free
/
freedomboneeee
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Move tripwire functions to security menu

This commit is contained in:
Bob Mottram 2018-03-18 10:58:18 +00:00
parent 4299a389cf
commit 3309fe281a
2 changed files with 179 additions and 173 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
src/freedombone-controlpanel
View File

@ -129,44 +129,10 @@ fi
function any_key { function any_key {
echo '' echo ''
# shellcheck disable=SC2034
read -n1 -rsp $"Press any key to continue..." key read -n1 -rsp $"Press any key to continue..." key
} }
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function reset_password_tries { function reset_password_tries {
passwords_select_user passwords_select_user
if [ ! "$SELECTED_USERNAME" ]; then if [ ! "$SELECTED_USERNAME" ]; then
@ -1182,81 +1148,6 @@ function security_settings {
"${PROJECT_NAME}-sec" "${PROJECT_NAME}-sec"
} }
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
function format_drive { function format_drive {
detect_usb_drive detect_usb_drive
dialog --title $"Format USB drive $USB_DRIVE" \ dialog --title $"Format USB drive $USB_DRIVE" \
@ -2082,26 +1973,24 @@ function menu_top_level {
do do
W=(1 $"About this system" W=(1 $"About this system"
2 $"Backup and Restore" 2 $"Backup and Restore"
3 $"Verify Tripwire Code" 3 $"App Settings"
4 $"Reset Tripwire" 4 $"Add/Remove Apps"
5 $"App Settings" 5 $"Logging on/off"
6 $"Add/Remove Apps" 6 $"Ping enable/disable"
7 $"Logging on/off" 7 $"Manage Users"
8 $"Ping enable/disable" 8 $"Email Menu"
9 $"Manage Users" 9 $"Domain or User Blocking"
10 $"Email Menu" 10 $"Security Settings"
11 $"Domain or User Blocking" 11 $"Change the name of this system"
12 $"Security Settings" 12 $"Set a static local IP address"
13 $"Change the name of this system" 13 $"Wifi menu"
14 $"Set a static local IP address" 14 $"Add Clacks"
15 $"Wifi menu" 15 $"Check for updates"
16 $"Add Clacks" 16 $"Power off the system"
17 $"Check for updates" 17 $"Restart the system")
18 $"Power off the system"
19 $"Restart the system")
# shellcheck disable=SC2068 # shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 27 60 27 "${W[@]}" 3>&2 2>&1 1>&3) selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Administrator Control Panel" --menu $"Choose an operation, or ESC to exit:" 25 60 25 "${W[@]}" 3>&2 2>&1 1>&3)
if [ ! "$selection" ]; then if [ ! "$selection" ]; then
break break
@ -2112,27 +2001,24 @@ function menu_top_level {
case $selection in case $selection in
1) show_about;; 1) show_about;;
2) menu_backup_restore;; 2) menu_backup_restore;;
3) show_tripwire_verification_code 3) menu_app_settings;;
any_key_verify;; 4) if ! /usr/local/bin/addremove; then
4) reset_tripwire;;
5) menu_app_settings;;
6) if ! /usr/local/bin/addremove; then
any_key any_key
fi fi
;; ;;
7) logging_on_off;; 5) logging_on_off;;
8) ping_enable_disable;; 6) ping_enable_disable;;
9) menu_users;; 7) menu_users;;
10) menu_email;; 8) menu_email;;
11) domain_blocking;; 9) domain_blocking;;
12) security_settings;; 10) security_settings;;
13) change_system_name;; 11) change_system_name;;
14) set_static_IP;; 12) set_static_IP;;
15) menu_wifi;; 13) menu_wifi;;
16) add_clacks;; 14) add_clacks;;
17) check_for_updates;; 15) check_for_updates;;
18) shut_down_system;; 16) shut_down_system;;
19) restart_system;; 17) restart_system;;
esac esac
done done
} }

