diff options
Diffstat (limited to 'core')
30 files changed, 1263 insertions, 1380 deletions
diff --git a/core/apparmor.html b/core/apparmor.html index 9954593..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -2,16 +2,16 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.1. AppArmor</title> + <title>2.6.1. AppArmor</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.2.1. AppArmor</h1> + <h1>2.6.1. AppArmor</h1> <p>Check <a href="linux.html#configure">kernel configuration</a> or - use the provided with <a href="reboot.html#linux">linux-gnu</a> port + use the provided with <a href="reboot.html#linux">linux-gnu</a> port to support apparmor. <a href="https://gitlab.com/apparmor/apparmor/wikis/home">AppArmor</a> enforce rules on applications based on security policies. User space tools are provided by apparmor port and its dependencies, install them;</p> @@ -48,7 +48,20 @@ aa-decode aa-exec aa-remove-unknown </pre> - <p>apparmor_parser options;</p> + <h2 id="profiles">Profiles</h2> + + <p>Profiles are located at /etc/apparmor.d/ and + /usr/share/apparmor/extra-profiles contain profiles + that require testing; + + <pre> + # cp -r /usr/share/apparmor/extra-profiles/* /etc/apparmor.d/ + # sudo rm /etc/apparmor.d/README + # bash /etc/rc.d/apparmor restart + </pre> + + <p>Profiles are parsed using + apparmor_parser;</p> <pre> Usage: apparmor_parser [options] [profile] @@ -93,11 +106,68 @@ --skip-bad-cache-rebuild Do not try rebuilding the cache if it is rejected by the kernel --warn n Enable warnings (see --help=warn) </pre> - # + + <h3 id="auto_profiles">Create profile with audit</h3> + + <p>Tools use log as a source to build profiles, it is + necessary to disable log rate limit;</p> + + <pre> + # sysctl -w kernel.printk_ratelimit=0 + </pre> + + <p>Start aa-genprof;</p> + + <pre> + $ sudo aa-genprof /usr/bin/lynx + </pre> + + <p>Execute application with all common application options + and parts;</p> + + <P>After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.</p> + + <pre> + # aa-logprof + </pre> + + <p>Once profile rules become well defined enable profile in + enforce mode with aa-enforce;</p> + + <p>Monitor logs with aa-notify;</a> + + + <h3 id="man_profiles">Create profile manually</h3> + + <p>To create a new profile, let's say for lynx, + first find where the application is;</p> + + <pre> + $ whereis lynx + lynx: /usr/bin/lynx /usr/etc/lynx.lss /usr/etc/lynx.cfg /usr/etc/lynx.cfg~ /usr/share/man/man1/lynx.1.gz + </pre> + + <p>Now create a file with path to executable in + /etc/apparmor.d;</p> + + <pre> + # vim /etc/apparmor.d/usr.bin.lynx + </pre> + + <p>Create basic profile template;</p> + + <pre> + #include <tunables/global> + + profile lynx /usr/bin/lynx { + #include <abstractions/base> + } + </pre> <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/conf/default/grub b/core/conf/default/grub new file mode 100644 index 0000000..e1a4636 --- /dev/null +++ b/core/conf/default/grub @@ -0,0 +1,4 @@ +GRUB_DISABLE_LINUX_UUID=false +GRUB_ENABLE_LINUX_LABEL=false +GRUB_CMDLINE_LINUX="rd.luks.uuid=luks-15f15024-e994-43e3-9de4-694ba94aaf7f rd.lvm.lv=vg_system/lv_root apparmor=1 security=apparmor" +GRUB_ENABLE_CRYPTODISK=y diff --git a/core/conf/distcc.conf b/core/conf/distcc.conf new file mode 100644 index 0000000..723338b --- /dev/null +++ b/core/conf/distcc.conf @@ -0,0 +1,3 @@ +DISTCC_ALLOW="10.0.0.0/8" +DISTCC_USER="pkgmk" +DISTCC_LOG_LEVEL="info" diff --git a/core/conf/iptables/ipt-bridge.sh b/core/conf/iptables/ipt-bridge.sh index fa987a5..cd93687 100644 --- a/core/conf/iptables/ipt-bridge.sh +++ b/core/conf/iptables/ipt-bridge.sh @@ -1,7 +1,9 @@ #!/bin/bash - -echo "setting bridge ${BR_IF} network..." -echo 1 > /proc/sys/net/ipv4/ip_forward +echo "setting bridge network..." +source ipt-conf.sh +source ipt-firewall.sh +ipt_clear +ipt_tables # Unlimited on loopback $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT @@ -9,174 +11,126 @@ $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT $IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -####### NAT Prerouting Chain ###### +######## NAT Prerouting Chain ###### #$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p udp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 -#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 -$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443 -#$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " - -####### Forward Chain ###### -$IPT -A FORWARD -j blocker -$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT - -# Allow access from bridge to gateway wifi interface -$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in -$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out -$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in -$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out -$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in -$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out +##$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 53 --sport 1024:65535 -j DNAT --to 10.0.0.254:53 +#$IPT -t nat -A PREROUTING -i ${WIFI_IF} -p tcp --dport 443 --sport 1024:65535 -j DNAT --to 10.0.0.4:443 +##$IPT -t nat -A PREROUTING -j LOG --log-level 7 --log-prefix "iptables: PREROUTING: " -#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in -#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out -$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in -$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out - -# allow output from BR_NET to external -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT - -# allow input from public bridged interface facing Internet -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_http_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_https_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_git_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d ${BR_NET} -j cli_ftp_in - -######## Forward TAP2 ssh, http and https ###### -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_ssh_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out +######## Forward Chain ###### +#$IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +#$IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT # -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_http_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_http_out - -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out +## Allow all for BR_NET +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -d ${BR_NET} -j ACCEPT +## DHCP +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s 0.0.0.0 -d 255.255.255.255 -j srv_dhcp -#Less noise -$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP +## Allow access from bridge to gateway wifi interface +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_http_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_http_out +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_https_out +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j cli_ftp_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j cli_ftp_out +##$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_dns_in +##$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_dns_out +#$IPT -A FORWARD -i ${WIFI_IF} -o ${BR_IF} -j srv_https_in +#$IPT -A FORWARD -i ${BR_IF} -o ${WIFI_IF} -j srv_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -# -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap1 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -# -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out tap2 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out tap3 -s ${BR_NET} -d ${BR_NET} -j ACCEPT -# -# -# Tap1 -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_http_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_http_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_https_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap1 -j cli_ftp_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap1 --physdev-out ${PUB_IF} -j cli_ftp_out -# -# -## Tap3 -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_git_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_git_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_http_in -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_http_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap3 --physdev-out ${PUB_IF} -j cli_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap3 -j cli_https_in -# -# -# Tap1, Tap2 and Tap3 can access external https - -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out -#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - +## allow output from BR_NET to external +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -s ${BR_NET} -j ACCEPT +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${DNS} -d ${PUB_IP} -j cli_dns_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_http_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_https_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_ssh_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -d 10.0.0.4 -j srv_git_in +$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} -p tcp --sport 443 --dport 1024:65535 -j ACCEPT -# -# #$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip -# -# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp -# $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp +##Less noise +#$IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -p udp --dport 519 --sport 520 -j DROP -# -####### Input Chain ###### +######## Input Chain ###### $IPT -A INPUT -j blocker -#Less noise -$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP -$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j DROP -$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j DROP -$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp -$IPT -A INPUT -i ${BR_IF} -d ${WIFI_NET} -s ${BR_NET} -j srv_icmp +##Less noise +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -p tcp --sport 3030 --dport 1024:65535 -j DROP +#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT +#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${PUB_IF} -s ${GW} -p udp --sport 137 --dport 137 -j ACCEPT +#$IPT -A INPUT -i ${BR_IF} -s ${BR_NET} -d 10.255.255.255 -p udp --sport 520 --dport 520 -j ACCEPT +#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 137 --dport 137 -j ACCEPT +#$IPT -A INPUT -i ${WIFI_IF} -p udp --sport 138 --dport 138 -j ACCEPT -$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in -$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in -$IPT -A INPUT -i ${WIFI_IF} -s ${WIFI_NET} -d ${WIFI_NET} -j srv_dns_in - $IPT -A INPUT -i ${BR_IF} -j srv_dhcp -$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_dns_in +$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_https_in -$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_git_in $IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_ssh_in $IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap3 -d ${PUB_IP} -j srv_ssh_in -$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in -$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in -$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in -$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in -$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in +#$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in ${WIFI_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_icmp +#$IPT -A INPUT -i ${WIFI_IF} -d ${PUB_IP} -s ${WIFI_NET} -j srv_dns_in +#$IPT -A INPUT -i ${BR_IF} -s ${GW} -d ${PUB_IP} -j srv_dhcp +#$IPT -A INPUT -i ${BR_IF} -d ${PUB_IP} -j cli_http_in +#$IPT -A INPUT -i ${WIFI_IF} -s ${DNS} -j cli_dns_in +#$IPT -A INPUT -i ${WIFI_IF} -j cli_https_in +#$IPT -A INPUT -i ${WIFI_IF} -j cli_http_in +#$IPT -A INPUT -i ${WIFI_IF} -j cli_git_in +#$IPT -A INPUT -i ${WIFI_IF} -j cli_ssh_in -# c2.ank /iso -> c9.ank /srv/qemu/iso -$IPT -A INPUT -i ${BR_IF} -m physdev --physdev-in tap2 -d ${PUB_IP} -j srv_http_in -# hyperbola servers -$IPT -A INPUT -p tcp --dport 1024:65535 --sport 50100 -m state --state RELATED,ESTABLISHED -j ACCEPT +## PXE server +#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 69 --sport 1024:65535 -j ACCEPT +#$IPT -A INPUT -i ${BR_IF} -p udp -d ${PUB_IP} -s ${BR_NET} --dport 1024:65535 --sport 1024:65535 -j ACCEPT -####### Output Chain ###### -$IPT -A OUTPUT -j blocker +######## Output Chain ###### -#Less noise +##Less noise $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 3030 --sport 1024:65535 -j DROP -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_ssh_out -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_icmp -$IPT -A OUTPUT -o ${BR_IF} -s ${WIFI_NET} -d ${BR_NET} -j srv_icmp +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j srv_git_out +$IPT -A OUTPUT -o ${BR_IF} -j srv_icmp +#$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -j cli_dns_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_ssh_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_git_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j cli_http_out -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -j srv_dhcp $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_https_out -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out $IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_git_out +$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -j cli_http_out -$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out -$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out -$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out +#$IPT -A OUTPUT -o ${WIFI_IF} -d ${DNS} -j cli_dns_out +#$IPT -A OUTPUT -o ${WIFI_IF} -d ${WIFI_NET} -j srv_dns_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_dns_out -$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out -$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out -$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out -$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_ssh_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_git_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_https_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j cli_http_out +#$IPT -A OUTPUT -o ${WIFI_IF} -j srv_icmp -# Hyperbola servers -$IPT -A OUTPUT -p tcp --sport 1024:65535 --dport 50100 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -# c2.ank /iso -> c9.ank /srv/qemu/iso -$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d 10.0.0.4 -j srv_http_out +## PXE Server +#$IPT -A OUTPUT -o ${BR_IF} -s ${PUB_IP} -d ${BR_NET} -p udp --dport 1024:65535 --sport 1024:65535 -j ACCEPT -####### PostRouting Chain ###### -#Less noise -#$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT -#$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT +######## PostRouting Chain ###### +##Less noise +##$IPT -t nat -A POSTROUTING -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -p tcp --dport 443 --sport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT +##$IPT -t nat -A POSTROUTING -o ${BR_IF} -s ${PUB_IP} -d ${DNS} -p udp --dport 53 --sport 1024:65535 -j ACCEPT +#$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE +##$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " -$IPT -t nat -A POSTROUTING -o ${WIFI_IF} -j MASQUERADE +## log everything else and drop +ipt_log -#$IPT -t nat -A POSTROUTING -j LOG --log-level 7 --log-prefix "iptables: POSTROUTING: " +iptables-save > bridge.v4 diff --git a/core/conf/iptables/ipt-conf.sh b/core/conf/iptables/ipt-conf.sh index 52669dc..c3dac16 100644 --- a/core/conf/iptables/ipt-conf.sh +++ b/core/conf/iptables/ipt-conf.sh @@ -1,6 +1,6 @@ #!