Merge branch 'stretch' of https://github.com/bashrc/freedombone
This commit is contained in:
commit
85e9e38dc5
1
Makefile
1
Makefile
|
@ -27,7 +27,6 @@ install:
|
|||
cp img/backgrounds/${APP}_*.png ${DESTDIR}${PREFIX}/share
|
||||
cp img/avatars/* ${DESTDIR}/usr/share/${APP}/avatars
|
||||
cp src/* ${DESTDIR}${PREFIX}/bin
|
||||
# cp src/${APP}-controlpanel ${DESTDIR}${PREFIX}/bin/control
|
||||
cp src/${APP}-mesh-batman ${DESTDIR}${PREFIX}/bin/batman
|
||||
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup
|
||||
cp src/${APP}-backup-local ${DESTDIR}${PREFIX}/bin/backup2friends
|
||||
|
|
|
@ -200,6 +200,9 @@ function upgrade_ghost {
|
|||
ghost_replace_services
|
||||
ghost_remove_offsite_links
|
||||
|
||||
if [ -f /usr/local/bin/ghost ]; then
|
||||
chown root:root /usr/local/bin/ghost
|
||||
fi
|
||||
chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs
|
||||
systemctl restart ghost
|
||||
}
|
||||
|
@ -526,6 +529,9 @@ function install_ghost {
|
|||
function_check add_ddns_domain
|
||||
add_ddns_domain $GHOST_DOMAIN_NAME
|
||||
|
||||
if [ -f /usr/local/bin/ghost ]; then
|
||||
chown root:root /usr/local/bin/ghost
|
||||
fi
|
||||
chown -R ghost: /var/www/${GHOST_DOMAIN_NAME}/htdocs
|
||||
set_completion_param "ghost domain" "$GHOST_DOMAIN_NAME"
|
||||
if ! grep -q "ghost version:" ${COMPLETION_FILE}; then
|
||||
|
|
|
@ -570,7 +570,9 @@ function remove_gnusocial {
|
|||
sed -i '/gnusocial/d' $COMPLETION_FILE
|
||||
remove_backup_database_local gnusocial
|
||||
|
||||
if grep -q 'gnusocial-firewall' /etc/crontab; then
|
||||
sed -i '/gnusocial-firewall/d' /etc/crontab
|
||||
fi
|
||||
|
||||
function_check remove_ddns_domain
|
||||
remove_ddns_domain $GNUSOCIAL_DOMAIN_NAME
|
||||
|
|
|
@ -48,13 +48,23 @@ kanboard_variables=(ONION_ONLY
|
|||
MY_USERNAME)
|
||||
|
||||
function logging_on_kanboard {
|
||||
read_config_param KANBOARD_DOMAIN_NAME
|
||||
if [ $KANBOARD_DOMAIN_NAME ]; then
|
||||
kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
|
||||
if [ -f $kanboard_configfile ]; then
|
||||
sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', DATA_DIR.DIRECTORY_SEPARATOR.'debug.log');|g" $kanboard_configfile
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function logging_off_kanboard {
|
||||
read_config_param KANBOARD_DOMAIN_NAME
|
||||
if [ $KANBOARD_DOMAIN_NAME ]; then
|
||||
kanboard_configfile=/var/www/${KANBOARD_DOMAIN_NAME}/htdocs/config.php
|
||||
if [ -f $kanboard_configfile ]; then
|
||||
sed -i "s|define('LOG_FILE'.*|define('LOG_FILE', '/dev/null');|g" $kanboard_configfile
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function remove_user_kanboard {
|
||||
|
|
|
@ -66,7 +66,7 @@ function keyserver_watchdog {
|
|||
read_config_param KEYSERVER_DOMAIN_NAME
|
||||
|
||||
# check database size hourly
|
||||
keyserver_watchdog_script=/etc/cron.hourly/keyserver-watchdog
|
||||
keyserver_watchdog_script=/tmp/keyserver-watchdog
|
||||
echo '#!/bin/bash' > $keyserver_watchdog_script
|
||||
echo "dirsize=\$(du /var/lib/sks/DB | awk -F ' ' '{print \$1}')" >> $keyserver_watchdog_script
|
||||
echo 'if [ $dirsize -gt 450000 ]; then' >> $keyserver_watchdog_script
|
||||
|
@ -80,8 +80,18 @@ function keyserver_watchdog {
|
|||
echo " echo \"$keyserver_disabled_warning\" | mail -s \"$keyserver_mail_subject_line_disabled\" $ADMIN_EMAIL_ADDRESS" >> $keyserver_watchdog_script
|
||||
echo ' fi' >> $keyserver_watchdog_script
|
||||
echo 'fi' >> $keyserver_watchdog_script
|
||||
|
||||
chmod +x $keyserver_watchdog_script
|
||||
|
||||
if [ ! -f /etc/cron.hourly/keyserver-watchdog ]; then
|
||||
cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
|
||||
else
|
||||
HASH1=$(sha256sum $keyserver_watchdog_script | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.hourly/keyserver-watchdog | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $keyserver_watchdog_script /etc/cron.hourly/keyserver-watchdog
|
||||
fi
|
||||
fi
|
||||
rm $keyserver_watchdog_script
|
||||
}
|
||||
|
||||
|
||||
|
|
|
@ -466,16 +466,11 @@ function remove_koel {
|
|||
drop_database koel
|
||||
function_check remove_onion_service
|
||||
remove_onion_service koel ${KOEL_ONION_PORT}
|
||||
if grep -q "koel" /etc/crontab; then
|
||||
sed -i "/koel/d" /etc/crontab
|
||||
fi
|
||||
remove_app koel
|
||||
remove_completion_param install_koel
|
||||
sed -i '/koel/d' $COMPLETION_FILE
|
||||
remove_backup_database_local koel
|
||||
|
||||
sed -i '/koel-firewall/d' /etc/crontab
|
||||
|
||||
function_check remove_ddns_domain
|
||||
remove_ddns_domain $KOEL_DOMAIN_NAME
|
||||
}
|
||||
|
|
|
@ -183,9 +183,7 @@ function configure_interactive_nextcloud {
|
|||
echo -n ''
|
||||
}
|
||||
|
||||
function upgrade_nextcloud {
|
||||
CURR_NEXTCLOUD_COMMIT=$(get_completion_param "nextcloud commit")
|
||||
if [[ "$CURR_NEXTCLOUD_COMMIT" == "$NEXTCLOUD_COMMIT" ]]; then
|
||||
function upgrade_nextcloud_base {
|
||||
chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
|
||||
chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
|
||||
cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
|
||||
|
@ -193,6 +191,12 @@ function upgrade_nextcloud {
|
|||
sudo -u www-data ./occ files:cleanup
|
||||
sudo -u www-data ./occ files:scan --all
|
||||
sudo -u www-data ./occ maintenance:mode --off
|
||||
}
|
||||
|
||||
function upgrade_nextcloud {
|
||||
CURR_NEXTCLOUD_COMMIT=$(get_completion_param "nextcloud commit")
|
||||
if [[ "$CURR_NEXTCLOUD_COMMIT" == "$NEXTCLOUD_COMMIT" ]]; then
|
||||
upgrade_nextcloud_base
|
||||
return
|
||||
fi
|
||||
|
||||
|
@ -204,13 +208,7 @@ function upgrade_nextcloud {
|
|||
function_check set_repo_commit
|
||||
set_repo_commit /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs "nextcloud commit" "$NEXTCLOUD_COMMIT" $NEXTCLOUD_REPO
|
||||
|
||||
chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
|
||||
chown -R www-data:www-data /var/www/$NEXTCLOUD_DOMAIN_NAME/data
|
||||
cd /var/www/$NEXTCLOUD_DOMAIN_NAME/htdocs
|
||||
sudo -u www-data ./occ maintenance:repair
|
||||
sudo -u www-data ./occ files:cleanup
|
||||
sudo -u www-data ./occ files:scan --all
|
||||
sudo -u www-data ./occ maintenance:mode --off
|
||||
