freedombone-utils-setup 35KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186
  1. #!/bin/bash
  2. #
  3. # .---. . .
  4. # | | |
  5. # |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
  6. # | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
  7. # ' ' --' --' -' - -' ' ' -' -' -' ' - --'
  8. #
  9. # Freedom in the Cloud
  10. #
  11. # Setup functions
  12. #
  13. # License
  14. # =======
  15. #
  16. # Copyright (C) 2014-2018 Bob Mottram <bob@freedombone.net>
  17. #
  18. # This program is free software: you can redistribute it and/or modify
  19. # it under the terms of the GNU Affero General Public License as published by
  20. # the Free Software Foundation, either version 3 of the License, or
  21. # (at your option) any later version.
  22. #
  23. # This program is distributed in the hope that it will be useful,
  24. # but WITHOUT ANY WARRANTY; without even the implied warranty of
  25. # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  26. # GNU Affero General Public License for more details.
  27. #
  28. # You should have received a copy of the GNU Affero General Public License
  29. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  30. if [ ! $PROJECT_NAME ]; then
  31. PROJECT_NAME='freedombone'
  32. fi
  33. if [ ! $LOCAL_NAME ]; then
  34. LOCAL_NAME=${PROJECT_NAME}
  35. fi
  36. DEFAULT_DOMAIN_NAME=
  37. DEFAULT_DOMAIN_CODE=
  38. MY_USERNAME=
  39. if [ ! $SYSTEM_TYPE ]; then
  40. SYSTEM_TYPE="full"
  41. fi
  42. # An optional configuration file which overrides some of these variables
  43. if [ ! $CONFIGURATION_FILE ]; then
  44. CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg"
  45. fi
  46. # Directory where source code is downloaded and compiled
  47. INSTALL_DIR=$HOME/build
  48. # device name for an attached usb drive
  49. USB_DRIVE=/dev/sda1
  50. # Location where the USB drive is mounted to
  51. USB_MOUNT=/mnt/usb
  52. # Number of days to keep backups for
  53. BACKUP_MAX_DAYS=30
  54. # file containing a list of remote locations to backup to
  55. # Format: [username@friendsdomain//home/username] [ssh_password]
  56. # With the only space character being between the server and the password
  57. FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
  58. export DEBIAN_FRONTEND=noninteractive
  59. # used to limit CPU usage
  60. CPULIMIT='/usr/bin/cpulimit -l 20 -e'
  61. # command to create a git repository
  62. CREATE_GIT_PROJECT_COMMAND='create-project'
  63. # File which keeps track of what has already been installed
  64. COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
  65. # log file where details of remote backups are stored
  66. REMOTE_BACKUPS_LOG=/var/log/remotebackups.log
  67. # message if something fails to install
  68. CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolvconf/resolv.conf.d/head, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
  69. # Default diffie-hellman key length in bits
  70. DH_KEYLENGTH=2048
  71. function support_256_colours {
  72. if ! grep 'xterm-256color' /etc/skel/.profile; then
  73. echo '' >> /etc/skel/.profile
  74. echo 'export TERM=xterm-256color' >> /etc/skel/.profile
  75. fi
  76. if ! grep 'xterm-256color' /home/$MY_USERNAME/.profile; then
  77. echo '' >> /home/$MY_USERNAME/.profile
  78. echo 'export TERM=xterm-256color' >> /home/$MY_USERNAME/.profile
  79. chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.profile
  80. fi
  81. }
  82. function detect_usb_drive {
  83. # sets to the highest available drive letter
  84. # which is likely to be the last drive connected
  85. read_config_param USB_DRIVE
  86. partition_number='1'
  87. if [[ "$1" == "nopath" ]]; then
  88. partition_number=''
  89. fi
  90. if [ -b /dev/sda${partition_number} ]; then
  91. USB_DRIVE=/dev/sda${partition_number}
  92. fi
  93. if [ -b /dev/sdb${partition_number} ]; then
  94. USB_DRIVE=/dev/sdb${partition_number}
  95. fi
  96. if [ -b /dev/sdc${partition_number} ]; then
  97. USB_DRIVE=/dev/sdc${partition_number}
  98. fi
  99. if [ -b /dev/sdd${partition_number} ]; then
  100. USB_DRIVE=/dev/sdd${partition_number}
  101. fi
  102. if [ -b /dev/sde${partition_number} ]; then
  103. USB_DRIVE=/dev/sde${partition_number}
  104. fi
  105. if [ -b /dev/sdf${partition_number} ]; then
  106. USB_DRIVE=/dev/sdf${partition_number}
  107. fi
  108. if [ -b /dev/sdg${partition_number} ]; then
  109. USB_DRIVE=/dev/sdg${partition_number}