174
src/freedombone-sec
View File

@ -69,6 +69,116 @@ LETSENCRYPT_SERVER='https://acme-v01.api.letsencrypt.org/directory'
MY_USERNAME= MY_USERNAME=
function any_key_verify {
echo ''
read -n1 -rsp $"Press any key to continue or C to check a hash..." key
if [[ "$key" != 'c' && "$key" != 'C' ]]; then
return
fi
data=$(mktemp 2>/dev/null)
dialog --title $"Check tripwire hash" \
--backtitle $"Freedombone Control Panel" \
--inputbox $"Paste your tripwire hash below and it will be checked against the current database" 12 60 2>"$data"
sel=$?
case $sel in
0)
GIVEN_HASH=$(<"$data")
if [ ${#GIVEN_HASH} -gt 8 ]; then
if [[ "$GIVEN_HASH" == *' '* ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nThe hash should not contain any spaces" 10 40
else
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd" | awk -F ' ' '{print $1}')
if [[ "$DBHASH" == "$GIVEN_HASH" ]]; then
dialog --title $"Check tripwire" \
--msgbox $"\\nSuccess\\n\\nThe hash you gave matches the current tripwire database" 10 40
else
dialog --title $"Check tripwire" \
--msgbox $"\\nFailed\\n\\nThe hash you gave does not match the current tripwire database. This might be because you reset the tripwire, or there could have been an unauthorised modification of the system" 12 50
fi
fi
fi
;;
esac
rm -f "$data"
}
function show_tripwire_verification_code {
if [ ! -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
return
fi
clear
echo ''
echo $'Tripwire Verification Code'
echo ''
DBHASH=$(sha512sum "/var/lib/tripwire/${HOSTNAME}.twd")
echo -n "$DBHASH" | qrencode -t UTF8
echo ''
echo "$DBHASH"
echo ''
}
function reset_tripwire {
if [ ! -f /usr/bin/reset-tripwire ]; then
echo $'Missing /usr/bin/reset-tripwire'
any_key
return
fi
if [ ! -f "/etc/tripwire/${HOSTNAME}-local.key" ]; then
if [ -f "/etc/tripwire/${PROJECT_NAME}-local.key" ]; then
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-local.key /etc/tripwire/${HOSTNAME}-local.key
# shellcheck disable=SC2086
mv /etc/tripwire/${PROJECT_NAME}-site.key /etc/tripwire/${HOSTNAME}-site.key
else
echo $'Error: missing local key'
any_key
return
fi
fi
clear
echo $'Turing off logging...'
"${PROJECT_NAME}-logging" off
echo $'Locking down permissions...'
lockdown_permissions
echo $'Creating configuration...'
echo '
' | twadmin --create-cfgfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twcfg.txt
echo $'Resetting policy...'
echo '
' | twadmin --create-polfile -S "/etc/tripwire/${HOSTNAME}-site.key" /etc/tripwire/twpol.txt
echo $'Creating tripwire database'
echo '
' | tripwire --init --cfgfile /etc/tripwire/tw.cfg --polfile /etc/tripwire/tw.pol --dbfile "/var/lib/tripwire/${HOSTNAME}.twd"
echo $'Resetting the Tripwire...'
echo ''
echo '
' | reset-tripwire
echo ''
# Sometimes nginx fails to restart if matrix is installed
# Restart matrix first
if [ -d /etc/matrix ]; then
systemctl restart matrix
systemctl restart nginx
fi
if [ -f "/var/lib/tripwire/${HOSTNAME}.twd" ]; then
show_tripwire_verification_code
echo $'Tripwire is now reset. Take a note of the above hash, or record'
echo $'the QR code using a mobile device. This will enable you to independently'
echo $'verify the integrity of the tripwire.'
else
echo $'ERROR: tripwire database was not created'
fi
any_key
}
function passwords_show_apps { function passwords_show_apps {
SELECTED_APP= SELECTED_APP=
i=0 i=0
@ -1065,20 +1175,22 @@ function menu_security_settings {
W=(1 $"Passwords" W=(1 $"Passwords"
2 $"Run STIG tests" 2 $"Run STIG tests"
3 $"Fix STIG test failures" 3 $"Fix STIG test failures"
4 $"Show ssh host public key" 4 $"Show tripwire verification code"
5 $"Tor bridges" 5 $"Reset tripwire"
6 $"Password storage" 6 $"Show ssh host public key"
7 $"Export passwords" 7 $"Tor bridges"
8 $"Regenerate ssh host keys" 8 $"Password storage"
9 $"Regenerate Diffie-Hellman keys" 9 $"Export passwords"
10 $"Update cipersuite" 10 $"Regenerate ssh host keys"
11 $"Create a new Let's Encrypt certificate" 11 $"Regenerate Diffie-Hellman keys"
12 $"Renew Let's Encrypt certificate" 12 $"Update cipersuite"
13 $"Delete a Let's Encrypt certificate" 13 $"Create a new Let's Encrypt certificate"
14 $"Enable GPG based authentication (monkeysphere)" 14 $"Renew Let's Encrypt certificate"
15 $"Register a website with monkeysphere" 15 $"Delete a Let's Encrypt certificate"
16 $"Allow ssh login with passwords" 16 $"Enable GPG based authentication (monkeysphere)"
17 $"Show firewall") 17 $"Register a website with monkeysphere"
18 $"Allow ssh login with passwords"
19 $"Show firewall")
# shellcheck disable=SC2068 # shellcheck disable=SC2068
selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3) selection=$(dialog --backtitle $"Freedombone Administrator Control Panel" --title $"Security Settings" --menu $"Choose an operation, or ESC to exit:" 24 76 24 "${W[@]}" 3>&2 2>&1 1>&3)
@ -1122,53 +1234,61 @@ function menu_security_settings {
exit 0 exit 0
;; ;;
4) 4)
show_tripwire_verification_code
any_key_verify
;;
5)
reset_tripwire
;;
6)
dialog --title $"SSH host public keys" \ dialog --title $"SSH host public keys" \
--msgbox "\\n$(get_ssh_server_key)" 12 60 --msgbox "\\n$(get_ssh_server_key)" 12 60
exit 0 exit 0
;; ;;
5) 7)
menu_tor_bridges menu_tor_bridges
exit 0 exit 0
;; ;;
6) 8)
store_passwords store_passwords
exit 0 exit 0
;; ;;
7) 9)
export_passwords export_passwords
exit 0 exit 0
;; ;;
8) 10)
regenerate_ssh_host_keys regenerate_ssh_host_keys
;; ;;
9) 11)
regenerate_dh_keys regenerate_dh_keys
;; ;;
10) 12)
interactive_setup interactive_setup
update_ciphersuite update_ciphersuite
;; ;;
11) 13)
create_letsencrypt create_letsencrypt
;; ;;
12) 14)
renew_letsencrypt renew_letsencrypt
;; ;;
13) 15)
delete_letsencrypt delete_letsencrypt
;; ;;
14) 16)
enable_monkeysphere enable_monkeysphere
;; ;;
15) 17)
register_website register_website
;; ;;
16) 18)
allow_ssh_passwords allow_ssh_passwords
change_ssh_settings change_ssh_settings
exit 0 exit 0
;; ;;
17) 19)
show_firewall show_firewall
exit 0 exit 0
;; ;;