diff options
| -rw-r--r-- | core/bash.html | 10 | ||||
| -rw-r--r-- | core/conf/iptables/iptables-lan.sh | 143 | ||||
| -rw-r--r-- | core/conf/iptables/rules.v4 | 76 | ||||
| -rw-r--r-- | core/conf/sysctl.conf | 148 | ||||
| -rw-r--r-- | core/dash.html | 4 | ||||
| -rw-r--r-- | core/exim.html | 33 | ||||
| -rw-r--r-- | core/grsecurity.html | 85 | ||||
| -rw-r--r-- | core/hardening.html | 197 | ||||
| -rw-r--r-- | core/index.html | 51 | ||||
| -rw-r--r-- | core/linux.html | 71 | ||||
| -rw-r--r-- | core/network.html | 16 | ||||
| -rw-r--r-- | core/package.html | 16 | ||||
| -rw-r--r-- | core/ports.html | 8 | ||||
| -rw-r--r-- | core/reboot.html | 11 | ||||
| -rw-r--r-- | core/scripts/setup-install.sh | 2 | ||||
| -rw-r--r-- | core/tmux.html | 6 | ||||
| -rw-r--r-- | core/tty-terminal.html | 4 | ||||
| -rwxr-xr-x | tools/conf/etc/rc.d/dnscrypt-proxy | 5 | ||||
| -rw-r--r-- | tools/dnsmasq.html | 7 | ||||
| -rw-r--r-- | tools/gitolite.html | 3 | ||||
| -rw-r--r-- | tools/index.html | 6 | ||||
| -rw-r--r-- | tools/mutt.html | 10 | ||||
| -rw-r--r-- | tools/qemu.html | 18 | ||||
| -rw-r--r-- | tools/x.html | 28 |
24 files changed, 671 insertions, 287 deletions
diff --git a/core/bash.html b/core/bash.html index 2c1f6e9..353d7df 100644 --- a/core/bash.html +++ b/core/bash.html @@ -2,12 +2,12 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.4.2. Bash</title> + <title>2.5.2. Bash</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="bash">2.4.2. Bash</h1> + <h1 id="bash">2.5.2. Bash</h1> <p>Just to be sure, setup bash as default login;<p> @@ -32,7 +32,7 @@ alias, editor.</dd> </dl> - <h2 id="profile">2.4.2.1. Profile</h2> + <h2 id="profile">2.5.2.1. Profile</h2> <p>Example of ~/.profile;</p> @@ -43,7 +43,7 @@ export SSH_AUTH_SOCK # enable gpg-agent for ssh </pre> - <h2 id="bashrc">2.4.2.2. Bash RC</h2> + <h2 id="bashrc">2.5.2.2. Bash RC</h2> <p>Example of ~/.bashrc;</p> @@ -106,7 +106,7 @@ fi </pre> - <h2 id="bash_profile">2.4.2.3. Bash profile</h2> + <h2 id="bash_profile">2.5.2.3. Bash profile</h2> <p>Example of ~/.bash_profile;</p> diff --git a/core/conf/iptables/iptables-lan.sh b/core/conf/iptables/iptables-lan.sh index fae7345..58d92c3 100644 --- a/core/conf/iptables/iptables-lan.sh +++ b/core/conf/iptables/iptables-lan.sh @@ -26,8 +26,7 @@ NIC_NAME="enp8s0 wlp7s0" # Logging options. #------------------------------------------------------------------------------ -LOG="LOG --log-level debug --log-tcp-sequence --log-tcp-options" -LOG="$LOG --log-ip-options" +LOG="LOG --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options" # Defaults for rate limiting @@ -59,9 +58,9 @@ $MODPROBE ip_conntrack_irc # Drop everything by default. $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP -$IPTABLES -P OUTPUT ACCEPT +$IPTABLES -P OUTPUT DROP -# Set the nat/mangle/raw tables' chains to ACCEPT +# Set the nat/mangle/raw tables' chains to DROP $IPTABLES -t mangle -P PREROUTING ACCEPT $IPTABLES -t mangle -P INPUT ACCEPT @@ -89,53 +88,58 @@ $IPTABLES -t mangle -Z # Block all IPv6 traffic # If the ip6tables command is available, try to block all IPv6 traffic. -if test -x $IP6TABLES; then +#if test -x $IP6TABLES; then # Set the default policies # drop everything -$IP6TABLES -P INPUT DROP 2>/dev/null -$IP6TABLES -P FORWARD DROP 2>/dev/null -$IP6TABLES -P OUTPUT DROP 2>/dev/null - -# The mangle table can pass everything -$IP6TABLES -t mangle -P PREROUTING ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P INPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P FORWARD ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P OUTPUT ACCEPT 2>/dev/null -$IP6TABLES -t mangle -P POSTROUTING ACCEPT 2>/dev/null +#$IP6TABLES -P INPUT DROP +#$IP6TABLES -P FORWARD DROP +#$IP6TABLES -P OUTPUT DROP +# +## The mangle table can pass everything +#$IP6TABLES -t mangle -P PREROUTING ACCEPT +#$IP6TABLES -t mangle -P INPUT ACCEPT +#$IP6TABLES -t mangle -P FORWARD ACCEPT +#$IP6TABLES -t mangle -P OUTPUT ACCEPT +#$IP6TABLES -t mangle -P POSTROUTING ACCEPT # Delete all rules. -$IP6TABLES -F 2>/dev/null -$IP6TABLES -t mangle -F 2>/dev/null - -# Delete all chains. -$IP6TABLES -X 2>/dev/null -$IP6TABLES -t mangle -X 2>/dev/null - -# Zero all packets and counters. -$IP6TABLES -Z 2>/dev/null -$IP6TABLES -t mangle -Z 2>/dev/null -fi +#$IP6TABLES -F 2>/dev/null +#$IP6TABLES -t mangle -F 2>/dev/null +# +## Delete all chains. +#$IP6TABLES -X 2>/dev/null +#$IP6TABLES -t mangle -X 2>/dev/null +# +## Zero all packets and counters. +#$IP6TABLES -Z 2>/dev/null +#$IP6TABLES -t mangle -Z 2>/dev/null +#fi # Custom user-defined chains. #------------------------------------------------------------------------------ # LOG packets, then ACCEPT. $IPTABLES -N ACCEPTLOG -$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "ACCEPT " +$IPTABLES -A ACCEPTLOG -j $LOG $RLIMIT --log-prefix "iptables: ACCEPT " $IPTABLES -A ACCEPTLOG -j ACCEPT # LOG packets, then DROP. $IPTABLES -N DROPLOG -$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "DROP " +$IPTABLES -A DROPLOG -j $LOG $RLIMIT --log-prefix "iptables: DROP " $IPTABLES -A DROPLOG -j DROP # LOG packets, then REJECT. # TCP packets are rejected with a TCP reset. $IPTABLES -N REJECTLOG -$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "REJECT " +$IPTABLES -A REJECTLOG -j $LOG $RLIMIT --log-prefix "iptables: REJECT " $IPTABLES -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset $IPTABLES -A REJECTLOG -j REJECT +# Allow loopback interface to do anything. +$IPTABLES -A INPUT -i lo -j ACCEPT +$IPTABLES -A OUTPUT -o lo -j ACCEPT + + # Only allows RELATED ICMP types # (destination-unreachable, time-exceeded, and parameter-problem). # TODO: Rate-limit this traffic? @@ -185,10 +189,6 @@ $IPTABLES -A FORWARD -p icmp -j DROPLOG # Selectively allow certain special types of