN_NAME"
-        domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
-        W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
-    fi
+        if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
+            domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+            W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
+        fi
+        if grep -q "email onion domain" "$COMPLETION_FILE"; then
+            domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+            W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
+        fi
+        if grep -q "sks onion domain" "$COMPLETION_FILE"; then
+            read_config_param "KEYSERVER_DOMAIN_NAME"
+            domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
+            W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
+        fi
 
-    INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
-    if [ -f $INTRODUCER_FILENAME ]; then
-        W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
-    fi
+        INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
+        if [ -f $INTRODUCER_FILENAME ]; then
+            W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
+        fi
 
-    show_tor_bridges
+        show_tor_bridges
 
-    # shellcheck disable=SC2068
-    for app_name in ${APPS_INSTALLED_NAMES[@]}
-    do
-        if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
-            continue
-        fi
+        # shellcheck disable=SC2068
+        for app_name in ${APPS_INSTALLED_NAMES[@]}
+        do
+            if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
+                continue
+            fi
 
-        # handle the foibles of capitalisation
-        if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
-            app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
-            if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
-                app_name=${app_name_upper}
-            else
-                app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
-                if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
-                    app_name=${app_name_first_upper}
+            # handle the foibles of capitalisation
+            if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
+                app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
+                if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
+                    app_name=${app_name_upper}
+                else
+                    app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
+                    if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
+                        app_name=${app_name_first_upper}
+                    fi
                 fi
             fi
-        fi
 
-        if [ ${#app_name} -gt 0 ]; then
-            icann_address=$(get_app_icann_address "$app_name")
-            if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
-                icann_address='-'
-            fi
-            if [[ "$ONION_ONLY" != 'no' ]]; then
-                if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
+            if [ ${#app_name} -gt 0 ]; then
+                icann_address=$(get_app_icann_address "$app_name")
+                if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
                     icann_address='-'
                 fi
-            fi
-            onion_address=$(get_app_onion_address "$app_name")
-            if [ ${#onion_address} -eq 0 ]; then
-                onion_address="-"
-            fi
-
-            if [[ "${icann_address}" != '-' ]]; then
-                if [[ "${onion_address}" != '-' ]]; then
-                    W+=("${app_name}" "${icann_address} / ${onion_address}")
-                else
-                    W+=("${app_name}" "${icann_address}")
+                if [[ "$ONION_ONLY" != 'no' ]]; then
+                    if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
+                        icann_address='-'
+                    fi
+                fi
+                onion_address=$(get_app_onion_address "$app_name")
+                if [ ${#onion_address} -eq 0 ]; then
+                    onion_address="-"
                 fi
-            else
-                W+=("${app_name}" "${onion_address}")
-            fi
 
-            if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
-                onion_address=$(get_app_onion_address "${app_name}" "mobile")
                 if [[ "${icann_address}" != '-' ]]; then
-                    W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
+                    if [[ "${onion_address}" != '-' ]]; then
+                        W+=("${app_name}" "${icann_address} / ${onion_address}")
+                    else
+                        W+=("${app_name}" "${icann_address}")
+                    fi
                 else
-                    W+=("${app_name} (mobile)" "${onion_address}")
+                    W+=("${app_name}" "${onion_address}")
+                fi
+
+                if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
+                    onion_address=$(get_app_onion_address "${app_name}" "mobile")
+                    if [[ "${icann_address}" != '-' ]]; then
+                        W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
+                    else
+                        W+=("${app_name} (mobile)" "${onion_address}")
+                    fi
                 fi
             fi
-        fi
-    done
+        done
 
-    if grep -q "rss reader domain" "$COMPLETION_FILE"; then
-        if [ -d /var/lib/tor/hidden_service_ttrss ]; then
-            domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
-            W+=("RSS Reader" "${domain_onion}")
-        fi
-        if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
-            domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
-            W+=("RSS mobile" "${domain_onion}")
+        if grep -q "rss reader domain" "$COMPLETION_FILE"; then
+            if [ -d /var/lib/tor/hidden_service_ttrss ]; then
+                domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
+                W+=("RSS Reader" "${domain_onion}")
+            fi
+            if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
+                domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
+                W+=("RSS mobile" "${domain_onion}")
+            fi
         fi
-    fi
 
-    width=$(tput cols)
-    height=$(tput lines)
+        width=$(tput cols)
+        height=$(tput lines)
 