  110. fi
  111. if [ -b /dev/sdh${partition_number} ]; then
  112. USB_DRIVE=/dev/sdh${partition_number}
  113. fi
  114. write_config_param USB_DRIVE "$USB_DRIVE"
  115. }
  116. function separate_tmp_filesystem {
  117. tmp_filesystem_size_mb=$1
  118. if [ ! -d /tmp ]; then
  119. mkdir -p /tmp
  120. fi
  121. if ! grep -q '/tmp' /etc/fstab; then
  122. mount -t tmpfs -o size=${tmp_filesystem_size_mb}m tmpfs /tmp
  123. echo "tmpfs /tmp tmpfs nodev,nosuid,noexec,nodiratime,size=${tmp_filesystem_size_mb}M 0 0" >> /etc/fstab
  124. fi
  125. }
  126. function proc_filesystem_settings {
  127. if ! grep -q "proc proc defaults,nodev,nosuid " /etc/fstab; then
  128. sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab
  129. fi
  130. }
  131. function remove_bluetooth {
  132. bluetooth_changed=
  133. bnep_exists=$(lsmod | grep bnep)
  134. if [[ "$bnep_exists" == "bnep"* ]]; then
  135. rmmod -f bnep
  136. bluetooth_changed=1
  137. fi
  138. bluetooth_exists=$(lsmod | grep bluetooth)
  139. if [[ "$bluetooth_exists" == "bluetooth"* ]]; then
  140. rmmod -f bluetooth
  141. bluetooth_changed=1
  142. fi
  143. if [ -f /etc/default/bluetooth ]; then
  144. if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
  145. sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
  146. else
  147. echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
  148. fi
  149. bluetooth_changed=1
  150. fi
  151. if ! grep -q 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
  152. echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
  153. bluetooth_changed=1
  154. fi
  155. if ! grep -q 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
  156. echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
  157. bluetooth_changed=1
  158. fi
  159. if ! grep -q 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
  160. echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
  161. bluetooth_changed=1
  162. fi
  163. if [ $bluetooth_changed ]; then
  164. update-initramfs -u -k `uname -r` -v
  165. update-rc.d bluetooth remove
  166. fi
  167. }
  168. function running_as_root {
  169. if [[ $EUID != 0 ]] ; then
  170. echo "0"
  171. else
  172. echo "1"
  173. fi
  174. }
  175. function reset_usb_devices {
  176. for xhci in /sys/bus/pci/drivers/?hci-pci ; do
  177. if ! cd $xhci ; then
  178. return
  179. fi
  180. echo "Resetting devices from $xhci..."
  181. for i in ????:??:??.? ; do
  182. echo -n "$i" > unbind
  183. echo -n "$i" > bind
  184. done
  185. done
  186. udevadm control --reload-rules
  187. }
  188. function install_backports_kernel {
  189. # install backports kernel if possible
  190. architecture_type=$(uname -a)
  191. if [[ "$architecture_type" == *"amd64"* ]]; then
  192. package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null)
  193. if [ ! $package_installed ]; then
  194. apt-get -yq install linux-image-amd64
  195. fi
  196. fi
  197. }
  198. function turn_off_rsys_logging {
  199. if grep -q '/dev/null' /etc/rsyslog.conf; then
  200. return
  201. fi
  202. sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf
  203. sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf
  204. sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf
  205. sed -i 's|mail.warn.*|mail.warn /dev/null|g' /etc/rsyslog.conf
  206. sed -i 's|mail.err.*|mail.err /dev/null|g' /etc/rsyslog.conf
  207. sed -i 's|daemon.\*.*|daemon.\* /dev/null|g' /etc/rsyslog.conf
  208. sed -i 's|mail.\*.*|mail.\* /dev/null|g' /etc/rsyslog.conf
  209. sed -i 's|user.\*.*|user.\* /dev/null|g' /etc/rsyslog.conf
  210. sed -i 's|news.none;mail.none.*|news.none;mail.none /dev/null|g' /etc/rsyslog.conf
  211. sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none /dev/null|g' /etc/rsyslog.conf
  212. sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf
  213. sed -i 's|cron.\*.*|cron.\* /dev/null|g' /etc/rsyslog.conf
  214. shred -zu /var/log/wtmp*
  215. shred -zu /var/log/debug*
  216. shred -zu /var/log/cron.*
  217. shred -zu /var/log/auth.*
  218. shred -zu /var/log/mail.*
  219. shred -zu /var/log/daemon.*
  220. shred -zu /var/log/user.*
  221. shred -zu /var/log/messages*
  222. }
  223. function initial_setup {
  224. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  225. return
  226. fi
  227. apt-get -yq remove --purge apache2-bin*
  228. apt-get -yq dist-upgrade
  229. apt-get -yq install ca-certificates
  230. apt-get -yq install apt-utils
