920 lines
25 KiB
Bash
Executable File
920 lines
25 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# .---. . .
|
|
# | | |
|
|
# |--- .--. .-. .-. .-.| .-. .--.--. |.-. .-. .--. .-.
|
|
# | | (.-' (.-' ( | ( )| | | | )( )| | (.-'
|
|
# ' ' --' --' -' - -' ' ' -' -' -' ' - --'
|
|
#
|
|
# Freedom in the Cloud
|
|
#
|
|
# Setup functions
|
|
#
|
|
# License
|
|
# =======
|
|
#
|
|
# Copyright (C) 2014-2016 Bob Mottram <bob@freedombone.net>
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
if [ ! $PROJECT_NAME ]; then
|
|
PROJECT_NAME='freedombone'
|
|
fi
|
|
|
|
DEFAULT_DOMAIN_NAME=
|
|
DEFAULT_DOMAIN_CODE=
|
|
MY_USERNAME=
|
|
if [ ! $SYSTEM_TYPE ]; then
|
|
SYSTEM_TYPE="full"
|
|
fi
|
|
|
|
# An optional configuration file which overrides some of these variables
|
|
if [ ! $CONFIGURATION_FILE ]; then
|
|
CONFIGURATION_FILE="$HOME/${PROJECT_NAME}.cfg"
|
|
fi
|
|
|
|
# Directory where source code is downloaded and compiled
|
|
INSTALL_DIR=$HOME/build
|
|
|
|
# device name for an attached usb drive
|
|
USB_DRIVE=/dev/sda1
|
|
|
|
# Location where the USB drive is mounted to
|
|
USB_MOUNT=/mnt/usb
|
|
|
|
# Number of days to keep backups for
|
|
BACKUP_MAX_DAYS=30
|
|
|
|
# file containing a list of remote locations to backup to
|
|
# Format: [username@friendsdomain//home/username] [ssh_password]
|
|
# With the only space character being between the server and the password
|
|
FRIENDS_SERVERS_LIST=/home/$MY_USERNAME/backup.list
|
|
|
|
export DEBIAN_FRONTEND=noninteractive
|
|
|
|
# used to limit CPU usage
|
|
CPULIMIT='/usr/bin/cpulimit -l 20 -e'
|
|
|
|
# command to create a git repository
|
|
CREATE_GIT_PROJECT_COMMAND='create-project'
|
|
|
|
# File which keeps track of what has already been installed
|
|
COMPLETION_FILE=$HOME/${PROJECT_NAME}-completed.txt
|
|
|
|
# log file where details of remote backups are stored
|
|
REMOTE_BACKUPS_LOG=/var/log/remotebackups.log
|
|
|
|
# message if something fails to install
|
|
CHECK_MESSAGE="Check your internet connection, /etc/network/interfaces and /etc/resolv.conf, then delete $COMPLETION_FILE, run 'rm -fR /var/lib/apt/lists/* && apt-get update --fix-missing' and run this script again. If hash sum mismatches persist then try setting $DEBIAN_REPO to a different mirror and also change /etc/apt/sources.list."