-    # shellcheck disable=SC2068
-    dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
+        # shellcheck disable=SC2068
+        selected=$(dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3)
+        if [ ! "$selected" ]; then
+            break
+        fi
+        # obtain the addresses from the key by itterating through
+        # the array. This is quite crude and maybe there's a better way
+        key_found=
+        selected_addresses=
+        for key in "${W[@]}";
+        do
+            if [ $key_found ]; then
+                selected_addresses="$key"
+                break
+            fi
+            if [[ "$key" == "$selected" ]]; then
+                key_found=1
+            fi
+        done
+        # Was the key matched?
+        if [ ! "$selected_addresses" ]; then
+            break
+        fi
+        # addresses were found - is this an onion?
+        if [[ "$selected_addresses" != *".onion"* ]]; then
+            continue
+        fi
+        # There are two forms of addresses: "x / y.onion" and "x.onion"
+        if [[ "$selected_addresses" == *'/'* ]]; then
+            onion_addr=$(echo "$selected_addresses" | awk -F '/' '{print $2}' | awk -F ' ' '{print $1}')
+        else
+            onion_addr="$selected_addresses"
+        fi
+        # show the onion address as a QR code
+        clear
+        echo "${selected}: ${onion_addr}"
+        echo -n "$onion_addr" | qrencode -t UTF8
+        any_key
+    done
 }
 
 function show_users {

src/freedombone-controlpanel-user

@@ -434,6 +434,10 @@ function show_gpg_key {
     dialog --title $"My PGP/GPG Key" \
            --backtitle $"Freedombone User Control Panel" \
            --msgbox $"Email Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE" 12 70
+    clear
+    echo $"Your GPG/PGP public key:"
+    gpg --armor --export "$GPG_ID" | qrencode -t UTF8
+    any_key
 }
 
 function show_full_gpg_key {

src/freedombone-image

@@ -74,6 +74,8 @@ IMAGE_NAME='full'
 USERNAME="$USER"
 PASSWORD=
 
+CONTINUOUS_INTEGRATION=
+
 # IP address of the router (gateway)
 ROUTER_IP_ADDRESS="192.168.1.254"
 
@@ -378,6 +380,10 @@ do
             shift
             INTERACTIVE="$1"
             ;;
+        --ci)
+            shift
+            CONTINUOUS_INTEGRATION="$1"
+            ;;
         -g|--generic)
             shift
             GENERIC_IMAGE="$1"
@@ -614,6 +620,7 @@ make "$IMAGE_TYPE" \
      AMNESIC="$AMNESIC" \
      SOCIALINSTANCE="$SOCIALINSTANCE" \
      EXTERNAL_DRIVE="$EXTERNAL_DRIVE" \
+     CONTINUOUS_INTEGRATION="$CONTINUOUS_INTEGRATION" \
      LOCAL_NAME="$LOCAL_NAME"
 
 # shellcheck disable=SC2181
@@ -641,8 +648,8 @@ fi
 for im in ${image_types[@]}
 do
     # shellcheck disable=SC2012,SC2086
-    no_of_files=$(ls -afq build/${PROJECT_NAME}*.${im} | wc -l)
-    if (( no_of_files > 0 )); then
+    no_of_files=$(ls -l build/${PROJECT_NAME}*.${im} | wc -l)
+    if [ "$no_of_files" -gt 0 ]; then
         # shellcheck disable=SC2086
         mv build/${PROJECT_NAME}*.${im} ${CURR_DIR}/
         # shellcheck disable=SC2086

src/freedombone-image-customise

@@ -139,6 +139,8 @@ BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
 BMX7_REPO="https://github.com/bmx-routing/bmx7"
 BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
 
+CONTINUOUS_INTEGRATION=
+
 PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
 
 # Whether to use a SATA drive and if so what its device/partition name is
@@ -1766,8 +1768,8 @@ image_setup_utils() {
     chroot "$rootdir" apt-get -yq -t stretch-backports install tor
     chroot "$rootdir" apt-get -yq install connect-proxy
     chroot "$rootdir" connect-proxy
-    sed -i 's|#Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
-    sed -i 's|Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
+    sed -i 's|#Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
+    sed -i 's|Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
     sed -i "s|#AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
     sed -i "s|AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
     if ! grep -q 'Host *.onion' "$rootdir/root/.ssh/config"; then

src/freedombone-image-make

@@ -78,6 +78,7 @@ export AMNESIC
 export SOCIALINSTANCE
 export LOCAL_NAME
 export EXTERNAL_DRIVE
+export CONTINUOUS_INTEGRATION
 