  231. apt-get -yq install cryptsetup libgfshare-bin duplicity sshpass wget avahi-daemon
  232. apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
  233. apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
  234. apt-get -yq install avahi-discover iptables dnsutils net-tools
  235. apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
  236. apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
  237. apt-get -yq install wireless-tools wpasupplicant usbutils zsh cpulimit screen
  238. apt-get -yq install pinentry-curses eatmydata iotop bc hostapd
  239. # With some VMs, the hardware cycles counter is emulated and deterministic,
  240. # and thus predictible, so havege should not be used
  241. if [[ $ARCHITECTURE != 'qemu'* ]]; then
  242. apt-get -yq install haveged
  243. fi
  244. if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
  245. apt-get -yq install grub2 lvm2
  246. fi
  247. if [ ! -d $INSTALL_DIR ]; then
  248. mkdir -p $INSTALL_DIR
  249. fi
  250. mark_completed $FUNCNAME
  251. }
  252. function turn_off_magic_sysrq {
  253. if grep -q 'kernel.sysrq = 0' /etc/sysctl.conf; then
  254. return
  255. fi
  256. if grep -q 'kernel.sysrq' /etc/sysctl.conf; then
  257. sed -i 's|#kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
  258. sed -i 's|kernel.sysrq.*|kernel.sysrq = 0|g' /etc/sysctl.conf
  259. else
  260. echo 'kernel.sysrq = 0' >> /etc/sysctl.conf
  261. fi
  262. }
  263. function setup_grub {
  264. if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
  265. if ! grep -q 'ifnames=0' /etc/default/grub; then
  266. sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1 panic=0"|g' /etc/default/grub
  267. update-grub
  268. fi
  269. fi
  270. }
  271. function admin_user_sudo {
  272. if ! grep -q "$MY_USERNAME ALL=(ALL) ALL" $rootdir/etc/sudoers; then
  273. echo "$MY_USERNAME ALL=(ALL) ALL" >> $rootdir/etc/sudoers
  274. fi
  275. }
  276. function search_for_attached_usb_drive {
  277. # If a USB drive is attached then search for email,
  278. # gpg, ssh keys and emacs configuration
  279. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  280. return
  281. fi
  282. detect_usb_drive
  283. if [ -b $USB_DRIVE ]; then
  284. if [ ! -d $USB_MOUNT ]; then
  285. echo $'Mounting USB drive'
  286. mkdir $USB_MOUNT
  287. mount $USB_DRIVE $USB_MOUNT
  288. fi
  289. if [ -d $USB_MOUNT/.gnupg ]; then
  290. echo $'Importing GPG keyring'
  291. cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
  292. chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
  293. if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
  294. echo $'GPG files did not copy'
  295. exit 73529
  296. fi
  297. fi
  298. if [ -f $USB_MOUNT/private_key.gpg ]; then
  299. echo $'GPG private key found on USB drive'
  300. MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
  301. fi
  302. if [ -f $USB_MOUNT/public_key.gpg ]; then
  303. echo $'GPG public key found on USB drive'
  304. MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
  305. fi
  306. if [ -f $USB_MOUNT/letsencrypt ]; then
  307. echo $'Copying letsencrypt keys"'
  308. cp -r $USB_MOUNT/letsencrypt /etc
  309. fi
  310. if [ -d $USB_MOUNT/.ssh ]; then
  311. echo $'Importing ssh keys'
  312. cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
  313. chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
  314. # for security delete the ssh keys from the usb drive
  315. if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
  316. echo $'ssh files did not copy'
  317. exit 8
  318. fi
  319. fi
  320. if [ -f $USB_MOUNT/.emacs ]; then
  321. echo $'Importing .emacs file'
  322. cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
  323. chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
  324. fi
  325. if [ -d $USB_MOUNT/.emacs.d ]; then
  326. echo $'Importing .emacs.d directory'
  327. cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
  328. chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
  329. fi
  330. if [ -d $USB_MOUNT/ssl ]; then
  331. echo $'Importing SSL certificates'
  332. cp -r $USB_MOUNT/ssl/* /etc/ssl
  333. chmod 640 /etc/ssl/certs/*
  334. chmod 400 /etc/ssl/private/*
  335. # change ownership of some certificates
  336. if [ -d /etc/prosody ]; then
  337. chown prosody:prosody /etc/ssl/private/xmpp.*
  338. chown prosody:prosody /etc/ssl/certs/xmpp.*
  339. fi
  340. if [ -d /etc/dovecot ]; then
