From e634287f3282ce26200862f6e943a278764a3fe3 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 27 Jun 2017 10:32:46 +0100
Subject: [PATCH] Avoid nfs altogether
---
 src/freedombone-image-customise | 3 +--
 src/freedombone-tests | 38 ---------------------------------
 src/freedombone-utils-setup | 23 --------------------
 3 files changed, 1 insertion(+), 63 deletions(-)
diff --git a/src/freedombone-image-customise b/src/freedombone-image-customise
index 66bf38f5..8943069e 100755
--- a/src/freedombone-image-customise
+++ b/src/freedombone-image-customise
@@ -1039,7 +1039,6 @@ function image_setup_utils {
 chroot "$rootdir" apt-get -yq dist-upgrade
 chroot "$rootdir" apt-get -yq install ca-certificates
 chroot "$rootdir" apt-get -yq install apt-utils
- chroot "$rootdir" apt-get -yq install nfs-kernel-server
 if [[ $ARCHITECTURE == 'amd64' ]]; then
 chroot "$rootdir" apt-get -yq install linux-image-amd64
@@ -1206,7 +1205,7 @@ function image_setup_utils {
 chroot "$rootdir" apt-get -yq install tripwire
 # filesystem optimisations
- sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
+ #sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
 }
 function image_install_nodejs {
diff --git a/src/freedombone-tests b/src/freedombone-tests
index 2ee1678d..cc6f2f9c 100755
--- a/src/freedombone-tests
+++ b/src/freedombone-tests
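Review bot: In the second hunk of src/freedombone-image-customise (`@@ -1206,7 +1205,7 @@`) the `sed` that rewrote the btrfs entry in `$rootdir/etc/fstab` is commented out rather than removed, with no reason given, and the `# filesystem optimisations` heading above it now describes nothing. The commit subject is about NFS, so a reader auditing the image build cannot tell from this hunk whether the mount-option change was disabled deliberately or by accident. Either delete both lines or state the reason next to the disabled command, e.g. `# btrfs mount options left at image defaults: <reason>`. If the line is ever re-enabled, quote the path as `"$rootdir/etc/fstab"` to match the quoted `"$rootdir"` in the chroot calls. image_setup_utils starts outside the hunk.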
@@ -844,26 +844,6 @@ function test_stig {
 output "V-38641" $? ${SETLANG}
 ################
- ##RHEL-06-000269
- ##Remote file systems must be mounted with the nodev option.
- if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
- bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
-
- stig_spinner $!
- output "V-38652" $? ${SETLANG}
- fi
- ################
-
- ##RHEL-06-000270
- ##Remote file systems must be mounted with the nosuid option.
- if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
- bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
-
- stig_spinner $!
- output "V-38654" $? ${SETLANG}
- fi
- ################
-
 ##RHEL-06-000271
 ##The noexec option must be added to removable media partitions.
 if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
@@ -946,15 +926,6 @@ function test_stig {
 output "V-38675" $? ${SETLANG}
 ################
- ##RHEL-06-000309
- ##The NFS server must not have the insecure file locking option enabled.
-
- bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
-
- stig_spinner $!
- output "V-38677" $? ${SETLANG}
- ################
-
 ##RHEL-06-000319
 ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
@@ -1046,15 +1017,6 @@ function test_stig {
 output "V-38462" $? ${SETLANG}
 ################
- ##RHEL-06-000515
- ##The NFS server must not have the all_squash option enabled.
-
- bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
-
- stig_spinner $!
- output "V-38460" $? ${SETLANG}
- ################
-
 ##RHEL-06-000523
 ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index be4311e8..5e0f139e 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -381,15 +381,6 @@ function create_completion_file {
 fi
 }
-function disable_nfs_insecure_locks {
- apt-get -yq install nfs-kernel-server
- if grep 'insecure_locks' /etc/exports; then
- sed -i 's|,insecure_locks||g' /etc/exports
- sed -i 's|insecure_locks,||g' /etc/exports
- exportfs -a
- fi
-}
-
 function remove_management_engine_interface {
 # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
 # Disabling this interface doesn't cure the problems of ME, but it
@@ -488,9 +479,6 @@ function disable_ctrl_alt_del {
 }
 function lockdown_permissions {
- if [ -d /etc/fs/nfs ]; then
- remove_nfs
- fi
 if [ -d /root/.npm ]; then
 find /root/.npm -name package.json -exec chmod 700 {} \;
 fi
@@ -625,11 +613,6 @@ function create_usb_canary {
 mark_completed $FUNCNAME
 }
-function remove_nfs {
- apt-get -yq remove nfs-kernel-server
- apt-get -yq remove nfs-common
-}
-
 function setup_firewall {
 function_check create_completion_file
 create_completion_file
@@ -700,9 +683,6 @@ function setup_utils {
 function_check proc_filesystem_settings
 proc_filesystem_settings
- function_check remove_nfs
- remove_nfs
-
 function_check optimise_filesystem
 optimise_filesystem
@@ -730,9 +710,6 @@ function setup_utils {
 function_check remove_bluetooth
 remove_bluetooth
- function_check disable_nfs_insecure_locks
- disable_nfs_insecure_locks
-
 function_check set_login_umask
 set_login_umask