traffic. #------------------------------------------------------------------------------ -# Allow loopback interface to do anything. -$IPTABLES -A INPUT -i lo -j ACCEPT -$IPTABLES -A OUTPUT -o lo -j ACCEPT - # Allow incoming connections related to existing allowed connections. $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT @@ -199,7 +199,7 @@ $IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #------------------------------------------------------------------------------ # We don't care about Milkosoft, Drop SMB/CIFS/etc.. -# ^ person before me; my label = psychogreedyevilsoft +# ^ greedyevilsoft $IPTABLES -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP $IPTABLES -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP @@ -234,12 +234,13 @@ $IPTABLES -A SYN_FLOOD -m limit --limit 2/s --limit-burst 6 -j RETURN $IPTABLES -A SYN_FLOOD -j DROP -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 -$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP - -$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " -$IPTABLES -A INPUT -f -j DROP +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 30/min --limit-burst 7 -j DROPLOG --log-prefix "iptables: drop sync: " --log-level 7 +#$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +#$IPTABLES -A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +#$IPTABLES -A INPUT -f -j DROP +$IPTABLES -A INPUT -f -j DROPLOG # TODO: ICQ, MSN, GTalk, Skype, Yahoo, etc... @@ -247,22 +248,67 @@ $IPTABLES -A INPUT -f -j DROP #------------------------------------------------------------------------------ # Allow incoming SSH requests. -$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT +#$IPTABLES -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT + +# Allow incoming https server +#$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --sport $PHIGH -m state --state NEW,ESTABLISHED -j ACCEPT + + +# Selectively allow certain outbound connections, block the rest. +#------------------------------------------------------------------------------ +# + +# Allow ping +$IPTABLES -A OUTPUT -p icmp --icmp-type 8 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to ssh clients +$IPTABLES -A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT + +# Allow to dns +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow irc +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to xmmp +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 5222 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +# Allow to rsync server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to pop3s server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to smtps server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ntp server +$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to ftp server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to https server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT +#$IPTABLES -A OUTPUT -p udp -m udp --sport $PHIGH --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +# Allow to http server +$IPTABLES -A OUTPUT -p tcp -m tcp --sport $PHIGH --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT + +# Selectively allow certain outbound server connections, block the rest. +#------------------------------------------------------------------------------ + +# Allow from https server +#$IPTABLES -A OUTPUT -p tcp -m tcp --sport 443 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT + +# Allow from dns server +#$IPTABLES -A OUTPUT -p udp -m udp --sport 53 --dport $PHIGH -m state --state ESTABLISHED -j ACCEPT # Explicitly log and reject everything else. #------------------------------------------------------------------------------ # Use REJECT instead of REJECTLOG if you don't need/want logging. -$IPTABLES -A INPUT -j REJECTLOG -$IPTABLES -A OUTPUT -j REJECTLOG +$IPTABLES -A INPUT -j DROPLOG +$IPTABLES -A OUTPUT -j DROPLOG $IPTABLES -A FORWARD -j REJECTLOG # Counter hits -for i in $NIC_NAME -do - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set - iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP -done +#for i in $NIC_NAME +#do +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --set +# iptables -I INPUT -p tcp -m multiport --dports 22 -i $i -m state --state NEW -m recent --update --seconds 50 --hitcount 3 -j DROP +#done #------------------------------------------------------------------------------ # Testing the firewall. @@ -273,5 +319,4 @@ done # Exit gracefully. #------------------------------------------------------------------------------ - - exit 0 +exit 0 diff --git a/core/conf/iptables/rules.v4 b/core/conf/iptables/rules.v4 index 5a2ffe8..568455a 100644 --- a/core/conf/iptables/rules.v4 +++ b/core/conf/iptables/rules.v4 @@ -1,25 +1,25 @@ -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *security -:INPUT ACCEPT [3624:2121853] +:INPUT ACCEPT [4559:2307887] :FORWARD ACCEPT [0:0] -:OUTPUT ACCEPT [3590:999020] +:OUTPUT ACCEPT [4459:962215] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *raw -:PREROUTING ACCEPT [5432:2268406] -:OUTPUT ACCEPT [3623:1011362] +:PREROUTING ACCEPT [18446:3412851] +:OUTPUT ACCEPT [4467:962535] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *nat -:PREROUTING ACCEPT [1808:146553] -:INPUT ACCEPT [0:0] -:OUTPUT ACCEPT [322:28410] -:POSTROUTING ACCEPT [289:16068] +:PREROUTING ACCEPT [13936:1107904] +:INPUT ACCEPT [49:2940] +:OUTPUT ACCEPT [504:40037] +:POSTROUTING ACCEPT [504:40037] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] @@ -27,21 +27,18 @@ COMMIT :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT -# Completed on Tue Feb 21 13:55:04 2017 -# Generated by iptables-save v1.6.1 on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 +# Generated by iptables-save v1.6.1 on Sat Feb 25 18:34:17 2017 