|
|
|
|
# Default diffie-hellman key length in bits
|
|
DH_KEYLENGTH=2048
|
|
|
|
function detect_usb_drive {
|
|
# sets to the highest available drive letter
|
|
# which is likely to be the last drive connected
|
|
read_config_param USB_DRIVE
|
|
partition_number='1'
|
|
if [[ "$1" == "nopath" ]]; then
|
|
partition_number=''
|
|
fi
|
|
if [ -b /dev/sdb${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdb${partition_number}
|
|
fi
|
|
if [ -b /dev/sdc${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdc${partition_number}
|
|
fi
|
|
if [ -b /dev/sdd${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdd${partition_number}
|
|
fi
|
|
if [ -b /dev/sde${partition_number} ]; then
|
|
USB_DRIVE=/dev/sde${partition_number}
|
|
fi
|
|
if [ -b /dev/sdf${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdf${partition_number}
|
|
fi
|
|
if [ -b /dev/sdg${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdg${partition_number}
|
|
fi
|
|
if [ -b /dev/sdh${partition_number} ]; then
|
|
USB_DRIVE=/dev/sdh${partition_number}
|
|
fi
|
|
write_config_param USB_DRIVE "$USB_DRIVE"
|
|
}
|
|
|
|
function separate_tmp_filesystem {
|
|
tmp_filesystem_size_mb=$1
|
|
if [ ! -d /tmp ]; then
|
|
mkdir -p /tmp
|
|
fi
|
|
if ! grep -q '/tmp' /etc/fstab; then
|
|
mount -t tmpfs -o size=${tmp_filesystem_size_mb}m tmpfs /tmp
|
|
echo "tmpfs /tmp tmpfs nodev,nosuid,noexec,nodiratime,size=${tmp_filesystem_size_mb}M 0 0" >> /etc/fstab
|
|
fi
|
|
}
|
|
|
|
function remove_bluetooth {
|
|
rmmod -f bnep
|
|
rmmod -f bluetooth
|
|
if [ -f /etc/default/bluetooth ]; then
|
|
if grep "BLUETOOTH_ENABLED=" /etc/default/bluetooth; then
|
|
sed -i 's|BLUETOOTH_ENABLED=.*|BLUETOOTH_ENABLED=0|g' /etc/default/bluetooth
|
|
else
|
|
echo "BLUETOOTH_ENABLED=0" >> /etc/default/bluetooth
|
|
fi
|
|
fi
|
|
if ! grep 'blacklist bnep' /etc/modprobe.d/bluetooth.conf; then
|
|
echo 'blacklist bnep' >> /etc/modprobe.d/bluetooth.conf
|
|
fi
|
|
if ! grep 'blacklist btusb' /etc/modprobe.d/bluetooth.conf; then
|
|
echo 'blacklist btusb' >> /etc/modprobe.d/bluetooth.conf
|
|
fi
|
|
if ! grep 'blacklist bluetooth' /etc/modprobe.d/bluetooth.conf; then
|
|
echo 'blacklist bluetooth' >> /etc/modprobe.d/bluetooth.conf
|
|
fi
|
|
update-initramfs -u -k `uname -r` -v
|
|
update-rc.d bluetooth remove
|
|
}
|
|
|
|
function running_as_root {
|
|
if [[ $EUID != 0 ]] ; then
|
|
echo "0"
|
|
else
|
|
echo "1"
|
|
fi
|
|
}
|
|
|
|
function reset_usb_devices {
|
|
for xhci in /sys/bus/pci/drivers/?hci-pci ; do
|
|
|
|
if ! cd $xhci ; then
|
|
return
|
|
fi
|
|
|
|
echo "Resetting devices from $xhci..."
|
|
|
|
for i in ????:??:??.? ; do
|
|
echo -n "$i" > unbind
|
|
echo -n "$i" > bind
|
|
done
|
|
done
|
|
udevadm control --reload-rules
|
|
}
|
|
|
|
function install_backports_kernel {
|
|
# install backports kernel if possible
|
|
architecture_type=$(uname -a)
|
|
|
|
if [[ "$architecture_type" == *"amd64"* ]]; then
|
|
apt-get -yq install linux-image-amd64 -t jessie-backports
|
|
fi
|
|
}
|
|
|
|
function turn_off_rsys_logging {
|
|
