Move tripwire functions to security menu
This commit is contained in:
parent
4299a389cf
commit
3309fe281a
|
@ -129,44 +129,10 @@ fi
|
|||
|
||||
function any_key {
|
||||
echo ''
|
||||
# shellcheck disable=SC2034
|
||||
read -n1 -rsp $"Press any key to continue..." key
|
||||
}
|
||||
|
||||
function any_key_verify {
|
||||
echo ''
|
||||
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
|
||||
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title $"Check tripwire hash" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
GIVEN_HASH=$(<"$data")
|
||||
if [ ${#GIVEN_HASH} -gt 8 ]; then
|
||||
if [[ "$GIVEN_HASH" == *' '* ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nThe hash should not contain any spaces" 10 40
|
||||
else
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
|
||||
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
|
||||
else
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function reset_password_tries {
|
||||
passwords_select_user
|
||||
if [ ! "$SELECTED_USERNAME" ]; then
|
||||
|
@ -1182,81 +1148,6 @@ function security_settings {
|
|||
"${PROJECT_NAME}-sec"
|
||||
}
|
||||
|
||||
function show_tripwire_verification_code {
|
||||
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
return
|
||||
fi
|
||||
clear
|
||||
echo ''
|
||||
echo $'Tripwire Verification Code'
|
||||
echo ''
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
|
||||
echo -n "$DBHASH" | qrencode -t UTF8
|
||||
echo ''
|
||||
echo "$DBHASH"
|
||||
echo ''
|
||||
}
|
||||
|
||||
function reset_tripwire {
|
||||
if [ ! -f /usr/bin/reset-tripwire ]; then
|
||||
echo $'Missing /usr/bin/reset-tripwire'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
|
||||
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
|
||||
else
|
||||
echo $'Error: missing local key'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
fi
|
||||
clear
|
||||
echo $'Turing off logging...'
|
||||
"${PROJECT_NAME}-logging" off
|
||||
echo $'Locking down permissions...'
|
||||
lockdown_permissions
|
||||
echo $'Creating configuration...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
|
||||
echo $'Resetting policy...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
|
||||
echo $'Creating tripwire database'
|
||||
echo '
|
||||
|
||||
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
|
||||
echo $'Resetting the Tripwire...'
|
||||
echo ''
|
||||
echo '
|
||||
|
||||
' | reset-tripwire
|
||||
echo ''
|
||||
|
||||
# Sometimes nginx fails to restart if matrix is installed
|
||||
# Restart matrix first
|
||||
if [ -d /etc/matrix ]; then
|
||||
systemctl restart matrix
|
||||
systemctl restart nginx
|
||||
fi
|
||||
|
||||
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
show_tripwire_verification_code
|
||||
echo $'Tripwire is now reset. Take a note of the above hash, or record'
|
||||
echo $'the QR code using a mobile device. This will enable you to independently'
|
||||
echo $'verify the integrity of the tripwire.'
|
||||
else
|
||||
echo $'ERROR: tripwire database was not created'
|
||||
fi
|
||||
any_key
|
||||
}
|
||||
|
||||
function format_drive {
|
||||
detect_usb_drive
|
||||
dialog --title $"Format USB drive $USB_DRIVE" \
|
||||
|
@ -2082,26 +1973,24 @@ function menu_top_level {
|
|||
do
|
||||
W=(1 $"About this system"
|
||||
2 $"Backup and Restore"
|
||||
3 $"Verify Tripwire Code"
|
||||
4 $"Reset Tripwire"
|
||||
5 $"App Settings"
|
||||
6 $"Add/Remove Apps"
|
||||
7 $"Logging on/off"
|
||||
8 $"Ping enable/disable"
|
||||
9 $"Manage Users"
|
||||
10 $"Email Menu"
|
||||
11 $"Domain or User Blocking"
|
||||
12 $"Security Settings"
|
||||
13 $"Change the name of this system"
|
||||
14 $"Set a static local IP address"
|
||||
15 $"Wifi menu"
|
||||
16 $"Add Clacks"
|
||||
17 $"Check for updates"
|
||||
18 $"Power off the system"
|
||||
19 $"Restart the system")
|
||||
3 $"App Settings"
|
||||
4 $"Add/Remove Apps"
|
||||
5 $"Logging on/off"
|
||||
6 $"Ping enable/disable"
|
||||
7 $"Manage Users"
|
||||
8 $"Email Menu"
|
||||
9 $"Domain or User Blocking"
|
||||