/bin/bash -TYPE=bridge -#TYPE=server + +IPT="/usr/sbin/iptables" SPAMLIST="blockedip" SPAMDROPMSG="BLOCKED IP DROP" @@ -19,4 +19,5 @@ PUB_IF="enp8s0" # private interface for virtual/internal WIFI_IF="wlp7s0" -WIFI_NET="192.168.1.0/24" +#WIFI_NET="192.168.1.0/24" +WIFI_NET="10.0.0.0/8" diff --git a/core/conf/iptables/ipt-firewall.sh b/core/conf/iptables/ipt-firewall.sh index 6ea613a..12c3834 100644 --- a/core/conf/iptables/ipt-firewall.sh +++ b/core/conf/iptables/ipt-firewall.sh @@ -1,7 +1,5 @@ #!/bin/bash -IPT="/usr/sbin/iptables" - ipt_clear () { echo "clear all iptables tables" diff --git a/core/conf/iptables/ipt-open.sh b/core/conf/iptables/ipt-open.sh new file mode 100644 index 0000000..3ef1254 --- /dev/null +++ b/core/conf/iptables/ipt-open.sh @@ -0,0 +1,47 @@ +#!/bin/bash + +echo "setting client network..." +source ipt-conf.sh +source ipt-firewall.sh +ipt_clear +ipt_tables + +# Unlimited on loopback +$IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +$IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT + +####### Input Chain ###### +$IPT -A INPUT -j blocker + +$IPT -A INPUT -i ${PUB_IF} -j cli_dns_in +$IPT -A INPUT -i ${PUB_IF} -j cli_http_in +$IPT -A INPUT -i ${PUB_IF} -j cli_https_in +$IPT -A INPUT -i ${PUB_IF} -j cli_git_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ssh_in +$IPT -A INPUT -i ${PUB_IF} -j srv_icmp +$IPT -A INPUT -i ${PUB_IF} -j cli_pops_in +$IPT -A INPUT -i ${PUB_IF} -j cli_smtps_in +$IPT -A INPUT -i ${PUB_IF} -j cli_irc_in +$IPT -A INPUT -i ${PUB_IF} -j cli_ftp_in +$IPT -A INPUT -i ${PUB_IF} -j cli_gpg_in + + +####### Output Chain ###### +$IPT -A OUTPUT -j blocker + +$IPT -A OUTPUT -o ${PUB_IF} -j cli_dns_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_https_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ssh_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_git_out +$IPT -A OUTPUT -o ${PUB_IF} -j srv_icmp +$IPT -A OUTPUT -o ${PUB_IF} -j cli_pops_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_smtps_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_irc_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_ftp_out +$IPT -A OUTPUT -o ${PUB_IF} -j cli_gpg_out + +## log everything else and drop +ipt_log + +iptables-save > open.v4 diff --git a/core/conf/iptables/ipt-server.sh b/core/conf/iptables/ipt-server.sh index 225fd31..370db60 100644 --- a/core/conf/iptables/ipt-server.sh +++ b/core/conf/iptables/ipt-server.sh @@ -1,10 +1,14 @@ -echo "setting server network..." +echo "setting server iptables ..." +source ipt-conf.sh +source ipt-firewall.sh +ipt_clear +ipt_tables # Unlimited on loopback $IPT -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT $IPT -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT -$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT -$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +#$IPT -A INPUT -i lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT +#$IPT -A OUTPUT -o lo -s ${PUB_IP} -d ${PUB_IP} -j ACCEPT ####### Input Chain ###### $IPT -A INPUT -j blocker @@ -35,3 +39,8 @@ $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j srv_https_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_ssh_out $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -j srv_git_out + +## log everything else and drop +ipt_log + +iptables-save > server.v4 diff --git a/core/conf/iptables/open.v4 b/core/conf/iptables/open.v4 new file mode 100644 index 0000000..30e476d --- /dev/null +++ b/core/conf/iptables/open.v4 @@ -0,0 +1,210 @@ +# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 23:05:15 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 23:05:15 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -i wlp9s0 -j cli_dns_in +-A INPUT -i wlp9s0 -j cli_http_in +-A INPUT -i wlp9s0 -j cli_https_in +-A INPUT -i wlp9s0 -j cli_git_in +-A INPUT -i wlp9s0 -j cli_ssh_in +-A INPUT -i wlp9s0 -j srv_icmp +-A INPUT -i wlp9s0 -j cli_pops_in +-A INPUT -i wlp9s0 -j cli_smtps_in +-A INPUT -i wlp9s0 -j cli_irc_in +-A INPUT -i wlp9s0 -j cli_ftp_in +-A INPUT -i wlp9s0 -j cli_gpg_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -j blocker +-A OUTPUT -o wlp9s0 -j cli_dns_out +-A OUTPUT -o wlp9s0 -j cli_https_out +-A OUTPUT -o wlp9s0 -j cli_ssh_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j cli_git_out +-A OUTPUT -o wlp9s0 -j srv_icmp +-A OUTPUT -o wlp9s0 -j cli_pops_out +-A OUTPUT -o wlp9s0 -j cli_smtps_out +-A OUTPUT -o wlp9s0 -j cli_irc_out +-A OUTPUT -o wlp9s0 -j cli_ftp_out +-A OUTPUT -o wlp9s0 -j cli_gpg_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Sat Jun 8 23:05:15 2019 diff --git a/core/conf/iptables/server.v4 b/core/conf/iptables/server.v4 new file mode 100644 index 0000000..ed202ee --- /dev/null +++ b/core/conf/iptables/server.v4 @@ -0,0 +1,204 @@ +# Generated by iptables-save v1.8.2 on Sat Jun 8 19:50:25 2019 +*security +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 19:50:25 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 19:50:25 2019 +*raw +:PREROUTING ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 19:50:25 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 19:50:25 2019 +*nat +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 19:50:25 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 19:50:25 2019 +*mangle +:PREROUTING ACCEPT [0:0] +:INPUT ACCEPT [0:0] +:FORWARD ACCEPT [0:0] +:OUTPUT ACCEPT [0:0] +:POSTROUTING ACCEPT [0:0] +COMMIT +# Completed on Sat Jun 8 19:50:25 2019 +# Generated by iptables-save v1.8.2 on Sat Jun 8 19:50:25 2019 +*filter +:INPUT DROP [0:0] +:FORWARD DROP [0:0] +:OUTPUT DROP [0:0] +:blocker - [0:0] +:cli_dns_in - [0:0] +:cli_dns_out - [0:0] +:cli_ftp_in - [0:0] +:cli_ftp_out - [0:0] +:cli_git_in - [0:0] +:cli_git_out - [0:0] +:cli_gpg_in - [0:0] +:cli_gpg_out - [0:0] +:cli_http_in - [0:0] +:cli_http_out - [0:0] +:cli_https_in - [0:0] +:cli_https_out - [0:0] +:cli_irc_in - [0:0] +:cli_irc_out - [0:0] +:cli_pops_in - [0:0] +:cli_pops_out - [0:0] +:cli_smtps_in - [0:0] +:cli_smtps_out - [0:0] +:cli_ssh_in - [0:0] +:cli_ssh_out - [0:0] +:srv_db_in - [0:0] +:srv_db_out - [0:0] +:srv_dhcp - [0:0] +:srv_dns_in - [0:0] +:srv_dns_out - [0:0] +:srv_git_in - [0:0] +:srv_git_out - [0:0] +:srv_http_in - [0:0] +:srv_http_out - [0:0] +:srv_https_in - [0:0] +:srv_https_out - [0:0] +:srv_icmp - [0:0] +:srv_rip - [0:0] +:srv_ssh_in - [0:0] +:srv_ssh_out - [0:0] +-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT +-A INPUT -j blocker +-A INPUT -s 212.55.154.174/32 -d 10.0.0.254/32 -i enp8s0 -j cli_dns_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_https_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in +-A INPUT -s 10.0.0.0/8 -d 10.0.0.254/32 -i enp8s0 -j srv_git_in +-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_https_in +-A INPUT -d 10.0.0.254/32 -i enp8s0 -j cli_https_in +-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_ssh_in +-A INPUT -d 10.0.0.254/32 -i enp8s0 -j srv_git_in +-A INPUT -j LOG --log-prefix "iptables: INPUT: " --log-level 7 +-A FORWARD -j LOG --log-prefix "iptables: FORWARD: " --log-level 7 +-A OUTPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -o lo -j ACCEPT +-A OUTPUT -j blocker +-A OUTPUT -s 10.0.0.254/32 -d 212.55.154.174/32 -o enp8s0 -j cli_dns_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_https_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out +-A OUTPUT -s 10.0.0.254/32 -d 10.0.0.0/8 -o enp8s0 -j srv_git_out +-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j cli_https_out +-A OUTPUT -s 10.0.0.254/32 -o enp8s0 -j srv_https_out +-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_ssh_out +-A OUTPUT -d 10.0.0.0/8 -o enp8s0 -j srv_git_out +-A OUTPUT -j LOG --log-prefix "iptables: OUTPUT: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop sync: " --log-level 7 +-A blocker -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP +-A blocker -f -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop frag: " +-A blocker -f -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop null: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop syn rst syn rs" +-A blocker -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop xmas: " +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -m limit --limit 5/min --limit-burst 7 -j LOG --log-prefix "iptables: drop fin scan: " +-A blocker -p tcp -m tcp --tcp-flags FIN,ACK FIN -j DROP +-A blocker -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP +-A blocker -j RETURN +-A cli_dns_in -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT +-A cli_dns_in -j RETURN +-A cli_dns_out -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT +-A cli_dns_out -j RETURN +-A cli_ftp_in -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_in -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_in -j RETURN +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT +-A cli_ftp_out -p tcp -m tcp --sport 1024:65535 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A cli_ftp_out -j RETURN +-A cli_git_in -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_git_in -j RETURN +-A cli_git_out -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_git_out -j RETURN +-A cli_gpg_in -p tcp -m tcp --sport 11371 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_gpg_in -j RETURN +-A cli_gpg_out -p tcp -m tcp --sport 1024:65535 --dport 11371 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_gpg_out -j RETURN +-A cli_http_in -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -p udp -m udp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_http_in -j RETURN +-A cli_http_out -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -p udp -m udp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_http_out -j RETURN +-A cli_https_in -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -p udp -m udp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_https_in -j RETURN +-A cli_https_out -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -p udp -m udp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_https_out -j RETURN +-A cli_irc_in -p tcp -m tcp --sport 6667 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_irc_in -j RETURN +-A cli_irc_out -p tcp -m tcp --sport 1024:65535 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_irc_out -j RETURN +-A cli_pops_in -p tcp -m tcp --sport 995 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_pops_in -j RETURN +-A cli_pops_out -p tcp -m tcp --sport 1024:65535 --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_pops_out -j RETURN +-A cli_smtps_in -p tcp -m tcp --sport 465 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_smtps_in -j RETURN +-A cli_smtps_out -p tcp -m tcp --sport 1024:65535 --dport 465 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_smtps_out -j RETURN +-A cli_ssh_in -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A cli_ssh_in -j RETURN +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT +-A cli_ssh_out -j RETURN +-A srv_db_in -p tcp -m tcp --sport 1024:65535 --dport 5432 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_db_in -j RETURN +-A srv_db_out -p tcp -m tcp --sport 5432 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_db_out -j RETURN +-A srv_dhcp -p udp -m udp --sport 68 --dport 67 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 68 -j ACCEPT +-A srv_dhcp -p udp -m udp --sport 67 --dport 67 -j ACCEPT +-A srv_dhcp -j RETURN +-A srv_dns_in -p udp -m udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -p tcp -m tcp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_dns_in -j RETURN +-A srv_dns_out -p udp -m udp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -p tcp -m tcp --sport 53 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_dns_out -j RETURN +-A srv_git_in -p tcp -m tcp --sport 1024:65535 --dport 9418 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_git_in -j RETURN +-A srv_git_out -p tcp -m tcp --sport 9418 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_git_out -j RETURN +-A srv_http_in -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_http_in -j RETURN +-A srv_http_out -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_http_out -j RETURN +-A srv_https_in -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT +-A srv_https_in -j RETURN +-A srv_https_out -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT +-A srv_https_out -j RETURN +-A srv_icmp -p icmp -j ACCEPT +-A srv_icmp -j RETURN +-A srv_rip -p udp -m udp --sport 520 --dport 520 -j ACCEPT +-A srv_rip -j RETURN +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 2222 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 2222 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name SSH --mask 255.255.255.255 --rsource -j ACCEPT +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j LOG --log-prefix "BLOCKED IP DROP SSH" +-A srv_ssh_in -p tcp -m tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH --mask 255.255.255.255 --rsource -j DROP +-A srv_ssh_in -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_in -j RETURN +-A srv_ssh_out -p tcp -m tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT +-A srv_ssh_out -j RETURN +COMMIT +# Completed on Sat Jun 8 19:50:25 2019 diff --git a/core/conf/pkg-get.conf b/core/conf/pkg-get.conf new file mode 100644 index 0000000..4825657 --- /dev/null +++ b/core/conf/pkg-get.conf @@ -0,0 +1,15 @@ +## +# /etc/pkg-get.conf +# pkg-get configuration file + +# package repositories (remote) +# The first two are remote repoistories, the last is a local one +pkgdir /usr/ports/server|https://hive.gnu.systems/mirror-3.4/packages +#pkgdir /usr/packages/java|http://www.foobar.com/java +#pkgdir /usr/packages/games + +# runscripts: if "yes" pre-post install scripts are +# automatically executed. Handle with care. +runscripts yes + +preferhigher yes # (yes|no) diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 4085a38..4d689ec 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,10 +2,32 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -g -march=x86-64 -pipe" +export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" -# export MAKEFLAGS="-j2" +## ccache settings +#export PATH="/usr/lib/ccache/:$PATH" +#export CCACHE_DIR="/usr/ports/ccache" +#export CCACHE_PREFIX="distcc" +#export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" +# +## compile using ccache and distcc +#export DISTCC_HOSTS="localhost/4 xborg/4" +# +### compile using distcc without ccache +##export PATH="/usr/lib/distcc/:$PATH" +##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" +##export PUMP_BUILD=yes +# +## distcc settings +#export JOBS=$(/usr/bin/distcc -j 2> /dev/null) +#export DISTCC_DIR="/usr/ports/distcc" +#export MAKEFLAGS="-j ${JOBS}" +#export SCONSFLAGS="$MAKEFLAGS" + +# local compile only +export JOBS=$(nproc) +export MAKEFLAGS="-j $JOBS" case ${PKGMK_ARCH} in "64"|"") @@ -22,7 +44,7 @@ case ${PKGMK_ARCH} in ;; esac -#PKGMK_SOURCE_MIRRORS=(http://machine.example.org/ports/distfiles/) +PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror-3.4/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" @@ -37,5 +59,6 @@ PKGMK_WORK_DIR="/usr/ports/work/$name" # PKGMK_WGET_OPTS="" # PKGMK_CURL_OPTS="" # PKGMK_COMPRESSION_MODE="gz" +# PKGMK_UP_TO_DATE=yes # End of file diff --git a/core/conf/ports/kde5.git b/core/conf/ports/kde5.git new file mode 100644 index 0000000..37b5764 --- /dev/null +++ b/core/conf/ports/kde5.git @@ -0,0 +1,7 @@ +# Collection core +# +NAME=kde5 +URL=git://hive.gnu.systems/kde5.git +BRANCH=stable-3.4 +destination=/usr/ports/kde5 +PORTS_DIR="/usr/ports" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index 1f7a39e..8e88333 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -5,19 +5,16 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt -prtdir /usr/ports/contrib -prtdir /usr/ports/machine-ports prtdir /usr/ports/xorg -# 6c37 team provides a collection with freetype-iu, fontconfig-iu -# and cairo-iu ports. - # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection -# prtdir /usr/ports/6c37-dropin -# prtdir /usr/ports/6c37 +prtdir /usr/ports/contrib +prtdir /usr/ports/ports +prtdir /usr/ports/mate +prtdir /usr/ports/kde5 ### use mypackage form local directory # prtdir /home/packages/build:mypackage @@ -26,7 +23,7 @@ prtdir /usr/ports/xorg writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) -logfile /usr/ports/pkgbuild/%n-%v-%r.log +logfile /usr/ports/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release @@ -37,7 +34,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher no # (yes|no) +preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -46,7 +43,6 @@ preferhigher no # (yes|no) ### --install-scripts option runscripts yes # (no|yes) - ### EXPERT SECTION ### ### alternative commands diff --git a/core/conf/rc.d/distccd b/core/conf/rc.d/distccd new file mode 100755 index 0000000..65a166d --- /dev/null +++ b/core/conf/rc.d/distccd @@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# +# /etc/rc.d/distccd: start/stop distcc daemon +# + +. /etc/distcc.conf +if [ -z "$DISTCC_ALLOW" ]; then + echo "Please define a range of IPs allowed to connect to this distccd" + echo "host in DISTCC_ALLOW in /etc/rc.conf. More detailed information" + echo "can be found in the distcc's README package." + exit 1 +fi + +DISTCC_USER="${DISTCC_USER:=nobody}" +DISTCC_LOG_LEVEL="${DISTCC_LOG_LEVEL:=notice}" + +case $1 in +start) + /usr/sbin/distccd --daemon --user "$DISTCC_USER" --allow "$DISTCC_ALLOW" --log-level "$DISTCC_LOG_LEVEL" + ;; +stop) + killall -q /usr/sbin/distccd + ;; +restart) + $0 stop + $0 start + ;; +*) + echo "usage: $0 [start|stop|restart]" + ;; +esac + +# End of file diff --git a/core/conf/rc.d/iptables b/core/conf/rc.d/iptables index 9471f99..cc7c765 100644 --- a/core/conf/rc.d/iptables +++ b/core/conf/rc.d/iptables @@ -1,39 +1,62 @@ -source /etc/iptables/ipt-conf.sh -source /etc/iptables/ipt-firewall.sh +IPT="/usr/sbin/iptables" +TYPE=bridge +#TYPE=server +#TYPE=open + +echo "clear all iptables tables" + +${IPT} -F +${IPT} -X +${IPT} -t nat -F +${IPT} -t nat -X +${IPT} -t mangle -F +${IPT} -t mangle -X +${IPT} -t raw -F +${IPT} -t raw -X +${IPT} -t security -F +${IPT} -t security -X + +# Set Default Rules +${IPT} -P INPUT DROP +${IPT} -P FORWARD DROP +${IPT} -P OUTPUT DROP + +${IPT} -A INPUT -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT +${IPT} -A OUTPUT -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT case $1 in start) - ipt_clear - ipt_tables - case $TYPE in - bridge) - source /etc/iptables/ipt-bridge.sh - - ## log everything else and drop - ipt_log - - iptables-save > /etc/iptables/bridge.v4 - ;; - server) - source /etc/iptables/iptables-conf.sh - - ## log everything else and drop - ipt_log - - iptables-save > /etc/iptables/net.v4 - ;; - esac - ;; - stop) + case $TYPE in + bridge) + + echo "setting bridge network..." + echo 1 > /proc/sys/net/ipv4/ip_forward + + ## load bridge configuration + iptables-restore /etc/iptables/bridge.v4 + + ;; + server) + + echo "setting server network..." + ## load server configuration + iptables-restore /etc/iptables/server.v4 - ipt_clear ;; - restart) - $0 stop - $0 start + open) + + echo "setting client network..." + ## load client configuration + iptables-restore /etc/iptables/open.v4 + ;; + esac + ;; + stop) + + ;; *) - echo "Usage: $0 [start|stop|restart]" - ;; + echo "Usage: $0 [start|stop]" + ;; esac diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 4606791..771112a 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -3,51 +3,19 @@ # kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + # Shared Memory #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 # -# Memory Protections -# - -# If you say Y here, all ioperm and iopl calls will return an error. -# Ioperm and iopl can be used to modify the running kernel. -# Unfortunately, some programs need this access to operate properly, -# the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure -# that hwclock operates correctly. -# -# If you're using XFree86 or a version of Xorg from 2012 or earlier, -# you may not be able to boot into a graphical environment with this -# option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 1 - -# If you say Y here, attempts to bruteforce exploits against forking -# daemons such as apache or sshd, as well as against suid/sgid binaries -# will be deterred. When a child of a forking daemon is killed by PaX -# or crashes due to an illegal instruction or other suspicious signal, -# the parent process will be delayed 30 seconds upon every subsequent -# fork until the administrator is able to assess the situation and -# restart the daemon. -# In the suid/sgid case, the attempt is logged, the user has all their -# existing instances of the suid/sgid binary terminated and will -# be unable to execute any suid/sgid binaries for 15 minutes. -# -# It is recommended that you also enable signal logging in the auditing -# section so that logs are generated when a process triggers a suspicious -# signal. -# If the sysctl option is enabled, a sysctl option with name -# "deter_bruteforce" is created. -kernel.grsecurity.deter_bruteforce = 1 - -# # Filesystem Protections # @@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1 # Increase system file descriptor limit fs.file-max = 65535 -# If you say Y here, /tmp race exploits will be prevented, since users -# will no longer be able to follow symlinks owned by other users in -# world-writable +t directories (e.g. /tmp), unless the owner of the -# symlink is the owner of the directory. users will also not be -# able to hardlink to files they do not own. If the sysctl option is -# enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 - - -# Apache's SymlinksIfOwnerMatch option has an inherent race condition -# that prevents it from being used as a security feature. As Apache -# verifies the symlink by performing a stat() against the target of -# the symlink before it is followed, an attacker can setup a symlink -# to point to a same-owned file, then replace the symlink with one -# that targets another user's file just after Apache "validates" the -# symlink -- a classic TOCTOU race. If you say Y here, a complete, -# race-free replacement for Apache's "SymlinksIfOwnerMatch" option -# will be in place for the group you specify. If the sysctl option -# is enabled, a sysctl option with name "enforce_symlinksifowner" is -# created. -kernel.grsecurity.enforce_symlinksifowner = 1 -kernel.grsecurity.symlinkown_gid = 15 - -# if you say Y here, users will not be able to write to FIFOs they don't -# own in world-writable +t directories (e.g. /tmp), unless the owner of -# the FIFO is the same owner of the directory it's held in. If the sysctl -# option is enabled, a sysctl option with name "fifo_restrictions" is -# created. -kernel.grsecurity.fifo_restrictions = 1 - -# If you say Y here, a sysctl option with name "romount_protect" will -# be created. By setting this option to 1 at runtime, filesystems -# will be protected in the following ways: -# * No new writable mounts will be allowed -# * Existing read-only mounts won't be able to be remounted read/write -# * Write operations will be denied on all block devices -# This option acts independently of grsec_lock: once it is set to 1, -# it cannot be turned off. Therefore, please be mindful of the resulting -# behavior if this option is enabled in an init script on a read-only -# filesystem. -# Also be aware that as with other root-focused features, GRKERNSEC_KMEM -# and GRKERNSEC_IO should be enabled and module loading disabled via -# config or at runtime. -# This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 1 - -# if you say Y here, the capabilities on all processes within a -# chroot jail will be lowered to stop module insertion, raw i/o, -# system and net admin tasks, rebooting the system, modifying immutable -# files, modifying IPC owned by another, and changing the system time. -# This is left an option because it can break some apps. Disable this -# if your chrooted apps are having problems performing those kinds of -# tasks. If the sysctl option is enabled, a sysctl option with -# name "chroot_caps" is created. -kernel.grsecurity.chroot_caps = 1 - -#kernel.grsecurity.chroot_deny_bad_rename = 1 - -# If you say Y here, processes inside a chroot will not be able to chmod -# or fchmod files to make them have suid or sgid bits. This protects -# against another published method of breaking a chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_chmod" is -# created. -kernel.grsecurity.chroot_deny_chmod = 1 - -# If you say Y here, processes inside a chroot will not be able to chroot -# again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name -# "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 - -# If you say Y here, a well-known method of breaking chroots by fchdir'ing -# to a file descriptor of the chrooting process that points to a directory -# outside the filesystem will be stopped. If the sysctl option -# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. -kernel.grsecurity.chroot_deny_fchdir = 1 - -# If you say Y here, processes inside a chroot will not be allowed to -# mknod. The problem with using mknod inside a chroot is that it -# would allow an attacker to create a device entry that is the same -# as one on the physical root of your system, which could range from -# anything from the console device to a device for your harddrive (which -# they could then use to wipe the drive or steal data). It is recommended -# that you say Y here, unless you run into software incompatibilities. -# If the sysctl option is enabled, a sysctl option with name -# "chroot_deny_mknod" is created. -kernel.grsecurity.chroot_deny_mknod = 1 - -# If you say Y here, processes inside a chroot will not be able to -# mount or remount filesystems. If the sysctl option is enabled, a -# sysctl option with name "chroot_deny_mount" is created. -kernel.grsecurity.chroot_deny_mount = 1 - -# If you say Y here, processes inside a chroot will not be able to use -# a function called pivot_root() that was introduced in Linux 2.3.41. It -# works similar to chroot in that it changes the root filesystem. This -# function could be misused in a chrooted process to attempt to break out -# of the chroot, and therefore should not be allowed. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_pivot" is -# created. -kernel.grsecurity.chroot_deny_pivot = 1 - -# If you say Y here, processes inside a chroot will not be able to attach -# to shared memory segments that were created outside of the chroot jail. -# It is recommended that you say Y here. If the sysctl option is enabled, -# a sysctl option with name "chroot_deny_shmat" is created. -kernel.grsecurity.chroot_deny_shmat = 1 - -# If you say Y here, an attacker in a chroot will not be able to -# write to sysctl entries, either by sysctl(2) or through a /proc -# interface. It is strongly recommended that you say Y here. If the -# sysctl option is enabled, a sysctl option with name -# "chroot_deny_sysctl" is created. -kernel.grsecurity.chroot_deny_sysctl = 1 - -# If you say Y here, processes inside a chroot will not be able to -# connect to abstract (meaning not belonging to a filesystem) Unix -# domain sockets that were bound outside of a chroot. It is recommended -# that you say Y here. If the sysctl option is enabled, a sysctl option -# with name "chroot_deny_unix" is created. -kernel.grsecurity.chroot_deny_unix = 1 - -# If you say Y here, the current working directory of all newly-chrooted -# applications will be set to the the root directory of the chroot. -# The man page on chroot(2) states: -# Note that usually chhroot does not change the current working -# directory, so that `.' can be outside the tree rooted at -# `/'. In particular, the super-user can escape from a -# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# -# It is recommended that you say Y here, since it's not known to break -# any software. If the sysctl option is enabled, a sysctl option with -# name "chroot_enforce_chdir" is created. -kernel.grsecurity.chroot_enforce_chdir = 1 - -# If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, -# getsid, or view any process outside of the chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_findtask" is -# created. -kernel.grsecurity.chroot_findtask = 1 - -# If you say Y here, processes inside a chroot will not be able to raise -# the priority of processes in the chroot, or alter the priority of -# processes outside the chroot. This provides more security than simply -# removing CAP_SYS_NICE from the process' capability set. If the -# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" -# is created. -kernel.grsecurity.chroot_restrict_nice = 1 - -# -# Kernel Auditing -# - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_group = 1 - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_gid = 99 - -# If you say Y here, all execve() calls will be logged (since the -# other exec*() calls are frontends to execve(), all execution -# will be logged). Useful for shell-servers that like to keep track -# of their users. If the sysctl option is enabled, a sysctl option with -# name "exec_logging" is created. -# WARNING: This option when enabled will produce a LOT of logs, especially -# on an active system. -kernel.grsecurity.exec_logging = 0 - -# If you say Y here, all attempts to overstep resource limits will -# be logged with the resource name, the requested size, and the current -# limit. It is highly recommended that you say Y here. If the sysctl -# option is enabled, a sysctl option with name "resource_logging" is -# created. If the RBAC system is enabled, the sysctl value is ignored. -kernel.grsecurity.resource_logging = 1 - -# If you say Y here, all executions inside a chroot jail will be logged -# to syslog. This can cause a large amount of logs if certain -# applications (eg. djb's daemontools) are installed on the system, and -# is therefore left as an option. If the sysctl option is enabled, a -# sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 - -# If you say Y here, all mounts and unmounts will be logged. If the -# sysctl option is enabled, a sysctl option with name "audit_mount" is -# created. -kernel.grsecurity.audit_mount = 1 - -# If you say Y here, certain important signals will be logged, such as -# SIGSEGV, which will as a result inform you of when a error in a program -# occurred, which in some cases could mean a possible exploit attempt. -# If the sysctl option is enabled, a sysctl option with name -# "signal_logging" is created. -kernel.grsecurity.signal_logging = 1 - -# If you say Y here, all failed fork() attempts will be logged. -# This could suggest a fork bomb, or someone attempting to overstep -# their process limit. If the sysctl option is enabled, a sysctl option -# with name "forkfail_logging" is created. -kernel.grsecurity.forkfail_logging = 1 - -# If you say Y here, any changes of the system clock will be logged. -# If the sysctl option is enabled, a sysctl option with name -# "timechange_logging" is created. -kernel.grsecurity.timechange_logging = 1 - -# if you say Y here, calls to mmap() and mprotect() with explicit -# usage of PROT_WRITE and PROT_EXEC together will be logged when -# denied by the PAX_MPROTECT feature. This feature will also -# log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the -# sysctl option is enabled, a sysctl option with name "rwxmap_logging" -# is created. -kernel.grsecurity.rwxmap_logging = 1 - -# -# Executable Protections -# - - -# if you say Y here, non-root users will not be able to use dmesg(8) -# to view the contents of the kernel's circular log buffer. -# The kernel's log buffer often contains kernel addresses and other -# identifying information useful to an attacker in fingerprinting a -# system for a targeted exploit. -# If the sysctl option is enabled, a sysctl option with name "dmesg" is -# created. -kernel.grsecurity.dmesg = 1 - # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 -# If you say Y here, TTY sniffers and other malicious monitoring -# programs implemented through ptrace will be defeated. If you -# have been using the RBAC system, this option has already been -# enabled for several years for all users, with the ability to make -# fine-grained exceptions. -# -# This option only affects the ability of non-root users to ptrace -# processes that are not a descendent of the ptracing process. -# This means that strace ./binary and gdb ./binary will still work, -# but attaching to arbitrary processes will not. If the sysctl -# option is enabled, a sysctl option with name "harden_ptrace" is -# created. -kernel.grsecurity.harden_ptrace = 1 - -# If you say Y here, unprivileged users will not be able to ptrace unreadable -# binaries. This option is useful in environments that -# remove the read bits (e.g. file mode 4711) from suid binaries to -# prevent infoleaking of their contents. This option adds -# consistency to the use of that file mode, as the binary could normally -# be read out when run without privileges while ptracing. -# -# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" -# is created. -kernel.grsecurity.ptrace_readexec = 1 - -# If you say Y here, a change from a root uid to a non-root uid -# in a multithreaded application will cause the resulting uids, -# gids, supplementary groups, and capabilities in that thread -# to be propagated to the other threads of the process. In most -# cases this is unnecessary, as glibc will emulate this behavior -# on behalf of the application. Other libcs do not act in the -# same way, allowing the other threads of the process to continue -# running with root privileges. If the sysctl option is enabled, -# a sysctl option with name "consistent_setxid" is created. -kernel.grsecurity.consistent_setxid = 1 - -# If you say Y here, access to overly-permissive IPC objects (shared -# memory, message queues, and semaphores) will be denied for processes -# given the following criteria beyond normal permission checks: -# 1) If the IPC object is world-accessible and the euid doesn't match -# that of the creator or current uid for the IPC object -# 2) If the IPC object is group-accessible and the egid doesn't -# match that of the creator or current gid for the IPC object -# It's a common error to grant too much permission to these objects, -# with impact ranging from denial of service and information leaking to -# privilege escalation. This feature was developed in response to -# research by Tim Brown: -# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ -# who found hundreds of such insecure usages. Processes with -# CAP_IPC_OWNER are still permitted to access these IPC objects. -# If the sysctl option is enabled, a sysctl option with name -# "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 - -# If you say Y here, you will be able to choose a gid to add to the -# supplementary groups of users you want to mark as "untrusted." -# These users will not be able to execute any files that are not in -# root-owned directories writable only by root. If the sysctl option -# is enabled, a sysctl option with name "tpe" is created. -kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 100 - -# If you say Y here, the group you specify in the TPE configuration will -# decide what group TPE restrictions will be *disabled* for. This -# option is useful if you want TPE restrictions to be applied to most -# users on the system. If the sysctl option is enabled, a sysctl option -# with name "tpe_invert" is created. Unlike other sysctl options, this -# entry will default to on for backward-compatibility. -kernel.grsecurity.tpe_invert = 0 - -# If you say Y here, all non-root users will be covered under -# a weaker TPE restriction. This is separate from, and in addition to, -# the main TPE options that you have selected elsewhere. Thus, if a -# "trusted" GID is chosen, this restriction applies to even that GID. -# Under this restriction, all non-root users will only be allowed to -# execute files in directories they own that are not group or -# world-writable, or in directories owned by root and writable only by -# root. If the sysctl option is enabled, a sysctl option with name -# "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 1 - - -kernel.grsecurity.harden_tty = 1 - # # Network Protections # @@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 - # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 @@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800 # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 -# If you say Y here, neither TCP resets nor ICMP -# destination-unreachable packets will be sent in response to packets -# sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature -# makes a host more resilient to DoS attacks and reduces network -# visibility against scanners. -# -# The blackhole feature as-implemented is equivalent to the FreeBSD -# blackhole feature, as it prevents RST responses to all packets, not -# just SYNs. Under most application behavior this causes no -# problems, but applications (like haproxy) may not close certain -# connections in a way that cleanly terminates them on the remote -# end, leaving the remote host in LAST_ACK state. Because of this -# side-effect and to prevent intentional LAST_ACK DoSes, this -# feature also adds automatic mitigation against such attacks. -# The mitigation drastically reduces the amount of time a socket -# can spend in LAST_ACK state. If you're using haproxy and not -# all servers it connects to have this option enabled, consider -# disabling this feature on the haproxy host. -# -# If the sysctl option is enabled, two sysctl options with names -# "ip_blackhole" and "lastack_retries" will be created. -# While "ip_blackhole" takes the standard zero/non-zero on/off -# toggle, "lastack_retries" uses the same kinds of values as -# "tcp_retries1" and "tcp_retries2". The default value of 4 -# prevents a socket from lasting more than 45 seconds in LAST_ACK -# state. -kernel.grsecurity.ip_blackhole = 1 -kernel.grsecurity.lastack_retries = 4 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine or run server -# applications from your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_all" is created. -kernel.grsecurity.socket_all = 1 - -# Here you can choose the GID to disable socket access for. Remember to -# add the users you want socket access disabled for to the GID -# specified here. If the sysctl option is enabled, a sysctl option -# with name "socket_all_gid" is created. -kernel.grsecurity.socket_all_gid = 200 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_client = 1 - -# Here you can choose the GID to disable client socket access for. -# Remember to add the users you want client socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_client_gid" is created. -kernel.grsecurity.socket_client_gid = 201 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_server = 1 - -# Here you can choose the GID to disable server socket access for. -# Remember to add the users you want server socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_server_gid" is created. -kernel.grsecurity.socket_server_gid = 99 - -# -# Physical Protections -# - -# If you say Y here, a new sysctl option with name "deny_new_usb" -# will be created. Setting its value to 1 will prevent any new -# USB devices from being recognized by the OS. Any attempted USB -# device insertion will be logged. This option is intended to be -# used against custom USB devices designed to exploit vulnerabilities -# in various USB device drivers. -# -# For greatest effectiveness, this sysctl should be set after any -# relevant init scripts. This option is safe to enable in distros -# as each user can choose whether or not to toggle the sysctl. -kernel.grsecurity.deny_new_usb = 0 - -# -# Restrict grsec sysctl changes after this was set -# -kernel.grsecurity.grsec_lock = 0 - # End of file diff --git a/core/configure.html b/core/configure.html index 90c97ea..cdb51a4 100644 --- a/core/configure.html +++ b/core/configure.html @@ -18,22 +18,26 @@ </pre> <pre> - $ export BLK_EFI=/dev/sda1 - $ export BLK_BOOT=/dev/sda2 - $ export BLK_ROOT=/dev/sda3 - $ export BLK_VAR=/dev/sda5 - $ export BLK_USR=/dev/sda7 + $ export BLK_EFI=/dev/sda2 + $ export BLK_BOOT=/dev/sda3 + $ export BLK_ROOT=/dev/vg_system/lv_root + $ export BLK_VAR=/dev/vg_system/lv_var - $ export BLK_HOME=/dev/sda8 + $ export BLK_HOME=/dev/vg_system/lv_home $ sudo mount $BLK_BOOT $CHROOT/boot $ sudo mount $BLK_EFI $CHROOT/boot/efi $ sudo mount $BLK_VAR $CHROOT/var - $ sudo mount $BLK_USR $CHROOT/usr - $ sudo mount $BLK_HOME $CHROOT/home </pre> + <p>If using separate /usr partition;</p> + <pre> + $ export BLK_USR=/dev/vg_system/lv_usr + $ sudo mount $BLK_USR $CHROOT/usr + </pre> + + <p>Now you can chroot;</p> <pre> @@ -186,7 +190,7 @@ <pre> # useradd -U -m -k /etc/skel -s /bin/bash username - # usermod -G adm,wheel,audio,video username + # usermod -G adm,wheel,audio,input,video,users username # passwd username </pre> @@ -271,7 +275,7 @@ <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/exim.html b/core/exim.html index 7e1fd28..3b86bb7 100644 --- a/core/exim.html +++ b/core/exim.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.6. Exim</title> + <title>2.5. Exim</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.6. Exim</h1> + <h1>2.5. Exim</h1> - <h2 id="conf">2.6.1. Exim Configuration</h2> + <h2 id="conf">2.5.1. Exim Configuration</h2> <p>Exim come with default configuration we will change to mach system settings <a href="conf/etc/exim/exim.conf">/etc/exim/exim.conf</a>.</p> @@ -17,7 +17,7 @@ $ sudo prt-get depinst mailx </pre> - <h2 id="cert">2.6.2. Certificates</h2> + <h2 id="cert">2.5.2. Certificates</h2> <p>Exim creates a key for you if you just copy exim.conf and start daemon;</p> @@ -64,7 +64,7 @@ # chmod 644 /etc/ssl/certs/exim.cert </pre> - <h2 id="alias">2.6.3. Aliases</h2> + <h2 id="alias">2.5.3. Aliases</h2> <p>Exim come with default aliases we will change to mach system settings <a href="conf/etc/exim/aliases">/etc/exim/aliases;</a></p> @@ -109,7 +109,7 @@ #### </pre> - <h2 id="smarthost">2.6.4. Smarthost</h2> + <h2 id="smarthost">2.5.4. Smarthost</h2> <p>Tony Finch publish a nice <a href="http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/exim/etc/etc.cam/configure">configuration reference</a>. @@ -133,7 +133,7 @@ # exim -bt bob@remote.com </pre> - <h2 id="fetchmail">2.6. Fetchmail</h2> + <h2 id="fetchmail">2.5. Fetchmail</h2> <pre> $ prt-get depinst fetchmail diff --git a/core/hardening.html b/core/hardening.html index 1455398..d94cda6 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -2,30 +2,146 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2. Hardening</title> + <title>2.6. Hardening</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.2. Hardening</h1> + <h1>2.6. Hardening</h1> - <p>Check <a href="apparmor.html">apparmor</a>, - <a href="sysctl.html">sysctl</a>, - <a href="toolchain.html">toolchain</a> and - <a href="samhain.html">samhain</a> before running tests.