From 1d3e165d2d8c1939c93af5f010875b11ee827952 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 4 Aug 2017 23:34:42 +0100
Subject: [PATCH 1/7] Don't need daily sks script because an equivalent one is already installed by the debian package
---
 src/freedombone-app-keyserver | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/src/freedombone-app-keyserver b/src/freedombone-app-keyserver
index 8ccbea7e..c2299b99 100755
--- a/src/freedombone-app-keyserver
+++ b/src/freedombone-app-keyserver
@@ -82,17 +82,6 @@ function keyserver_watchdog {
 echo 'fi' >> $keyserver_watchdog_script
 chmod +x $keyserver_watchdog_script
-
- # clear out log files daily
- keyserver_watchdog_script=/etc/cron.daily/keyserver-db
- echo '#!/bin/sh' > $keyserver_watchdog_script
- echo 'if [ -d /var/lib/sks/DB ]; then' >> $keyserver_watchdog_script
- echo ' cd /var/lib/sks/DB' >> $keyserver_watchdog_script
- echo ' systemctl stop sks' >> $keyserver_watchdog_script
- echo ' db_archive -d' >> $keyserver_watchdog_script
- echo ' systemctl start sks' >> $keyserver_watchdog_script
- echo 'fi' >> $keyserver_watchdog_script
- chmod +x $keyserver_watchdog_script
 }
From 26b80c868f1faa85e87331df9566272a38a859b2 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Fri, 4 Aug 2017 23:50:58 +0100
Subject: [PATCH 2/7] Don't need this if email is configured properly
---
 src/freedombone-base-tripwire | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire
index 74772c79..f5d198ae 100755
--- a/src/freedombone-base-tripwire
+++ b/src/freedombone-base-tripwire
@@ -76,6 +76,7 @@ function install_tripwire {
 echo 'REPORTLEVEL =3' >> /etc/tripwire/twcfg.txt
 echo 'SYSLOGREPORTING =false' >> /etc/tripwire/twcfg.txt
 echo 'MAILMETHOD =SENDMAIL' >> /etc/tripwire/twcfg.txt
+ echo 'MAILPROGRAM =/usr/lib/sendmail -oi -t' >> /etc/tripwire/twcfg.txt
 echo 'SMTPHOST =localhost' >> /etc/tripwire/twcfg.txt
 echo 'SMTPPORT =25' >> /etc/tripwire/twcfg.txt
 echo 'TEMPDIRECTORY =/tmp' >> /etc/tripwire/twcfg.txt
@@ -139,12 +140,6 @@ function install_tripwire {
 ' | reset-tripwire
- if ! grep -q "tripwire" /etc/crontab; then
- TRIPWIRE_MIN=$((1 + RANDOM % 49))
- TRIPWIRE_HOUR=$((1 + RANDOM % 6))
- echo "${TRIPWIRE_MIN} ${TRIPWIRE_HOUR} * * * root /usr/sbin/tripwire -m c" >> /etc/crontab
- fi
-
 mark_completed $FUNCNAME
 }
From 80be052424092b18696606b61afd6fa7d84607a5 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 09:56:13 +0100
Subject: [PATCH 3/7] Don't try to fix stig failures because this triggers the tripwire
---
 src/freedombone-utils-cron | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/freedombone-utils-cron b/src/freedombone-utils-cron
index f37feea0..13e19f55 100755
--- a/src/freedombone-utils-cron
+++ b/src/freedombone-utils-cron
@@ -82,7 +82,7 @@ function schedule_stig_tests {
 echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> /etc/cron.daily/stig_tests
 echo "pkill ${PROJECT_NAME}-tests" >> /etc/cron.daily/stig_tests
 echo 'rm -rf /tmp/*' >> /etc/cron.daily/stig_tests
- echo "${PROJECT_NAME}-tests --stig fix > /tmp/daily-stig-tests" >> /etc/cron.daily/stig_tests
+ echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> /etc/cron.daily/stig_tests
 echo 'if [ ! "$?" = "0" ]; then' >> /etc/cron.daily/stig_tests
 echo " echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> /etc/cron.daily/stig_tests
 echo 'fi' >> /etc/cron.daily/stig_tests
From 75d6de301b071398ade99bb5570eecf2d7fa36f6 Mon Sep 17 00:00:00 2001
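Review bot: The added `MAILPROGRAM =/usr/lib/sendmail -oi -t` line makes every Tripwire report depend on a sendmail-compatible binary at that path, yet nothing in install_tripwire checks it exists before the second hunk of this commit drops the `/etc/crontab` entry that scheduled `tripwire -m c`; if the MTA's compatibility symlink is absent, reports fail silently rather than loudly. A guard just before this echo would make the assumption explicit, e.g. `[ -x /usr/lib/sendmail ] || echo 'tripwire: no sendmail-compatible MTA at /usr/lib/sendmail, reports will not be mailed' >&2` (or whatever failure convention the function uses). Note also that the removed crontab lines scheduled the integrity check itself, not only its mail; after this commit a periodic check presumably relies on the Debian package's own cron job, which is worth confirming on the target release and recording in a comment at the removal site. The body of install_tripwire starts and ends outside the hunk.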
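Review bot: The rewritten line still sends root's report to the fixed path `/tmp/daily-stig-tests` in the shared, world-writable /tmp, and the reason for switching from `fix` to `yes` (per the commit title, fixing alters files and trips Tripwire) is not recorded anywhere in the generated cron script, so a future maintainer is likely to switch it back. Consider emitting a comment line ahead of the test, e.g. `echo '# report only: --stig fix modifies system files and would trigger tripwire' >> /etc/cron.daily/stig_tests`, and having the generated script write its report to a file created with `mktemp` (or a root-owned directory) instead of a predictable name. schedule_stig_tests begins outside the hunk, so any header comment that already covers this is not visible here.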
From: Bob Mottram
Date: Sat, 5 Aug 2017 10:00:34 +0100
Subject: [PATCH 4/7] Menu option to fix stig test failures
---
 src/freedombone-sec | 64 +++++++++++++++++++++++++--------------------
 1 file changed, 36 insertions(+), 28 deletions(-)
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 4f1608fb..1266d931 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -969,22 +969,23 @@ function menu_security_settings {
 trap "rm -f $data" 0 1 2 5 15
 dialog --backtitle $"Freedombone Control Panel" \
 --title $"Security Settings" \
- --radiolist $"Choose an operation:" 22 76 22 \
+ --radiolist $"Choose an operation:" 23 76 23 \
 1 $"Run STIG tests" off \
- 2 $"Show ssh host public key" off \
- 3 $"Tor bridges" off \
- 4 $"Password storage" off \
- 5 $"Export passwords" off \
- 6 $"Regenerate ssh host keys" off \
- 7 $"Regenerate Diffie-Hellman keys" off \
- 8 $"Update cipersuite" off \
- 9 $"Create a new Let's Encrypt certificate" off \
- 10 $"Renew Let's Encrypt certificate" off \
- 11 $"Delete a Let's Encrypt certificate" off \
- 12 $"Enable GPG based authentication (monkeysphere)" off \
- 13 $"Register a website with monkeysphere" off \
- 14 $"Allow ssh login with passwords" off \
- 15 $"Go Back/Exit" on 2> $data
+ 2 $"Fix STIG test failures" off \
+ 3 $"Show ssh host public key" off \
+ 4 $"Tor bridges" off \
+ 5 $"Password storage" off \
+ 6 $"Export passwords" off \
+ 7 $"Regenerate ssh host keys" off \
+ 8 $"Regenerate Diffie-Hellman keys" off \
+ 9 $"Update cipersuite" off \
+ 10 $"Create a new Let's Encrypt certificate" off \
+ 11 $"Renew Let's Encrypt certificate" off \
+ 12 $"Delete a Let's Encrypt certificate" off \
+ 13 $"Enable GPG based authentication (monkeysphere)" off \
+ 14 $"Register a website with monkeysphere" off \
+ 15 $"Allow ssh login with passwords" off \
+ 16 $"Go Back/Exit" on 2> $data
 sel=$?
 case $sel in
 1) exit 1;;
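Review bot: The renumbered entry `9 $"Update cipersuite" off \` carries the pre-existing typo into a freshly written line; since every menu item is being rewritten anyway this is the moment to make it `9 $"Update ciphersuite" off \`. Because the label is a `$"…"` locale string, any translation catalog keyed on the old spelling needs the matching update. The rest of menu_security_settings lies outside this hunk.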
@@ -1014,53 +1015,60 @@ function menu_security_settings {
 exit 0
 ;;
 2)
+ clear
+ echo $'Fixing any STIG failures...'
+ echo ''
+ ${PROJECT_NAME}-tests --stig fix
+ exit 0
+ ;;
+ 3)
 dialog --title $"SSH host public keys" \
 --msgbox "\n$(get_ssh_server_key)" 12 60
 exit 0
 ;;
- 3)
+ 4)
 menu_tor_bridges
 exit 0
 ;;
- 4)
+ 5)
 store_passwords
 exit 0
 ;;
- 5)
+ 6)
 export_passwords
 exit 0
 ;;
- 6)
+ 7)
 regenerate_ssh_host_keys
 ;;
- 7)
+ 8)
 regenerate_dh_keys
 ;;
- 8)
+ 9)
 interactive_setup
 update_ciphersuite
 ;;
- 9)
+ 10)
 create_letsencrypt
 ;;
- 10)
+ 11)
 renew_letsencrypt
 ;;
- 11)
+ 12)
 delete_letsencrypt
 ;;
- 12)
+ 13)
 enable_monkeysphere
 ;;
- 13)
+ 14)
 register_website
 ;;
- 14)
+ 15)
 allow_ssh_passwords
 change_ssh_settings
 exit 0
 ;;
- 15)
+ 16)
 exit 0
 ;;
 esac
From 07942a701bd29680e2a592e9aa3d517fd8c04f3d Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 10:07:33 +0100
Subject: [PATCH 5/7] End of fixes message
---
 src/freedombone-sec | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/freedombone-sec b/src/freedombone-sec
index 1266d931..5cad98fc 100755
--- a/src/freedombone-sec
+++ b/src/freedombone-sec
@@ -1019,6 +1019,7 @@ function menu_security_settings {
 echo $'Fixing any STIG failures...'
 echo ''
 ${PROJECT_NAME}-tests --stig fix
+ echo $'Fixes applied. You will need to run the STIG tests again to be sure that they were all fixed.'
 exit 0
 ;;
 3)
From 0485e73a7d9e2a238af94fdbb1b0760066ea4410 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 11:26:24 +0100
Subject: [PATCH 6/7] More comprehensive tripwire reset
---
 src/freedombone-controlpanel | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel
index a92b53e5..2a2c8dce 100755
--- a/src/freedombone-controlpanel
+++ b/src/freedombone-controlpanel
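Review bot: In the new `2)` arm the exit status of `${PROJECT_NAME}-tests --stig fix` is discarded and the arm always ends in `exit 0`, so a partial or failed fix run is indistinguishable from a successful one; the same gap makes the "Fixes applied" message added by the next commit's hunk (`@@ -1019,6 +1019,7 @@`) print even when the command failed. Wrapping the call, `if ! ${PROJECT_NAME}-tests --stig fix; then` / `echo $'STIG fix did not complete; see the output above' >&2` / `fi`, before `exit 0` would surface that. Since this action modifies system files and, per the previous commit's title, will trigger the Tripwire, a short `dialog --yesno` confirmation and a reminder to reset Tripwire afterwards would also be appropriate here. The enclosing case statement continues outside the hunk.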
@@ -1280,8 +1280,20 @@ function reset_tripwire {
 return
 fi
 clear
+ echo $'Creating configuration...'
+ echo '
+
+ ' | twadmin --create-cfgfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twcfg.txt
+ echo $'Resetting policy...'
+ echo '
+
+ ' | twadmin --create-polfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twpol.txt
+ echo $'Creating tripwire database'
+ echo '
+
+' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile /var/lib/tripwire/${HOSTNAME}.twd
 echo $'Resetting the Tripwire...'
- echo ' '
+ echo ''
 echo '
 
 ' | reset-tripwire
From f2c17eddd5b9229338bf7879f9e5276b60b965dc Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 11:33:13 +0100
Subject: [PATCH 7/7] Message at the end of tripwire reset
---
 src/freedombone-controlpanel | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel
index 2a2c8dce..1eefc388 100755
--- a/src/freedombone-controlpanel
+++ b/src/freedombone-controlpanel
@@ -1297,6 +1297,8 @@ function reset_tripwire {
 echo '
 
 ' | reset-tripwire
+ echo ''
+ echo $'Tripwire is now reset'
 any_key
 }
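Review bot: The three new pipelines (`twadmin --create-cfgfile`, `twadmin --create-polfile`, `tripwire --init`) run one after another with no status check, so if the config step fails the policy and database steps still run against stale files, `reset-tripwire` is still invoked, and the `Tripwire is now reset` message added in the next commit's hunk (`@@ -1297,6 +1297,8 @@`) is printed regardless. The blank lines piped into each command look like answers to the site/local passphrase prompts, as with the existing `reset-tripwire` pipe; if so, the signing keys carry an empty passphrase and the database can be re-signed by anyone with root on this host, which limits what the baseline can attest and deserves a comment so nobody mistakes it for a keyed check. Guarding each step with the `return`/`any_key` pattern already used in this function keeps a failed reset from being reported as success; the start of reset_tripwire is outside the hunk.
```shell
    clear
    echo $'Creating configuration...'
    # NOTE(review): the blank lines appear to answer the passphrase prompts — confirm, and document the empty-passphrase assumption
    echo '

    ' | twadmin --create-cfgfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twcfg.txt \
        || { echo $'twadmin --create-cfgfile failed' >&2; any_key; return; }
    echo $'Resetting policy...'
    echo '

    ' | twadmin --create-polfile -S /etc/tripwire/${HOSTNAME}-site.key /etc/tripwire/twpol.txt \
        || { echo $'twadmin --create-polfile failed' >&2; any_key; return; }
    echo $'Creating tripwire database'
    echo '

' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile /var/lib/tripwire/${HOSTNAME}.twd \
        || { echo $'tripwire --init failed' >&2; any_key; return; }
    # … unchanged: "Resetting the Tripwire..." message and the reset-tripwire pipe …
```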