upgrade_nextcloud_base
|
||||
}
|
||||
|
||||
|
||||
|
@ -374,9 +372,6 @@ function remove_nextcloud {
|
|||
drop_database nextcloud
|
||||
function_check remove_onion_service
|
||||
remove_onion_service nextcloud ${NEXTCLOUD_ONION_PORT}
|
||||
if grep -q "nextcloud" /etc/crontab; then
|
||||
sed -i "/nextcloud/d" /etc/crontab
|
||||
fi
|
||||
remove_app nextcloud
|
||||
remove_completion_param install_nextcloud
|
||||
sed -i '/nextcloud/d' $COMPLETION_FILE
|
||||
|
|
|
@ -65,20 +65,24 @@ function logging_on_xmpp {
|
|||
mkdir /var/log/prosody
|
||||
chown root:adm /var/log/prosody
|
||||
fi
|
||||
if ! grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i 's|info = "/dev/null";|info = "/var/log/prosody/prosody.log";|g' /etc/prosody/prosody.cfg.lua
|
||||
sed -i 's|error = "/dev/null";|error = "/var/log/prosody/prosody.err";|g' /etc/prosody/prosody.cfg.lua
|
||||
sed -i 's|levels = { "error" }; to = "/dev/null";|levels = { "error" }; to = "syslog";|g' /etc/prosody/prosody.cfg.lua
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function logging_off_xmpp {
|
||||
if [ -d /etc/prosody ]; then
|
||||
if grep -q "/var/log/prosody/prosody.log" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i 's|info = "/var/log/prosody/prosody.log";|info = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
|
||||
sed -i 's|error = "/var/log/prosody/prosody.err";|error = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
|
||||
sed -i 's|levels = { "error" }; to = "syslog";|levels = { "error" }; to = "/dev/null";|g' /etc/prosody/prosody.cfg.lua
|
||||
$REMOVE_FILES_COMMAND /var/log/prosody/*
|
||||
rm -rf /var/log/prosody
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function xmpp_add_onion_address {
|
||||
|
@ -90,12 +94,14 @@ function xmpp_add_onion_address {
|
|||
if [ ${#onion_address} -eq 0 ]; then
|
||||
return
|
||||
fi
|
||||
if ! grep "${onion_address}" /etc/prosody/prosody.cfg.lua; then
|
||||
if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i "s|[\"${domain_name}\"].*|[\"${domain_name}\"] = \"${onion_address}\";|g" /etc/prosody/prosody.cfg.lua
|
||||
else
|
||||
sed -i "/onions_map = {/a [\"${domain_name}\"] = \"${onion_address}\";" /etc/prosody/prosody.cfg.lua
|
||||
fi
|
||||
systemctl restart prosody
|
||||
fi
|
||||
}
|
||||
|
||||
function xmpp_add_onion_address_interactive {
|
||||
|
@ -132,14 +138,19 @@ function xmpp_remove_onion_address {
|
|||
if [ ${#domain_name} -eq 0 ]; then
|
||||
return
|
||||
fi
|
||||
xmpp_changed=
|
||||
if grep -q "[\"${domain_name}\"]" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i "/[\"${domain_name}\"]/d" /etc/prosody/prosody.cfg.lua
|
||||
xmpp_changed=1
|
||||
fi
|
||||
|
||||
if grep -q "= \"${domain_name}\";" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i "/= \"${domain_name}\";/d" /etc/prosody/prosody.cfg.lua
|
||||
xmpp_changed=1
|
||||
fi
|
||||
if [ $xmpp_changed ]; then
|
||||
systemctl restart prosody
|
||||
fi
|
||||
}
|
||||
|
||||
function xmpp_remove_onion_address_interactive {
|
||||
|
@ -355,16 +366,6 @@ function update_prosody_modules {
|
|||
fi
|
||||
fi
|
||||
|
||||
# change to using pep rather than profile modules
|
||||
if grep -q '"pep"' /etc/prosody/prosody.cfg.lua; then
|
||||
# This strange dance seems to fix occasional breakage of PEP
|
||||
# Is there a better solution?
|
||||
sed -i 's|"pep"|"profile"|g' /etc/prosody/prosody.cfg.lua
|
||||
systemctl restart prosody
|
||||
sleep 4
|
||||
sed -i 's|"profile"|"pep"|g' /etc/prosody/prosody.cfg.lua
|
||||
systemctl restart prosody
|
||||
fi
|
||||
if ! grep -q '"vcard"' /etc/prosody/prosody.cfg.lua; then
|
||||
systemctl stop prosody
|
||||
sed -i '/"pep"/a "vcard";' /etc/prosody/prosody.cfg.lua
|
||||
|
@ -374,8 +375,11 @@ function update_prosody_modules {
|
|||
|
||||
function upgrade_xmpp {
|
||||
if [ -d /etc/letsencrypt ]; then
|
||||
prosody_groups=$(groups prosody)
|
||||
if [[ "$prosody_groups" != *'ssl-cert'* ]]; then
|
||||
usermod -a -G ssl-cert prosody
|
||||
fi
|
||||
fi
|
||||
function_check update_prosody_modules
|
||||
update_prosody_modules
|
||||
|
||||
|
|
|
@ -326,11 +326,26 @@ function encrypt_all_email {
|
|||
fi
|
||||
|
||||
if [ -f /usr/local/bin/${PROJECT_NAME}-encrypt-mail ]; then
|
||||
if [ ! -f /usr/bin/encmaildir ]; then
|
||||
cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
|
||||
else
|
||||
HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /usr/local/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if [ ! -f /usr/bin/encmaildir ]; then
|
||||
cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
|
||||
else
|
||||
HASH1=$(sha256sum /usr/bin/${PROJECT_NAME}-encrypt-mail | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/encmaildir | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /usr/bin/${PROJECT_NAME}-encrypt-mail /usr/bin/encmaildir
|
||||
fi
|
||||
chmod +x /usr/bin/encmaildir
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
||||
return
|
||||
|
@ -497,16 +512,35 @@ function email_archiving {
|
|||
|
||||
# ensure that the mail archive script is up to date
|
||||
if [ -f /usr/local/bin/${PROJECT_NAME}-archive-mail ]; then
|
||||
if [ ! -f /etc/cron.daily/archivemail ]; then
|
||||
cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
|
||||
chmod +x /etc/cron.daily/archivemail
|
||||
else
|
||||
HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
|
||||
chmod +x /etc/cron.daily/archivemail
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if [ -f /usr/bin/${PROJECT_NAME}-archive-mail ]; then
|
||||
if [ ! -f /etc/cron.daily/archivemail ]; then
|
||||
cp /usr/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
|
||||
chmod +x /etc/cron.daily/archivemail
|
||||
else
|
||||
HASH1=$(sha256sum /usr/local/bin/${PROJECT_NAME}-archive-mail | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.daily/archivemail | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /usr/local/bin/${PROJECT_NAME}-archive-mail /etc/cron.daily/archivemail
|
||||
chmod +x /etc/cron.daily/archivemail
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "/usr/bin/${PROJECT_NAME}-archive-mail was not found. ${PROJECT_NAME} might not have fully installed."