sed -i 's|mail,news.none.*|mail,news.none /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|auth,authpriv.\*.*|auth,authpriv.\* /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|mail.info.*|mail.info /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|mail.warn.*|mail.warn /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|mail.err.*|mail.err /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|daemon.\*.*|daemon.\* /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|mail.\*.*|mail.\* /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|user.\*.*|user.\* /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|news.none;mail.none.*|news.none;mail.none /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|\*.\*;auth,authpriv.none.*|\*.\*;auth,authpriv.none /dev/null|g' /etc/rsyslog.conf
|
|
sed -i 's|#cron.\*|cron.\*|g' /etc/rsyslog.conf
|
|
sed -i 's|cron.\*.*|cron.\* /dev/null|g' /etc/rsyslog.conf
|
|
shred -zu /var/log/wtmp*
|
|
shred -zu /var/log/debug*
|
|
shred -zu /var/log/cron.*
|
|
shred -zu /var/log/auth.*
|
|
shred -zu /var/log/mail.*
|
|
shred -zu /var/log/daemon.*
|
|
shred -zu /var/log/user.*
|
|
shred -zu /var/log/messages*
|
|
}
|
|
|
|
function initial_setup {
|
|
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
|
return
|
|
fi
|
|
|
|
apt-get -yq remove --purge apache*
|
|
apt-get -yq dist-upgrade
|
|
apt-get -yq install ca-certificates
|
|
apt-get -yq install apt-utils
|
|
apt-get -yq install cryptsetup libgfshare-bin obnam sshpass wget avahi-daemon
|
|
apt-get -yq install avahi-utils avahi-discover connect-proxy openssh-server
|
|
apt-get -yq install sudo git dialog build-essential avahi-daemon avahi-utils
|
|
apt-get -yq install avahi-discover avahi-autoipd iptables dnsutils net-tools
|
|
apt-get -yq install network-manager iputils-ping libnss-mdns libnss-myhostname
|
|
apt-get -yq install libnss-gw-name nano man ntp locales locales-all debconf
|
|
apt-get -yq install wireless-tools wpasupplicant usbutils cryptsetup zsh
|
|
apt-get -yq install pinentry-curses eatmydata iotop bc grub2 hostapd haveged
|
|
apt-get -yq install cpulimit screen
|
|
|
|
if [ ! -d $INSTALL_DIR ]; then
|
|
mkdir -p $INSTALL_DIR
|
|
fi
|
|
|
|
mark_completed $FUNCNAME
|
|
}
|
|
|
|
function admin_user_sudo {
|
|
if ! grep -q "$MY_USERNAME ALL=(ALL) ALL" $rootdir/etc/sudoers; then
|
|
echo "$MY_USERNAME ALL=(ALL) ALL" >> $rootdir/etc/sudoers
|
|
fi
|
|
}
|
|
|
|
function search_for_attached_usb_drive {
|
|
# If a USB drive is attached then search for email,
|
|
# gpg, ssh keys and emacs configuration
|
|
if [[ $(is_completed $FUNCNAME) == "1" ]]; then
|
|
return
|
|
fi
|
|
detect_usb_drive
|
|
if [ -b $USB_DRIVE ]; then
|
|
if [ ! -d $USB_MOUNT ]; then
|
|
echo $'Mounting USB drive'
|
|
mkdir $USB_MOUNT
|
|
mount $USB_DRIVE $USB_MOUNT
|
|
fi
|
|
if [ -d $USB_MOUNT/.gnupg ]; then
|
|
echo $'Importing GPG keyring'
|
|
cp -r $USB_MOUNT/.gnupg /home/$MY_USERNAME
|
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.gnupg
|
|
GPG_KEYS_IMPORTED="yes"
|
|
if [ ! -f /home/$MY_USERNAME/.gnupg/secring.gpg ]; then
|
|
echo $'GPG files did not copy'
|
|
exit 73529
|
|
fi
|
|
fi
|
|
|
|
if [ -f $USB_MOUNT/private_key.gpg ]; then
|
|
echo $'GPG private key found on USB drive'
|
|
MY_GPG_PRIVATE_KEY=$USB_MOUNT/private_key.gpg
|
|
fi
|
|
if [ -f $USB_MOUNT/public_key.gpg ]; then
|
|
echo $'GPG public key found on USB drive'
|
|
MY_GPG_PUBLIC_KEY=$USB_MOUNT/public_key.gpg
|
|
fi
|
|
|
|