  341. chown root:dovecot /etc/ssl/certs/dovecot.*
  342. chown root:dovecot /etc/ssl/private/dovecot.*
  343. fi
  344. if [ -f /etc/ssl/private/exim.key ]; then
  345. cp /etc/ssl/private/exim.key /etc/exim4
  346. cp /etc/ssl/certs/exim.crt /etc/exim4
  347. cp /etc/ssl/certs/exim.dhparam /etc/exim4
  348. chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
  349. chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
  350. fi
  351. fi
  352. if [ -d $USB_MOUNT/personal ]; then
  353. echo $'Importing personal directory'
  354. cp -r $USB_MOUNT/personal /home/$MY_USERNAME
  355. chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
  356. fi
  357. else
  358. if [ -d $USB_MOUNT ]; then
  359. umount $USB_MOUNT
  360. rm -rf $USB_MOUNT
  361. fi
  362. echo $'No USB drive attached'
  363. fi
  364. mark_completed $FUNCNAME
  365. }
  366. function mark_admin_user_account {
  367. set_completion_param "Admin user" "$MY_USERNAME"
  368. }
  369. function remove_instructions_from_motd {
  370. if grep -q "## " /etc/motd; then
  371. sed -i '/## /d' /etc/motd
  372. fi
  373. }
  374. function remove_default_user {
  375. # make sure you don't use the default user account
  376. if [[ $MY_USERNAME == "debian" ]]; then
  377. echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
  378. exit 68
  379. fi
  380. # remove the default debian user to prevent it from becoming an attack vector
  381. if [ -d /home/debian ]; then
  382. userdel -r debian
  383. echo 'Default debian user account removed'
  384. fi
  385. }
  386. function create_completion_file {
  387. if [ ! -f $COMPLETION_FILE ]; then
  388. touch $COMPLETION_FILE
  389. fi
  390. }
  391. function remove_management_engine_interface {
  392. # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
  393. # Disabling this interface doesn't cure the problems of ME, but it
  394. # might stop an adversary in control of AMT from using the command
  395. # interface to control the operating system.
  396. if [ -f /dev/mei0 ]; then
  397. rmmod mei_me
  398. rmmod mei0
  399. fi
  400. blacklist_changed=
  401. if [ ! -f /etc/modprobe.d/blacklist.conf ]; then
  402. touch /etc/modprobe.d/blacklist.conf
  403. blacklist_changed=1
  404. fi
  405. if ! grep -q "blacklist mei" /etc/modprobe.d/blacklist.conf; then
  406. echo "blacklist mei" >> /etc/modprobe.d/blacklist.conf
  407. blacklist_changed=1
  408. fi
  409. if ! grep -q "blacklist mei_me" /etc/modprobe.d/blacklist.conf; then
  410. echo "blacklist mei_me" >> /etc/modprobe.d/blacklist.conf
  411. blacklist_changed=1
  412. fi
  413. if [ $blacklist_changed ]; then
  414. depmod -ae -E
  415. update-initramfs -u
  416. fi
  417. }
  418. function set_login_umask {
  419. logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#')
  420. if [[ "$logindefs_umask" != *'077' ]]; then
  421. sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
  422. fi
  423. }
  424. function disable_deferred_execution {
  425. systemctl stop atd
  426. systemctl disable atd
  427. }
  428. function set_shadow_permissions {
  429. chown root:root /etc/shadow
  430. chmod 0000 /etc/shadow
  431. chown root:root /etc/gshadow
  432. chmod 0000 /etc/gshadow
  433. }
  434. function set_max_login_tries {
  435. max_tries=$1
  436. if ! grep -q ' deny=' /etc/pam.d/common-auth; then
  437. sed -i "/pam_deny.so/a auth required\t\t\tpam_tally.so onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
  438. else
  439. if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then
  440. sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
  441. fi
  442. fi
  443. if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then
  444. sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
  445. fi
  446. }
  447. function limit_user_logins {
  448. # overall max logins
  449. if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then
  450. echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
  451. else
  452. if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then
  453. sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
  454. fi
  455. fi
  456. # Max logins for each user
  457. if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then
  458. echo '* hard maxlogins 2' >> /etc/security/limits.conf
  459. else
  460. if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then
  461. sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
  462. fi
  463. fi
