From 3309fe281addc3f8fe28012b3458e00ae35ede41 Mon Sep 17 00:00:00 2001 From: Bob Mottram Date: Sun, 18 Mar 2018 10:58:18 +0000 Subject: [PATCH] Move tripwire functions to security menu --- src/freedombone-controlpanel | 178 +++++++---------------------------- src/freedombone-sec | 174 ++++++++++++++++++++++++++++------ 2 files changed, 179 insertions(+), 173 deletions(-) diff --git a/src/freedombone-controlpanel b/src/freedombone-controlpanel index e916b806..08c75cfe 100755 --- a/src/freedombone-controlpanel +++ b/src/freedombone-controlpanel @@ -129,44 +129,10 @@ fi function any_key { echo '' + # shellcheck disable=SC2034 read -n1 -rsp $"Press any key to continue..." key } -function any_key_verify { - echo '' - read -n1 -rsp $"Press any key to continue or C to check a hash..." key - if [[ "$key" != 'c' && "$key" != 'C' ]]; then - return - fi - - data=$(mktemp 2>/dev/null) - dialog --title $"Check tripwire hash" \ - --backtitle $"Freedombone Control Panel" \ - --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data" - sel=$? - case $sel in - 0) - GIVEN_HASH=$(<"$data") - if [ ${#GIVEN_HASH} -gt 8 ]; then - if [[ "$GIVEN_HASH" == *' '* ]]; then - dialog --title $"Check tripwire" \ - --msgbox $"\\nThe hash should not contain any spaces" 10 40 - else - DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}') - if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then - dialog --title $"Check tripwire" \ - --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40 - else - dialog --title $"Check tripwire" \ - --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50 - fi - fi - fi - ;; - esac - rm -f "$data" -} - function reset_password_tries { passwords_select_user if [ ! "$SELECTED_USERNAME" ]; then 
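Review bot: The new `# shellcheck disable=SC2034` in any_key silences the warning instead of removing its cause; the `key` variable read there is never used, so the directive is unnecessary if the value is discarded, `read -n1 -rsp $"Press any key to continue..." _`. The removed any_key_verify body is moved to freedombone-sec rather than dropped, so nothing else changes here. any_key is shown in full, but the hunk's trailing reset_password_tries lines continue outside it.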
@@ -1182,81 +1148,6 @@ function security_settings { "${PROJECT_NAME}-sec" } -function show_tripwire_verification_code { - if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then - return - fi - clear - echo '' - echo $'Tripwire Verification Code' - echo '' - DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd") - echo -n "$DBHASH" | qrencode -t UTF8 - echo '' - echo "$DBHASH" - echo '' -} - -function reset_tripwire { - if [ ! -f /usr/bin/reset-tripwire ]; then - echo $'Missing /usr/bin/reset-tripwire' - any_key - return - fi - if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then - if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then - # shellcheck disable=SC2086 - mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key - # shellcheck disable=SC2086 - mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key - else - echo $'Error: missing local key' - any_key - return - fi - fi - clear - echo $'Turing off logging...' - "${PROJECT_NAME}-logging" off - echo $'Locking down permissions...' - lockdown_permissions - echo $'Creating configuration...' - echo ' - - ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt - echo $'Resetting policy...' - echo ' - - ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt - echo $'Creating tripwire database' - echo ' - -' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd" - echo $'Resetting the Tripwire...' - echo '' - echo ' - - ' | reset-tripwire - echo '' - - # Sometimes nginx fails to restart if matrix is installed - # Restart matrix first - if [ -d /etc/matrix ]; then - systemctl restart matrix - systemctl restart nginx - fi - - if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then - show_tripwire_verification_code - echo $'Tripwire is now reset. Take a note of the above hash, or record' - echo $'the QR code using a mobile device. 
This will enable you to independently' - echo $'verify the integrity of the tripwire.' - else - echo $'ERROR: tripwire database was not created' - fi - any_key -} - function format_drive { detect_usb_drive dialog --title $"Format USB drive $USB_DRIVE" \ @@ -2082,26 +1973,24 @@ function menu_top_level { do W=(1 $"About this system" 2 $"Backup and Restore" - 3 $"Verify Tripwire Code" - 4 $"Reset Tripwire" - 5 $"App Settings" - 6 $"Add/Remove Apps" - 7 $"Logging on/off" - 8 $"Ping enable/disable" - 9 $"Manage Users" - 10 $"Email Menu" - 11 $"Domain or User Blocking" - 12 $"Security Settings" - 13 $"Change the name of this system" - 14 $"Set a static local IP address" - 15 $"Wifi menu" - 16 $"Add Clacks" - 17 $"Check for updates" - 18 $"Power off the system" - 19 $"Restart the system") + 3 $"App Settings" + 4 $"Add/Remove Apps" + 5 $"Logging on/off" + 6 $"Ping enable/disable" + 7 $"Manage Users" + 8 $"Email Menu" + 9 $"Domain or User Blocking" + 10 $"Security Settings" + 11 $"Change the name of this system" + 12 $"Set a static local IP address" + 13 $"Wifi menu" + 14 $"Add Clacks" + 15 $"Check for updates" + 16 $"Power off the system" + 17 $"Restart the system") # shellcheck disable=SC2068 - selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 27 60 27 "${W[@]}" 3>&2 2>&1 1>&3) + selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 25 60 25 "${W[@]}" 3>&2 2>&1 1>&3) if [ ! "$selection" ]; then break 
@@ -2112,27 +2001,24 @@ function menu_top_level { case $selection in 1) show_about;; 2) menu_backup_restore;; - 3) show_tripwire_verification_code - any_key_verify;; - 4) reset_tripwire;; - 5) menu_app_settings;; - 6) if ! /usr/local/bin/addremove; then + 3) menu_app_settings;; + 4) if ! /usr/local/bin/addremove; then any_key fi ;; - 7) logging_on_off;; - 8) ping_enable_disable;; - 9) menu_users;; - 10) menu_email;; - 11) domain_blocking;; - 12) security_settings;; - 13) change_system_name;; - 14) set_static_IP;; - 15) menu_wifi;; - 16) add_clacks;; - 17) check_for_updates;; - 18) shut_down_system;; - 19) restart_system;; + 5) logging_on_off;; + 6) ping_enable_disable;; + 7) menu_users;; + 8) menu_email;; + 9) domain_blocking;; + 10) security_settings;; + 11) change_system_name;; + 12) set_static_IP;; + 13) menu_wifi;; + 14) add_clacks;; + 15) check_for_updates;; + 16) shut_down_system;; + 17) restart_system;; esac done } diff --git a/src/freedombone-sec b/src/freedombone-sec index a9b19b84..5f5ea982 100755 --- a/src/freedombone-sec +++ b/src/freedombone-sec 
@@ -69,6 +69,116 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory' MY_USERNAME= +function any_key_verify { + echo '' + read -n1 -rsp $"Press any key to continue or C to check a hash..." key + if [[ "$key" != 'c' && "$key" != 'C' ]]; then + return + fi + + data=$(mktemp 2>/dev/null) + dialog --title $"Check tripwire hash" \ + --backtitle $"Freedombone Control Panel" \ + --inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data" + sel=$? + case $sel in + 0) + GIVEN_HASH=$(<"$data") + if [ ${#GIVEN_HASH} -gt 8 ]; then + if [[ "$GIVEN_HASH" == *' '* ]]; then + dialog --title $"Check tripwire" \ + --msgbox $"\\nThe hash should not contain any spaces" 10 40 + else + DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}') + if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then + dialog --title $"Check tripwire" \ + --msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40 + else + dialog --title $"Check tripwire" \ + --msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50 + fi + fi + fi + ;; + esac + rm -f "$data" +} + +function show_tripwire_verification_code { + if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then + return + fi + clear + echo '' + echo $'Tripwire Verification Code' + echo '' + DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd") + echo -n "$DBHASH" | qrencode -t UTF8 + echo '' + echo "$DBHASH" + echo '' +} + +function reset_tripwire { + if [ ! -f /usr/bin/reset-tripwire ]; then + echo $'Missing /usr/bin/reset-tripwire' + any_key + return + fi + if [ ! 
-f "/etc/tripwire/${HOSTNAME}-local.key" ]; then + if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then + # shellcheck disable=SC2086 + mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key + # shellcheck disable=SC2086 + mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key + else + echo $'Error: missing local key' + any_key + return + fi + fi + clear + echo $'Turing off logging...' + "${PROJECT_NAME}-logging" off + echo $'Locking down permissions...' + lockdown_permissions + echo $'Creating configuration...' + echo ' + + ' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt + echo $'Resetting policy...' + echo ' + + ' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt + echo $'Creating tripwire database' + echo ' + +' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd" + echo $'Resetting the Tripwire...' + echo '' + echo ' + + ' | reset-tripwire + echo '' + + # Sometimes nginx fails to restart if matrix is installed + # Restart matrix first + if [ -d /etc/matrix ]; then + systemctl restart matrix + systemctl restart nginx + fi + + if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then + show_tripwire_verification_code + echo $'Tripwire is now reset. Take a note of the above hash, or record' + echo $'the QR code using a mobile device. This will enable you to independently' + echo $'verify the integrity of the tripwire.' + else + echo $'ERROR: tripwire database was not created' + fi + any_key +} + function passwords_show_apps { SELECTED_APP= i=0 
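Review bot: show_tripwire_verification_code encodes and prints the full `sha512sum` output (hash followed by the database path), while any_key_verify compares the pasted value against the first field only and rejects anything containing a space, so a code copied from the QR or from the printed line cannot be checked as-is; extract the hash the same way in both places, `DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')`, before passing it to qrencode. The moved reset_tripwire also calls any_key and lockdown_permissions, which this hunk does not define in freedombone-sec; if they are not already present in this file the new menu entry will fail at runtime. any_key_verify leaves data, sel, GIVEN_HASH and DBHASH as globals and never checks that mktemp succeeded, so `data=$(mktemp) || return` would avoid redirecting dialog's output into an empty path. The message `echo $'Turing off logging...'` is a typo for `Turning`.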
@@ -1065,20 +1175,22 @@ function menu_security_settings { W=(1 $"Passwords" 2 $"Run STIG tests" 3 $"Fix STIG test failures" - 4 $"Show ssh host public key" - 5 $"Tor bridges" - 6 $"Password storage" - 7 $"Export passwords" - 8 $"Regenerate ssh host keys" - 9 $"Regenerate Diffie-Hellman keys" - 10 $"Update cipersuite" - 11 $"Create a new Let's Encrypt certificate" - 12 $"Renew Let's Encrypt certificate" - 13 $"Delete a Let's Encrypt certificate" - 14 $"Enable GPG based authentication (monkeysphere)" - 15 $"Register a website with monkeysphere" - 16 $"Allow ssh login with passwords" - 17 $"Show firewall") + 4 $"Show tripwire verification code" + 5 $"Reset tripwire" + 6 $"Show ssh host public key" + 7 $"Tor bridges" + 8 $"Password storage" + 9 $"Export passwords" + 10 $"Regenerate ssh host keys" + 11 $"Regenerate Diffie-Hellman keys" + 12 $"Update cipersuite" + 13 $"Create a new Let's Encrypt certificate" + 14 $"Renew Let's Encrypt certificate" + 15 $"Delete a Let's Encrypt certificate" + 16 $"Enable GPG based authentication (monkeysphere)" + 17 $"Register a website with monkeysphere" + 18 $"Allow ssh login with passwords" + 19 $"Show firewall") # shellcheck disable=SC2068 selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3) 
@@ -1122,53 +1234,61 @@ function menu_security_settings { exit 0 ;; 4) + show_tripwire_verification_code + any_key_verify + ;; + 5) + reset_tripwire + ;; + + 6) dialog --title $"SSH host public keys" \ --msgbox "\\n$(get_ssh_server_key)" 12 60 exit 0 ;; - 5) + 7) menu_tor_bridges exit 0 ;; - 6) + 8) store_passwords exit 0 ;; - 7) + 9) export_passwords exit 0 ;; - 8) + 10) regenerate_ssh_host_keys ;; - 9) + 11) regenerate_dh_keys ;; - 10) + 12) interactive_setup update_ciphersuite ;; - 11) + 13) create_letsencrypt ;; - 12) + 14) renew_letsencrypt ;; - 13) + 15) delete_letsencrypt ;; - 14) + 16) enable_monkeysphere ;; - 15) + 17) register_website ;; - 16) + 18) allow_ssh_passwords change_ssh_settings exit 0 ;; - 17) + 19) show_firewall exit 0 ;;
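Review bot: Arm 4 runs any_key_verify unconditionally after show_tripwire_verification_code, but the latter returns silently when `/var/lib/tripwire/${HOSTNAME}.twd` is missing, so the user is still offered the hash check and, because sha512sum then fails and DBHASH is empty, any pasted value is reported as a possible unauthorised modification when there is simply no database yet. Guard the arm on the database file: `4) if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then` / `show_tripwire_verification_code; any_key_verify` / `fi ;;`, ideally with a short msgbox in the else branch saying no database exists. The enclosing menu_security_settings function starts before this hunk and its `esac` closes after it.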