if [ -f $USB_MOUNT/letsencrypt ]; then
|
|
echo $'Copying letsencrypt keys"'
|
|
cp -r $USB_MOUNT/letsencrypt /etc
|
|
fi
|
|
|
|
if [ -d $USB_MOUNT/.ssh ]; then
|
|
echo $'Importing ssh keys'
|
|
cp -r $USB_MOUNT/.ssh /home/$MY_USERNAME
|
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.ssh
|
|
# for security delete the ssh keys from the usb drive
|
|
if [ ! -f /home/$MY_USERNAME/.ssh/id_rsa ]; then
|
|
echo $'ssh files did not copy'
|
|
exit 8
|
|
fi
|
|
fi
|
|
if [ -f $USB_MOUNT/.emacs ]; then
|
|
echo $'Importing .emacs file'
|
|
cp -f $USB_MOUNT/.emacs /home/$MY_USERNAME/.emacs
|
|
chown $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs
|
|
fi
|
|
if [ -d $USB_MOUNT/.emacs.d ]; then
|
|
echo $'Importing .emacs.d directory'
|
|
cp -r $USB_MOUNT/.emacs.d /home/$MY_USERNAME
|
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/.emacs.d
|
|
fi
|
|
if [ -d $USB_MOUNT/ssl ]; then
|
|
echo $'Importing SSL certificates'
|
|
cp -r $USB_MOUNT/ssl/* /etc/ssl
|
|
chmod 640 /etc/ssl/certs/*
|
|
chmod 400 /etc/ssl/private/*
|
|
# change ownership of some certificates
|
|
if [ -d /etc/prosody ]; then
|
|
chown prosody:prosody /etc/ssl/private/xmpp.*
|
|
chown prosody:prosody /etc/ssl/certs/xmpp.*
|
|
fi
|
|
if [ -d /etc/dovecot ]; then
|
|
chown root:dovecot /etc/ssl/certs/dovecot.*
|
|
chown root:dovecot /etc/ssl/private/dovecot.*
|
|
fi
|
|
if [ -f /etc/ssl/private/exim.key ]; then
|
|
cp /etc/ssl/private/exim.key /etc/exim4
|
|
cp /etc/ssl/certs/exim.crt /etc/exim4
|
|
cp /etc/ssl/certs/exim.dhparam /etc/exim4
|
|
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
|
|
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt /etc/exim4/exim.dhparam
|
|
fi
|
|
fi
|
|
if [ -d $USB_MOUNT/personal ]; then
|
|
echo $'Importing personal directory'
|
|
cp -r $USB_MOUNT/personal /home/$MY_USERNAME
|
|
chown -R $MY_USERNAME:$MY_USERNAME /home/$MY_USERNAME/personal
|
|
fi
|
|
else
|
|
if [ -d $USB_MOUNT ]; then
|
|
umount $USB_MOUNT
|
|
rm -rf $USB_MOUNT
|
|
fi
|
|
echo $'No USB drive attached'
|
|
fi
|
|
mark_completed $FUNCNAME
|
|
}
|
|
|
|
function mark_admin_user_account {
|
|
set_completion_param "Admin user" "$MY_USERNAME"
|
|
}
|
|
|
|
function remove_instructions_from_motd {
|
|
sed -i '/## /d' /etc/motd
|
|
}
|
|
|
|
function remove_default_user {
|
|
# make sure you don't use the default user account
|
|
if [[ $MY_USERNAME == "debian" ]]; then
|
|
echo 'Do not use the default debian user account. Create a different user with: adduser [username]'
|
|
exit 68
|
|
fi
|
|
# remove the default debian user to prevent it from becoming an attack vector
|
|
if [ -d /home/debian ]; then
|
|
userdel -r debian
|
|
echo 'Default debian user account removed'
|
|
fi
|
|
}
|
|
|
|
function create_completion_file {
|
|
if [ ! -f $COMPLETION_FILE ]; then
|
|
touch $COMPLETION_FILE
|
|
fi
|
|
}
|
|
|
|
function disable_nfs_insecure_locks {
|
|
apt-get -yq install nfs-kernel-server
|
|
if grep 'insecure_locks' /etc/exports; then
|
|
sed -i 's|,insecure_locks||g' /etc/exports
|
|
sed -i 's|insecure_locks,||g' /etc/exports
|
|
exportfs -a
|
|
fi
|
|
}
|
|
|
|
function set_login_umask {
|
|
sed -i 's|UMASK\t.*|UMASK\t\t077|g' /etc/login.defs
|
|
}
|
|
|
|
function disable_deferred_execution {
|
|
systemctl stop atd
|
|