 # Locate vmdebootstrap program fetched in Makefile
 basedir=`pwd`
@@ -228,6 +229,7 @@ sed -i "s|SOCIALINSTANCE=.*|SOCIALINSTANCE=\"${SOCIALINSTANCE}\"|g" "$TEMP_CUSTO
 sed -i "s|LOCAL_NAME=.*|LOCAL_NAME=\"${LOCAL_NAME}\"|g" "$TEMP_CUSTOMISE3"
 sed -i "s|EXTERNAL_DRIVE=.*|EXTERNAL_DRIVE=\"${EXTERNAL_DRIVE}\"|g" "$TEMP_CUSTOMISE3"
 sed -i 's|#!/bin/bash||g' "$TEMP_CUSTOMISE3"
+sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=${CONTINUOUS_INTEGRATION}|g" "$TEMP_CUSTOMISE3"
 
 cat $TEMP_CUSTOMISE2 $TEMP_CUSTOMISE3 > $TEMP_CUSTOMISE4
 if [ -f $TEMP_CUSTOMISE ]; then

src/freedombone-image-makefile

@@ -41,8 +41,13 @@ IMAGE = $(NAME).img
 ARCHIVE = $(IMAGE).xz
 SIGNATURE = $(ARCHIVE).sig
 OWNER = 1000
-XZ = xz --no-warn --verbose --keep --threads=0 -3
-SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
+ifeq ("$CONTINUOUS_INTEGRATION", "")
+    XZ = xz --no-warn --verbose --keep --threads=0 -3 $(IMAGE)
+    SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
+else
+	XZ =
+	SIGN =
+endif
 
 # settings for `make test`
 TEST_SSH_PORT = 2222
@@ -90,7 +95,7 @@ beaglebone: prep
 	$(eval MACHINE = beaglebone)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -101,7 +106,7 @@ cubieboard2: prep
 	$(eval MACHINE = cubieboard2)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -112,7 +117,7 @@ pcduino3: prep
 	$(eval MACHINE = pcduino3)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -123,7 +128,7 @@ cubietruck: prep
 	$(eval MACHINE = cubietruck)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -135,7 +140,7 @@ a20-olinuxino-lime: prep
 	$(eval IMAGE = $(NAME).img)
 	$(MAKE_IMAGE)
 	rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 
@@ -145,7 +150,7 @@ a20-olinuxino-lime2: prep
 	$(eval MACHINE = a20-olinuxino-lime2)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -156,7 +161,7 @@ a20-olinuxino-micro: prep
 	$(eval MACHINE = a20-olinuxino-micro)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -167,7 +172,7 @@ i386: prep
 	$(eval MACHINE = all)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -178,7 +183,7 @@ i686: prep
 	$(eval MACHINE = all)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -189,7 +194,7 @@ amd64: prep
 	$(eval MACHINE = all)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -200,7 +205,7 @@ apu: prep
 	$(eval MACHINE = all)
 	$(MAKE_IMAGE)
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -215,7 +220,7 @@ qemu-i386: prep
 	# Convert image to qemu format
 	qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."
@@ -227,7 +232,7 @@ qemu-x86_64: prep
 	# Convert image to qemu format
 	qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
 	@rm -f $(ARCHIVE)
-	$(XZ) $(IMAGE)
+	$(XZ)
 	@echo ""
 	$(SIGN)
 	@echo "Build complete."

src/freedombone-logging

@@ -179,9 +179,8 @@ if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then
 else
     turn_logging_off
 
-    if [ -d /etc/tor ]; then
-        echo 'Log notice file /dev/null' > /etc/torrc.d/logging
-        rm /var/log/tor/*
+    if [ -d /etc/torrc.d ]; then
+        echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
     fi
     if [ -d /var/log/radicale ]; then
         $REMOVE_FILES_COMMAND /var/log/radicale/*

src/freedombone-tests

@@ -759,6 +759,12 @@ function test_stig {
     output "V-38605" $? ${SETLANG}
     ################
 
+    ##Check that openssh client and server are installed
+    bash $STIG_TESTS_DIR/check-ssh.sh installed >/dev/null 2>&1 &
+    stig_spinner $!
+    output "SV-86857r1_rule" $? ${SETLANG}
+    ################
+    
     ##RHEL-06-000227
     ##The SSH daemon must be configured to use only the SSHv2 protocol.
 