  464. }
  465. function remove_serial_logins {
  466. if grep -q 'ttyS' /etc/securetty; then
  467. cp /etc/securetty /etc/securetty_old
  468. sed -i '/ttyS/d' /etc/securetty
  469. fi
  470. }
  471. function set_sticky_bits {
  472. world_writable=$(find / -xdev -type d -perm -002 \! -perm -1000)
  473. for w in $world_writable; do
  474. echo "Setting sticky bit on $w"
  475. chmod +t $w
  476. done
  477. }
  478. function disable_ctrl_alt_del {
  479. ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target)
  480. if [[ "$ctrl_alt_del" != *'/dev/null' ]]; then
  481. ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
  482. fi
  483. }
  484. function lockdown_permissions {
  485. if [ -d /root/.npm ]; then
  486. chmod -R 700 /root/.npm
  487. fi
  488. # All commands owned by root
  489. if [ -d /root/.cache/yarn ]; then
  490. rm -rf /root/.cache/yarn
  491. fi
  492. if [ -d /usr/local/share/.cache/yarn ]; then
  493. rm -rf /usr/local/share/.cache/yarn
  494. fi
  495. if [ -f /usr/lib/ssl/certs/ssl-cert-snakeoil.pem ]; then
  496. chown root:root /usr/lib/ssl/certs/ssl-cert-snake*
  497. fi
  498. if [ -d /bin ]; then
  499. chown root:root /bin/*
  500. fi
  501. if [ -d /usr/bin ]; then
  502. chown root:root /usr/bin/*
  503. fi
  504. if [ -d /usr/local/bin ]; then
  505. chown root:root /usr/local/bin/*
  506. fi
  507. if [ -d /sbin ]; then
  508. chown root:root /sbin/*
  509. fi
  510. if [ -d /usr/sbin ]; then
  511. chown root:root /usr/sbin/*
  512. fi
  513. if [ -d /usr/local/sbin ]; then
  514. chown root:root /usr/local/sbin/*
  515. fi
  516. if [ -d /usr/share/${PROJECT_NAME} ]; then
  517. chown -R root:root /usr/share/${PROJECT_NAME}
  518. chmod -R +r /usr/share/${PROJECT_NAME}
  519. fi
  520. # All libraries owned by root
  521. if [ -d /lib ]; then
  522. chown -R root:root /lib/*
  523. fi
  524. if [ -d /lib64 ]; then
  525. chown -R root:root /lib64/*
  526. fi
  527. if [ -d /usr/lib ]; then
  528. chown -R root:root /usr/lib/*
  529. if [ -d /usr/lib/node_modules ]; then
  530. chmod -R 750 /usr/lib/node_modules/*
  531. fi
  532. if [ -d /usr/lib/prosody ]; then
  533. chown -R prosody:prosody /usr/lib/prosody
  534. fi
  535. fi
  536. if [ -d /usr/lib64 ]; then
  537. chown -R root:root /usr/lib64/*
  538. fi
  539. # sudo permissions
  540. chmod 4755 /usr/bin/sudo
  541. chmod 4755 /usr/lib/sudo/sudoers.so
  542. chown root:root /etc/sudoers
  543. # permissions on email commands
  544. if [ -f /usr/bin/procmail ]; then
  545. chmod 6755 /usr/bin/procmail
  546. fi
  547. if [ -f /usr/sbin/exim ]; then
  548. chmod u+s /usr/sbin/exim
  549. fi
  550. if [ -f /usr/sbin/exim4 ]; then
  551. chmod u+s /usr/sbin/exim4
  552. fi
  553. set_sticky_bits
  554. # Create some directories to correspond with users in passwords file
  555. if [ ! -d /var/spool/lpd ]; then
  556. mkdir /var/spool/lpd
  557. fi
  558. if [ ! -d /var/spool/news ]; then
  559. mkdir /var/spool/news
  560. fi
  561. if [ ! -d /var/spool/uucp ]; then
  562. mkdir /var/spool/uucp
  563. fi
  564. if [ ! -d /var/list ]; then
  565. mkdir /var/list
  566. fi
  567. if [ ! -d /var/lib/gnats ]; then
  568. mkdir /var/lib/gnats
  569. fi
  570. if [ ! -d /var/lib/saned ]; then
  571. mkdir /var/lib/saned
  572. fi
  573. if [ -d /etc/prosody ]; then
  574. chown -R prosody /etc/prosody
  575. chmod -R 700 /etc/prosody/conf.d
  576. fi
  577. if [ -d /var/lib/prosody ]; then
  578. chown -R prosody /var/lib/prosody
  579. fi
  580. if [ -d /etc/letsencrypt ]; then
  581. chmod -R 600 /etc/letsencrypt
  582. chmod -R g=rX /etc/letsencrypt
  583. chown -R root:ssl-cert /etc/letsencrypt
  584. fi
  585. chown -f root:root /etc/motd /etc/issue*
  586. chmod -f 0444 /etc/motd /etc/issue*
  587. }
  588. function disable_core_dumps {
  589. if ! grep -q '* hard core' /etc/security/limits.conf; then
  590. echo '* hard core 0' >> /etc/security/limits.conf
  591. else
  592. if ! grep -q '* hard core 0' /etc/security/limits.conf; then
  593. sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
  594. fi
  595. fi
  596. }
  597. function dummy_nologin_command {
  598. if [ ! -f /sbin/nologin ]; then
  599. echo '#!/bin/bash' > /sbin/nologin
  600. chmod +x /sbin/nologin
  601. fi
  602. }
  603. function disable_null_passwords {
  604. if grep -q ' nullok_secure' /etc/pam.d/common-auth; then
  605. sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