systemctl disable atd
|
|
}
|
|
|
|
function set_shadow_permissions {
|
|
chown root:root /etc/shadow
|
|
chmod 0000 /etc/shadow
|
|
chown root:root /etc/gshadow
|
|
chmod 0000 /etc/gshadow
|
|
}
|
|
|
|
function set_max_login_tries {
|
|
max_tries=$1
|
|
|
|
if ! grep ' deny=' /etc/pam.d/common-auth; then
|
|
sed -i "/pam_deny.so/a auth required\t\t\tpam_tally.so onerr=fail no_lock_time per_user deny=$max_tries" /etc/pam.d/common-auth
|
|
else
|
|
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-auth
|
|
fi
|
|
|
|
if ! grep ' deny=' /etc/pam.d/common-account; then
|
|
sed -i '/pam_deny.so/a account required\t\t\tpam_tally.so' /etc/pam.d/common-account
|
|
else
|
|
sed -i "s| deny=.*| deny=$max_tries|g" /etc/pam.d/common-account
|
|
fi
|
|
}
|
|
|
|
function limit_user_logins {
|
|
# overall max logins
|
|
if ! grep '* hard maxsyslogins' /etc/security/limits.conf; then
|
|
echo '* hard maxsyslogins 10' >> /etc/security/limits.conf
|
|
else
|
|
sed -i 's|hard maxsyslogins.*|hard maxsyslogins 10|g' /etc/security/limits.conf
|
|
fi
|
|
|
|
# Max logins for each user
|
|
if ! grep '* hard maxlogins' /etc/security/limits.conf; then
|
|
echo '* hard maxlogins 2' >> /etc/security/limits.conf
|
|
else
|
|
sed -i 's|hard maxlogins.*|hard maxlogins 2|g' /etc/security/limits.conf
|
|
fi
|
|
}
|
|
|
|
function remove_serial_logins {
|
|
if grep 'ttyS' /etc/securetty; then
|
|
cp /etc/securetty /etc/securetty_old
|
|
sed -i '/ttyS/d' /etc/securetty
|
|
fi
|
|
}
|
|
|
|
function set_sticky_bits {
|
|
world_writable=$(find / -xdev -type d -perm -002 \! -perm -1000)
|
|
for w in $world_writable; do
|
|
echo "Setting sticky bit on $w"
|
|
chmod +t $w
|
|
done
|
|
}
|
|
|
|
function disable_ctrl_alt_del {
|
|
ln -sf /dev/null /etc/systemd/system/ctrl-alt-del.target
|
|
}
|
|
|
|
function lockdown_permissions {
|
|
# All commands owned by root
|
|
if [ -d /bin ]; then
|
|
chown root:root /bin/*
|
|
fi
|
|
if [ -d /usr/bin ]; then
|
|
chown root:root /usr/bin/*
|
|
fi
|
|
if [ -d /usr/local/bin ]; then
|
|
chown root:root /usr/local/bin/*
|
|
fi
|
|
if [ -d /sbin ]; then
|
|
chown root:root /sbin/*
|
|
fi
|
|
if [ -d /usr/sbin ]; then
|
|
chown root:root /usr/sbin/*
|
|
fi
|
|
if [ -d /usr/local/sbin ]; then
|
|
chown root:root /usr/local/sbin/*
|
|
fi
|
|
if [ -d /usr/share/${PROJECT_NAME} ]; then
|
|
chown -R root:root /usr/share/${PROJECT_NAME}
|
|
chmod -R +r /usr/share/${PROJECT_NAME}
|
|
fi
|
|
|
|
# All libraries owned by root
|
|
if [ -d /lib ]; then
|
|
chown -R root:root /lib/*
|
|
fi
|
|
if [ -d /lib64 ]; then
|
|
chown -R root:root /lib64/*
|
|
fi
|
|
if [ -d /usr/lib ]; then
|
|
chown -R root:root /usr/lib/*
|
|
fi
|
|
if [ -d /usr/lib64 ]; then
|
|
chown -R root:root /usr/lib64/*
|
|
fi
|
|
|
|
# sudo permissions
|
|
chmod 4755 /usr/bin/sudo
|
|
chmod 4755 /usr/lib/sudo/sudoers.so
|
|
chown root:root /etc/sudoers
|
|
|
|
# permissions on email commands
|
|
if [ -f /usr/bin/procmail ]; then
|
|
chmod 6755 /usr/bin/procmail
|
|
fi
|
|
if [ -f /usr/sbin/exim ]; then
|
|
chmod u+s /usr/sbin/exim
|
|
fi
|
|
if [ -f /usr/sbin/exim4 ]; then
|
|
chmod u+s /usr/sbin/exim4
|
|
fi
|
|
|
|
set_sticky_bits
|
|
|
|
# Create some directories to correspond with users in passwords file
|
|
if [ ! -d /var/spool/lpd ]; then