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] -:OUTPUT ACCEPT [0:0] +:OUTPUT DROP [0:0] :ACCEPTLOG - [0:0] :DROPLOG - [0:0] :REJECTLOG - [0:0] :RELATED_ICMP - [0:0] :SYN_FLOOD - [0:0] --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i wlp7s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --update --seconds 50 --hitcount 3 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP --A INPUT -i enp8s0 -p tcp -m multiport --dports 22 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource +-A INPUT -i lo -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j ACCEPT -A INPUT -p icmp -m limit --limit 1/sec --limit-burst 2 -j LOG --log-prefix "PING-DROP:" -A INPUT -p icmp -j DROP @@ -50,7 +47,6 @@ COMMIT -A INPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A INPUT -p icmp -j DROPLOG --A INPUT -i lo -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP -A INPUT -p udp -m multiport --dports 135,137,138,139,445,1433,1434 -j DROP @@ -68,31 +64,41 @@ COMMIT -A INPUT -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROPLOG -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j SYN_FLOOD --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 --A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP --A INPUT -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " --A INPUT -f -j DROP --A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT --A INPUT -j REJECTLOG +-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROPLOG +-A INPUT -f -j DROPLOG +-A INPUT -j DROPLOG -A FORWARD -p icmp -f -j DROPLOG -A FORWARD -p icmp -j DROPLOG -A FORWARD -m state --state INVALID -j DROP -A FORWARD -j REJECTLOG +-A OUTPUT -o lo -j ACCEPT -A OUTPUT -p icmp -j ACCEPT -A OUTPUT -p icmp -f -j DROPLOG -A OUTPUT -p icmp -m state --state ESTABLISHED -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -m state --state RELATED -m limit --limit 3/sec --limit-burst 8 -j RELATED_ICMP -A OUTPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec --limit-burst 8 -j ACCEPT -A OUTPUT -p icmp -j DROPLOG --A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -m state --state INVALID -j DROP --A OUTPUT -j REJECTLOG --A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A OUTPUT -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 5222 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT +-A OUTPUT -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A OUTPUT -j DROPLOG +-A ACCEPTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: ACCEPT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A ACCEPTLOG -j ACCEPT --A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A DROPLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: DROP " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A DROPLOG -j DROP --A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options +-A REJECTLOG -m limit --limit 3/sec --limit-burst 8 -j LOG --log-prefix "iptables: REJECT " --log-level 7 --log-tcp-sequence --log-tcp-options --log-ip-options -A REJECTLOG -p tcp -j REJECT --reject-with tcp-reset -A REJECTLOG -j REJECT --reject-with icmp-port-unreachable -A RELATED_ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT @@ -102,4 +108,4 @@ COMMIT -A SYN_FLOOD -m limit --limit 2/sec --limit-burst 6 -j RETURN -A SYN_FLOOD -j DROP COMMIT -# Completed on Tue Feb 21 13:55:04 2017 +# Completed on Sat Feb 25 18:34:17 2017 diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b60d3e6..d17c0c6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,9 +2,13 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 15 1 1 4 -kernel.randomize_va_space = 1 -kernel.shmmax = 500000000 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -16,14 +20,13 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -#kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. -#kernel.grsecurity.deter_bruteforce = 1 +kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -58,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 +kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -#kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1 # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -#kernel.grsecurity.fifo_restrictions = 1 +kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1 # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. -kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. @@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 0 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to @@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. -#kernel.grsecurity.resource_logging = 1 -kernel.grsecurity.resource_logging = 0 +kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 -kernel.grsecurity.audit_ptrace = 0 +kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 +kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. -#kernel.grsecurity.audit_mount = 1 -kernel.grsecurity.audit_mount = 0 +kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. -kernel.grsecurity.signal_logging = 0 +kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 -kernel.grsecurity.forkfail_logging = 0 +kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. -#kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. -#kernel.grsecurity.rwxmap_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 1 +#kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -#kernel.grsecurity.consistent_setxid = 1 +kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 +kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 101 +kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1 # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 0 +kernel.grsecurity.tpe_restrict_all = 1 + +kernel.grsecurity.harden_tty = 1 -#kernel.grsecurity.harden_tty = 1 # # Network Protections # @@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 -# Avoid a smurf attack +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm @@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 @@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 + +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off @@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. -#kernel.grsecurity.ip_blackhole = 1 -#kernel.grsecurity.lastack_retries = 4 +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -#kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -#kernel.grsecurity.socket_client_gid = 203 +kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be @@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. -#kernel.grsecurity.socket_server_gid = 204 +kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. -#kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # -#kernel.grsecurity.grsec_lock = 1 - - +kernel.grsecurity.grsec_lock = 0 # End of file diff --git a/core/dash.html b/core/dash.html index ed6dbab..a926ce7 100644 --- a/core/dash.html +++ b/core/dash.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.4.1. Dash</title> + <title>2.5.1. Dash</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.4.1. Dash</h1> + <h1>2.5.1. Dash</h1> <p>By default dash installed as /bin/sh, if not relink;</p> diff --git a/core/exim.html b/core/exim.html index c1fd494..e922789 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,24 +2,33 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.5. Exim</title> + <title>2.6. Exim</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.5. Exim</h1> + <h1>2.6. Exim</h1> - <h2 id="conf">2.5.1. Exim Configuration</h2> + <h2 id="conf">2.6.1. Exim Configuration</h2> <p>Exim come with default configuration we will change to mach system settings <a href="conf/etc/exim/exim.conf">/etc/exim/exim.conf</a>.</p> - <h2 id="cert">2.5.2. Certificates</h2> + <pre> + $ sudo prt-get depinst mailx + </pre> - <p>Create private key, this example issues a certificate to - core.privat-server.net, if you wish get a subdomain from - <a href="http://freedns.afraid.org">afraid.org</a> - pointing to your public ip. - </p> + <h2 id="cert">2.6.2. Certificates</h2> + + <p>Exim creates a key for you if you just copy exim.conf and start daemon;</p> + + <pre> + # cp /home/silvino/data/git/c9/c9-doc/core/conf/exim/exim.conf /etc/exim/exim.conf + # sh /etc/rc.d/exim start + SSL certificate /etc/ssl/certs/exim.crt with key /etc/ssl/keys/exim.key for host c9.core created + # + </pre> + + <p>Manually create a private key;</p> <pre> $ sudo mkdir /etc/ssl/keys @@ -55,7 +64,7 @@ # chmod 644 /etc/ssl/certs/exim.cert </pre> - <h2 id="alias">2.5.3. Aliases</h2> + <h2 id="alias">2.6.3. Aliases</h2> <p>Exim come with default aliases we will change to mach system settings <a href="conf/etc/exim/aliases">/etc/exim/aliases;</a></p> @@ -100,7 +109,7 @@ #### </pre> - <h2 id="smarthost">2.5.4. Smarthost</h2> + <h2 id="smarthost">2.6.4. Smarthost</h2> <p>Tony Finch publish a nice <a href="http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/exim/etc/etc.cam/configure">configuration reference</a>. @@ -124,7 +133,7 @@ # exim -bt bob@remote.com </pre> - <h2 id="fetchmail">2.5. Fetchmail</h2> + <h2 id="fetchmail">2.6. Fetchmail</h2> <pre> $ prt-get depinst fetchmail diff --git a/core/grsecurity.html b/core/grsecurity.html new file mode 100644 index 0000000..cda9bfb --- /dev/null +++ b/core/grsecurity.html @@ -0,0 +1,85 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Grsecurity</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + + <h1>Grsecurity</h1> + + <p>Grsecurity utilities are installed and configured in + <a href="hardening.html">hardening</a>, kernel witch grsecurity + patch is installed using + <a href="../core/reboot.html#linux">linux port</a>.</p> + + + <h2>Special Groups</h2> + <pre> + getent group tpe >/dev/null || groupadd -g 200 tpe + getent group audit >/dev/null || groupadd -g 201 audit + getent group socket-deny-all >/dev/null || groupadd -g 202 socket-deny-all + getent group socket-deny-client >/dev/null || groupadd -g 203 socket-deny-client + getent group socket-deny-server >/dev/null || groupadd -g 204 socket-deny-server + </pre> + + <h2>Pax</h2> + + <p>Grub uses nested functions and thus needs either PAX_EMUTRAMP enabled in the kernel and EMUTRAMP enabled on affected binaries, or if PAX_EMUTRAMP is not enabled in the kernel, needs MPROTECT disabled on affected binaries. Depending on the version of grub in use, some of the following files may not exist, but you should mark all those that exist. To add EMUTRAMP, use the '-CE' argument to paxctl. To remove MPROTECT, use '-Cm'.</p> + + /usr/bin/grub-script-check + /usr/sbin/grub-probe + /usr/sbin/grub-mkdevicemap + + <h2 id="gradm">Gradm</h2> + + <p>Gradm is grsecurity access control lists administration utility. Gradm + have a + <a href="https://en.wikibooks.org/wiki/Grsecurity/The_Administration_Utility#Learning_Mode">learning mode</a> + per-subject, per-role or system-wide. Learning mode gather information that + RBAC system supports, it reduces policy size, increase readability and enforces + that is configurable. Protected resources can be added to /etc/grsec/learn_cong + to learning system.</p> + + <p>Entering in learning mode;</p> + + <pre> + # gradm -F -L /etc/grsec/learning.log + </pre> + + <p>To perform administrative tasks while system learning is running, + authenticate to admin role;</p> + + <pre> + # gradm -a admin + </pre> + + <p>When learning system have gather sufficient data disable RBAC system;</p> + + <pre> + # gradm -D + </pre> + + <p>Now that RBAC is disable data collected can be used to generate ACLs;</p> + + <pre> + # gradm -F -L /etc/grsec/learning.logs -O /etc/grset/policy + </pre> + + <p>Start RBAC with policy;</p> + + <pre> + # gradm -E + </pre> + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/core/hardening.html b/core/hardening.html new file mode 100644 index 0000000..478c911 --- /dev/null +++ b/core/hardening.html @@ -0,0 +1,197 @@ +<!DOCTYPE html> +<html dir="ltr" lang="en"> + <head> + <meta charset='utf-8'> + <title>Hardening</title> + </head> + <body> + + <a href="index.html">Tools Index</a> + + <h1>Hardening</h1> + + <p>Kernel in ports have upstream linux kernel and + grsecurity patch, it should break some functionality + for the user and pkgmk user if tpe protection is active.