Avoid nfs altogether

Bob Mottram 2017-06-27 10:32:46 +01:00
parent 33b7625b77
commit e634287f32
3 changed files with 1 additions and 63 deletions


@ -1039,7 +1039,6 @@ function image_setup_utils {
chroot "$rootdir" apt-get -yq dist-upgrade chroot "$rootdir" apt-get -yq dist-upgrade
chroot "$rootdir" apt-get -yq install ca-certificates chroot "$rootdir" apt-get -yq install ca-certificates
chroot "$rootdir" apt-get -yq install apt-utils chroot "$rootdir" apt-get -yq install apt-utils
chroot "$rootdir" apt-get -yq install nfs-kernel-server
if [[ $ARCHITECTURE == 'amd64' ]]; then if [[ $ARCHITECTURE == 'amd64' ]]; then
chroot "$rootdir" apt-get -yq install linux-image-amd64 chroot "$rootdir" apt-get -yq install linux-image-amd64
@ -1206,7 +1205,7 @@ function image_setup_utils {
chroot "$rootdir" apt-get -yq install tripwire chroot "$rootdir" apt-get -yq install tripwire
# filesystem optimisations # filesystem optimisations
sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab #sed -i 's|btrfs subvol=@|btrfs defaults,subvol=@,compress=lzo,ssd|g' $rootdir/etc/fstab
} }
function image_install_nodejs { function image_install_nodejs {
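Review bot: The btrfs `sed -i ... $rootdir/etc/fstab` line at the end of image_setup_utils appears to be disabled by prefixing it with `#`, which is unrelated to the NFS removal the commit title describes and leaves the `# filesystem optimisations` heading with nothing active under it. Either delete the line outright or replace it with a short why-comment such as `# btrfs mount-option tuning disabled: <reason>` so the next maintainer knows whether it is safe to restore. If it is restored, the path should be quoted as `"$rootdir/etc/fstab"` to match the quoted `"$rootdir"` in the chroot calls above it. image_setup_utils begins outside this hunk, so whether anything else depends on those fstab options cannot be seen from here.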


@ -844,26 +844,6 @@ function test_stig {
output "V-38641" $? ${SETLANG} output "V-38641" $? ${SETLANG}
################ ################
##RHEL-06-000269
##Remote file systems must be mounted with the nodev option.
if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
bash $STIG_TESTS_DIR/check-nfs.sh nodev >/dev/null 2>&1 &
stig_spinner $!
output "V-38652" $? ${SETLANG}
fi
################
##RHEL-06-000270
##Remote file systems must be mounted with the nosuid option.
if [ "$(mount | grep nfs | wc -l)" -gt 0 ];then
bash $STIG_TESTS_DIR/check-nfs.sh nosuid >/dev/null 2>&1 &
stig_spinner $!
output "V-38654" $? ${SETLANG}
fi
################
##RHEL-06-000271 ##RHEL-06-000271
##The noexec option must be added to removable media partitions. ##The noexec option must be added to removable media partitions.
if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then if [ "$(grep -Hv ^0$ /sys/block/*/removable | sed s/removable:.*$/device\\/uevent/ | xargs grep -H ^DRIVER=sd | sed s/device.uevent.*$/size/ | xargs grep -Hv ^0$ | cut -d / -f 4 | wc -l)" -gt 0 ];then
@ -946,15 +926,6 @@ function test_stig {
output "V-38675" $? ${SETLANG} output "V-38675" $? ${SETLANG}
################ ################
##RHEL-06-000309
##The NFS server must not have the insecure file locking option enabled.
bash $STIG_TESTS_DIR/check-nfs-insecure.sh > /dev/null 2>&1 &
stig_spinner $!
output "V-38677" $? ${SETLANG}
################
##RHEL-06-000319 ##RHEL-06-000319
##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements. ##The system must limit users to 10 simultaneous system logins, or a site-defined number, in accordance with operational requirements.
@ -1046,15 +1017,6 @@ function test_stig {
output "V-38462" $? ${SETLANG} output "V-38462" $? ${SETLANG}
################ ################
##RHEL-06-000515
##The NFS server must not have the all_squash option enabled.
bash $STIG_TESTS_DIR/check-nfs-all-squash.sh > /dev/null 2>&1 &
stig_spinner $!
output "V-38460" $? ${SETLANG}
################
##RHEL-06-000523 ##RHEL-06-000523
##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets. ##The systems local IPv6 firewall must implement a deny-all, allow-by-exception policy for inbound packets.


@ -381,15 +381,6 @@ function create_completion_file {
fi fi
} }
function disable_nfs_insecure_locks {
apt-get -yq install nfs-kernel-server
if grep 'insecure_locks' /etc/exports; then
sed -i 's|,insecure_locks||g' /etc/exports
sed -i 's|insecure_locks,||g' /etc/exports
exportfs -a
fi
}
function remove_management_engine_interface { function remove_management_engine_interface {
# see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt # see https://www.kernel.org/doc/Documentation/misc-devices/mei/mei.txt
# Disabling this interface doesn't cure the problems of ME, but it # Disabling this interface doesn't cure the problems of ME, but it
@ -488,9 +479,6 @@ function disable_ctrl_alt_del {
} }
function lockdown_permissions { function lockdown_permissions {
if [ -d /etc/fs/nfs ]; then
remove_nfs
fi
if [ -d /root/.npm ]; then if [ -d /root/.npm ]; then
find /root/.npm -name package.json -exec chmod 700 {} \; find /root/.npm -name package.json -exec chmod 700 {} \;
fi fi
@ -625,11 +613,6 @@ function create_usb_canary {
mark_completed $FUNCNAME mark_completed $FUNCNAME
} }
function remove_nfs {
apt-get -yq remove nfs-kernel-server
apt-get -yq remove nfs-common
}
function setup_firewall { function setup_firewall {
function_check create_completion_file function_check create_completion_file
create_completion_file create_completion_file
@ -700,9 +683,6 @@ function setup_utils {
function_check proc_filesystem_settings function_check proc_filesystem_settings
proc_filesystem_settings proc_filesystem_settings
function_check remove_nfs
remove_nfs
function_check optimise_filesystem function_check optimise_filesystem
optimise_filesystem optimise_filesystem
@ -730,9 +710,6 @@ function setup_utils {
function_check remove_bluetooth function_check remove_bluetooth
remove_bluetooth remove_bluetooth
function_check disable_nfs_insecure_locks
disable_nfs_insecure_locks
function_check set_login_umask function_check set_login_umask
set_login_umask set_login_umask