|
|
mkdir /var/spool/lpd
|
|
fi
|
|
if [ ! -d /var/spool/news ]; then
|
|
mkdir /var/spool/news
|
|
fi
|
|
if [ ! -d /var/spool/uucp ]; then
|
|
mkdir /var/spool/uucp
|
|
fi
|
|
if [ ! -d /var/list ]; then
|
|
mkdir /var/list
|
|
fi
|
|
if [ ! -d /var/lib/gnats ]; then
|
|
mkdir /var/lib/gnats
|
|
fi
|
|
if [ ! -d /var/lib/saned ]; then
|
|
mkdir /var/lib/saned
|
|
fi
|
|
if [ -d /etc/prosody ]; then
|
|
chown -R prosody /etc/prosody
|
|
chmod -R 700 /etc/prosody/conf.d
|
|
fi
|
|
if [ -d /var/lib/prosody ]; then
|
|
chown -R prosody /var/lib/prosody
|
|
fi
|
|
}
|
|
|
|
function disable_core_dumps {
|
|
if ! grep '* hard core 0' /etc/security/limits.conf; then
|
|
echo '* hard core 0' >> /etc/security/limits.conf
|
|
else
|
|
sed -i 's|hard core.*|hard core 0|g' /etc/security/limits.conf
|
|
fi
|
|
}
|
|
|
|
function dummy_nologin_command {
|
|
if [ ! -f /sbin/nologin ]; then
|
|
echo '#!/bin/bash' > /sbin/nologin
|
|
chmod +x /sbin/nologin
|
|
fi
|
|
}
|
|
|
|
function disable_null_passwords {
|
|
sed -i 's| nullok_secure||g' /etc/pam.d/common-auth
|
|
}
|
|
|
|
function setup_firewall {
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
function_check configure_firewall
|
|
configure_firewall
|
|
|
|
function_check configure_firewall_ping
|
|
configure_firewall_ping
|
|
|
|
function_check configure_firewall_for_dns
|
|
configure_firewall_for_dns
|
|
|
|
function_check configure_firewall_for_avahi
|
|
configure_firewall_for_avahi
|
|
|
|
function_check global_rate_limit
|
|
global_rate_limit
|
|
}
|
|
|
|
function setup_utils {
|
|
read_config_param "PROJECT_REPO"
|
|
write_config_param "PROJECT_REPO" "$PROJECT_REPO"
|
|
|
|
function_check separate_tmp_filesystem
|
|
separate_tmp_filesystem 100
|
|
|
|
function_check disable_null_passwords
|
|
disable_null_passwords
|
|
|
|
function_check disable_ctrl_alt_del
|
|
disable_ctrl_alt_del
|
|
|
|
function_check dummy_nologin_command
|
|
dummy_nologin_command
|
|
|
|
function_check disable_core_dumps
|
|
disable_core_dumps
|
|
|
|
function_check remove_serial_logins
|
|
remove_serial_logins
|
|
|
|
function_check set_max_login_tries
|
|
set_max_login_tries 10
|
|
|
|
function_check set_shadow_permissions
|
|
set_shadow_permissions
|
|
|
|
function_check remove_bluetooth
|
|
remove_bluetooth
|
|
|
|
function_check disable_nfs_insecure_locks
|
|
disable_nfs_insecure_locks
|
|
|
|
function_check set_login_umask
|
|
set_login_umask
|
|
|
|
function_check disable_deferred_execution
|
|
disable_deferred_execution
|
|
|
|
function_check turn_off_rsys_logging
|
|
turn_off_rsys_logging
|
|
|
|
function_check install_backports_kernel
|
|
install_backports_kernel
|
|
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
function_check read_configuration
|
|
read_configuration
|
|
|
|
function_check check_system_type
|
|
check_system_type
|
|
|
|
function_check set_default_onion_domains
|
|
set_default_onion_domains
|
|
|
|
function_check locale_setup
|
|
locale_setup
|
|
|
|
function_check parse_args
|
|
parse_args
|
|
|
|
function_check check_domains
|
|
check_domains
|
|
|
|
function_check install_static_network
|
|
install_static_network
|
|
|
|
function_check remove_default_user
|
|
remove_default_user
|
|
|
|
function_check setup_firewall
|
|