  606. fi
  607. }
  608. function create_usb_canary {
  609. if [[ $SYSTEM_TYPE == "mesh"* ]]; then
  610. return
  611. fi
  612. if [[ $(is_completed $FUNCNAME) == "1" ]]; then
  613. return
  614. fi
  615. echo "ACTION==\"add\", KERNEL==\"sd*[!0-9]\", RUN+=\"/usr/local/bin/${PROJECT_NAME}-usb-canary\"" > /etc/udev/rules.d/00-usb-canary.rules
  616. udevadm control --reload-rules
  617. mark_completed $FUNCNAME
  618. }
  619. function setup_firewall {
  620. function_check create_completion_file
  621. create_completion_file
  622. function_check configure_firewall
  623. configure_firewall
  624. function_check configure_firewall_ping
  625. configure_firewall_ping
  626. function_check firewall_drop_telnet
  627. firewall_drop_telnet
  628. function_check firewall_drop_spoofed_packets
  629. firewall_drop_spoofed_packets
  630. function_check firewall_rate_limits
  631. firewall_rate_limits
  632. function_check configure_firewall_for_dns
  633. configure_firewall_for_dns
  634. function_check configure_firewall_for_avahi
  635. configure_firewall_for_avahi
  636. function_check global_rate_limit
  637. global_rate_limit
  638. function_check firewall_block_bad_ip_ranges
  639. firewall_block_bad_ip_ranges
  640. }
  641. function setup_powerline {
  642. if [ -f ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
  643. if [ ! -f ~/.powerline.bash ]; then
  644. cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
  645. else
  646. HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
  647. HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
  648. if [[ "$HASH1" != "$HASH2" ]]; then
  649. cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
  650. fi
  651. fi
  652. if [ ! -f /etc/skel/.powerline.bash ]; then
  653. cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
  654. else
  655. HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
  656. HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
  657. if [[ "$HASH1" != "$HASH2" ]]; then
  658. cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
  659. fi
  660. fi
  661. else
  662. if [ -f /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
  663. if [ ! -f ~/.powerline.bash ]; then
  664. cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
  665. else
  666. HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
  667. HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
  668. if [[ "$HASH1" != "$HASH2" ]]; then
  669. cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
  670. fi
  671. fi
  672. if [ ! -f /etc/skel/.powerline.bash ]; then
  673. cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
  674. else
  675. HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
  676. HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
  677. if [[ "$HASH1" != "$HASH2" ]]; then
  678. cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
  679. fi
  680. fi
  681. fi
  682. fi
  683. if ! grep -q "powerline" ~/.bashrc; then
  684. if [ -f ~/.powerline.bash ]; then
  685. echo 'source ~/.powerline.bash' >> ~/.bashrc
  686. fi
  687. fi
  688. if ! grep -q "powerline" /etc/skel/.bashrc; then
  689. if [ -f /etc/skel/.powerline.bash ]; then
  690. echo 'source ~/.powerline.bash' >> /etc/skel/.bashrc
  691. fi
  692. fi
  693. }
  694. function congestion_control {
  695. # see /proc/sys/net/ipv4/tcp_congestion_control
  696. if [ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]; then
  697. echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf
  698. echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf
  699. sysctl --system
  700. fi
  701. }
  702. function setup_utils {
  703. read_config_param "PROJECT_REPO"
  704. write_config_param "PROJECT_REPO" "$PROJECT_REPO"
  705. function_check remove_management_engine_interface
  706. remove_management_engine_interface
  707. function_check support_256_colours
  708. support_256_colours
  709. function_check congestion_control
  710. congestion_control
  711. function_check enable_predictable_device_names
  712. enable_predictable_device_names
  713. function_check turn_off_magic_sysrq
  714. turn_off_magic_sysrq
  715. function_check separate_tmp_filesystem
  716. separate_tmp_filesystem 150
  717. function_check proc_filesystem_settings
  718. proc_filesystem_settings
  719. function_check optimise_filesystem
  720. optimise_filesystem
  721. function_check disable_null_passwords
  722. disable_null_passwords