|
||||
exit 62379
|
||||
fi
|
||||
fi
|
||||
chmod +x /etc/cron.daily/archivemail
|
||||
|
||||
# update to the next commit
|
||||
function_check set_repo_commit
|
||||
|
@ -526,7 +560,15 @@ function email_archiving {
|
|||
git checkout $CLEANUP_MAILDIR_COMMIT -b $CLEANUP_MAILDIR_COMMIT
|
||||
set_completion_param "cleanup-maildir commit" "$CLEANUP_MAILDIR_COMMIT"
|
||||
|
||||
if [ ! -f /usr/bin/cleanup-maildir ]; then
|
||||
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
|
||||
else
|
||||
HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
|
||||
fi
|
||||
fi
|
||||
|
||||
mark_completed $FUNCNAME
|
||||
}
|
||||
|
@ -1621,7 +1663,7 @@ function configure_gpg {
|
|||
}
|
||||
|
||||
function refresh_gpg_keys {
|
||||
REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys
|
||||
REFRESH_GPG_KEYS_SCRIPT=/tmp/update-gpg-keys
|
||||
echo '#!/bin/bash' > $REFRESH_GPG_KEYS_SCRIPT
|
||||
echo "if [ -f /usr/local/bin/${PROJECT_NAME}-sec ]; then" >> $REFRESH_GPG_KEYS_SCRIPT
|
||||
echo " /usr/bin/timeout 600 /usr/local/bin/${PROJECT_NAME}-sec --refresh yes" >> $REFRESH_GPG_KEYS_SCRIPT
|
||||
|
@ -1631,6 +1673,18 @@ function refresh_gpg_keys {
|
|||
echo 'exit 0' >> $REFRESH_GPG_KEYS_SCRIPT
|
||||
chmod +x $REFRESH_GPG_KEYS_SCRIPT
|
||||
|
||||
if [ ! -f /usr/bin/update-gpg-keys ]; then
|
||||
cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys
|
||||
else
|
||||
HASH1=$(sha256sum $REFRESH_GPG_KEYS_SCRIPT | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/update-gpg-keys | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $REFRESH_GPG_KEYS_SCRIPT /usr/bin/update-gpg-keys
|
||||
fi
|
||||
rm $REFRESH_GPG_KEYS_SCRIPT
|
||||
fi
|
||||
|
||||
REFRESH_GPG_KEYS_SCRIPT=/usr/bin/update-gpg-keys
|
||||
if grep -q "${PROJECT_NAME}-sec" /etc/crontab; then
|
||||
sed -i "/${PROJECT_NAME}-sec /d" /etc/crontab
|
||||
fi
|
||||
|
@ -1639,8 +1693,10 @@ function refresh_gpg_keys {
|
|||
echo "$GPG_REFRESH_TIME */$REFRESH_GPG_KEYS_HOURS * * * root cronic $REFRESH_GPG_KEYS_SCRIPT" >> /etc/crontab
|
||||
systemctl restart cron
|
||||
else
|
||||
if ! grep "root cronic $REFRESH_GPG_KEYS_SCRIPT" /etc/crontab; then
|
||||
sed -i "s|root $REFRESH_GPG_KEYS_SCRIPT.*|root cronic $REFRESH_GPG_KEYS_SCRIPT|g" /etc/crontab
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function install_email {
|
||||
|
|
|
@ -58,7 +58,7 @@ function install_tripwire {
|
|||
debconf-set-selections <<< "tripwire tripwire/use-sitekey boolean false"
|
||||
debconf-set-selections <<< "tripwire tripwire/use-localkey boolean false"
|
||||
|
||||
apt-get -yq install tripwire
|
||||
apt-get -yq install tripwire qrencode
|
||||
apt-get -yq autoremove
|
||||
cd /etc/tripwire
|
||||
|
||||
|
@ -105,6 +105,11 @@ function install_tripwire {
|
|||
if ! grep -q '!/etc/tripwire' /etc/tripwire/twpol.txt; then
|
||||
sed -i '\|/etc\t\t->.*|a\ !/etc/tripwire ;' /etc/tripwire/twpol.txt
|
||||
fi
|
||||
# Ignore /etc/freedombone
|
||||
if ! grep -q '!/etc/freedombone' /etc/tripwire/twpol.txt; then
|
||||
sed -i '\|/etc\t\t->.*|a\ !/etc/freedombone ;' /etc/tripwire/twpol.txt
|
||||
fi
|
||||
# Ignore /etc/pihole
|
||||
if ! grep -q '!/etc/pihole' /etc/tripwire/twpol.txt; then
|
||||
sed -i '\|/etc\t\t->.*|a\ !/etc/pihole ;' /etc/tripwire/twpol.txt
|
||||
fi
|
||||
|
@ -115,6 +120,15 @@ function install_tripwire {
|
|||
if ! grep -q '!/etc/share/tt-rss/lock' /etc/tripwire/twpol.txt; then
|
||||
sed -i '\|/etc\t\t->.*|a\ !/etc/share/tt-rss/lock ;' /etc/tripwire/twpol.txt
|
||||
fi
|
||||
# ignore global node modules
|
||||
if ! grep -q '!/usr/local/lib/node_modules' /etc/tripwire/twpol.txt; then
|
||||
sed -i '\|/etc\t\t->.*|a\ !/usr/local/lib/node_modules ;' /etc/tripwire/twpol.txt
