Move tripwire functions to security menu

This commit is contained in:
Bob Mottram 2018-03-18 10:58:18 +00:00
parent 4299a389cf
commit 3309fe281a
2 changed files with 179 additions and 173 deletions


@ -129,44 +129,10 @@ fi
function any_key {
echo ''
# shellcheck disable=SC2034
read -n1 -rsp $"Press any key to continue..." key
}
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function reset_password_tries {
passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then
@ -1182,81 +1148,6 @@ function security_settings {
"${PROJECT_NAME}-sec"
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
function format_drive {
detect_usb_drive
dialog --title $"Format USB drive $USB_DRIVE" \
@ -2082,26 +1973,24 @@ function menu_top_level {
do
W=(1 $"About this system"
2 $"Backup and Restore"
3 $"Verify Tripwire Code"
4 $"Reset Tripwire"
5 $"App Settings"
6 $"Add/Remove Apps"
7 $"Logging on/off"
8 $"Ping enable/disable"
9 $"Manage Users"
10 $"Email Menu"
11 $"Domain or User Blocking"
12 $"Security Settings"
13 $"Change the name of this system"
14 $"Set a static local IP address"
15 $"Wifi menu"
16 $"Add Clacks"
17 $"Check for updates"
18 $"Power off the system"
19 $"Restart the system")
3 $"App Settings"
4 $"Add/Remove Apps"
5 $"Logging on/off"
6 $"Ping enable/disable"
7 $"Manage Users"
8 $"Email Menu"
9 $"Domain or User Blocking"
10 $"Security Settings"
11 $"Change the name of this system"
12 $"Set a static local IP address"
13 $"Wifi menu"
14 $"Add Clacks"
15 $"Check for updates"
16 $"Power off the system"
17 $"Restart the system")
# shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 27 60 27 "${W[@]}" 3>&2 2>&1 1>&3)
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 25 60 25 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then
break
@ -2112,27 +2001,24 @@ function menu_top_level {
case $selection in
1) show_about;;
2) menu_backup_restore;;
3) show_tripwire_verification_code
any_key_verify;;
4) reset_tripwire;;
5) menu_app_settings;;
6) if ! /usr/local/bin/addremove; then
3) menu_app_settings;;
4) if ! /usr/local/bin/addremove; then
any_key
fi
;;
7) logging_on_off;;
8) ping_enable_disable;;
9) menu_users;;
10) menu_email;;
11) domain_blocking;;
12) security_settings;;
13) change_system_name;;
14) set_static_IP;;
15) menu_wifi;;
16) add_clacks;;
17) check_for_updates;;
18) shut_down_system;;
19) restart_system;;
5) logging_on_off;;
6) ping_enable_disable;;
7) menu_users;;
8) menu_email;;
9) domain_blocking;;
10) security_settings;;
11) change_system_name;;
12) set_static_IP;;
13) menu_wifi;;
14) add_clacks;;
15) check_for_updates;;
16) shut_down_system;;
17) restart_system;;
esac
done
}
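Review bot: The menu's height and list-height literals on the new dialog line (`25 60 25`, replacing `27 60 27`) are hand-maintained against the `W` array, so every future addition or removal of a menu entry must be mirrored in two places or the list silently truncates; deriving the list height from the array would remove that coupling, e.g. `menu_rows=$(( ${#W[@]} / 2 ))` and then `--menu $"Choose an operation, or ESC to exit:" "$menu_rows" 60 "$menu_rows"`. The renumbered entries 1-17 and the `case` arms in the last hunk do agree with each other as far as this section shows. The `# shellcheck disable=SC2068` comment above the dialog line sits over an already-quoted `"${W[@]}"` and appears to be stale, though that line is unchanged context here. menu_top_level starts outside the hunk.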


@ -69,6 +69,116 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_USERNAME=
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
function passwords_show_apps {
SELECTED_APP=
i=0
@ -1065,20 +1175,22 @@ function menu_security_settings {
W=(1 $"Passwords"
2 $"Run STIG tests"
3 $"Fix STIG test failures"
4 $"Show ssh host public key"
5 $"Tor bridges"
6 $"Password storage"
7 $"Export passwords"
8 $"Regenerate ssh host keys"
9 $"Regenerate Diffie-Hellman keys"
10 $"Update cipersuite"
11 $"Create a new Let's Encrypt certificate"
12 $"Renew Let's Encrypt certificate"
13 $"Delete a Let's Encrypt certificate"
14 $"Enable GPG based authentication (monkeysphere)"
15 $"Register a website with monkeysphere"
16 $"Allow ssh login with passwords"
17 $"Show firewall")
4 $"Show tripwire verification code"
5 $"Reset tripwire"
6 $"Show ssh host public key"
7 $"Tor bridges"
8 $"Password storage"
9 $"Export passwords"
10 $"Regenerate ssh host keys"
11 $"Regenerate Diffie-Hellman keys"
12 $"Update cipersuite"
13 $"Create a new Let's Encrypt certificate"
14 $"Renew Let's Encrypt certificate"
15 $"Delete a Let's Encrypt certificate"
16 $"Enable GPG based authentication (monkeysphere)"
17 $"Register a website with monkeysphere"
18 $"Allow ssh login with passwords"
19 $"Show firewall")
# shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3)
@ -1122,53 +1234,61 @@ function menu_security_settings {
exit 0
;;
4)
show_tripwire_verification_code
any_key_verify
;;
5)
reset_tripwire
;;
6)
dialog --title $"SSH host public keys" \
--msgbox "\\n$(get_ssh_server_key)" 12 60
exit 0
;;
5)
7)
menu_tor_bridges
exit 0
;;
6)
8)
store_passwords
exit 0
;;
7)
9)
export_passwords
exit 0
;;
8)
10)
regenerate_ssh_host_keys
;;
9)
11)
regenerate_dh_keys
;;
10)
12)
interactive_setup
update_ciphersuite
;;
11)
13)
create_letsencrypt
;;
12)
14)
renew_letsencrypt
;;
13)
15)
delete_letsencrypt
;;
14)
16)
enable_monkeysphere
;;
15)
17)
register_website
;;
16)
18)
allow_ssh_passwords
change_ssh_settings
exit 0
;;
17)
19)
show_firewall
exit 0
;;
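Review bot: In the moved any_key_verify (first hunk of this file), `DBHASH` is computed from `/var/lib/tripwire/${HOSTNAME}.twd` without first checking that the database exists, so if the file is missing `sha512sum` fails, `DBHASH` is empty, and any pasted hash longer than 8 characters is reported as "Failed ... unauthorised modification of the system", which wrongly suggests tampering when the real cause is a missing database; the `show_tripwire_verification_code` function just below does perform that check, so the two should agree, e.g. before the `case $sel in`: `[ -f "/var/lib/tripwire/${HOSTNAME}.twd" ] || { dialog --title $"Check tripwire" --msgbox $"\\nNo tripwire database found" 10 40; rm -f "$data"; return; }`. In the same function `data=$(mktemp 2>/dev/null)` is unchecked, so a failed mktemp leaves `data` empty and the later `2>"$data"` redirection fails; `data=$(mktemp) || return` would be safer. Since the commit is a move, it is also a cheap opportunity to fix the user-visible typo in reset_tripwire, `echo $'Turing off logging...'` → `echo $'Turning off logging...'`. The code itself is unchanged from the removed copy in the other file.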