From 31e7b8d61903aef77725d14365b35caca5a43517 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 13:15:35 +0100 Subject: [PATCH 01/50] tripwire qr code verification --- src/freedombone-base-tripwire | 2 +- src/freedombone-controlpanel | 11 ++++++++++- src/freedombone-upgrade | 6 ------ 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire index f5d198ae..4a4c9121 100755 --- a/src/freedombone-base-tripwire +++ b/src/freedombone-base-tripwire @@ -58,7 +58,7 @@ function install_tripwire { debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false" debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false" - apt-get -yq install tripwire + apt-get -yq install tripwire qrencode apt-get -yq autoremove cd /etc/tripwire diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index 1eefc388..c8892a5b 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1298,7 +1298,16 @@ function reset_tripwire { ' | reset-tripwire echo '' - echo $'Tripwire is now reset' + if [ -f /var/lib/tripwire/${HOSTNAME}.net.twd ]; then + DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.net.twd) + echo "$DBHASH" | qrencode -t UTF8 + echo '' + echo "$DBHASH" + echo '' + echo $'Tripwire is now reset' + else + echo $'ERROR: tripwire database was not created' + fi any_key } diff --git a/src/freedombone-upgrade b/src/freedombone-upgrade index 1cee7878..f855433b 100755 --- a/src/freedombone-upgrade +++ b/src/freedombone-upgrade @@ -109,10 +109,4 @@ fi # If logging was left on then turn it off ${PROJECT_NAME}-logging off -if [ -f /usr/bin/reset-tripwire ]; then - echo ' - -' | reset-tripwire -fi - # deliberately there is no 'exit 0' here From 99479d64483f0d0210bcb54a418421d9f3266b7c Mon Sep 17 00:00:00 2001 
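Review bot: `DBHASH` captures the whole `sha512sum` line, digest plus the `/var/lib/tripwire/…twd` path, so the path is encoded into the QR code and printed alongside the digest, making the code larger and the later visual comparison noisier than it needs to be; keep only the first field, `| awk -F ' ' '{print $1}'`, which is the form the later patches in this series use for HASH1/HASH2. `${HOSTNAME}` is unquoted in both the `-f` test and the sha512sum call. The removal of the automatic `reset-tripwire` from freedombone-upgrade is the right direction, since re-baselining on every upgrade would hide exactly the changes tripwire exists to report. reset_tripwire continues outside the hunk.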
From: Bob Mottram Date: Sat, 5 Aug 2017 13:19:16 +0100 Subject: [PATCH 02/50] Stray tld --- src/freedombone-controlpanel | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index c8892a5b..37e23626 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1298,8 +1298,8 @@ function reset_tripwire { ' | reset-tripwire echo '' - if [ -f /var/lib/tripwire/${HOSTNAME}.net.twd ]; then - DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.net.twd) + if [ -f /var/lib/tripwire/${HOSTNAME}.twd ]; then + DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.twd) echo "$DBHASH" | qrencode -t UTF8 echo '' echo "$DBHASH" From d9adff3a9e0a573645d38cb7732ca39686e840f2 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 13:30:58 +0100 Subject: [PATCH 03/50] Option to verify the tripwire code --- src/freedombone-controlpanel | 91 ++++++++++++++++++++---------------- 1 file changed, 52 insertions(+), 39 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index 37e23626..7f99155c 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1268,6 +1268,18 @@ function security_settings { any_key } +function show_tripwire_verification_code { + clear + echo '' + echo $'Tripwire Verification Code' + echo '' + DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.twd) + echo "$DBHASH" | qrencode -t UTF8 + echo '' + echo "$DBHASH" + echo '' +} + function reset_tripwire { if [ ! -f /usr/bin/reset-tripwire ]; then echo $'Missing /usr/bin/reset-tripwire' 
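Review bot: show_tripwire_verification_code prints a digest with no statement of what it is to be compared against; the database is regenerated by reset_tripwire, so the value is only meaningful against the one recorded at the most recent reset, and any later regeneration invalidates that record. One line of output saying so, e.g. `echo $'Compare this with the code recorded after the last tripwire reset'`, turns the display into a usable check. `DBHASH` is assigned as a global from inside the function; `local DBHASH` would keep it from leaking into the rest of the control panel.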
@@ -1299,12 +1311,10 @@ function reset_tripwire {
 ' | reset-tripwire
 echo ''
 if [ -f /var/lib/tripwire/${HOSTNAME}.twd ]; then
- DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.twd)
- echo "$DBHASH" | qrencode -t UTF8
- echo ''
- echo "$DBHASH"
- echo ''
- echo $'Tripwire is now reset'
+ show_tripwire_verification_code
+ echo $'Tripwire is now reset. Take a note of the above hash, or record'
+ echo $'the QR code using a mobile device. This will enable you to independently'
+ echo $'verify the integrity of the tripwire.'
 else
 echo $'ERROR: tripwire database was not created'
 fi
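Review bot: The new user-facing text promises to "independently verify the integrity of the tripwire", but the digest is produced by `sha512sum` and `qrencode` running on the host being examined, so a later match only shows the database file is unchanged on the assumption that those binaries and the control panel itself are intact; it is a tamper-evidence aid for the user's own record, not an independent attestation. Suggest wording that matches what is checked, e.g. `echo $'verify that the tripwire database has not been replaced since this reset.'`. reset_tripwire continues outside the hunk.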
@@ -2131,27 +2141,28 @@ function menu_top_level { trap "rm -f $data" 0 1 2 5 15 dialog --backtitle $"Freedombone Control Panel" \ --title $"Control Panel" \ - --radiolist $"Choose an operation:" 28 70 20 \ + --radiolist $"Choose an operation:" 29 70 21 \ 1 $"About this system" off \ 2 $"Passwords" off \ 3 $"Backup and Restore" off \ 4 $"Show Firewall" off \ - 5 $"Reset Tripwire" off \ - 6 $"App Settings" off \ - 7 $"Add/Remove Apps" off \ - 8 $"Logging on/off" off \ - 9 $"Ping enable/disable" off \ - 10 $"Manage Users" off \ - 11 $"Email Menu" off \ - 12 $"Domain or User Blocking" off \ - 13 $"Security Settings" off \ - 14 $"Change the name of this system" off \ - 15 $"Set a static local IP address" off \ - 16 $"Wifi menu" off \ - 17 $"Check for updates" off \ - 18 $"Power off the system" off \ - 19 $"Restart the system" off \ - 20 $"Exit" on 2> $data + 5 $"Verify Tripwire Code" off \ + 6 $"Reset Tripwire" off \ + 7 $"App Settings" off \ + 8 $"Add/Remove Apps" off \ + 9 $"Logging on/off" off \ + 10 $"Ping enable/disable" off \ + 11 $"Manage Users" off \ + 12 $"Email Menu" off \ + 13 $"Domain or User Blocking" off \ + 14 $"Security Settings" off \ + 15 $"Change the name of this system" off \ + 16 $"Set a static local IP address" off \ + 17 $"Wifi menu" off \ + 18 $"Check for updates" off \ + 19 $"Power off the system" off \ + 20 $"Restart the system" off \ + 21 $"Exit" on 2> $data sel=$? case $sel in 1) exit 1;; 
@@ -2163,26 +2174,28 @@ function menu_top_level { 2) view_or_change_passwords;; 3) menu_backup_restore;; 4) show_firewall;; - 5) reset_tripwire;; - 6) menu_app_settings;; - 7) /usr/local/bin/addremove + 5) show_tripwire_verification_code + any_key;; + 6) reset_tripwire;; + 7) menu_app_settings;; + 8) /usr/local/bin/addremove if [ ! "$?" = "0" ]; then any_key fi ;; - 8) logging_on_off;; - 9) ping_enable_disable;; - 10) menu_users;; - 11) menu_email;; - 12) domain_blocking;; - 13) security_settings;; - 14) change_system_name;; - 15) set_static_IP;; - 16) menu_wifi;; - 17) check_for_updates;; - 18) shut_down_system;; - 19) restart_system;; - 20) break;; + 9) logging_on_off;; + 10) ping_enable_disable;; + 11) menu_users;; + 12) menu_email;; + 13) domain_blocking;; + 14) security_settings;; + 15) change_system_name;; + 16) set_static_IP;; + 17) menu_wifi;; + 18) check_for_updates;; + 19) shut_down_system;; + 20) restart_system;; + 21) break;; esac done } From 61d555737e9eaadae32a107eb290e3214d7106e5 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 13:32:34 +0100 Subject: [PATCH 04/50] Don't show tripwire code if database file doesn't exist --- src/freedombone-controlpanel | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index 7f99155c..de078ab2 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1269,6 +1269,9 @@ function security_settings { } function show_tripwire_verification_code { + if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then + return + fi clear echo '' echo $'Tripwire Verification Code' From 8f1df8243da12fcca006b6f0bc966b6821014075 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 14:10:44 +0100 Subject: [PATCH 05/50] tripwire exclusions to avoid triggering on routine updates --- src/freedombone-base-tripwire | 43 +++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) 
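Review bot: The new guard in show_tripwire_verification_code returns without any output, so from the menu (`5) show_tripwire_verification_code` followed by `any_key`) a host without `/var/lib/tripwire/${HOSTNAME}.twd` shows only the any-key prompt and the user cannot tell whether the feature failed or tripwire was never initialised; print a line before returning, e.g. `echo $'No tripwire database found. Use Reset Tripwire to create one.'`. `${HOSTNAME}` is unquoted in the test, as in the sha512sum call below it. show_tripwire_verification_code continues outside the hunk.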
diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire
index 4a4c9121..c778b40b 100755
--- a/src/freedombone-base-tripwire
+++ b/src/freedombone-base-tripwire
@@ -105,6 +105,11 @@ function install_tripwire {
 if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
 sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt
 fi
+ # Ignore /etc/freedombone
+ if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
+ sed -i '\|/etc\t\t->.*|a\ !/etc/freedombone ;' /etc/tripwire/twpol.txt
+ fi
+ # Ignore /etc/pihole
 if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then
 sed -i '\|/etc\t\t->.*|a\ !/etc/pihole ;' /etc/tripwire/twpol.txt
 fi
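Review bot: The guard on the new block greps for `!/etc/tripwire`, the marker of the block just above it, so once that earlier exclusion exists the `/etc/freedombone` stop point is never inserted and the commit has no effect on an already-configured host; the guard should be `if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then`. Patch 07 further down this series makes exactly that correction. install_tripwire continues outside the hunk.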
@@ -115,6 +120,44 @@ function install_tripwire { if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt fi + # Ignore additional install files + if ! grep -q '!/usr/local/bin/freedombone' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/freedombone* -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!=/usr/local/bin' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !=/usr/local/bin -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/addremove' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/addremove -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/backup' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/backup2friends' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup2friends -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/batman' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/batman -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/control' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/control -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/controluser' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/controluser -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/cronic' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/cronic -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/meshavahi' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/meshavahi -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! 
grep -q '!/usr/local/bin/restore' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restore -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + if ! grep -q '!/usr/local/bin/restorefromfriend' /etc/tripwire/twpol.txt; then + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restorefromfriend -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + fi + # Avoid logging the changed database sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt # site key name From cd96dc6fd7b72ad5ae1cfa30a3a234f9e2400e36 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 14:21:35 +0100 Subject: [PATCH 06/50] No routing --- src/freedombone-base-tripwire | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire index c778b40b..9b997695 100755 --- a/src/freedombone-base-tripwire +++ b/src/freedombone-base-tripwire 
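Review bot: Every one of the twelve new stop points names a project command that is executed as root (the control panel calls `/usr/local/bin/addremove`, and `/usr/local/bin/control` is among them), so excluding them removes precisely the files whose silent modification an integrity checker should surface; the update noise the commit message mentions is better handled by re-baselining after a planned upgrade, or by a rule whose property mask ignores timestamps but keeps the content hash, than by a `!` entry. As far as I know the twpol parser does not glob, so `!/usr/local/bin/freedombone* ;` names a literal path rather than the family of freedombone-* scripts, and a `!` stop point takes no `-> $(SEC_BIN)` mask (patch 06 below drops the masks). The twelve blocks differ only in the path and would be clearer as one loop over a list with a single grep/sed pair. install_tripwire continues outside the hunk.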
@@ -122,40 +122,40 @@ function install_tripwire { fi # Ignore additional install files if ! grep -q '!/usr/local/bin/freedombone' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/freedombone* -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/freedombone* ;' /etc/tripwire/twpol.txt fi if ! grep -q '!=/usr/local/bin' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !=/usr/local/bin -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !=/usr/local/bin ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/addremove' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/addremove -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/addremove ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/backup' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/backup2friends' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup2friends -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup2friends ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/batman' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/batman -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/batman ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/control' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/control -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/control ;' /etc/tripwire/twpol.txt fi if ! 
grep -q '!/usr/local/bin/controluser' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/controluser -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/controluser ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/cronic' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/cronic -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/cronic ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/meshavahi' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/meshavahi -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/meshavahi ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/restore' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restore -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restore ;' /etc/tripwire/twpol.txt fi if ! grep -q '!/usr/local/bin/restorefromfriend' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restorefromfriend -> $(SEC_BIN) ;' /etc/tripwire/twpol.txt + sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restorefromfriend ;' /etc/tripwire/twpol.txt fi # Avoid logging the changed database From b7f63f6ff1c8265f132744934b6b833a912b0c68 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 14:27:41 +0100 Subject: [PATCH 07/50] Directory name --- src/freedombone-base-tripwire | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire index 9b997695..0ab02ba1 100755 --- a/src/freedombone-base-tripwire +++ b/src/freedombone-base-tripwire 
@@ -106,7 +106,7 @@ function install_tripwire {
 sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt
 fi
 # Ignore /etc/freedombone
- if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
+ if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then
 sed -i '\|/etc\t\t->.*|a\ !/etc/freedombone ;' /etc/tripwire/twpol.txt
 fi
 # Ignore /etc/pihole
From b432410716031653d976893fecc4e697949c2a9a Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 16:13:43 +0100
Subject: [PATCH 08/50] Fixing tripwire policy
---
 src/freedombone-base-tripwire | 40 +++-------------------------------
 1 file changed, 3 insertions(+), 37 deletions(-)
diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire
index 0ab02ba1..fa7500b1 100755
--- a/src/freedombone-base-tripwire
+++ b/src/freedombone-base-tripwire
@@ -120,43 +120,9 @@ function install_tripwire { if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt fi - # Ignore additional install files - if ! grep -q '!/usr/local/bin/freedombone' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/freedombone* ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!=/usr/local/bin' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !=/usr/local/bin ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/addremove' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/addremove ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/backup' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/backup2friends' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/backup2friends ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/batman' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/batman ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/control' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/control ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/controluser' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/controluser ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/cronic' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/cronic ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/meshavahi' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/meshavahi ;' /etc/tripwire/twpol.txt - fi - if ! 
grep -q '!/usr/local/bin/restore' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restore ;' /etc/tripwire/twpol.txt - fi - if ! grep -q '!/usr/local/bin/restorefromfriend' /etc/tripwire/twpol.txt; then - sed -i '\|/usr/local/sbin.*|a\ !/usr/local/bin/restorefromfriend ;' /etc/tripwire/twpol.txt - fi + # Not much is in /usr/local/bin other than project commands and avoiding it removes + # problems with updates. This is a tradeoff, but not by much. + sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt # Avoid logging the changed database sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt From 6e57b1b33b3341e9cb63ab1fb1a63b1be05f0473 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 16:59:13 +0100 Subject: [PATCH 09/50] Don't lockdown on upgrade --- src/freedombone-upgrade | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/freedombone-upgrade b/src/freedombone-upgrade index f855433b..cdf44f06 100755 --- a/src/freedombone-upgrade +++ b/src/freedombone-upgrade @@ -13,7 +13,7 @@ # License # ======= # -# Copyright (C) 2015-2016 Bob Mottram +# Copyright (C) 2015-2017 Bob Mottram # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as published by @@ -97,11 +97,9 @@ if [ -d $PROJECT_DIR ]; then ${PROJECT_NAME} -c $CONFIGURATION_FILE if [ ! "$?" = "0" ]; then - lockdown_permissions exit 453536 fi - lockdown_permissions defrag_filesystem fi fi From 8aec3e3da3494114424a5ad6ca3b41d7914227ad Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 17:25:27 +0100 Subject: [PATCH 10/50] Tripwire ignores global node modules --- src/freedombone-base-tripwire | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/freedombone-base-tripwire b/src/freedombone-base-tripwire index fa7500b1..11159fd3 100755 --- a/src/freedombone-base-tripwire +++ b/src/freedombone-base-tripwire 
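Review bot: `sed -i '/\/usr\/local\/bin/d'` removes every policy line that mentions /usr/local/bin, and while the comment calls this a small tradeoff, the directory holds the project's own root-executed commands (the control panel invokes `/usr/local/bin/addremove`, and the archive-mail and upgrade scripts in later patches of this series are sourced from there), so a tampered copy is exactly what tripwire would otherwise report. The "problems with updates" are better solved by re-baselining after a planned upgrade, which the control panel's reset_tripwire already provides, than by dropping the rule; if the exclusion stays, the comment should state the consequence, e.g. `# NOTE: /usr/local/bin (project commands run as root) is not integrity-checked; run Reset Tripwire after upgrades instead`. Unlike the grep-guarded inserts above it, the deletion is unconditional and will also strip any rule a local administrator added for that directory. install_tripwire continues outside the hunk.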
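Review bot: Removing `lockdown_permissions` from both paths after `${PROJECT_NAME} -c $CONFIGURATION_FILE` means nothing in the upgrade re-tightens modes on files the configuration step rewrote, and this script appears to be the one installed into /etc/cron.weekly by create_upgrade_script later in the series, so it runs unattended; if the motivation is that the lockdown perturbs tripwire-monitored attributes, running it and then re-baselining is safer than skipping it. Patch 15 adds the lockdown only to the manual reset_tripwire path in the control panel, which does not cover unattended upgrades. At minimum the commit message or a comment at the removed call site should say what now restores permissions after an upgrade.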
@@ -120,6 +120,11 @@ function install_tripwire {
 if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
 sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
 fi
+ # ignore global node modules
+ if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
+ sed -i '\|/etc\t\t->.*|a\ !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
+ fi
+
 # Not much is in /usr/local/bin other than project commands and avoiding it removes
 # problems with updates. This is a tradeoff, but not by much.
 sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt
From 5914a8c19031e82cca789bba34bff7948a2e8de1 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sat, 5 Aug 2017 17:48:08 +0100
Subject: [PATCH 11/50] Check inadyn commit
---
 src/freedombone-utils-web | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index 242e8a90..3856d883 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -425,6 +425,11 @@ function install_dynamicdns {
 return
 fi
 
+ CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")
+ if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then
+ return
+ fi
+
 # update to the next commit
 function_check set_repo_commit
 set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
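Review bot: Stop-pointing `/usr/local/lib/node_modules` takes globally installed Node packages out of the baseline, so if an installed app runs a service from there an altered module is no longer reported; that is the same tradeoff as the /usr/local/bin deletion immediately below and deserves a comment that says so, e.g. `# global node modules are not integrity-checked; apps that run them must be re-baselined after updates`, rather than `# ignore global node modules`. The insert address `\|/etc\t\t->.*|` files a /usr/local path among the /etc rules; that works for a stop point but reads oddly next to the /etc entries. install_tripwire continues outside the hunk.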
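Review bot: The early return compares the recorded completion parameter with `$INADYN_COMMIT` but never looks at `$INSTALL_DIR/inadyn` itself, so a checkout that was removed or altered after the parameter was written is left alone while the parameter still reports it current; `if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" && -d "$INSTALL_DIR/inadyn" ]]; then` keeps the short-circuit safe, presuming set_repo_commit expects that directory (verify). The new lines are quoted consistently, whereas the surrounding set_repo_commit call leaves `$INSTALL_DIR/inadyn` and `$INADYN_REPO` bare. install_dynamicdns continues outside the hunk.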
@@ -497,16 +497,35 @@ function email_archiving { # ensure that the mail archive script is up to date if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then - cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + if [ ! -f /etc/cron.daily/archivemail ]; then + cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + chmod +x /etc/cron.daily/archivemail + else + HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + chmod +x /etc/cron.daily/archivemail + fi + fi else if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then - cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + if [ ! -f /etc/cron.daily/archivemail ]; then + cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + chmod +x /etc/cron.daily/archivemail + else + HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail + chmod +x /etc/cron.daily/archivemail + fi + fi else echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed." exit 62379 fi fi - chmod +x /etc/cron.daily/archivemail # update to the next commit function_check set_repo_commit From 7586c716d4e54a3c57b7ae9327da15bd970b6e1c Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 18:01:56 +0100 Subject: [PATCH 13/50] Only copy cleanup script if it has changed --- src/freedombone-base-email | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 842bb73c..4e576aee 100755 
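Review bot: In the `/usr/bin/${PROJECT_NAME}-archive-mail` branch the comparison and the copy still read `/usr/local/bin/${PROJECT_NAME}-archive-mail`, a file the enclosing `if` has just found absent, so on such hosts sha256sum fails, HASH1 is empty and therefore never equals HASH2, and the `cp` then fails on every run instead of refreshing the cron script; both lines should use `/usr/bin`: `HASH1=$(sha256sum /usr/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')` and `cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail`. The two branches are otherwise identical and would collapse into one by choosing the source path first and doing the compare-and-copy once. email_archiving continues outside the hunk.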
--- a/src/freedombone-base-email +++ b/src/freedombone-base-email @@ -545,7 +545,15 @@ function email_archiving { git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT set_completion_param "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT" - cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + if [ ! -f /usr/bin/cleanup-maildir ]; then + cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + else + HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + fi + fi mark_completed $FUNCNAME } From db091e1d723c7c5ea72e5a8e7d03d45ef2d50aef Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 20:08:57 +0100 Subject: [PATCH 14/50] Only update files when they change --- src/freedombone-app-keyserver | 14 ++++++++++++-- src/freedombone-base-email | 19 +++++++++++++++---- src/freedombone-client | 2 +- src/freedombone-utils-git | 4 ++-- src/freedombone-utils-setup | 4 +++- src/freedombone-utils-upgrade | 11 ++++++++++- src/freedombone-utils-web | 26 ++++++++++++++++++++++++-- 7 files changed, 67 insertions(+), 13 deletions(-) diff --git a/src/freedombone-app-keyserver b/src/freedombone-app-keyserver index c2299b99..7001920d 100755 --- a/src/freedombone-app-keyserver +++ b/src/freedombone-app-keyserver @@ -66,7 +66,7 @@ function keyserver_watchdog { read_config_param KEYSERVER_DOMAIN_NAME # check database size hourly - keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog + keyserver_watchdog_script=/tmp/keyserver-watchdog echo '#!/bin/bash' > $keyserver_watchdog_script echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script 
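Review bot: This is the third copy in the series of the same "missing or hash differs, then cp" block (email_archiving has two in patch 12, and patch 14 adds more for keyserver-watchdog, update-gpg-keys and the letsencrypt scripts), each re-deriving HASH1/HASH2 through sha256sum and awk; a single helper that compares content directly removes the repetition and the risk of the copy-paste slip seen in patch 12. `cmp -s` (diffutils) does the byte comparison without the awk step, and the helper can then be used at every site. email_archiving continues outside the hunk.
```shell
# Copy src to dst only when dst is absent or its content differs from src.
# Arguments: $1 - source file, $2 - destination file
function copy_if_changed {
    local src="$1"
    local dst="$2"
    if [ ! -f "$dst" ] || ! cmp -s -- "$src" "$dst"; then
        cp "$src" "$dst"
    fi
}

# … unchanged: git checkout and set_completion_param …
copy_if_changed $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin/cleanup-maildir
```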
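Review bot: `keyserver_watchdog_script=/tmp/keyserver-watchdog` is a fixed, predictable name in a world-writable directory, and the `echo … > $keyserver_watchdog_script` lines that follow run as root; if another local account has already placed a file or symlink at that name, root truncates and writes through it, and the content the next hunk installs into /etc/cron.hourly is read back from a path that account can also modify in between. Use `keyserver_watchdog_script=$(mktemp)` (the file is removed after the copy in the next hunk anyway) or stage the script in a root-owned directory. The same pattern is introduced in this patch at `/tmp/update-gpg-keys` in refresh_gpg_keys and at `/tmp/renewals_letsencrypt` and `/tmp/renewals_retry_letsencrypt` in letsencrypt_renewals. keyserver_watchdog continues outside the hunk.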
@@ -80,8 +80,18 @@ function keyserver_watchdog { echo " echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script echo ' fi' >> $keyserver_watchdog_script echo 'fi' >> $keyserver_watchdog_script - chmod +x $keyserver_watchdog_script + + if [ ! -f /etc/cron.hourly/keyserver-watchdog ]; then + cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog + else + HASH1=$(sha256sum $keyserver_watchdog_script | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.hourly/keyserver-watchdog | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog + fi + fi + rm $keyserver_watchdog_script } diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 4e576aee..22bf49cf 100755 --- a/src/freedombone-base-email +++ b/src/freedombone-base-email @@ -326,11 +326,10 @@ function encrypt_all_email { fi if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then - cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + cp -u /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir else - cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + cp -u /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir fi - chmod +x /usr/bin/encmaildir if [[ $(is_completed $FUNCNAME) == "1" ]]; then return @@ -1648,7 +1647,7 @@ function configure_gpg { } function refresh_gpg_keys { - REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys + REFRESH_GPG_KEYS_SCRIPT=/tmp/update-gpg-keys echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT 
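Review bot: Dropping `chmod +x $keyserver_watchdog_script` leaves the staged file with the default mode from `>`, and on a host where /etc/cron.hourly/keyserver-watchdog does not yet exist the `cp` in the `! -f` branch creates it with that non-executable mode, so run-parts skips it; on existing hosts the copy keeps the destination's mode, which is why an upgrade would not show the problem. Keep `chmod +x $keyserver_watchdog_script` before the `if`, or use `install -m 0755 $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog` in both branches. The refresh_gpg_keys hunk below keeps its chmod, and the encrypt_all_email hunk relies on `cp -u` copying the source mode after its own chmod was removed, so the three sites are now inconsistent. keyserver_watchdog continues outside the hunk.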
@@ -1658,6 +1657,18 @@ function refresh_gpg_keys { echo 'exit 0' >> $REFRESH_GPG_KEYS_SCRIPT chmod +x $REFRESH_GPG_KEYS_SCRIPT + if [ ! -f /usr/bin/update-gpg-keys ]; then + cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys + else + HASH1=$(sha256sum $REFRESH_GPG_KEYS_SCRIPT | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/update-gpg-keys | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys + fi + rm $REFRESH_GPG_KEYS_SCRIPT + fi + + REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab fi diff --git a/src/freedombone-client b/src/freedombone-client index 6893872c..8645f15b 100755 --- a/src/freedombone-client +++ b/src/freedombone-client @@ -96,7 +96,7 @@ function refresh_gpg_keys { fi sudo cp /etc/crontab ~/temp_crontab sudo chown $CURR_USER:$CURR_GROUP ~/temp_crontab - if ! grep -q "gpg --refresh-keys" ~/temp_crontab; then + if ! grep -q 'gpg --refresh-keys' ~/temp_crontab; then echo "0 */$REFRESH_GPG_KEYS_HOURS * * * $CURR_USER /usr/bin/gpg --refresh-keys > /dev/null" >> ~/temp_crontab sudo cp ~/temp_crontab /etc/crontab sudo chown root:root /etc/crontab diff --git a/src/freedombone-utils-git b/src/freedombone-utils-git index 310e64e4..883be12d 100755 --- a/src/freedombone-utils-git +++ b/src/freedombone-utils-git @@ -95,10 +95,10 @@ function set_repo_commit { chown -R www-data:www-data $repo_dir fi if [[ $repo_dir == *"gpgit" ]]; then - cp gpgit.pl /usr/bin/gpgit.pl + cp -u gpgit.pl /usr/bin/gpgit.pl fi if [[ $repo_dir == *"cleanup-maildir" ]]; then - cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + cp -u $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin fi if [[ $repo_dir == *"nginx_ensite" ]]; then make install diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index f525ef99..e0fbe7f1 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
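Review bot: `rm $REFRESH_GPG_KEYS_SCRIPT` sits inside the `else` branch only, so on a first install (the `! -f /usr/bin/update-gpg-keys` path) the staged /tmp/update-gpg-keys is left behind; move the `rm` to after the `fi`, as the keyserver and letsencrypt hunks in this patch do. The reassignment `REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys` exists so the crontab lines below point at the installed copy rather than the staging file, which is easy to miss on reading; a comment such as `# crontab must reference the installed copy, not the staging file` would make it explicit. refresh_gpg_keys continues outside the hunk.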
@@ -145,7 +145,9 @@ function separate_tmp_filesystem { } function proc_filesystem_settings { - sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab + if ! grep -q "proc proc defaults,nodev,nosuid " /etc/fstab; then + sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab + fi } function remove_bluetooth { diff --git a/src/freedombone-utils-upgrade b/src/freedombone-utils-upgrade index e3aebd5c..2b0894fc 100755 --- a/src/freedombone-utils-upgrade +++ b/src/freedombone-utils-upgrade @@ -32,7 +32,16 @@ UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade" function create_upgrade_script { - cp $(which ${PROJECT_NAME}-upgrade) /etc/cron.weekly/$UPGRADE_SCRIPT_NAME + upgrade_command_file=$(which ${PROJECT_NAME}-upgrade) + if [ ! -f /etc/cron.weekly/$UPGRADE_SCRIPT_NAME ]; then + cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME + else + HASH1=$(sha256sum $upgrade_command_file | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.weekly/$UPGRADE_SCRIPT_NAME | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME + fi + fi if [[ $(is_completed $FUNCNAME) == "1" ]]; then return diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web index 3856d883..1aa1de9d 100755 --- a/src/freedombone-utils-web +++ b/src/freedombone-utils-web @@ -318,8 +318,8 @@ function letsencrypt_renewals { return fi - renewals_script=/etc/cron.monthly/letsencrypt - renewals_retry_script=/etc/cron.daily/letsencrypt + renewals_script=/tmp/renewals_letsencrypt + renewals_retry_script=/tmp/renewals_retry_letsencrypt renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed' renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal' 
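Review bot: `upgrade_command_file=$(which ${PROJECT_NAME}-upgrade)` is never checked, so if the command is not on PATH the variable is empty and the `cp` or `sha256sum` below fails with an unrelated message while the function carries on; guard it with `[ -n "$upgrade_command_file" ] || { echo "${PROJECT_NAME}-upgrade not found"; exit 1; }` using whatever exit code convention the file follows, and prefer `command -v` over `which`. Since this copies the script into /etc/cron.weekly, where it runs unattended as root, the content check is the right idea and the helper suggested for the cleanup-maildir hunk would apply here too. create_upgrade_script continues outside the hunk.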
@@ -361,6 +361,17 @@ function letsencrypt_renewals { echo 'fi' >> $renewals_script chmod +x $renewals_script + if [ ! -f /etc/cron.monthly/letsencrypt ]; then + cp $renewals_script /etc/cron.monthly/letsencrypt + else + HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $renewals_script /etc/cron.monthly/letsencrypt + fi + fi + rm $renewals_script + # a secondary script keeps trying to renew after a failure echo '#!/bin/bash' > $renewals_retry_script echo '' >> $renewals_retry_script @@ -398,6 +409,17 @@ function letsencrypt_renewals { echo ' fi' >> $renewals_retry_script echo 'fi' >> $renewals_retry_script chmod +x $renewals_retry_script + + if [ ! -f /etc/cron.daily/letsencrypt ]; then + cp $renewals_retry_script /etc/cron.daily/letsencrypt + else + HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $renewals_retry_script /etc/cron.daily/letsencrypt + fi + fi + rm $renewals_retry_script } function configure_php { From a15759e39402ad6c596b4813267c24faa4e13e67 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 20:13:11 +0100 Subject: [PATCH 15/50] Lockdown before tripwire reset --- src/freedombone-controlpanel | 1 + 1 file changed, 1 insertion(+) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index de078ab2..1732f9b2 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1294,6 +1294,7 @@ function reset_tripwire { any_key return fi + lockdown_permissions clear echo $'Creating configuration...' echo ' From 1b6782f12afcfa09d0d6f4e9674321798e6386f5 Mon Sep 17 00:00:00 2001 
From: Bob Mottram Date: Sat, 5 Aug 2017 20:21:14 +0100 Subject: [PATCH 16/50] Remove clears --- src/freedombone-controlpanel | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index 1732f9b2..fccf8bf2 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1272,7 +1272,7 @@ function show_tripwire_verification_code { if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then return fi - clear + #clear echo '' echo $'Tripwire Verification Code' echo '' @@ -1295,7 +1295,7 @@ function reset_tripwire { return fi lockdown_permissions - clear + #clear echo $'Creating configuration...' echo ' From 50867e77703ee826fd804490bdbe957e8c4b5e3e Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 20:22:45 +0100 Subject: [PATCH 17/50] Clear before lockdown --- src/freedombone-controlpanel | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index fccf8bf2..b3693131 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1272,7 +1272,7 @@ function show_tripwire_verification_code { if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then return fi - #clear + clear echo '' echo $'Tripwire Verification Code' echo '' @@ -1294,8 +1294,8 @@ function reset_tripwire { any_key return fi + clear lockdown_permissions - #clear echo $'Creating configuration...' echo ' From 9cf9388131d2432f9178e478e00312773a7c5a41 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 20:24:46 +0100 Subject: [PATCH 18/50] Indicate permissions lockdown --- src/freedombone-controlpanel | 1 + 1 file changed, 1 insertion(+) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index b3693131..281a83e8 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel 
@@ -1295,6 +1295,7 @@ function reset_tripwire { return fi clear + echo $'Locking down permissions...' lockdown_permissions echo $'Creating configuration...' echo ' From f703a959717af4a1749b4986d296d5a1b95df2e1 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 20:41:21 +0100 Subject: [PATCH 19/50] Only copy stig tests script if it changes --- src/freedombone-utils-cron | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/src/freedombone-utils-cron b/src/freedombone-utils-cron index 13e19f55..5fa3dd14 100755 --- a/src/freedombone-utils-cron +++ b/src/freedombone-utils-cron 
@@ -78,18 +78,30 @@ function randomize_cron { } function schedule_stig_tests { - echo '#!/bin/bash' > /etc/cron.daily/stig_tests - echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> /etc/cron.daily/stig_tests - echo "pkill ${PROJECT_NAME}-tests" >> /etc/cron.daily/stig_tests - echo 'rm -rf /tmp/*' >> /etc/cron.daily/stig_tests - echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> /etc/cron.daily/stig_tests - echo 'if [ ! "$?" = "0" ]; then' >> /etc/cron.daily/stig_tests - echo " echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> /etc/cron.daily/stig_tests - echo 'fi' >> /etc/cron.daily/stig_tests - echo 'if [ -f /tmp/daily-stig-tests ]; then' >> /etc/cron.daily/stig_tests - echo ' rm /tmp/daily-stig-tests' >> /etc/cron.daily/stig_tests - echo 'fi' >> /etc/cron.daily/stig_tests - chmod +x /etc/cron.daily/stig_tests + stig_tests_script=/tmp/stig_tests_script + echo '#!/bin/bash' > $stig_tests_script + echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> $stig_tests_script + echo "pkill ${PROJECT_NAME}-tests" >> $stig_tests_script + echo 'rm -rf /tmp/*' >> $stig_tests_script + echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> $stig_tests_script + echo 'if [ ! "$?" = "0" ]; then' >> $stig_tests_script + echo " echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> $stig_tests_script + echo 'fi' >> $stig_tests_script + echo 'if [ -f /tmp/daily-stig-tests ]; then' >> $stig_tests_script + echo ' rm /tmp/daily-stig-tests' >> $stig_tests_script + echo 'fi' >> $stig_tests_script + chmod +x $stig_tests_script + + if [ ! 
-f /etc/cron.daily/stig_tests ]; then + cp $stig_tests_script /etc/cron.daily/stig_tests + else + HASH1=$(sha256sum $stig_tests_script | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/cron.daily/stig_tests | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $stig_tests_script /etc/cron.daily/stig_tests + fi + fi + rm $stig_tests_script } # NOTE: deliberately there is no "exit 0" From bbcc17f2d1bdaaf6827fb1c3bfb1e28e19f8f059 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 21:16:37 +0100 Subject: [PATCH 20/50] Only copy files which have changed --- src/freedombone-base-email | 20 ++++++++++++++++++-- src/freedombone-utils-firewall | 7 +++++-- src/freedombone-utils-git | 24 +++++++++++++++++++++--- 3 files changed, 44 insertions(+), 7 deletions(-) diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 22bf49cf..68f75862 100755 --- a/src/freedombone-base-email +++ b/src/freedombone-base-email 
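Review bot: `stig_tests_script=/tmp/stig_tests_script` is a fixed name in /tmp; use `stig_tests_script=$(mktemp)` so the file being assembled cannot be pre-placed or shared with another user. The script being written here itself contains `rm -rf /tmp/*`, so if the daily job fires while schedule_stig_tests is running, the temporary file is gone before the copy into /etc/cron.daily. The variable is also not declared `local` and leaks into the caller's scope.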
@@ -326,9 +326,25 @@ function encrypt_all_email { fi if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then - cp -u /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + if [ ! -f /usr/bin/encmaildir ]; then + cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + else + HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + fi + fi else - cp -u /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + if [ ! -f /usr/bin/encmaildir ]; then + cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + else + HASH1=$(sha256sum /usr/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir + fi + fi fi if [[ $(is_completed $FUNCNAME) == "1" ]]; then diff --git a/src/freedombone-utils-firewall b/src/freedombone-utils-firewall index 0c646f34..d82306ac 100755 --- a/src/freedombone-utils-firewall +++ b/src/freedombone-utils-firewall @@ -90,10 +90,13 @@ function firewall_block_bad_ip_ranges { function global_rate_limit { if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf + sysctl -p -q else - sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf + if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then + sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf + sysctl -p -q + fi fi - sysctl -p -q } function enable_ipv6 { diff --git a/src/freedombone-utils-git b/src/freedombone-utils-git index 883be12d..34a8b1d8 100755 --- a/src/freedombone-utils-git 
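Review bot: The two branches differ only in the source path, so the exists/hash/compare logic is written out twice; pick the source once and install once: `src=/usr/bin/${PROJECT_NAME}-encrypt-mail`, `[ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ] && src=/usr/local/bin/${PROJECT_NAME}-encrypt-mail`, `cmp -s "$src" /usr/bin/encmaildir || cp "$src" /usr/bin/encmaildir`. `cmp -s` exits non-zero when the destination is missing, so the separate `-f` test on /usr/bin/encmaildir is not needed. encrypt_all_email begins and ends outside the hunk.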
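Review bot: The new guard `grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf` is not anchored to the start of the line, so a commented-out copy of the setting (`#net.ipv4.tcp_challenge_ack_limit = 999999999`) satisfies it and both the `sed` and `sysctl -p -q` are skipped permanently while the kernel default stays in force. Anchor both greps, `grep -q '^net.ipv4.tcp_challenge_ack_limit = 999999999' /etc/sysctl.conf`, and use `-F` for these literal matches so the dots are not treated as wildcards. The other `grep -q` guards added in this series share the unanchored-match property and are worth reviewing the same way.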
+++ b/src/freedombone-utils-git @@ -95,13 +95,31 @@ function set_repo_commit { chown -R www-data:www-data $repo_dir fi if [[ $repo_dir == *"gpgit" ]]; then - cp -u gpgit.pl /usr/bin/gpgit.pl + if [ ! -f /usr/bin/gpgit.pl ]; then + cp gpgit.pl /usr/bin/gpgit.pl + else + HASH1=$(sha256sum gpgit.pl | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/gpgit.pl | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp gpgit.pl /usr/bin/gpgit.pl + fi + fi fi if [[ $repo_dir == *"cleanup-maildir" ]]; then - cp -u $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + if [ ! -f /usr/bin/cleanup-maildir ]; then + cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + else + HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin + fi + fi fi if [[ $repo_dir == *"nginx_ensite" ]]; then - make install + if [ ! -f /usr/local/bin/nginx_ensite ]; then + make install + fi fi if [[ $repo_dir == *"inadyn" ]]; then ./configure From c713c613c95c6326aa0f95007164fccec30041a1 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 22:11:02 +0100 Subject: [PATCH 21/50] Don't repeatedly config congestion control --- src/freedombone-utils-setup | 49 +++++++++++++++++++++++++++++++------ src/freedombone-utils-web | 16 +++++++++--- 2 files changed, 54 insertions(+), 11 deletions(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index e0fbe7f1..33833bf2 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
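Review bot: Guarding `make install` with `[ ! -f /usr/local/bin/nginx_ensite ]` turns "copy only if changed" into "install only once": when set_repo_commit moves the nginx_ensite checkout to a newer commit, the installed copy is never refreshed. Compare the checked-out script with the installed one as the gpgit and cleanup-maildir branches do, e.g. `cmp -s nginx_ensite /usr/local/bin/nginx_ensite || make install` (the name of the script inside the checkout is assumed here and should be confirmed). set_repo_commit begins and ends outside the hunk.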
@@ -667,12 +667,45 @@ function setup_firewall { function setup_powerline { if [ -f ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then - cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash - cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + if [ ! -f ~/.powerline.bash ]; then + cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash + else + HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}') + HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash + fi + fi + if [ ! -f /etc/skel/.powerline.bash ]; then + cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + else + HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + fi + fi else if [ -f /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then - cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash - cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + if [ ! -f ~/.powerline.bash ]; then + cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash + else + HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}') + HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash + fi + fi + + if [ ! 
-f /etc/skel/.powerline.bash ]; then + cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + else + HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}') + HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}') + if [[ "$HASH1" != "$HASH2" ]]; then + cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash + fi + fi fi fi if ! grep -q "powerline" ~/.bashrc; then @@ -689,9 +722,11 @@ function setup_powerline { function congestion_control { # see /proc/sys/net/ipv4/tcp_congestion_control - echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf - echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf - sysctl --system + if [ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]; then + echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf + echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf + sysctl --system + fi } function setup_utils { diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web index 1aa1de9d..76399a90 100755 --- a/src/freedombone-utils-web +++ b/src/freedombone-utils-web 
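Review bot: Four copies of the exists/hash/compare block now make up the body of setup_powerline, differing only in source and destination path, and the source selection is effectively done twice (outer `if`/`else` plus inner `if`). Choosing the source path once and looping over the two destinations with `cmp -s` reduces the function to a dozen lines with identical effect, including the "neither source exists, do nothing" case; the rewrite below leaves the `~/.bashrc` handling after the hunk untouched. setup_powerline continues outside the hunk.
```shell
function setup_powerline {
    local powerline_src="$HOME/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline"
    if [ ! -f "$powerline_src" ]; then
        powerline_src="/home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline"
    fi
    if [ -f "$powerline_src" ]; then
        local powerline_dst
        for powerline_dst in "$HOME/.powerline.bash" /etc/skel/.powerline.bash; do
            # cmp -s exits non-zero when the destination is missing or differs
            if ! cmp -s "$powerline_src" "$powerline_dst"; then
                cp "$powerline_src" "$powerline_dst"
            fi
        done
    fi
    # … unchanged: ~/.bashrc powerline hook …
```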
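Review bot: `[ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]` keys the update on the file's existence, so any later change to the two sysctl values is never written and `sysctl --system` is never re-run once the file exists. Test the content instead, `if ! grep -q 'tcp_congestion_control=bbr' /etc/sysctl.d/10-custom-kernel-bbr.conf 2>/dev/null; then`, which covers both the missing-file and the stale-content case.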
@@ -789,11 +789,19 @@ function update_default_domain { cp /etc/ssl/certs/xmpp* /etc/prosody/certs if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then usermod -a -G ssl-cert prosody - sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua - sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua + if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua + fi + if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then + sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua + fi - sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua - sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua + if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then + sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua + fi + if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then + sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua + fi fi if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then From bd86c4b19ad6c3a03514ef267f823f6b47b1b710 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 22:15:32 +0100 Subject: [PATCH 22/50] Only remove motd instructions once --- src/freedombone-utils-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index 33833bf2..1fe5e0c3 100755 --- a/src/freedombone-utils-setup 
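Review bot: The four new `grep -q`/`sed -i` pairs sit under `if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then`, the context line directly above them, which is a non-empty-string test and is therefore always true; the Prosody configuration is repointed at the certificate and key even when neither file exists. It should read `if [ -f /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then`. The two config files and two patterns could also be handled by a single loop over `/etc/prosody/conf.avail/xmpp.cfg.lua /etc/prosody/prosody.cfg.lua` rather than four copies. update_default_domain begins and ends outside the hunk.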
+++ b/src/freedombone-utils-setup @@ -379,7 +379,9 @@ function mark_admin_user_account { } function remove_instructions_from_motd { - sed -i '/## /d' /etc/motd + if grep -q "## " /etc/motd; then + sed -i '/## /d' /etc/motd + fi } function remove_default_user { From 259e061dcf34706d447f80f1e1b524d54dffa6d4 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 22:23:52 +0100 Subject: [PATCH 23/50] Turing rsyslog on or off --- src/freedombone-controlpanel | 2 ++ src/freedombone-logging | 6 ++++++ src/freedombone-utils-setup | 3 +++ 3 files changed, 11 insertions(+) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index 281a83e8..49c1108b 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -1295,6 +1295,8 @@ function reset_tripwire { return fi clear + echo $'Turing off logging...' + ${PROJECT_NAME}-logging off echo $'Locking down permissions...' lockdown_permissions echo $'Creating configuration...' diff --git a/src/freedombone-logging b/src/freedombone-logging index 2bc9ea74..5e6bbf53 100755 --- a/src/freedombone-logging +++ b/src/freedombone-logging @@ -83,6 +83,9 @@ function turn_logging_off { } function turn_off_rsys_logging { + if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + return + fi sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf @@ -106,6 +109,9 @@ function turn_off_rsys_logging { } function turn_on_rsys_logging { + if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + return + fi sed -i 's|mail,news.none.*|mail,news.none -/var/log/messages|g' /etc/rsyslog.conf sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /var/log/auth.log|g' /etc/rsyslog.conf sed -i 's|mail.info.*|mail.info -/var/log/mail.info|g' /etc/rsyslog.conf diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index 1fe5e0c3..07e30de8 100755 
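Review bot: The user-facing message `echo $'Turing off logging...'` has a typo and should read `echo $'Turning off logging...'` (the commit subject has the same slip). Turning logging off before the tripwire baseline is generated is the right order, but the exit status of `${PROJECT_NAME}-logging off` is ignored, so a failure there is silently folded into the reset; `${PROJECT_NAME}-logging off || echo $'WARNING: could not turn logging off' >&2` would surface it. reset_tripwire begins and ends outside the hunk.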
--- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -208,6 +208,9 @@ function install_backports_kernel { } function turn_off_rsys_logging { + if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + return + fi sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf From 7e24becb9cc25d2a960815f8ab76cc04757b5743 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 23:00:46 +0100 Subject: [PATCH 24/50] Only disable ctrl-alt-del once --- src/freedombone-utils-setup | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index 07e30de8..c8962404 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -500,7 +500,10 @@ function set_sticky_bits { } function disable_ctrl_alt_del { - ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target + ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target) + if [[ "$ctrl_alt_del" != *'/dev/null' ]]; then + ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target + fi } function lockdown_permissions { From c1650ae415ad4f1075c24e791a547382600ed798 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 23:07:31 +0100 Subject: [PATCH 25/50] Only update limits when needed --- src/freedombone-utils-setup | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index c8962404..fd772f62 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
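Review bot: `ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target)` parses `ls` output and, on the first run when the target does not exist yet, prints an error to stderr before falling through to the `ln`. Read the link directly instead: `if [[ "$(readlink -f /etc/systemd/system/ctrl-alt-del.target 2>/dev/null)" != /dev/null ]]; then`. `systemctl mask ctrl-alt-del.target` is an idempotent alternative if you prefer systemd to own the symlink, and the variable should be `local` either way.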
@@ -473,14 +473,18 @@ function limit_user_logins { if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then echo '* hard maxsyslogins 10' >> /etc/security/limits.conf else - sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf + if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then + sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf + fi fi # Max logins for each user if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then echo '* hard maxlogins 2' >> /etc/security/limits.conf else - sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf + if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then + sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf + fi fi } @@ -609,10 +613,12 @@ function lockdown_permissions { } function disable_core_dumps { - if ! grep -q '* hard core 0' /etc/security/limits.conf; then + if ! grep -q '* hard core' /etc/security/limits.conf; then echo '* hard core 0' >> /etc/security/limits.conf else - sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf + if ! grep -q '* hard core 0' /etc/security/limits.conf; then + sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf + fi fi } From f7f323b763486a76a1231760e5eaa8d42f6d772d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 23:13:28 +0100 Subject: [PATCH 26/50] Only change pam values when needed --- src/freedombone-utils-setup | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index fd772f62..c8bed2c4 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
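Review bot: Exact-value guards such as `grep -q '* hard maxsyslogins 10' /etc/security/limits.conf` match only the single-space spelling this script writes; a line an administrator aligned with tabs or extra spaces is reported as absent and `sed -i` rewrites the file on every run, which defeats the idempotency this series is after. Match on whitespace-separated fields and anchor to the line start so commented examples are ignored: `grep -qE '^\*[[:space:]]+hard[[:space:]]+maxsyslogins[[:space:]]+10([[:space:]]|$)' /etc/security/limits.conf`, and likewise for `hard maxlogins 2` and for `hard core 0` in disable_core_dumps. Relying on GNU grep reading a leading `*` as a literal is also better avoided by escaping it or using `-F`.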
@@ -458,13 +458,17 @@ function set_max_login_tries { if ! grep -q ' deny=' /etc/pam.d/common-auth; then sed -i "/pam_deny.so/a auth required\t\t\tpam_tally.so onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth else - sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth + if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then + sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth + fi fi if ! grep -q ' deny=' /etc/pam.d/common-account; then sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account else - sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account + if ! grep -q " deny=$max_tries" /etc/pam.d/common-account; then + sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account + fi fi } @@ -630,7 +634,9 @@ function dummy_nologin_command { } function disable_null_passwords { - sed -i 's| nullok_secure||g' /etc/pam.d/common-auth + if grep -q ' nullok_secure' /etc/pam.d/common-auth; then + sed -i 's| nullok_secure||g' /etc/pam.d/common-auth + fi } function create_usb_canary { From c8de324376b646ea7138cbbb6b85454693a59457 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sat, 5 Aug 2017 23:16:37 +0100 Subject: [PATCH 27/50] Only change login umask when needed --- src/freedombone-utils-setup | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index c8bed2c4..9d204f4a 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -437,7 +437,9 @@ function remove_management_engine_interface { } function set_login_umask { - sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs + if ! grep -q 'UMASK\t\t077' /etc/login.defs; then + sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs + fi } function disable_deferred_execution { From 42754613df138c9b38165e113f9f99e87a4f83e9 Mon Sep 17 00:00:00 2001 
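Review bot: `grep -q " deny=$max_tries" /etc/pam.d/common-auth` is a prefix match, so if `max_tries` is 3 a line carrying `deny=30` satisfies the guard and the `sed` correction is skipped (the value of `max_tries` is set outside the hunk, so this assumes it is a plain integer). Terminate the match, `grep -qE " deny=${max_tries}([[:space:]]|$)" /etc/pam.d/common-auth`. set_max_login_tries begins outside the hunk.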
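Review bot: `grep -q 'UMASK\t\t077' /etc/login.defs` does not match a tab: in grep's basic regex `\t` is not an escape for TAB (GNU grep treats the stray backslash as a literal `t`, and recent versions warn about it), while the `sed` on the next line does write real tabs. The guard therefore never matches and login.defs is rewritten on every run. Pass a real tab or a character class instead: `if ! grep -qE $'^UMASK\t+077' /etc/login.defs; then`, or `'^UMASK[[:space:]]+077'`.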
From: Bob Mottram Date: Sat, 5 Aug 2017 23:30:38 +0100 Subject: [PATCH 28/50] xmpp logging conditions --- src/freedombone-app-xmpp | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp index 2ae11a3b..832cf9d9 100755 --- a/src/freedombone-app-xmpp +++ b/src/freedombone-app-xmpp 
@@ -65,19 +65,23 @@ function logging_on_xmpp { mkdir /var/log/prosody chown root:adm /var/log/prosody fi - sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua - sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua - sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua + if ! grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then + sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua + sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua + sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua + fi fi } function logging_off_xmpp { if [ -d /etc/prosody ]; then - sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua - sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua - sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua - $REMOVE_FILES_COMMAND /var/log/prosody/* - rm -rf /var/log/prosody + if grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then + sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua + sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua + sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua + $REMOVE_FILES_COMMAND /var/log/prosody/* + rm -rf /var/log/prosody + fi fi } From 267851bd898208380bb9af6a4014c07b7efbcfbb Mon Sep 17 00:00:00 2001 
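Review bot: In logging_off_xmpp the removal of `/var/log/prosody` is now inside the config-state guard, so when the configuration already points at /dev/null but log files remain from an earlier period they are kept. Keep the `sed` edits guarded but run the cleanup whenever the directory exists: `if [ -d /var/log/prosody ]; then $REMOVE_FILES_COMMAND /var/log/prosody/*; rm -rf /var/log/prosody; fi`. logging_on_xmpp begins outside the hunk.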
From: Bob Mottram Date: Sun, 6 Aug 2017 12:50:31 +0100 Subject: [PATCH 29/50] Only alter fstab if needed --- src/freedombone-utils-filesystem | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-filesystem b/src/freedombone-utils-filesystem index f88d6548..f2bd79a3 100755 --- a/src/freedombone-utils-filesystem +++ b/src/freedombone-utils-filesystem @@ -124,7 +124,11 @@ function defrag_filesystem { } function optimise_filesystem { - sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' /etc/fstab + if grep -q "btrfs" /etc/fstab; then + if ! grep -q "btrfs defaults,subvol=@,compress=lzo,ssd" /etc/fstab; then + sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' /etc/fstab + fi + fi } # NOTE: deliberately no exit 0 From 5950438ced6e3cadc307893f29547be2362e2a70 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 6 Aug 2017 13:50:52 +0100 Subject: [PATCH 30/50] Fix account required --- src/freedombone-utils-setup | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index 9d204f4a..ecfe5d1f 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -465,12 +465,8 @@ function set_max_login_tries { fi fi - if ! grep -q ' deny=' /etc/pam.d/common-account; then + if ! grep -q 'account required\t\t\tpam_tally.so' /etc/pam.d/common-account; then sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account - else - if ! grep -q " deny=$max_tries" /etc/pam.d/common-account; then - sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account - fi fi } From 66f784ed55cce0dd1dbe51b99b45c421f66d69fb Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 6 Aug 2017 14:34:48 +0100 Subject: [PATCH 31/50] Only change xmpp config if needed --- src/freedombone-app-xmpp | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
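Review bot: `grep -q 'account required\t\t\tpam_tally.so' /etc/pam.d/common-account` cannot match a tab-separated line, because `\t` is not a TAB escape in grep's basic regex (GNU grep reads it as a literal `t`), and it does not match a literal backslash-t either, whichever form `sed` writes. With the guard never true, the `sed ... a` on the next line appends another `account required pam_tally.so` line to common-account on every run. Match on the module name, `if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then`, or pass a real tab with `$'...'` if the exact spacing matters. set_max_login_tries begins outside the hunk.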
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp index 832cf9d9..cfad1cc8 100755 --- a/src/freedombone-app-xmpp +++ b/src/freedombone-app-xmpp @@ -94,12 +94,14 @@ function xmpp_add_onion_address { if [ ${#onion_address} -eq 0 ]; then return fi - if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then - sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua - else - sed -i "/onions_map = {/a [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua + if ! grep "[\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua; then + if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then + sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua + else + sed -i "/onions_map = {/a [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua + fi + systemctl restart prosody fi - systemctl restart prosody } function xmpp_add_onion_address_interactive { From bb64427344ffd749ed622314e628334ec28cdbca Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 6 Aug 2017 17:12:03 +0100 Subject: [PATCH 32/50] Reverse logic --- src/freedombone-app-gnusocial | 4 +++- src/freedombone-app-koel | 5 ----- src/freedombone-app-nextcloud | 3 --- src/freedombone-logging | 4 ++-- 4 files changed, 5 insertions(+), 11 deletions(-) diff --git a/src/freedombone-app-gnusocial b/src/freedombone-app-gnusocial index 32255ab3..9d82390b 100755 --- a/src/freedombone-app-gnusocial +++ b/src/freedombone-app-gnusocial @@ -570,7 +570,9 @@ function remove_gnusocial { sed -i '/gnusocial/d' $COMPLETION_FILE remove_backup_database_local gnusocial - sed -i '/gnusocial-firewall/d' /etc/crontab + if grep -q 'gnusocial-firewall' /etc/crontab; then + sed -i '/gnusocial-firewall/d' /etc/crontab + fi function_check remove_ddns_domain remove_ddns_domain $GNUSOCIAL_DOMAIN_NAME 
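Review bot: The new guard `if ! grep "[\"${domain_name}\"] = \"${onion_address}\";" ...` is missing `-q`, so the matching configuration line, onion address included, is echoed to stdout on every call; the pattern is also a regex in which `["domain"]` is a bracket expression matching one character rather than the literal text. Use a quiet fixed-string match: `if ! grep -qF "[\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua; then`. The inner `grep -q "[\"${domain_name}\"]"` has the same bracket-expression problem and also wants `-F`. xmpp_add_onion_address begins outside the hunk.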
diff --git a/src/freedombone-app-koel b/src/freedombone-app-koel index 95225708..c5447035 100755 --- a/src/freedombone-app-koel +++ b/src/freedombone-app-koel @@ -466,16 +466,11 @@ function remove_koel { drop_database koel function_check remove_onion_service remove_onion_service koel ${KOEL_ONION_PORT} - if grep -q "koel" /etc/crontab; then - sed -i "/koel/d" /etc/crontab - fi remove_app koel remove_completion_param install_koel sed -i '/koel/d' $COMPLETION_FILE remove_backup_database_local koel - sed -i '/koel-firewall/d' /etc/crontab - function_check remove_ddns_domain remove_ddns_domain $KOEL_DOMAIN_NAME } diff --git a/src/freedombone-app-nextcloud b/src/freedombone-app-nextcloud index aa48ffea..40e1fec6 100755 --- a/src/freedombone-app-nextcloud +++ b/src/freedombone-app-nextcloud @@ -374,9 +374,6 @@ function remove_nextcloud { drop_database nextcloud function_check remove_onion_service remove_onion_service nextcloud ${NEXTCLOUD_ONION_PORT} - if grep -q "nextcloud" /etc/crontab; then - sed -i "/nextcloud/d" /etc/crontab - fi remove_app nextcloud remove_completion_param install_nextcloud sed -i '/nextcloud/d' $COMPLETION_FILE diff --git a/src/freedombone-logging b/src/freedombone-logging index 5e6bbf53..c7f364f4 100755 --- a/src/freedombone-logging +++ b/src/freedombone-logging @@ -83,7 +83,7 @@ function turn_logging_off { } function turn_off_rsys_logging { - if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then return fi sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf @@ -109,7 +109,7 @@ function turn_off_rsys_logging { } function turn_on_rsys_logging { - if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then return fi sed -i 's|mail,news.none.*|mail,news.none -/var/log/messages|g' /etc/rsyslog.conf From db322c02d3a59aa2f4fc3df1dacf27576144c5f9 Mon Sep 17 00:00:00 2001 
From: Bob Mottram Date: Sun, 6 Aug 2017 21:07:02 +0100 Subject: [PATCH 33/50] keyserver database gets cleaned up anyway via the daily sks script --- src/freedombone-upgrade | 8 -------- 1 file changed, 8 deletions(-) diff --git a/src/freedombone-upgrade b/src/freedombone-upgrade index cdf44f06..efff6999 100755 --- a/src/freedombone-upgrade +++ b/src/freedombone-upgrade @@ -67,14 +67,6 @@ fi update-ca-certificates -# remove any keyserver log files -if [ -d /var/lib/sks/DB ]; then - cd /var/lib/sks/DB - systemctl stop sks - db_archive -d - systemctl start sks -fi - if [ ! -d $PROJECT_DIR ]; then git_clone $PROJECT_REPO $PROJECT_DIR fi From b654846c865ebc45e00185e2ed01810bf5bf01db Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 6 Aug 2017 21:21:51 +0100 Subject: [PATCH 34/50] Fix typo --- Makefile | 1 - src/freedombone-utils-setup | 4 ++-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index 48abd4c0..42381cc9 100644 --- a/Makefile +++ b/Makefile @@ -27,7 +27,6 @@ install: cp img/backgrounds/${APP}_*.png ${DESTDIR}${PREFIX}/share cp img/avatars/* ${DESTDIR}/usr/share/${APP}/avatars cp src/* ${DESTDIR}${PREFIX}/bin -# cp src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control cp src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index ecfe5d1f..d8d2704d 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -208,7 +208,7 @@ function install_backports_kernel { } function turn_off_rsys_logging { - if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then + if grep -q '/dev/null' /etc/rsyslog.conf; then return fi sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf 
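Review bot: After this change the two definitions of turn_off_rsys_logging use different early-return tests: this copy returns when `/dev/null` appears anywhere in /etc/rsyslog.conf, while the copy in freedombone-logging returns when `/var/log/auth.log` is absent. `/dev/null` can appear in a comment or an unrelated rule, so this guard may skip the redirection while auth logging is still active; align it with the other copy, `if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then return; fi`, or remove one definition so the two scripts cannot drift apart again. The function continues outside the hunk.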
@@ -270,7 +270,7 @@ function initial_setup { function setup_grub { if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then - if ! grep -q 'iframes=0' /etc/default/grub; then + if ! grep -q 'ifnames=0' /etc/default/grub; then sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub update-grub fi From b8a873f9d2bafdf8e14f39c823ee76c5b3c694bd Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 10:34:49 +0100 Subject: [PATCH 35/50] Show non-root files on stig test --- tests/check-cmd-owner.sh | 78 +++++++++++++++++++++------------------- 1 file changed, 42 insertions(+), 36 deletions(-) diff --git a/tests/check-cmd-owner.sh b/tests/check-cmd-owner.sh index 058b1e62..0f86c681 100644 --- a/tests/check-cmd-owner.sh +++ b/tests/check-cmd-owner.sh 
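Review bot: The kernel option that disables predictable interface names is `net.ifnames=0`; the corrected grep looks for `ifnames=0`, and the sed on the next context line writes a bare `ifnames=0` into GRUB_CMDLINE_LINUX_DEFAULT, which a later commit in this series (src/freedombone-utils-wifi) itself describes as needing `net.ifnames=0`. The grep matches either spelling, so only the sed value needs changing if that is the intent. Note also that the sed replaces the whole GRUB_CMDLINE_LINUX_DEFAULT value, discarding any options already present. setup_grub continues past the hunk.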
@@ -2,61 +2,67 @@ if [ -d "/bin" ];then - COUNT=$(find -L /bin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /bin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /bin \! -user root -exec ls -l {} \; + exit 1 + fi fi if [ -d "/usr/bin" ];then - COUNT=$(find -L /usr/bin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /usr/bin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /usr/bin \! -user root -exec ls -l {} \; + exit 1 + fi fi if [ -d "/usr/local/bin" ];then - COUNT=$(find -L /usr/local/bin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /usr/local/bin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /usr/local/bin \! -user root -exec ls -l {} \; + exit 1 + fi fi if [ -d "/sbin" ];then - COUNT=$(find -L /sbin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /sbin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /sbin \! -user root -exec ls -l {} \; + exit 1 + fi fi if [ -d "/usr/sbin" ];then - COUNT=$(find -L /usr/sbin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /usr/sbin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /usr/sbin \! -user root -exec ls -l {} \; + exit 1 + fi fi if [ -d "/usr/local/sbin" ];then - COUNT=$(find -L /usr/local/sbin \! -user root -exec ls -l {} \; |wc -l) + COUNT=$(find -L /usr/local/sbin \! -user root -exec ls -l {} \; |wc -l) - if [ $COUNT -eq 0 ];then - : - else - exit 1 - fi + if [ $COUNT -eq 0 ];then + : + else + find -L /usr/local/sbin \! -user root -exec ls -l {} \; + exit 1 + fi fi 
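Review bot: Each directory block now runs `find -L … -exec ls -l {} \;` twice, once to count and again to list, and the test `[ $COUNT -eq 0 ]` leaves `$COUNT` unquoted. Capturing the listing once and testing it removes both issues: `FILES=$(find -L /bin \! -user root -exec ls -l {} \;)`, `if [ -n "$FILES" ]; then`, `printf '%s\n' "$FILES"; exit 1; fi`. The same pattern repeats for the other five directories in this hunk.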
From 079c5acc7829dbc22f4faebd33bb084c927cee10 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 10:48:38 +0100 Subject: [PATCH 36/50] Show non-root files in stig result --- tests/check-cmd-owner.sh | 6 ------ tests/output.sh | 8 +++++++- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/check-cmd-owner.sh b/tests/check-cmd-owner.sh index 0f86c681..d862c591 100644 --- a/tests/check-cmd-owner.sh +++ b/tests/check-cmd-owner.sh @@ -7,7 +7,6 @@ if [ -d "/bin" ];then if [ $COUNT -eq 0 ];then : else - find -L /bin \! -user root -exec ls -l {} \; exit 1 fi fi @@ -18,7 +17,6 @@ if [ -d "/usr/bin" ];then if [ $COUNT -eq 0 ];then : else - find -L /usr/bin \! -user root -exec ls -l {} \; exit 1 fi fi @@ -29,7 +27,6 @@ if [ -d "/usr/local/bin" ];then if [ $COUNT -eq 0 ];then : else - find -L /usr/local/bin \! -user root -exec ls -l {} \; exit 1 fi fi @@ -40,7 +37,6 @@ if [ -d "/sbin" ];then if [ $COUNT -eq 0 ];then : else - find -L /sbin \! -user root -exec ls -l {} \; exit 1 fi fi @@ -51,7 +47,6 @@ if [ -d "/usr/sbin" ];then if [ $COUNT -eq 0 ];then : else - find -L /usr/sbin \! -user root -exec ls -l {} \; exit 1 fi fi @@ -62,7 +57,6 @@ if [ -d "/usr/local/sbin" ];then if [ $COUNT -eq 0 ];then : else - find -L /usr/local/sbin \! -user root -exec ls -l {} \; exit 1 fi fi diff --git a/tests/output.sh b/tests/output.sh index 78debf9b..2174039b 100644 --- a/tests/output.sh +++ b/tests/output.sh 
@@ -495,7 +495,13 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/ printf '\n######################\n\nSTIG-ID:RHEL-06-000047\n\nVulnerability Discussion: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.\n\nFix text: System executables are stored in the following directories by default:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:\n\n#chmod go-w [FILE]\n\n######################\n\n' >> $LOG fi ;; - V-38472) if [ "$3" = "en" ]; then + V-38472) find -L /bin \! -user root -exec ls -l {} \; + find -L /usr/bin \! -user root -exec ls -l {} \; + find -L /usr/local/bin \! -user root -exec ls -l {} \; + find -L /sbin \! -user root -exec ls -l {} \; + find -L /usr/sbin \! -user root -exec ls -l {} \; + find -L /usr/local/sbin \! -user root -exec ls -l {} \; + if [ "$3" = "en" ]; then log_msg $2 'All system command files must be owned by root.' else log_msg $2 '所有系统命令文件的属主必须为root用户。' From 0ee00f775cee434f4887c47b016496c154c618c9 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 10:51:21 +0100 Subject: [PATCH 37/50] Ownership of ghost binary --- src/freedombone-app-ghost | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/freedombone-app-ghost b/src/freedombone-app-ghost index 7767c1b4..fe513353 100755 --- a/src/freedombone-app-ghost +++ b/src/freedombone-app-ghost @@ -200,6 +200,9 @@ function upgrade_ghost { ghost_replace_services ghost_remove_offsite_links + if [ -f /usr/local/bin/ghost ]; then + chown root:root /usr/local/bin/ghost + fi chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs systemctl restart ghost } 
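Review bot: The six `find … -exec ls -l {} \;` lines added to the V-38472 arm write to stdout, while the surrounding arms (the printf just above) append their text to `$LOG`, so the list of non-root-owned files is probably not in the report unless stdout is captured elsewhere; appending with `>> $LOG` keeps it with the rest of the finding. `-exec ls -l {} \;` also forks ls once per file, whereas `find -L /bin \! -user root -ls >> $LOG` produces the same listing in one process. The case arm continues past the hunk.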
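Review bot: `chown root:root /usr/local/bin/ghost` corrects the owner but leaves the mode alone, and the STIG text quoted in this series (tests/output.sh, RHEL-06-000047) pairs root ownership with not being group- or world-writable, so `chmod go-w /usr/local/bin/ghost` belongs in the same branch. If /usr/local/bin/ghost is a symlink, both `-f` and `chown` follow it and the link itself keeps its previous owner; `chown -h root:root` covers the link as well. The identical block is added to install_ghost in the next hunk.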
@@ -526,6 +529,9 @@ function install_ghost { function_check add_ddns_domain add_ddns_domain $GHOST_DOMAIN_NAME + if [ -f /usr/local/bin/ghost ]; then + chown root:root /usr/local/bin/ghost + fi chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs set_completion_param "ghost domain" "$GHOST_DOMAIN_NAME" if ! grep -q "ghost version:" ${COMPLETION_FILE}; then From 22557c635930bc20f89b90bd69a3a84c5f9c78f9 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 13:16:47 +0100 Subject: [PATCH 38/50] Don't repeatedly try to install amd64 kernel --- src/freedombone-utils-setup | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index d8d2704d..ed45eb5c 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -203,7 +203,10 @@ function install_backports_kernel { architecture_type=$(uname -a) if [[ "$architecture_type" == *"amd64"* ]]; then - apt-get -yq install linux-image-amd64 + package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null) + if [ ! $package_installed ]; then + apt-get -yq install linux-image-amd64 + fi fi } From a59a84a0a3bb0038ef636d6d674afbb4a8e0ed33 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 13:32:16 +0100 Subject: [PATCH 39/50] kanboard logging functions --- src/freedombone-app-kanboard | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/src/freedombone-app-kanboard b/src/freedombone-app-kanboard index a33da4ef..ce5d2d74 100755 --- a/src/freedombone-app-kanboard +++ b/src/freedombone-app-kanboard 
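Review bot: `dpkg-query -W -f='${Package}\n' linux-image-amd64` prints the package name whenever dpkg knows the package, including the removed-but-config-files-remain state, so `[ ! $package_installed ]` stays false after the kernel package was removed and the install is skipped; the unquoted test is also fragile. Checking the status field is the reliable form: `if ! dpkg-query -W -f='${Status}' linux-image-amd64 2>/dev/null | grep -q 'install ok installed'; then` followed by the existing apt-get line. install_backports_kernel starts before the hunk.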
@@ -48,13 +48,23 @@ kanboard_variables=(ONION_ONLY MY_USERNAME) function logging_on_kanboard { - kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php - sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');|g" $kanboard_configfile + read_config_param KANBOARD_DOMAIN_NAME + if [ $KANBOARD_DOMAIN_NAME ]; then + kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php + if [ -f $kanboard_configfile ]; then + sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');|g" $kanboard_configfile + fi + fi } function logging_off_kanboard { - kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php - sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', '/dev/null');|g" $kanboard_configfile + read_config_param KANBOARD_DOMAIN_NAME + if [ $KANBOARD_DOMAIN_NAME ]; then + kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php + if [ -f $kanboard_configfile ]; then + sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', '/dev/null');|g" $kanboard_configfile + fi + fi } function remove_user_kanboard { From fb811406e9e730d69f18de1b556c88f4d6ba9c72 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 13:42:05 +0100 Subject: [PATCH 40/50] Include utils in logging command So that functions can be called by logging app routines --- src/freedombone-logging | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/freedombone-logging b/src/freedombone-logging index c7f364f4..53edd165 100755 --- a/src/freedombone-logging +++ b/src/freedombone-logging @@ -40,6 +40,14 @@ WEBSERVER_LOG_LEVEL='warn' # Also the shred command can be very slow on Beaglebone Black REMOVE_FILES_COMMAND='rm -rf' +source /usr/local/bin/${PROJECT_NAME}-vars + +UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-* +for f in $UTILS_FILES +do + source $f +done + APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-* for f in $APP_FILES do 
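Review bot: logging_on_kanboard and logging_off_kanboard now carry the same five-line guard with unquoted tests, `[ $KANBOARD_DOMAIN_NAME ]` and `[ -f $kanboard_configfile ]`; `[ -n "$KANBOARD_DOMAIN_NAME" ]` and `[ -f "$kanboard_configfile" ]` state the intent and survive unexpected values. The duplicated block could become one helper that echoes the config path, leaving each function a single sed line. Both functions are fully inside the hunk.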
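Review bot: `for f in $UTILS_FILES` relies on the unquoted expansion being globbed; if nothing matches, the literal pattern is handed to `source`, which errors out. `for f in /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*; do [ -f "$f" ] && source "$f"; done` avoids that and could be applied to the APP_FILES loop below as well. Sourcing the utils files also brings in a second turn_off_rsys_logging (src/freedombone-utils-setup, changed earlier in this series); since the sourcing runs before this script's own definitions, the copy in freedombone-logging is the one in effect, which is easy to miss when either is edited. The APP_FILES loop continues past the hunk.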
From 8c5aaeddc0fa7590595885da92970589187c16a5 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 13:56:25 +0100 Subject: [PATCH 41/50] fail2ban isn't useful when logging is turned off most of the time --- src/freedombone-image-customise | 2 +- src/freedombone-logging | 12 ------------ src/freedombone-utils-ssh | 2 +- 3 files changed, 2 insertions(+), 14 deletions(-) diff --git a/src/freedombone-image-customise b/src/freedombone-image-customise index 2c22c1c9..57dd0371 100755 --- a/src/freedombone-image-customise +++ b/src/freedombone-image-customise @@ -1074,7 +1074,7 @@ function image_setup_utils { chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib - chroot "$rootdir" apt-get -yq install fail2ban vim-common python3 unattended-upgrades + chroot "$rootdir" apt-get -yq install vim-common python3 unattended-upgrades # Tor and ssh over tor chroot "$rootdir" apt-get -yq install tor connect-proxy diff --git a/src/freedombone-logging b/src/freedombone-logging index 53edd165..4ce76633 100755 --- a/src/freedombone-logging +++ b/src/freedombone-logging @@ -141,10 +141,6 @@ fi if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then turn_logging_on - if [ -f /etc/fail2ban/fail2ban.conf ]; then - sed -i 's|loglevel.*|loglevel = 3|g' /etc/fail2ban/fail2ban.conf - sed -i 's|logtarget.*|logtarget = /var/log/fail2ban.log|g' /etc/fail2ban/fail2ban.conf - fi if [ -d /etc/tor ]; then if [ ! -d /var/log/tor ]; then mkdir /var/log/tor 
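Review bot: Dropping fail2ban from the image here and from configure_ssh (src/freedombone-utils-ssh, last hunk of this patch) leaves pam_tally and sshd's own limits as the only visible brake on ssh login attempts, and nothing in the code records the trade-off; a one-line comment at the changed apt-get line, `# fail2ban deliberately omitted: logging is off by default so it has nothing to act on`, would keep the commit-message reasoning where the next reader looks. On systems that already have fail2ban installed, the freedombone-logging hunks stop managing its logtarget but leave the service running, so an upgrade step that purges it, or restores `logtarget = /var/log/fail2ban.log`, would avoid leaving it pointed at /dev/null indefinitely. image_setup_utils continues past the hunk.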
@@ -252,11 +248,6 @@ else sed -i 's|log_error =.*|log_error = /dev/null|g' /etc/mysql/my.cnf fi fi - if [ -f /etc/fail2ban/fail2ban.conf ]; then - sed -i 's|loglevel.*|loglevel = 1|g' /etc/fail2ban/fail2ban.conf - sed -i 's|logtarget.*|logtarget = /dev/null|g' /etc/fail2ban/fail2ban.conf - $REMOVE_FILES_COMMAND /var/log/fail2ban.* - fi turn_off_rsys_logging fi @@ -300,9 +291,6 @@ fi if [ -d /var/www/radicale ]; then systemctl restart radicale fi -if [ -d /etc/fail2ban ]; then - systemctl restart fail2ban -fi if [ -d /etc/matrix ]; then systemctl restart matrix fi diff --git a/src/freedombone-utils-ssh b/src/freedombone-utils-ssh index 9e35d088..a261c5e5 100755 --- a/src/freedombone-utils-ssh +++ b/src/freedombone-utils-ssh @@ -121,7 +121,7 @@ function configure_ssh { sed -i 's|#UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config sed -i 's|UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config - apt-get -yq install fail2ban vim-common + apt-get -yq install vim-common function_check configure_firewall_for_ssh configure_firewall_for_ssh From 90dc589eb9d0f981ca4c9868a959181994ff78a1 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 14:18:59 +0100 Subject: [PATCH 42/50] Removing of bluetooth kernel module --- src/freedombone-utils-setup | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index ed45eb5c..f997eaa6 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
@@ -151,26 +151,41 @@ function proc_filesystem_settings { } function remove_bluetooth { - rmmod -f bnep - rmmod -f bluetooth + bluetooth_changed= + bnep_exists=$(lsmod | grep bnep) + if [[ "$bnep_exists" == "bnep"* ]]; then + rmmod -f bnep + bluetooth_changed=1 + fi + bluetooth_exists=$(lsmod | grep bluetooth) + if [[ "$bluetooth_exists" == "bluetooth"* ]]; then + rmmod -f bluetooth + bluetooth_changed=1 + fi if [ -f /etc/default/bluetooth ]; then if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth else echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth fi + bluetooth_changed=1 fi if ! grep -q 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf + bluetooth_changed=1 fi if ! grep -q 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf + bluetooth_changed=1 fi if ! grep -q 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf + bluetooth_changed=1 + fi + if [ $bluetooth_changed ]; then + update-initramfs -u -k `uname -r` -v + update-rc.d bluetooth remove fi - update-initramfs -u -k `uname -r` -v - update-rc.d bluetooth remove } function running_as_root { From ee6925eeb63550db84667aec35d40e5e2e1f7589 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 14:46:08 +0100 Subject: [PATCH 43/50] Test for predictable device names --- src/freedombone-utils-wifi | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/src/freedombone-utils-wifi b/src/freedombone-utils-wifi index cdfa4ee7..2e3bfb38 100755 --- a/src/freedombone-utils-wifi +++ b/src/freedombone-utils-wifi 
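Review bot: `bluetooth_changed=1` inside the `/etc/default/bluetooth` branch is set even when the file already reads BLUETOOTH_ENABLED=0, so update-initramfs and update-rc.d still run on every call, which defeats the purpose of the flag; set it only in the branches that actually edit the file, or test `grep -q 'BLUETOOTH_ENABLED=0' /etc/default/bluetooth` first. The module tests are also fragile: `lsmod | grep bnep` can return the `bluetooth` line (its "Used by" column lists bnep) ahead of the bnep line, so the `"bnep"*` prefix test fails and rmmod is skipped; `if lsmod | grep -q '^bnep '; then` and `if lsmod | grep -q '^bluetooth '; then` test the module column only. The function is fully inside the hunk.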
@@ -49,8 +49,11 @@ function default_network_config { # device names get assigned random names. This is a hacky workaround. # Also adding net.ifnames=0 to kernel options on bootloader may work. function enable_predictable_device_names { - ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules - update-initramfs -u + test_predictable=$(ls -la /etc/udev/rules.d/80-net-setup-link.rules) + if [[ "$test_predictable" != *"/dev/null" ]]; then + ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules + update-initramfs -u + fi } function wifi_is_running { From 51de0ff9b35d46cf15ac6dbf60cf17431b5c3b1a Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 15:17:41 +0100 Subject: [PATCH 44/50] grep string --- src/freedombone-utils-setup | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index f997eaa6..cc3a1893 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup @@ -483,7 +483,7 @@ function set_max_login_tries { fi fi - if ! grep -q 'account required\t\t\tpam_tally.so' /etc/pam.d/common-account; then + if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account fi } From c80feb676894200aedba4db4b85d18d456f02e30 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 17:31:37 +0100 Subject: [PATCH 45/50] Only update logindefs when needed --- src/freedombone-utils-setup | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup index cc3a1893..b7ad2e96 100755 --- a/src/freedombone-utils-setup +++ b/src/freedombone-utils-setup 
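Review bot: The new guard parses `ls -la` output, and when the rules file exists as a regular file rather than a symlink the test still passes, `ln -s` then fails because the path exists, and update-initramfs runs anyway. `readlink` gives the link target directly: `if [[ "$(readlink /etc/udev/rules.d/80-net-setup-link.rules)" != '/dev/null' ]]; then` with `ln -sf /dev/null /etc/udev/rules.d/80-net-setup-link.rules` inside the branch handles both the missing-file and regular-file cases. The function is fully inside the hunk.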
@@ -455,7 +455,8 @@ function remove_management_engine_interface { } function set_login_umask { - if ! grep -q 'UMASK\t\t077' /etc/login.defs; then + logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#') + if [[ "$logindefs_umask" != *'077' ]]; then sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs fi } From d3b3bd1d9b82ccf279aa06850b7122045b10521d Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 18:15:36 +0100 Subject: [PATCH 46/50] Try without the pep dance --- src/freedombone-app-xmpp | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp index cfad1cc8..1ca05029 100755 --- a/src/freedombone-app-xmpp +++ b/src/freedombone-app-xmpp @@ -94,7 +94,7 @@ function xmpp_add_onion_address { if [ ${#onion_address} -eq 0 ]; then return fi - if ! grep "[\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua; then + if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua; then if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua else @@ -138,14 +138,19 @@ function xmpp_remove_onion_address { if [ ${#domain_name} -eq 0 ]; then return fi + xmpp_changed= if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then sed -i "/[\"${domain_name}\"]/d" /etc/prosody/prosody.cfg.lua + xmpp_changed=1 fi if grep -q "= \"${domain_name}\";" /etc/prosody/prosody.cfg.lua; then sed -i "/= \"${domain_name}\";/d" /etc/prosody/prosody.cfg.lua + xmpp_changed=1 + fi + if [ $xmpp_changed ]; then + systemctl restart prosody fi - systemctl restart prosody } function xmpp_remove_onion_address_interactive { 
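Review bot: `cat /etc/login.defs | grep UMASK | grep -v '#'` selects every line containing UMASK, and if more than one matches the `*'077'` suffix test only sees the last; a single anchored grep is precise and drops the useless cat: `logindefs_umask=$(grep -E '^UMASK[[:space:]]' /etc/login.defs)`. The sed that follows still matches only a tab after UMASK, so a space-separated `UMASK 022` line would be detected but not rewritten. The function is fully inside the hunk.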
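Review bot: `if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua` lacks `-q`, so the matching line is printed to the caller's stdout each time the function runs; `if ! grep -q -F -- "${onion_address}" /etc/prosody/prosody.cfg.lua; then` is silent and treats the address as a literal. The pattern it replaced, `"[\"${domain_name}\"] = …"`, was a regex bracket expression matching a single character rather than the literal `["domain"]`, which is probably why it never matched; the same construction survives in the `grep -q "[\"${domain_name}\"]"` test on the next context line and in xmpp_remove_onion_address in the following hunk, and also needs `-F`. Both functions continue past their hunks.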
@@ -361,16 +366,6 @@ function update_prosody_modules { fi fi - # change to using pep rather than profile modules - if grep -q '"pep"' /etc/prosody/prosody.cfg.lua; then - # This strange dance seems to fix occasional breakage of PEP - # Is there a better solution? - sed -i 's|"pep"|"profile"|g' /etc/prosody/prosody.cfg.lua - systemctl restart prosody - sleep 4 - sed -i 's|"profile"|"pep"|g' /etc/prosody/prosody.cfg.lua - systemctl restart prosody - fi if ! grep -q '"vcard"' /etc/prosody/prosody.cfg.lua; then systemctl stop prosody sed -i '/"pep"/a "vcard";' /etc/prosody/prosody.cfg.lua From 99d88d8792632c3c80a9dd5145a0b79a82de3ab6 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 18:45:39 +0100 Subject: [PATCH 47/50] Don't update certs on upgrade --- src/freedombone-upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/freedombone-upgrade b/src/freedombone-upgrade index efff6999..7c9f7d74 100755 --- a/src/freedombone-upgrade +++ b/src/freedombone-upgrade @@ -65,7 +65,7 @@ if grep -q "cat /root/dbpass" /usr/bin/backupdatabases; then sed -i "s|cat /root/dbpass|freedombone-pass -u root -a mariadb|g" /usr/bin/backupdatabases fi -update-ca-certificates +#update-ca-certificates if [ ! -d $PROJECT_DIR ]; then git_clone $PROJECT_REPO $PROJECT_DIR From 68bbd5e6933719509f2dfe2477c0d1650647f2a5 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 19:04:16 +0100 Subject: [PATCH 48/50] Updating gpg keys --- src/freedombone-base-email | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/freedombone-base-email b/src/freedombone-base-email index 68f75862..5cd12d23 100755 --- a/src/freedombone-base-email +++ b/src/freedombone-base-email 
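Review bot: Commenting out `update-ca-certificates` leaves dead code in the upgrade path; if the call is not wanted, delete the line and record why, e.g. `# update-ca-certificates is already run by the ca-certificates package's maintainer scripts`, which is presumably the reason it is redundant here. If the intent was instead to stop a particular certificate being re-added on upgrade, this change would not achieve that and a different fix is needed. The script continues on both sides of the hunk.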
@@ -1693,7 +1693,9 @@ function refresh_gpg_keys { echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab systemctl restart cron else - sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab + if ! grep "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then + sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab + fi fi } From 5096ba9cc1f65cf89029f9785aebc195648b56d3 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 21:29:31 +0100 Subject: [PATCH 49/50] Tidying --- src/freedombone-app-nextcloud | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/src/freedombone-app-nextcloud b/src/freedombone-app-nextcloud index 40e1fec6..4fa51ee1 100755 --- a/src/freedombone-app-nextcloud +++ b/src/freedombone-app-nextcloud @@ -183,16 +183,20 @@ function configure_interactive_nextcloud { echo -n '' } +function upgrade_nextcloud_base { + chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs + chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data + cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs + sudo -u www-data ./occ maintenance:repair + sudo -u www-data ./occ files:cleanup + sudo -u www-data ./occ files:scan --all + sudo -u www-data ./occ maintenance:mode --off +} + function upgrade_nextcloud { CURR_NEXTCLOUD_COMMIT=$(get_completion_param "nextcloud commit") if [[ "$CURR_NEXTCLOUD_COMMIT" == "$NEXTCLOUD_COMMIT" ]]; then - chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs - chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data - cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs - sudo -u www-data ./occ maintenance:repair - sudo -u www-data ./occ files:cleanup - sudo -u www-data ./occ files:scan --all - sudo -u www-data ./occ maintenance:mode --off + upgrade_nextcloud_base return fi 
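Review bot: `grep "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab` has no `-q`, so the crontab line is echoed to the caller's output whenever it is already correct, and the interpolated script path is interpreted as a regex; `if ! grep -q -F -- "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then` is silent and literal. refresh_gpg_keys starts before the hunk.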
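Review bot: upgrade_nextcloud_base changes the shell's working directory with an unchecked `cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs`; if that fails, the four `sudo -u www-data ./occ` calls run against whatever `./occ` exists in the caller's cwd, and on success the caller (upgrade_nextcloud, which continues after the hunk) is left in the htdocs directory. `cd "/var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs" || return 1` guards the first problem, and running the body in a subshell, `( cd … || exit 1; sudo -u www-data ./occ … )`, avoids the second. A one-line header, `# Fix ownership and run the occ maintenance steps shared by both upgrade paths`, would also help since the helper is new.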
@@ -204,13 +208,7 @@ function upgrade_nextcloud { function_check set_repo_commit set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO - chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs - chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data - cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs - sudo -u www-data ./occ maintenance:repair - sudo -u www-data ./occ files:cleanup - sudo -u www-data ./occ files:scan --all - sudo -u www-data ./occ maintenance:mode --off + upgrade_nextcloud_base } From 70813b5a659e07190dde12308dc9328e61b889d7 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Mon, 7 Aug 2017 21:40:19 +0100 Subject: [PATCH 50/50] Setting prosody group --- src/freedombone-app-xmpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp index 1ca05029..9cf78788 100755 --- a/src/freedombone-app-xmpp +++ b/src/freedombone-app-xmpp @@ -375,7 +375,10 @@ function update_prosody_modules { function upgrade_xmpp { if [ -d /etc/letsencrypt ]; then - usermod -a -G ssl-cert prosody + prosody_groups=$(groups prosody) + if [[ "$prosody_groups" != *'ssl-cert'* ]]; then + usermod -a -G ssl-cert prosody + fi fi function_check update_prosody_modules update_prosody_modules
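Review bot: `[[ "$prosody_groups" != *'ssl-cert'* ]]` is a substring test over the whole `groups prosody` output, which also contains the user name, so any group whose name merely contains ssl-cert satisfies it; `id -nG prosody` lists only group names, and a word-bounded test, `if [[ " $(id -nG prosody) " != *' ssl-cert '* ]]; then`, matches the group exactly. If `groups prosody` fails because the user does not exist, the empty result leads straight to usermod, which then fails as well; the earlier code behaved the same way, so this only matters if upgrade_xmpp can run before the prosody user exists. The function continues past the hunk.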