|
||||
fi
|
||||
|
||||
# Not much is in /usr/local/bin other than project commands and avoiding it removes
|
||||
# problems with updates. This is a tradeoff, but not by much.
|
||||
sed -i '/\/usr\/local\/bin/d' /etc/tripwire/twpol.txt
|
||||
|
||||
# Avoid logging the changed database
|
||||
sed -i 's|$(TWETC)/tw.pol.*||g' /etc/tripwire/twpol.txt
|
||||
# site key name
|
||||
|
|
|
@ -96,7 +96,7 @@ function refresh_gpg_keys {
|
|||
fi
|
||||
sudo cp /etc/crontab ~/temp_crontab
|
||||
sudo chown $CURR_USER:$CURR_GROUP ~/temp_crontab
|
||||
if ! grep -q "gpg --refresh-keys" ~/temp_crontab; then
|
||||
if ! grep -q 'gpg --refresh-keys' ~/temp_crontab; then
|
||||
echo "0 */$REFRESH_GPG_KEYS_HOURS * * * $CURR_USER /usr/bin/gpg --refresh-keys > /dev/null" >> ~/temp_crontab
|
||||
sudo cp ~/temp_crontab /etc/crontab
|
||||
sudo chown root:root /etc/crontab
|
||||
|
|
|
@ -1268,6 +1268,21 @@ function security_settings {
|
|||
any_key
|
||||
}
|
||||
|
||||
function show_tripwire_verification_code {
|
||||
if [ ! -f /var/lib/tripwire/${HOSTNAME}.twd ]; then
|
||||
return
|
||||
fi
|
||||
clear
|
||||
echo ''
|
||||
echo $'Tripwire Verification Code'
|
||||
echo ''
|
||||
DBHASH=$(sha512sum /var/lib/tripwire/${HOSTNAME}.twd)
|
||||
echo "$DBHASH" | qrencode -t UTF8
|
||||
echo ''
|
||||
echo "$DBHASH"
|
||||
echo ''
|
||||
}
|
||||
|
||||
function reset_tripwire {
|
||||
if [ ! -f /usr/bin/reset-tripwire ]; then
|
||||
echo $'Missing /usr/bin/reset-tripwire'
|
||||
|
@ -1280,6 +1295,10 @@ function reset_tripwire {
|
|||
return
|
||||
fi
|
||||
clear
|
||||
echo $'Turing off logging...'
|
||||
${PROJECT_NAME}-logging off
|
||||
echo $'Locking down permissions...'
|
||||
lockdown_permissions
|
||||
echo $'Creating configuration...'
|
||||
echo '
|
||||
|
||||
|
@ -1298,7 +1317,14 @@ function reset_tripwire {
|
|||
|
||||
' | reset-tripwire
|
||||
echo ''
|
||||
echo $'Tripwire is now reset'
|
||||
if [ -f /var/lib/tripwire/${HOSTNAME}.twd ]; then
|
||||
show_tripwire_verification_code
|
||||
echo $'Tripwire is now reset. Take a note of the above hash, or record'
|
||||
echo $'the QR code using a mobile device. This will enable you to independently'
|
||||
echo $'verify the integrity of the tripwire.'
|
||||
else
|
||||
echo $'ERROR: tripwire database was not created'
|
||||
fi
|
||||
any_key
|
||||
}
|
||||
|
||||
|
@ -2122,27 +2148,28 @@ function menu_top_level {
|
|||
trap "rm -f $data" 0 1 2 5 15
|
||||
dialog --backtitle $"Freedombone Control Panel" \
|
||||
--title $"Control Panel" \
|
||||
--radiolist $"Choose an operation:" 28 70 20 \
|
||||
--radiolist $"Choose an operation:" 29 70 21 \
|
||||
1 $"About this system" off \
|
||||
2 $"Passwords" off \
|
||||
3 $"Backup and Restore" off \
|
||||
4 $"Show Firewall" off \
|
||||
5 $"Reset Tripwire" off \
|
||||
6 $"App Settings" off \
|
||||
7 $"Add/Remove Apps" off \
|
||||
8 $"Logging on/off" off \
|
||||
9 $"Ping enable/disable" off \
|
||||
10 $"Manage Users" off \
|
||||
11 $"Email Menu" off \
|
||||
12 $"Domain or User Blocking" off \
|
||||
13 $"Security Settings" off \
|
||||
14 $"Change the name of this system" off \
|
||||
15 $"Set a static local IP address" off \
|
||||
16 $"Wifi menu" off \
|
||||
17 $"Check for updates" off \
|
||||
18 $"Power off the system" off \
|
||||
19 $"Restart the system" off \
|
||||
20 $"Exit" on 2> $data
|
||||
5 $"Verify Tripwire Code" off \
|
||||
6 $"Reset Tripwire" off \
|
||||
7 $"App Settings" off \
|
||||
8 $"Add/Remove Apps" off \
|
||||
9 $"Logging on/off" off \
|
||||
10 $"Ping enable/disable" off \
|
||||
11 $"Manage Users" off \
|
||||
12 $"Email Menu" off \
|
||||
13 $"Domain or User Blocking" off \
|
||||
14 $"Security Settings" off \
|
||||
15 $"Change the name of this system" off \
|
||||
16 $"Set a static local IP address" off \
|
||||
17 $"Wifi menu" off \
|
||||
18 $"Check for updates" off \
|
||||
19 $"Power off the system" off \
|
||||
20 $"Restart the system" off \
|
||||
21 $"Exit" on 2> $data
|
||||
sel=$?