10 $"Security Settings"
|
||||
11 $"Change the name of this system"
|
||||
12 $"Set a static local IP address"
|
||||
13 $"Wifi menu"
|
||||
14 $"Add Clacks"
|
||||
15 $"Check for updates"
|
||||
16 $"Power off the system"
|
||||
17 $"Restart the system")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 27 60 27 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 25 60 25 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
|
||||
if [ ! "$selection" ]; then
|
||||
break
|
||||
|
@ -2112,27 +2001,24 @@ function menu_top_level {
|
|||
case $selection in
|
||||
1) show_about;;
|
||||
2) menu_backup_restore;;
|
||||
3) show_tripwire_verification_code
|
||||
any_key_verify;;
|
||||
4) reset_tripwire;;
|
||||
5) menu_app_settings;;
|
||||
6) if ! /usr/local/bin/addremove; then
|
||||
3) menu_app_settings;;
|
||||
4) if ! /usr/local/bin/addremove; then
|
||||
any_key
|
||||
fi
|
||||
;;
|
||||
7) logging_on_off;;
|
||||
8) ping_enable_disable;;
|
||||
9) menu_users;;
|
||||
10) menu_email;;
|
||||
11) domain_blocking;;
|
||||
12) security_settings;;
|
||||
13) change_system_name;;
|
||||
14) set_static_IP;;
|
||||
15) menu_wifi;;
|
||||
16) add_clacks;;
|
||||
17) check_for_updates;;
|
||||
18) shut_down_system;;
|
||||
19) restart_system;;
|
||||
5) logging_on_off;;
|
||||
6) ping_enable_disable;;
|
||||
7) menu_users;;
|
||||
8) menu_email;;
|
||||
9) domain_blocking;;
|
||||
10) security_settings;;
|
||||
11) change_system_name;;
|
||||
12) set_static_IP;;
|
||||
13) menu_wifi;;
|
||||
14) add_clacks;;
|
||||
15) check_for_updates;;
|
||||
16) shut_down_system;;
|
||||
17) restart_system;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
|
|
|
@ -69,6 +69,116 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
|
|||
|
||||
MY_USERNAME=
|
||||
|
||||
function any_key_verify {
|
||||
echo ''
|
||||
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
|
||||
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
|
||||
return
|
||||
fi
|
||||
|
||||
data=$(mktemp 2>/dev/null)
|
||||
dialog --title $"Check tripwire hash" \
|
||||
--backtitle $"Freedombone Control Panel" \
|
||||
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
|
||||
sel=$?
|
||||
case $sel in
|
||||
0)
|
||||
GIVEN_HASH=$(<"$data")
|
||||
if [ ${#GIVEN_HASH} -gt 8 ]; then
|
||||
if [[ "$GIVEN_HASH" == *' '* ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nThe hash should not contain any spaces" 10 40
|
||||
else
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
|
||||
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
|
||||
else
|
||||
dialog --title $"Check tripwire" \
|
||||
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
rm -f "$data"
|
||||
}
|
||||
|
||||
function show_tripwire_verification_code {
|
||||
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
return
|
||||
fi
|
||||
clear
|
||||
echo ''
|
||||
echo $'Tripwire Verification Code'
|
||||
echo ''
|
||||
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
|
||||
echo -n "$DBHASH" | qrencode -t UTF8
|
||||
echo ''
|
||||
echo "$DBHASH"
|
||||
echo ''
|
||||
}
|
||||
|
||||
function reset_tripwire {
|
||||
if [ ! -f /usr/bin/reset-tripwire ]; then
|
||||
echo $'Missing /usr/bin/reset-tripwire'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
|
||||
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
|
||||
# shellcheck disable=SC2086
|
||||
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
|
||||
else
|
||||
echo $'Error: missing local key'
|
||||
any_key
|
||||
return
|
||||
fi
|
||||
fi
|
||||
clear
|
||||
echo $'Turing off logging...'
|
||||
"${PROJECT_NAME}-logging" off
|
||||
echo $'Locking down permissions...'
|
||||
lockdown_permissions
|
||||
echo $'Creating configuration...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
|
||||
echo $'Resetting policy...'
|
||||
echo '
|
||||
|
||||
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
|
||||
echo $'Creating tripwire database'
|
||||
echo '
|
||||
|
||||
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
|
||||
echo $'Resetting the Tripwire...'