setup_firewall
|
|
|
|
function_check create_repo_sources
|
|
create_repo_sources
|
|
|
|
function_check configure_dns
|
|
configure_dns
|
|
|
|
function_check initial_setup
|
|
initial_setup
|
|
|
|
function_check install_tor
|
|
install_tor
|
|
|
|
#function_check resolve_dns_via_tor
|
|
#resolve_dns_via_tor
|
|
|
|
function_check install_command_line_browser
|
|
install_command_line_browser
|
|
|
|
function_check enable_ssh_via_onion
|
|
enable_ssh_via_onion
|
|
|
|
function_check check_date
|
|
check_date
|
|
|
|
function_check install_dynamicdns
|
|
install_dynamicdns
|
|
|
|
function_check randomize_cron
|
|
randomize_cron
|
|
|
|
function_check create_freedns_updater
|
|
create_freedns_updater
|
|
|
|
function_check mark_admin_user_account
|
|
mark_admin_user_account
|
|
|
|
function_check enforce_good_passwords
|
|
enforce_good_passwords
|
|
|
|
function_check change_login_message
|
|
change_login_message
|
|
|
|
function_check enable_zram
|
|
enable_zram
|
|
|
|
function_check random_number_generator
|
|
random_number_generator
|
|
|
|
function_check set_your_domain_name
|
|
set_your_domain_name
|
|
|
|
function_check configure_internet_protocol
|
|
configure_internet_protocol
|
|
|
|
function_check create_git_project
|
|
create_git_project
|
|
|
|
function_check setup_wifi
|
|
setup_wifi
|
|
|
|
function_check configure_ssh
|
|
configure_ssh
|
|
|
|
function_check configure_ssh_onion
|
|
configure_ssh_onion
|
|
|
|
function_check allow_ssh_to_onion_address
|
|
allow_ssh_to_onion_address
|
|
|
|
function_check remove_instructions_from_motd
|
|
remove_instructions_from_motd
|
|
|
|
function_check check_hwrng
|
|
check_hwrng
|
|
|
|
function_check search_for_attached_usb_drive
|
|
search_for_attached_usb_drive
|
|
|
|
function_check regenerate_ssh_keys
|
|
regenerate_ssh_keys
|
|
|
|
function_check create_mirrors
|
|
create_mirrors
|
|
|
|
function_check create_upgrade_script
|
|
create_upgrade_script
|
|
|
|
function_check letsencrypt_renewals
|
|
letsencrypt_renewals
|
|
|
|
function_check install_watchdog_script
|
|
install_watchdog_script
|
|
|
|
function_check install_avahi
|
|
install_avahi
|
|
|
|
function_check create_avahi_onion_domains
|
|
create_avahi_onion_domains
|
|
|
|
#function_check install_atheros_wifi
|
|
#install_atheros_wifi
|
|
|
|
function_check route_outgoing_traffic_through_tor
|
|
route_outgoing_traffic_through_tor
|
|
|
|
function_check upgrade_golang
|
|
upgrade_golang
|
|
|
|
function_check install_tomb
|
|
install_tomb
|
|
|
|
function_check admin_user_sudo
|
|
admin_user_sudo
|
|
|
|
function_check limit_user_logins
|
|
limit_user_logins
|
|
|
|
function_check schedule_stig_tests
|
|
schedule_stig_tests
|
|
}
|
|
|
|
function setup_email {
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
function_check install_email
|
|
install_email
|
|
|
|
function_check create_procmail
|
|
create_procmail
|
|
|
|
function_check handle_admin_emails
|
|
handle_admin_emails
|
|
|
|
function_check spam_filtering
|
|
spam_filtering
|
|
|
|
function_check configure_imap
|
|
configure_imap
|
|
|
|
#function_check configure_imap_client_certs
|
|
#configure_imap_client_certs
|
|
|
|
function_check configure_gpg
|
|
configure_gpg
|
|
|
|
function_check refresh_gpg_keys
|
|