|
||||
case $sel in
|
||||
1) exit 1;;
|
||||
|
@ -2154,26 +2181,28 @@ function menu_top_level {
|
|||
2) view_or_change_passwords;;
|
||||
3) menu_backup_restore;;
|
||||
4) show_firewall;;
|
||||
5) reset_tripwire;;
|
||||
6) menu_app_settings;;
|
||||
7) /usr/local/bin/addremove
|
||||
5) show_tripwire_verification_code
|
||||
any_key;;
|
||||
6) reset_tripwire;;
|
||||
7) menu_app_settings;;
|
||||
8) /usr/local/bin/addremove
|
||||
if [ ! "$?" = "0" ]; then
|
||||
any_key
|
||||
fi
|
||||
;;
|
||||
8) logging_on_off;;
|
||||
9) ping_enable_disable;;
|
||||
10) menu_users;;
|
||||
11) menu_email;;
|
||||
12) domain_blocking;;
|
||||
13) security_settings;;
|
||||
14) change_system_name;;
|
||||
15) set_static_IP;;
|
||||
16) menu_wifi;;
|
||||
17) check_for_updates;;
|
||||
18) shut_down_system;;
|
||||
19) restart_system;;
|
||||
20) break;;
|
||||
9) logging_on_off;;
|
||||
10) ping_enable_disable;;
|
||||
11) menu_users;;
|
||||
12) menu_email;;
|
||||
13) domain_blocking;;
|
||||
14) security_settings;;
|
||||
15) change_system_name;;
|
||||
16) set_static_IP;;
|
||||
17) menu_wifi;;
|
||||
18) check_for_updates;;
|
||||
19) shut_down_system;;
|
||||
20) restart_system;;
|
||||
21) break;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
|
|
@ -1074,7 +1074,7 @@ function image_setup_utils {
|
|||
chroot "$rootdir" apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
|
||||
chroot "$rootdir" apt-get -yq install pinentry-curses eatmydata iotop bc hostapd haveged
|
||||
chroot "$rootdir" apt-get -yq install cpulimit screen elinks libpam-cracklib
|
||||
chroot "$rootdir" apt-get -yq install fail2ban vim-common python3 unattended-upgrades
|
||||
chroot "$rootdir" apt-get -yq install vim-common python3 unattended-upgrades
|
||||
|
||||
# Tor and ssh over tor
|
||||
chroot "$rootdir" apt-get -yq install tor connect-proxy
|
||||
|
|
|
@ -40,6 +40,14 @@ WEBSERVER_LOG_LEVEL='warn'
|
|||
# Also the shred command can be very slow on Beaglebone Black
|
||||
REMOVE_FILES_COMMAND='rm -rf'
|
||||
|
||||
source /usr/local/bin/${PROJECT_NAME}-vars
|
||||
|
||||
UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
|
||||
for f in $UTILS_FILES
|
||||
do
|
||||
source $f
|
||||
done
|
||||
|
||||
APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
|
||||
for f in $APP_FILES
|
||||
do
|
||||
|
@ -83,6 +91,9 @@ function turn_logging_off {
|
|||
}
|
||||
|
||||
function turn_off_rsys_logging {
|
||||
if ! grep -q '/var/log/auth.log' /etc/rsyslog.conf; then
|
||||
return
|
||||
fi
|
||||
sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf
|
||||
sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf
|
||||
sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf
|
||||
|
@ -106,6 +117,9 @@ function turn_off_rsys_logging {
|
|||
}
|
||||
|
||||
function turn_on_rsys_logging {
|
||||
if grep -q '/var/log/auth.log' /etc/rsyslog.conf; then
|
||||
return
|
||||
fi
|
||||
sed -i 's|mail,news.none.*|mail,news.none -/var/log/messages|g' /etc/rsyslog.conf
|
||||
sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /var/log/auth.log|g' /etc/rsyslog.conf
|
||||
sed -i 's|mail.info.*|mail.info -/var/log/mail.info|g' /etc/rsyslog.conf
|
||||
|
@ -127,10 +141,6 @@ fi
|
|||
if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then
|
||||
turn_logging_on
|
||||
|
||||
if [ -f /etc/fail2ban/fail2ban.conf ]; then
|
||||
sed -i 's|loglevel.*|loglevel = 3|g' /etc/fail2ban/fail2ban.conf
|
||||
sed -i 's|logtarget.*|logtarget = /var/log/fail2ban.log|g' /etc/fail2ban/fail2ban.conf
|
||||
fi
|
||||
if [ -d /etc/tor ]; then
|
||||
if [ ! -d /var/log/tor ]; then
|
||||
mkdir /var/log/tor
|
||||
|
@ -238,11 +248,6 @@ else
|
|||
sed -i 's|log_error =.*|log_error = /dev/null|g' /etc/mysql/my.cnf
|
||||
fi
|
||||
fi
|
||||
if [ -f /etc/fail2ban/fail2ban.conf ]; then
|
||||
sed -i 's|loglevel.*|loglevel = 1|g' /etc/fail2ban/fail2ban.conf
|
||||
sed -i 's|logtarget.*|logtarget = /dev/null|g' /etc/fail2ban/fail2ban.conf
|
||||
$REMOVE_FILES_COMMAND /var/log/fail2ban.*
|
||||
fi
|
||||
turn_off_rsys_logging
|
||||
fi
|
||||
|
||||
|
@ -286,9 +291,6 @@ fi
|
|||
if [ -d /var/www/radicale ]; then
|
||||
systemctl restart radicale
|
||||
fi
|
||||
if [ -d /etc/fail2ban ]; then
|
||||
systemctl restart fail2ban
|
||||
fi
|
||||
if [ -d /etc/matrix ]; then
|
||||
systemctl restart matrix
|
||||
fi
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
# License
|
||||
# =======
|
||||
#
|
||||
# Copyright (C) 2015-2016 Bob Mottram <bob@freedombone.net>
|
||||
# Copyright (C) 2015-2017 Bob Mottram <bob@freedombone.net>
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU Affero General Public License as published by
|
||||
|
@ -65,15 +65,7 @@ if grep -q "cat /root/dbpass" /usr/bin/backupdatabases; then
|
|||
sed -i "s|cat /root/dbpass|freedombone-pass -u root -a mariadb|g" /usr/bin/backupdatabases
|
||||
fi
|
||||
|
||||
update-ca-certificates
|
||||
|
||||
# remove any keyserver log files
|
||||
if [ -d /var/lib/sks/DB ]; then
|
||||
cd /var/lib/sks/DB
|
||||
systemctl stop sks
|
||||
db_archive -d
|
||||
systemctl start sks
|
||||
fi
|
||||
#update-ca-certificates
|
||||
|
||||
if [ ! -d $PROJECT_DIR ]; then
|
||||
git_clone $PROJECT_REPO $PROJECT_DIR
|
||||
|
@ -97,11 +89,9 @@ if [ -d $PROJECT_DIR ]; then
|
|||
|
||||
${PROJECT_NAME} -c $CONFIGURATION_FILE
|
||||
if [ ! "$?" = "0" ]; then
|
||||
lockdown_permissions
|
||||
exit 453536
|
||||
fi
|
||||
|
||||
lockdown_permissions
|
||||
defrag_filesystem
|
||||
fi
|
||||
fi
|
||||
|
@ -109,10 +99,4 @@ fi
|
|||
# If logging was left on then turn it off
|
||||
${PROJECT_NAME}-logging off
|
||||
|
||||
if [ -f /usr/bin/reset-tripwire ]; then
|
||||
echo '
|
||||
|
||||
' | reset-tripwire
|
||||
fi
|
||||
|
||||
# deliberately there is no 'exit 0' here
|
||||
|
|
|
@ -78,18 +78,30 @@ function randomize_cron {
|
|||
}
|
||||
|
||||
function schedule_stig_tests {
|
||||
echo '#!/bin/bash' > /etc/cron.daily/stig_tests
|
||||
echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> /etc/cron.daily/stig_tests
|
||||
echo "pkill ${PROJECT_NAME}-tests" >> /etc/cron.daily/stig_tests
|
||||
echo 'rm -rf /tmp/*' >> /etc/cron.daily/stig_tests
|
||||
echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> /etc/cron.daily/stig_tests