</p> + + <pre> + $ sudo prt-get depinst gradm paxtest paxd checksec lynis + </pre> + + <p>Check <a href="grsecurity.html">grsecurity</a> on how to setup + kernel, pax and gradm.</p> + + <p>Lynis tries to give system overall configuration, without + changing default profile run irrelevant tests. Create a lynis + profile by coping default one and run lynis;</p> + + <pre> + $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf + $ sudo lynis configure settings color=yes + $ sudo lynis show settings + $ sudo lynis show profile + </pre> + + <pre> + $ lynis audit system > lynis_report + $ mv /tmp/lynis.log . + $ mv /tmp/lynis-report.dat . + </pre> + + <p>Add unnecessary tests to profile to have less noise.</p> + + <h2 id="toolchain">Rebuild Toolchain</h2> + + <p>Add flags to pkgmk configuration and change specific ports that + don't build with hardening flags. More information about + <a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>, + gentoo security, + <a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options + and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a> + configuring and compiling. Edit /etc/pkgmk.conf;</p> + + <pre> + export CPPFLAGS="-D_FORTIFY_SOURCE=2" + export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="-z relro" + </pre> + + <h3>Core</h3> + + <p>Ports in core collection that need to be changed in order + to build with pkgmk harden configuration.</p> + + <h4>Glibc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <pre> + ../$name-${version:0:4}/configure --prefix=/usr \ + --libexecdir=/usr/lib \ + --with-headers=$PKG/usr/include \ + --enable-kernel=3.12 \ + --enable-add-ons \ + --enable-static-nss \ + --disable-profile \ + --disable-werror \ + --without-gd \ + --enable-obsolete-rpc \ + --enable-multi-arch \ + --enable-stackguard-randomization \ + --enable-stack-protector=strong + </pre> + + <h4>Gcc</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h4>libcap</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li> + </ul> + + <h4>bzip2</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li> + </ul> + + <h4>hdparm</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li> + </ul> + + <h3>Opt</h3> + + <h4>lsof</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li> + </ul> + + <h4>python</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li> + </ul> + + <h4>zip</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li> + </ul> + + <h4>glew</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li> + </ul> + + <h4>dmenu</h4> + + <ul> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li> + </ul> + + <h4>Boost</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li> + </ul> + + <pre> + export CPPFLAGS="" + export CFLAGS="-O2 -march=native -mtune=native" + export CXXFLAGS="${CFLAGS}" + export LDFLAGS="" + </pre> + + <h3>Contrib</h3> + + <h4>gsl</h4> + + <ul> + <li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li> + <li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li> + </ul> + + + <a href="index.html">Tools Index</a> + <p>This is part of the c9-doc Manual. + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> + + </body> +</html> diff --git a/core/index.html b/core/index.html index 6859376..97376f4 100644 --- a/core/index.html +++ b/core/index.html @@ -79,41 +79,46 @@ <li><a href="linux.html#sysctl">2.1.5. Sysctl</a></li> </ul> </li> - - <li><a href="network.html">2.2. Network</a> + <li><a href="hardening.html">2.2. Hardening</a> + <ul> + <li><a href="grsecurity.html">2.2.1 Grsecurity</a></li> + <li><a href="samhain.html">2.2.2 Samhain</a></li> + </ul> + </li> + <li><a href="network.html">2.3. Network</a> <ul> - <li><a href="network.html#resolv">2.2.1. Resolver</a></li> - <li><a href="network.html#static">2.2.2. Static ip</a></li> - <li><a href="network.html#iptables">2.2.3. Iptables</a></li> - <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li> + <li><a href="network.html#resolv">2.3.1. Resolver</a></li> + <li><a href="network.html#static">2.3.2. Static ip</a></li> + <li><a href="network.html#iptables">2.3.3. Iptables</a></li> + <li><a href="network.html#wpa">2.3.4. Wpa and dhcpd</a></li> </ul> </li> - <li><a href="package.html">2.3. Package Management</a> + <li><a href="package.html">2.4. Package Management</a> <ul> - <li><a href="package.html#sysup">2.3.1. Update system</a></li> - <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li> - <li><a href="package.html#ports">2.3.3. Ports collections</a></li> - <li><a href="package.html#info">2.3.3. Show port information</a></li> - <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li> - <li><a href="package.html#printf">2.3.5. Print information</a></li> + <li><a href="package.html#sysup">2.4.1. Update system</a></li> + <li><a href="package.html#depinst">2.4.2. Install ports and dependencies</a></li> + <li><a href="package.html#ports">2.4.3. Ports collections</a></li> + <li><a href="package.html#info">2.4.3. Show port information</a></li> + <li><a href="package.html#depends">2.4.4. Show port dependencies</a></li> + <li><a href="package.html#printf">2.4.5. Print information</a></li> </ul> </li> - <li><a href="tty-terminal.html">2.4. Terminals and shells</a> + <li><a href="tty-terminal.html">2.5. Terminals and shells</a> <ul> - <li><a href="dash.html">2.4.1. Dash</a></li> - <li><a