src/freedombone-tor-health

@@ -0,0 +1,62 @@
+#!/bin/bash
+#  _____               _           _
+# |   __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
+# |   __|  _| -_| -_| . | . |     | . | . |   | -_|
+# |__|  |_| |___|___|___|___|_|_|_|___|___|_|_|___|
+#
+#                              Freedom in the Cloud
+#
+# Returns a health status for Tor
+#
+# License
+# =======
+#
+# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+PROJECT_NAME='freedombone'
+
+export TEXTDOMAIN=${PROJECT_NAME}-tor-health
+export TEXTDOMAINDIR="/usr/share/locale"
+
+d1=$(date --date="-10 min" "+%b %d %H:%M"):00
+d2=$(date "+%b %d %H:%M"):00
+ctr=0
+echo -n '' > /var/log/tor/notices_new.log
+while read -r line; do
+    datestr=$(echo "$line" | awk -F '.' '{print $1}')
+    if [[ "$datestr" > "$d1" && "$datestr" < "$d2" || "$datestr" =~ $d2 ]]; then
+        if [[ "$line" == *'Retrying'* ]]; then
+            ctr=$((ctr+1))
+        fi
+        echo "$line" >> /var/log/tor/notices_new.log
+    fi
+done < /var/log/tor/notices.log
+
+mv /var/log/tor/notices_new.log /var/log/tor/notices.log
+chown -R debian-tor:adm /var/log/tor
+
+if [ $ctr -gt 5 ]; then
+    echo $'Failed'
+    exit 0
+fi
+
+if [ $ctr -gt 0 ]; then
+    echo $'Poor'
+    exit 0
+fi
+
+echo $'Good'
+exit 0

src/freedombone-utils-firewall

@@ -32,6 +32,7 @@ FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
 FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
 FIREWALL_EIFACE=eth0
 EXTERNAL_IPV4_ADDRESS=
+FIREFOX_TELEMETRY_IP='52.88.27.118'
 
 function save_firewall_settings {
     iptables-save > /etc/firewall.conf
@@ -47,6 +48,25 @@ function save_firewall_settings {
     fi
 }
 
+function block_firefox_telemetry {
+    # This shouldn't be needed on a server, but we'll do it anyway
+    # to be on the safe side
+    # Within firefox source code see submit_telemetry_data.py
+
+    if ! grep -q 'telemetry.mozilla' /etc/hosts; then
+	echo '127.0.0.1  telemetry.mozilla.org' >> /etc/hosts
+	echo '127.0.0.1  incoming.telemetry.mozilla.org' >> /etc/hosts
+    fi
+        
+    if grep -q "$FIREFOX_TELEMETRY_IP" /etc/firewall.conf; then
+        return
+    fi
+
+    iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP
+    iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP
+    save_firewall_settings
+}
+
 function firewall_block_bad_ip_ranges {
     if [ "$INSTALLING_MESH" ]; then
         return
@@ -340,6 +360,32 @@ function mesh_firewall {
     FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
     MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
 
+    if ! grep -q 'telemetry.mozilla' ${rootdir}/etc/hosts; then
+	echo '127.0.0.1       telemetry.mozilla.org' >> ${rootdir}/etc/hosts
+	echo '127.0.0.1       incoming.telemetry.mozilla.org' >> ${rootdir}/etc/hosts
+    fi
+
+    if ! grep -q 'facebook' ${rootdir}/etc/hosts; then
+	{ echo '127.0.0.1       www.facebook.com';
+	  echo '127.0.0.1       facebook.com';
+	  echo '127.0.0.1       static.ak.fbcdn.net';
+	  echo '127.0.0.1       www.static.ak.fbcdn.net';
+	  echo '127.0.0.1       login.facebook.com';
+	  echo '127.0.0.1       www.login.facebook.com';
+	  echo '127.0.0.1       fbcdn.net';
+	  echo '127.0.0.1       www.fbcdn.net';
+	  echo '127.0.0.1       fbcdn.com';
+	  echo '127.0.0.1       www.fbcdn.com';
+	  echo '127.0.0.1       static.ak.connect.facebook.com';
+	  echo '127.0.0.1       www.static.ak.connect.facebook.com'; } >> ${rootdir}/etc/hosts	
+    fi
+    
+    if ! grep -q 'google' ${rootdir}/etc/hosts; then
+	{ echo '127.0.0.1       www.google-analytics.com';
+	  echo '127.0.0.1       google-analytics.com';
+	  echo '127.0.0.1       ssl.google-analytics.com'; } >> ${rootdir}/etc/hosts
+    fi    
+    
     { echo '#!/bin/bash';
       echo 'iptables -P INPUT ACCEPT';
       echo 'ip6tables -P INPUT ACCEPT';
@@ -387,7 +433,9 @@ function mesh_firewall {
       echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
       echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
       echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
-      echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
+      echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT";
+      echo "iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP";
+      echo "iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP"; } > "$MESH_FIREWALL_SCRIPT"
     chmod +x "$MESH_FIREWALL_SCRIPT"
 