|
||||
echo 'if [ ! "$?" = "0" ]; then' >> /etc/cron.daily/stig_tests
|
||||
echo " echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> /etc/cron.daily/stig_tests
|
||||
echo 'fi' >> /etc/cron.daily/stig_tests
|
||||
echo 'if [ -f /tmp/daily-stig-tests ]; then' >> /etc/cron.daily/stig_tests
|
||||
echo ' rm /tmp/daily-stig-tests' >> /etc/cron.daily/stig_tests
|
||||
echo 'fi' >> /etc/cron.daily/stig_tests
|
||||
chmod +x /etc/cron.daily/stig_tests
|
||||
stig_tests_script=/tmp/stig_tests_script
|
||||
echo '#!/bin/bash' > $stig_tests_script
|
||||
echo "ADMIN_EMAIL_ADDRESS=${MY_USERNAME}@\${HOSTNAME}" >> $stig_tests_script
|
||||
echo "pkill ${PROJECT_NAME}-tests" >> $stig_tests_script
|
||||
echo 'rm -rf /tmp/*' >> $stig_tests_script
|
||||
echo "${PROJECT_NAME}-tests --stig yes > /tmp/daily-stig-tests" >> $stig_tests_script
|
||||
echo 'if [ ! "$?" = "0" ]; then' >> $stig_tests_script
|
||||
echo " echo \"\$(cat /tmp/daily-stig-tests)\" | mail -s \"${PROJECT_NAME} STIG test failures\" \$ADMIN_EMAIL_ADDRESS" >> $stig_tests_script
|
||||
echo 'fi' >> $stig_tests_script
|
||||
echo 'if [ -f /tmp/daily-stig-tests ]; then' >> $stig_tests_script
|
||||
echo ' rm /tmp/daily-stig-tests' >> $stig_tests_script
|
||||
echo 'fi' >> $stig_tests_script
|
||||
chmod +x $stig_tests_script
|
||||
|
||||
if [ ! -f /etc/cron.daily/stig_tests ]; then
|
||||
cp $stig_tests_script /etc/cron.daily/stig_tests
|
||||
else
|
||||
HASH1=$(sha256sum $stig_tests_script | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.daily/stig_tests | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $stig_tests_script /etc/cron.daily/stig_tests
|
||||
fi
|
||||
fi
|
||||
rm $stig_tests_script
|
||||
}
|
||||
|
||||
# NOTE: deliberately there is no "exit 0"
|
||||
|
|
|
@ -124,7 +124,11 @@ function defrag_filesystem {
|
|||
}
|
||||
|
||||
function optimise_filesystem {
|
||||
if grep -q "btrfs" /etc/fstab; then
|
||||
if ! grep -q "btrfs defaults,subvol=@,compress=lzo,ssd" /etc/fstab; then
|
||||
sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' /etc/fstab
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# NOTE: deliberately no exit 0
|
||||
|
|
|
@ -90,10 +90,13 @@ function firewall_block_bad_ip_ranges {
|
|||
function global_rate_limit {
|
||||
if ! grep -q "tcp_challenge_ack_limit" /etc/sysctl.conf; then
|
||||
echo 'net.ipv4.tcp_challenge_ack_limit = 999999999' >> /etc/sysctl.conf
|
||||
else
|
||||
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
|
||||
fi
|
||||
sysctl -p -q
|
||||
else
|
||||
if ! grep -q "net.ipv4.tcp_challenge_ack_limit = 999999999" /etc/sysctl.conf; then
|
||||
sed -i 's|net.ipv4.tcp_challenge_ack_limit.*|net.ipv4.tcp_challenge_ack_limit = 999999999|g' /etc/sysctl.conf
|
||||
sysctl -p -q
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function enable_ipv6 {
|
||||
|
|
|
@ -95,14 +95,32 @@ function set_repo_commit {
|
|||
chown -R www-data:www-data $repo_dir
|
||||
fi
|
||||
if [[ $repo_dir == *"gpgit" ]]; then
|
||||
if [ ! -f /usr/bin/gpgit.pl ]; then
|
||||
cp gpgit.pl /usr/bin/gpgit.pl
|
||||
else
|
||||
HASH1=$(sha256sum gpgit.pl | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/gpgit.pl | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp gpgit.pl /usr/bin/gpgit.pl
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [[ $repo_dir == *"cleanup-maildir" ]]; then
|
||||
if [ ! -f /usr/bin/cleanup-maildir ]; then
|
||||
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
|
||||
else
|
||||
HASH1=$(sha256sum $INSTALL_DIR/cleanup-maildir/cleanup-maildir | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /usr/bin/cleanup-maildir | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $INSTALL_DIR/cleanup-maildir/cleanup-maildir /usr/bin
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if [[ $repo_dir == *"nginx_ensite" ]]; then
|
||||
if [ ! -f /usr/local/bin/nginx_ensite ]; then
|
||||
make install
|
||||
fi
|
||||
fi
|
||||
if [[ $repo_dir == *"inadyn" ]]; then
|
||||
./configure
|
||||
USE_OPENSSL=1 make
|
||||
|
|
|
@ -145,30 +145,47 @@ function separate_tmp_filesystem {
|
|||
}
|
||||
|
||||
function proc_filesystem_settings {
|
||||
if ! grep -q "proc proc defaults,nodev,nosuid " /etc/fstab; then
|
||||
sed -i 's|proc /proc proc defaults |proc /proc proc defaults,nodev,nosuid |g' /etc/fstab
|
||||
fi
|
||||
}
|
||||
|
||||
function remove_bluetooth {
|
||||
bluetooth_changed=
|
||||
bnep_exists=$(lsmod | grep bnep)
|
||||
if [[ "$bnep_exists" == "bnep"* ]]; then
|
||||
rmmod -f bnep
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
bluetooth_exists=$(lsmod | grep bluetooth)
|
||||
if [[ "$bluetooth_exists" == "bluetooth"* ]]; then
|
||||
rmmod -f bluetooth
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
if [ -f /etc/default/bluetooth ]; then
|
||||
if grep -q "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
|
||||
sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
|
||||
else
|
||||
echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
|
||||
fi
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
if ! grep -q 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
|
||||
echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
if ! grep -q 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
|
||||
echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
if ! grep -q 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
|
||||
echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
|
||||
bluetooth_changed=1
|
||||
fi
|
||||
if [ $bluetooth_changed ]; then
|
||||
update-initramfs -u -k `uname -r` -v
|
||||
update-rc.d bluetooth remove
|
||||
fi
|
||||
}
|
||||
|
||||
function running_as_root {
|
||||
|
@ -201,11 +218,17 @@ function install_backports_kernel {
|
|||
architecture_type=$(uname -a)
|
||||
|
||||
if [[ "$architecture_type" == *"amd64"* ]]; then
|
||||
package_installed=$(dpkg-query -W -f='${Package}\n' linux-image-amd64 2>/dev/null)
|
||||
if [ ! $package_installed ]; then
|
||||
apt-get -yq install linux-image-amd64
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function turn_off_rsys_logging {
|
||||
if grep -q '/dev/null' /etc/rsyslog.conf; then
|
||||
return
|
||||
fi
|
||||
sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf
|
||||
sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf
|
||||
sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf
|
||||
|
@ -265,7 +288,7 @@ function initial_setup {
|
|||
|
||||
function setup_grub {
|
||||
if [[ $ARCHITECTURE == 'qemu'* || $ARCHITECTURE == 'amd64' || $ARCHITECTURE == 'x86_64' || $ARCHITECTURE == 'i686' || $ARCHITECTURE == 'i386' ]]; then
|
||||
if ! grep -q 'iframes=0' /etc/default/grub; then
|
||||
if ! grep -q 'ifnames=0' /etc/default/grub; then
|
||||
sed -i 's|GRUB_CMDLINE_LINUX_DEFAULT=.*|GRUB_CMDLINE_LINUX_DEFAULT="quiet ifnames=0 slub_debug=FZP slab_nomerge page_poison=1"|g' /etc/default/grub
|
||||
update-grub
|
||||
fi
|
||||
|
@ -377,7 +400,9 @@ function mark_admin_user_account {
|
|||
}
|
||||
|
||||
function remove_instructions_from_motd {
|
||||
if grep -q "## " /etc/motd; then
|
||||
sed -i '/## /d' /etc/motd
|
||||
fi
|
||||
}
|
||||
|
||||
function remove_default_user {
|
||||
|
@ -430,7 +455,10 @@ function remove_management_engine_interface {
|
|||
}
|
||||
|
||||
function set_login_umask {
|
||||
logindefs_umask=$(cat /etc/login.defs | grep UMASK | grep -v '#')
|
||||
if [[ "$logindefs_umask" != *'077' ]]; then
|
||||
sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
|
||||
fi
|
||||
}
|
||||
|
||||
function disable_deferred_execution {
|
||||
|
@ -451,13 +479,13 @@ function set_max_login_tries {
|
|||
if ! grep -q ' deny=' /etc/pam.d/common-auth; then
|
||||
sed -i "/pam_deny.so/a auth required\t\t\tpam_tally.so onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
|
||||
else
|
||||
if ! grep -q " deny=$max_tries" /etc/pam.d/common-auth; then
|
||||
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
|
||||
fi
|
||||
fi
|
||||
|
||||
if ! grep -q ' deny=' /etc/pam.d/common-account; then
|
||||
if ! grep -q 'pam_tally.so' /etc/pam.d/common-account; then
|
||||
sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
|
||||
else
|
||||
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account
|
||||
fi
|
||||
}
|
||||
|
||||
|
@ -466,15 +494,19 @@ function limit_user_logins {
|
|||
if ! grep -q '* hard maxsyslogins' /etc/security/limits.conf; then
|
||||
echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
|
||||
else
|
||||
if ! grep -q '* hard maxsyslogins 10' /etc/security/limits.conf; then
|
||||
sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
|
||||
fi
|
||||
fi
|
||||
|
||||
# Max logins for each user
|
||||
if ! grep -q '* hard maxlogins' /etc/security/limits.conf; then
|
||||
echo '* hard maxlogins 2' >> /etc/security/limits.conf
|
||||
else
|
||||
if ! grep -q '* hard maxlogins 2' /etc/security/limits.conf; then
|
||||
sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function remove_serial_logins {
|
||||
|
@ -493,7 +525,10 @@ function set_sticky_bits {
|
|||
}
|
||||
|
||||
function disable_ctrl_alt_del {
|
||||
ctrl_alt_del=$(ls -l /etc/systemd/system/ctrl-alt-del.target)
|
||||
if [[ "$ctrl_alt_del" != *'/dev/null' ]]; then
|
||||
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
|
||||
fi
|
||||
}
|
||||
|
||||
function lockdown_permissions {
|
||||
|
@ -599,11 +634,13 @@ function lockdown_permissions {
|
|||
}
|
||||
|
||||
function disable_core_dumps {
|
||||
if ! grep -q '* hard core 0' /etc/security/limits.conf; then
|
||||
if ! grep -q '* hard core' /etc/security/limits.conf; then
|
||||
echo '* hard core 0' >> /etc/security/limits.conf
|
||||
else
|
||||
if ! grep -q '* hard core 0' /etc/security/limits.conf; then
|
||||
sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
function dummy_nologin_command {
|
||||
|
@ -614,7 +651,9 @@ function dummy_nologin_command {
|
|||
}
|
||||
|
||||
function disable_null_passwords {
|
||||
if grep -q ' nullok_secure' /etc/pam.d/common-auth; then
|
||||
sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
|
||||
fi
|
||||
}
|
||||
|
||||
function create_usb_canary {
|
||||
|
@ -665,12 +704,45 @@ function setup_firewall {
|
|||
|
||||
function setup_powerline {
|
||||
if [ -f ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
|
||||
if [ ! -f ~/.powerline.bash ]; then
|
||||
cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
|
||||
else
|
||||
HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
|
||||
fi
|
||||
fi
|
||||
if [ ! -f /etc/skel/.powerline.bash ]; then
|
||||
cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
|
||||
else
|
||||
HASH1=$(sha256sum ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp ~/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
|
||||
fi
|
||||
fi
|
||||
else
|
||||
if [ -f /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ]; then
|
||||
if [ ! -f ~/.powerline.bash ]; then
|
||||
cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
|
||||
else
|
||||
HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum ~/.powerline.bash | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline ~/.powerline.bash
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -f /etc/skel/.powerline.bash ]; then
|
||||
cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
|
||||
else
|
||||
HASH1=$(sha256sum /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/skel/.powerline.bash | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp /home/${MY_USERNAME}/${PROJECT_NAME}/src/${PROJECT_NAME}-powerline /etc/skel/.powerline.bash
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
if ! grep -q "powerline" ~/.bashrc; then
|
||||
|
@ -687,9 +759,11 @@ function setup_powerline {
|
|||
|
||||
function congestion_control {
|
||||
# see /proc/sys/net/ipv4/tcp_congestion_control
|
||||
if [ ! -f /etc/sysctl.d/10-custom-kernel-bbr.conf ]; then
|
||||
echo 'net.core.default_qdisc=fq' > /etc/sysctl.d/10-custom-kernel-bbr.conf
|
||||
echo 'net.ipv4.tcp_congestion_control=bbr' >> /etc/sysctl.d/10-custom-kernel-bbr.conf
|
||||
sysctl --system
|
||||
fi
|
||||
}
|
||||
|
||||
function setup_utils {
|
||||
|
|
|
@ -121,7 +121,7 @@ function configure_ssh {
|
|||
sed -i 's|#UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config
|
||||
sed -i 's|UsePrivilegeSeparation .*|UsePrivilegeSeparation sandbox|g' /etc/ssh/sshd_config
|
||||
|
||||
apt-get -yq install fail2ban vim-common
|
||||
apt-get -yq install vim-common
|
||||
|
||||
function_check configure_firewall_for_ssh