href="bash.html">2.4.2. Bash</a></li> - <li><a href="tmux.html">2.4.3. Tmux</a></li> + <li><a href="dash.html">2.5.1. Dash</a></li> + <li><a href="bash.html">2.5.2. Bash</a></li> + <li><a href="tmux.html">2.5.3. Tmux</a></li> </ul> </li> - <li><a href="exim.html">2.5. Exim</a> + <li><a href="exim.html">2.6. Exim</a> <ul> - <li><a href="exim.html#conf">2.5.1. Exim Configuration</a></li> - <li><a href="exim.html#cert">2.5.2. Certificates</a></li> - <li><a href="exim.html#alias">2.5.3. Aliases</a></li> - <li><a href="exim.html#smarthost">2.5.4. Smarthost</a></li> - <li><a href="exim.html#fetchmail">2.5.5. Fetchmail</a></li> + <li><a href="exim.html#conf">2.6.1. Exim Configuration</a></li> + <li><a href="exim.html#cert">2.6.2. Certificates</a></li> + <li><a href="exim.html#alias">2.6.3. Aliases</a></li> + <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li> + <li><a href="exim.html#fetchmail">2.6.5. Fetchmail</a></li> </ul> </li> diff --git a/core/linux.html b/core/linux.html index 903d9e2..888b916 100644 --- a/core/linux.html +++ b/core/linux.html @@ -164,9 +164,8 @@ kernel.printk = 7 1 1 4 kernel.randomize_va_space = 2 - kernel.kptr_restrict = 2 # Shared Memory - kernel.shmmax = 500000000 + #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 @@ -188,7 +187,6 @@ # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. - #kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -207,7 +205,7 @@ # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. - #kernel.grsecurity.deter_bruteforce = 1 + kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -223,7 +221,7 @@ # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 1 + kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -237,7 +235,7 @@ # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. - #kernel.grsecurity.enforce_symlinksifowner = 1 + kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -245,7 +243,7 @@ # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. - #kernel.grsecurity.fifo_restrictions = 1 + kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -280,14 +278,14 @@ # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. - kernel.grsecurity.chroot_deny_chmod = 1 + kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking # out of a chroot jail and should not be allowed. If the sysctl # option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 + kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -400,7 +398,7 @@ # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. - #kernel.grsecurity.resource_logging = 1 + kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain @@ -412,8 +410,7 @@ # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. - #kernel.grsecurity.audit_ptrace = 1 - kernel.grsecurity.audit_ptrace = 0 + kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option @@ -423,27 +420,26 @@ # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. - #kernel.grsecurity.audit_mount = 1 - kernel.grsecurity.audit_mount = 0 + kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. - kernel.grsecurity.signal_logging = 0 + kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 - kernel.grsecurity.forkfail_logging = 0 + kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. - #kernel.grsecurity.timechange_logging = 1 + kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when @@ -452,7 +448,7 @@ # is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. - #kernel.grsecurity.rwxmap_logging = 1 + kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -469,7 +465,7 @@ kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms - kernel.kptr_restrict = 1 + #kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you @@ -505,7 +501,7 @@ # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. - #kernel.grsecurity.consistent_setxid = 1 + kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -523,7 +519,7 @@ # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 1 + kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -531,7 +527,7 @@ # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 101 + kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -550,10 +546,11 @@ # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 0 + kernel.grsecurity.tpe_restrict_all = 1 - #kernel.grsecurity.harden_tty = 1 + kernel.grsecurity.harden_tty = 1 + # # Network Protections # @@ -687,14 +684,14 @@ # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. - #kernel.grsecurity.ip_blackhole = 1 - #kernel.grsecurity.lastack_retries = 4 + kernel.grsecurity.ip_blackhole = 1 + kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. - #kernel.grsecurity.socket_all = 1 + kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -708,13 +705,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_client = 1 + kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. - #kernel.grsecurity.socket_client_gid = 203 + kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be @@ -722,13 +719,13 @@ # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. - #kernel.grsecurity.socket_server = 1 + kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. - #kernel.grsecurity.socket_server_gid = 204 + kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -744,12 +741,12 @@ # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. - #kernel.grsecurity.deny_new_usb = 0 + kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # - #kernel.grsecurity.grsec_lock = 1 + kernel.grsecurity.grsec_lock = 0 # End of file </pre> @@ -757,10 +754,10 @@ <a href="index.html">Core OS Index</a> <p>This is part of the c9-doc Manual. -Copyright (C) 2017 -c9 team. -See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> -for copying conditions.</p> + Copyright (C) 2017 + c9 team. + See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> + for copying conditions.