     { echo '[Unit]';

src/freedombone-utils-onion

@@ -311,6 +311,34 @@ function configure_ssh_onion {
     mark_completed "${FUNCNAME[0]}"
 }
 
+function check_tor_health {
+    { echo '#!/bin/bash';
+      echo "status=\$(${PROJECT_NAME}-tor-health)";
+      echo "ADMIN_USER=\$(grep \"MY_USERNAME=\" ~/${PROJECT_NAME}.cfg | awk -F '=' '{print \$2}')";
+      echo "if [[ \"\$status\" == 'G'* ]]; then";
+      echo '    if [ -f /tmp/.torfailed ]; then';
+      echo '        rm /tmp/.torfailed';
+      echo "        tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is now \$status\" \$ADMIN_USER@\$HOSTNAME";
+      echo '    fi';
+      echo '    exit 0';
+      echo 'fi';
+      echo 'if [ ! -f /tmp/.torfailed ]; then';
+      echo "    tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
+      echo "    echo \"\$status\" > /tmp/.torfailed";
+      echo 'else';
+      echo "    prev_status=\$(cat /tmp/.torfailed)";
+      echo "    if [[ \"\$prev_status\" != \"\$status\" ]]; then";
+      echo "        tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
+      echo "        echo \"\$status\" > /tmp/.torfailed";
+      echo '    fi';
+      echo 'fi'; } > /usr/bin/check_tor_health
+    chmod +x /usr/bin/check_tor_health
+
+    if ! grep -q 'check_tor_health' /etc/crontab; then
+        cron_add_mins 10 "/usr/bin/check_tor_health"
+    fi
+}
+
 function install_tor {
     if [[ $SYSTEM_TYPE == "mesh*" ]]; then
         return
@@ -336,7 +364,7 @@ function install_tor {
         echo '%include /etc/torrc.d' >> /etc/tor/torrc
     fi
 
-    echo 'Log notice file /dev/null' > /etc/torrc.d/logging
+    echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
     echo "AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes" > /etc/torrc.d/maxtraffic
 
     mark_completed "${FUNCNAME[0]}"

src/freedombone-utils-setup

@@ -720,6 +720,9 @@ function setup_firewall {
     function_check configure_firewall
     configure_firewall
 
+    function_check block_firefox_telemetry
+    block_firefox_telemetry
+
     function_check configure_firewall_ping
     configure_firewall_ping
 
@@ -971,6 +974,9 @@ function setup_utils {
     function_check install_tor
     install_tor
 
+    function_check check_tor_health
+    check_tor_health
+
     function_check install_command_line_browser
     install_command_line_browser
 

tests/check-ssh.sh

@@ -44,6 +44,19 @@ case $1 in
             exit 1
         fi
         ;;
+    installed)
+	OPENSSH_SERVER=$(dpkg -s openssh-server | grep -i "Status:.*install.*ok.*installed" | wc -l)
+	OPENSSH_CLIENT=$(dpkg -s openssh-client | grep -i "Status:.*install.*ok.*installed" | wc -l)
+	if [ ${OPENSSH_SERVER} -eq 1 ]; then
+	    if [ ${OPENSSH_CLIENT} -eq 1 ]; then
+		:
+	    else
+		exit 1
+	    fi
+	else
+	    exit 1
+	fi	
+	;;    
     sshd_status)
         if systemctl status sshd | grep "Active:.*(running)";then
             :

tests/output.sh

@@ -1399,6 +1399,15 @@ disabled. The "nis" service can be disabled with the following commands:\n\n#upd
                   printf '\n######################\n\nSTIG-ID:RHEL-06-000224\n\nVulnerability Discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.\n\nFix text: The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:\n\n#update-rc.d cron defaults\nservice cron start\n\n######################\n\n' >> $LOG
               fi
               ;;
+    SV-86857r1_rule) if [ "$3" = "en" ]; then
+			 log_msg $2 'OpenSSH server and client must be installed.'
+		     else
+			 log_msg $2 '必须安装OpenSSH服务器和客户端'
+		     fi		     
+		     if [ $2 -ne 0 ];then
+			 printf '\n######################\n\nWithout protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n######################\n\n' >> $LOG
+		     fi
+		     ;;
     V-38607)  if [ "$3" = "en" ]; then
                   log_msg $2 'The SSH daemon must be configured to use only the SSHv2 protocol.'
               else