Merge branch 'stretch' of https://github.com/bashrc/freedombone
commit
2d45c34f22
|
@ -96,6 +96,8 @@ Now edit the hosts file which was pulled and append:
|
||||||
127.0.0.1 www.google-analytics.com
|
127.0.0.1 www.google-analytics.com
|
||||||
127.0.0.1 google-analytics.com
|
127.0.0.1 google-analytics.com
|
||||||
127.0.0.1 ssl.google-analytics.com
|
127.0.0.1 ssl.google-analytics.com
|
||||||
|
127.0.0.1 telemetry.mozilla.org
|
||||||
|
127.0.0.1 incoming.telemetry.mozilla.org
|
||||||
#+end_src
|
#+end_src
|
||||||
|
|
||||||
Then upload the hosts file back again with:
|
Then upload the hosts file back again with:
|
||||||
|
|
|
@ -36,7 +36,7 @@ PLEROMA_CODE=
|
||||||
PLEROMA_PORT=4000
|
PLEROMA_PORT=4000
|
||||||
PLEROMA_ONION_PORT=8011
|
PLEROMA_ONION_PORT=8011
|
||||||
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
|
PLEROMA_REPO="https://git.pleroma.social/pleroma/pleroma.git"
|
||||||
PLEROMA_COMMIT='5b6d6d7f2d9363c494642bfda4d6e4d12daa53c7'
|
PLEROMA_COMMIT='762f6edc29a7a48e3a663e9bedec58e0036ff363'
|
||||||
PLEROMA_ADMIN_PASSWORD=
|
PLEROMA_ADMIN_PASSWORD=
|
||||||
PLEROMA_DIR=/etc/pleroma
|
PLEROMA_DIR=/etc/pleroma
|
||||||
PLEROMA_SECRET_KEY=""
|
PLEROMA_SECRET_KEY=""
|
||||||
|
@ -733,15 +733,21 @@ function configure_interactive_pleroma {
|
||||||
enablechatstr=$'Disable chat system'
|
enablechatstr=$'Disable chat system'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
pleromatorstr=$'Enable routing through Tor for onion addresses'
|
||||||
|
if grep -q '9050' $pleroma_secret; then
|
||||||
|
pleromatorstr=$'Disable routing through Tor'
|
||||||
|
fi
|
||||||
|
|
||||||
W=(1 $"Set a background image"
|
W=(1 $"Set a background image"
|
||||||
2 $"Set the title"
|
2 $"Set the title"
|
||||||
3 $"Disable new account registrations"
|
3 $"Disable new account registrations"
|
||||||
4 $"Add a custom emoji"
|
4 $"Add a custom emoji"
|
||||||
5 $"Set post expiry period (currently $PLEROMA_EXPIRE_MONTHS months)"
|
5 $"Set post expiry period (currently $PLEROMA_EXPIRE_MONTHS months)"
|
||||||
6 "$enablechatstr")
|
6 "$enablechatstr"
|
||||||
|
7 "$pleromatorstr")
|
||||||
|
|
||||||
# shellcheck disable=SC2068
|
# shellcheck disable=SC2068
|
||||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 13 60 6 "${W[@]}" 3>&2 2>&1 1>&3)
|
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Pleroma" --menu $"Choose an operation, or ESC to exit:" 14 60 7 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||||
|
|
||||||
if [ ! "$selection" ]; then
|
if [ ! "$selection" ]; then
|
||||||
break
|
break
|
||||||
|
@ -759,11 +765,25 @@ function configure_interactive_pleroma {
|
||||||
pleroma_enable_chat true
|
pleroma_enable_chat true
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
7) if grep -q '9050' $pleroma_secret; then
|
||||||
|
pleroma_disable_tor
|
||||||
|
else
|
||||||
|
pleroma_enable_tor
|
||||||
|
fi
|
||||||
|
;;
|
||||||
esac
|
esac
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
function pleroma_upgrade_tor {
|
function pleroma_disable_tor {
|
||||||
|
if grep -q '9050' $pleroma_secret; then
|
||||||
|
sed -i '/9050/d' $pleroma_secret
|
||||||
|
sed -i 's|# config :pleroma, :http, proxy_url:|config :pleroma, :http, proxy_url:|g' $PLEROMA_DIR/config/config.exs
|
||||||
|
pleroma_recompile
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
function pleroma_enable_tor {
|
||||||
pleroma_tor_update=
|
pleroma_tor_update=
|
||||||
|
|
||||||
if ! grep -q '{:socks5, :localhost, 9050}' $pleroma_secret; then
|
if ! grep -q '{:socks5, :localhost, 9050}' $pleroma_secret; then
|
||||||
|
@ -806,7 +826,7 @@ function upgrade_pleroma {
|
||||||
create_pleroma_blocklist
|
create_pleroma_blocklist
|
||||||
fi
|
fi
|
||||||
|
|
||||||
pleroma_upgrade_tor
|
#pleroma_enable_tor
|
||||||
|
|
||||||
CURR_PLEROMA_COMMIT=$(get_completion_param "pleroma commit")
|
CURR_PLEROMA_COMMIT=$(get_completion_param "pleroma commit")
|
||||||
if [[ "$CURR_PLEROMA_COMMIT" == "$PLEROMA_COMMIT" ]]; then
|
if [[ "$CURR_PLEROMA_COMMIT" == "$PLEROMA_COMMIT" ]]; then
|
||||||
|
|
|
@ -224,114 +224,153 @@ function show_tor_bridges {
|
||||||
function show_domains {
|
function show_domains {
|
||||||
read_config_param "DEFAULT_DOMAIN_NAME"
|
read_config_param "DEFAULT_DOMAIN_NAME"
|
||||||
|
|
||||||
W=()
|
while true
|
||||||
|
|
||||||
W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
|
|
||||||
ipv6_address="$(get_ipv6_address)"
|
|
||||||
if [ ${#ipv6_address} -gt 0 ]; then
|
|
||||||
W+=("IPv6" "${ipv6_address}")
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
|
|
||||||
W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
|
|
||||||
fi
|
|
||||||
if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
|
|
||||||
W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
|
|
||||||
fi
|
|
||||||
|
|
||||||
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
|
|
||||||
domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
|
||||||
W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
|
||||||
fi
|
|
||||||
if grep -q "email onion domain" "$COMPLETION_FILE"; then
|
|
||||||
domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
|
||||||
W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
|
||||||
fi
|
|
||||||
if grep -q "sks onion domain" "$COMPLETION_FILE"; then
|
|
||||||
read_config_param "KEYSERVER_DOMAIN_NAME"
|
|
||||||
domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
|
||||||
W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
|
|
||||||
fi
|
|
||||||
|
|
||||||
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
|
|
||||||
if [ -f $INTRODUCER_FILENAME ]; then
|
|
||||||
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
|
|
||||||
fi
|
|
||||||
|
|
||||||
show_tor_bridges
|
|
||||||
|
|
||||||
# shellcheck disable=SC2068
|
|
||||||
for app_name in ${APPS_INSTALLED_NAMES[@]}
|
|
||||||
do
|
do
|
||||||
if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
|
W=()
|
||||||
continue
|
|
||||||
|
W+=("IPv4" "$(get_ipv4_address) / $(get_external_ipv4_address)")
|
||||||
|
ipv6_address="$(get_ipv6_address)"
|
||||||
|
if [ ${#ipv6_address} -gt 0 ]; then
|
||||||
|
W+=("IPv6" "${ipv6_address}")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# handle the foibles of capitalisation
|
if [ -f /etc/ssh/ssh_host_rsa_key.pub ]; then
|
||||||
if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
|
W+=("ssh rsa sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_rsa_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
|
||||||
app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
|
fi
|
||||||
if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
|
if [ -f /etc/ssh/ssh_host_ed25519_key.pub ]; then
|
||||||
app_name=${app_name_upper}
|
W+=("ssh ed25519 sha256" "$(awk '{print $2}' /etc/ssh/ssh_host_ed25519_key.pub | base64 -d | sha256sum -b | awk '{print $1}' | xxd -r -p | base64 | sed 's|=||g')")
|
||||||
else
|
fi
|
||||||
app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
|
|
||||||
if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
|
if grep -q "ssh onion domain" "$COMPLETION_FILE"; then
|
||||||
app_name=${app_name_first_upper}
|
domain_onion=$(grep 'ssh onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||||
|
W+=("ssh" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
||||||
|
fi
|
||||||
|
if grep -q "email onion domain" "$COMPLETION_FILE"; then
|
||||||
|
domain_onion=$(grep 'email onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||||
|
W+=("Email" "${DEFAULT_DOMAIN_NAME} / ${domain_onion}")
|
||||||
|
fi
|
||||||
|
if grep -q "sks onion domain" "$COMPLETION_FILE"; then
|
||||||
|
read_config_param "KEYSERVER_DOMAIN_NAME"
|
||||||
|
domain_onion=$(grep 'sks onion domain' "${COMPLETION_FILE}" | awk -F ':' '{print $2}')
|
||||||
|
W+=("SKS" "${KEYSERVER_DOMAIN_NAME} / ${domain_onion}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
INTRODUCER_FILENAME=/home/tahoelafs/data/private/introducer.furl
|
||||||
|
if [ -f $INTRODUCER_FILENAME ]; then
|
||||||
|
W+=("Tahoe-LAFS" "$(cat $INTRODUCER_FILENAME)")
|
||||||
|
fi
|
||||||
|
|
||||||
|
show_tor_bridges
|
||||||
|
|
||||||
|
# shellcheck disable=SC2068
|
||||||
|
for app_name in ${APPS_INSTALLED_NAMES[@]}
|
||||||
|
do
|
||||||
|
if ! grep -q "SHOW_ON_ABOUT=1" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# handle the foibles of capitalisation
|
||||||
|
if ! grep -q "${app_name} domain" "$COMPLETION_FILE"; then
|
||||||
|
app_name_upper=$(echo "${app_name}" | awk '{print toupper($0)}')
|
||||||
|
if grep -q "${app_name_upper} domain" "$COMPLETION_FILE"; then
|
||||||
|
app_name=${app_name_upper}
|
||||||
|
else
|
||||||
|
app_name_first_upper="$(tr '[:lower:]' '[:upper:]' <<< "${app_name:0:1}")${app_name:1}"
|
||||||
|
if grep -q "${app_name_first_upper} domain" "$COMPLETION_FILE"; then
|
||||||
|
app_name=${app_name_first_upper}
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
|
||||||
|
|
||||||
if [ ${#app_name} -gt 0 ]; then
|
if [ ${#app_name} -gt 0 ]; then
|
||||||
icann_address=$(get_app_icann_address "$app_name")
|
icann_address=$(get_app_icann_address "$app_name")
|
||||||
if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
|
if grep -q "SHOW_ICANN_ADDRESS_ON_ABOUT=0" "/usr/share/${PROJECT_NAME}/apps/${PROJECT_NAME}-app-${app_name}"; then
|
||||||
icann_address='-'
|
|
||||||
fi
|
|
||||||
if [[ "$ONION_ONLY" != 'no' ]]; then
|
|
||||||
if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
|
|
||||||
icann_address='-'
|
icann_address='-'
|
||||||
fi
|
fi
|
||||||
fi
|
if [[ "$ONION_ONLY" != 'no' ]]; then
|
||||||
onion_address=$(get_app_onion_address "$app_name")
|
if [[ "${icann_address}" != "${LOCAL_NAME}.local" ]]; then
|
||||||
if [ ${#onion_address} -eq 0 ]; then
|
icann_address='-'
|
||||||
onion_address="-"
|
fi
|
||||||
fi
|
fi
|
||||||
|
onion_address=$(get_app_onion_address "$app_name")
|
||||||
if [[ "${icann_address}" != '-' ]]; then
|
if [ ${#onion_address} -eq 0 ]; then
|
||||||
if [[ "${onion_address}" != '-' ]]; then
|
onion_address="-"
|
||||||
W+=("${app_name}" "${icann_address} / ${onion_address}")
|
|
||||||
else
|
|
||||||
W+=("${app_name}" "${icann_address}")
|
|
||||||
fi
|
fi
|
||||||
else
|
|
||||||
W+=("${app_name}" "${onion_address}")
|
|
||||||
fi
|
|
||||||
|
|
||||||
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
|
|
||||||
onion_address=$(get_app_onion_address "${app_name}" "mobile")
|
|
||||||
if [[ "${icann_address}" != '-' ]]; then
|
if [[ "${icann_address}" != '-' ]]; then
|
||||||
W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
|
if [[ "${onion_address}" != '-' ]]; then
|
||||||
|
W+=("${app_name}" "${icann_address} / ${onion_address}")
|
||||||
|
else
|
||||||
|
W+=("${app_name}" "${icann_address}")
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
W+=("${app_name} (mobile)" "${onion_address}")
|
W+=("${app_name}" "${onion_address}")
|
||||||
|
fi
|
||||||
|
|
||||||
|
if grep -q "mobile${app_name} onion domain" "$COMPLETION_FILE"; then
|
||||||
|
onion_address=$(get_app_onion_address "${app_name}" "mobile")
|
||||||
|
if [[ "${icann_address}" != '-' ]]; then
|
||||||
|
W+=("${app_name} (mobile)" "${icann_address} / ${onion_address}")
|
||||||
|
else
|
||||||
|
W+=("${app_name} (mobile)" "${onion_address}")
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if grep -q "rss reader domain" "$COMPLETION_FILE"; then
|
||||||
|
if [ -d /var/lib/tor/hidden_service_ttrss ]; then
|
||||||
|
domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
|
||||||
|
W+=("RSS Reader" "${domain_onion}")
|
||||||
|
fi
|
||||||
|
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
|
||||||
|
domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
|
||||||
|
W+=("RSS mobile" "${domain_onion}")
|
||||||
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
width=$(tput cols)
|
||||||
|
height=$(tput lines)
|
||||||
|
|
||||||
|
# shellcheck disable=SC2068
|
||||||
|
selected=$(dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3)
|
||||||
|
if [ ! "$selected" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
# obtain the addresses from the key by itterating through
|
||||||
|
# the array. This is quite crude and maybe there's a better way
|
||||||
|
key_found=
|
||||||
|
selected_addresses=
|
||||||
|
for key in "${W[@]}";
|
||||||
|
do
|
||||||
|
if [ $key_found ]; then
|
||||||
|
selected_addresses="$key"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
if [[ "$key" == "$selected" ]]; then
|
||||||
|
key_found=1
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
# Was the key matched?
|
||||||
|
if [ ! "$selected_addresses" ]; then
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
# addresses were found - is this an onion?
|
||||||
|
if [[ "$selected_addresses" != *".onion"* ]]; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
# There are two forms of addresses: "x / y.onion" and "x.onion"
|
||||||
|
if [[ "$selected_addresses" == *'/'* ]]; then
|
||||||
|
onion_addr=$(echo "$selected_addresses" | awk -F '/' '{print $2}' | awk -F ' ' '{print $1}')
|
||||||
|
else
|
||||||
|
onion_addr="$selected_addresses"
|
||||||
|
fi
|
||||||
|
# show the onion address as a QR code
|
||||||
|
clear
|
||||||
|
echo "${selected}: ${onion_addr}"
|
||||||
|
echo -n "$onion_addr" | qrencode -t UTF8
|
||||||
|
any_key
|
||||||
done
|
done
|
||||||
|
|
||||||
if grep -q "rss reader domain" "$COMPLETION_FILE"; then
|
|
||||||
if [ -d /var/lib/tor/hidden_service_ttrss ]; then
|
|
||||||
domain_onion=$(cat /var/lib/tor/hidden_service_ttrss/hostname)
|
|
||||||
W+=("RSS Reader" "${domain_onion}")
|
|
||||||
fi
|
|
||||||
if [ -d /var/lib/tor/hidden_service_mobilerss ]; then
|
|
||||||
domain_onion=$(cat /var/lib/tor/hidden_service_mobilerss/hostname)
|
|
||||||
W+=("RSS mobile" "${domain_onion}")
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
width=$(tput cols)
|
|
||||||
height=$(tput lines)
|
|
||||||
|
|
||||||
# shellcheck disable=SC2068
|
|
||||||
dialog --backtitle $"Freedombone Control Panel" --title $"Domains" --menu $"Use Shift+cursors to select and copy onion addresses" $((height-4)) $((width-4)) $((height-4)) "${W[@]}" 3>&2 2>&1 1>&3
|
|
||||||
}
|
}
|
||||||
|
|
||||||
function show_users {
|
function show_users {
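Review bot: The new QR display at the bottom of the `while true` loop runs `echo -n "$onion_addr" | qrencode -t UTF8` with no check that `qrencode` exists; if it is missing the user sees only the address line plus a shell error before `any_key`, and the menu loops back. Unless the image build guarantees the package (not visible here), guard it: `if command -v qrencode >/dev/null; then printf '%s' "$onion_addr" | qrencode -t UTF8; else printf '%s\n' "$onion_addr"; fi`, which also replaces the non-portable `echo -n`. The `for key in "${W[@]}"` scan takes the element after the first match as the address, which relies on no address value ever equalling a menu tag; that holds for the tags built here but deserves a one-line comment. `show_domains` starts and ends inside this hunk.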
|
||||||
|
|
|
@ -434,6 +434,10 @@ function show_gpg_key {
|
||||||
dialog --title $"My PGP/GPG Key" \
|
dialog --title $"My PGP/GPG Key" \
|
||||||
--backtitle $"Freedombone User Control Panel" \
|
--backtitle $"Freedombone User Control Panel" \
|
||||||
--msgbox $"Email Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE" 12 70
|
--msgbox $"Email Address: $MY_EMAIL_ADDRESS\\n\\nKey ID: $GPG_ID\\n\\nFingerprint: $GPG_FINGERPRINT\\n\\nCreated: $GPG_DATE" 12 70
|
||||||
|
clear
|
||||||
|
echo $"Your GPG/PGP public key:"
|
||||||
|
gpg --armor --export "$GPG_ID" | qrencode -t UTF8
|
||||||
|
any_key
|
||||||
}
|
}
|
||||||
|
|
||||||
function show_full_gpg_key {
|
function show_full_gpg_key {
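Review bot: `gpg --armor --export "$GPG_ID" | qrencode -t UTF8` hands qrencode the whole armored public key, which for a typical RSA key with subkeys is likely several kilobytes, more than a single QR symbol can hold in 8-bit mode (just under 3 KB); in that case qrencode fails and the user sees only the heading before `any_key`. Check the pipeline and fall back to something that fits, for example `if ! gpg --armor --export "$GPG_ID" | qrencode -t UTF8; then printf '%s\n' "$GPG_FINGERPRINT"; fi`, or encode the fingerprint (or a keyserver URL for it) in the first place, since the fingerprint is what a recipient verifies. `show_gpg_key` starts before this hunk.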
|
||||||
|
|
|
@ -74,6 +74,8 @@ IMAGE_NAME='full'
|
||||||
USERNAME="$USER"
|
USERNAME="$USER"
|
||||||
PASSWORD=
|
PASSWORD=
|
||||||
|
|
||||||
|
CONTINUOUS_INTEGRATION=
|
||||||
|
|
||||||
# IP address of the router (gateway)
|
# IP address of the router (gateway)
|
||||||
ROUTER_IP_ADDRESS="192.168.1.254"
|
ROUTER_IP_ADDRESS="192.168.1.254"
|
||||||
|
|
||||||
|
@ -378,6 +380,10 @@ do
|
||||||
shift
|
shift
|
||||||
INTERACTIVE="$1"
|
INTERACTIVE="$1"
|
||||||
;;
|
;;
|
||||||
|
--ci)
|
||||||
|
shift
|
||||||
|
CONTINUOUS_INTEGRATION="$1"
|
||||||
|
;;
|
||||||
-g|--generic)
|
-g|--generic)
|
||||||
shift
|
shift
|
||||||
GENERIC_IMAGE="$1"
|
GENERIC_IMAGE="$1"
|
||||||
|
@ -614,6 +620,7 @@ make "$IMAGE_TYPE" \
|
||||||
AMNESIC="$AMNESIC" \
|
AMNESIC="$AMNESIC" \
|
||||||
SOCIALINSTANCE="$SOCIALINSTANCE" \
|
SOCIALINSTANCE="$SOCIALINSTANCE" \
|
||||||
EXTERNAL_DRIVE="$EXTERNAL_DRIVE" \
|
EXTERNAL_DRIVE="$EXTERNAL_DRIVE" \
|
||||||
|
CONTINUOUS_INTEGRATION="$CONTINUOUS_INTEGRATION" \
|
||||||
LOCAL_NAME="$LOCAL_NAME"
|
LOCAL_NAME="$LOCAL_NAME"
|
||||||
|
|
||||||
# shellcheck disable=SC2181
|
# shellcheck disable=SC2181
|
||||||
|
@ -641,8 +648,8 @@ fi
|
||||||
for im in ${image_types[@]}
|
for im in ${image_types[@]}
|
||||||
do
|
do
|
||||||
# shellcheck disable=SC2012,SC2086
|
# shellcheck disable=SC2012,SC2086
|
||||||
no_of_files=$(ls -afq build/${PROJECT_NAME}*.${im} | wc -l)
|
no_of_files=$(ls -l build/${PROJECT_NAME}*.${im} | wc -l)
|
||||||
if (( no_of_files > 0 )); then
|
if [ "$no_of_files" -gt 0 ]; then
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
mv build/${PROJECT_NAME}*.${im} ${CURR_DIR}/
|
mv build/${PROJECT_NAME}*.${im} ${CURR_DIR}/
|
||||||
# shellcheck disable=SC2086
|
# shellcheck disable=SC2086
|
||||||
|
|
|
@ -139,6 +139,8 @@ BMX6_COMMIT='39dd1f2d99ac5a3fa28e92f8173c15039132e181'
|
||||||
BMX7_REPO="https://github.com/bmx-routing/bmx7"
|
BMX7_REPO="https://github.com/bmx-routing/bmx7"
|
||||||
BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
|
BMX7_COMMIT='0a82c7c10fef44b259b35e77ab33632aa132d219'
|
||||||
|
|
||||||
|
CONTINUOUS_INTEGRATION=
|
||||||
|
|
||||||
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
|
PATH=/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin
|
||||||
|
|
||||||
# Whether to use a SATA drive and if so what its device/partition name is
|
# Whether to use a SATA drive and if so what its device/partition name is
|
||||||
|
@ -1766,8 +1768,8 @@ image_setup_utils() {
|
||||||
chroot "$rootdir" apt-get -yq -t stretch-backports install tor
|
chroot "$rootdir" apt-get -yq -t stretch-backports install tor
|
||||||
chroot "$rootdir" apt-get -yq install connect-proxy
|
chroot "$rootdir" apt-get -yq install connect-proxy
|
||||||
chroot "$rootdir" connect-proxy
|
chroot "$rootdir" connect-proxy
|
||||||
sed -i 's|#Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
|
sed -i 's|#Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
|
||||||
sed -i 's|Log notice file.*|Log notice file /dev/null|g' "$rootdir/etc/tor/torrc"
|
sed -i 's|Log notice file.*|Log notice file /var/log/tor/notices.log|g' "$rootdir/etc/tor/torrc"
|
||||||
sed -i "s|#AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
|
sed -i "s|#AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
|
||||||
sed -i "s|AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
|
sed -i "s|AccountingMax.*|AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes|g" "$rootdir/etc/tor/torrc"
|
||||||
if ! grep -q 'Host *.onion' "$rootdir/root/.ssh/config"; then
|
if ! grep -q 'Host *.onion' "$rootdir/root/.ssh/config"; then
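Review bot: The two sed lines in image_setup_utils now point Tor's notice log at `/var/log/tor/notices.log` where the image previously sent it to `/dev/null`, so every built image persists Tor notices on disk, and nothing in the hunk says why. Presumably this is for the new Tor health check script, which reads that file and prunes it to the last ten minutes. A comment above the sed lines would stop the next reader from reverting it as a privacy regression: `# Tor notices are kept on disk (pruned by the Tor health check) rather than discarded`. `image_setup_utils` starts before this hunk.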
|
||||||
|
|
|
@ -78,6 +78,7 @@ export AMNESIC
|
||||||
export SOCIALINSTANCE
|
export SOCIALINSTANCE
|
||||||
export LOCAL_NAME
|
export LOCAL_NAME
|
||||||
export EXTERNAL_DRIVE
|
export EXTERNAL_DRIVE
|
||||||
|
export CONTINUOUS_INTEGRATION
|
||||||
|
|
||||||
# Locate vmdebootstrap program fetched in Makefile
|
# Locate vmdebootstrap program fetched in Makefile
|
||||||
basedir=`pwd`
|
basedir=`pwd`
|
||||||
|
@ -228,6 +229,7 @@ sed -i "s|SOCIALINSTANCE=.*|SOCIALINSTANCE=\"${SOCIALINSTANCE}\"|g" "$TEMP_CUSTO
|
||||||
sed -i "s|LOCAL_NAME=.*|LOCAL_NAME=\"${LOCAL_NAME}\"|g" "$TEMP_CUSTOMISE3"
|
sed -i "s|LOCAL_NAME=.*|LOCAL_NAME=\"${LOCAL_NAME}\"|g" "$TEMP_CUSTOMISE3"
|
||||||
sed -i "s|EXTERNAL_DRIVE=.*|EXTERNAL_DRIVE=\"${EXTERNAL_DRIVE}\"|g" "$TEMP_CUSTOMISE3"
|
sed -i "s|EXTERNAL_DRIVE=.*|EXTERNAL_DRIVE=\"${EXTERNAL_DRIVE}\"|g" "$TEMP_CUSTOMISE3"
|
||||||
sed -i 's|#!/bin/bash||g' "$TEMP_CUSTOMISE3"
|
sed -i 's|#!/bin/bash||g' "$TEMP_CUSTOMISE3"
|
||||||
|
sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=${CONTINUOUS_INTEGRATION}|g" "$TEMP_CUSTOMISE3"
|
||||||
|
|
||||||
cat $TEMP_CUSTOMISE2 $TEMP_CUSTOMISE3 > $TEMP_CUSTOMISE4
|
cat $TEMP_CUSTOMISE2 $TEMP_CUSTOMISE3 > $TEMP_CUSTOMISE4
|
||||||
if [ -f $TEMP_CUSTOMISE ]; then
|
if [ -f $TEMP_CUSTOMISE ]; then
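Review bot: The new `sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=${CONTINUOUS_INTEGRATION}|g"` writes the value unquoted, unlike the `LOCAL_NAME` and `EXTERNAL_DRIVE` lines just above it, which wrap the value in `\"…\"`; a value with whitespace would produce a broken assignment in the generated customise script, and a `|` in the value would break the sed expression itself. For consistency with its neighbours: `sed -i "s|CONTINUOUS_INTEGRATION=.*|CONTINUOUS_INTEGRATION=\"${CONTINUOUS_INTEGRATION}\"|g" "$TEMP_CUSTOMISE3"`.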
|
||||||
|
|
|
@ -41,8 +41,13 @@ IMAGE = $(NAME).img
|
||||||
ARCHIVE = $(IMAGE).xz
|
ARCHIVE = $(IMAGE).xz
|
||||||
SIGNATURE = $(ARCHIVE).sig
|
SIGNATURE = $(ARCHIVE).sig
|
||||||
OWNER = 1000
|
OWNER = 1000
|
||||||
XZ = xz --no-warn --verbose --keep --threads=0 -3
|
ifeq ("$CONTINUOUS_INTEGRATION", "")
|
||||||
SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
|
XZ = xz --no-warn --verbose --keep --threads=0 -3 $(IMAGE)
|
||||||
|
SIGN = -gpg --output $(SIGNATURE) --detach-sig $(ARCHIVE)
|
||||||
|
else
|
||||||
|
XZ =
|
||||||
|
SIGN =
|
||||||
|
endif
|
||||||
|
|
||||||
# settings for `make test`
|
# settings for `make test`
|
||||||
TEST_SSH_PORT = 2222
|
TEST_SSH_PORT = 2222
|
||||||
|
@ -90,7 +95,7 @@ beaglebone: prep
|
||||||
$(eval MACHINE = beaglebone)
|
$(eval MACHINE = beaglebone)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -101,7 +106,7 @@ cubieboard2: prep
|
||||||
$(eval MACHINE = cubieboard2)
|
$(eval MACHINE = cubieboard2)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -112,7 +117,7 @@ pcduino3: prep
|
||||||
$(eval MACHINE = pcduino3)
|
$(eval MACHINE = pcduino3)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -123,7 +128,7 @@ cubietruck: prep
|
||||||
$(eval MACHINE = cubietruck)
|
$(eval MACHINE = cubietruck)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -135,7 +140,7 @@ a20-olinuxino-lime: prep
|
||||||
$(eval IMAGE = $(NAME).img)
|
$(eval IMAGE = $(NAME).img)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
rm -f $(ARCHIVE)
|
rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
|
|
||||||
|
@ -145,7 +150,7 @@ a20-olinuxino-lime2: prep
|
||||||
$(eval MACHINE = a20-olinuxino-lime2)
|
$(eval MACHINE = a20-olinuxino-lime2)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -156,7 +161,7 @@ a20-olinuxino-micro: prep
|
||||||
$(eval MACHINE = a20-olinuxino-micro)
|
$(eval MACHINE = a20-olinuxino-micro)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -167,7 +172,7 @@ i386: prep
|
||||||
$(eval MACHINE = all)
|
$(eval MACHINE = all)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -178,7 +183,7 @@ i686: prep
|
||||||
$(eval MACHINE = all)
|
$(eval MACHINE = all)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -189,7 +194,7 @@ amd64: prep
|
||||||
$(eval MACHINE = all)
|
$(eval MACHINE = all)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -200,7 +205,7 @@ apu: prep
|
||||||
$(eval MACHINE = all)
|
$(eval MACHINE = all)
|
||||||
$(MAKE_IMAGE)
|
$(MAKE_IMAGE)
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -215,7 +220,7 @@ qemu-i386: prep
|
||||||
# Convert image to qemu format
|
# Convert image to qemu format
|
||||||
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
|
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
|
||||||
|
@ -227,7 +232,7 @@ qemu-x86_64: prep
|
||||||
# Convert image to qemu format
|
# Convert image to qemu format
|
||||||
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
|
qemu-img convert -O qcow2 $(NAME).img $(NAME).qcow2
|
||||||
@rm -f $(ARCHIVE)
|
@rm -f $(ARCHIVE)
|
||||||
$(XZ) $(IMAGE)
|
$(XZ)
|
||||||
@echo ""
|
@echo ""
|
||||||
$(SIGN)
|
$(SIGN)
|
||||||
@echo "Build complete."
|
@echo "Build complete."
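Review bot: The new `ifeq ("$CONTINUOUS_INTEGRATION", "")` never takes its first branch, because in a Makefile `$C` expands only the one-letter variable `C` and leaves the literal text `ONTINUOUS_INTEGRATION` in the comparison; the `else` branch therefore runs for every build and both `XZ` and `SIGN` are empty. Each target then executes empty `$(XZ)` and `$(SIGN)` recipe lines and still prints "Build complete.", so images are produced uncompressed and without a detached signature, with nothing in the output to show that signing was skipped. The check should be `ifeq ($(CONTINUOUS_INTEGRATION),)`, which also matches how the image script passes the value as a `make` command-line variable. Consider printing an explicit "signing skipped (CI)" message in the else branch so the unsigned case is visible in build logs.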
|
||||||
|
|
|
@ -179,9 +179,8 @@ if [[ "$1" == "on" || "$1" == "On" || "$1" == "ON" ]]; then
|
||||||
else
|
else
|
||||||
turn_logging_off
|
turn_logging_off
|
||||||
|
|
||||||
if [ -d /etc/tor ]; then
|
if [ -d /etc/torrc.d ]; then
|
||||||
echo 'Log notice file /dev/null' > /etc/torrc.d/logging
|
echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
|
||||||
rm /var/log/tor/*
|
|
||||||
fi
|
fi
|
||||||
if [ -d /var/log/radicale ]; then
|
if [ -d /var/log/radicale ]; then
|
||||||
$REMOVE_FILES_COMMAND /var/log/radicale/*
|
$REMOVE_FILES_COMMAND /var/log/radicale/*
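Review bot: This `else` arm is the logging-off path (the hunk header shows the enclosing `if [[ "$1" == "on" … ]]`, which starts outside the hunk), yet Tor notices are now directed to `/var/log/tor/notices.log` instead of `/dev/null` and the `rm /var/log/tor/*` was dropped, so turning logging off no longer stops or clears Tor's notice log. If the file must survive for the Tor health check, which reads it, at least clear existing content the way the radicale line below does, e.g. `$REMOVE_FILES_COMMAND /var/log/tor/*` followed by `: > /var/log/tor/notices.log`, and add a comment explaining why Tor is exempt from the off switch. The directory test changing from `/etc/tor` to `/etc/torrc.d` is the right check for the file being written.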
|
||||||
|
|
|
@ -759,6 +759,12 @@ function test_stig {
|
||||||
output "V-38605" $? ${SETLANG}
|
output "V-38605" $? ${SETLANG}
|
||||||
################
|
################
|
||||||
|
|
||||||
|
##Check that openssh client and server are installed
|
||||||
|
bash $STIG_TESTS_DIR/check-ssh.sh installed >/dev/null 2>&1 &
|
||||||
|
stig_spinner $!
|
||||||
|
output "SV-86857r1_rule" $? ${SETLANG}
|
||||||
|
################
|
||||||
|
|
||||||
##RHEL-06-000227
|
##RHEL-06-000227
|
||||||
##The SSH daemon must be configured to use only the SSHv2 protocol.
|
##The SSH daemon must be configured to use only the SSHv2 protocol.
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,62 @@
|
||||||
|
#!/bin/bash
|
||||||
|
# _____ _ _
|
||||||
|
# | __|___ ___ ___ _| |___ _____| |_ ___ ___ ___
|
||||||
|
# | __| _| -_| -_| . | . | | . | . | | -_|
|
||||||
|
# |__| |_| |___|___|___|___|_|_|_|___|___|_|_|___|
|
||||||
|
#
|
||||||
|
# Freedom in the Cloud
|
||||||
|
#
|
||||||
|
# Returns a health status for Tor
|
||||||
|
#
|
||||||
|
# License
|
||||||
|
# =======
|
||||||
|
#
|
||||||
|
# Copyright (C) 2018 Bob Mottram <bob@freedombone.net>
|
||||||
|
#
|
||||||
|
# This program is free software: you can redistribute it and/or modify
|
||||||
|
# it under the terms of the GNU Affero General Public License as published by
|
||||||
|
# the Free Software Foundation, either version 3 of the License, or
|
||||||
|
# (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU Affero General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU Affero General Public License
|
||||||
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
PROJECT_NAME='freedombone'
|
||||||
|
|
||||||
|
export TEXTDOMAIN=${PROJECT_NAME}-tor-health
|
||||||
|
export TEXTDOMAINDIR="/usr/share/locale"
|
||||||
|
|
||||||
|
d1=$(date --date="-10 min" "+%b %d %H:%M"):00
|
||||||
|
d2=$(date "+%b %d %H:%M"):00
|
||||||
|
ctr=0
|
||||||
|
echo -n '' > /var/log/tor/notices_new.log
|
||||||
|
while read -r line; do
|
||||||
|
datestr=$(echo "$line" | awk -F '.' '{print $1}')
|
||||||
|
if [[ "$datestr" > "$d1" && "$datestr" < "$d2" || "$datestr" =~ $d2 ]]; then
|
||||||
|
if [[ "$line" == *'Retrying'* ]]; then
|
||||||
|
ctr=$((ctr+1))
|
||||||
|
fi
|
||||||
|
echo "$line" >> /var/log/tor/notices_new.log
|
||||||
|
fi
|
||||||
|
done < /var/log/tor/notices.log
|
||||||
|
|
||||||
|
mv /var/log/tor/notices_new.log /var/log/tor/notices.log
|
||||||
|
chown -R debian-tor:adm /var/log/tor
|
||||||
|
|
||||||
|
if [ $ctr -gt 5 ]; then
|
||||||
|
echo $'Failed'
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $ctr -gt 0 ]; then
|
||||||
|
echo $'Poor'
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo $'Good'
|
||||||
|
exit 0
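Review bot: Pruning the log with `mv /var/log/tor/notices_new.log /var/log/tor/notices.log` replaces the inode while Tor still holds the old one open, so after the first run Tor's new notices go to the unlinked file and this script will keep reporting `Good` against an empty log. Either copy the pruned lines back into the existing file (`cat /var/log/tor/notices_new.log > /var/log/tor/notices.log && rm /var/log/tor/notices_new.log`, which works when Tor opened the log in append mode) or signal Tor to reopen its logs after the rename, e.g. `systemctl reload tor`. The time-window test compares `%b %d %H:%M` strings lexically, so the ten-minute window breaks across a month boundary (`"Feb 01"` sorts before `"Jan 31"`); comparing epoch seconds from `date -d "$datestr" +%s` avoids that. `echo -n '' > …` is clearer as `: > /var/log/tor/notices_new.log`.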
|
|
@ -32,6 +32,7 @@ FIREWALL_CONFIG=$HOME/${PROJECT_NAME}-firewall.cfg
|
||||||
FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
|
FIREWALL_DOMAINS=$HOME/${PROJECT_NAME}-firewall-domains.cfg
|
||||||
FIREWALL_EIFACE=eth0
|
FIREWALL_EIFACE=eth0
|
||||||
EXTERNAL_IPV4_ADDRESS=
|
EXTERNAL_IPV4_ADDRESS=
|
||||||
|
FIREFOX_TELEMETRY_IP='52.88.27.118'
|
||||||
|
|
||||||
function save_firewall_settings {
|
function save_firewall_settings {
|
||||||
iptables-save > /etc/firewall.conf
|
iptables-save > /etc/firewall.conf
|
||||||
|
@ -47,6 +48,25 @@ function save_firewall_settings {
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function block_firefox_telemetry {
|
||||||
|
# This shouldn't be needed on a server, but we'll do it anyway
|
||||||
|
# to be on the safe side
|
||||||
|
# Within firefox source code see submit_telemetry_data.py
|
||||||
|
|
||||||
|
if ! grep -q 'telemetry.mozilla' /etc/hosts; then
|
||||||
|
echo '127.0.0.1 telemetry.mozilla.org' >> /etc/hosts
|
||||||
|
echo '127.0.0.1 incoming.telemetry.mozilla.org' >> /etc/hosts
|
||||||
|
fi
|
||||||
|
|
||||||
|
if grep -q "$FIREFOX_TELEMETRY_IP" /etc/firewall.conf; then
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP
|
||||||
|
iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP
|
||||||
|
save_firewall_settings
|
||||||
|
}
|
||||||
|
|
||||||
function firewall_block_bad_ip_ranges {
|
function firewall_block_bad_ip_ranges {
|
||||||
if [ "$INSTALLING_MESH" ]; then
|
if [ "$INSTALLING_MESH" ]; then
|
||||||
return
|
return
|
||||||
|
@ -340,6 +360,32 @@ function mesh_firewall {
|
||||||
FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
|
FIREWALL_FILENAME="${rootdir}/etc/systemd/system/meshfirewall.service"
|
||||||
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
|
MESH_FIREWALL_SCRIPT=${rootdir}/usr/bin/mesh-firewall
|
||||||
|
|
||||||
|
if ! grep -q 'telemetry.mozilla' ${rootdir}/etc/hosts; then
|
||||||
|
echo '127.0.0.1 telemetry.mozilla.org' >> ${rootdir}/etc/hosts
|
||||||
|
echo '127.0.0.1 incoming.telemetry.mozilla.org' >> ${rootdir}/etc/hosts
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! grep -q 'facebook' ${rootdir}/etc/hosts; then
|
||||||
|
{ echo '127.0.0.1 www.facebook.com';
|
||||||
|
echo '127.0.0.1 facebook.com';
|
||||||
|
echo '127.0.0.1 static.ak.fbcdn.net';
|
||||||
|
echo '127.0.0.1 www.static.ak.fbcdn.net';
|
||||||
|
echo '127.0.0.1 login.facebook.com';
|
||||||
|
echo '127.0.0.1 www.login.facebook.com';
|
||||||
|
echo '127.0.0.1 fbcdn.net';
|
||||||
|
echo '127.0.0.1 www.fbcdn.net';
|
||||||
|
echo '127.0.0.1 fbcdn.com';
|
||||||
|
echo '127.0.0.1 www.fbcdn.com';
|
||||||
|
echo '127.0.0.1 static.ak.connect.facebook.com';
|
||||||
|
echo '127.0.0.1 www.static.ak.connect.facebook.com'; } >> ${rootdir}/etc/hosts
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! grep -q 'google' ${rootdir}/etc/hosts; then
|
||||||
|
{ echo '127.0.0.1 www.google-analytics.com';
|
||||||
|
echo '127.0.0.1 google-analytics.com';
|
||||||
|
echo '127.0.0.1 ssl.google-analytics.com'; } >> ${rootdir}/etc/hosts
|
||||||
|
fi
|
||||||
|
|
||||||
{ echo '#!/bin/bash';
|
{ echo '#!/bin/bash';
|
||||||
echo 'iptables -P INPUT ACCEPT';
|
echo 'iptables -P INPUT ACCEPT';
|
||||||
echo 'ip6tables -P INPUT ACCEPT';
|
echo 'ip6tables -P INPUT ACCEPT';
|
||||||
|
@ -387,7 +433,9 @@ function mesh_firewall {
|
||||||
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
echo "iptables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
||||||
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
echo "ip6tables -A INPUT -p tcp --dport $TRACKER_PORT -j ACCEPT";
|
||||||
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
|
echo "iptables -A INPUT -p udp --dport 1900 -j ACCEPT";
|
||||||
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT"; } > "$MESH_FIREWALL_SCRIPT"
|
echo "ip6tables -A INPUT -p udp --dport 1900 -j ACCEPT";
|
||||||
|
echo "iptables -A INPUT -s $FIREFOX_TELEMETRY_IP -j DROP";
|
||||||
|
echo "iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP"; } > "$MESH_FIREWALL_SCRIPT"
|
||||||
chmod +x "$MESH_FIREWALL_SCRIPT"
|
chmod +x "$MESH_FIREWALL_SCRIPT"
|
||||||
|
|
||||||
{ echo '[Unit]';
|
{ echo '[Unit]';
|
||||||
|
|
|
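Review bot: The OUTPUT rule in block_firefox_telemetry matches the wrong address field: `iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP` filters on the packet source, which for locally originated traffic is the host's own address, so the rule never fires and outbound connections to the telemetry host are not blocked; it should be `iptables -A OUTPUT -d "$FIREFOX_TELEMETRY_IP" -j DROP`. The same `-s` is written into the mesh script by `echo "iptables -A OUTPUT -s $FIREFOX_TELEMETRY_IP -j DROP";` in mesh_firewall. Pinning a single address for a CDN-hosted name such as telemetry.mozilla.org is also likely to go stale, so the /etc/hosts entries do most of the work and the iptables rule is best effort; a comment saying so next to `FIREFOX_TELEMETRY_IP=` would help the next maintainer. The idempotency check `grep -q "$FIREFOX_TELEMETRY_IP" /etc/firewall.conf` treats the dots as regex wildcards, so `grep -qF` is the intended match. mesh_firewall's body extends beyond the hunks shown.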
@ -311,6 +311,34 @@ function configure_ssh_onion {
|
||||||
mark_completed "${FUNCNAME[0]}"
|
mark_completed "${FUNCNAME[0]}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function check_tor_health {
|
||||||
|
{ echo '#!/bin/bash';
|
||||||
|
echo "status=\$(${PROJECT_NAME}-tor-health)";
|
||||||
|
echo "ADMIN_USER=\$(grep \"MY_USERNAME=\" ~/${PROJECT_NAME}.cfg | awk -F '=' '{print \$2}')";
|
||||||
|
echo "if [[ \"\$status\" == 'G'* ]]; then";
|
||||||
|
echo ' if [ -f /tmp/.torfailed ]; then';
|
||||||
|
echo ' rm /tmp/.torfailed';
|
||||||
|
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is now \$status\" \$ADMIN_USER@\$HOSTNAME";
|
||||||
|
echo ' fi';
|
||||||
|
echo ' exit 0';
|
||||||
|
echo 'fi';
|
||||||
|
echo 'if [ ! -f /tmp/.torfailed ]; then';
|
||||||
|
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
|
||||||
|
echo " echo \"\$status\" > /tmp/.torfailed";
|
||||||
|
echo 'else';
|
||||||
|
echo " prev_status=\$(cat /tmp/.torfailed)";
|
||||||
|
echo " if [[ \"\$prev_status\" != \"\$status\" ]]; then";
|
||||||
|
echo " tail -n 3 /var/log/tor/notices.log | mail -s \"[${PROJECT_NAME}] Tor status is \$status\" \$ADMIN_USER@\$HOSTNAME";
|
||||||
|
echo " echo \"\$status\" > /tmp/.torfailed";
|
||||||
|
echo ' fi';
|
||||||
|
echo 'fi'; } > /usr/bin/check_tor_health
|
||||||
|
chmod +x /usr/bin/check_tor_health
|
||||||
|
|
||||||
|
if ! grep -q 'check_tor_health' /etc/crontab; then
|
||||||
|
cron_add_mins 10 "/usr/bin/check_tor_health"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
function install_tor {
|
function install_tor {
|
||||||
if [[ $SYSTEM_TYPE == "mesh*" ]]; then
|
if [[ $SYSTEM_TYPE == "mesh*" ]]; then
|
||||||
return
|
return
|
||||||
|
@ -336,7 +364,7 @@ function install_tor {
|
||||||
echo '%include /etc/torrc.d' >> /etc/tor/torrc
|
echo '%include /etc/torrc.d' >> /etc/tor/torrc
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo 'Log notice file /dev/null' > /etc/torrc.d/logging
|
echo 'Log notice file /var/log/tor/notices.log' > /etc/torrc.d/logging
|
||||||
echo "AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes" > /etc/torrc.d/maxtraffic
|
echo "AccountingMax $TOR_MAX_TRAFFIC_PER_MONTH_GB GBytes" > /etc/torrc.d/maxtraffic
|
||||||
|
|
||||||
mark_completed "${FUNCNAME[0]}"
|
mark_completed "${FUNCNAME[0]}"
|
||||||
|
|
|
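Review bot: The generated /usr/bin/check_tor_health keeps its alert state in `/tmp/.torfailed`, a predictable root-written file in a world-writable directory, which lets any local user pre-create it to suppress or provoke the status mail and, where fs.protected_symlinks is not in effect, to have root write the status string through a symlink to a path of their choosing. Since the script runs from root's crontab via cron_add_mins, the state file belongs in a root-owned location, e.g. `state=/var/lib/${PROJECT_NAME}/torfailed` created alongside the script, with the `rm`, `cat` and `echo ... >` lines using that variable. The mail body is `tail -n 3 /var/log/tor/notices.log`; notice-level lines presumably carry no circuit or client detail, but a one-line comment stating that assumption next to the `Log notice file` change would help. install_tor is only partly visible in this hunk.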
@ -720,6 +720,9 @@ function setup_firewall {
|
||||||
function_check configure_firewall
|
function_check configure_firewall
|
||||||
configure_firewall
|
configure_firewall
|
||||||
|
|
||||||
|
function_check block_firefox_telemetry
|
||||||
|
block_firefox_telemetry
|
||||||
|
|
||||||
function_check configure_firewall_ping
|
function_check configure_firewall_ping
|
||||||
configure_firewall_ping
|
configure_firewall_ping
|
||||||
|
|
||||||
|
@ -971,6 +974,9 @@ function setup_utils {
|
||||||
function_check install_tor
|
function_check install_tor
|
||||||
install_tor
|
install_tor
|
||||||
|
|
||||||
|
function_check check_tor_health
|
||||||
|
check_tor_health
|
||||||
|
|
||||||
function_check install_command_line_browser
|
function_check install_command_line_browser
|
||||||
install_command_line_browser
|
install_command_line_browser
|
||||||
|
|
||||||
|
|
|
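Review bot: `check_tor_health` is called unconditionally in setup_utils right after `install_tor`, but install_tor returns early for mesh systems (the `if [[ $SYSTEM_TYPE == "mesh*" ]]` guard in the neighbouring hunk), so on a system where Tor is skipped the cron job and /usr/bin/check_tor_health would still be installed and would try to read /var/log/tor/notices.log every ten minutes. If that reading is right, guard the call the same way, e.g. `if [[ $SYSTEM_TYPE != mesh* ]]; then check_tor_health; fi`, or add the early return inside check_tor_health itself. Note that the existing guard quotes the pattern (`"mesh*"`), which in bash compares against the literal string rather than a prefix; that predates this commit but is worth checking. setup_utils continues outside the hunk.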
@ -44,6 +44,19 @@ case $1 in
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
installed)
|
||||||
|
OPENSSH_SERVER=$(dpkg -s openssh-server | grep -i "Status:.*install.*ok.*installed" | wc -l)
|
||||||
|
OPENSSH_CLIENT=$(dpkg -s openssh-client | grep -i "Status:.*install.*ok.*installed" | wc -l)
|
||||||
|
if [ ${OPENSSH_SERVER} -eq 1 ]; then
|
||||||
|
if [ ${OPENSSH_CLIENT} -eq 1 ]; then
|
||||||
|
:
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
;;
|
||||||
sshd_status)
|
sshd_status)
|
||||||
if systemctl status sshd | grep "Active:.*(running)";then
|
if systemctl status sshd | grep "Active:.*(running)";then
|
||||||
:
|
:
|
||||||
|
|
|
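Review bot: The new `installed)` branch decides with `dpkg -s ... | grep -i "Status:.*install.*ok.*installed" | wc -l` compared against 1, which prints dpkg's not-installed error to stderr, pattern-matches a free-text line, and needs two nested ifs only to reach `:` or `exit 1`. A flatter form that asks dpkg for the status field directly reads more clearly: `for pkg in openssh-server openssh-client; do` / `[ "$(dpkg-query -W -f='${db:Status-Status}' "$pkg" 2>/dev/null)" = installed ] || exit 1` / `done`. If the count comparison is kept, quote the expansions (`[ "${OPENSSH_SERVER}" -eq 1 ]`) so an empty value from a failed pipeline does not become a test syntax error instead of a clean failure. The enclosing case statement starts and ends outside the hunk.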
@ -1399,6 +1399,15 @@ disabled. The "nis" service can be disabled with the following commands:\n\n#upd
|
||||||
printf '\n######################\n\nSTIG-ID:RHEL-06-000224\n\nVulnerability Discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.\n\nFix text: The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:\n\n#update-rc.d cron defaults\nservice cron start\n\n######################\n\n' >> $LOG
|
printf '\n######################\n\nSTIG-ID:RHEL-06-000224\n\nVulnerability Discussion: Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.\n\nFix text: The "crond" service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The "crond" service can be enabled with the following commands:\n\n#update-rc.d cron defaults\nservice cron start\n\n######################\n\n' >> $LOG
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
|
SV-86857r1_rule) if [ "$3" = "en" ]; then
|
||||||
|
log_msg $2 'OpenSSH server and client must be installed.'
|
||||||
|
else
|
||||||
|
log_msg $2 '必须安装OpenSSH服务器和客户端'
|
||||||
|
fi
|
||||||
|
if [ $2 -ne 0 ];then
|
||||||
|
printf '\n######################\n\nWithout protection of the transmitted information, confidentiality and integrity may be compromised because unprotected communications can be intercepted and either read or altered. \n\nThis requirement applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, and facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. \n\nProtecting the confidentiality and integrity of organizational information can be accomplished by physical means (e.g., employing physical distribution systems) or by logical means (e.g., employing cryptographic techniques). If physical means of protection are employed, logical means (cryptography) do not have to be employed, and vice versa.\n\n######################\n\n' >> $LOG
|
||||||
|
fi
|
||||||
|
;;
|
||||||
V-38607) if [ "$3" = "en" ]; then
|
V-38607) if [ "$3" = "en" ]; then
|
||||||
log_msg $2 'The SSH daemon must be configured to use only the SSHv2 protocol.'
|
log_msg $2 'The SSH daemon must be configured to use only the SSHv2 protocol.'
|
||||||
else
|
else
|
||||||
|
|
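Review bot: The new SV-86857r1_rule entry logs only the generic vulnerability-discussion text and, unlike the neighbouring RHEL-06-000224 entry, carries no `STIG-ID:` header and no `Fix text:` line, so an operator reading the report is not told how to remediate. Add to the same printf a `STIG-ID:` header naming the STIG identifier this SV rule was taken from, and a remediation line such as `Fix text: Install the packages with:\n\n#apt-get install openssh-server openssh-client`. `$2` is passed unquoted to log_msg and to the `-ne 0` test, which matches the surrounding entries but will misbehave if it is ever empty. The enclosing case statement extends beyond the hunk.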