</p> + <h2>2.6.0.2 System security</h2> - <p>Mount some filesystems in read only</p> - <p>Check processes running as root</p> - <p>Check processes users premissions</p> + <dl> + <dt>File systems</dt> + <dd>Check <a href="install.html#fstab">fstab</a> and current mount options. Mount filesystems in read only, only strict necessary in rw.</dd> + <dt>Sys</dt> + <dd>Check kernel settings with <a href="sysctl.html">sysctl</a>.</dd> + <dd>kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.</dd> + <dt>Iptables</dt> + <dd>Check if <a href="network.html#iptables">iptables</a> rules are loaded and are correctly logging.(firewald works as API to iptables).</dd> + <dt>Apparmor</dt> + <dd>Check if <a href="apparmor.html">apparmor</a> is active and enforcing policies.</dd> + <dt>Samhain</dt> + <dd>Check if <a href="samhain.html">samhain</a> is running.</dd> + <dt>Toolchain</dt> + <dd>Build ports using hardened <a href="toolchain.html">toolchain</a> settings.</dd> + </dl> + + + <pre> + $ sudo prt-get depinst checksec + </pre> + + <h2>2.6.0.1 System configuration</h2> + + <h3>1.1 - Users groups, passwords and sudo.</h3> + + <p>Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"</p> + + <p>Maintain, secure with hash, and enforce secure passwords with pam-cracklib.</p> + + + <h3>1.2 - Linux PAM</h3> + + <p>Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.</p> + + <p>Check files (processes) set uid and set gid;</p> + + <pre> + # find / -perm -4000 >> /root/setuid_files + # find / -perm 2000 >> /root/setguid_files + </pre> + + <p>To setuid (4744);</p> + + <pre> + # chmod u+s filename + </pre> + + <p>To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);</p> + + <pre> + # chmod u-s /usr/bin/su + # chmod u-s /usr/bin/X + </pre> + + <p>To set gid (2744)</p> + <pre> + # chmod g+s filename + </pre> + <p>To remove (0774);</p> + <pre> + # chmod g-s filename + </pre> + + <p>Check files (processes); getfacl filename.</p> + , disable admins and root from sshd.</p> + + <h3>1.3. Capabilities</h3> + + <p>Check capabilities;</p> + <pre> + # getcap filename + </pre> + + <dd>1.9 - Limit number of processes.</dd> + <dd>1.10 - Lock user after 3 failed loggins.</dd> + <dd>1.8 - Block host ip based on iptable and services + abuse.</dd> + </dl> + + <h3>1.4 Sudo</h3> + + <p>Check sudo, sudoers and sudo replay.</p> + + <p>Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;</p> + + <pre> + $ export SUDO_EDITOR=vim + </pre> + + <p>Set rvim as default on sudo config;</p> + + <pre> + # visudo + + Defaults editor=/usr/bin/rvim + </pre> + + <p>Once sudo is correctly configured, disable root login;</p> + + <pre> + # passwd --lock root + </pre> + + <h3>1.5 Auditd</h3> + + <pre> + $ prt-get depinst audit + </pre> + + <p>Example audit when file /etc/passwd get modified;</p> + + <pre> + $ auditctl -w /etc/passwd -p wa -k passwd_changes + </pre> + + <p>Audit when a module get's loaded;</p> + + <pre> + # auditctl -w /sbin/insmod -p x -k module_insertion + </pre> + + <h2>2.6.0.2 Lynis</h2> <pre> - $ sudo prt-get depinst checksec lynis + $ sudo prt-get depinst lynis </pre> - <p>Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;</p> + <p>Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;</p> <pre> $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf @@ -44,7 +160,7 @@ <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/index.html b/core/index.html index 87330b1..20e50af 100644 --- a/core/index.html +++ b/core/index.html @@ -45,16 +45,17 @@ <li><a href="configure.html#locale">1.2.3. Set lacale</a></li> <li><a href="configure.html#user">1.2.4. Users</a></li> <li><a href="configure.html#fstab">1.2.5. File system table</a></li> - <li><a href="configure.html#rcconf">1.2.6. Initialization Scripts</a></li> + <li><a href="configure.html#rcconf">1.2.6. Initialization scripts</a></li> </ul> </li> <li><a href="ports.html">1.3. Ports</a> <ul> - <li><a href="ports.html#filesystem">1.3.1. Ports Layout</a></li> + <li><a href="ports.html#filesystem">1.3.1. Ports layout</a></li> <li><a href="ports.html#fakeroot">1.3.2. Build as user</a></li> <li><a href="ports.html#pkgmk">1.3.3. Configure pkgmk</a></li> <li><a href="ports.html#prtget">1.3.4. Configure prt-get</a></li> + <li><a href="ports.html#distcc">1.3.5. Ccache and distcc</a></li> </ul> </li> @@ -103,48 +104,47 @@ <li><a href="linux.html#remove">2.1.6. Remove</a></li> </ul> </li> - <li><a href="hardening.html">2.2. Hardening</a> + <li><a href="network.html">2.2. Network</a> <ul> - <li><a href="apparmor.html">2.2.1. AppArmor</a></li> - <li><a href="sysctl.html">2.2.2. Sysctl</a></li> - <li><a href="toolchain.html">2.2.3. Toolchain</a></li> - <li><a href="samhain.html">2.2.4. Samhain</a></li> + <li><a href="network.html#resolv">2.2.1. Resolver</a></li> + <li><a href="network.html#static">2.2.2. Static ip</a></li> + <li><a href="network.html#iptables">2.2.3. Iptables</a></li> + <li><a href="network.html#wpa">2.2.4. Wpa and dhcpd</a></li> + <li><a href="network.html#nm">2.2.5. NetworkManager</a></li> </ul> </li> - <li><a href="network.html">2.3. Network</a> + <li><a href="package.html">2.3. Package Management</a> <ul> - <li><a href="network.html#resolv">2.3.1. Resolver</a></li> - <li><a href="network.html#static">2.3.2. Static ip</a></li> - <li><a href="network.html#iptables">2.3.3. Iptables</a></li> - <li><a href="network.html#wpa">2.3.4. Wpa and dhcpd</a></li> + <li><a href="package.html#sysup">2.3.1. Update system</a></li> + <li><a href="package.html#depinst">2.3.2. Install ports and dependencies</a></li> + <li><a href="package.html#ports">2.3.3. Ports collections</a></li> + <li><a href="package.html#info">2.3.3. Show port information</a></li> + <li><a href="package.html#depends">2.3.4. Show port dependencies</a></li> + <li><a href="package.html#printf">2.3.5. Print information</a></li> </ul> </li> - - <li><a href="package.html">2.4. Package Management</a> + <li><a href="tty-terminal.html">2.4. Terminals and shells</a> <ul> - <li><a href="package.html#sysup">2.4.1. Update system</a></li> - <li><a href="package.html#depinst">2.4.2. Install ports and dependencies</a></li> - <li><a href="package.html#ports">2.4.3. Ports collections</a></li> - <li><a href="package.html#info">2.4.3. Show port information</a></li> - <li><a href="package.html#depends">2.4.4. Show port dependencies</a></li> - <li><a href="package.html#printf">2.4.5. Print information</a></li> + <li><a href="dash.html">2.4.1. Dash</a></li> + <li><a href="bash.html">2.4.2. Bash</a></li> + <li><a href="tmux.html">2.4.3. Tmux</a></li> </ul> </li> - - <li><a href="tty-terminal.html">2.5. Terminals and shells</a> + <li><a href="exim.html">2.5. Exim</a> <ul> - <li><a href="dash.html">2.5.1. Dash</a></li> - <li><a href="bash.html">2.5.2. Bash</a></li> - <li><a href="tmux.html">2.5.3. Tmux</a></li> + <li><a href="exim.html#conf">2.5.1. Exim configuration</a></li> + <li><a href="exim.html#cert">2.5.2. Certificates</a></li> + <li><a href="exim.html#alias">2.5.3. Aliases</a></li> + <li><a href="exim.html#smarthost">2.5.4. Smarthost</a></li> + <li><a href="exim.html#fetchmail">2.5.5. Fetchmail</a></li> </ul> </li> - <li><a href="exim.html">2.6. Exim</a> + <li><a href="hardening.html">2.6. Hardening</a> <ul> - <li><a href="exim.html#conf">2.6.1. Exim configuration</a></li> - <li><a href="exim.html#cert">2.6.2. Certificates</a></li> - <li><a href="exim.html#alias">2.6.3. Aliases</a></li> - <li><a href="exim.html#smarthost">2.6.4. Smarthost</a></li> - <li><a href="exim.html#fetchmail">2.6.5. Fetchmail</a></li> + <li><a href="apparmor.html">2.6.1. AppArmor</a></li> + <li><a href="sysctl.html">2.6.2. Sysctl</a></li> + <li><a href="toolchain.html">2.6.3. Toolchain</a></li> + <li><a href="samhain.html">2.6.4. Samhain</a></li> </ul> </li> diff --git a/core/install.html b/core/install.html index 69a82cf..1526c12 100644 --- a/core/install.html +++ b/core/install.html @@ -43,13 +43,14 @@ <h2 id="step2">1.1.2. Prepare target</h2> <p>Prepare disk or target location where new system will - be installed. Follow steps describe how to create efi and - separate partitions such as; - bios grub, EFI, boot, root, var, usr, swap and home. + be installed. Follow steps describe how to create efi system, + for bios_boot systems is only needed the boot partition in + the beginning of the disk and can use ext4 file system for example. For more information about gpt partitions table read - <a href="http://devil-detail.blogspot.com/2013/07/install-grub2-on-gpt-disk-dedicated-partition.html">devil-detail grub2 on gpt</a>. - Script <a href="scripts/setup-target.sh">setup-target.sh</a> - creates follow partitions;</p> + <a href="http://devil-detail.blogspot.com/2013/07/install-grub2-on-gpt-disk-dedicated-partition.html">devil-detail grub2 on gpt</a>. Script <a href="scripts/setup-target.sh">setup-target.sh</a> help to create partitions + scripts.</p> + + </p> <p>Create gpt label and set unit size to use;</p> @@ -93,14 +94,40 @@ <h3>/</h3> + <p>There are different ways to achieve disk encryption, + the method described uses cryptosetup to create cryptodevice + with <a href="../tools/lvm.html">lvm</a> inside containing + root and other partitions such as; + var, usr, swap and home. + + <pre> + (parted) mkpart primary 1132 100% + (parted) set 4 lvm on + </pre> + + <p>Create encrypted block for lvm;</p> + + <pre> + # modprobe dm-crypt + # cryptsetup luksFormat /dev/sda4 + # cryptsetup luksOpen /dev/sda4 cryptlvm + </pre> + + <p>Create physical group and volume group;</p> + + <pre> + # pvcreate /dev/mapper/cryptlvm + # vgcreate vg_system /dev/mapper/cryptlvm + </pre> + <p>Core collection installation on root partition uses approximately 2G. Partition with 8G-20G is recommended for a server or desktop with dedicated ports partition or using only compiled packages. Partition size 20G;</p> + <pre> - (parted) mkpart primary ext4 1132 21132 - (parted) name 4 root + # lvcreate -L 20G -n lv_root vg_system </pre> <h3>/var</h3> @@ -109,8 +136,7 @@ system is configured. Partition size 2G;</p> <pre> - (parted) mkpart primary ext4 21132 23132 - (parted) name 5 var + # lvcreate -L 2G -n lv_var vg_system </pre> <h3>Swap (ram)</h3> @@ -119,27 +145,19 @@ memory ram, ports system will be configured to build on ram. To build firefox is necessary at least 34G. Partition size 4G;</p> - <p>Is better to create swap partition later using - <a href="../tools/lvm.html">lvm</a>.</p> - <pre> - (parted) mkpart primary linux-swap 23132 27132 - (parted) name 6 swap + # lvcreate -L 4G -n lv_swap vg_system </pre> <h3>/home</h3> - <p>Home partition on desktop fill the rest of disk - space while on server this partition can be unnecessary. + <p>On desktop fill the rest of disk space while on server + this partition can be replaced with /srv. Fill the rest of disk space;</p> - <p>Is better to create home partition later using - <a href="../tools/lvm.html">lvm</a>.</p> - <pre> - (parted) mkpart primary ext4 27132 100% - (parted) name 7 home + # lvcreate -L 120G -n lv_home vg_system </pre> <h3>Create filesystems</h3> @@ -147,32 +165,33 @@ <pre> $ sudo mkfs.fat -F 32 /dev/sda2 $ sudo mkfs.ext4 /dev/sda3 - $ sudo mkfs.ext4 /dev/sda4 - $ sudo mkfs.ext4 /dev/sda5 - $ sudo mkswap /dev/sda6 - $ sudo mkfs.ext4 /dev/sda7 + $ sudo mkfs.ext4 /dev/vg_system/lv_root + $ sudo mkfs.ext4 /dev/vg_system/lv_var + $ sudo mkswap /dev/vg_system/lv_swap + $ sudo mkfs.ext4 /dev/vg_system/lv_home </pre> <h2 id="step3">1.1.3. Prepare Install</h2> <p>From now on script - <a href="scripts/setup-install.sh">setup-install.sh</a> - create file systems, install packages, configure host - metadata and setup ports;</p> + <a href="scripts/setup-target.sh">setup-target.sh</a> + create file systems, <a href="scripts/install-core.sh">install-core.sh</a> install core packages and + <a href="scripts/setup-core.sh">setup-core.sh</a> + configure host metadata and setup ports;</p> - <p>Export target root partition;</p> + <p>Export target root partition;</p> - <pre> - $ export BLK_ROOT=/dev/sda - </pre> + <pre> + $ export BLK_ROOT=/dev/vg_system/lv_root + </pre> - <p>Export target root directory you want to install;</p> + <p>Export target root directory you want to install;</p> <pre> $ export CHROOT=/mnt </pre> - <p>If you are installing to a directory and not partitions you don't need to mount;</p> + <p>If you are installing to a directory and not partitions you don't need to mount;</p> <pre> $ sudo mount $BLK_ROOT $CHROOT @@ -191,11 +210,11 @@ $ sudo mkdir -p $CHROOT/tmp $ sudo mkdir -p $CHROOT/proc $ sudo mkdir -p $CHROOT/sys - </pre> + </pre> - <p>If partition layout is different or target is a directory is not necessary to mount, create only the directories;</p> + <p>If partition layout is different or target is a directory is not necessary to mount, create only the directories;</p> - <pre> + <pre> $ sudo mount $BLK_BOOT $CHROOT/boot $ sudo mkdir -p $CHROOT/boot/efi $ sudo mount $BLK_EFI $CHROOT/boot/efi @@ -296,6 +315,17 @@ pkgadd /usr/ports/packages/efivar#* pkgadd /usr/ports/packages/efibootmgr#* pkgadd /usr/ports/packages/dosfstools#* + pkgadd /usr/ports/packages/ported#* + pkgadd /usr/ports/packages/libgcrypt#* + pkgadd /usr/ports/packages/cryptsetup#* + pkgadd /usr/ports/packages/popt#* + pkgadd /usr/ports/packages/libgpg-error#* + pkgadd /usr/ports/packages/libevent#* + pkgadd /usr/ports/packages/libtirpc#* + pkgadd /usr/ports/packages/git#* + pkgadd /usr/ports/packages/tmux#* + pkgadd /usr/ports/packages/prt-utils#* + pkgadd /usr/ports/packages/elfutils#* </pre> <pre> @@ -343,7 +373,7 @@ <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/network.html b/core/network.html index 5913845..4a412ad 100644 --- a/core/network.html +++ b/core/network.html @@ -2,14 +2,15 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.3. Network</title> + <title>2.2. Network</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.3. Network</h1> + <h1>2.2. Network</h1> - <p>Operation of the network can be handle with init scripts;</p> + <p>Operation of the network can be handle with init scripts or with + <a href="#nm">network manager</a>;</p> <dl> <dt><a href="conf/rc.d/iptables">/etc/rc.d/iptables</a></dt> @@ -24,11 +25,13 @@ <dd>Configure Wireless interface, launch wpa_supplicant to handle wireless authenticationand dynamic (dhcp) connection to router and add as default gateway.