|
||||
echo ''
|
||||
echo '
|
||||
|
||||
' | reset-tripwire
|
||||
echo ''
|
||||
|
||||
# Sometimes nginx fails to restart if matrix is installed
|
||||
# Restart matrix first
|
||||
if [ -d /etc/matrix ]; then
|
||||
systemctl restart matrix
|
||||
systemctl restart nginx
|
||||
fi
|
||||
|
||||
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
|
||||
show_tripwire_verification_code
|
||||
echo $'Tripwire is now reset. Take a note of the above hash, or record'
|
||||
echo $'the QR code using a mobile device. This will enable you to independently'
|
||||
echo $'verify the integrity of the tripwire.'
|
||||
else
|
||||
echo $'ERROR: tripwire database was not created'
|
||||
fi
|
||||
any_key
|
||||
}
|
||||
|
||||
function passwords_show_apps {
|
||||
SELECTED_APP=
|
||||
i=0
|
||||
|
@ -1065,20 +1175,22 @@ function menu_security_settings {
|
|||
W=(1 $"Passwords"
|
||||
2 $"Run STIG tests"
|
||||
3 $"Fix STIG test failures"
|
||||
4 $"Show ssh host public key"
|
||||
5 $"Tor bridges"
|
||||
6 $"Password storage"
|
||||
7 $"Export passwords"
|
||||
8 $"Regenerate ssh host keys"
|
||||
9 $"Regenerate Diffie-Hellman keys"
|
||||
10 $"Update cipersuite"
|
||||
11 $"Create a new Let's Encrypt certificate"
|
||||
12 $"Renew Let's Encrypt certificate"
|
||||
13 $"Delete a Let's Encrypt certificate"
|
||||
14 $"Enable GPG based authentication (monkeysphere)"
|
||||
15 $"Register a website with monkeysphere"
|
||||
16 $"Allow ssh login with passwords"
|
||||
17 $"Show firewall")
|
||||
4 $"Show tripwire verification code"
|
||||
5 $"Reset tripwire"
|
||||
6 $"Show ssh host public key"
|
||||
7 $"Tor bridges"
|
||||
8 $"Password storage"
|
||||
9 $"Export passwords"
|
||||
10 $"Regenerate ssh host keys"
|
||||
11 $"Regenerate Diffie-Hellman keys"
|
||||
12 $"Update cipersuite"
|
||||
13 $"Create a new Let's Encrypt certificate"
|
||||
14 $"Renew Let's Encrypt certificate"
|
||||
15 $"Delete a Let's Encrypt certificate"
|
||||
16 $"Enable GPG based authentication (monkeysphere)"
|
||||
17 $"Register a website with monkeysphere"
|
||||
18 $"Allow ssh login with passwords"
|
||||
19 $"Show firewall")
|
||||
|
||||
# shellcheck disable=SC2068
|
||||
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3)
|
||||
|
@ -1122,53 +1234,61 @@ function menu_security_settings {
|
|||
exit 0
|
||||
;;
|
||||
4)
|
||||
show_tripwire_verification_code
|
||||
any_key_verify
|
||||
;;
|
||||
5)
|
||||
reset_tripwire
|
||||
;;
|
||||
|
||||
6)
|
||||
dialog --title $"SSH host public keys" \
|
||||
--msgbox "\\n$(get_ssh_server_key)" 12 60
|
||||
exit 0
|
||||
;;
|
||||
5)
|
||||
7)
|
||||
menu_tor_bridges
|
||||
exit 0
|
||||
;;
|
||||
6)
|
||||
8)
|
||||
store_passwords
|
||||
exit 0
|
||||
;;
|
||||
7)
|
||||
9)
|
||||
export_passwords
|
||||
exit 0
|
||||
;;
|
||||
8)
|
||||
10)
|
||||
regenerate_ssh_host_keys
|
||||
;;
|
||||
9)
|
||||
11)
|
||||
regenerate_dh_keys
|
||||
;;
|
||||
10)
|
||||
12)
|
||||
interactive_setup
|
||||
update_ciphersuite
|
||||
;;
|
||||
11)
|
||||
13)
|
||||
create_letsencrypt
|
||||
;;
|
||||
12)
|
||||
14)
|
||||
renew_letsencrypt
|
||||
;;
|
||||
13)
|
||||
15)
|
||||
delete_letsencrypt
|
||||
;;
|
||||
14)
|
||||
16)
|
||||
enable_monkeysphere
|
||||
;;
|
||||
15)
|
||||
17)
|
||||
register_website
|
||||
;;
|
||||
16)
|
||||
18)
|
||||
allow_ssh_passwords
|
||||
change_ssh_settings
|
||||
exit 0
|
||||
;;
|
||||
17)
|
||||
19)
|
||||
show_firewall
|
||||
exit 0
|
||||
;;
|
||||
|
|
Loading…
Reference in New Issue