</p> </body> </html> diff --git a/core/network.html b/core/network.html index bcf52f5..4f1f20a 100644 --- a/core/network.html +++ b/core/network.html @@ -2,12 +2,12 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2. Network</title> + <title>2.3. Network</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2. Network</h1> + <h1>2.3. Network</h1> <p>Operation of the network can be handle with init scripts;</p> @@ -49,7 +49,7 @@ described scripts then proceed to <a href="package.html#sysup">update system.</a></p> - <h2 id="resolv">2.2.1. Resolver</h2> + <h2 id="resolv">2.3.1. Resolver</h2> <p>This example will use <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> @@ -65,7 +65,7 @@ # chattr +i /etc/resolv.conf </pre> - <h2 id="static">2.2.2. Static IP</h2> + <h2 id="static">2.3.2. Static IP</h2> <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> @@ -112,7 +112,7 @@ # ip route add default via ${GW} </pre> - <h2 id="iptables">2.2.3. Iptables</h2> + <h2 id="iptables">2.3.3. Iptables</h2> <p>For more information about iptables read <a href="https://wiki.archlinux.org/index.php/Iptables">arch wiki</a>. @@ -149,7 +149,7 @@ <p> - <h2 id="wpa">2.2.4. Wpa and dhcpd</h2> + <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> <p>There is more information on <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and @@ -167,7 +167,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 </pre> - <h3>2.2.4.1. Wpa Supplicant</h3> + <h3>2.3.4.1. Wpa Supplicant</h3> <p>Configure wpa supplicant edit;</p> @@ -197,7 +197,7 @@ init script to auto load wpa configuration and dhcp client.</p> - <h3>2.2.4.2. Wpa Cli</h3> + <h3>2.3.4.2. Wpa Cli</h3> <pre> # wpa_cli diff --git a/core/package.html b/core/package.html index 3c59669..327029e 100644 --- a/core/package.html +++ b/core/package.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.3. Package Management</title> + <title>2.4. Package Management</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.3. Package Management</h1> + <h1>2.4. Package Management</h1> <p>For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion </pre> - <h2 id="sysup">2.3.1. Update System</h2> + <h2 id="sysup">2.4.1. Update System</h2> <p>Before build software get latest version of port collections;</p> @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) </pre> - <h2 id="depinst">2.3.2. Install port and dependencies</h2> + <h2 id="depinst">2.4.2. Install port and dependencies</h2> <p>Installing using prt-get tool;</p> @@ -111,7 +111,7 @@ <p>If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.</p> - <h3 id="ports">2.3.3. Ports collections</h3> + <h3 id="ports">2.4.3. Ports collections</h3> <p>Clone this documentation;</p> @@ -146,7 +146,7 @@ $ sudo ports -u 6c37 </pre> - <h2 id="info">2.3.4. Show port information</h2> + <h2 id="info">2.4.4. Show port information</h2> <pre> $ prt-get info port_name @@ -164,13 +164,13 @@ $ pkginfo -o filename </pre> - <h2 id="depends">2.3.5. Show port dependencies</h2> + <h2 id="depends">2.4.5. Show port dependencies</h2> <pre> $ prt-get depends port_name </pre> - <h2 id="printf">2.3.6. Print information</h2> + <h2 id="printf">2.4.6. Print information</h2> <p>Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;</p> diff --git a/core/ports.html b/core/ports.html index 98ccbba..9662e43 100644 --- a/core/ports.html +++ b/core/ports.html @@ -23,8 +23,8 @@ # useradd -U -M -d /usr/ports -s /bin/false pkgmk </pre> - <p>You can add your self to group pkgmk, Members of this group will - not be under <a href="linux.html#sysctl">tpe</a> protection.</p> + <p>You can add your self to group pkgmk. Check if members of this + group are under <a href="linux.html#sysctl">tpe</a> protection.</p> <pre> # usermod -a -G pkgmk c9admin @@ -62,7 +62,7 @@ <p>Edit fstab, change uid to id of pkgmk, this example 102;</p> <pre> - pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults 0 0 + pkgmk /usr/ports/work tmpfs size=30G,uid=102,defaults,mode=0750 0 0 </pre> @@ -86,8 +86,6 @@ export CFLAGS="-O2 -march=native -mtune=native" </pre> - <p>"-protector-strong" which only insert stack canaries in fuctions where overflow might actually happen</p> - <p>Discover number of cores/cpus to hard code -j option.</p> <pre> diff --git a/core/reboot.html b/core/reboot.html index 7bc22ea..23e2996 100644 --- a/core/reboot.html +++ b/core/reboot.html @@ -33,13 +33,22 @@ <h2 id="linux">1.4.1. Linux Kernel</h2> - <p>Core ports have two kernels, linux-libre and linux-blob. + <p>Core ports have two + <a href="linux.html">linux kernels</a>, + <a href="ports/linux-libre">linux-libre</a> and + <a href="ports/linux-blob">linux-blob</a>. Port linux-libre kernel is a true source based kernel that respects your freedoms, is x86_64 but not generic configured, select modules (drivers) for your hardware, for example correct graphic driver and disk. Port linux-blob is dangerous, contain blobs (from bad corporations).</p> + <p>Addition to upstream kernel is applied a patch with + more cpu families gcc optimizations and grsecurity patch. + Check tpe protection configuration on + <a href="linux.html#sysctl">sysctl</a> if breaks functionality + during initial configuration.</p> + <pre> # cd /usr/ports/c9-ports/linux-libre # pkgmk -d diff --git a/core/scripts/setup-install.sh b/core/scripts/setup-install.sh index 01e3bd1..0e0a720 100644 --- a/core/scripts/setup-install.sh +++ b/core/scripts/setup-install.sh @@ -270,7 +270,7 @@ setup_ports() { PATH=/bin:/usr/bin:/sbin:/usr/sbin \ /bin/bash -c "id pkgmk >> /etc/fstab" - echo "pkgmk /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0 0" >> $CHROOT/etc/fstab + echo "pkgmk /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults,mode=0750 0 0" >> $CHROOT/etc/fstab vim $CHROOT/etc/fstab diff --git a/core/tmux.html b/core/tmux.html index d1ab587..fe494b5 100644 --- a/core/tmux.html +++ b/core/tmux.