</dd> + <dt><a href="conf/rc.d/wlan">/etc/rc.d/networkmanager</a></dt> + <dd>Use network manager to handle connections.</dd> </dl> - <p>Choose wireless or net as connection to outside world and configure - <a href="conf/rc.conf">/etc/rc.conf</a> to run at startup, example - connecting using wireless interface;</p> + <p>Choose wireless (wlan), cable network (net) or network manager in + <a href="conf/rc.conf">/etc/rc.conf</a> to handle configuration of the + network at startup, example using network manager;</p> <pre> # @@ -40,7 +43,7 @@ TIMEZONE="Europe/Lisbon" HOSTNAME=machine SYSLOG=sysklogd - SERVICES=(lo iptables wlan crond) + SERVICES=(lo iptables networkmanager crond) # End of file </pre> @@ -49,7 +52,7 @@ described scripts then proceed to <a href="package.html#sysup">update system.</a></p> - <h2 id="resolv">2.3.1. Resolver</h2> + <h2 id="resolv">2.2.1. Resolver</h2> <p>This example will use <a href="http://www.chaoscomputerclub.de/en/censorship/dns-howto">Chaos Computer Club</a> @@ -57,7 +60,7 @@ <pre> # /etc/resolv.conf.head can replace this line - nameserver 213.73.91.35 + nameserver 2.2.73.91.35 # /etc/resolv.conf.tail can replace this line </pre> @@ -65,7 +68,7 @@ # chattr +i /etc/resolv.conf </pre> - <h2 id="static">2.3.2. Static IP</h2> + <h2 id="static">2.2.2. Static IP</h2> <p>Current example of <a href="conf/rc.d/net">/etc/rc.d/net</a>;</p> @@ -112,37 +115,11 @@ # ip route add default via ${GW} </pre> - <h2 id="iptables">2.3.3. Iptables</h2> + <h2 id="iptables">2.2.3. Iptables</h2> <p>For more information about firewall systems read arch wiki <a href="https://wiki.archlinux.org/index.php/Iptables">iptables</a> - an <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> - - <p>To setup iptables rules a set of scripts is used, init script - <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> - loads set of rules from file /etc/iptables/net.v4 at boot time. - Start option "open" option allows everything to outside - and blocks everything from outside, "stop" will block and log - everything. Setup init script and rules ;</p> - - <pre> - # mkdir /etc/iptables - # cp core/conf/iptables/net.v4 /etc/iptables/ - # cp core/conf/rc.d/iptables /etc/rc.d/ - # chmod +x /etc/rc.d/iptables - </pre> - - <p>Change /etc/rc.conf and add iptables;</p> - - <pre> - SERVICES=(iptables lo net crond) - </pre> - - <p>See current rules and packets counts;</p> - - <pre> - # iptables -L -n -v | less - </pre> + and <a href="https://wiki.archlinux.org/index.php/nftables">nftables</a>.</p> <p>Diagram of a package route throw iptables;</p> @@ -286,74 +263,44 @@ -c, --set-counters packets bytes </pre> - <h3 id="ipt_server">2.3.3.1. Server iptables</h3> - - <p>Adjust <a href="scripts/iptables.sh">iptables.sh</a> with - your network configuration then run it;</p> - - <p>Default configuration;</p> + <p>See current rules and packets counts;</p> <pre> - server) - - echo "Setting server network..." - ####### Input Chain ###### - $IPT -A INPUT -j blocker - - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${DNS} -j cli_dns_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_https_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_ssh_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -s ${BR_NET} -j srv_git_in - $IPT -A INPUT -i ${PUB_IF} -d ${PUB_IP} -j cli_https_in - - ####### Output Chain ###### - $IPT -A OUTPUT -j blocker - - $IPT -A OUTPUT -o ${PUB_IF} -d ${DNS} -s ${PUB_IP} -j cli_dns_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_https_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_ssh_out - $IPT -A OUTPUT -o ${PUB_IF} -d ${BR_NET} -s ${PUB_IP} -j srv_git_out - $IPT -A OUTPUT -o ${PUB_IF} -s ${PUB_IP} -j cli_https_out + # iptables -L -n -v | less + </pre> - ## log everything else and drop - iptables_log + <h3 id="ipt_scripts">2.2.3.1. Iptable scripts</h3> - iptables-save > /etc/iptables/net.v4 - exit 0 + <p>Scripts help to setup iptables rules so they can be saved using iptables-save + and later restored using iptables-restore utilities. Init script + <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> + loads set of rules from /etc/iptables folder at boot time. + Start option "open" option allows everything to outside + and blocks new connections from outside, "stop" will block and log + everything.</p> - ;; - </pre> + <p>Setup init script and rules;</p> <pre> - # bash core/scripts/iptables.sh + # mkdir /etc/iptables + # cp core/conf/iptables/net.v4 /etc/iptables/ + # cp core/conf/rc.d/iptables /etc/rc.d/ + # chmod +x /etc/rc.d/iptables </pre> - <h3 id="ipt_client">2.3.3.2. Client iptables </h3> - - <p></p> - <h3 id="ipt_client">2.3.3.3. Bridge iptables</h3> + <p>Change /etc/rc.conf and add iptables;</p> <pre> - $IPT -A FORWARD -j blocker - $IPT -A FORWARD -i lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - $IPT -A FORWARD -o lo -s 127.0.0.0/8 -d 127.0.0.0/8 -j ACCEPT - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -d ${BR_NET} -j srv_ssh_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_ssh_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_https_in - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_https_out - - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_rip + SERVICES=(iptables lo net crond) + </pre> - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j srv_dhcp - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j srv_dhcp + <p>Change <a href="conf/rc.d/iptables">/etc/rc.d/iptables</a> and define type; server, bridge or open.</p> - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in tap2 --physdev-out ${PUB_IF} -j cli_https_out - $IPT -A FORWARD -i ${BR_IF} -o ${BR_IF} -m physdev --physdev-in ${PUB_IF} --physdev-out tap2 -j cli_https_in - <pre> + <p>Adjust <a href="conf/ipt-conf.sh">/etc/iptables/ipt-conf.sh</a> + with your network configuration, and adjust + <a href="conf/ipt-server.sh">/etc/iptables/ipt-server.sh</a>, <a href="conf/ipt-bridge.sh">/etc/iptables/ipt-bridge.sh</a>, <a href="conf/ipt-open.sh">/etc/iptables/ipt-open.sh</a> according with host necessities.</p> - <h2 id="wpa">2.3.4. Wpa and dhcpd</h2> + <h2 id="wpa">2.2.4. Wpa and dhcpd</h2> <p>There is more information on <a href="http://crux.nu/Wiki/WifiStartScripts">Wiki Wifi Start Scripts</a> and @@ -371,7 +318,7 @@ # iwconfig wlp2s0 essid NAME key s:ABCDE12345 </pre> - <h3>2.3.4.1. Wpa Supplicant</h3> + <h3>2.2.4.1. Wpa Supplicant</h3> <p>Configure wpa supplicant edit;</p> @@ -401,7 +348,7 @@ init script to auto load wpa configuration and dhcp client.</p> - <h3>2.3.4.2. Wpa Cli</h3> + <h3>2.2.4.2. Wpa Cli</h3> <pre> # wpa_cli @@ -440,11 +387,39 @@ > save_config </pre> + <h2 id="nm">2.2.5. Network Manager</h2> + + <p>Wifi status;</p> + + <pre> + $ nmcli radio wifi + $ nmcli radio wifi on + </pre> + + <p>List wifi networks;</p> + + <pre> + $ nmcli device wifi rescan + $ nmcli device wifi list + </pre> + + <p>Connect to a wifi network;</p> + + <pre> + $ nmcli device wifi connect "network name" password "network password" + </pre> + + <p>Edit and save network configuration;</p> + + <pre> + $ nmcli connection edit "network name" + nmcli> save persistent + </pre> <a href="index.html">Core OS Index</a> <p> This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/package.html b/core/package.html index e0f8eae..974ead2 100644 --- a/core/package.html +++ b/core/package.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.4. Package Management</title> + <title>2.3. Package Management</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.4. Package Management</h1> + <h1>2.3. Package Management</h1> <p>For more information read crux handbook Package management front-end: @@ -57,7 +57,7 @@ $ prt-get depinst prt-utils prt-get-bashcompletion </pre> - <h2 id="sysup">2.4.1. Update System</h2> + <h2 id="sysup">2.3.1. Update System</h2> <p>Before build software get latest version of port collections;</p> @@ -87,7 +87,7 @@ $ prt-get update -fr $(revdep) </pre> - <h2 id="depinst">2.4.2. Install port and dependencies</h2> + <h2 id="depinst">2.3.2. Install port and dependencies</h2> <p>Installing using prt-get tool;</p> @@ -108,10 +108,10 @@ $ sudo pkgadd /usr/ports/packages/git#2.9.3-1.pkg.tar.gz </pre> - <p>If you user pkgmk and pkgadd allways check if README, pre and post + <p>If you user pkgmk and pkgadd allways check if README, pre and post instal files exist.</p> - <h3 id="ports">2.4.3. Ports collections</h3> + <h3 id="ports">2.3.3. Ports collections</h3> <p>Clone this documentation;</p> @@ -132,23 +132,21 @@ prtdir /usr/ports/contrib # ports described on this documentation - prtdir /usr/ports/machine-ports + prtdir /usr/ports/ports # 6c37 team provides a collection with freetype-iu, fontconfig-iu # and cairo-iu ports. - prtdir /usr/ports/6c37-dropin - prtdir /usr/ports/6c37 + # prtdir /usr/ports/6c37-dropin + # prtdir /usr/ports/6c37 </pre> <p>Get new ports;</p> <pre> - $ sudo ports -u machine-ports - $ sudo ports -u 6c37-dropin - $ sudo ports -u 6c37 + $ sudo ports -u ports </pre> - <h2 id="info">2.4.4. Show port information</h2> + <h2 id="info">2.3.4. Show port information</h2> <pre> $ prt-get info port_name @@ -166,13 +164,13 @@ $ pkginfo -o filename </pre> - <h2 id="depends">2.4.5. Show port dependencies</h2> + <h2 id="depends">2.3.5. Show port dependencies</h2> <pre> $ prt-get depends port_name </pre> - <h2 id="printf">2.4.6. Print information</h2> + <h2 id="printf">2.3.6. Print information</h2> <p>Example how to get ports installed from contrib. Maybe there is a "cleaner" way to this, for now is ok;</p> @@ -183,7 +181,7 @@ <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/ports.html b/core/ports.html index e921351..9d2f989 100644 --- a/core/ports.html +++ b/core/ports.html @@ -76,10 +76,11 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # - export CFLAGS="-O2 -g -march=x86-64 -pipe" + export CFLAGS="-O2 -march=x86-64" export CXXFLAGS="${CFLAGS}" - # export MAKEFLAGS="-j2" + export JOBS=$(nproc) + export MAKEFLAGS="-j $JOBS" case ${PKGMK_ARCH} in "64"|"") @@ -96,14 +97,16 @@ ;; esac - #PKGMK_SOURCE_MIRRORS=(http://machine.example.org/ports/distfiles/) + PKGMK_SOURCE_MIRRORS=(https://hive.gnu.systems/mirror-3.4/distfiles/) # PKGMK_SOURCE_DIR="$PWD" PKGMK_SOURCE_DIR="/usr/ports/distfiles" # PKGMK_PACKAGE_DIR="$PWD" PKGMK_PACKAGE_DIR="/usr/ports/packages" # PKGMK_WORK_DIR="$PWD/work" - PKGMK_WORK_DIR="/usr/ports/work/$name" + PKGMK_WORK_DIR="/usr/ports/work/${name}" # PKGMK_DOWNLOAD="no" + # PKGMK_IGNORE_SIGNATURE="no" + # PKGMK_IGNORE_MD5SUM="no" # PKGMK_IGNORE_FOOTPRINT="no" # PKGMK_IGNORE_NEW="no" # PKGMK_NO_STRIP="no" @@ -136,19 +139,16 @@ # note: the order matters: the package found first is used prtdir /usr/ports/core prtdir /usr/ports/opt - prtdir /usr/ports/contrib - prtdir /usr/ports/ports prtdir /usr/ports/xorg - # 6c37 team provides a collection with freetype-iu, fontconfig-iu - # and cairo-iu ports. - # the following line enables the multilib compat-32 collection #prtdir /usr/ports/compat-32 # the following line enables the user maintained contrib collection - # prtdir /usr/ports/6c37-dropin - # prtdir /usr/ports/6c37 + prtdir /usr/ports/contrib + prtdir /usr/ports/ports + prtdir /usr/ports/mate + prtdir /usr/ports/kde5 ### use mypackage form local directory # prtdir /home/packages/build:mypackage @@ -157,18 +157,18 @@ writelog enabled # (enabled|disabled) logmode overwrite # (append|overwrite) rmlog_on_success yes # (no|yes) - logfile /usr/ports/pkgbuild/%n-%v-%r.log + logfile /usr/ports/pkgbuild/%n.log # path, %p=path to port dir, %n=port name # %v=version, %r=release ### use alternate cache file (default: /var/lib/pkg/prt-get.cache # cachefile /mnt/nfs/cache - ### print readme information: + ### print README information: readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff - preferhigher no # (yes|no) + preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -177,20 +177,87 @@ ### --install-scripts option runscripts yes # (no|yes) - ### expert section ### ### alternative commands - makecommand sudo -h -u pkgmk fakeroot pkgmk + makecommand sudo -H -u pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh </pre> + <h2 id="distcc">1.3.5. Ccache and distcc</h2> + + <p>Ccache avoids same code to be compiled by saving + the output from compilers and identifying same + input by using hashes and distcc distributes + compiling process across machines.</p> + + <p>Don't set native or generic on /etc/pkgmk.conf.</p> + <pre> + $ prt-get depinst ccache distcc + </pre> + + <p>Configure pkgmk and define number of cores available, + in this example get dynamically Edit + <a href="conf/pkgmk.conf">/etc/pkgmk.conf</a> and + set ccaching directory and instructs to use distcc + backend;</p> + + <pre> + # ccache settings + export PATH="/usr/lib/ccache/:$PATH" + export CCACHE_DIR="/usr/ports/ccache" + export CCACHE_PREFIX="distcc" + export CCACHE_COMPILERCHECK="%compiler% -dumpversion; crux" + </pre> + + <p>Set distcc hosts and respective number of + cpu cores to send work, hosts names, exp; "worker" must + be configured on /etc/hosts.</p> + + <pre> + ### compile using distcc without ccache + ##export PATH="/usr/lib/distcc/:$PATH" + ##export DISTCC_HOSTS="localhost/4,lzo,cpp xborg/4,lzo,cpp" + ##export PUMP_BUILD=yes + + # distcc settings + export JOBS=$(/usr/bin/distcc -j 2> /dev/null) + export DISTCC_DIR="/usr/ports/distcc" + export MAKEFLAGS="-j ${JOBS}" + export SCONSFLAGS="$MAKEFLAGS" + + # local compile only + #export JOBS=$(nproc) + #export MAKEFLAGS="-j $JOBS" + </pre> + + <p>Configure distcc daemon, edit + /etc/rc.d/distccd;</p> + + <pre> + #!/usr/bin/env bash + # + # /etc/rc.d/distccd: start/stop distcc daemon + # + + . /etc/distcc.conf + if [ -z "$DISTCC_ALLOW" ]; then + </pre> + + <p>Create /etc/distcc.conf;</p> + + <pre> + DISTCC_ALLOW="10.0.0.0/8" + DISTCC_USER="pkgmk" + DISTCC_LOG_LEVEL="info" + </pre> + <a href="index.html">Core OS Index</a> <p> This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/samhain.html b/core/samhain.html index d28a6d2..a209864 100644 --- a/core/samhain.html +++ b/core/samhain.