Bob Mottram 2018-05-08 14:09:19 +01:00
commit 2d45c34f22
17 changed files with 373 additions and 121 deletions


@ -96,6 +96,8 @@ Now edit the hosts file which was pulled and append:
127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 telemetry.mozilla.org
127.0.0.1 incoming.telemetry.mozilla.org
#+end_src
Then upload the hosts file back again with:

Binary file not shown.


@ -36,7 +36,7 @@ PLEROMA_CODE=
PLEROMA_PORT=4000
PLEROMA_ONION_PORT=8011
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
PLEROMA_COMMIT='762f6edc29a7a48e3a663e9bedec58e0036ff363'
PLEROMA_ADMIN_PASSWORD=
PLEROMA_DIR=/etc/pleroma
PLEROMA_SECRET_KEY=""
@ -733,15 +733,21 @@ function configure_interactive_pleroma {
enablechatstr=$'Disable chat system'
fi
pleromatorstr=$'Enable routing through Tor for onion addresses'
if grep -q '9050' $pleroma_secret; then
pleromatorstr=$'Disable routing through Tor'
fi
W=(1 $"Set a background image"
2 $"Set the title"
3 $"Disable new account registrations"
4 $"Add a custom emoji"
5 $"Set post expiry period (currently $PLEROMA_EXPIRE_MONTHS months)"
6 "$enablechatstr")
6 "$enablechatstr"
7 "$pleromatorstr")
# shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 13 60 6 "${W[@]}" 3>&2 2>&1 1>&3)
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 14 60 7 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then
break
@ -759,11 +765,25 @@ function configure_interactive_pleroma {
pleroma_enable_chat true
fi
;;
7) if grep -q '9050' $pleroma_secret; then
pleroma_disable_tor
else
pleroma_enable_tor
fi
;;
esac
done
}
function pleroma_upgrade_tor {
function pleroma_disable_tor {
if grep -q '9050' $pleroma_secret; then
sed -i '/9050/d' $pleroma_secret
sed -i 's|# config :pleroma, :http, proxy_url:|config :pleroma, :http, proxy_url:|g' $PLEROMA_DIR/config/config.exs
pleroma_recompile
fi
}
function pleroma_enable_tor {
pleroma_tor_update=
if ! grep -q '{:socks5, :localhost, 9050}' $pleroma_secret; then
@ -806,7 +826,7 @@ function upgrade_pleroma {
create_pleroma_blocklist
fi
pleroma_upgrade_tor
#pleroma_enable_tor
CURR_PLEROMA_COMMIT=$(get_completion_param "pleroma commit")
if [[ "$CURR_PLEROMA_COMMIT" == "$PLEROMA_COMMIT" ]]; then
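Review bot: `pleroma_disable_tor` detects the Tor state with `grep -q '9050' $pleroma_secret` and then deletes every line of the secret config matching `/9050/`, so any unrelated value that happens to contain those four digits (another port, a generated key) both misreports the toggle state in the menu and gets removed from the file. `pleroma_enable_tor` already keys on the exact string `{:socks5, :localhost, 9050}`; the menu label, the case arm and the disable path should use the same string, e.g. `sed -i '/{:socks5, :localhost, 9050}/d' "$pleroma_secret"`, and `$pleroma_secret` should be quoted in each call. Whether the `config.exs` substitution that re-enables the `proxy_url` line is the exact reverse of the enable path cannot be confirmed here, since the body of `pleroma_enable_tor` continues outside the hunk.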


@ -224,114 +224,153 @@ function show_tor_bridges {
function show_domains {
read_config_param "DEFAULT_DOMAIN_NAME"
W=()
W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
ipv6_address="$(get_ipv6_address)"
if [ ${#ipv6_address} -gt 0 ]; then
W+=("IPv6" "${ipv6_address}")
fi
if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
fi
if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
fi
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
fi
if grep -q "email onion domain" "$COMPLETION_FILE"; then
domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
fi
if grep -q "sks onion domain" "$COMPLETION_FILE"; then
read_config_param "KEYSERVER_DOMAIN_NAME"
domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
fi
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
if [ -f $INTRODUCER_FILENAME ]; then
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
fi
show_tor_bridges
# shellcheck disable=SC2068
for app_name in ${APPS_INSTALLED_NAMES[@]}
while true
do
if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
continue
W=()
W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
ipv6_address="$(get_ipv6_address)"
if [ ${#ipv6_address} -gt 0 ]; then
W+=("IPv6" "${ipv6_address}")
fi
# handle the foibles of capitalisation
if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
app_name=${app_name_upper}
else
app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
app_name=${app_name_first_upper}
if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
fi
if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
fi
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
fi
if grep -q "email onion domain" "$COMPLETION_FILE"; then
domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
fi
if grep -q "sks onion domain" "$COMPLETION_FILE"; then
read_config_param "KEYSERVER_DOMAIN_NAME"
domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
fi
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
if [ -f $INTRODUCER_FILENAME ]; then
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
fi
show_tor_bridges
# shellcheck disable=SC2068
for app_name in ${APPS_INSTALLED_NAMES[@]}
do
if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
continue
fi
# handle the foibles of capitalisation
if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
app_name=${app_name_upper}
else
app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
app_name=${app_name_first_upper}
fi
fi
fi
fi
if [ ${#app_name} -gt 0 ]; then
icann_address=$(get_app_icann_address "$app_name")
if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
icann_address='-'
fi
if [[ "$ONION_ONLY" != 'no' ]]; then
if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
if [ ${#app_name} -gt 0 ]; then
icann_address=$(get_app_icann_address "$app_name")
if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
icann_address='-'
fi
fi
onion_address=$(get_app_onion_address "$app_name")
if [ ${#onion_address} -eq 0 ]; then
onion_address="-"
fi
if [[ "${icann_address}" != '-' ]]; then
if [[ "${onion_address}" != '-' ]]; then
W+=("${app_name}" "${icann_address} / ${onion_address}")
else
W+=("${app_name}" "${icann_address}")
if [[ "$ONION_ONLY" != 'no' ]]; then
if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
icann_address='-'
fi
fi
onion_address=$(get_app_onion_address "$app_name")
if [ ${#onion_address} -eq 0 ]; then
onion_address="-"
fi
else
W+=("${app_name}" "${onion_address}")
fi
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
onion_address=$(get_app_onion_address "${app_name}" "mobile")
if [[ "${icann_address}" != '-' ]]; then
W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
if [[ "${onion_address}" != '-' ]]; then
W+=("${app_name}" "${icann_address} / ${onion_address}")
else
W+=("${app_name}" "${icann_address}")
fi
else
W+=("${app_name} (mobile)" "${onion_address}")
W+=("${app_name}" "${onion_address}")
fi
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
onion_address=$(get_app_onion_address "${app_name}" "mobile")
if [[ "${icann_address}" != '-' ]]; then
W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
else
W+=("${app_name} (mobile)" "${onion_address}")
fi
fi
fi
done
if grep -q "rss reader domain" "$COMPLETION_FILE"; then
if [ -d /var/lib/tor/hidden_service_ttrss ]; then
domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
W+=("RSS Reader" "${domain_onion}")
fi
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
W+=("RSS mobile" "${domain_onion}")
fi
fi
width=$(tput cols)
height=$(tput lines)
# shellcheck disable=SC2068
selected=$(dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selected" ]; then
break
fi
# obtain the addresses from the key by itterating through
# the array. This is quite crude and maybe there's a better way
key_found=
selected_addresses=
for key in "${W[@]}";
do
if [ $key_found ]; then
selected_addresses="$key"
break
fi
if [[ "$key" == "$selected" ]]; then
key_found=1
fi
done
# Was the key matched?
if [ ! "$selected_addresses" ]; then
break
fi
# addresses were found - is this an onion?
if [[ "$selected_addresses" != *".onion"* ]]; then
continue
fi
# There are two forms of addresses: "x / y.onion" and "x.onion"
if [[ "$selected_addresses" == *'/'* ]]; then
onion_addr=$(echo "$selected_addresses" | awk -F '/' '{print $2}' | awk -F ' ' '{print $1}')
else
onion_addr="$selected_addresses"
fi
# show the onion address as a QR code
clear
echo "${selected}: ${onion_addr}"
echo -n "$onion_addr" | qrencode -t UTF8
any_key
done
if grep -q "rss reader domain" "$COMPLETION_FILE"; then
if [ -d /var/lib/tor/hidden_service_ttrss ]; then
domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
W+=("RSS Reader" "${domain_onion}")
fi
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
W+=("RSS mobile" "${domain_onion}")
fi
fi
width=$(tput cols)
height=$(tput lines)
# shellcheck disable=SC2068
dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
}
function show_users {
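Review bot: The QR display at the end of the new loop pipes into `qrencode -t UTF8` without checking that the tool exists, so on a host without it the screen is cleared and the user sees only a command-not-found error instead of the address; a guard before the `clear`, `command -v qrencode >/dev/null 2>&1 || { echo $'qrencode is not installed'; any_key; continue; }`, keeps the menu usable. `echo -n "$onion_addr"` is better written as `printf '%s' "$onion_addr"`, since echo's handling of `-n` is not portable. The lookup that walks `W` comparing every cell to `$selected` also compares value cells, so a value equal to a key label would return the wrong neighbour; unlikely with the labels built here, but worth a comment noting the assumption.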


@ -434,6 +434,10 @@ function show_gpg_key {
dialog --title $"My PGP/GPG Key" \
--backtitle $"Freedombone User Control Panel" \
--msgbox $"Email Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE" 12 70
clear
echo $"Your GPG/PGP public key:"
gpg --armor --export "$GPG_ID" | qrencode -t UTF8
any_key
}
function show_full_gpg_key {
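Review bot: `gpg --armor --export "$GPG_ID" | qrencode -t UTF8` encodes the entire armoured public key; a QR symbol holds at most a few kilobytes, and an armoured key with subkeys, self-signatures or a 4096-bit modulus is commonly larger, in which case qrencode fails and the user is left with only its error message after `clear`. Even when it fits, a symbol near the size limit is too dense to render legibly in a terminal or to scan. Encoding the fingerprint, `echo -n "$GPG_FINGERPRINT" | qrencode -t UTF8`, gives a small scannable code that still lets the recipient fetch and verify the key; if the full export must stay, at least report failure with `... | qrencode -t UTF8 || echo $'Key is too large to display as a QR code'`. `show_gpg_key` begins outside the hunk.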


@ -74,6 +74,8 @@ IMAGE_NAME='full'
USERNAME="$USER"
PASSWORD=
CONTINUOUS_INTEGRATION=
# IP address of the router (gateway)
ROUTER_IP_ADDRESS="192.168.1.254"
@ -378,6 +380,10 @@ do
shift
INTERACTIVE="$1"
;;
--ci)
shift
CONTINUOUS_INTEGRATION="$1"
;;
-g|--generic)
shift
GENERIC_IMAGE="$1"
@ -614,6 +620,7 @@ make "$IMAGE_TYPE" \
AMNESIC="$AMNESIC" \
SOCIALINSTANCE="$SOCIALINSTANCE" \
EXTERNAL_DRIVE="$EXTERNAL_DRIVE" \
CONTINUOUS_INTEGRATION="$CONTINUOUS_INTEGRATION" \
LOCAL_NAME="$LOCAL_NAME"
# shellcheck disable=SC2181
@ -641,8 +648,8 @@ fi
for im in ${image_types[@]}
do
# shellcheck disable=SC2012,SC2086
no_of_files=$(ls -afq build/${PROJECT_NAME}*.${im} | wc -l)
if (( no_of_files > 0 )); then
no_of_files=$(ls -l build/${PROJECT_NAME}*.${im} | wc -l)
if [ "$no_of_files" -gt 0 ]; then
# shellcheck disable=SC2086
mv build/${PROJECT_NAME}*.${im} ${CURR_DIR}/
# shellcheck disable=SC2086
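Review bot: The new `ls -l build/${PROJECT_NAME}*.${im} | wc -l` still parses `ls` output to count files, which is exactly what the disabled SC2012 warns about, and when nothing matches it now prints an `ls` error to stderr on every build. Counting the glob directly needs no external command and is always numeric for the `-gt` test: `files=(build/${PROJECT_NAME}*.${im})` followed by `no_of_files=0; [ -e "${files[0]}" ] && no_of_files=${#files[@]}`. The `--ci` option accepts a value that nothing validates; if only emptiness matters, the usage text should say so.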


@ -139,6 +139,8 @@ BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
BMX7_REPO="https://github.com/bmx-routing/bmx7"
BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
CONTINUOUS_INTEGRATION=
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
# Whether to use a SATA drive and if so what its device/partition name is
@ -1766,8 +1768,8 @@ image_setup_utils() {
chroot "$rootdir" apt-get -yq -t stretch-backports install tor
chroot "$rootdir" apt-get -yq install connect-proxy
chroot "$rootdir" connect-proxy
sed -i 's|#Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
sed -i 's|Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
sed -i 's|#Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
sed -i 's|Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
sed -i "s|#AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
sed -i "s|AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
if ! grep -q 'Host *.onion' "$rootdir/root/.ssh/config"; then
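Review bot: The two `sed` lines now point Tor's notice log at `/var/log/tor/notices.log` where it previously went to `/dev/null`, which reverses a deliberate privacy default without a comment saying why. A short note above them, such as `# Tor notices are kept on disk so the tor-health check can count connection retries; the tor-health cron job trims the file`, would tell the next maintainer the change is intentional and what depends on it, assuming that is the reason (the new health script in this commit reads that path). `image_setup_utils` begins and ends outside the hunk.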


@ -78,6 +78,7 @@ export AMNESIC
export SOCIALINSTANCE
export LOCAL_NAME
export EXTERNAL_DRIVE
export CONTINUOUS_INTEGRATION
# Locate vmdebootstrap program fetched in Makefile
basedir=`pwd`
@ -228,6 +229,7 @@ sed -i "s|SOCIALINSTANCE=.*|SOCIALINSTANCE=\"${SOCIALINSTANCE}\"|g" "$TEMP_CUSTO
sed -i "s|LOCAL_NAME=.*|LOCAL_NAME=\"${LOCAL_NAME}\"|g" "$TEMP_CUSTOMISE3"
sed -i "s|EXTERNAL_DRIVE=.*|EXTERNAL_DRIVE=\"${EXTERNAL_DRIVE}\"|g" "$TEMP_CUSTOMISE3"
sed -i 's|#!/bin/bash||g' "$TEMP_CUSTOMISE3"
sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=${CONTINUOUS_INTEGRATION}|g" "$TEMP_CUSTOMISE3"
cat $TEMP_CUSTOMISE2 $TEMP_CUSTOMISE3 > $TEMP_CUSTOMISE4
if [ -f $TEMP_CUSTOMISE ]; then
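Review bot: The added `sed` writes `CONTINUOUS_INTEGRATION=${CONTINUOUS_INTEGRATION}` into the customise script without the quotes the neighbouring `LOCAL_NAME` and `EXTERNAL_DRIVE` lines use, so a value containing whitespace or shell metacharacters becomes a syntax error or an unintended command when the generated script runs. Make it `sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=\"${CONTINUOUS_INTEGRATION}\"|g" "$TEMP_CUSTOMISE3"`. As with the other substitutions here, a `|` in the value would still break the sed expression, so the value should be validated by the caller rather than trusted.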


@ -41,8 +41,13 @@ IMAGE = $(NAME).img
ARCHIVE = $(IMAGE).xz
SIGNATURE = $(ARCHIVE).sig
OWNER = 1000
XZ = xz --no-warn --verbose --keep --threads=0 -3
SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
ifeq ("$CONTINUOUS_INTEGRATION", "")
XZ = xz --no-warn --verbose --keep --threads=0 -3 $(IMAGE)
SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
else
XZ =
SIGN =
endif
# settings for `make test`
TEST_SSH_PORT = 2222
@ -90,7 +95,7 @@ beaglebone: prep
$(eval MACHINE = beaglebone)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -101,7 +106,7 @@ cubieboard2: prep
$(eval MACHINE = cubieboard2)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -112,7 +117,7 @@ pcduino3: prep
$(eval MACHINE = pcduino3)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -123,7 +128,7 @@ cubietruck: prep
$(eval MACHINE = cubietruck)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -135,7 +140,7 @@ a20-olinuxino-lime: prep
$(eval IMAGE = $(NAME).img)
$(MAKE_IMAGE)
rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@ -145,7 +150,7 @@ a20-olinuxino-lime2: prep
$(eval MACHINE = a20-olinuxino-lime2)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -156,7 +161,7 @@ a20-olinuxino-micro: prep
$(eval MACHINE = a20-olinuxino-micro)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -167,7 +172,7 @@ i386: prep
$(eval MACHINE = all)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -178,7 +183,7 @@ i686: prep
$(eval MACHINE = all)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -189,7 +194,7 @@ amd64: prep
$(eval MACHINE = all)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -200,7 +205,7 @@ apu: prep
$(eval MACHINE = all)
$(MAKE_IMAGE)
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -215,7 +220,7 @@ qemu-i386: prep
# Convert image to qemu format
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
@ -227,7 +232,7 @@ qemu-x86_64: prep
# Convert image to qemu format
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
@rm -f $(ARCHIVE)
$(XZ) $(IMAGE)
$(XZ)
@echo ""
$(SIGN)
@echo "Build complete."
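Review bot: `ifeq ("$CONTINUOUS_INTEGRATION", "")` does not test the variable passed in from the image script: in make syntax `$C` expands the single-letter variable `C` and the rest is literal text, so the left side is always the string `"ONTINUOUS_INTEGRATION"`, the comparison is always false, and `XZ` and `SIGN` are always empty. The practical effect is that no target compresses the image and the `gpg --detach-sig` step is silently skipped, so released images would ship without the signature users rely on to verify them. Write the test as `ifeq ($(CONTINUOUS_INTEGRATION),)`; an `@echo` in the else branch saying compression and signing are skipped for CI would also make the build log less confusing.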


@ -179,9 +179,8 @@ if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then
else
turn_logging_off
if [ -d /etc/tor ]; then
echo 'Log notice file /dev/null' > /etc/torrc.d/logging
rm /var/log/tor/*
if [ -d /etc/torrc.d ]; then
echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
fi
if [ -d /var/log/radicale ]; then
$REMOVE_FILES_COMMAND /var/log/radicale/*
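Review bot: In the logging-off branch Tor is now told to keep writing to `/var/log/tor/notices.log`, and the `rm /var/log/tor/*` that used to clear existing Tor logs is gone, so an administrator who turns logging off for privacy still has Tor notices accumulating on disk, unlike every other service handled in this function. If that is required because the tor-health check reads this file, say so in a comment, e.g. `# Tor notices stay on disk even with logging off: the tor-health check reads them and appears to keep only the last ten minutes`, and consider still running `$REMOVE_FILES_COMMAND /var/log/tor/*` here so the old history is discarded before the trimmed file starts. The enclosing `if`/`else` begins outside the hunk.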


@ -759,6 +759,12 @@ function test_stig {
output "V-38605" $? ${SETLANG}
################
##Check that openssh client and server are installed
bash $STIG_TESTS_DIR/check-ssh.sh installed >/dev/null 2>&1 &
stig_spinner $!
output "SV-86857r1_rule" $? ${SETLANG}
################
##RHEL-06-000227
##The SSH daemon must be configured to use only the SSHv2 protocol.

src/freedombone-tor-health Executable file

@ -0,0 +1,62 @@
#!/bin/bash
# _____ _ _
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
# | __| _| -_| -_| . | . | | . | . | | -_|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
#
# Freedom in the Cloud
#
# Returns a health status for Tor
#
# License
# =======
#
# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
PROJECT_NAME='freedombone'
export TEXTDOMAIN=${PROJECT_NAME}-tor-health
export TEXTDOMAINDIR="/usr/share/locale"
d1=$(date --date="-10 min" "+%b %d %H:%M"):00
d2=$(date "+%b %d %H:%M"):00
ctr=0
echo -n '' > /var/log/tor/notices_new.log
while read -r line; do
datestr=$(echo "$line" | awk -F '.' '{print $1}')
if [[ "$datestr" > "$d1" && "$datestr" < "$d2" || "$datestr" =~ $d2 ]]; then
if [[ "$line" == *'Retrying'* ]]; then
ctr=$((ctr+1))
fi
echo "$line" >> /var/log/tor/notices_new.log
fi
done < /var/log/tor/notices.log
mv /var/log/tor/notices_new.log /var/log/tor/notices.log
chown -R debian-tor:adm /var/log/tor
if [ $ctr -gt 5 ]; then
echo $'Failed'
exit 0
fi
if [ $ctr -gt 0 ]; then
echo $'Poor'
exit 0
fi
echo $'Good'
exit 0
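Review bot: The script rewrites the Tor log by writing a filtered copy to `notices_new.log` and `mv`-ing it over `notices.log`; Tor, like most daemons, keeps its log descriptor open and only reopens the path on SIGHUP, so if that holds here every run after the first leaves Tor writing to the unlinked inode while `notices.log` stays empty, and the health check reports `Good` forever. Truncating in place keeps Tor's descriptor valid: `cat /var/log/tor/notices_new.log > /var/log/tor/notices.log` followed by `rm /var/log/tor/notices_new.log`. The window test compares `"$datestr" > "$d1"` as strings, which is only chronological while the month name is the same on both sides, so the first ten minutes of each month are misjudged; and `notices_new.log` is created under root's umask before the `chown`, so its mode should be checked if the log is considered sensitive. A header comment stating the outputs `Good`/`Poor`/`Failed` and that the script is expected to run as root from cron would help the next reader.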


@ -32,6 +32,7 @@ FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
FIREWALL_EIFACE=eth0
EXTERNAL_IPV4_ADDRESS=
FIREFOX_TELEMETRY_IP='52.88.27.118'
function save_firewall_settings {
iptables-save > /etc/firewall.conf
@ -47,6 +48,25 @@ function save_firewall_settings {
fi
}
function block_firefox_telemetry {
# This shouldn't be needed on a server, but we'll do it anyway
# to be on the safe side
# Within firefox source code see submit_telemetry_data.py
if ! grep -q 'telemetry.mozilla' /etc/hosts; then
echo '127.0.0.1 telemetry.mozilla.org' >> /etc/hosts
echo '127.0.0.1 incoming.telemetry.mozilla.org' >> /etc/hosts
fi
if grep -q "$FIREFOX_TELEMETRY_IP" /etc/firewall.conf; then
return
fi
iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP
iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP
save_firewall_settings
}
function firewall_block_bad_ip_ranges {
if [ "$INSTALLING_MESH" ]; then
return
@ -340,6 +360,32 @@ function mesh_firewall {
FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
if ! grep -q 'telemetry.mozilla' ${rootdir}/etc/hosts; then
echo '127.0.0.1 telemetry.mozilla.org' >> ${rootdir}/etc/hosts
echo '127.0.0.1 incoming.telemetry.mozilla.org' >> ${rootdir}/etc/hosts
fi
if ! grep -q 'facebook' ${rootdir}/etc/hosts; then
{ echo '127.0.0.1 www.facebook.com';
echo '127.0.0.1 facebook.com';
echo '127.0.0.1 static.ak.fbcdn.net';
echo '127.0.0.1 www.static.ak.fbcdn.net';
echo '127.0.0.1 login.facebook.com';
echo '127.0.0.1 www.login.facebook.com';
echo '127.0.0.1 fbcdn.net';
echo '127.0.0.1 www.fbcdn.net';
echo '127.0.0.1 fbcdn.com';
echo '127.0.0.1 www.fbcdn.com';
echo '127.0.0.1 static.ak.connect.facebook.com';
echo '127.0.0.1 www.static.ak.connect.facebook.com'; } >> ${rootdir}/etc/hosts
fi
if ! grep -q 'google' ${rootdir}/etc/hosts; then
{ echo '127.0.0.1 www.google-analytics.com';
echo '127.0.0.1 google-analytics.com';
echo '127.0.0.1 ssl.google-analytics.com'; } >> ${rootdir}/etc/hosts
fi
{ echo '#!/bin/bash';
echo 'iptables -P INPUT ACCEPT';
echo 'ip6tables -P INPUT ACCEPT';
@ -387,7 +433,9 @@ function mesh_firewall {
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT";
echo "iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP";
echo "iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP"; } > "$MESH_FIREWALL_SCRIPT"
chmod +x "$MESH_FIREWALL_SCRIPT"
{ echo '[Unit]';
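Review bot: The `OUTPUT` rules use `-s $FIREFOX_TELEMETRY_IP`, but on the OUTPUT chain the source address is this host, so `iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP` (in `block_firefox_telemetry` and again in the generated mesh firewall script) never matches and outbound traffic to that address is not blocked; the destination match is what is meant: `iptables -A OUTPUT -d $FIREFOX_TELEMETRY_IP -j DROP`. Pinning a single cloud-hosted IP is also fragile, since such addresses are reassigned and shared, so the `/etc/hosts` entries are the dependable part of this block and the IP rule deserves a comment giving its source and date. The `grep -q "$FIREFOX_TELEMETRY_IP" /etc/firewall.conf` guard means an install that already saved the `-s` rule would skip adding a corrected one, so the fix should also handle that upgrade case.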


@ -311,6 +311,34 @@ function configure_ssh_onion {
mark_completed "${FUNCNAME[0]}"
}
function check_tor_health {
{ echo '#!/bin/bash';
echo "status=\$(${PROJECT_NAME}-tor-health)";
echo "ADMIN_USER=\$(grep \"MY_USERNAME=\" ~/${PROJECT_NAME}.cfg | awk -F '=' '{print \$2}')";
echo "if [[ \"\$status\" == 'G'* ]]; then";
echo ' if [ -f /tmp/.torfailed ]; then';
echo ' rm /tmp/.torfailed';
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is now \$status\" \$ADMIN_USER@\$HOSTNAME";
echo ' fi';
echo ' exit 0';
echo 'fi';
echo 'if [ ! -f /tmp/.torfailed ]; then';
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
echo " echo \"\$status\" > /tmp/.torfailed";
echo 'else';
echo " prev_status=\$(cat /tmp/.torfailed)";
echo " if [[ \"\$prev_status\" != \"\$status\" ]]; then";
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
echo " echo \"\$status\" > /tmp/.torfailed";
echo ' fi';
echo 'fi'; } > /usr/bin/check_tor_health
chmod +x /usr/bin/check_tor_health
if ! grep -q 'check_tor_health' /etc/crontab; then
cron_add_mins 10 "/usr/bin/check_tor_health"
fi
}
function install_tor {
if [[ $SYSTEM_TYPE == "mesh*" ]]; then
return
@ -336,7 +364,7 @@ function install_tor {
echo '%include /etc/torrc.d' >> /etc/tor/torrc
fi
echo 'Log notice file /dev/null' > /etc/torrc.d/logging
echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
echo "AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes" > /etc/torrc.d/maxtraffic
mark_completed "${FUNCNAME[0]}"
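Review bot: The generated `/usr/bin/check_tor_health` keeps its state in `/tmp/.torfailed`, a predictable name in a world-writable directory, and runs from root's crontab: it does `rm`, `cat` and `echo "$status" >` on that path, so any local user can pre-create the file or a symlink there and have root truncate or overwrite a file of their choosing (where `fs.protected_symlinks` is off) or feed the script a forged previous status. Keep the state under a root-only location instead, e.g. `/root/.torfailed` or a directory the installer creates with mode 0700, replacing each `/tmp/.torfailed` in the `echo` block. The admin address is taken from `~/${PROJECT_NAME}.cfg`, which under cron resolves to root's home; a comment stating that the script must run as root would make that dependency explicit.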


@ -720,6 +720,9 @@ function setup_firewall {
function_check configure_firewall
configure_firewall
function_check block_firefox_telemetry
block_firefox_telemetry
function_check configure_firewall_ping
configure_firewall_ping
@ -971,6 +974,9 @@ function setup_utils {
function_check install_tor
install_tor
function_check check_tor_health
check_tor_health
function_check install_command_line_browser
install_command_line_browser


@ -44,6 +44,19 @@ case $1 in
exit 1
fi
;;
installed)
OPENSSH_SERVER=$(dpkg -s openssh-server | grep -i "Status:.*install.*ok.*installed" | wc -l)
OPENSSH_CLIENT=$(dpkg -s openssh-client | grep -i "Status:.*install.*ok.*installed" | wc -l)
if [ ${OPENSSH_SERVER} -eq 1 ]; then
if [ ${OPENSSH_CLIENT} -eq 1 ]; then
:
else
exit 1
fi
else
exit 1
fi
;;
sshd_status)
if systemctl status sshd | grep "Active:.*(running)";then
:
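Review bot: The `installed)` arm counts matches with `grep ... | wc -l` and then nests two `if` bodies that only contain `:` in order to reach `exit 1`; the same check reads more directly with a small helper, `pkg_ok() { dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'; }` and `if ! pkg_ok openssh-server || ! pkg_ok openssh-client; then exit 1; fi`, which avoids parsing the human-readable `dpkg -s` output. If `dpkg -s` is kept, `grep -ci` gives the count in one step and `${OPENSSH_SERVER}` should be quoted in the `[ ]` test. This is a style point; the behaviour is correct as written.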


@ -1399,6 +1399,15 @@ disabled. The "nis" service can be disabled with the following commands:\n\n#upd
printf '\n######################\n\nSTIG-ID:RHEL-06-000224\n\nVulnerability Discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.\n\nFix text: The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:\n\n#update-rc.d cron defaults\nservice cron start\n\n######################\n\n' >> $LOG
fi
;;
SV-86857r1_rule) if [ "$3" = "en" ]; then
log_msg $2 'OpenSSH server and client must be installed.'
else
log_msg $2 '必须安装OpenSSH服务器和客户端'
fi
if [ $2 -ne 0 ];then
printf '\n######################\n\nWithout protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n######################\n\n' >> $LOG
fi
;;
V-38607) if [ "$3" = "en" ]; then
log_msg $2 'The SSH daemon must be configured to use only the SSHv2 protocol.'
else