  723. function_check disable_ctrl_alt_del
  724. disable_ctrl_alt_del
  725. function_check dummy_nologin_command
  726. dummy_nologin_command
  727. function_check disable_core_dumps
  728. disable_core_dumps
  729. function_check remove_serial_logins
  730. remove_serial_logins
  731. function_check set_max_login_tries
  732. set_max_login_tries 10
  733. function_check set_shadow_permissions
  734. set_shadow_permissions
  735. function_check remove_bluetooth
  736. remove_bluetooth
  737. function_check set_login_umask
  738. set_login_umask
  739. function_check disable_deferred_execution
  740. disable_deferred_execution
  741. function_check turn_off_rsys_logging
  742. turn_off_rsys_logging
  743. function_check install_backports_kernel
  744. install_backports_kernel
  745. function_check create_completion_file
  746. create_completion_file
  747. function_check read_configuration
  748. read_configuration
  749. function_check check_system_type
  750. check_system_type
  751. function_check set_default_onion_domains
  752. set_default_onion_domains
  753. function_check locale_setup
  754. locale_setup
  755. function_check parse_args
  756. parse_args
  757. function_check check_domains
  758. check_domains
  759. function_check install_static_network
  760. install_static_network
  761. function_check remove_default_user
  762. remove_default_user
  763. function_check setup_firewall
  764. setup_firewall
  765. function_check create_repo_sources
  766. create_repo_sources
  767. function_check configure_dns
  768. configure_dns
  769. function_check initial_setup
  770. initial_setup
  771. function_check setup_grub
  772. setup_grub
  773. function_check install_tor
  774. install_tor
  775. #function_check resolve_dns_via_tor
  776. #resolve_dns_via_tor
  777. function_check install_command_line_browser
  778. install_command_line_browser
  779. function_check enable_ssh_via_onion
  780. enable_ssh_via_onion
  781. function_check check_date
  782. check_date
  783. function_check install_dynamicdns
  784. install_dynamicdns
  785. function_check randomize_cron
  786. randomize_cron
  787. function_check create_freedns_updater
  788. create_freedns_updater
  789. function_check mark_admin_user_account
  790. mark_admin_user_account
  791. function_check enforce_good_passwords
  792. enforce_good_passwords
  793. function_check change_login_message
  794. change_login_message
  795. function_check enable_zram
  796. enable_zram
  797. function_check random_number_generator
  798. random_number_generator
  799. function_check set_your_domain_name
  800. set_your_domain_name
  801. function_check configure_internet_protocol
  802. configure_internet_protocol
  803. function_check create_git_project
  804. create_git_project
  805. function_check setup_wifi
  806. setup_wifi
  807. function_check configure_ssh
  808. configure_ssh
  809. function_check configure_ssh_onion
  810. configure_ssh_onion
  811. function_check allow_ssh_to_onion_address
  812. allow_ssh_to_onion_address
  813. function_check remove_instructions_from_motd
  814. remove_instructions_from_motd
  815. function_check check_hwrng
  816. check_hwrng
  817. function_check search_for_attached_usb_drive
  818. search_for_attached_usb_drive
  819. function_check regenerate_ssh_keys
  820. regenerate_ssh_keys
  821. function_check create_upgrade_script
  822. create_upgrade_script
  823. function_check letsencrypt_renewals
  824. letsencrypt_renewals
  825. function_check install_watchdog_script
  826. install_watchdog_script
  827. function_check install_avahi
  828. install_avahi
  829. function_check create_avahi_onion_domains
  830. create_avahi_onion_domains
  831. #function_check install_atheros_wifi
  832. #install_atheros_wifi
  833. function_check route_outgoing_traffic_through_tor
  834. route_outgoing_traffic_through_tor
  835. function_check upgrade_golang
  836. upgrade_golang
  837. function_check install_tomb
  838. install_tomb
  839. function_check admin_user_sudo
  840. admin_user_sudo
  841. function_check limit_user_logins
  842. limit_user_logins
  843. function_check schedule_stig_tests
  844. schedule_stig_tests
  845. function_check create_usb_canary
  846. create_usb_canary
  847. function_check setup_powerline
  848. setup_powerline
  849. }
  850. function setup_email {
  851. function_check create_completion_file
  852. create_completion_file