|
||||
configure_firewall_for_ssh
|
||||
|
|
|
@ -32,7 +32,16 @@
|
|||
UPGRADE_SCRIPT_NAME="${PROJECT_NAME}-upgrade"
|
||||
|
||||
function create_upgrade_script {
|
||||
cp $(which ${PROJECT_NAME}-upgrade) /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
|
||||
upgrade_command_file=$(which ${PROJECT_NAME}-upgrade)
|
||||
if [ ! -f /etc/cron.weekly/$UPGRADE_SCRIPT_NAME ]; then
|
||||
cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
|
||||
else
|
||||
HASH1=$(sha256sum $upgrade_command_file | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.weekly/$UPGRADE_SCRIPT_NAME | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $upgrade_command_file /etc/cron.weekly/$UPGRADE_SCRIPT_NAME
|
||||
fi
|
||||
fi
|
||||
|
||||
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
||||
return
|
||||
|
|
|
@ -318,8 +318,8 @@ function letsencrypt_renewals {
|
|||
return
|
||||
fi
|
||||
|
||||
renewals_script=/etc/cron.monthly/letsencrypt
|
||||
renewals_retry_script=/etc/cron.daily/letsencrypt
|
||||
renewals_script=/tmp/renewals_letsencrypt
|
||||
renewals_retry_script=/tmp/renewals_retry_letsencrypt
|
||||
renewal_failure_msg=$'The certificate for $LETSENCRYPT_DOMAIN could not be renewed'
|
||||
renewal_email_title=$'${PROJECT_NAME} Lets Encrypt certificate renewal'
|
||||
|
||||
|
@ -361,6 +361,17 @@ function letsencrypt_renewals {
|
|||
echo 'fi' >> $renewals_script
|
||||
chmod +x $renewals_script
|
||||
|
||||
if [ ! -f /etc/cron.monthly/letsencrypt ]; then
|
||||
cp $renewals_script /etc/cron.monthly/letsencrypt
|
||||
else
|
||||
HASH1=$(sha256sum $renewals_script | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.monthly/letsencrypt | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $renewals_script /etc/cron.monthly/letsencrypt
|
||||
fi
|
||||
fi
|
||||
rm $renewals_script
|
||||
|
||||
# a secondary script keeps trying to renew after a failure
|
||||
echo '#!/bin/bash' > $renewals_retry_script
|
||||
echo '' >> $renewals_retry_script
|
||||
|
@ -398,6 +409,17 @@ function letsencrypt_renewals {
|
|||
echo ' fi' >> $renewals_retry_script
|
||||
echo 'fi' >> $renewals_retry_script
|
||||
chmod +x $renewals_retry_script
|
||||
|
||||
if [ ! -f /etc/cron.daily/letsencrypt ]; then
|
||||
cp $renewals_retry_script /etc/cron.daily/letsencrypt
|
||||
else
|
||||
HASH1=$(sha256sum $renewals_retry_script | awk -F ' ' '{print $1}')
|
||||
HASH2=$(sha256sum /etc/cron.daily/letsencrypt | awk -F ' ' '{print $1}')
|
||||
if [[ "$HASH1" != "$HASH2" ]]; then
|
||||
cp $renewals_retry_script /etc/cron.daily/letsencrypt
|
||||
fi
|
||||
fi
|
||||
rm $renewals_retry_script
|
||||
}
|
||||
|
||||
function configure_php {
|
||||
|
@ -425,6 +447,11 @@ function install_dynamicdns {
|
|||
return
|
||||
fi
|
||||
|
||||
CURR_INADYN_COMMIT=$(get_completion_param "inadyn commit")
|
||||
if [[ "${CURR_INADYN_COMMIT}" == "${INADYN_COMMIT}" ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
# update to the next commit
|
||||
function_check set_repo_commit
|
||||
set_repo_commit $INSTALL_DIR/inadyn "inadyn commit" "$INADYN_COMMIT" $INADYN_REPO
|
||||
|
@ -762,12 +789,20 @@ function update_default_domain {
|
|||
cp /etc/ssl/certs/xmpp* /etc/prosody/certs
|
||||
if [ /etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem ]; then
|
||||
usermod -a -G ssl-cert prosody
|
||||
if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
|
||||
sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
|
||||
fi
|
||||
if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/conf.avail/xmpp.cfg.lua; then
|
||||
sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/conf.avail/xmpp.cfg.lua
|
||||
fi
|
||||
|
||||
if grep -q "/etc/prosody/certs/xmpp.key" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i "s|/etc/prosody/certs/xmpp.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/prosody.cfg.lua
|
||||
fi
|
||||
if grep -q "/etc/prosody/certs/xmpp.crt" /etc/prosody/prosody.cfg.lua; then
|
||||
sed -i "s|/etc/prosody/certs/xmpp.crt|/etc/ssl/certs/${DEFAULT_DOMAIN_NAME}.pem|g" /etc/prosody/prosody.cfg.lua
|
||||
fi
|
||||
fi
|
||||
|
||||
if grep -q "/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key" /etc/prosody/conf.avail/xmpp.cfg.lua; then
|
||||
sed -i "s|/etc/prosody/certs/${DEFAULT_DOMAIN_NAME}.key|/etc/ssl/private/${DEFAULT_DOMAIN_NAME}.key|g" /etc/prosody/conf.avail/xmpp.cfg.lua
|
||||
|
|
|
@ -49,8 +49,11 @@ function default_network_config {
|
|||
# device names get assigned random names. This is a hacky workaround.
|
||||
# Also adding net.ifnames=0 to kernel options on bootloader may work.
|
||||
function enable_predictable_device_names {
|
||||
test_predictable=$(ls -la /etc/udev/rules.d/80-net-setup-link.rules)
|
||||
if [[ "$test_predictable" != *"/dev/null" ]]; then
|
||||
ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
|
||||
update-initramfs -u
|
||||
fi
|
||||
}
|
||||
|
||||
function wifi_is_running {
|
||||
|
|
|
@ -495,7 +495,13 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
|
|||
printf '\n######################\n\nSTIG-ID:RHEL-06-000047\n\nVulnerability Discussion: System binaries are executed by privileged users, as well as system services, and restrictive permissions are necessary to ensure execution of these programs cannot be co-opted.\n\nFix text: System executables are stored in the following directories by default:\n\n/bin\n/usr/bin\n/usr/local/bin\n/sbin\n/usr/sbin\n/usr/local/sbin\n\nIf any file in these directories is found to be group-writable or world-writable, correct its permission with the following command:\n\n#chmod go-w [FILE]\n\n######################\n\n' >> $LOG
|
||||
fi
|
||||
;;
|
||||
V-38472) if [ "$3" = "en" ]; then
|
||||
V-38472) find -L /bin \! -user root -exec ls -l {} \;
|
||||
find -L /usr/bin \! -user root -exec ls -l {} \;
|
||||
find -L /usr/local/bin \! -user root -exec ls -l {} \;
|
||||
find -L /sbin \! -user root -exec ls -l {} \;
|
||||
find -L /usr/sbin \! -user root -exec ls -l {} \;
|
||||
find -L /usr/local/sbin \! -user root -exec ls -l {} \;
|
||||
if [ "$3" = "en" ]; then
|
||||
log_msg $2 'All system command files must be owned by root.'
|
||||
else
|
||||
log_msg $2 '所有系统命令文件的属主必须为root用户。'
|
||||
|
|
Loading…
Reference in New Issue