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.4.3. Tmux</title> + <title>2.5.3. Tmux</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="tmux">2.4.3. Tmux</h1> + <h1 id="tmux">2.5.3. Tmux</h1> <p>Install tmux, improves cli work efficiency;</p> @@ -79,7 +79,7 @@ key } swap pane </pre> - <h2 id="cpypst">2.4.3.1. Copy paste</h2> + <h2 id="cpypst">2.5.3.1. Copy paste</h2> <p>This instructions are valid if tmux.conf file discribed in this document is used;</p> diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 47f7bf0..1abf15e 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.4. Consoles, terminals and shells</title> + <title>2.5. Consoles, terminals and shells</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.4. Consoles, terminals and shells</h1> + <h1>2.5. Consoles, terminals and shells</h1> <dl> <dt>Consoles</dt> diff --git a/tools/conf/etc/rc.d/dnscrypt-proxy b/tools/conf/etc/rc.d/dnscrypt-proxy index 0874fa6..db8cd77 100755 --- a/tools/conf/etc/rc.d/dnscrypt-proxy +++ b/tools/conf/etc/rc.d/dnscrypt-proxy @@ -12,7 +12,7 @@ # Authors: https://github.com/simonclausen/dnscrypt-autoinstall/graphs/contributors # Project site: https://github.com/simonclausen/dnscrypt-autoinstall -USER=nobody +USER=net PATH=/usr/sbin:/usr/bin:/sbin:/bin DAEMON=/usr/sbin/dnscrypt-proxy NAME=dnscrypt-proxy @@ -24,7 +24,8 @@ PKEY1=3748:5585:E3B9:D088:FD25:AD36:B037:01F5:520C:D648:9E9A:DD52:1457:4955:9F0A case "$1" in start) echo "Starting $NAME" - $DAEMON --daemonize --ephemeral-keys --user=nobody --local-address=127.0.0.1:40 \ + $DAEMON --daemonize --ephemeral-keys --user=nobody \ + --local-address=127.0.0.1:40 \ --resolver-address=$ADDRESS3 \ --provider-name=$PNAME1 \ --provider-key=$PKEY3 \ diff --git a/tools/dnsmasq.html b/tools/dnsmasq.html index 2aa7b82..720979b 100644 --- a/tools/dnsmasq.html +++ b/tools/dnsmasq.html @@ -14,6 +14,11 @@ censorship there for respect your freedom and privacy. Read <a href="https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver/PublicDnsResolvers#PublicDNSServers">Tor Dns Resolver</a> for more information.</p> + <pre> + $ sudo useradd -M -r -s /bin/false -g net net + </pre> + + <h2 id="dnscrypt">1. Dnscrypt</h2> <pre> @@ -28,7 +33,7 @@ nobody user. Basic usage example;</p> <pre> - $ sudo -u nobody dnscrypt-proxy --daemonize --resolver-name=<resolver name> + $ sudo -u net dnscrypt-proxy --daemonize --resolver-name=<resolver name> </pre> <h2 id="dnsmasq">2. Dnsmasq</h2> diff --git a/tools/gitolite.html b/tools/gitolite.html index 94abda0..ab1ad3a 100644 --- a/tools/gitolite.html +++ b/tools/gitolite.html @@ -22,8 +22,7 @@ <p>Create user and home directory;</p> <pre> - # mkdir -p /srv/gitolite - # useradd -r -s /bin/bash -m -d /srv/gitolite gitolite + # useradd -r -s /bin/bash -U -m -d /srv/gitolite gitolite # chown gitolite:gitolite /srv/gitolite </pre> diff --git a/tools/index.html b/tools/index.html index da1cd40..2f84114 100644 --- a/tools/index.html +++ b/tools/index.html @@ -68,12 +68,6 @@ <h2>System Administration</h2> <ul> - <li><a href="hardening.html">Hardening</a> - <ul> - <li><a href="grsecurity.html">Grsecurity</a></li> - <li><a href="samhain.html">Samhain</a></li> - </ul> - </li> <li><a href="network.html">Network Tools</a> <ul> <li><a href="dnsmasq.html">Dnscrypt and Dnsmasq</a></li> diff --git a/tools/mutt.html b/tools/mutt.html index ef7cdbd..5c72e0c 100644 --- a/tools/mutt.html +++ b/tools/mutt.html @@ -162,7 +162,15 @@ <h3 id="system">2.1. System Email</h3> - <p>Content of <a href="conf/etc/skel/.mutt/system">.mutt/system</a>;</p> + <p>Check and point enviroment mail variable to new local maildir;</p> + + <pre> + $ echo "MAIL=$HOME/.mail/" >> ~/.bashrc + $ source ~/.bashrc + $ env | grep MAIL + </pre> + + <p>Content of <a href="conf/etc/skel/.mutt/system">.mutt/system</a>;<p> <pre> color status green default diff --git a/tools/qemu.html b/tools/qemu.html index 1c58e49..c914d74 100644 --- a/tools/qemu.html +++ b/tools/qemu.html @@ -43,22 +43,17 @@ this describes how to create a qcow2 type;</p> <pre> - $ qemu-img create -f qcow2 crux-img.qcow2 15G + $ qemu-img create -f qcow2 crux-img.qcow2 20G </pre> - <p>You can mount disk image;</p> + <p>Qemu disk images can be treated as regular disks using + qemu disk network block device server;</p> <pre> $ sudo modprobe nbd $ sudo qemu-nbd -c /dev/nbd0 /crux-img.qcow2 </pre> - <p>To disconnect image disk (ndb);</p> - - <pre> - $ sudo qemu-nbd -d /dev/nbd0 - </pre> - <p>Information about preparing <a href="../core/install.html#step2">partitions</a> and <a href="storage.html">storage</a> administration. @@ -100,6 +95,13 @@ # mount $BLK_VAR $CHROOT/var </pre> + <p>Before disconnecting image, clean dev mappings;</p> + + <pre> + $ sudo kpartx -d /dev/nbd0 + $ sudo qemu-nbd -d /dev/nbd0 + </pre> + <h2 id="net">2. Network</h2> <p>Network configuration;</p> diff --git a/tools/x.html b/tools/x.html index e01aaca..ad5ea6d 100644 --- a/tools/x.html +++ b/tools/x.html @@ -40,6 +40,12 @@ $ prt-get search xorg-font-bh | xargs sudo prt-get depinst </pre> + <p>From 6c37 collection;</p> + + <pre> + $ prt-get depinst otf-sourcecode + </pre> + <h2>Configure</h2> <p>Example of <a href="conf/etc/skel/.xinitrc">/etc/skel/.xinitrc</a>;</p> @@ -170,24 +176,26 @@ <h2>Window Managers</h2> - <h3>Dwm</h3> <pre> - $ sudo prt-get depinst dmenu \ - dwm \ - spectrwm \ + $ sudo prt-get depinst \ + alsa-utils \ + libdrm \ + mesa3d \ + ffmpeg \ + gstreamer \ + gstreamer-vaapi \ + gst-plugins-base \ + gst-plugins-good \ + adwaita-icon-theme \ + dmenu \ st \ conky \ dillo \ - adwaita-icon-theme \ + spectrwm \ gparted \ gimp \ libreoffice \ - ffmpeg \ - gstreamer \ - gstreamer-vaapi \ - gst-plugins-base \ - gst-plugins-good \ epiphany </pre> |