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.4. Samhain</title> + <title>2.6.4. Samhain</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="samhain">2.2.4. Samhain</h1> + <h1 id="samhain">2.6.4. Samhain</h1> <p>Read <a href="http://www.la-samhna.de/samhain/manual/">Samhain Manual</a>, @@ -37,7 +37,7 @@ <dd>log file</dd> </dl> - <h2 id="conf">2.2.4.1. Configure</h2> + <h2 id="conf">2.6.4.1. Configure</h2> <p>For more information on configuration check <a href="http://www.la-samhna.de/samhain/manual/filedef.htm">Monitoring Policies</a>. @@ -234,7 +234,7 @@ # samhain status </pre> - <h2 id="updatedb">2.2.4.2. Update database</h2> + <h2 id="updatedb">2.6.4.2. Update database</h2> <p><a href="http://www.la-samhna.de/samhain/manual/updating-the-file-signature-database.html">Manual</a>, You can update the database while the daemon is running, as long diff --git a/core/scripts/setup-target.sh b/core/scripts/setup-target.sh index ecbe018..69b8640 100755 --- a/core/scripts/setup-target.sh +++ b/core/scripts/setup-target.sh @@ -1,6 +1,7 @@ #!/bin/sh -DEV=/dev +DEV=/dev/sda +VG=vg_system SETUP_TARGET="print" CHROOT="/mnt" @@ -13,22 +14,21 @@ SCRIPTPATH=$(dirname "$SCRIPT") DIR=$(dirname "$SCRIPTPATH"); DIR_LOCAL="$(dirname $(dirname ${DIR}))/local"; -ISO_FILE="${DIR_LOCAL}/crux-3.4.iso" - ##read BLK_EFI BLK_EFI="${DEV}2" ##read BLK_BOOT BLK_BOOT="${DEV}3" ##read BLK_ROOT -BLK_ROOT="${DEV}4" +BLK_CRYPT="${DEV}4" +BLK_ROOT="/dev/$VG/lv_root" ##read BLK_VAR -BLK_VAR="${DEV}5" +BLK_VAR="/dev/${VG}/lv_var" ##read BLK_USR -BLK_USR="${DEV}6" +#BLK_USR="${DEV}6" ##read BLK_SWP -BLK_SWP="${DEV}7" +BLK_SWP="/dev/${VG}/lv_swap" ##read BLK_HOME -BLK_HOME="${DEV}8" +BLK_HOME="/dev/${VG}/lv_home" # First we define the function @@ -64,16 +64,21 @@ partition_target () { set 2 boot on \ mkpart primary ext4 125 1128 \ name 3 boot \ - mkpart primary ext4 1128 5128 \ - name 4 root \ - mkpart primary ext4 5128 6128 \ - name 5 var \ - mkpart primary ext4 6128 14128 \ - name 6 usr \ - mkpart primary linux-swap 14128 18128 \ - name 7 swap \ - mkpart primary ext4 18128 100% \ - name 8 home + mkpart primary 1128 100% \ + set 4 lvm on + + modprobe dm-crypt + cryptsetup luksFormat ${BLK_CRYPT} + cryptsetup luksOpen ${BLK_CRYPT} cryptlvm + + pvcreate /dev/mapper/cryptlvm + vgcreate ${VG} /dev/mapper/cryptlvm + + lvcreate -L 20G -n lv_root ${VG} + lvcreate -L 4G -n lv_var ${VG} + lvcreate -L 8G -n lv_swap ${VG} + lvcreate -L 120G -n lv_home ${VG} + } mount_target () { @@ -85,8 +90,8 @@ mount_target () { mkfs.ext4 $BLK_ROOT echo "1.1.2 Creating File System on $BLK_VAR with ext4:" mkfs.ext4 $BLK_VAR - echo "1.1.2 Creating File System on $BLK_USR with ext4:" - mkfs.ext4 $BLK_USR + #echo "1.1.2 Creating File System on $BLK_USR with ext4:" + #mkfs.ext4 $BLK_USR echo "1.1.2 Creating Swap File System on $BLK_SWP:" mkswap $BLK_SWP echo "1.1.2 Creating File System on $BLK_HOME with ext4:" @@ -104,8 +109,8 @@ mount_target () { mkdir -p $CHROOT/var mount $BLK_VAR $CHROOT/var - mkdir -p $CHROOT/usr - mount $BLK_USR $CHROOT/usr + #mkdir -p $CHROOT/usr + #mount $BLK_USR $CHROOT/usr mkdir -p $CHROOT/home mount $BLK_HOME $CHROOT/home @@ -152,16 +157,16 @@ enable_target () { print_target() { echo "Device: $DEV" echo "CHROOT: $CHROOT" - echo "ISO_FILE: $ISO_FILE" - echo "Option Selected: $SETUP_TARGET\n" + echo "Option Selected: $SETUP_TARGET" echo "1.1.2 EFI block; ($BLK_EFI)" echo "1.1.2 boot block; ($BLK_BOOT)" + echo "1.1.2 cryptlvm block; ($BLK_CRYPT)" echo "1.1.2 root block; ($BLK_ROOT)" echo "1.1.2 var block; ($BLK_VAR)" echo "1.1.2 usr block; ($BLK_USR)" echo "1.1.2 swap block; ($BLK_SWP)" - echo "1.1.2 home block; ($BLK_HOME)\n" + echo "1.1.2 home block; ($BLK_HOME)" } diff --git a/core/sysctl.html b/core/sysctl.html index d06afde..afee463 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,24 +2,18 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.2. Sysctl</title> + <title>2.6.2. Sysctl</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="sysctl">2.2.2. Sysctl</h1> + <h1 id="sysctl">2.6.2. Sysctl</h1> <p>Sysctl references <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>, <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>, - <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>, - <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p> - - <p>Since kernels on machine-ports have <a href="pax.grsecurity.net">PaX</a> - and <a href="http://grsecurity.net/announce.php">grsecurity</a>, - <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow - values;</p> + <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>.</p> <pre> # @@ -27,49 +21,20 @@ # kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + # Shared Memory #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 - # - # Memory Protections - # - - # If you say Y here, all ioperm and iopl calls will return an error. - # Ioperm and iopl can be used to modify the running kernel. - # Unfortunately, some programs need this access to operate properly, - # the most notable of which are XFree86 and hwclock. hwclock can be - # remedied by having RTC support in the kernel, so real-time - # clock support is enabled if this option is enabled, to ensure - # that hwclock operates correctly. - # - # If you're using XFree86 or a version of Xorg from 2012 or earlier, - # you may not be able to boot into a graphical environment with this - # option enabled. In this case, you should use the RBAC system instead. - kernel.grsecurity.disable_priv_io = 1 - - # If you say Y here, attempts to bruteforce exploits against forking - # daemons such as apache or sshd, as well as against suid/sgid binaries - # will be deterred. When a child of a forking daemon is killed by PaX - # or crashes due to an illegal instruction or other suspicious signal, - # the parent process will be delayed 30 seconds upon every subsequent - # fork until the administrator is able to assess the situation and - # restart the daemon. - # In the suid/sgid case, the attempt is logged, the user has all their - # existing instances of the suid/sgid binary terminated and will - # be unable to execute any suid/sgid binaries for 15 minutes. - # - # It is recommended that you also enable signal logging in the auditing - # section so that logs are generated when a process triggers a suspicious - # signal. - # If the sysctl option is enabled, a sysctl option with name - # "deter_bruteforce" is created. - kernel.grsecurity.deter_bruteforce = 1 + #Yama LSM by default + kernel.yama.ptrace_scope = 1 # # Filesystem Protections @@ -79,345 +44,15 @@ # Increase system file descriptor limit fs.file-max = 65535 - # If you say Y here, /tmp race exploits will be prevented, since users - # will no longer be able to follow symlinks owned by other users in - # world-writable +t directories (e.g. /tmp), unless the owner of the - # symlink is the owner of the directory. users will also not be - # able to hardlink to files they do not own. If the sysctl option is - # enabled, a sysctl option with name "linking_restrictions" is created. - kernel.grsecurity.linking_restrictions = 1 - - - # Apache's SymlinksIfOwnerMatch option has an inherent race condition - # that prevents it from being used as a security feature. As Apache - # verifies the symlink by performing a stat() against the target of - # the symlink before it is followed, an attacker can setup a symlink - # to point to a same-owned file, then replace the symlink with one - # that targets another user's file just after Apache "validates" the - # symlink -- a classic TOCTOU race. If you say Y here, a complete, - # race-free replacement for Apache's "SymlinksIfOwnerMatch" option - # will be in place for the group you specify. If the sysctl option - # is enabled, a sysctl option with name "enforce_symlinksifowner" is - # created. - kernel.grsecurity.enforce_symlinksifowner = 1 - kernel.grsecurity.symlinkown_gid = 15 - - # if you say Y here, users will not be able to write to FIFOs they don't - # own in world-writable +t directories (e.g. /tmp), unless the owner of - # the FIFO is the same owner of the directory it's held in. If the sysctl - # option is enabled, a sysctl option with name "fifo_restrictions" is - # created. - kernel.grsecurity.fifo_restrictions = 1 - - # If you say Y here, a sysctl option with name "romount_protect" will - # be created. By setting this option to 1 at runtime, filesystems - # will be protected in the following ways: - # * No new writable mounts will be allowed - # * Existing read-only mounts won't be able to be remounted read/write - # * Write operations will be denied on all block devices - # This option acts independently of grsec_lock: once it is set to 1, - # it cannot be turned off. Therefore, please be mindful of the resulting - # behavior if this option is enabled in an init script on a read-only - # filesystem. - # Also be aware that as with other root-focused features, GRKERNSEC_KMEM - # and GRKERNSEC_IO should be enabled and module loading disabled via - # config or at runtime. - # This feature is mainly intended for secure embedded systems. - #kernel.grsecurity.romount_protect = 1 - - # if you say Y here, the capabilities on all processes within a - # chroot jail will be lowered to stop module insertion, raw i/o, - # system and net admin tasks, rebooting the system, modifying immutable - # files, modifying IPC owned by another, and changing the system time. - # This is left an option because it can break some apps. Disable this - # if your chrooted apps are having problems performing those kinds of - # tasks. If the sysctl option is enabled, a sysctl option with - # name "chroot_caps" is created. - kernel.grsecurity.chroot_caps = 1 - - #kernel.grsecurity.chroot_deny_bad_rename = 1 - - # If you say Y here, processes inside a chroot will not be able to chmod - # or fchmod files to make them have suid or sgid bits. This protects - # against another published method of breaking a chroot. If the sysctl - # option is enabled, a sysctl option with name "chroot_deny_chmod" is - # created. - kernel.grsecurity.chroot_deny_chmod = 1 - - # If you say Y here, processes inside a chroot will not be able to chroot - # again outside the chroot. This is a widely used method of breaking - # out of a chroot jail and should not be allowed. If the sysctl - # option is enabled, a sysctl option with name - # "chroot_deny_chroot" is created. - kernel.grsecurity.chroot_deny_chroot = 1 - - # If you say Y here, a well-known method of breaking chroots by fchdir'ing - # to a file descriptor of the chrooting process that points to a directory - # outside the filesystem will be stopped. If the sysctl option - # is enabled, a sysctl option with name "chroot_deny_fchdir" is created. - kernel.grsecurity.chroot_deny_fchdir = 1 - - # If you say Y here, processes inside a chroot will not be allowed to - # mknod. The problem with using mknod inside a chroot is that it - # would allow an attacker to create a device entry that is the same - # as one on the physical root of your system, which could range from - # anything from the console device to a device for your harddrive (which - # they could then use to wipe the drive or steal data). It is recommended - # that you say Y here, unless you run into software incompatibilities. - # If the sysctl option is enabled, a sysctl option with name - # "chroot_deny_mknod" is created. - kernel.grsecurity.chroot_deny_mknod = 1 - - # If you say Y here, processes inside a chroot will not be able to - # mount or remount filesystems. If the sysctl option is enabled, a - # sysctl option with name "chroot_deny_mount" is created. - kernel.grsecurity.chroot_deny_mount = 1 - - # If you say Y here, processes inside a chroot will not be able to use - # a function called pivot_root() that was introduced in Linux 2.3.41. It - # works similar to chroot in that it changes the root filesystem. This - # function could be misused in a chrooted process to attempt to break out - # of the chroot, and therefore should not be allowed. If the sysctl - # option is enabled, a sysctl option with name "chroot_deny_pivot" is - # created. - kernel.grsecurity.chroot_deny_pivot = 1 - - # If you say Y here, processes inside a chroot will not be able to attach - # to shared memory segments that were created outside of the chroot jail. - # It is recommended that you say Y here. If the sysctl option is enabled, - # a sysctl option with name "chroot_deny_shmat" is created. - kernel.grsecurity.chroot_deny_shmat = 1 - - # If you say Y here, an attacker in a chroot will not be able to - # write to sysctl entries, either by sysctl(2) or through a /proc - # interface. It is strongly recommended that you say Y here. If the - # sysctl option is enabled, a sysctl option with name - # "chroot_deny_sysctl" is created. - kernel.grsecurity.chroot_deny_sysctl = 1 - - # If you say Y here, processes inside a chroot will not be able to - # connect to abstract (meaning not belonging to a filesystem) Unix - # domain sockets that were bound outside of a chroot. It is recommended - # that you say Y here. If the sysctl option is enabled, a sysctl option - # with name "chroot_deny_unix" is created. - kernel.grsecurity.chroot_deny_unix = 1 - - # If you say Y here, the current working directory of all newly-chrooted - # applications will be set to the the root directory of the chroot. - # The man page on chroot(2) states: - # Note that usually chhroot does not change the current working - # directory, so that `.' can be outside the tree rooted at - # `/'. In particular, the super-user can escape from a - # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. - # - # It is recommended that you say Y here, since it's not known to break - # any software. If the sysctl option is enabled, a sysctl option with - # name "chroot_enforce_chdir" is created. - kernel.grsecurity.chroot_enforce_chdir = 1 - - # If you say Y here, processes inside a chroot will not be able to - # kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, - # getsid, or view any process outside of the chroot. If the sysctl - # option is enabled, a sysctl option with name "chroot_findtask" is - # created. - kernel.grsecurity.chroot_findtask = 1 - - # If you say Y here, processes inside a chroot will not be able to raise - # the priority of processes in the chroot, or alter the priority of - # processes outside the chroot. This provides more security than simply - # removing CAP_SYS_NICE from the process' capability set. If the - # sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" - # is created. - kernel.grsecurity.chroot_restrict_nice = 1 - - # - # Kernel Auditing - # - - # If you say Y here, the exec and chdir logging features will only operate - # on a group you specify. This option is recommended if