refresh_gpg_keys
|
|
|
|
function_check configure_backup_key
|
|
configure_backup_key
|
|
|
|
function_check install_monkeysphere
|
|
install_monkeysphere
|
|
|
|
function_check encrypt_incoming_email
|
|
encrypt_incoming_email
|
|
|
|
function_check encrypt_outgoing_email
|
|
encrypt_outgoing_email
|
|
|
|
function_check email_client
|
|
email_client
|
|
|
|
function_check email_archiving
|
|
email_archiving
|
|
|
|
function_check email_from_address
|
|
email_from_address
|
|
|
|
function_check create_public_mailing_list
|
|
create_public_mailing_list
|
|
|
|
#function check create_private_mailing_list
|
|
#create_private_mailing_list
|
|
|
|
function_check encrypt_all_email
|
|
encrypt_all_email
|
|
|
|
function_check import_email
|
|
import_email
|
|
}
|
|
|
|
function setup_web {
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
function_check install_web_server
|
|
install_web_server
|
|
|
|
function_check install_web_server_access_control
|
|
install_web_server_access_control
|
|
}
|
|
|
|
function upgrade_apps {
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
APPS_COMPLETED=()
|
|
FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
|
|
|
|
# for all the app scripts
|
|
for filename in $FILES
|
|
do
|
|
app_name=$(echo "${filename}" | awk -F '-app-' '{print $2}')
|
|
|
|
item_in_array "${app_name}" "${APPS_COMPLETED[@]}"
|
|
if [[ $? != 0 ]]; then
|
|
function_check app_is_installed
|
|
if [[ "$(app_is_installed $a)" == "1" ]]; then
|
|
echo ''
|
|
echo ''
|
|
echo $"Upgrading $a"
|
|
app_load_variables ${app_name}
|
|
APPS_COMPLETED+=("${app_name}")
|
|
function_check upgrade_${app_name}
|
|
upgrade_${app_name}
|
|
fi
|
|
fi
|
|
done
|
|
}
|
|
|
|
function setup_apps {
|
|
is_interactive=$1
|
|
|
|
function_check create_completion_file
|
|
create_completion_file
|
|
|
|
function_check detect_installable_apps
|
|
detect_installable_apps
|
|
|
|
function_check choose_apps_for_variant
|
|
choose_apps_for_variant "$SYSTEM_TYPE"
|
|
|
|
echo $"System variant: $SYSTEM_TYPE"
|
|
echo $'The following apps have been selected'
|
|
echo ''
|
|
function_check list_chosen_apps
|
|
list_chosen_apps
|
|
echo ''
|
|
|
|
function_check upgrade_apps
|
|
upgrade_apps
|
|
|
|
if [[ $is_interactive == "noninteractive" || $is_interactive == "headless" ]]; then
|
|
function_check install_apps
|
|
install_apps
|
|
if [ ! $APP_INSTALLED_SUCCESS ]; then
|
|
echo $'One or more apps failed to install'
|
|
fi
|
|
fi
|
|
}
|
|
|
|
function combine_all_scripts {
|
|
combined_filename=$1
|
|
|
|
# initial variables
|
|
cp $PROJECT_INSTALL_DIR/${PROJECT_NAME}-vars $combined_filename
|
|
|
|
# utilities
|
|
UTILS_FILES=/usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-*
|
|
for f in $UTILS_FILES
|
|
do
|
|
# this removes the first line, which is #!/bin/bash
|
|
tail -n +2 "$f" >> $combined_filename
|
|
done
|
|
|
|
# base system
|
|
BASE_SYSTEM_FILES=/usr/share/${PROJECT_NAME}/base/${PROJECT_NAME}-base-*
|
|
for f in $BASE_SYSTEM_FILES
|
|
do
|
|
tail -n +2 "$f" >> $combined_filename
|
|
done
|
|
|
|
# apps
|
|
APP_FILES=/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-*
|
|
for f in $APP_FILES
|
|
do
|
|
tail -n +2 "$f" >> $combined_filename
|
|
done
|
|
}
|
|
|
|
# NOTE: deliberately no exit 0
|