  853. function_check install_email
  854. install_email
  855. function_check create_procmail
  856. create_procmail
  857. function_check handle_admin_emails
  858. handle_admin_emails
  859. function_check spam_filtering
  860. spam_filtering
  861. function_check configure_imap
  862. configure_imap
  863. #function_check configure_imap_client_certs
  864. #configure_imap_client_certs
  865. function_check configure_gpg
  866. configure_gpg
  867. function_check refresh_gpg_keys
  868. refresh_gpg_keys
  869. function_check configure_backup_key
  870. configure_backup_key
  871. #function_check install_monkeysphere
  872. #install_monkeysphere
  873. function_check email_client
  874. email_client
  875. function_check encrypt_incoming_email
  876. encrypt_incoming_email
  877. function_check encrypt_outgoing_email
  878. encrypt_outgoing_email
  879. function_check email_archiving
  880. email_archiving
  881. function_check email_from_address
  882. email_from_address
  883. function_check create_public_mailing_list
  884. #create_public_mailing_list
  885. #function check create_private_mailing_list
  886. #create_private_mailing_list
  887. function_check encrypt_all_email
  888. encrypt_all_email
  889. function_check import_email
  890. import_email
  891. }
  892. function setup_web {
  893. function_check create_completion_file
  894. create_completion_file
  895. function_check install_web_server
  896. install_web_server
  897. function_check install_web_server_access_control
  898. install_web_server_access_control
  899. function_check install_web_local_user_interface
  900. install_web_local_user_interface
  901. }
  902. function upgrade_apps {
  903. function_check create_completion_file
  904. create_completion_file
  905. APPS_COMPLETED=()
  906. FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
  907. # for all the app scripts
  908. for filename in $FILES
  909. do
  910. app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
  911. item_in_array "${app_name}" "${APPS_COMPLETED[@]}"
  912. if [[ $? != 0 ]]; then
  913. function_check app_is_installed
  914. if [[ "$(app_is_installed $app_name)" == "1" ]]; then
  915. echo ''
  916. echo ''
  917. echo $"Upgrading $app_name"
  918. app_load_variables ${app_name}
  919. APPS_COMPLETED+=("${app_name}")
  920. function_check upgrade_${app_name}
  921. upgrade_${app_name}
  922. fi
  923. fi
  924. done
  925. }
  926. function setup_apps {
  927. is_interactive=$1
  928. function_check create_completion_file
  929. create_completion_file
  930. function_check detect_installable_apps
  931. detect_installable_apps
  932. function_check choose_apps_for_variant
  933. choose_apps_for_variant "$SYSTEM_TYPE"
  934. echo $"System variant: $SYSTEM_TYPE"
  935. #echo $'The following apps have been selected'
  936. #echo ''
  937. #function_check list_chosen_apps
  938. #list_chosen_apps
  939. #echo ''
  940. function_check upgrade_apps
  941. upgrade_apps
  942. if [[ $is_interactive == "noninteractive" || $is_interactive == "headless" ]]; then
  943. function_check install_apps
  944. install_apps
  945. if [ ! $APP_INSTALLED_SUCCESS ]; then
  946. echo $'One or more apps failed to install'
  947. fi
  948. fi
  949. }
  950. function combine_all_scripts {
  951. combined_filename=$1
  952. # initial variables
  953. cp $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars $combined_filename
  954. # utilities
  955. UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
  956. for f in $UTILS_FILES
  957. do
  958. # this removes the first line, which is #!/bin/bash
  959. tail -n +2 "$f" >> $combined_filename
  960. done
  961. # base system
  962. BASE_SYSTEM_FILES=/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*
  963. for f in $BASE_SYSTEM_FILES
  964. do
  965. tail -n +2 "$f" >> $combined_filename
  966. done
  967. # apps
  968. APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
  969. for f in $APP_FILES
  970. do
  971. tail -n +2 "$f" >> $combined_filename
  972. done
  973. }
  974. function check_ram_availability {
  975. minimum_ram_MB="$1"
  976. minimum_ram_bytes=$((minimum_ram_MB * 1024))
  977. ram_available=$(grep MemTotal /proc/meminfo | awk '{print $2}')
  978. if [ $ram_available -lt $minimum_ram_bytes ]; then
  979. echo $"Need at least ${minimum_ram_gb}MB RAM to install this app"
  980. exit 783524
  981. fi
  982. }
  983. # NOTE: deliberately no exit 0