you only want to - # watch certain users instead of having a large amount of logs from the - # entire system. If the sysctl option is enabled, a sysctl option with - # name "audit_group" is created. - kernel.grsecurity.audit_group = 1 - - # If you say Y here, the exec and chdir logging features will only operate - # on a group you specify. This option is recommended if you only want to - # watch certain users instead of having a large amount of logs from the - # entire system. If the sysctl option is enabled, a sysctl option with - # name "audit_group" is created. - kernel.grsecurity.audit_gid = 99 - - # If you say Y here, all execve() calls will be logged (since the - # other exec*() calls are frontends to execve(), all execution - # will be logged). Useful for shell-servers that like to keep track - # of their users. If the sysctl option is enabled, a sysctl option with - # name "exec_logging" is created. - # WARNING: This option when enabled will produce a LOT of logs, especially - # on an active system. - kernel.grsecurity.exec_logging = 0 - - # If you say Y here, all attempts to overstep resource limits will - # be logged with the resource name, the requested size, and the current - # limit. It is highly recommended that you say Y here. If the sysctl - # option is enabled, a sysctl option with name "resource_logging" is - # created. If the RBAC system is enabled, the sysctl value is ignored. - kernel.grsecurity.resource_logging = 1 - - # If you say Y here, all executions inside a chroot jail will be logged - # to syslog. This can cause a large amount of logs if certain - # applications (eg. djb's daemontools) are installed on the system, and - # is therefore left as an option. If the sysctl option is enabled, a - # sysctl option with name "chroot_execlog" is created. - kernel.grsecurity.chroot_execlog = 0 - - # If you say Y here, all attempts to attach to a process via ptrace - # will be logged. If the sysctl option is enabled, a sysctl option - # with name "audit_ptrace" is created. - #kernel.grsecurity.audit_ptrace = 1 - - # If you say Y here, all attempts to attach to a process via ptrace - # will be logged. If the sysctl option is enabled, a sysctl option - # with name "audit_ptrace" is created. - kernel.grsecurity.audit_chdir = 0 - - # If you say Y here, all mounts and unmounts will be logged. If the - # sysctl option is enabled, a sysctl option with name "audit_mount" is - # created. - kernel.grsecurity.audit_mount = 1 - - # If you say Y here, certain important signals will be logged, such as - # SIGSEGV, which will as a result inform you of when a error in a program - # occurred, which in some cases could mean a possible exploit attempt. - # If the sysctl option is enabled, a sysctl option with name - # "signal_logging" is created. - kernel.grsecurity.signal_logging = 1 - - # If you say Y here, all failed fork() attempts will be logged. - # This could suggest a fork bomb, or someone attempting to overstep - # their process limit. If the sysctl option is enabled, a sysctl option - # with name "forkfail_logging" is created. - kernel.grsecurity.forkfail_logging = 1 - - # If you say Y here, any changes of the system clock will be logged. - # If the sysctl option is enabled, a sysctl option with name - # "timechange_logging" is created. - kernel.grsecurity.timechange_logging = 1 - - # if you say Y here, calls to mmap() and mprotect() with explicit - # usage of PROT_WRITE and PROT_EXEC together will be logged when - # denied by the PAX_MPROTECT feature. This feature will also - # log other problematic scenarios that can occur when PAX_MPROTECT - # is enabled on a binary, like textrels and PT_GNU_STACK. If the - # sysctl option is enabled, a sysctl option with name "rwxmap_logging" - # is created. - kernel.grsecurity.rwxmap_logging = 1 - - # - # Executable Protections - # - - - # if you say Y here, non-root users will not be able to use dmesg(8) - # to view the contents of the kernel's circular log buffer. - # The kernel's log buffer often contains kernel addresses and other - # identifying information useful to an attacker in fingerprinting a - # system for a targeted exploit. - # If the sysctl option is enabled, a sysctl option with name "dmesg" is - # created. - kernel.grsecurity.dmesg = 1 - # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 - # If you say Y here, TTY sniffers and other malicious monitoring - # programs implemented through ptrace will be defeated. If you - # have been using the RBAC system, this option has already been - # enabled for several years for all users, with the ability to make - # fine-grained exceptions. - # - # This option only affects the ability of non-root users to ptrace - # processes that are not a descendent of the ptracing process. - # This means that strace ./binary and gdb ./binary will still work, - # but attaching to arbitrary processes will not. If the sysctl - # option is enabled, a sysctl option with name "harden_ptrace" is - # created. - kernel.grsecurity.harden_ptrace = 1 - - # If you say Y here, unprivileged users will not be able to ptrace unreadable - # binaries. This option is useful in environments that - # remove the read bits (e.g. file mode 4711) from suid binaries to - # prevent infoleaking of their contents. This option adds - # consistency to the use of that file mode, as the binary could normally - # be read out when run without privileges while ptracing. - # - # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" - # is created. - kernel.grsecurity.ptrace_readexec = 1 - - # If you say Y here, a change from a root uid to a non-root uid - # in a multithreaded application will cause the resulting uids, - # gids, supplementary groups, and capabilities in that thread - # to be propagated to the other threads of the process. In most - # cases this is unnecessary, as glibc will emulate this behavior - # on behalf of the application. Other libcs do not act in the - # same way, allowing the other threads of the process to continue - # running with root privileges. If the sysctl option is enabled, - # a sysctl option with name "consistent_setxid" is created. - kernel.grsecurity.consistent_setxid = 1 - - # If you say Y here, access to overly-permissive IPC objects (shared - # memory, message queues, and semaphores) will be denied for processes - # given the following criteria beyond normal permission checks: - # 1) If the IPC object is world-accessible and the euid doesn't match - # that of the creator or current uid for the IPC object - # 2) If the IPC object is group-accessible and the egid doesn't - # match that of the creator or current gid for the IPC object - # It's a common error to grant too much permission to these objects, - # with impact ranging from denial of service and information leaking to - # privilege escalation. This feature was developed in response to - # research by Tim Brown: - # http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ - # who found hundreds of such insecure usages. Processes with - # CAP_IPC_OWNER are still permitted to access these IPC objects. - # If the sysctl option is enabled, a sysctl option with name - # "harden_ipc" is created. - kernel.grsecurity.harden_ipc = 1 - - # If you say Y here, you will be able to choose a gid to add to the - # supplementary groups of users you want to mark as "untrusted." - # These users will not be able to execute any files that are not in - # root-owned directories writable only by root. If the sysctl option - # is enabled, a sysctl option with name "tpe" is created. - kernel.grsecurity.tpe = 1 - kernel.grsecurity.tpe_gid = 100 - - # If you say Y here, the group you specify in the TPE configuration will - # decide what group TPE restrictions will be *disabled* for. This - # option is useful if you want TPE restrictions to be applied to most - # users on the system. If the sysctl option is enabled, a sysctl option - # with name "tpe_invert" is created. Unlike other sysctl options, this - # entry will default to on for backward-compatibility. - kernel.grsecurity.tpe_invert = 1 - - # If you say Y here, all non-root users will be covered under - # a weaker TPE restriction. This is separate from, and in addition to, - # the main TPE options that you have selected elsewhere. Thus, if a - # "trusted" GID is chosen, this restriction applies to even that GID. - # Under this restriction, all non-root users will only be allowed to - # execute files in directories they own that are not group or - # world-writable, or in directories owned by root and writable only by - # root. If the sysctl option is enabled, a sysctl option with name - # "tpe_restrict_all" is created. - kernel.grsecurity.tpe_restrict_all = 1 - - - kernel.grsecurity.harden_tty = 1 - # # Network Protections # + net.core.bpf_jit_enable = 0 + # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths @@ -519,105 +154,18 @@ # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 - # If you say Y here, neither TCP resets nor ICMP - # destination-unreachable packets will be sent in response to packets - # sent to ports for which no associated listening process exists. - # This feature supports both IPV4 and IPV6 and exempts the - # loopback interface from blackholing. Enabling this feature - # makes a host more resilient to DoS attacks and reduces network - # visibility against scanners. - # - # The blackhole feature as-implemented is equivalent to the FreeBSD - # blackhole feature, as it prevents RST responses to all packets, not - # just SYNs. Under most application behavior this causes no - # problems, but applications (like haproxy) may not close certain - # connections in a way that cleanly terminates them on the remote - # end, leaving the remote host in LAST_ACK state. Because of this - # side-effect and to prevent intentional LAST_ACK DoSes, this - # feature also adds automatic mitigation against such attacks. - # The mitigation drastically reduces the amount of time a socket - # can spend in LAST_ACK state. If you're using haproxy and not - # all servers it connects to have this option enabled, consider - # disabling this feature on the haproxy host. - # - # If the sysctl option is enabled, two sysctl options with names - # "ip_blackhole" and "lastack_retries" will be created. - # While "ip_blackhole" takes the standard zero/non-zero on/off - # toggle, "lastack_retries" uses the same kinds of values as - # "tcp_retries1" and "tcp_retries2". The default value of 4 - # prevents a socket from lasting more than 45 seconds in LAST_ACK - # state. - kernel.grsecurity.ip_blackhole = 1 - kernel.grsecurity.lastack_retries = 4 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine or run server - # applications from your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_all" is created. - kernel.grsecurity.socket_all = 1 - - # Here you can choose the GID to disable socket access for. Remember to - # add the users you want socket access disabled for to the GID - # specified here. If the sysctl option is enabled, a sysctl option - # with name "socket_all_gid" is created. - kernel.grsecurity.socket_all_gid = 200 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine, but will be - # able to run servers. If this option is enabled, all users in the group - # you specify will have to use passive mode when initiating ftp transfers - # from the shell on your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_client" is created. - kernel.grsecurity.socket_client = 1 - - # Here you can choose the GID to disable client socket access for. - # Remember to add the users you want client socket access disabled for to - # the GID specified here. If the sysctl option is enabled, a sysctl - # option with name "socket_client_gid" is created. - kernel.grsecurity.socket_client_gid = 201 - - # If you say Y here, you will be able to choose a GID of whose users will - # be unable to connect to other hosts from your machine, but will be - # able to run servers. If this option is enabled, all users in the group - # you specify will have to use passive mode when initiating ftp transfers - # from the shell on your machine. If the sysctl option is enabled, a - # sysctl option with name "socket_client" is created. - kernel.grsecurity.socket_server = 1 - - # Here you can choose the GID to disable server socket access for. - # Remember to add the users you want server socket access disabled for to - # the GID specified here. If the sysctl option is enabled, a sysctl - # option with name "socket_server_gid" is created. - kernel.grsecurity.socket_server_gid = 99 - - # - # Physical Protections - # - - # If you say Y here, a new sysctl option with name "deny_new_usb" - # will be created. Setting its value to 1 will prevent any new - # USB devices from being recognized by the OS. Any attempted USB - # device insertion will be logged. This option is intended to be - # used against custom USB devices designed to exploit vulnerabilities - # in various USB device drivers. - # - # For greatest effectiveness, this sysctl should be set after any - # relevant init scripts. This option is safe to enable in distros - # as each user can choose whether or not to toggle the sysctl. - kernel.grsecurity.deny_new_usb = 0 - - # - # Restrict grsec sysctl changes after this was set - # - kernel.grsecurity.grsec_lock = 0 - # End of file </pre> + <p>Reload sysctl settings;</p> + + <pre> + # sysctl --system + </pre> <a href="index.html">Core OS Index</a> <p>This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> diff --git a/core/toolchain.html b/core/toolchain.html index 57113fd..9662217 100644 --- a/core/toolchain.html +++ b/core/toolchain.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.2.3. Toolchain</title> + <title>2.6.3. Toolchain</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1 id="toolchain">2.2.3. Toolchain</h1> + <h1 id="toolchain">2.6.3. Toolchain</h1> <p>Add flags to pkgmk configuration and change specific ports that don't build with hardening flags. More information about diff --git a/core/tty-terminal.html b/core/tty-terminal.html index 6eb08d3..d033ec2 100644 --- a/core/tty-terminal.html +++ b/core/tty-terminal.html @@ -2,13 +2,13 @@ <html dir="ltr" lang="en"> <head> <meta charset='utf-8'> - <title>2.5. Consoles, terminals and shells</title> + <title>2.4. Consoles, terminals and shells</title> </head> <body> <a href="index.html">Core OS Index</a> - <h1>2.5. Consoles, terminals and shells</h1> + <h1>2.4. Consoles, terminals and shells</h1> <dl> <dt>Consoles</dt> |